SGUEZ #20572: 2010

Wednesday, November 03, 2010

IPIP tunnel creator via bash

   1:  #!/bin/bash

   2:  #

   3:  # Tunnel ipip Automation

   4:  # Creator: Shiran Guez

   5:  #

   6:  TUN_ETH="eth0"

   7:  IP_DEST_EXT=""

   8:  TUNNEL_IP_SRC=""

   9:  TUNNEL_IP_DST=""

  10:  _CREATE_ () {

  11:  echo "Please enter the name of your local interface [eth0 is default]: "

  12:  echo "[ To Skip enter >>>skip<<< ]"

  13:  while :;

  14:  do

  15:      read COMM_ETH

  16:      if [ "$COMM_ETH" == "skip" ] ;then

  17:          break

  18:      elif [ "$COMM_ETH" == "eth0" ] ;then

  19:          break

  20:      else

  21:          ifconfig "$COMM_ETH" >/dev/null

  22:          if [ $? -eq 0 ] ;then

  23:              TUN_ETH="$COMM_ETH"

  24:              break

  25:          else

  26:              echo "You have entered a wrong ethernet interface"

  27:              echo "Please try again: "

  28:          fi

  29:      fi

30:

  31:  done

  32:  localip=$(ifconfig $TUN_ETH | grep Bcast | awk '{print $2}' | awk -F: '{print $2}')

  33:  echo "Please enter the destination IP for the tunnel: "

  34:  while :;

  35:  do

  36:      read IP_DEST_EXT

  37:      echo "Are you sure $IP_DEST_EXT is a valid IP [Y]:"

  38:      read ANS_ME

  39:      ANS_ME=$(echo $ANS_ME | tr a-z A-Z)

  40:      if [ "$ANS_ME" == "Y" ] ;then

  41:          break

  42:      else

  43:          echo "Please enter destination again:"

  44:       fi

  45:  done

  46:  echo "Please enter tunnel IP and Peer Address: "

  47:  while :;

  48:  do

  49:      echo "IP : "

  50:          read TUNNEL_IP_SRC

  51:      echo "Peer : "

  52:      read TUNNEL_IP_DST

  53:      echo "Peer subnet mask [ /16 , /24 ...]: "

  54:      read TUNNEL_IP_DST_MASK

  55:      echo "Tunnel IP will be $TUNNEL_IP_SRC and its peer address will be $TUNNEL_IP_DST using subnet mask $TUNNEL_IP_DST_MASK"

  56:      echo "Please confirm [Y]:"

  57:          read ANS_ME_NOW

  58:          ANS_ME_NOW=$(echo $ANS_ME_NOW | tr a-z A-Z)

  59:          if [ "$ANS_ME_NOW" == "Y" ] ;then

  60:                  break

  61:          else

  62:                  echo "Please enter again:"

  63:          fi

64:

  65:  done

  66:  ip tu ad ipiptun mode ipip local $localip remote $IP_DEST_EXT ttl 64 dev $TUN_ETH

  67:  ip ad ad dev ipiptun $TUNNEL_IP_SRC peer $TUNNEL_IP_DST/$TUNNEL_IP_DST_MASK

  68:  ifconfig ipiptun up

  69:  }

70:

  71:  _DESTROY_ () {

  72:  ip add | grep ipiptun > /dev/null

  73:  if [ $? -eq 0 ] ;then

  74:      ifconfig ipiptun down

  75:      echo "Tunnel was removed"

  76:  else

  77:      echo "No Tunnel to remove"

  78:  fi

  79:  }

80:

  81:  lsmod | grep ipip > /dev/null

  82:  if [ $? -eq 0 ] ;then

  83:      while :;

  84:      do

  85:          echo "Please enter 1 to create or 2 for removing a tunnel"

  86:          read SELECTION

  87:          if [ "$SELECTION" == "1" ] ; then

  88:              _CREATE_

  89:              break

  90:          elif [ "$SELECTION" == "2" ] ; then

  91:              _DESTROY_

  92:              break

  93:          fi

94:

  95:      done

  96:  else

  97:      echo "ipip module is not loaded try to first load the ipip module and then run the tool again, Thank you!"

  98:  fi

Wednesday, September 22, 2010

OT : mp4 to mp3 conversion tool

Hi All I have decided to share with you something I did for my self as I found my self doing many conversion of mp4 to mp3 for my iPhone, i did an automation script that takes the path of a directory or file and convert all mp4 to mp3.

#!/bin/bash

# mp4tomp3

# Cool Tool created to automate the conversion process of mp4 files to mp3

# Creator : Shiran Guez

# Created under ubuntu but should work on any linux distribution

# That have ffmpeg installed

CONVERTER_PATH=$1

if [ -z $1 ] ; then

    CONVERTER_PATH=$(echo "`pwd`")

fi

if [ -d $CONVERTER_PATH ] ; then

    for i in *.mp4

do

        ffmpeg -i "$i" -f mp3 -ab 192000 -vn $(echo $i | sed 's/.\mp4/.\mp3/')

    done

    echo "Done"

else

    file $CONVERTER_PATH | grep "MPEG v4"

    if [ $? -eq 0 ] ;then

        ffmpeg -i "$CONVERTER_PATH" -f mp3 -ab 192000 -vn $(echo $CONVERTER_PATH | sed 's/.\mp4/.\mp3/')

    else

        echo "That is not a valid format of mp4 file to convert"

        echo "either provide a path of  directory containing mp4 extensions"

        echo "or provide a path to a valid mp4 file"

fi

fi

I moved the script to /usr/sbin and added excutable priv “chmod +x /usr/sbin/mp4tomp3” to run it simply run the command from cli example:

sudo mp4tomp3 <path_of_dir or file_name>

or just under the directory you have files to convert

cd /to/desired/path sudo mp4tomp3

enjoy

Tuesday, September 07, 2010

eBgp-Multihop vs. ttl-security

Today I have answered one of the Cisco CCIE groupstudy questions on the relation between the two features.

To understand the relation first lets explore what each feature job and purpose in life:
eBgp-multihop – like in IGP the default ttl for packets is 1 and that is to ensure delivery only to the directly connected network node, but unlike IGP eBgp is often (in real networks) established via interface loopback and because packet generated / sourced from Interface loopback going out the router using its next hop interface that break the communication as 1-1 = 0 and 0 TTL mean packet can’t be delivered to destination, so

what to do?!
increase TTL (is the answer :-))
using the eBgp-multihop is like simply indicating what TTL should be set to the packet to ensure delivery to the desired network

ttl-security – so we now understand the eBgp affect packet going out of our system by manipulating its TTL,
How do I prevent neighbor coming 10 hops away from me?!
you set the ttl-security.

Now you will say, if you didn't want to be neighbor do not set him up on your side and that would be also ok, but lets say you have neighbor relation with 2 router and each is 3 hops away (normally) now one router experienced a link fail causing it to change route to reach you and now he is 5 hops away, and your policy is to maintain neighbor relation with no more then 3 hops away.

but again you would say, so set the eBgp-multihop to 3 (or 4 if using the loopback) and you would be again correct.

so why ttl-security, mainly it is to prevent DoS attack!

hope this helped in some way to understand the difference and each feature job in life.

Friday, August 06, 2010

OT : DropBox Very Cool

I have discovered that service just last week and my life was changed since then, dropbox provide a share with all your PC’s with versioning of files and other very cool features.

How many times you transferred a file from your home pc to work pc or the other way around and if you like me that have 2 pc at work laptop and 2 pc at home well… I hope you get the picture :-)

https://www.dropbox.com/referrals/NTk3NTUxNzY5

Friday, June 25, 2010

How I Started?!

My first encounter with Cisco was at year 2000 when I had just started in a small startup as MS sys admin, the company wanted to develop some proprietary voice codec as that was not very successful they wanted to channel there knowledge to make money and VoIP calling cards was the way, in 2000 it was something very fresh and not high quality (very buggy) but the main goal was to save for the card distributers and make some money.

So why am I telling you all thins, I realized that I have never did a VoIP article although that was one of the first topics I learned and worked with Cisco products, I think I should dedicate some words to that part of my past.

May be I will start and tell you how our first setup looked like back then component wise and lets see where it takes us, so “what we had there” (small joke for all Israeli):

Israel Side
3640 with 4 E1 voice cards module IOS was I think 12.0 or 12.1 with voice feature set (sorry cant remember)
US Side (Hudson 60)
Nortel PBX connected to several Cisco 7200
Monitoring and Billing
Monitoring System (HPOV, yes full HPOV over Solaris version 7 or 8 )
AAA and Billing System (some home made Russian using “freeradius” for the AAA)

This is showing the very start:

Very Basic diagram of how it looked like, on the Israel Side first we where connected to the local PSTN and on the US Side we where connected to a privet PBX that was connected in Hudson 60 to many carriers, the IP Side we used first GW to GW setup very basic but as the operation grown and we needed to connect more GW’s and more Global Distributed Termination Providers the management had become less and less efficient, that where (after ~30 Different Interconnected termination points) we moved to a central call management system using a better design using Gatekeeper (until year 2004 we worked only h323) . first system we used was VoiceMaster (by sysmaster.com) I traveled to san Francisco to both learn and adapt that system to our need’s as until we came they where working only with Quintum Voice GW’s, I helped then integrate their system with Cisco Voice Gateways.

The main integration work was on adjusting the TCL scripts for the PrePaid system, we used IVR based on TCL script running in the Cisco pulling voice prompts from a tftp those where the days :-)

Thursday, June 17, 2010

First CCA's

Thursday, March 18, 2010

L2L IPSec Tunnel ASA to IOS

I would like to share with you a case I got that allowed me to explore the ASA, as I am no ASA expert I hope that is not to dumb and will provide some added value but if not then ok I will share it anyway

For the case study here lets say there is no network beside the diagram you will see bellow

First I would like to share configuration and some debug commands (and there output).

###ASA

crypto isakmp enable <outside-if-name>
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400

access-list IPSec-traffic extended permit ip <SOURCE_NET_SERVER_FARM> <DESTINATION_NET_HOSTS>
crypto ipsec transform-set TS esp-des esp-md5-hmac
crypto map IPSEC 10 match address IPSec-traffic
crypto map IPSEC 10 set peer <C2800-DST-IP>
crypto map IPSEC 10 set transform-set TS
crypto map IPSEC interface <outside-if-name>

tunnel-group <C2800-DST-IP> type ipsec-l2l
tunnel-group <C2800-DST-IP> ipsec-attributes
pre-shared-key <PASSWORD>

###ROUTER

#IKE PHASE 1
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key <PASSWORD> address 0.0.0.0 0.0.0.0

#IKE PHASE 2 IPSEC
crypto ipsec transform-set TS esp-des esp-md5-hmac
crypto dynamic-map DYN 10
set transform-set TS
crypto map IPSEC 10 ipsec-isakmp dynamic DYN

interface <X>
crypto map IPSEC

# ASA SOME SHOW/DEBUG COMMANDS

ciscoasa(config)# sh isakmp sa detail

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: <C2800-DST-IP>
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 57501

ciscoasa(config)# sh ipsec sa detail
interface: outside
Crypto map tag: IPSEC, seq num: 10, local addr: <ASA-SRC-IP>

      access-list IPSec-traffic permit ip <SOURCE_NET_SERVER_FARM> <DESTINATION_NET_HOSTS>
      local ident (addr/mask/prot/port): (SOURCE_NET/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (DESTINATION_NET/255.255.255.0/0/0)
      current_peer: <C2800-DST-IP>

      #pkts encaps: 71917, #pkts encrypt: 71917, #pkts digest: 71917
      #pkts decaps: 71903, #pkts decrypt: 71903, #pkts verify: 71903
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 71917, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: <ASA-SRC-IP>, remote crypto endpt.: <C2800-DEST-IP>

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E1C2DB71

    inbound esp sas:
      spi: 0xE8F3372E (3908253486)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: IPSEC
         sa timing: remaining key lifetime (kB/sec): (4274983/1861)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xE1C2DB71 (3787643761)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: IPSEC
         sa timing: remaining key lifetime (kB/sec): (4274983/1861)
         IV size: 8 bytes
         replay detection support: Y

# ISAKMP DEBUG

ciscoasa# debug crypto isakmp

HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE RECEIVED Message (msgid=c49feb32) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing hash payload
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing SA payload
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing nonce payload
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing ID payload
%ASA-7-714011: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, ID_IPV4_ADDR_SUBNET ID received-SOURCE_NET_SERVER_FARM
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing ID payload
%ASA-7-714011: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, ID_IPV4_ADDR_SUBNET ID received--DESTINATION_NET_HOSTS
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing notify payload
%ASA-7-713906: Responder Lifetime decode follows (outb SPI[4]|attributes):
%ASA-7-713906: 0000: 37D453FB 80010001 00020004 00000E10 7.S.............
%ASA-5-713073: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
%ASA-7-713906: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, loading all IPSEC SAs
%ASA-7-715001: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Generating Quick Mode Key!
%ASA-7-715001: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x37D453FB) between <ASA-SRC-IP> and <C2800-DEST-IP>(user= <C2800-DEST-IP>) has been created.
%ASA-5-713049: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Security negotiation complete for LAN-to-LAN Group (<C2800-DEST-IP>) Initiator, Inbound SPI = 0x24d888f2, Outbound SPI = 0x37d453fb
%ASA-7-713906: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, oakley constructing final quick mode
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x24D888F2) between <ASA-SRC-IP> and <C2800-DEST-IP> (user= <C2800-DEST-IP>) has been created.
%ASA-7-714006: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, IKE Initiator sending 3rd QM pkt: msg id = c49feb32
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE SENDING Message (msgid=c49feb32) with payloads : HDR + HASH (8) + NONE (0) total length : 72
%ASA-7-715007: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, IKE got a KEY_ADD msg for SA: SPI = 0x37d453fb
%ASA-7-715077: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Pitcher: received KEY_UPDATE, spi 0x24d888f2
%ASA-6-713905: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Starting P2 Rekey timer to expire in 3420 seconds
%ASA-5-713120: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, PHASE 2 COMPLETED (msgid=c49feb32)

# IPSEC DEBUG
ciscoasa# debug crypto ipsec

%ASA-3-713119: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, PHASE 1 COMPLETED
%ASA-7-713121: IP = <C2800-DEST-IP>, Keep-alive type for this connection: DPD
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Starting phase 1 rekey timer: 82080000 (ms)
%ASA-7-715006: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE got SPI from key engine: SPI = 0xeaa54840
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, oakley constucting quick mode
%ASA-7-715046: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing blank hash payload
%ASA-7-715046: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing IPSec SA payload
%ASA-7-715046: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing IPSec nonce payload
%ASA-7-715001: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing proxy ID
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Transmitting Proxy Id:
Local subnet: SOURCE_NET_SERVER_FARM mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: DESTINATION_NET_HOSTS Mask 255.255.255.0 Protocol 0 Port 0
%ASA-7-714007: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE Initiator sending Initial Contact
%ASA-7-715046: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing qm hash payload
%ASA-7-714004: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE Initiator sending 1st QM pkt: msg id = 0b0b91e2
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE SENDING Message (msgid=b0b91e2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE RECEIVED Message (msgid=b0b91e2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing hash payload
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing SA payload
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing nonce payload
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing ID payload
%ASA-7-714011: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, ID_IPV4_ADDR_SUBNET ID received--SOURCE_NET_SERVER_FARM
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing ID payload
%ASA-7-714011: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, ID_IPV4_ADDR_SUBNET ID received--DESTINATION_NET_HOSTS
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing notify payload
%ASA-7-713906: Responder Lifetime decode follows (outb SPI[4]|attributes):
%ASA-7-713906: 0000: 18C33FE5 80010001 00020004 00000E10 ..?.............

%ASA-5-713073: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, loading all IPSEC SAs
%ASA-7-715001: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Generating Quick Mode Key!
%ASA-7-715001: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x18C33FE5) between <ASA-SRC-IP> and <C2800-DEST-IP> (user= <C2800-DEST-IP>) has been created.
%ASA-5-713049: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Security negotiation complete for LAN-to-LAN Group (<C2800-DEST-IP>) Initiator, Inbound SPI = 0xeaa54840, Outbound SPI = 0x18c33fe5
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, oakley constructing final quick mode
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xEAA54840) between <ASA-SRC-IP> and <C2800-DEST-IP> (user= <C2800-DEST-IP>) has been created.
%ASA-7-714006: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE Initiator sending 3rd QM pkt: msg id = 0b0b91e2
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE SENDING Message (msgid=b0b91e2) with payloads : HDR + HASH (8) + NONE (0) total length : 72
%ASA-7-715007: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE got a KEY_ADD msg for SA: SPI = 0x18c33fe5
%ASA-7-715077: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Pitcher: received KEY_UPDATE, spi 0xeaa54840
%ASA-6-713905: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Starting P2 Rekey timer to expire in 3420 seconds
%ASA-5-713120: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, PHASE 2 COMPLETED (msgid=0b0b91e2)

THERE WILL BE CONTINUE…

Thursday, March 11, 2010

GOOGLE BUZZ

RIP V2 Analysis

it is very basic stuff but will give you some prospective on how the RIP process works on Cisco router.
When you start the RIP process initially until you define the first network under it you will not see any process running

as you can see from above print once I have entered a network 3 process came up, RIP Router the main process RIP send and RIP Timers each name is simply enough self explanatory. now after I have added my own network I will send a request for receiving the full routing table

How do you know that this is a request well just by looking into the wireshark you can see he did the hard work for you but actually it is not that hard as the first byte is either 1 or 2. 1 for request, 2 for response the whole algorithm is laying on this 2 messages, another interesting part about this message is that the metric is set to 16 witch is infinity in RIP world.

now, once I start adding more network’s to be advertised the router start sending response packet every almost 30 seconds the router actually calculate a random time between 25 – 30 seconds and then send the response.

the response contain the full rip routing table, the max number of routes that can be sent in such packet is 25 any thing else will be sent in additional packet, now in case you add a network the router will send immediately a route update contain the single or the number of networks you advertise, but it will not reset the original response timer so you may have as the example bellow:

packet 11 show that he was sent after 26.9884 sec
packet 12 I have added a subnet so it was sent immediately, it just happen to be after 10 sec from the last full update
packet 13 after 16 sec from the partial update the router send a full table
So you see that the router didn't update his time due to the update

Now I have added Authentication see the diff between clear text and MD5 beside the obvious see if you can tell

I hope you found it, but if not I will tell you!!!
see the number of networks without authentication and with authentication!!
Yes with authentication (clear text) the router remove the last prefix and insert the authentication at the top

Now when adding a key chain and assigning it to the interface you can select the mode of authentication, the default is clear text but you have also an MD5 option
you need to remember that when adding MD5 the authentication is growing 100% from 20byte to 40byte what makes the largest possible RIP packet to 532byte instead of 512byte with default or no authentication.

Now the last part, when removing a network the router advertise the network you removed with metric 16 and that is to poison the routers and telling them that network no longer exist in my routing.

Over all you can see that RIP is very basic protocol no fancy neighbor relationships no reliable mechanism, very simple to implement and troubleshoot.

Wednesday, March 03, 2010

Some IPv6 Basics

IPv6 is one of my favorite topics as it looks very complex but it is really nice and easy.

easy deployed
easy to manage

IPv6 Header as you can see constructed of

8 bit – Version 8 bit - Traffic Class (also known as TOS byte) 20 bit – Flow Label 20 bit - Payload Length 8 bit – Next Header 8 bit – Hop Limit (similar to TTL idea) 128 bit – S. Address 128 bit – D. Address

Total 40byte header

Compare it to the IPv4 Header:

You can see a smaller header 20byte but much more complex and with the options it can be extended up to 60byte so that is much more then IPv6 Ok now I would like to get to some demonstration of how easy just to get you the taste of IPv6 On my PC (OS-Win7) i didn't configure any IPv6 manually, by default OS win7 and most linux distributions are IPv6 enabled once installed, what that mean you ask?! It mean ipv6 link local address is configured automatically, now for those of you that are new to IPv6 you will ask me, what is link local IPv6 address?! Link Local – it is a non routable ipv6 address that is unique to the local segment, a link local address start with the following FE80::/10 in Cisco the link local address is created from FE80:: + MAC address after taking the 7th bit and converting it (if it was 0 –> 1 and if 1 –>0) so example from my router

HOME-GUEZ(config-if)#do sh int vl16 Vlan16 is up, line protocol is up Hardware is EtherSVI, address is 0017.5922.8114 (bia 0017.5922.8114)

Take 0017.5922.8114 7th bit is 0 change it to 1 makes it 0217.5922.8114 and in the middle inserting 0xFFFE so the full address should look like:

FE80:0000:0000:0000:0217:59FF:FE22:8114 = 128 bit or in short FE80::217:59FF:FE22:8114 and as you can see from the show bellow I was correct :-)

HOME-GUEZ(config-if)#do sh ipv6 int vl16 Vlan16 is up, line protocol is up IPv6 is enabled, link-local address is FE80::217:59FF:FE22:8114

Now I would like to show you something, I have enabled debug of ipv6 packets and under my vlan interface I have added a unicast global ipv6 address and at that moment like magic you can see the router starting working automaticly

HOME-GUEZ#debug ipv6 packet detail IPv6 unicast packet debugging is on (detailed) HOME-GUEZ#term mon HOME-GUEZ# HOME-GUEZ#conf t Enter configuration commands, one per line. End with CNTL/Z. HOME-GUEZ(config)#int vl16 HOME-GUEZ(config-if)#ipv6 address 2001::1/64 HOME-GUEZ(config-if)# Mar 2 21:05:53.956: IPV6: source :: (local) Mar 2 21:05:53.956: dest FF02::1:FF22:8114 (Vlan16) #### prot 58 is ICMPv6, Routers with IPv6 use ICMPv6 control messages to solicit and advertise neighbors, also notice to the use of the last 24 bits 22:8114 at the end of the destination address, the router is sending his own link local last 24 bits to verify that he is the only one of the link local with such address, also called DAD (Duplicate Address Detection) #### I didnt mention this before as I wanted to show you before I talk about it, but the next headed filed job in the ipv6 header is to indicate what is coming after the ipv6 header #### In the first packet you so prot 58 witch is ICMPv6, but in the next you can see prot 0 and that mean hop by hop option is directly after the ipv6 header, #### unlike the ipv4 the ipv6 options are not really part of the ipv6 header, the hop by hop header job is informative extension that each routing node should know about #### not very interesting to us now. Mar 2 21:05:53.956: traffic class 224, flow 0x0, len 64+16, prot 58, hops 255, originating Mar 2 21:05:53.956: IPv6: Sending on Vlan16 Mar 2 21:05:53.960: IPV6: source :: (local) Mar 2 21:05:53.960: dest FF02::16 (Vlan16) Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:53.960: IPv6: Sending on Vlan16 Mar 2 21:05:53.960: IPV6: source :: (local) Mar 2 21:05:53.960: dest FF02::16 (Vlan16) Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:53.960: IPv6: Sending on Vlan16 Mar 2 21:05:53.960: IPV6: source :: (local) Mar 2 21:05:53.960: dest FF02::16 (Vlan16) Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:53.960: IPv6: Sending on Vlan16 Mar 2 21:05:53.960: IPV6: source :: (local) Mar 2 21:05:53.960: dest FF02::16 (Vlan16) Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:53.964: IPv6: Sending on Vlan16 Mar 2 21:05:54.456: IPV6: source :: (local) Mar 2 21:05:54.456: dest FF02::16 (Vlan16) Mar 2 21:05:54.456: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:54.456: IPv6: Sending on Vlan16 #### Here is neighbor advertisement Mar 2 21:05:54.956: IPV6: source FE80::217:59FF:FE22:8114 (local) Mar 2 21:05:54.956: dest FF02::1 (Vlan16) Mar 2 21:05:54.956: traffic class 224, flow 0x0, len 72+8, prot 58, hops 255, originating Mar 2 21:05:54.956: IPv6: Sending on Vlan16 #### And that is a Router Advertisement after my PC had received the router advertisement it already configured him self with a global unicast ipv6 address #### IPv6 Address. . . . . . . . . . . : 2001::6df4:5c91:aac1:9a36(Preferred) Mar 2 21:05:54.956: IPV6: source FE80::217:59FF:FE22:8114 (local) Mar 2 21:05:54.956: dest FF02::1 (Vlan16) Mar 2 21:05:54.956: traffic class 224, flow 0x0, len 104+1396, prot 58, hops 255, originating

And you can see I could ping my router IPv6 global unicast ipv6 address

C:\Users\shiran>ping 2001::1

Pinging 2001::1 with 32 bytes of data: Reply from 2001::1: time=4ms Reply from 2001::1: time=1ms Reply from 2001::1: time=1ms Reply from 2001::1: time=1ms

Ping statistics for 2001::1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 4ms, Average = 1ms

Now I made the debugging shorter then it is but let me show you how dose the router advertisement look like and that will be the last for this post:

Now I know that this post is not very organized and it should contain much more explanation but I wanted to give you some 10000 feet view on how it looks complex but at the end I did on my router only 2 commands and I had my home network running IPv6

ipv6 unicast-routing <under the interface> ipv6 address 2001::1/64

Now yes that is not a grand design but think what you had to do if you wanted the same simple network for ipv4….

Sunday, February 28, 2010

See how a lunch in 1989 impacted our life today and for many years to come

For those of you that need introduction “Yakov Rekhter” is one of the fathers of BGP and MPLS Architecture, I hope you will all enjoy this Lecture (disregard the Juniper logo :-))

[ OFF TOPIC ] Wet iPhone

Few days ago I have been driving my motorcycle back from work to my home, there was at the time an unexpected pouring rain, needless to say I was wet to my bones When I have arrived home I saw that my iPhone suffered a wet shower, I didn’t know if it damaged my iPhone as it was functioning, so I went to sleep. the next day I tried to open my phone and my precious iPhone refused to function properly, the screen was really dark, I started to cry (not really) then I went to my friend to search for a solution, I saw that someone had saved his blackberry using a bawl of rice, I was skeptic and started to plan the funeral but I have inserted my precious to a bawl of rice (Persian rice), then after almost 2 nights I have opened my iPhone and like magic it started speaking to me again.

conclusion:

driving in motorcycle in the rain can damage your iPhone!
A bawl off rice can be more then a Chinese side dish

Friday, February 26, 2010

[ OFF TOPIC ] VMWARE ESX Clone

Ok, I wish to share with you a tool I created and is helping me in my day to day work. for thouse of you that are using ESX or ESXi (especialy the ESXi as it is free) without the Virtual Center you probebly noticed that there is no clone option, now it is no problem for us tech people to overcome this problem, but some times we are lazy (dont tell that to anyone). I have done a simple shell script that run under the ESX or ESXi console (in the ESXi there is the unsupported console) please noice as I written it very fast and for my use it has almost no tolerance for user error so play with care. Get it here

Thursday, February 25, 2010

TCP Over Satellite communications

First I would like to say it has been a very long time since my last article, but now I am in the mode for writing so I would like to share my expireance with TCP and Satellite Communication challanges. I am working at Expand Networks and one of our advantages is in optimizing TCP communication in challanging enviorments such as Satellite, so what is so challanging you ask??

The Satellites we use for communication are up in the sky ~35000 kilometer away from ground also called GEO Sat
Communication between ground station to the Satellite easly impacted from enviorment (clouds, rain, snow, solar events...)
Satellite is a shared resource

All the Satellite set a big challange in TCP communication, one of the main is RTT (round trip time), the other is packet loss due to channel error's the satellite may encounter.

To overcome this challanges we use some of the avilable TCP enhancments avilable such as: proxying the TCP session and in the session over the satelite increasing Window Size using the window scale options. additional to that selecting the congestion control that is most suitable for the enviorment we are in. the congestion control as his name indicate is an algorithem that tells the TCP when to back off because a congestion was detected or when to continue and at what level to send the tcp traffic.

Here are Some of the Congestion Control Algorithems:

Reno - the most common used today by default (linux implement NewReno), basicly during the slow start increasing 1/cwnd for each ACK recived and decrease by 0.5 if a loss was detected

BIC - binary increase congestion as the name imply it uses some binary search algorithem to esitimate the correct cwnd

CUBIC - another algorithem considered some kind of enhancment to the BIC algorithem

Hybla - some kind of a hot topic in congestion control algorithem over satellite communication

Vegas, illinois,Veno, Westwood....

basicly you can see that there are many algorithms out there and all are created due to diffrent challanges sattelite , wireless or even wired communication had brought over the years.

There is no ultimate algorithem that can handle all sitiuations (as of today), each have his advantages and disadvantages, Reno is ok when delay is going +-20ms + RTT but more then that if you had +-100ms + RTT with Reno you would be in a problem as it would often back off the window by half.