WAN MACsec – Encrypting Ethernet-Frames in the WAN

This is not about ATM, PPP, HDLC or Frame Relay WANs. Ethernet is the new WAN.

Sometimes you need an easy-to-use encryption that is simply added to a link between two devices, and you don't want to introduce IPsec VPNs, which at the very least add complexity to the design.

MACsec solves this problem by bringing absolutely transparent encryption, but since MACsec sessions (the MKA key-agreement frames) are sent to a „link-local“ Ethernet destination address (01-80-c2-00-00-03), no intermediate device is allowed to forward them. A typical „non-dark-fiber“ WAN link therefore can't be encrypted using MACsec.

http://www.ieee802.org/1/files/public/docs2013/ae-seaman-macsec-hops-0213-v02.pdf discussed the elegant technical solution years ago.

Years later these thoughts are moving into production: Cisco invented „WAN MACsec“:

  • it simply allows the network designer to change the destination MAC address and the Ethernet frame type.

This makes it possible for active provider devices to forward MACsec sessions through the WAN, so WAN customers can create a virtual encrypted link between sites, completely transparently.
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/white-paper-c11-737544.html

This example shows the simplest suggestion:

  • change the destination MAC from link-local multicast to broadcast 😉

Router A

key chain KC_WAN macsec
 key 1
   key-string PASSWORD
interface GigabitEthernet0/0/0
  ip address 10.0.0.1 255.255.255.252 
  eapol destination-address broadcast
  mka pre-shared-key key-chain KC_WAN
  macsec

Router B

key chain KC_WAN macsec
 key 1
   key-string PASSWORD
interface GigabitEthernet0/0/0
  ip address 10.0.0.2 255.255.255.252
  eapol destination-address broadcast 
  mka pre-shared-key key-chain KC_WAN
  macsec

It might make sense to change the cipher, increase the anti-replay window, etc.
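To make the point about the destination address concrete, here is an added example (not from the post and not Cisco code) that parses Ethernet frames the way you would when reviewing a capture of a WAN MACsec link: it classifies EAPOL/MKA and MACsec frames, reports whether the destination MAC falls into the 01-80-c2-00-00-0x range that 802.1D/802.1Q bridges must not forward, and decodes the MACsec SecTAG fields (association number, packet number, E bit, SCI) that an operator would want to check after changing the cipher or the replay window. The sample frames, the source MAC and the EAPOL body are constructed; the addresses, EtherTypes and header layouts are from IEEE 802.1X and 802.1AE.

```python
import struct

# Addresses and EtherTypes from IEEE 802.1X / 802.1AE
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address used by MKA
BROADCAST_ADDR = bytes.fromhex("ffffffffffff")
ETHERTYPE_EAPOL = 0x888E                         # EAPOL (carries MKA as packet type 5)
ETHERTYPE_MACSEC = 0x88E5                        # MACsec: the SecTAG follows the EtherType
EAPOL_TYPE_MKA = 5


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def is_bridge_filtered(dst: bytes) -> bool:
    """True for 01-80-c2-00-00-00..0f: reserved link-local group addresses that an
    802.1D/802.1Q bridge must not forward. MKA's default PAE address is in this range."""
    return dst[:5] == bytes.fromhex("0180c20000") and dst[5] <= 0x0F


def parse_frame(frame: bytes) -> dict:
    """Classify one Ethernet frame: destination, EtherType and, for EAPOL and MACsec
    frames, the header fields that matter when reviewing a WAN MACsec link."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "ethertype": ethertype,
        "forwardable": not is_bridge_filtered(dst),
    }
    if ethertype == ETHERTYPE_EAPOL:
        # EAPOL header: protocol version (1), packet type (1), body length (2)
        _version, ptype, _body_len = struct.unpack("!BBH", frame[14:18])
        info["protocol"] = "EAPOL"
        info["eapol_type"] = "MKA" if ptype == EAPOL_TYPE_MKA else f"type {ptype}"
    elif ethertype == ETHERTYPE_MACSEC:
        # SecTAG: TCI/AN (1), SL (1), PN (4), optional SCI (8) when the SC bit is set
        tci_an = frame[14]
        pn = struct.unpack("!I", frame[16:20])[0]
        info["protocol"] = "MACsec"
        info["an"] = tci_an & 0x03                 # association number (key in use)
        info["encrypted"] = bool(tci_an & 0x08)    # E bit: payload encrypted, not only authenticated
        info["pn"] = pn                            # packet number, the replay-protection counter
        info["sci"] = frame[20:28].hex() if tci_an & 0x20 else None
    else:
        info["protocol"] = "other"
    return info


def mka_frames_forwardable(frames) -> list:
    """For each EAPOL-MKA frame, report whether its destination lets a provider bridge forward it."""
    out = []
    for f in frames:
        p = parse_frame(f)
        if p.get("eapol_type") == "MKA":
            out.append((p["dst"], p["forwardable"]))
    return out


# Constructed sample frames (not captured from a real device):
ROUTER_A = bytes.fromhex("02000000000a")      # constructed, locally administered source MAC
MKA_BODY = bytes([3, EAPOL_TYPE_MKA, 0, 0])   # EAPOL v3, type MKA, empty body (constructed)
MKA_LINK_LOCAL = PAE_GROUP_ADDR + ROUTER_A + b"\x88\x8e" + MKA_BODY  # default MACsec behaviour
MKA_BROADCAST = BROADCAST_ADDR + ROUTER_A + b"\x88\x8e" + MKA_BODY   # "eapol destination-address broadcast"
MACSEC_DATA = (BROADCAST_ADDR + ROUTER_A + b"\x88\xe5"
               + bytes([0x2D, 0x00]) + (16).to_bytes(4, "big")       # TCI: SC|E|C set, AN=1; PN=16
               + ROUTER_A + b"\x00\x01" + b"\x00" * 16)              # SCI = MAC + port 1, dummy payload

if __name__ == "__main__":
    for name, f in [("MKA link-local", MKA_LINK_LOCAL), ("MKA broadcast", MKA_BROADCAST), ("MACsec data", MACSEC_DATA)]:
        print(name, parse_frame(f))
    print(mka_frames_forwardable([MKA_LINK_LOCAL, MKA_BROADCAST]))
```

Running it shows the two MKA frames side by side: the one sent to the PAE group address is flagged as not forwardable, the broadcast one is, which is exactly what the `eapol destination-address broadcast` line in the configuration above changes. The MACsec data frame decode is useful when checking that the E bit is set (confidentiality, not just integrity) and that packet numbers advance as expected within the configured replay window.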

Chrome – Using it with an HTTPS Proxy

Security is important.

But sometimes it’s important, too, to be productive, for example during work hours.

For example at a trusted customer site with a restrictive security policy that intercepts all HTTPS traffic using a customer-provided certificate, which never matches the visited websites.

Most of my technical research jobs using Google aren't secret, otherwise I wouldn't pass them to Google, so HSTS, at least for Google sites, doesn't make sense in these cases.

Google knows that and invented the no-HSTS switch:
--ignore-certificate-errors

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors

Thank you!

Cisco UCSD: Custom Workflow Task

This is maybe just a note for myself, as I found out that the UCSD documentation is, in polite wording, „somehow incomplete“.

After reverse-engineering some existing workflow task scripts and playing around a bit, the good news:

  • it's simple and straightforward to create your own custom workflow tasks.

Background

I wanted to generate the names of newly provisioned VLANs automatically:

  • the IP subnet was provided by an IPAM, e.g. „10.2.3.0“,
  • the VLAN names should have a fixed length, so the octets had to be padded („010.002.003.000“).

The workflow takes two task inputs:

  • the „network“,
  • the character used to pad the network string to the fixed length
    • as a special feature, this parameter is optional („Mandatory: false“)

[Figure: UCSD custom task inputs]

A JavaScript snippet builds the padded VLAN name, the task output:

[Figure: UCSD custom task output]

The script fetches the inputs via

input.<Input Field Name>

a) mandatory input:

var subnet = input.subnet;

b) optional input (with default value „0“):

  • length „0“ => optional parameter not set

var pad = "0";
if (input.pad.length==1) {
  pad = input.pad;
}

The padded result is published via

output.<Output Field Name>

c) padded subnet:

output.paddedSubnet = paddedSubnet;

 

The script itself is straightforward:

// Left-pad num with pad until it is size characters long (recursion ends once it is long enough)
function expand(num, size, pad) {
  if (num.length<size) {
    return expand(pad+num, size, pad);
  }
  return num;
}

// mandatory task input
var subnet = input.subnet;
var paddedSubnet = "";

// optional task input: UCSD passes an empty string when it is not set, so default to "0"
var pad = "0";
if (input.pad.length==1) {
  pad = input.pad;
}

logger.addInfo("---------------------------------");
logger.addInfo("input.subnet = "+subnet);
logger.addInfo("using pad = ["+pad+"]");
//
// pad every octet to three characters and re-join them with dots
var parts = subnet.split('.');
for(var j=0; j<parts.length; j++) {
  if (paddedSubnet) {
    paddedSubnet += ".";
  }
  paddedSubnet = paddedSubnet + expand(parts[j], 3, pad);
}

// publish the task output
output.paddedSubnet = paddedSubnet;

logger.addInfo("output.paddedSubnet = "+paddedSubnet);
logger.addInfo("---------------------------------");
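The task script above only runs inside UCS Director, where `input`, `output` and `logger` are provided by the platform. The following added example (my code, not from the post and not part of UCSD) stubs those three globals so the same logic can be run and tested on a workstation before it is pasted into a custom task, and it goes a bit beyond the original by validating the inputs: the subnet must be a dotted quad of octets in 0..255 and the pad must be a single character, otherwise the task fails loudly instead of producing a VLAN name that only looks right. The helper names `makeUcsdEnv`, `padSubnet` and `runTask` are my own, and the sample inputs are constructed.

```javascript
// Stub of the UCSD task environment: the three globals a custom task script uses.
// Log lines are collected in an array so they can be inspected after the run.
function makeUcsdEnv(fields) {
  const log = [];
  return {
    input: fields,
    output: {},
    logger: { addInfo: (msg) => log.push(msg) },
    log,
  };
}

// Iterative left-pad; does the same as the post's recursive expand().
function expand(num, size, pad) {
  let s = String(num);
  while (s.length < size) {
    s = pad + s;
  }
  return s;
}

// Pads each octet to three characters. The optional pad falls back to "0"
// when UCSD hands over an empty string (parameter not set) or undefined.
function padSubnet(subnet, padInput) {
  const pad = (typeof padInput === "string" && padInput.length === 1) ? padInput : "0";
  const parts = String(subnet).trim().split(".");
  if (parts.length !== 4) {
    throw new Error("subnet must be a dotted quad, got: " + subnet);
  }
  return parts.map((octet) => {
    if (!/^\d{1,3}$/.test(octet) || Number(octet) > 255) {
      throw new Error("invalid octet in subnet: " + octet);
    }
    return expand(octet, 3, pad);
  }).join(".");
}

// The task body as UCSD would execute it, with the environment passed in
// instead of taken from globals. Returns the published output for convenience.
function runTask(env) {
  const { input, output, logger } = env;
  logger.addInfo("input.subnet = " + input.subnet);
  output.paddedSubnet = padSubnet(input.subnet, input.pad);
  logger.addInfo("output.paddedSubnet = " + output.paddedSubnet);
  return output.paddedSubnet;
}

// Usage with constructed inputs: optional pad left empty, as UCSD does when it is not set.
const env = makeUcsdEnv({ subnet: "10.2.3.0", pad: "" });
console.log(runTask(env)); // 010.002.003.000
console.log(env.log.join("\n"));
```

Because `runTask` receives the environment as a parameter, the only change needed when moving the logic into a real custom task is to call `padSubnet(input.subnet, input.pad)` against the platform's globals.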

 

Cisco UCS Director (UCSD) as Unified Infrastructure Controller

Yes, I agree: this product name can’t get worse.

What's wrong with the product name „UCS Director“? It needs explanation!

Nobody in this world could guess its feature set; everybody thinks it's some additional umbrella management on top of UCS Manager or UCS Central.

„Unified Infrastructure Controller“ would fit much better, since UCSD not only automates UCS components but the whole data center (and more), including LAN/SAN switches, firewalls and the virtualization environment, such as vSphere or Hyper-V.

 

Cisco CLI syntax highlighting

It's hard to believe that syntax highlighting, manual or automatic, is still so hard in 2017…

There is really no CLI/source-code plugin available that fits my needs:

  • bold font for relevant commands, in the example ’show…‘
  • coloured background for interesting parts of the show output

N9K-A# show vlan id 123

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
123  010.002.003.004                  active

That’s all I’m looking for…

devoted to: the broadcast

A long time ago, there was a networking protocol called ipv4 which drove the internet, and everybody was happy.

Everybody?

Not everybody, unfortunately – my fridge, for example, had no access to the internet and was not able to order food when the forecast predicted a low food level. My washing machine couldn't send an email when it finished its work, and it wasn't possible for my car to have a facebook account to like empty highways without speed limits…

These issues have been solved with ipv6, IP next generation, the new foundation of the internet.

The broadcast concept left the stage, too.

Never miss the broadcast – catch the frame with destination address „all-ones“!