netnix.org
Networking and Unix


Self-Signed CA with CRL for Java Code Signing

April 6th, 2014

I am going to start off by saying that since Java 7 Update 51, using self-signed certificates is pretty much a waste of time for Internet deployments. With Update 51, Oracle beefed up the security of the Java plug-in: it now blocks self-signed JAR files from being run via the web, even for applications which only want to run within the restricted sandbox.

There are a couple of ways around this. The first is to lower the security level in the Java Control Panel from the recommended (and default) High setting to Medium, which allows self-signed JAR files to be executed after presenting a scary warning message (for the time being, anyway); on High you don't even get a choice, the JAR is simply blocked. The second is to get your clients to import your self-signed root certificate into their trust store; this can work within a closed or corporate environment but won't on the Internet. The third, and recommended, approach is to sign your JAR file with a code signing certificate issued by a trusted CA, but this will set you back a few pennies.

[…]

General CA Java OpenSSL


Cisco Context-Aware Diff

November 18th, 2013

How many times have you run a standard diff against two configuration files, only to be presented with a load of differences without any context at all? Configuration files tend to be hierarchical and usually use indentation to denote sections, so a changed line means little unless you can see which section it belongs to. To demonstrate what I mean, let's use a simple example where I have two interfaces on a Cisco router.

[…]

General Cisco


IP Subnet Lookup using TemplateFx

November 15th, 2013

Let's consider a scenario where you have a list of IP subnets and, within a TemplateFx template, you want to find out which subnet a given IP address belongs to. There are numerous IP calculators out there that will tell you the first and last IP address of a subnet, but few that will find the matching subnet for an address.

In this scenario we have some regional PoP (point-of-presence) sites serving customers around the country. Each PoP has a pool of IP addresses that is used by its customers. With a small piece of JavaScript inside a template we can provide a simple lookup function, which could then be used within the template to provision different configuration depending on a customer's PoP location:

<?
  // subnet -> label, keyed by CIDR prefix
  var db = {
    "10.205.0.0/18":"10.205.0.0/18 - UKPOP-BE-001",
    "10.205.64.0/18":"10.205.64.0/18 - UKPOP-WG-001",
    "10.205.128.0/18":"10.205.128.0/18 - UKPOP-OW-001",
    "10.205.192.0/18":"10.205.192.0/18 - UKPOP-NW-001",
    "10.206.0.0/17":"10.206.0.0/17 - UKPOP-GD-001",
    "10.206.128.0/17":"10.206.128.0/17 - UKPOP-GD-002"
  };
 
  // Return the label of the first subnet containing ip, or null if none
  // matches. insubnet() is provided by TemplateFx. Because the first match
  // wins, list more specific (longer) prefixes before any wider prefix
  // that contains them.
  function lookup (ip) {
    for (var k in db) {
      if (insubnet(k, ip)) {
        return db[k];
      }
    }
    return null;
  }
?>

<<IP>> is in <?= lookup("<<IP>>") ?>

We then provide a list of IP addresses as our source data:

IP
10.206.129.17
10.205.134.233
10.205.0.192

Once you click on "Generate Output" you will be presented with the following:

10.206.129.17 is in 10.206.128.0/17 - UKPOP-GD-002
10.205.134.233 is in 10.205.128.0/18 - UKPOP-OW-001
10.205.0.192 is in 10.205.0.0/18 - UKPOP-BE-001

This is just one of the many powerful features of TemplateFx – for more information please see the TemplateFx page.
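The template above leans on TemplateFx's insubnet() built-in, so the arithmetic that decides whether an address falls inside a prefix never appears on the page. The following is an added example in plain JavaScript, not TemplateFx's code: it implements that check with a 32-bit mask and replaces the first-match loop with a longest-prefix match. Its version of insubnet() is an assumption about the built-in's semantics, and the extra "10.205.5.0/24" entry is constructed to show a nested subnet; the other table entries are the ones from the post.

```javascript
// Added example (not TemplateFx's code): the IPv4 arithmetic behind a subnet
// lookup, plus a longest-prefix match. TemplateFx supplies insubnet() as a
// built-in; the version here is an assumption about its semantics.

// Parse dotted-quad IPv4 into an unsigned 32-bit number, rejecting bad input.
function ip4ToInt(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad IPv4 address: " + ip);
    n = n * 256 + Number(p);    // arithmetic, not <<, keeps the result unsigned
  }
  return n;
}

// Parse "a.b.c.d/n" into its network address, mask and prefix length.
function parseCidr(cidr) {
  const m = /^([^/\s]+)\/(\d{1,2})$/.exec(String(cidr).trim());
  if (!m || Number(m[2]) > 32) throw new Error("bad CIDR: " + cidr);
  const prefix = Number(m[2]);
  // A shift by 32 would wrap to a shift by 0 in JavaScript, so /0 is special-cased.
  const mask = prefix === 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) >>> 0;
  return { network: (ip4ToInt(m[1]) & mask) >>> 0, mask, prefix };
}

// True when ip lies inside cidr: the network bits match under the mask.
function insubnet(cidr, ip) {
  const { network, mask } = parseCidr(cidr);
  return ((ip4ToInt(ip) & mask) >>> 0) === network;
}

// Longest-prefix match: the most specific matching subnet wins regardless of
// the order of keys in db. A first-match loop returns the /18 for an address
// that also sits in the nested /24 unless the /24 happens to be listed first.
function lookup(db, ip) {
  let best = null;
  for (const cidr of Object.keys(db)) {
    const { prefix } = parseCidr(cidr);
    if (insubnet(cidr, ip) && (best === null || prefix > best.prefix)) {
      best = { prefix, value: db[cidr] };
    }
  }
  return best === null ? null : best.value;
}

// The post's table plus one constructed, more specific entry.
const db = {
  "10.205.0.0/18": "10.205.0.0/18 - UKPOP-BE-001",
  "10.205.64.0/18": "10.205.64.0/18 - UKPOP-WG-001",
  "10.205.128.0/18": "10.205.128.0/18 - UKPOP-OW-001",
  "10.205.192.0/18": "10.205.192.0/18 - UKPOP-NW-001",
  "10.206.0.0/17": "10.206.0.0/17 - UKPOP-GD-001",
  "10.206.128.0/17": "10.206.128.0/17 - UKPOP-GD-002",
  "10.205.5.0/24": "10.205.5.0/24 - UKPOP-BE-002 (constructed)"
};

for (const ip of ["10.206.129.17", "10.205.134.233", "10.205.0.192", "10.205.5.9"]) {
  console.log(ip + " is in " + lookup(db, ip));
}
```

The first three addresses resolve exactly as in the post's output; 10.205.5.9 resolves to the constructed /24 even though the /18 that contains it is listed first, and an address outside every prefix returns null rather than a misleading label.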

General TemplateFx


IP QoS Lookup Table

November 6th, 2013

Every now and again I need to look up an IP ToS or DSCP value, and I spend a good couple of minutes hunting for a table that contains all the different values. In some situations the ToS byte will have an ECN (Explicit Congestion Notification) codepoint set in its low two bits, which changes the ToS value but leaves the DSCP value in the high six bits unchanged. Instead of searching every time, I decided to put together a table and keep it online for future reference.
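The relationship the paragraph describes is plain bit arithmetic, and the following added JavaScript example (not the post's table) makes it explicit: the ToS byte is split into a six-bit DSCP and a two-bit ECN codepoint, the DSCP is named by its per-hop-behaviour class (EF, CSx, AFxy), and the four ToS bytes that share one DSCP are listed so an ECN-marked packet can be recognised. The names follow the standard DSCP and ECN codepoint assignments; the helper names themselves are this example's own.

```javascript
// Added example (not from the post's table): decode and build the IPv4 ToS
// byte under its RFC 2474 / RFC 3168 layout, where the top six bits are the
// DSCP and the bottom two bits are the ECN codepoint.

const ECN_NAMES = ["Not-ECT", "ECT(1)", "ECT(0)", "CE"];   // RFC 3168 codepoints 00..11

// Per-hop-behaviour name for a DSCP value: EF, CSx, AFxy, or a plain number.
function dscpName(dscp) {
  if (!Number.isInteger(dscp) || dscp < 0 || dscp > 63) throw new RangeError("DSCP must be 0..63");
  if (dscp === 46) return "EF";                            // 101110, checked before the AF rule
  const cls = dscp >> 3, low = dscp & 7;
  if (low === 0) return "CS" + cls;                        // class selectors: low three bits zero
  if (cls >= 1 && cls <= 4 && (low === 2 || low === 4 || low === 6)) {
    return "AF" + cls + (low >> 1);                        // AFxy: class x, drop precedence y
  }
  return "DSCP" + dscp;
}

// Split a ToS byte into its DSCP and ECN parts.
function decodeTos(tos) {
  if (!Number.isInteger(tos) || tos < 0 || tos > 255) throw new RangeError("ToS byte must be 0..255");
  const dscp = tos >> 2, ecn = tos & 3;
  return { tos, dscp, ecn, name: dscpName(dscp), ecnName: ECN_NAMES[ecn], ipPrecedence: tos >> 5 };
}

// Build a ToS byte from a DSCP and an optional ECN codepoint.
function encodeTos(dscp, ecn = 0) {
  if (!Number.isInteger(ecn) || ecn < 0 || ecn > 3) throw new RangeError("ECN must be 0..3");
  dscpName(dscp);                                          // range-checks the DSCP
  return (dscp << 2) | ecn;
}

// The four ToS bytes that share one DSCP: an ECN-marked packet looks different
// in a capture, but its DSCP, and therefore its queueing treatment, is unchanged.
function tosVariants(dscp) {
  return [0, 1, 2, 3].map(ecn => encodeTos(dscp, ecn));
}

// One row per DSCP value, in the shape of a reference table.
function dscpTable() {
  const rows = [];
  for (let dscp = 0; dscp < 64; dscp++) {
    const tos = encodeTos(dscp);
    rows.push({
      dscp,
      name: dscpName(dscp),
      binary: dscp.toString(2).padStart(6, "0"),
      tos,
      tosHex: "0x" + tos.toString(16).padStart(2, "0").toUpperCase(),
      ipPrecedence: tos >> 5
    });
  }
  return rows;
}

console.log(decodeTos(0xB9));        // EF (DSCP 46) with ECT(1) set
console.log(tosVariants(46));        // [184, 185, 186, 187]
```

Decoding 0xB9 rather than the familiar 0xB8 is the case the paragraph warns about: the byte no longer matches the table value for EF, but shifting out the ECN bits gives DSCP 46 as before.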

[…]

General QoS


The Long Road to IPv6

September 22nd, 2013

There is a transition happening, albeit slowly, from IPv4 to IPv6 that is going to have an impact, mostly on online gaming and other peer-to-peer services. Ever since the introduction of the Internet as we know it today, we have used public IPv4 addresses to talk to people and to access content online. Unfortunately we have run out of IPv4 addresses; there simply weren't enough to go around. An IPv4 address is a 32-bit number, written as four decimal numbers separated by dots (e.g. 192.168.0.1), which gives roughly 4.3 billion addresses. In comparison, an IPv6 address is a 128-bit number, written as 8 groups of 4 hexadecimal digits separated by colons (e.g. 2001:0db8:85a3:0042:1000:8a2e:0370:7334), which amounts to about 3.4 x 10^38 addresses, or roughly 4.8 x 10^28 for each of the seven billion people alive in 2011.

[…]

General IPv6 NAT