IP Packet

NSSA (ABR+ASBR)

Sometime you face to a router in OSPF which is an ASBR NSSA and it's an ABR as well so in this situation you've two external LSAs on that router, one is LSA type 7 which is advertised to NSSA area and other is LSA type 5 which is advertised to other not stub area.
now in some case you don't need to advertise LSA 7 in NSSA area and you need the router acts as ABR router for NSSA area so to prevent advertising LSA 7 to NSSA area at Cisco routers you can use the following command under ospf process :
area area_id nssa no-redistribution

at the above scenario you can see a router which is an ASBR NSSA router and an ABR router so to prevent IGRP advertisements (external routes) to NSSA area you should do by the below commands :
router ospf 100
area 1 nssa no-redistribution

Active directory demotion

A trick when you're going to uninstall active directory on win2000 and the demotion failed! through dcpromot or dcpromot /forceremove commands
At regedt32 modify the following key from lanmanNT to serverNT :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\ProductOptions\ProductType
when you done it, restart your server then delete NTDS directory after that you should change server from member domain to member of workgroup.
after this alteration you must restart server , now your active directory is demoted and you can install a fresh DC or forget it ;-)

Robot, QRIO

What's Robot? in fact we don't have a specific definition for robot but we can define robot with some specification.usually it's a mechanical machine but these days we can see some software robots so it can be non mechanical, it's reprogrammable and it can intelligence. for instance in industry it move material,part,tools through variable programmed.
Have you ever thought about future and robots? in fact how they would can change our social life in future? how can AI (Artificial Intelligence) help them for thinking like human?
I would like to see those days when we live with intelligence robots.
As you know Sony is a big company and they work on a wonderful project that named QRIO (quest and curious).Sony's goal is personal entertainment so they produced QRIO , it embodies advance technologies in motion control, communication , artificial intelligence.
Major technology includes stable dynamic walking, dancing and running, full arm movement allowing throwing a ball, voice/face recognition, stereoscopic vision, obstacle avoidance, visual mapping, wireless network and ....
you can find more information about QRIO at sony web site http://www.sony.net/SonyInfo/QRIO/

NAT Traversal

Probably you heard IPSEC ESP doesn't work through PAT connection because when the PAT wants to modify ESP layer 4 header it faces to problem. why? because it's encrypted and PAT can't change source port. don't worry the RFC 3948 written by four major companies (F-Secure Corporation, Microsoft, Cisco and Nortel) at jan.2005, can help us but what's your VPN vendor? because all vendor haven't implemented yet.
How does it work?
In fact this protocol defines methods for encapsulate and decapsulate ESP packet inside the UDP for traversing through network address translators.

It's so good for any network which are using PAT and they want to have IPSEC ESP from any hosts of its network.really this protocol help to limitation IP V4 (special thanks to the IETF (Internet Engineering Task Force) for fix this problem in working ESP through PAT)

See detail of this protocol from the following URL :
UDP Encapsulation of IPsec ESP Packets RFC
http://www.faqs.org/rfcs/rfc3948.html

QoS , P2P and NBAR

Data classification is one of more important things in QoS but how we can classified data flow through cisco devices (with proper IOS)?and in this days what's important to prioritize?
Data classification depends on each network data flow, for example when you're using voice,video,citrix application and so on , you should plan a strategy for your classification data.

Generally data network is classified to following :
- Voice
- Mission critical (application like citrix)
- Transactional (E-commerce)
- Best-effort (web,email and ...)
- Less-Than-Best-effort (P2P)
*Note : Cisco recommend that your classification doesn't exceeded from 4 or 5 categorize.

These days Peer 2 Peer file sharing applications are a issue for any network which is connected to internet, because it has many data traffic for instance video,mp3 and other larg files so it cause bad situation when the newtrok has congestion.what do you think when you haven't QoS and all of data flow has same priority? yes ofcourse your voice and other low latency data are experienced loss data.
Cisco content networking architecture help you to classified data in later 4-7, it called Network Based Application Recognition (NBAR) so it can regognition some P2P application like Kazza however it depends on PDLM (packet description language module) which is loaded in your cisco device.
You should download the latest PDLM from Cisco web site to up to date application signatures.

In another aspects NBAR can recognize the HTTP GET packets contain the URL through hostname, mime type as well as it has protocol discovery analyzes application traffic pattern in real time and discovery which traffic is running on the network.it uses SNMP to provide that information.

Regarding to this article see the following commands :
ip nbar pdlm pdlm-file
class-map [match-all | match-any] class-name
policy-map policy-name
class class-name
service-policy output
service-policy input
match protocol protocol-name (like kazza)
match protocol fasttrack file-transfer "regular-expression"
ip nbar protocol-discovery
snmp-sever enable traps cndp

Artificial Intelligence

In the early 1950s Herbert Simon, Allen Newell and Cliff Shaw conducted experiments in writing programs to imitate human thought processes. The experiments resulted in a program called Logic Theorist, which consisted of rules of already proved axioms. When a new logical expression was given to it, it would search through all possible operations to discover a proof of the new expression, using heuristics.
This was a major step in the development of AI. The Logic Theorist was capable of quickly solving thirty-eight out of fifty-two problems with proofs that Whitehead and Russel had devised. At the same time, Shanon came out with a paper on the possibility of computers playing chess. Though the works of Simon et al and Shanon demonstrated the concept of intelligent computer programs, the year 1956 is considered to be the start of the topic Artificial Intelligence. This is because the first AI conference, organised by John McCarthy, Marvin Minsky, Nathaniel Rochester and Claude Shanon at Dartmouth College in New Hampshire, was in 1956. This conference was the first organised effort in the field of machine intelligence. It was at that conference that John McCarthy, the developer of LISP programming language, proposed the term Artificial Intelligence. The Dartmouth conference paved the way for examining the use of computers to process symbols, the need for new languages and the role of computers for theorem proving instead of focusing on hardware that simulated intelligence.

]]> Newell, Shaw and Simon developed a program called General Problem Solver (GPS) in 1959, that could solve many types of problems. It was capable of proving theorems, playing chess and solving complex puzzles. GPS introduced the concept of means-end analysis, involving the matching of present state and goal state. The difference between the two states was used to find out new search directions. GPS also introduced the concept of backtracking and subgoal states that improved the efficiency of problem solving .
Backtracking is used when the search drifts away from the goal state from a previous nearer state, to reach that state. The concept of subgoals introduced a goal-driven search through the knowledge. The major criticism of GPS was that it could not learn from previously solved problems. In the same year, John McCarthy developed LISP programming language, which became the most widely used AI programming language.

Artificial Intelligence and Expert Systems for Engineers
by C.S. Krishnamoorthy; S. Rajeev
CRC Press, CRC Press LLC
ISBN: 0849391253

Diffie Hellman

Diffe Hellman is a method for exchange securely shared key between two nodes over untrusted netwrok like internet, it's not encryption method,it's key aggrement protocol that was developed by Diffie and Hellman in 1976.
in fact it generates key between two nodes,it uses a mathematical algorithm with simple concept, let's take a look the following example :

- Node A and Node B agree on two numbers : p and g
p is a larg prime number and q is called the base or generator
- Node A picks a secret number a
- Node B picks a secret number b
- Node A choose public number x = g^a mod p
- Node B choose public number y = g^b mod p
- now Node A knows y and Node B knows x
* in this step they create key as follow :
- Node A k(a) = y^a mod p
- Node B k(b) = x^b mod p
In fact k(a) = k(b) = k (laws of algebra) in this section Node A and Node B know K as shared key.

unfortunately this method hasn't authentication so a man-in-the-middle can attack and decrypt any messages from Node A and Node B.
The authenticated Diffie-Hellman key agreement protocol was developed by Diffie, van Oorschot, and Wiener in 1992 to defeat the man-in-the-middle attack. it uses digital signature for authentication each origin.

MAC and HMAC

MAC (Message Authentication Code) and HMAC (Keyed-Hashing for Message Authentication Code) are mechanism for providing integrity when the data transfer over untrusted enviroment like internet, they are work base on shared secret key.
When we use MAC mechanism based on cryptographic hash functions so it called HMAC. there are different cryptographic hash functions like SHA-1,MD5,RIPEMD-160,PANAMA,SHA256 and etc.
Let's take a look to HMAC mathematical algorithm :

HMAC(Message) = Hash[(Key XOR OPAD) || Hash(Key XOR IPAD) || Message]
|| means concatenation operation
OPAD (outer padding) = 36hex, repeated as needed
IPAD (inner padding) = 5Chex, repeated as needed

for instance :
message : welcome to ippacket site
secret key : mehrdad
HMAC digest by MD5 = 76960728e94b2693149728b076c614cf
HMAC digest by SHA-1 = 95ab25cb679c193fe141cb92e55126876a5285ea
HMAC digest by RIPEMD160 = fd9bab4a7f4b69d895fbb38f2fb09972c7137c43

MAC is simple than HMAC , it uses encryption like DES.

* HMAC RFC is RFC 2104 you can read it from FAQ.ORG

RSA Encryption and Digital Signature

It offers encryption and authentication (digital signature), developed in 1977 by Ron Rivest, Adi Shamir and Adleman and it works asymetric and generate public and private key by itself.thus encryption and authentication take place without any sharing of private keys: each person uses only another’s public key or their own private key.

For generate public and private keys it takes two larg prime numbers p and q , they should not equal and with a size of at least 1024 bits.
Let's take a look to its algorithm :
n define as follow :
n = p · q
phi define as follow :
φ = (p – 1) · (q – 1)
e is a number greater than 1 and less than φ as follow :
1< e < φ
d define as follow :
(d.e)/φ=1

d is private key and n,e are public key so it's difficult to obtain the private key d from the public key (n, e).
for example when our plaintext = 707
The encrypted data is c = m^e (mod n) :
ciphertext = 707^425(mod 3431) = 2142
then the plaintext is easily retrieved using m = c^d(mod n)
plaintext = 2142^1769(mod 3431) = 707

RSA group 2003 Picture

A trick for using DIP at NetScreen firewall

When a host initiates several sessions that match a policy with network address translation (NAT) enabled and is assigned an address from a dynamic IP (DIP) pool, the NetScreen device assigns a different source IP address for each session. Such random address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session.
I analyzed it with ethereal and i known it use round roubin algorithm for assigment source ip address for example when You ping a host,source address for request ICMP are dffrent and it use round roubin algorithm.
This behaviur cause problem for some service (some web base email,AOL instance messenger and so on)
for using same ip address from DIP pool to a host for multiple concurrent session you should set the following command
set dip sticky
P.S : you can't set this feature from web base

DES

DES is one of encription algorithms , it's an acronym for Data Encription Standard
Oginally DES was developed by IBM in early 1970 as lucifer.
it's symetric and its key length is 64bits (8bits are used for parety),meaning that
there are 72,057,594,037,927,936 possible keys (56bits).
at that time (~1970) it was good algorithm for encription and decription but it's cracked
When computers became powerful.

Complexity Kills Innovation

I believe that any complexity in anythings can kill innovation.
These days we hear about windows OS vulnerability, worm and virus that are intruded to this OS and do wrong functions so this complexity cause complex solutions for solve them.
We can see this situation in some complex network so trubleshooting in these networks are difficult. what's your idea about this complexity?
you can see the following link about this subject :
http://www.securityfocus.com/columnists/300

Triton Studio and Yamaha

Tow days ago , i had to open my synthesizer box for check it out for a reason
It has three layers electronic board ,clavier section and other hardware like CDROM,Floppy drive ,HD and port controller.
It was intresting that some electronic boards which are used in clavier section were labaled with YAMAHA! it seems these two companies work together in some parts.
Anyway if you need any hardware for triton studio you can buy them from www.korgparts.com or contact to 800-590-0014 or 802-464-0014

Juniper OS :: JUNOS and JUNOSe

I'm intersted in oprating system it means their managements for instance process management,memory management and so on also on deadlock detection/avoidance,file system,scheduling strategies and .... I think freeBSD has the best managements and works properly although other OS like SUN Solaris is powerful but FreeBSD is categurised in non-commercial operating system and it comes with full source code. in fact i wanna talk about JUNOS that based on the FreeBSD , first of all please don't pronounce JUN-OS ,you should pronounce just in one syllable.Juniper appliances have JUNOS as operating system which based on the FreeBSD they've modified the freeBSD,extracted some modules and imported specially modified modules and some engines on it. the JUNOS has some parts contain : JKernel (The operating system package) JRoute (The routing engine software) JPFE (The PFE software) JDocs (Updated online reference documentation) Jcrypto (Security software (U.S. domestic only)) Jbase (Additions to JUNOS) Totally they called Jbundle.

]]> Juniper Networks releases several new versions of JUNOS software each year. you can see some feature of JUNOS : - Modularity - JUNOS software employs a modular software design, providing superior resilience and ensuring that new capabilities such as IPv6 can be easily integrated - Routing expertise - Juniper Networks IP routing expertise delivers a full complement of production-hardened routing protocols - Standards-based - thoughtful adherence to industry standards for routing, MPLS, and availability mechanisms such as Protocol Graceful Restart translates to improved stability and reduced operational complexity for customers - Security - JUNOS software combines intelligent packet processing with superior performance to offer customers a potent IP security toolkit - Service richness - whether individual subscriber, enterprise business, or service provider, JUNOS IP services portfolio enables customers to deliver assured experiences to end users of any profile - Policy and control - Juniper Networks SDX and NMC platforms allow customer to invoke and control these powerful JUNOS capabilities; in addition, Juniper Networks JUNOScript XML interface simplifies and accelerates OSS integration Modular software architecture The Juniper appliences load JUNOS from flash memory but they have hard disk for other purpose like syslogs,Backup and so on thereby when they want to become shutdown they should be manually turned off from OS it means execute halt command (request system halt). there isn't any concern about blackout without the shutting down command because at next boot , maybe it takes a few time for checking file system on hard disk drive so if it fails in the worst situation the applience will boot successfully and works properly because the JUNOS is on flash and in this case we don't have backup and logs and so on. Another OS from Juniper is JUNOSe,it's the operating system that powers Juniper Networks market-leading E-series family of edge routers.the Juniper web site said "twenty of the top twenty-five service providers in the world use JUNOSe in their production networks, delivering profitable service to end-user customers. Major publicly announced deployments include: Bell Canada, Cable & Wireless, Deutsche Telekom, France Telecom, Korea Telecom, PCCW, Telstra, Telefonica, XO, and many others.JUNOSe is specifically architected to help service providers migrate from traditional “best effort” IP services to enhanced IP services based on the infranet model." Totally JUNOSe is specifically architectured to address and overcome the challenges that's service provider face at the edge. Some new service in JUNOSe : - Hierarchical QoS capabilities to deliver a voice and data service. - Virtual router and MPLS 2547 VPN technologies. - rolling out IPTV and Video on Demand - A service provider using the per-VLAN queuing, rate limiting, and policy. and .... You can get more information about JUNOS and JUNOSe at the Juniper web site : http://www.juniper.net

Virtual Private LAN service

As you know Ethernet is simple,flexible and scaleable bandwith also it has been revolition in MetroEthernet.Virtual Private LAN service (VPLS) allows service providers to deliver VPN service base on ethernet and it's one of the most inovation of providing Ethernet/MPLS VPN.
it uses Martini encapsulation standard and empowers service providers Ethernet networks with scalability and availability. Without VPLS, the scalability of Ethernet networks is limited to the number of unique identifiers or VLAN IDs used to provide services, and the availability of Ethernet networks is limited by the poor resiliency characteristics of mechanisms such as Spanning Tree Protocol.Some limitation such as QinQ solves and VPLS networks can support over a million unique identifiers.
VPLS is based on an Internet Engineering Task Force (IETF) draft called Lasserre-V. Kompella, written by Marc Lasserre of Riverstone Networks Inc. and Vach Kompella of TiMetra Networks, now owned by Alcatel. VPLS is expected to be a fully ratified standard by the end of this year, but several service providers are already deploying the service because they feel it’s stable enough for commercial use, says Newell.