<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
<title>IP Packet</title>
<link>http://www.ippacket.org/blog/</link>
<description></description>
<language>en</language>
<copyright>Copyright 2005</copyright>
<lastBuildDate>Sun, 02 Oct 2005 10:20:04 +0330</lastBuildDate>
<generator>http://www.movabletype.org/?v=3.17</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs> 

<item>
<title>NSSA (ABR+ASBR)</title>
<description><![CDATA[<p><b>S</b>ometimes you come across an OSPF router that is an NSSA ASBR and also an ABR. In this situation there are two external LSAs on that router: an LSA type 7, which is advertised into the NSSA area, and an LSA type 5, which is advertised into the other, non-stub areas.<br />
In some cases you don't need to advertise the type 7 LSA into the NSSA area, and you only need the router to act as an ABR for the NSSA area. To prevent advertising type 7 LSAs into the NSSA area on Cisco routers, use the following command under the OSPF process:<br />
area area_id nssa no-redistribution<br />
<img alt="nssa-ospf.gif" src="http://www.ippacket.org/blog/archives/images/nssa-ospf.gif" width="469" height="284" /><br />
In the scenario above you can see a router that is both an NSSA ASBR and an ABR. To prevent the IGRP advertisements (external routes) from being advertised into the NSSA area, use the commands below:<br />
router ospf 100<br />
area 1 nssa no-redistribution</p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/10/nssa_abrasbr_1.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/10/nssa_abrasbr_1.html</guid>
<category>Networking</category>
<pubDate>Sun, 02 Oct 2005 10:20:04 +0330</pubDate>
</item>
<item>
<title>Active directory demotion</title>
<description><![CDATA[<p><b>A</b> trick for when you are going to uninstall Active Directory on Win2000 and the demotion has failed through the dcpromo or dcpromo /forceremoval commands.<br />
In regedt32, change the following value from lanmanNT to serverNT:<br />
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\ProductOptions\ProductType<br />
When you have done that, restart your server, then delete the NTDS directory. After that, change the server from a domain member to a workgroup member.<br />
After this change you must restart the server. Now your Active Directory is demoted and you can install a fresh DC or forget it ;-)</p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/07/active_director.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/07/active_director.html</guid>
<category>Networking</category>
<pubDate>Mon, 18 Jul 2005 13:10:11 +0330</pubDate>
</item>
<item>
<title>Robot, QRIO</title>
<description><![CDATA[<p><img alt="qrio_01.jpg" src="http://www.ippacket.org/blog/images/qrio_01.jpg" width="79" height="113" border="0" /></p>

<p><b>W</b>hat is a robot? In fact we don't have a specific definition for a robot, but we can define one by some characteristics. Usually it's a mechanical machine, but these days we also see software robots, so it can be non-mechanical; it's reprogrammable and it can be intelligent. For instance, in industry it moves materials, parts and tools through variable programmed motions.<br />
Have you ever thought about the future and robots? How could they change our social life in the future? How can AI (Artificial Intelligence) help them think like humans?<br />
I would like to see the days when we live with intelligent robots.<br />
As you know, Sony is a big company, and they are working on a wonderful project named QRIO (quest and curious). Sony's goal is personal entertainment, so they produced QRIO; it embodies advanced technologies in motion control, communication and artificial intelligence.<br />
The major technologies include stable dynamic walking, dancing and running, full arm movement allowing it to throw a ball, voice/face recognition, stereoscopic vision, obstacle avoidance, visual mapping, wireless networking and ....<br />
You can find more information about QRIO at the Sony web site <a href=http://www.sony.net/SonyInfo/QRIO/>http://www.sony.net/SonyInfo/QRIO/</a></p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/04/robot_qrio.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/04/robot_qrio.html</guid>
<category>Artificial Intelligence</category>
<pubDate>Tue, 19 Apr 2005 12:02:45 +0330</pubDate>
</item>
<item>
<title>NAT Traversal</title>
<description><![CDATA[<p><img alt="natt.jpg" src="http://www.ippacket.org/blog/images/natt.jpg" width="127" height="94" border="0" /><br />
You have probably heard that IPsec ESP doesn't work through a PAT connection, because when the PAT device wants to modify the layer 4 header of an ESP packet it runs into a problem. Why? Because it's encrypted and PAT can't change the source port. Don't worry: RFC 3948, written by four major companies (F-Secure Corporation, Microsoft, Cisco and Nortel) in Jan. 2005, can help us. But who is your VPN vendor? Not all vendors have implemented it yet.<br />
How does it work? <br />
In fact this protocol defines methods to encapsulate and decapsulate ESP packets inside UDP packets for traversing network address translators.</p>

<p><img alt="nattp.jpg" src="http://www.ippacket.org/blog/images/nattp.jpg" width="384" height="61" border="0" /></p>

<p>It's very good for any network that uses PAT and wants IPsec ESP from any host on the network. This protocol really helps with a limitation of IPv4 (special thanks to the IETF (Internet Engineering Task Force) for fixing this problem of running ESP through PAT).</p>

<p>See the details of this protocol at the following URL:<br />
UDP Encapsulation of IPsec ESP Packets RFC<br />
<a href=http://www.faqs.org/rfcs/rfc3948.html>http://www.faqs.org/rfcs/rfc3948.html</a></p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/04/nat_traversal.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/04/nat_traversal.html</guid>
<category>Networking</category>
<pubDate>Mon, 04 Apr 2005 17:39:50 +0330</pubDate>
</item>
<item>
<title>QoS , P2P and NBAR</title>
<description><![CDATA[<p>Data classification is one of the most important things in QoS, but how can we classify data flows through Cisco devices (with the proper IOS)? And these days, what is important to prioritize?<br />
Data classification depends on each network's data flows. For example, when you're using voice, video, Citrix applications and so on, you should plan a strategy for classifying your data.</p>

<p>Generally, network data is classified as follows:<br />
- Voice<br />
- Mission critical (application like citrix)<br />
- Transactional (E-commerce)<br />
- Best-effort (web,email and ...)<br />
- Less-Than-Best-effort (P2P)<br />
*Note: Cisco recommends that your classification does not exceed 4 or 5 categories.</p>

<p>These days peer-to-peer file sharing applications are an issue for any network that is connected to the Internet, because they generate a lot of data traffic, for instance video, MP3 and other large files, so they cause a bad situation when the network is congested. What do you think happens when you don't have QoS and all data flows have the same priority? Yes, of course: your voice and other low-latency data experience loss.<br />
Cisco content networking architecture helps you classify data at layers 4-7. It is called Network Based Application Recognition (NBAR), and it can recognize some P2P applications like Kazaa; however, it depends on the PDLM (packet description language module) that is loaded on your Cisco device.<br />
You should download the latest PDLM from the Cisco web site to keep application signatures up to date.</p>

<p>In addition, NBAR can recognize HTTP GET packets by the URL, hostname or MIME type they contain. It also has protocol discovery, which analyzes application traffic patterns in real time and discovers which traffic is running on the network; it uses SNMP to provide that information.</p>

<p>For this article, see the following commands:<br />
ip nbar pdlm pdlm-file<br />
class-map [match-all | match-any] class-name<br />
policy-map policy-name<br />
class class-name<br />
service-policy output<br />
service-policy input<br />
match protocol protocol-name (like Kazaa)<br />
match protocol fasttrack file-transfer "regular-expression"<br />
ip nbar protocol-discovery<br />
snmp-server enable traps cnpd</p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/qos_p2p_and_nba.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/qos_p2p_and_nba.html</guid>
<category>Networking</category>
<pubDate>Tue, 29 Mar 2005 20:48:02 +0330</pubDate>
</item>
<item>
<title>Artificial Intelligence</title>
<description><![CDATA[<p><img alt="ai.jpg" src="http://www.ippacket.org/blog/images/ai.jpg" width="108" height="91" border="0" /></p>

<p><b>I</b>n the early 1950s Herbert Simon, Allen Newell and Cliff Shaw conducted experiments in writing programs to imitate human thought processes. The experiments resulted in a program called Logic Theorist, which consisted of rules of already proved axioms. When a new logical expression was given to it, it would search through all possible operations to discover a proof of the new expression, using heuristics. <br />
This was a major step in the development of AI. The Logic Theorist was capable of quickly solving thirty-eight out of fifty-two problems with proofs that Whitehead and Russell had devised. At the same time, Shannon came out with a paper on the possibility of computers playing chess. Though the works of Simon et al. and Shannon demonstrated the concept of intelligent computer programs, the year 1956 is considered to be the start of the topic Artificial Intelligence. This is because the first AI conference, organised by John McCarthy, Marvin Minsky, Nathaniel Rochester and Claude Shannon at Dartmouth College in New Hampshire, was in 1956. This conference was the first organised effort in the field of machine intelligence. It was at that conference that John McCarthy, the developer of the LISP programming language, proposed the term Artificial Intelligence. The Dartmouth conference paved the way for examining the use of computers to process symbols, the need for new languages and the role of computers for theorem proving instead of focusing on hardware that simulated intelligence. </p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/artificial_inte.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/artificial_inte.html</guid>
<category>Artificial Intelligence</category>
<pubDate>Sat, 19 Mar 2005 15:25:53 +0330</pubDate>
</item>
<item>
<title>Diffie Hellman</title>
<description><![CDATA[<p><img alt="sharedkey.jpg" src="http://www.ippacket.org/blog/images/sharedkey.jpg" width="78" height="51" border="0" /></p>

<p>Diffie-Hellman is a method for securely exchanging a shared key between two nodes over an untrusted network like the Internet. It's not an encryption method; it's a key agreement protocol that was developed by Diffie and Hellman in 1976.<br />
In fact it generates a key between two nodes. It uses a mathematical algorithm with a simple concept; let's take a look at the following example:</p>

<p>- Node A and Node B agree on two numbers: p and g<br />
p is a large prime number and g is called the base or generator<br />
- Node A picks a secret number a<br />
- Node B picks a secret number b<br />
- Node A computes the public number x = g^a mod p<br />
- Node B computes the public number y = g^b mod p<br />
- Now Node A knows y and Node B knows x<br />
* In this step they create the key as follows:<br />
  - Node A k(a) = y^a mod p<br />
  - Node B k(b) = x^b mod p<br />
In fact k(a) = k(b) = k (laws of algebra), so at this point Node A and Node B both know k as the shared key.</p>

<p>Unfortunately this method has no authentication, so a man-in-the-middle can attack it and decrypt any messages from Node A and Node B.<br />
The authenticated Diffie-Hellman key agreement protocol was developed by Diffie, van Oorschot, and Wiener in 1992 to defeat the man-in-the-middle attack. It uses digital signatures to authenticate each origin.</p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/diffie_hellman.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/diffie_hellman.html</guid>
<category>Security</category>
<pubDate>Sat, 12 Mar 2005 17:26:35 +0330</pubDate>
</item>
<item>
<title>MAC and HMAC</title>
<description><![CDATA[<p>MAC (Message Authentication Code) and HMAC (Keyed-Hashing for Message Authentication Code) are mechanisms for providing integrity when data is transferred over an untrusted environment like the Internet; they work based on a shared secret key.<br />
When a MAC mechanism is based on a cryptographic hash function, it is called HMAC. There are different cryptographic hash functions, such as SHA-1, MD5, RIPEMD-160, PANAMA, SHA256, etc.<br />
Let's take a look at the HMAC mathematical algorithm:</p>

<p>HMAC(Message) = Hash[(Key XOR OPAD) || Hash(Key XOR IPAD) || Message]<br />
|| means concatenation operation<br />
OPAD (outer padding) = 36hex, repeated as needed<br />
IPAD (inner padding) = 5Chex, repeated as needed</p>

<p>for instance :<br />
message : welcome to ippacket site<br />
secret key : mehrdad<br />
HMAC digest by MD5 = 76960728e94b2693149728b076c614cf<br />
HMAC digest by SHA-1 = 95ab25cb679c193fe141cb92e55126876a5285ea<br />
HMAC digest by RIPEMD160 = fd9bab4a7f4b69d895fbb38f2fb09972c7137c43</p>

<p>MAC is simpler than HMAC; it uses encryption like DES.</p>

<p>* The HMAC RFC is RFC 2104; you can read it at <a href=http://www.faqs.org/rfcs/rfc2104.html> FAQ.ORG </a></p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/mac_and_hmac.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/mac_and_hmac.html</guid>
<category>Security</category>
<pubDate>Mon, 07 Mar 2005 16:42:59 +0330</pubDate>
</item>
<item>
<title>RSA Encryption and Digital Signature</title>
<description><![CDATA[<p>RSA offers encryption and authentication (digital signatures). It was developed in 1977 by Ron <b>R</b>ivest, Adi <b>S</b>hamir and <b>A</b>dleman; it is asymmetric and generates its own public and private keys. Thus encryption and authentication take place without any sharing of private keys: each person uses only another’s public key or their own private key.<br />
<br><br />
<img alt="rsa.jpg" src="http://www.ippacket.org/blog/images/rsa.jpg" width="149" height="108" border="0" /><br />
<br><br />
To generate the public and private keys it takes two large prime numbers p and q; they should not be equal and should have a size of at least 1024 bits.<br />
Let's take a look at its algorithm:<br />
n is defined as follows:<br />
n = p · q<br />
phi is defined as follows:<br />
&#966; = (p – 1) · (q – 1)<br />
e is a number greater than 1 and less than &#966;, as follows:<br />
1 < e < &#966;<br />
d is defined as follows:<br />
(d.e)/&#966;=1</p>

<p>d is the private key and (n, e) is the public key; it is difficult to obtain the private key d from the public key (n, e). <br />
For example, when our plaintext is 707:<br />
The encrypted data is c = m^e (mod n):<br />
ciphertext = 707^425 (mod 3431) = 2142<br />
Then the plaintext is easily retrieved using m = c^d (mod n):<br />
plaintext = 2142^1769(mod 3431) = 707</p>

<p><a href="http://www.ippacket.org/blog/images/RSA-2003.html" onclick="window.open('http://www.ippacket.org/blog/images/RSA-2003.html','popup','width=3072,height=2048,scrollbars=yes,resizable=yes,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false">RSA group 2003 Picture</a></p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/rsa_encryption.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/rsa_encryption.html</guid>
<category>Security</category>
<pubDate>Sun, 06 Mar 2005 10:20:29 +0330</pubDate>
</item>
<item>
<title>A trick for using DIP at NetScreen firewall</title>
<description><![CDATA[<p>When a host initiates several sessions that match a policy with network address translation (NAT) enabled and is assigned an address from a dynamic IP (DIP) pool, the NetScreen device assigns a different source IP address for each session. Such random address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session.<br />
I analyzed it with Ethereal and found that it uses a round-robin algorithm to assign the source IP address. For example, when you ping a host, the source addresses of the ICMP requests are different, and it uses the round-robin algorithm.<br />
This behaviour causes problems for some services (some web-based email, AOL Instant Messenger and so on).<br />
To use the same IP address from the DIP pool for a host's multiple concurrent sessions, set the following command:<br />
<b>set dip sticky</b><br />
P.S.: you can't set this feature from the web-based interface.</p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/a_trick_for_usi.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/a_trick_for_usi.html</guid>
<category>Security</category>
<pubDate>Thu, 03 Mar 2005 01:10:24 +0330</pubDate>
</item>
<item>
<title>DES</title>
<description><![CDATA[<p>DES is an encryption algorithm; the name is an acronym for Data Encryption Standard.<br />
Originally DES was developed by IBM in early 1970 as Lucifer.<br />
It's symmetric and its key length is 64 bits (8 bits are used for parity), meaning that there are 72,057,594,037,927,936 possible keys (56 bits).<br />
At that time (~1970) it was a good algorithm for encryption and decryption, but it was cracked when computers became powerful.</p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/des.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/des.html</guid>
<category>Security</category>
<pubDate>Wed, 02 Mar 2005 22:38:19 +0330</pubDate>
</item>
<item>
<title>Complexity Kills Innovation</title>
<description><![CDATA[<p><img alt="complex.jpg" src="http://www.ippacket.org/blog/images/complex.jpg" width="105" height="110" border="0" /></p>

<p><b>I</b> believe that complexity in anything can kill innovation.<br />
These days we hear about Windows OS vulnerabilities, and worms and viruses that intrude into this OS and perform wrong functions, so this complexity leads to complex solutions to solve them.<br />
We can see this situation in some complex networks, so troubleshooting in these networks is difficult. What's your opinion about this complexity? <br />
You can see the following link about this subject:<br />
http://www.securityfocus.com/columnists/300  </p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/complexity_kill.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/complexity_kill.html</guid>
<category>Security</category>
<pubDate>Wed, 02 Mar 2005 12:10:58 +0330</pubDate>
</item>
<item>
<title>Triton Studio and Yamaha</title>
<description><![CDATA[<p><img alt="triton.jpg" src="http://www.ippacket.org/blog/images/triton.jpg" width="119" height="60" border="0" /></p>

<p>Two days ago, I had to open my synthesizer's case to check it out for a reason.<br />
It has three layers of electronic boards, a clavier section and other hardware like a CD-ROM, floppy drive, HD and port controller.<br />
It was interesting that some electronic boards used in the clavier section were labeled with YAMAHA! It seems these two companies work together on some parts.<br />
Anyway, if you need any hardware for the Triton Studio you can buy it from www.korgparts.com or call 800-590-0014 or 802-464-0014.</p>]]></description>
<link>http://www.ippacket.org/blog/archives/2005/03/triton_studio_a.html</link>
<guid>http://www.ippacket.org/blog/archives/2005/03/triton_studio_a.html</guid>
<category>Synthesizer</category>
<pubDate>Tue, 01 Mar 2005 22:16:04 +0330</pubDate>
</item>
<item>
<title>Juniper OS :: JUNOS and JUNOSe</title>
<description><![CDATA[<p><IMG height=50 alt=junos_293_thumb.gif src="http://www.ippacket.org/blog/images/junos_293_thumb.gif" width=95 border=0> I'm interested in operating systems, meaning their management functions, for instance process management, memory management and so on, and also deadlock detection/avoidance, file systems, scheduling strategies and .... I think FreeBSD has the best management and works properly; although other OSes like Sun Solaris are powerful, FreeBSD is categorized as a non-commercial operating system and it comes with full source code. In fact I want to talk about JUNOS, which is based on FreeBSD. First of all, please don't pronounce it JUN-OS; you should pronounce it in just one syllable. Juniper appliances have JUNOS as their operating system, which is based on FreeBSD: they have modified FreeBSD, extracted some modules and imported specially modified modules and some engines into it. JUNOS consists of the following parts:<br />
- JKernel (the operating system package)<br />
- JRoute (the routing engine software)<br />
- JPFE (the PFE software)<br />
- JDocs (updated online reference documentation)<br />
- Jcrypto (security software (U.S. domestic only))<br />
- Jbase (additions to JUNOS)<br />
Together they are called Jbundle. </p>]]></description>
<link>http://www.ippacket.org/blog/archives/2004/08/juniper_os_juno.html</link>
<guid>http://www.ippacket.org/blog/archives/2004/08/juniper_os_juno.html</guid>
<category>Networking</category>
<pubDate>Tue, 31 Aug 2004 22:29:37 +0330</pubDate>
</item>
<item>
<title>Virtual Private LAN service </title>
<description><![CDATA[<p><b>A</b>s you know, Ethernet is simple and flexible and offers scalable bandwidth, and it has been a revolution in Metro Ethernet. Virtual Private LAN Service (VPLS) allows service providers to deliver VPN service based on Ethernet, and it's one of the biggest innovations in providing Ethernet/MPLS VPNs.<br />
It uses the Martini encapsulation standard and empowers service providers' Ethernet networks with scalability and availability. Without VPLS, the scalability of Ethernet networks is limited to the number of unique identifiers or VLAN IDs used to provide services, and the availability of Ethernet networks is limited by the poor resiliency characteristics of mechanisms such as Spanning Tree Protocol. Some limitations, such as those of QinQ, are solved, and VPLS networks can support over a million unique identifiers.<br />
VPLS is based on an Internet Engineering Task Force (IETF) draft called Lasserre-V. Kompella, written by Marc Lasserre of Riverstone Networks Inc. and Vach Kompella of TiMetra Networks, now owned by Alcatel. VPLS is expected to be a fully ratified standard by the end of this year, but several service providers are already deploying the service because they feel it’s stable enough for commercial use, says Newell.</p>]]></description>
<link>http://www.ippacket.org/blog/archives/2004/08/virtual_private.html</link>
<guid>http://www.ippacket.org/blog/archives/2004/08/virtual_private.html</guid>
<category>Networking</category>
<pubDate>Wed, 18 Aug 2004 12:11:33 +0330</pubDate>
</item>


</channel>
</rss>
