Since PAN-OS version 9.0 you can configure GRE tunnels on a Palo Alto Networks firewall. Greetings from the clouds. As always, this is done solely through the GUI, while you can use some CLI commands to test the tunnel. This time Palo put a little stumbling block in there: the GRE connection itself has to be allowed in a security policy with the correct zone and IP references, otherwise the tunnel never comes up. I will show how to set up such a GRE tunnel between a Palo and a Cisco router. Here we go:
Certificate Transparency & Alternative Name Disclosure
Maybe you’ve heard of Certificate Transparency and its logs. Citing Wikipedia: “Certificate Transparency (CT) is an Internet security standard and open source framework for monitoring and auditing digital certificates.” Basically, it gives you information about every publicly trusted certificate that is issued. Besides its advantages, I thought of one possible problem: it leaks all FQDNs to the public when you use TLS certificates, for example from Let’s Encrypt, because every name in a logged certificate becomes searchable.
A similar problem arises when using a single X.509 certificate with several DNS names (subject alternative names, SANs) of which one should be kept “private”. It will be publicly known as well, since the whole certificate, SAN list included, ends up in the logs.
Hence I made a self-experiment in which I generated two certificates with random names, monitoring the authoritative DNS servers as well as the IPv6 addresses of those names in order to check who resolves/connects to otherwise unknown hostnames. Here we go:
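To see for yourself what the logs disclose about your own domain, the script below (an added example, not code from the original post or the experiment it describes) parses the JSON that crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json: one object per logged certificate, with the CN in common_name and the SAN dNSNames newline-separated in name_value. The embedded payload is constructed to mimic that shape; the domain, names and IDs in it are assumptions, as is the helper naming. The second entry shows the SAN problem from the text: the public VPN name drags an internal name into the log with it.

```python
"""Which DNS names does Certificate Transparency expose for a domain?

Added example, not code from the original post. crt.sh answers
https://crt.sh/?q=%25.<domain>&output=json with one JSON object per
logged certificate; 'common_name' holds the CN and 'name_value' the
SAN dNSNames, newline-separated. Everything in those two fields is
public, including the one SAN you meant to keep private.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample in the shape of a crt.sh response (not real log entries).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    # One certificate with two SANs: the public VPN name drags the
    # internal Git name into the log with it.
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nintranet-git.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])


def parse_ct_json(text):
    """Decode a crt.sh JSON document into a list of entry dicts."""
    return json.loads(text)


def entry_names(entry):
    """All DNS names one logged certificate discloses (CN plus SANs), lower-cased."""
    raw = (entry.get("common_name") or "") + "\n" + (entry.get("name_value") or "")
    return {n.strip().lower() for n in raw.split("\n") if n.strip()}


def names_from_ct_entries(entries):
    """Sorted union of every name disclosed across all log entries."""
    names = set()
    for entry in entries:
        names |= entry_names(entry)
    return sorted(names)


def leaked_private_names(entries, private_names):
    """Map each 'private' name found in CT to the IDs of the entries exposing it."""
    wanted = {n.lower() for n in private_names}
    leaks = {}
    for entry in entries:
        for name in sorted(entry_names(entry) & wanted):
            leaks.setdefault(name, []).append(entry["id"])
    return leaks


def crtsh_url(domain):
    """Query URL for all logged certificates whose names end in .<domain>."""
    return "https://crt.sh/?" + urllib.parse.urlencode({"q": "%." + domain, "output": "json"})


def fetch_ct_entries(domain, timeout=30):
    """Live lookup (needs network); crt.sh returns a JSON list, possibly empty."""
    with urllib.request.urlopen(crtsh_url(domain), timeout=timeout) as resp:
        return parse_ct_json(resp.read().decode("utf-8"))


if __name__ == "__main__":
    entries = parse_ct_json(SAMPLE_CRTSH_JSON)
    print("public names:", names_from_ct_entries(entries))
    print("leaked:", leaked_private_names(entries, ["intranet-git.example.com"]))
```

Running leaked_private_names() against a list of hostnames you never meant to publish is the practical check: if a name shows up, the fix is a separate certificate for it (or an internal CA), not removing it from the SAN list of the next renewal, because the old entry stays in the logs forever.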
Slowing down my Blogging Rate
A few days ago, my blog turned seven (7). Wow! And this post right here is number 329. That is roughly one post per week over the last seven years. Not bad. ;D I can’t believe I was able to publish that much at this rate for so long. However, I have decided to slow down my publishing rate for a couple of reasons. Following are some insights:
UK IPv6 Council Spring 2024: Incorrect Working IPv6 Clients & Networks
I did a short presentation at the spring 2024 roundtable of the UK IPv6 Council. The talk was about a case study I did with my NTP server listed in the NTP Pool project: For 66 days I captured all NTP requests for IPv6 and legacy IP while analyzing the returning ICMPv6/ICMPv4 error messages. (A much longer period than my initial capture for 24 hours.) Following are my presentation slides along with the results.
I gave a session about IPv6 at SharkFest’19 EUROPE, the annual Wireshark developer and user community conference, named “IPv6 Crash Course: Understanding IPv6 as seen on the wire”. The talk covers the IPv6 basics: IPv6 addresses & address assignment, link-layer address resolution, and ICMPv6. Tips for using Wireshark coloring rules and display filters round things up.
As I have not yet published the slides, here they are. Unfortunately, we were not able to record the session due to technical problems, neither the video nor the audio. ;( Hence, only the slides.
Categories: At a Glance, IPsec/VPN, TLS. Tags: Policy-Based VPN, Remote Access VPN, Route-Based VPN, Site-to-Site VPN, SSL-VPN, TLS, VPN Portal, Web VPN. Author: Johannes Weber
Another small post out of my “At a Glance” series: The different types of virtual private networks (VPNs). Looking at Site-to-Site and Remote Access VPNs.
In the previous post, I released a single pcap which includes every pcap I had so far on my blog. But that’s not all: I have some packets in there that were not yet published up to now. That is, here are some more details about those (probably well-known) protocols. These are:
For the last couple of years, I captured many different network and upper-layer protocols and published the pcaps along with some information and Wireshark screenshots on this blog. However, it sometimes takes me some time to find the correct pcap when I am searching for a concrete protocol example. There are way too many pcaps out there.
This is supposed to change now:
I’m publishing a single pcap meant to be the single source for Wireshark samples. It summarizes *all* previous ones from my blog and even adds some more protocols and details. I will constantly add more packets to this pcap as I capture them. Currently, it has > 50 different protocols and hundreds of variants, such as IPv6 and legacy IP traffic, different DNS query types, ICMP error codes, and so on.
I am using the WHOIS client a lot these days since I am migrating some RIPE objects such as ASes, inetnum/inet6num, etc. Meanwhile, I realized that I have never captured this TCP port 43 protocol, nor looked at it with Wireshark. That’s what this post is all about, including a downloadable pcap for your own analysis.
VoIP calls, using the network protocols SIP/SDP and RTP, are the de-facto standard when it comes to voice calls. Wireshark offers some special features to analyze those calls and RTP streams, even with a nice “Play Streams” option, which decodes your calls right out of the capture. Ouch. It is frightening, again and again, how many privacy-relevant protocols are completely unencrypted on the Internet!
Here are some hints for Wireshark as well as a downloadable pcap with three calls in there. ;) Have fun!
Some time ago I published a post called DNS Test Names & Resource Records which lists many different FQDNs with lots of different RRs. You can use those publicly available DNS names to test your DNS servers or the like. However, I was missing a packet capture showing all these resource records as they appear on the wire. So now, here it is. If you are searching for some packets to test your tools for whatever reason, feel free to download this pcap.
Dive into delv: DNSSEC Validation
If you’re into DNSSEC, you’ll probably have to troubleshoot it, or at least verify it. While there are some good online tools such as DNSViz, there is also a command-line tool (shipped with BIND) to test DNSSEC signatures on site: delv.
Citing its man page: “delv will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.” (The DLV lookaside mechanism has since been retired; current BIND releases validate through DS records only.)
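When delv runs inside a monitoring script rather than by hand, what matters is the status comment it prints ahead of the answer: “; fully validated” for a secure answer, “; unsigned answer” for an unsigned (insecure) zone, the “; negative response, …” variants for NXDOMAIN/NODATA, and “;; resolution failed: <reason>” when resolution or validation breaks. The parser below is an added example, not part of the original post or of BIND; the sample outputs are constructed (rdata shortened, addresses from documentation ranges), and run_delv() is an assumed thin wrapper that needs delv installed and network access.

```python
"""Interpret delv output in a script.

Added example, not code from the original post. delv prints a status
comment ahead of the answer section: '; fully validated' for a secure
answer, '; unsigned answer' for an insecure (unsigned) zone, the
'; negative response, ...' variants for NXDOMAIN/NODATA, and
';; resolution failed: <reason>' when validation or resolution breaks.
The sample outputs below are constructed, with rdata shortened.
"""
import subprocess

SAMPLE_SECURE = """\
; fully validated
example.com.            3600    IN      A       93.184.216.34
example.com.            3600    IN      RRSIG   A 13 2 3600 20240301000000 20240201000000 12345 example.com. c2FtcGxl...
"""

SAMPLE_INSECURE = """\
; unsigned answer
example.org.            300     IN      A       192.0.2.10
"""

SAMPLE_NEGATIVE = """\
; negative response, fully validated
; example.com.          3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024020101 7200 3600 1209600 3600
"""

SAMPLE_BOGUS = """\
;; resolution failed: SERVFAIL
"""

# Longer prefixes first so the negative-response variants are not
# mistaken for the plain ones.
STATUS_PREFIXES = (
    ("; negative response, fully validated", "secure"),
    ("; negative response, unsigned answer", "insecure"),
    ("; fully validated", "secure"),
    ("; unsigned answer", "insecure"),
)


def delv_status(output):
    """Classify delv output as 'secure', 'insecure', 'failed: <reason>' or 'unknown'."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(";; resolution failed:"):
            return "failed: " + line.split(":", 1)[1].strip()
        for prefix, verdict in STATUS_PREFIXES:
            if line.startswith(prefix):
                return verdict
    return "unknown"


def answer_records(output):
    """Parse the non-comment lines into (owner, ttl, class, type, rdata) tuples."""
    records = []
    for line in output.splitlines():
        # comment lines (status, +rtrace fetch lines, SOA of negative answers) start with ';'
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        owner, ttl, rrclass, rrtype, rdata = parts
        records.append((owner, int(ttl), rrclass, rrtype, rdata))
    return records


def run_delv(name, rrtype="A", server=None, extra_args=()):
    """Run delv (needs network) and return (status, records); extra_args e.g. ('+rtrace',)."""
    cmd = ["delv"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rrtype, *extra_args]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    return delv_status(output), answer_records(output)


if __name__ == "__main__":
    for sample in (SAMPLE_SECURE, SAMPLE_INSECURE, SAMPLE_NEGATIVE, SAMPLE_BOGUS):
        print(delv_status(sample), answer_records(sample))
```

A check that only tests for a non-empty answer misses the interesting case: an unsigned zone returns records just like a signed one, so alert on anything other than “secure” for names you expect to be signed, and treat “failed: SERVFAIL” from a validating resolver as a likely broken signature or expired RRSIG rather than a transport problem.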
As you might have noticed, I am playing a lot with NTP these days. Having a networking background, I also like Power over Ethernet. So what’s more obvious than using a PoE-powered NTP display for test purposes? ;D
Setting up NTS-Secured NTP with NTPsec
This is a guest blog post by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.
In the previous posts, I already introduced the Network Time Security (NTS) protocol and described the most important features. Although the specification process has not been completed, there are already some independent NTS implementations and public time servers (IETF 106). NTPsec is one of the important representatives of this series and already offers an advanced NTS solution. In this post, I’ll give you a short guide to setting up an NTS-secured NTP client/server with NTPsec.
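The two ntp.conf fragments below are an added illustration of the NTPsec directives such a setup relies on, not configuration taken from the guest post. The hostname ntp.example.net, the Let’s Encrypt certificate paths and the cookie-key path are assumptions; the directive names (nts enable, nts key, nts cert, nts cookie, and the nts keyword on a server line) are NTPsec’s own.

```conf
# --- NTS server (NTPsec /etc/ntp.conf) ---
driftfile /var/lib/ntp/ntp.drift

# Upstream sources; use NTS towards them too where they offer it.
server upstream.example.org nts

# Start the NTS-KE listener (TCP 4460). The certificate's SAN must match
# the name clients configure, otherwise the TLS handshake fails.
nts enable
nts key  /etc/letsencrypt/live/ntp.example.net/privkey.pem
nts cert /etc/letsencrypt/live/ntp.example.net/fullchain.pem
# Persist the cookie master keys so client cookies survive a restart.
nts cookie /var/lib/ntp/nts-keys

# Serve time, but refuse control queries and configuration changes.
restrict default kod limited nomodify noquery
restrict 127.0.0.1
restrict ::1

# --- NTS client (NTPsec /etc/ntp.conf) ---
driftfile /var/lib/ntp/ntp.drift

# 'nts' makes ntpd run NTS-KE first and then authenticate every NTP
# packet from this server; optionally pin a CA bundle with 'ca <file>'.
server ntp.example.net nts
# server ntp.example.net nts ca /etc/ssl/certs/ca-certificates.crt
```

Two things to verify after restarting ntpd: ntpq -p should show the server reaching and ntpq -c nts should show NTS-KE handshakes and authenticated packets being counted, and the firewall in front of the server must pass TCP 4460 in addition to UDP 123. One caveat to keep in mind: the client validates the server certificate during NTS-KE, so a client whose clock is off by more than the certificate validity window cannot bootstrap over NTS alone.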
I Love IPv6 Addressing!
Categories: At a Glance, IPv6. Tags: Advantages, IP Address, IPv6, Legacy IP. Author: Johannes Weber
Probably the biggest prejudice when it comes to IPv6 is: “I don’t like those long addresses – they are hard to remember.” While this seems obvious given the length and hexadecimal notation of v6 addresses, it is NOT true. In the end, you’ll love IPv6 addresses in your own networks. This is why, summed up in one poster: