Ericsson's very good bad quarter, Mozilla encrypts SNI, new TIP projects, and more

Your weekly dose of networking

Coming off a long string of losses, Ericsson probably hoped to turn in some good news, but at its latest financial results, the company announced the sacking of 50 people in response to a corruption scandal.

This is in relation to an ongoing US Department of Justice and the US Securities and Exchange Commission (SEC) probe that began in 2013, and is, according to reports, to do with allegations of bribery in the company's Asia-Pacific and EMEA regions.

During the Q3 2018 earnings presentation, CEO Börje Ekholm said the 50 people dismissed have also been reported to authorities and foreshadowed that further measures were likely.

The company doesn't yet know how much the investigation (and any subsequent legal action) might cost it: “Today we can't assess the magnitude of this which is why we don't take a provision against it … It is an ongoing matter and that is unfortunate, but that is where we are,” Ekholm told analysts at an earnings presentation.

In its announcement, Ericsson noted that it has been cooperating with the SEC since 2013 and the Department of Justice since 2015.

Oh, and its sales were up 9 per cent over Q3 2017 – from SEK 49.4bn ($5.47bn) to SEK 53.8bn ($6bn) – with a Q3 2018 net profit of 2.7 billion Swedish kronor ($300m). That's quite the turnaround from its SEK3.5bn ($390m) loss in Q3 2017.

Mozilla adding crypto to server lookups

Mozilla has shut off another possible approach to user tracking: in the latest Firefox Nightly, it has started encrypting the SNI (Server Name Indication) field.

As Eric Rescorla explained, website content is protected by HTTPS, but SNI fields travel in the clear.

SNI is important when multiple servers share the same IP address, because it indicates which security certificate the browser should accept – and that means a snoop could read that data to build a user's history.

At this stage, only Cloudflare supports encrypted SNI requests, but Rescorla said Mozilla hopes other DNS hosts will come to the party.

TIP tips transponder APIs into the open world

The Telecom Infrastructure Project has had a busy week with its TIP Summit '18 in London.

For a start, it shipped interface specs for optical transponders, the Transponder Abstraction Interface (TAI), which it said “allows integration of optical subsystems and modules in a uniform manner” and lets optical vendors ship kit that works out of the box with existing software.

TIP also announced that Vodafone, Telefonica, Orange, and TIM Brazil are working together on the disaggregation of cell sites, in a project called Odyssey-DCSG.

Qualcomm adds mmWave Wi-Fi chipsets

Qualcomm didn't get the memo from the Wi-Fi Alliance about version numbering: this week, it launched a range of 60GHz chips under the 802.11ay banner.

If you're hoping for ultra-fast performance for your laptop, don't get too excited: the silicon designer's QCA64x8 and QCA64x1 are designed for 10Gbps performance or better, but the target is peripherals and mesh-based mobile backhaul.

The vendor has also been watching work going on in academia, it seems: capabilities like using Wi-Fi to estimate the number of people in a room used to look like mere boffinry, but Qualcomm wants it to become mainstream.

Its release said the chip can support “new 60GHz Wi-Fi Sensing applications like proximity and presence detection, gesture recognitions, room mapping with precise location and improved facial feature detection”.

Kaloom launches software defined data centre fabric

Kaloom has taken a look at what telcos have done to turn their internals into software, and reckons data centres could do with a shot of that software-defined juice.

Speaking to The Register, the company's marketing veep Thomas Eklund and CTO Suresh Krishnan said data centre fabrics are driven by too few vendors and need too much hand-feeding.

That lack of automation means scalability is difficult and expensive, unless you're among the handful of hyperscale operators that can take white-boxes and build whatever tools aren't already out there.

Elkund said telcos and hyperscalers are getting together “to open up the hardware and software, open the APIs, drive open source and programmability, and drive down the price” – but those payoffs aren't available if you're running one or two enterprise data centres.

What Kaloom launched today includes a fabric controller to handle topology management of spine and leaf switches and their controllers, and integrated network functions (a vRouter, vSwitch, and virtual gateway or vGW).

The fabric controllers use standard interfaces like YANG and NETCONF for northbound communications to Kaloom's management software interfaces.

Automation aims to deliver self-forming and self-discovery, zero-touch provisioning, and automated software upgrades.

The company told The Register its virtualisation means the system can host tenant networks with “millions of IP (v4 or v6) addresses”.

From the network operator's point of view, Krishnan said, everything looks like a single switch with a huge port count, with interfaces to show the physical topology, leaf and spine switches, and so on.

The network operator “should be able to take any server-facing port, and turn that into a 'slice', a virtual fabric – even with large numbers of vFabrics, we can support isolation between those ports for any number of tenants.

“Each slice looks like a data centre network, with VLANs or VxLANs on top of it,” he added.

The isolation provides different data plane functions for different slices, Krishnan explained, so a network admin could create a “test” data centre with its associated virtual fabric and test different protocols without affecting production traffic.

Because the vRouter is part of the SDF, he said, packets get lower latency – they don't need to leave the fabric to be handled by a router.

The P4 (Programming Protocol-Independent Packet Processors) provided the opportunity for customers or third parties to write into the environment, he said – for example, so a third party's firewall can be hosted on the same fabric.

The company designed its vSwitch to improve latency and cut down the resources the switch consumes, Krishnan said.

In environments using OVS-DPDK (Open vSwitch – Data Plane Development Kit), he said, packets spend too much time being transmitted between different functions. The virtualised fabric means Kaloom's vSwitch has the chance to examine a packet to see whether its destination is on the same server.

Only if the packet's destination is off-server is it handed off to the network. Reducing the number of switches leaving the server reduces the number of cores the switch needs, reduces latency, and improves throughput.

Googlers help students harden 2FA against backdoors

It's a week old, but still interesting if you follow the worldwide “cryptowars”. Governments might be trying to demand the tech sector build backdoors into products – but what happens if backdoor resistance is built into protocols?

In this paper at arXiv, five boffins from Stanford University and Google looked at two-factor authentication and found today's systems can be compromised if an attacker could compromise something like a user's dongle (SMS-based 2FA, we know, was pwned long ago).

The proposed “True2F” takes into account token faults or backdoors, or even an attacker with access to a user's computer (as long as they don't also have access to the token), without any server-side changes, only limited work by browser authors, and could be added to most existing tokens with just a firmware update.

That's because it's a change to the protocol – True2F proposes adding extra messages to the session handshake: “The only difference is that a True2F compliant token and browser exchange a few extra messages before responding to the relying party. These messages allow the browser to enforce the token’s correct behaviour, preventing a malicious token from choosing weak or preloaded keys, or from covertly leaking keying material in messages to the relying party”.

Further: “Even if the attacker takes control of the user’s machine, the attacker can still not authenticate to the relying party without interacting with the token. This holds even if the attacker can passively observe the browser’s interactions with the token before taking control of the machine.”

Listen carefully and you can hear law enforcement and spooks wondering how to draft legislation to ban excessively secure protocols. ®




Biting the hand that feeds IT © 1998–2018