Alice and Bob song ;-)

… written by Armand Navabi

Alice is sending her message to Bob
Protecting that transmission is Crypto's job
Without the help of our good friend Trent,
It's hard to get that secret message sent
Work tries to deposit the check of your salary
But with no crypto, it'll be changed by Mallory
You think no one will see what it is, you believe?
But you should never forget, there's always an Eve...

'Cause I'm encrypting s**t like every single day
Sending data across the network in a safe way
Protecting messages to make my pay
If you hack me, you're guilty under DMCA

DES is wrong if you listen to NIST
Double DES ain't no better man, that got dissed
Twofish for AES, that was Schneier's wish
Like a shot from the key, Rijndael made the swish
But Blowfish is still the fastest in the land
And Bruce used his fame to make a few grand
Use ECB, and I'll crack your ciphertext
Try CFB mode to keep everyone perplexed

'Cause I'm encrypting s**t like every single day
Sending data across the network in a safe way
Protecting messages to make my pay
If you hack me, you're guilty under DMCA

Random numbers ain't easy to produce...
Do it wrong, and your key I'll deduce
RSA, only public cipher in the game
Creating it helped give Rivest his fame
If we could factor large composites in poly time,
We'd have enough money to not have to rhyme
Digesting messages with a hashing function
Using SHA1 or else it won't cause dysfunction

'Cause I'm encrypting s**t like every single day
Sending data across the network in a safe way
Protecting messages to make my pay
If you hack me, you're guilty under DMCA

Password confirmed. Stand by...

Reserved for documentation use

Sometimes you have to document a network behaviour and need example prefixes, addresses or AS numbers. Here is a list of the relevant documents and the values they reserve for exactly this purpose:

  • MAC unicast address (see RFC7042) – 00:00:5E:00:53:00 to 00:00:5E:00:53:FF
  • MAC multicast address (see RFC7042) – 01:00:5E:90:10:00 to 01:00:5E:90:10:FF
  • IPv4 unicast prefix (see RFC5737) –
  • IPv4 multicast prefix (see RFC6676) –
  • IPv6 unicast prefix (see RFC3849) – 2001:DB8::/32
  • IPv6 multicast prefix (see RFC6676) – FF0X::DB8:0:0/96 (X = any hex digit)
  • AS numbers, 16-bit (see RFC5398) – 64496 to 64511
  • AS numbers, 32-bit (see RFC5398) – 65536 to 65551
  • Top-Level Domain (see BCP32) – .example


  • Alice and Bob, alternatives for ‚Person A’/’Person B‘ when describing processes in telecommunications; in cryptography Eve (the eavesdropper) is also added.(see Wikipedia)
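A practical use of these ranges is to check that a draft document does not leak real infrastructure addresses. The following linter is an added example, not part of the original post: it uses the ranges listed above (plus the three RFC 5737 IPv4 blocks, which the list cites by RFC number only) and flags every MAC, IP or AS number in a constructed sample text that is not a documentation value.

```python
import ipaddress
import re

# Documentation-only ranges from the list above (RFC 7042 MACs, RFC 3849 and
# RFC 6676 IPv6 prefixes, RFC 5398 AS numbers) plus the RFC 5737 IPv4 blocks.
DOC_IPV4 = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
# RFC 6676 writes the multicast prefix as FF0X::DB8:0:0/96 for any nibble X,
# so expand it into the 16 concrete /96 prefixes.
DOC_IPV6 = [ipaddress.ip_network("2001:db8::/32")] + [
    ipaddress.ip_network(f"ff0{x:x}::db8:0:0/96") for x in range(16)]
DOC_MAC = [(0x00005E005300, 0x00005E0053FF),   # 00:00:5E:00:53:00-FF unicast
           (0x01005E901000, 0x01005E9010FF)]   # 01:00:5E:90:10:00-FF multicast
DOC_ASN = [(64496, 64511), (65536, 65551)]

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\b(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}\b")
ASN_RE = re.compile(r"\bAS(\d+)\b")

def is_doc_ip(text):
    addr = ipaddress.ip_address(text)
    nets = DOC_IPV4 if addr.version == 4 else DOC_IPV6
    return any(addr in n for n in nets)

def is_doc_mac(text):
    return any(lo <= int(text.replace(":", ""), 16) <= hi for lo, hi in DOC_MAC)

def is_doc_asn(asn):
    return any(lo <= asn <= hi for lo, hi in DOC_ASN)

def lint_document(text):
    """Return every address or AS number in text that is NOT a documentation value."""
    macs = MAC_RE.findall(text)
    leaks = [m for m in macs if not is_doc_mac(m)]
    for cand in IPV4_RE.findall(text) + IPV6_RE.findall(text):
        if cand in macs:          # a colon-separated MAC also matches IPV6_RE
            continue
        try:
            if not is_doc_ip(cand):
                leaks.append(cand)
        except ValueError:        # not an address, e.g. a timestamp 10:30:00
            pass
    leaks += [f"AS{n}" for n in ASN_RE.findall(text) if not is_doc_asn(int(n))]
    return leaks

# Constructed sample text: proper documentation values plus one real-looking
# value of each type that should be flagged.
SAMPLE_DOC = """CE 192.0.2.10 peers with AS64500 over 2001:DB8::1; group FF02::DB8:1:2.
Lab MAC 00:00:5E:00:53:01. Do not publish: 10.1.1.1, 2001:470::1, AS65000,
00:1A:2B:3C:4D:5E."""

if __name__ == "__main__":
    print(lint_document(SAMPLE_DOC))  # ['00:1A:2B:3C:4D:5E', '10.1.1.1', '2001:470::1', 'AS65000']
```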

Huawei Switches – Software Update

This post is not about Juniper, but it is nice to know if you work with Huawei switches…

I've worked with the S2300 series last year and learned a lot about the "Huawei Versatile Routing Platform Software" or VRP. From my point of view the CLI did not feel very comfortable. For example: most of the time when I used tab completion it failed, because the CLI completed the whole(!) first matching command instead of only completing up to the next ambiguous character, as the Juniper or Cisco CLI does 😉 If you are a fast typist this can be very frustrating. However, the CLI can also be quite smart: it doesn't let you remove an option or command that is still in use by another command, which prevents misconfigurations.

I also did some software updates on these devices and want to share the procedure with you:

1) remove old patches

patch delete all

2) take a look at your flash disk and remove old *.cc files

delete /unreserved <name of old .cc file>

3) get your new .cc file, e.g. via FTP

ftp <ip>
get <name of new .cc file>

4) apply new software image for next startup

startup system-software <name of new .cc file>

5) verify correct startup settings

display startup

6) reboot the switch: fire and forget 😉


… and hopefully your switch will now come up with the new software image.

TTL Handling

In some cases you want to hide your MPLS backbone from your VPN customers and prevent traceroutes (…and annoying questions…). There are some options to achieve this.

First of all, tell your customers they don't need to do this. Yes, and they will do it anyway 😉

You could configure an RE firewall filter and drop all traceroute traffic. Really? No, we don't want additional host-bound traffic that we then drop with a firewall rule; that's stupid and a waste of resources.

The best option is to prevent TTL propagation during the MPLS push/pop operations on the ingress and egress PE. Your customer can decrease the TTL value as much as they like, but the value won't get copied into the MPLS header; the TTL value in the MPLS header is fixed at 255 on the ingress PE.

There are two options in JunOS:

no-decrement-ttl – This is only valid for RSVP LSPs and is signaled as OBJC_LABEL_REQUEST per LSP. This is not clearly stated in the Juniper command description, but here. However, this is a proprietary value. From my point of view, this wouldn't be the best way to do it.

no-propagate-ttl – This is the usual option for changing the TTL behaviour. The TTL value of the IP packet won't get copied into the TTL field of the MPLS header on the ingress PE, nor copied back on the egress PE.

You can configure no-propagate-ttl on a global level:

protocols {
    mpls {
        no-propagate-ttl;
    }
}

Or per VRF:

routing-instances {
    your-vrf-name {
        no-vrf-propagate-ttl;               # or "vrf-propagate-ttl"
    }
}

The VRF setting is more specific, so you can, for example, disable TTL propagation globally and re-enable it on a single VRF with vrf-propagate-ttl if needed.

You can verify the TTL operation for every VPN prefix in your VRF routing table:

admin@router> show route table <your-vrf-name> <vpn-prefix> extensive
Label TTL action: no-prop-ttl

The "Label TTL action" shows either no-prop-ttl or prop-ttl.
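To make the difference between the two TTL actions visible, here is an added Python model (not Juniper code and not part of the original post) that replays a customer traceroute through a constructed CE1-PE1-P1-P2-PE2-CE2 path and lists which routers answer with prop-ttl versus no-prop-ttl.

```python
# Constructed model (not Juniper's code) of how no-propagate-ttl hides the
# MPLS core from a customer traceroute. Path: CE1 -> PE1 -> P1 -> P2 -> PE2 -> CE2,
# assuming PE2 pops the label itself; with penultimate hop popping the visible
# hops are the same, only the pop moves to P2.
CORE_PATH = ["PE1", "P1", "P2", "PE2", "CE2"]   # routers after the customer's CE1


def forward_probe(ip_ttl, propagate_ttl):
    """Return the router that answers a probe sent from CE1 with this IP TTL."""
    mpls_ttl = None                          # no label until PE1 pushes one
    for hop in CORE_PATH:
        if hop == "PE1":                     # ingress PE: route, then push
            ip_ttl -= 1
            if ip_ttl == 0:
                return hop
            # prop-ttl copies the (decremented) IP TTL into the label;
            # no-prop-ttl writes a fixed 255 into the label instead
            mpls_ttl = ip_ttl if propagate_ttl else 255
        elif hop in ("P1", "P2"):            # LSR: sees only the label TTL
            mpls_ttl -= 1
            if mpls_ttl == 0:
                return hop
        elif hop == "PE2":                   # egress PE: pop, then route
            if propagate_ttl:
                ip_ttl = min(ip_ttl, mpls_ttl)   # copy the label TTL back
            ip_ttl -= 1
            if ip_ttl == 0:
                return hop
        else:
            return hop                       # CE2 is the destination
    return CORE_PATH[-1]


def traceroute(propagate_ttl, max_ttl=16):
    """Hop list the customer sees tracing from CE1 to CE2 across the VPN."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hops.append(forward_probe(ttl, propagate_ttl))
        if hops[-1] == "CE2":
            break
    return hops


if __name__ == "__main__":
    print("prop-ttl    :", traceroute(True))    # ['PE1', 'P1', 'P2', 'PE2', 'CE2']
    print("no-prop-ttl :", traceroute(False))   # ['PE1', 'PE2', 'CE2']
```

With no-prop-ttl the P routers never decrement a TTL that can reach zero, so the customer only ever sees the two PEs and the far CE.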
