Cisco To Develop Third-Party APIs For IOS

Posted by kdawson on Sat Dec 15, 2007 06:30 PM
from the letting-a-little-light-in-on-the-crown-jewels dept.
MT628496 tips a Computerworld article on Cisco's announcement that it plans to build IOS on a UNIX kernel, in modules, and allow third-party developers to access certain parts of it. IOS has traditionally been a closely guarded piece of software without any way for anyone to add functionality. No timetable was given for when APIs will be available. A Forrester analyst said, "...the network is one of the least programmable pieces of the infrastructure. The automation and orchestration market is far more oriented towards servers, storage and desktop environments. The ability to dynamically change the network is a missing component." The article mentions that Juniper Networks had announced on Monday its own developer platform for Juniper routers, and it's available now.
  • by the_humeister (922869) on Saturday December 15 2007, @06:56PM (#21712606)
    Wouldn't this make the networking equipment more prone to attacks?
    • Hate to say it, but security thru proprietary technology is nice in this case, IMHO. The less the technology controlling our network is exposed, the better, in some cases. Sadly, vice-versa is true. It's a trade-off, but it is still better than everyone being able to look at it and go "Oh, THAT'S how we shut down and infiltrate major networks!"
      • What you've actually described is security through obscurity. Being proprietary does not keep it unpublished. The "proprietary technology" source code and utilities have been repeatedly stolen, published, and republished among the cracker crowd, and the tools they write get released and circulated among the script kiddie crowd eventually. And Cisco has repeatedly engaged in really unfortunate security standards for decades, with a lack of reporting of the incidents for both non-disclosure reasons, and an
      • Most networking equipment these days have a separate "admin" interface from the rest of the "traffic" interfaces. The intent of that is you can secure the "admin" connection and only access admin functions (like APIs) through that.

        Nobody ever made a mistake in either software implementation of this kind of access scheme, and nobody ever made a mistake in deploying such a system.

        You pretty much nail it on the head, this is going to result in an increase in (scary!) vulnerabilities. If an attacker can take a
        • Taps are often the recommended method of handling IDS now if you're not doing it in-line. However, if someone can see which ports are mirrored, there's a good chance that they can figure out which interfaces are handling the most traffic, and so more likely to be on IDS (if one's IDS deployment is more on the limited side, that is).
  • by flydpnkrtn (114575) <pfloyd.nixwizard@net> on Saturday December 15 2007, @06:58PM (#21712618) Homepage
    I wonder if they'll license something like QNX, or port one of the BSD kernels over. I can't imagine they'd use anything with the GPL, this being proprietary-out-the-ass Cisco after all.
  • When Company A announces they've done something already, and Company B announces they will, that's more like the "Company-B-caught-with-pants-down-and-family-jewels-showing department."

    Cisco's response is laughably cliche...

    • And who cares anyway. They are talking about this like it is rocket science.

      I have done that for a living for nearly 10 years now and frankly it is trivial (at least for Cisco). There is _NO_ rocket science in it. It takes a couple of weeks tops for someone who is good in both software development and network engineering to write one. There is no need for an extra API. The techniques on how to deal with IOS are well known.

      The problem is elsewhere. The problem is "what to orchestrate?". Data modelling a netw
  • Enron Broadband was working on this with Cisco starting in 1998. In fact, they bought two companies to try and make this happen. They told everyone that automatic provisioning was the wave of the future.

    Think of a Tibco-like messaging layer allowing automatic provisioning of more or less bandwidth between carriers throughout the day as companies need it (for real time communications or nightly data warehouse creations.... Whatever).

    10 years later it actually gets implemented.
  • Cisco IOS has already been running in house (for development purposes) on Unix for years. They call it IOU (IOS on Unix). It is a closely guarded secret. Supposedly it is fully featured and can emulate as many routers with as many interfaces as you want, all on one Solaris system. Supposedly Cisco employees get in trouble (fired??) for even mentioning its existence and certainly if they ever gave access to somebody, and only a very small number of Cisco employees even have access to it. It wouldn't be
  • by grumling (94709) on Saturday December 15 2007, @11:14PM (#21714182) Homepage
    "This is a nice sense of direction statement - it says that Cisco understands that SOA and Web 2.0 are fundamentally changing how applications are built"

    "According to our router's logfile, your port on the switch has been modded down below the switch's current threshold."

    router#show int eth0/0
    adds by google:
    Get a Juniper router today!
    Best deals on Cisco routers: www.cisco4less.com
    Sid : 5
    Traffic Priority : 0
    Maximum Sustained Rate : 64000
    Maximum Burst : 0
    Minimum Reserved Rate : 0
    Minimum Packet Size : 0
    Maximum Concatenated Burst : 1522
    Scheduling Type : Best Effort
    Nominal Grant Interval : 0
    Tolerated Grant Jitter : 0
    Nominal Polling Interval : 0
    Tolerated Polling Jitter : 0
    Unsolicited Grant Size : 0
    Grants per Interval : 0
    Request/Transmission Policy : 0x0
    IP ToS Overwrite [AND-mask, OR-mask] : 0x0, 0x0
    Current Throughput : 0 bits/sec, 0 packets/sec
  • Cisco has been running QNX in their high end routers for several years now. They call it "IOS XR", but it's QNX. Classic IOS, unlike QNX, isn't a protected-mode OS. In classic IOS, everything runs in one address space. They need to get beyond that. So maybe this is just opening up classic IOS as an end of life measure.

  • More seriously, IOS is a high-performance but extremely poor interface toolkit on top of a lot of proprietary hardware. It doesn't matter much which kernel runs on it, unless they've been tuned out of all recognizability to deal with the high load, low latency issues of routing. And the kernels are pretty near the limits of their ability to tune performance to the hardware: the next level up is the compiler, and the next level up is the actual interface. And the extraordinarily poor behavior of the user in
  • Not sure I like the sound of this. It's going to confuse the support for applications quite a lot.

    Right now if there's an application problem it is fairly easy to tell where it comes from. You can quite quickly rule out a network problem by checking the basic network traffic works and look at other similar traffic for issues.

    However if you move a load of your application logic onto the networking hardware and something starts running slow, unless your app has a lot of benchmarking built in for troubleshooti
  • by Slashcrap (869349) on Sunday December 16 2007, @12:46PM (#21718076)
    ...thanks to Dynamips.

    I was going to say that it's only of use for training purposes, and can't be used in the real world. But then I noticed a lot of people in this thread advocating the use of consumer routers, and they probably would put emulated IOS on an old PIII and expect it to route 1Mpps. So knock yourselves out, retards.
    • IOS is universally accepted. The model of its tiered, context-determined command structure has been emulated by many. This includes Microsoft, with its cascaded netsh and other command utilities.

      That said, this kind of command navigation sucks. You are trapped in a maze of twisty, little prompts, all alike.

      The structure of these commands was determined in antiquity, when embedded networking devices were resource starved for storage and memory. That's pretty clearly not the case today.

      Screw IOS, its resistance to simple scripting, and its defiance to be committed easily to memory.
      • Isn't Cisco selling IOS-XR based on QNX to accomplish the same thing? Did it not work out, or is it too expensive, or does BSD just sound like a better plan for a modular router OS?
        • At the moment, IOX only runs on CRS-1 or [properly upgraded] GSRs, which pretty much excludes anything in their "enterprise" product portfolio.

          Fact is, Cisco has been trying to be all things to all people and dominate every sector of the market that involves gear or software beyond the PC for such a long time that they have lost focus in their core business of making routers, where they are accustomed to market domination. Competitors have caught up to the point where anything short of carrier-grade Cisco
        • I would be surprised if they went and developed something else entirely because QNX itself is POSIX compliant and has been in development for quite a while now, I can't think of any reason to drop it and develop something BSD based for the rest of the routers. It would make little sense outside of the realm of "ZOMG BSD is teh kewl".

          For a while IOS XR was only on the CRS-1, and the edge devices have been regular IOS, with all its disadvantages like the single memory space, total lack of memory protection, l
          • The first post says no such thing. It simply says that IOS has a very antiquated command system, which it does. If IOS were to break backwards compatibility they would have the opportunity to create much easier to use and much more flexible ways of doing things. It would be really good in the long run, but is not likely to happen because the short term consequences would probably be so painful.
      • That said, this kind of command navigation sucks

        I don't know - I wish unix had the command parameter prompting system that the shell in IOS has. It's actually really useful. Not sure what the parameters are for any command? Press the question mark key.

        You are trapped in a maze of twisty, little prompts, all alike

        Actually, the prompts change with context. Configuration mode has a different prompt, and within that mode the prompts change with context indicating what you're configuring.

        That sa

        • The command interface isn't the problem with IOS, the rest of the platform is. You don't really have to remember every little command and every option in IOS because the entire system provides help for every step of every command.

          Linux as a routing platform is in some ways much worse than IOS unless you use some sort of usable interface on top of it. My home firewall is an Astaro box (linux) which I'm quite happy with but I would never dream of editing firewall rules (or anything else) by hand on it, like w
    • There are specific reasons a business might need a "real" router though. Cisco's equipment is very modular... it's very easy to throw a VPN encryption module in a router and do tunnels at the router level instead of worrying about RRAS or an OpenSWAN server.

      Linksys routers have their uses, especially if you flash them over to Linux with DD-WRT, but they only go so far when you have a branch office of 200 people you need to have securely on the main corporate network. A Linksys wouldn't have the horsepower
      • The three laws of network hardware:

        1) Quality network hardware is expensive. Often frighteningly so.

        2) If reliability is even remotely important to you, the expense is easily worth it.

        3) Failure to comprehend #2 will almost inevitably cost you your job.
    • Ever seen a commodity router under a FULL 100Mbit/s load, let alone gigabit? They drop packets, mangle packets, route wrong packets... That is, until they hit a buffer overrun, overheat or just reboot repeatedly for no clear reason. They're not meant for serious use. They're designed to be actually capable of handling whatever Joe Average can do with his home network and nothing more. Because they're commodity hardware. Cheap crap, that is. Period.
      People buy those expensive, rackable switches and routers because they want something *reliable* for *serious* use that absolutely requires reliability.
      • People buy those expensive, rackable switches and routers because they want something *reliable* for *serious* use that absolutely requires reliability.

        It's a matter of the right tool for the right job. If all you're doing is routing a T1, you're certainly not going to be processing 100Mbps. In fact, you'll be routing less than Joe Average might route on his cable connection.

        It's hard to say about the reliability, however as long as it's within its capability, any device with no moving parts can be e

        • Right, but the OP sounded as if he wanted to use consumer devices for everything - which certainly isn't the brightest idea. Anyway, cheap routers and switches can as well fail under their normal working conditions, been there, seen that, always keeping a spare just in case. I'm currently in charge of an improvised dorm network (about 80 computers, 30Mbit/s connection to the outside world, almost saturated all the time), with a 30-port industrial-grade Cisco switch just by the router and dozens of crappy co
          • Sounds like you could benefit from wiring closets in different sections of the dorm. Surely it would beat having little Linksys switches scattered around as repeaters.
          • Agreed, the OP was way on the other extreme.

            In your case, it sounds like there must be some sort of problem there with power or perhaps grounding. I agree that consumer grade switches fail more frequently, but unless you have more switches than computers, one every two weeks is excessive even for cheap switches.

            Does anyone have one of these [fiftythree.org] in their dorm?

          • The grandparent post mentioned moving parts, many decent switches have fans while cheap small ones don't... Though this is for quite the opposite reason, fans will keep the device cooler and increase its life. If the fans fail, you're just in the same boat as a cheaper switch.

            Those cheaper switches often have no protection against connecting two of their ports together with a crossover cable either, that can cause utter chaos.
      • A lot of supposedly higher end kit falls over well below its rated capacity too...
        Try synflooding across 100mb interfaces on a 7200vxr, a lot of cisco kit is based on the same pci-bus design as a pc but with a slower cpu. The NIC will generate an interrupt on the bus for each packet, lots of small packets will saturate the pci bus and take the device down whether it's a cisco 7200 or a pc with 2 nics.
        You can improve the situation by using 64bit pci, pcie, pci-x etc but the problem remains it's just got a hi
        • My company has found that the most cost-effective way of building a high performance router is to buy Symantec 5440's on ebay. These boxes are basically a xeon, 1GB of ram, with 6 gigabit interfaces. Throw mikrotik routeros on it and it can route 3 gigabit without pushing the hardware much. I would have thrown some more at it but I didn't have enough machines with gigabit interfaces lying around at the time.
    • by WizardX (63639) on Saturday December 15 2007, @07:48PM (#21712964)
      Sorry, but I must feed this troll.

      Most people do not buy 800 series routers, but if they do, it is typically because of manageability and security. When it comes to being able to manage a remote network device and use a central authentication system, Cisco beats the pants off of ANY consumer grade device.

      Once you get to 1800 devices and above (even 1600 and 1700, but they are EOL) you have features that far exceed any consumer device.

      Real routing capabilities (RIP, OSPF, EIGRP, ISIS, BGP, etc.)
      Modular interface cards. You have Modem, ISDN, xDSL, Cable, 56k, DS1, ATM, DS3, SONET, etc.
      QoS. Should be self explanatory.
      Various security functionality. VPN, tunnels, RADIUS, TACACS+, etc. (I am not a security guy)
      Voice. Terminate voice, act as a phone system (2800 and 3800), run VXML, etc.

      These are just the routers. Switches are just as much above the consumer grade as the routers are. QoS, port density, VLANs, true Layer 3, etc.

      Both have their place and in some cases, a consumer grade equipment has its place in the corp environment. I have used them many times. T

      To say Cisco is a rip-off is pure ignorance. (Do not use the list price to justify yourself either. NO ONE pays list for Cisco gear. As a general rule 35% - 50% is the rule.) Sure Cisco is not the cheapest or the best, but they provide a complete end-to-end solution and everyone knows Cisco. Heck, even Nortel switches and Extreme (I think) made their interfaces to emulate IOS.
      • Sure Cisco is not the cheapest or the best, but they provide a complete end-to-end solution and everyone knows Cisco.

        That's it in a nutshell, and it's a real shame. Cisco is the new "nobody got fired buying IBM". People are just so scared to try anything else on their networks, and it really holds back competition. Got a budget to build a network? Buy a Cisco, and no one will blame you. If it goes wrong, well hey, you did the industry standard thing: that's just how networks work, right?

        • You know, I am not entirely sure. I was trying to corral the kids at the time. Strike the word true.
          • No need to strike it; you're quite right.

            A layer 3 switch is one that can do IP routing at wire speed, usually by doing the routing in hardware.

            Normally switches are layer 2 only and don't understand IP, they just pass stuff based on MAC address. You then need a separate router to do the layer 3 work.

            Consumer grade stuff like the wrt54g does support layer 3, otherwise you wouldn't be able to connect to anything. But it uses software routing, not hardware, which is nowhere near as fast.
        • So do my Linux and MacOS based laptops.

          As a test though, login to a fast box hosted somewhere, and run a syn flooding tool against your home box over the cheap consumer level router. Flood yourself with small packets, and see how many of them actually make it past the router to hit your box.

          I managed to receive about 300k of small packets, on an 8mb dsl connection. When hit with small packets, 300k is all the router could manage. The box flooding me was generating more than 8mb of packets, and needless to say
    • I just spent 5 minutes making sure that that link went where it claimed to go and no further (It points to a /. article entitled "FCC To Require Backdoor Network Access for Feds").
    • I think all versions of JUNOS allow individual processes to be restarted. Different versions have different processes (for example, PPP is in the kernel for most versions, but it is being moved to a user-space process). Juniper also already works with third-parties for hardware. For example, on the J-series, you can get a PIM that has an Avaya PBX in a slot.