Google

= Topics =

= Preparations =
 * 1st round
 * 1st Week Dec starting

coding tech communication thinking
 * Video interview

1st Troubleshooting code Distributes system Web & Network technologies
 * 1 Hour:

2 tech Networking/General Web troubleshooting 1 manager
 * F2F - Bangalore office


 * Share use cases
 * Working with Code (15 min)
 * What is code, Issue & How to improve it.


 * Ask question about question
 * Break it down


 * No IDE
 * No library

= Topics 2 =


 * Semaphores
 * Mutex
 * Threads

= Questions =

Port Isolation Vlan Isolation Loopback Detection
 * What are alternative solutions of Spanning tree?

200ms latency -> initial rto by most OSs Do not consider normal Retransmissions, but only RTOs exponential backoff rto will double with each iteration -> 400ms, 800ms, 1000ms congestion, pathmtu not honored, icmp rate-limited, reply pathmtud-reply packets dropped, os issues -> Zero window -> cpu high(response slow), memory high, disk issue
 * Tail Latency

RTP uses tcp, n/w level issues, check latency on which side traces,
 * 4k video file edit latency

= Networking Followup =

Moving of files BW APAC & EMEA

 * 1 MBPS speed? whats wrong
 * Take Packet Captures

In half duplex mode, both devices can transmit the signal, but one at a time. In full duplex mode, both devices can transmit the signal at the same time.
 * Check Duplex settings

Use locust or run multiple instances of iperf
 * Multiple streams


 * Pearing


 * Latency


 * Congestion


 * QoS, Filtering, Routing, ISP issues

WSF
 * TCP Window size

Where RTT is Ping Response in Millseconds/1000. There are only two things you can do to affect your data thru-put on a wide area network: Increase your TCP window size, or  Reduce latency.
 * Maximum Possible Transfer Rate = TCP Window Size/RTT

Check for retransmissions after 200 ms --> RTOs
 * Packet capture

It works by passing a multipacket buffer to the network interface card (NIC). The NIC then splits this buffer into separate packets. The technique is also called TCP Segmentation Offload (TSO) when applied to TCP, or generic segmentation offload (GSO). A similar concept to large segment offload for ingress traffic is large receive offload (LRO). LSO and LRO are independent and use of one does not require the use of the other.
 * Large send offload (LSO) is a technique for increasing egress throughput of high-bandwidth network connections by reducing CPU overhead.


 * Fragmentation


 * Packet Loss


 * Network throughput impacted by TCP window size, Latency and Congestion

Maximum amount of data a sender can send before receiving an acknowledgement. Standard TCP Window Size = 65K bytes
 * Window Size

Adding more traffic produces a negative marginal effect above about 30% utilization
 * It’s not just about latency, TCP doesn’t like congestion


 * Application is able to generate 10 GBPS traffic? OS limits - CPU - Memory, Network Card speed?

64KB * 2n (n = window scale factor)
 * Window scaling changes the TCP window to:

With a window scale factor of 7, which equals a TCP window of 8MB

Single-flow throughput is limited to: TCP window size / RTT

Without window scaling, TCP is limited to: 64KB / 100ms = 5 Mbps

With CloudBridge default window scale, TCP is limited to: 8MB / 100 ms = 650 Mbps


 * WSF 64kB to 8MB
 * SACK to minimize data that is resent
 * Fast re-transmits to reduce delay before resend

Amount of data that can be in transit (flight) in the network Bandwidth-delay product is the product of a data link's capacity (in bits per second) and its round-trip delay time (in seconds). The result data is equivalent to the maximum amount of data on the network circuit at any given time, Or data that has been transmitted but not yet acknowledged. A network with a large bandwidth-delay product is commonly known as a Long Fat Network(LFN). A network is considered an LFN if its bandwidth-delay product is significantly larger than 105 bits (12,500 bytes).
 * Bandwidth Delay Product


 * BIC TCP (Binary Increase Congestion control)

Allows bandwidth probing to be more aggressive initially when the difference from the current window size to the target window size is large, and become less aggressive as the current window size gets closer to the target window size. A unique feature of the protocol is that its increase function is logarithmic; it reduces its increase rate as the window size gets closer to the saturation point.
 * BIC TCP for faster recovery from packet loss


 * BIC is optimized for high speed networks with high latency: so-called "long fat networks".
 * For these networks, BIC has significant advantage over previous congestion control schemes in correcting for severely underutilized bandwidth.


 * BIC implements a unique congestion window (cwnd) algorithm.
 * This algorithm tries to find the maximum cwnd by searching in three parts: binary search increase, additive increase, and slow start.
 * When a network failure occurs, the BIC uses multiplicative decrease in correcting the cwnd.


 * BIC TCP is implemented and used by default in Linux kernels 2.6.8 and above.
 * The default implementation was again changed to CUBIC TCP in the 2.6.19 version.


 * CUBIC TCP


 * CUBIC is an implementation of TCP with an optimized congestion control algorithm for high bandwidth networks with high latency (LFN: long fat networks).
 * CUBIC TCP is implemented and used by default in Linux kernels 2.6.19 and above, as well as Windows 10 & Windows Servers.
 * It is a less aggressive and more systematic derivative of BIC TCP, in which the window size is a cubic function of time since the last congestion event, with the inflection point set to the window size prior to the event.
 * Because it is a cubic function, there are two components to window growth.
 * The first is a concave portion where the window size quickly ramps up to the size before the last congestion event.
 * Next is the convex growth where CUBIC probes for more bandwidth, slowly at first then very rapidly.
 * CUBIC spends a lot of time at a plateau between the concave and convex growth region which allows the network to stabilize before CUBIC begins looking for more bandwidth.


 * Another major difference between CUBIC and standard TCP flavors is that it does not rely on the cadence of RTTs to increase the window size.
 * CUBIC's window size is dependent only on the last congestion event.
 * With standard TCP, flows with very short round-trip delay times (RTTs) will receive ACKs faster and therefore have their congestion windows grow faster than other flows with longer RTTs.
 * CUBIC allows for more fairness between flows since the window growth is independent of RTT.

SSH to remote server

 * GCP VM SSH Connection Timed out

Existing connection timed out or a new one? Was it idle connection? It not, is there any network disconnection/lantency/congestion?

SSH Packets are reaching Destination? TCPDump on Destination(look for initial TCP packets with the SYN flags). If not check: - Using IP Correct in client side. - DNS Correct? try host file entry or direct ip access - Port Correct - Routes in intermediate devices. - Packets going out of Client? check dest trace. Iptables might hv blocked, or networking issue. - Traceroute - Do Ping & check ICMP Traffic reaching

If yes check: - Reply packets going or not? if going, check Router reverse routes. - IPTables Rejecting packets (Flush IPTabeles -F) - Packets received on correct interface? (SSH might be listening on wrong port - ListenAddress ) - SSH from Server to localhost

Any traffic reaching Server? ifconfig RX, TX count bytes increasing decreasing; If not check: - Networking Config - Interface check? correct ip on correct interface? - Host Level Networking in GCP/VMWare

If Yes check: - Firewall blocking traffic for port 22? - Firewall blocking all external traffic? - Host Level Firewall dropping SSH traffic? - Do Ping & check ICMP Traffic reaching

/etc/ssh/sshd_config     # sshd server configuration file Port 22 ListenAddress 0.0.0.0 PermitRootLogin prohibit-password PubkeyAuthentication yes PasswordAuthentication yes PermitEmptyPasswords no KerberosAuthentication no UsePAM yes Banner none TCPKeepAlive yes
 * SSH Config File:

/etc/ssh/sshd_config     # ssh client configuration file

sudo systemctl restart sshd.service sudo systemctl status sshd.service sudo service sshd status
 * Restart SSHD:

ssh: connect to host 192.168.1.51 port 22: No route to host
 * Wrong IP:

ssh: connect to host 192.168.1.50 port 2222: Connection refused
 * Wrong Port OR SSH Not installed (TCP Reset is sent)

netstat -anp | grep ssh      ==> Check port no of SSHD program in LISTEN State
 * SSH Running on correct port:

netstat -ant | grep 22 tcp       0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
 * Netstat:

journalctl -xe
 * Check Service logs:

top - Memory, CPU, IO CPU, etc Network Congestion, Broadcast Storm Duplicate IPs configured in same LAN, check ARP table repeatedly
 * Intermittent Timedout/Slow connection

ssh -vvv user@host
 * Debug SSH Connection:

Unable to negotiate with 192.168.126.100 port 22: no matching cipher found.
 * Error if Ciphers does not match:


 * SSH Version 2? v1 is not in use now a days

Check: telnet 192.168.1.50 22 Trying 192.168.1.50... Connected to 192.168.1.50. Escape character is '^]'. SSH-2.0-OpenSSH_8.0p1 Ubuntu-6build1

Else use SSH Debug: ssh -vvv user@server.com

System Design

 * Past system design you have done

{XEN SERVER 1}                                                                 {XEN SERVER2} [Asterisk]---[CB]---[Slax Router]---[WanEM]---[Phy Switch][CB]---[Slax Router2]---[Phone1] \_________[Phone2] \________[Phone3]

Used VMs ony Could have used Physical devices - Cisco Call Manager, Physical CBs, Cisco Routers, IPNetSim, IP Phones Used devices across 2 DCs in India & US.
 * Trade off you made in this?


 * Scaling this specific network

Front End Application Backend Application Database
 * 3-tier network design in public cloud. How do you design?

You need LoadBalancer


 * Will you need LB? Why?

How can you establish secure connectivity to public cloud

 * VPN tunnel
 * How do you ensure High Availability for this?
 * Webmin
 * VNC? Encryption? Not by default, can be run inside SSH Tunnel; port 5900, 5901
 * RDP? Encryption? Yes can be encrypted, port 3389
 * TeamViewer
 * Dataplicity

Password authentication is used by users. Username and password combination that you use to login to your SFTP server. When you try to log in, the server checks whether your username and password are both correct and if so, approves your request.
 * SSH Username-Password

Pros: Convenience for users. Easily remembered if web login is possible, browsers can auto-fill these fields Everyone knows how to log in using passwords. Administrators can increase security by creating policies such as: - lock system after 5 retries - Requiring a certain amount of capitalized letters, numbers, and symbols in the password - Forcing users to reset their passwords periodically

Cons: Human nature for people to create passwords that are easily remembered. Simple passwords make these accounts extremely susceptible to intrusion. If these simple passwords are used across multiple apps, the potential for a breach increases massively. Usernames and passwords have to be directly transmitted to the server being logged into, thus making this method more prone to hacking. You can mistakenly log into the wrong server or website, and now that server or website has your password. Hackers love making clones of popular websites to scam users out of their login credentials. Companies could store your password in clear text in their database. Their system administrators can see your password at any time, and if hackers breaks in, they can see your password as well. Even if the password is salted and hashed, a hacker could steal all the passwords, brute force the salt and hash, and see if you used that same password for other apps and websites. Employees may get frustrated by password policies set by IT administrators to increase security.

Keys are used as the default method of authentication for SFTP Gateway.
 * SSH Key based

How SSH keys work for authentication:
 * 1) An SSH key pair, which includes a public and private cryptographic key, is generated by a computer.
 * 2) The public key is stored on the server that you log into, while the private key is stored on your computer.
 * 3) When you attempt to log in, the server will check for the public key and then generate a random string and encrypt it using this public key. This encrypted message can only be decrypted with the associated private key.
 * 4) The server will send this encrypted message to your computer. Upon receipt of the message, your computer will decrypt it using the private key and send this message back to the server. If everything matches up, you’re good to go.

Pros: SSH keys can be up to 4096 bits in length, making them long, complex, and difficult to brute-force hack. These keys are typically at least 1024 bits long, which is the security equivalent of a password that is at least 12 characters. SSH keys aren’t human generated, so they avoid easy-to-guess keys like “123456” or “password”. Unlike passwords, your private SSH key isn’t sent to the server. So even if malicious actors hack into the server, they still can’t access your account. SSH connection can only come from the computer where the private key resides. You can log in using a password from any computer, even a shared desktop at your local library. You can add a password to your SSH key authentication (multi-factor authentication) to increase security even further.

Cons: Private key needs to be stored on the device with which you’re logging in. These devices can be lost or stolen And hackers can gain access to the private key and eventually the server. SSH keys take a bit more work to set up. System administrator can assign initial usernames and passwords and distribute them to employees easily. Employees can change these passwords so that only they know what they are. The sysadmin will no longer have access to employee’s passwords Distribution of public keys and education of staff on how to use SSH keys can be more cumbersome. If the sysadmin provides an employee with a private key, he still has access to said private key and can log into the employee’s account.

Re-Evaluate the design
Room for improvement?