Archive

Category Archives for "Networking"

Lab: More Complex EVPN/VXLAN Bridging Scenario

In the first EVPN/VXLAN lab, we added the EVPN control plane to bridging over VXLAN. Now, let’s try out a more complex scenario: several EVPN MAC-VRFs mapped to different VLAN segments on individual PE-devices.

You can run the lab on your own netlab-enabled infrastructure (more details), but also within a free GitHub Codespace or even on your Apple-silicon Mac (installation, using Arista cEOS container, using VXLAN/EVPN labs).

Toxic combinations: when small signals add up to a security incident

At 3 AM, a single IP requested a login page. Harmless. But then, across several hosts and paths, the same source began appending ?debug=true — the sign of an attacker probing the environment to assess the technology stack and plan a breach.

Minor misconfigurations, overlooked firewall events, or request anomalies feel harmless on their own. But when these small signals converge, they can escalate into security incidents known as "toxic combinations": attack chains in which an attacker discovers and compounds many minor issues, such as a debug flag left enabled on a web application or an unauthenticated application path, to breach systems or exfiltrate data.
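The scenario above, turned into detection logic, as an added example that is not part of the original post and not Cloudflare's code: it parses constructed request log lines, groups them by source IP, and raises a finding when one source sends `?debug=true` to several distinct host/path targets inside a short window, escalating severity when the same source also touched a login page. The log format, the ten-minute window and the three-target threshold are assumptions chosen for illustration.

```python
"""Correlate low-severity web signals per source IP into one finding.

Added example for the "toxic combinations" post; not Cloudflare's code.
The log lines below are constructed and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: timestamp, client IP, host, request target, status.
SAMPLE_LOG = """\
2024-05-01T03:00:01Z 203.0.113.7 www.example.com /login 200
2024-05-01T03:00:09Z 203.0.113.7 www.example.com /api/v1/users?debug=true 200
2024-05-01T03:00:15Z 203.0.113.7 shop.example.com /checkout?debug=true 500
2024-05-01T03:00:22Z 203.0.113.7 admin.example.com /?debug=true 403
2024-05-01T03:00:40Z 198.51.100.4 www.example.com /index.html?debug=true 200
2024-05-01T03:01:02Z 198.51.100.4 www.example.com /about 200
2024-05-01T07:30:00Z 203.0.113.7 www.example.com /status?debug=true 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, host, target, status = m.groups()
        parts = urlsplit(target)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "host": host,
            "path": parts.path,
            "query": parse_qs(parts.query),
            "status": int(status),
        })
    return events


def is_debug_probe(event):
    """A request that tries to switch on a debug flag via the query string."""
    return "true" in event["query"].get("debug", [])


def find_toxic_sources(events, window=timedelta(minutes=10), min_targets=3):
    """Return {ip: finding} for sources whose weak signals add up.

    Assumed rule (not Cloudflare's): a source that sends debug=true to at
    least `min_targets` distinct host+path pairs within `window` is probing
    the stack; a login-page request from the same source inside the window
    raises the severity, because the probe then looks like breach planning.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            targets = {(e["host"], e["path"]) for e in in_window if is_debug_probe(e)}
            if len(targets) >= min_targets:
                touched_login = any(e["path"].endswith("/login") for e in in_window)
                findings[ip] = {
                    "severity": "high" if touched_login else "medium",
                    "debug_targets": sorted(targets),
                    "hosts": sorted({host for host, _ in targets}),
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, finding in find_toxic_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, finding["severity"], finding["hosts"])
```

Run on the sample, only 203.0.113.7 is flagged: its three debug probes on three hosts within ten minutes of the login request produce a high-severity finding, while the single probe from 198.51.100.4 stays below the threshold and is ignored.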

Cloudflare’s network observes requests to your stack, and as a result, has the data to identify these toxic combinations as they form. In this post, we’ll show you how we surface these signals from our application security data. We’ll go over the most common types of toxic combinations and the dangerous vulnerabilities they present. We will also provide details on how you can use this intelligence to identify and address weaknesses in your stack. 

How we define toxic combinations

You could define a "toxic combination" in a few different ways, but here Continue reading

ASPA: making Internet routing more secure

Internet traffic relies on the Border Gateway Protocol (BGP) to find its way between networks. However, this traffic can sometimes be misdirected due to configuration errors or malicious actions. When traffic is routed through networks it was not intended to pass through, it is known as a route leak. We have written on our blog multiple times about BGP route leaks and the impact they have on Internet routing, and a few times we have even alluded to a future of path verification in BGP. 

While the network community has made significant progress in verifying where a route originates (RPKI Route Origin Validation checks that the origin AS is authorized to announce a prefix), securing the actual path that traffic takes to get there remains a key challenge for maintaining a reliable Internet. To address this, the industry is adopting a new cryptographic standard called ASPA (Autonomous System Provider Authorization). Each AS publishes a signed record of its transit providers, and a router checks every hop of a route's AS_PATH against those records, which lets it detect and reject paths that could only have come from a route leak.

To help the community track the rollout of this standard, Cloudflare Radar has introduced a new ASPA deployment monitoring feature. This view allows users to observe ASPA adoption trends over time across the five Regional Internet Registries (RIRs), and view ASPA records and changes over time Continue reading
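The path check that ASPA enables, as an added example that serves both this post and the Radar routing-security bullet further down; it is not Cloudflare's or Radar's code. It classifies each hop of a prepend-free AS_PATH as Provider+, Not Provider+ or No Attestation from a table of ASPA records, then applies the upstream rule (routes from customers and lateral peers must climb customer-to-provider all the way) and the downstream up-ramp/down-ramp rule (routes from providers may climb, cross at most one peering link, then descend). The rule set follows the IETF SIDROPS ASPA verification draft as the author of this example understands it, so treat the exact rules as an assumption and compare them with the current draft before relying on them. The ASPA records use constructed documentation AS numbers.

```python
"""AS_PATH verification against ASPA records.

Added example for the ASPA post; not Cloudflare's or Radar's code.  Rules
follow the SIDROPS ASPA verification draft as understood by this example's
author (an assumption to check against the current draft).  ASPA records
below are constructed.
"""

# Constructed ASPA records: customer ASN -> set of attested provider ASNs.
# An empty set is a real attestation ("I have no providers", as a tier-1
# would publish); a missing key means no ASPA exists for that AS.
ASPA = {
    64500: {64501},
    64501: {64502},
    64502: set(),
    64503: {64502},
    64504: {64503, 64505},
    64505: {64506},
}

PROVIDER_PLUS, NOT_PROVIDER_PLUS, NO_ATTESTATION = "P+", "nP+", "nA"


def hop(customer, candidate_provider, aspa=ASPA):
    """Classify the directed hop customer -> candidate_provider."""
    providers = aspa.get(customer)
    if providers is None:
        return NO_ATTESTATION
    return PROVIDER_PLUS if candidate_provider in providers else NOT_PROVIDER_PLUS


def dedupe(as_path):
    """Collapse prepends (consecutive repeats of one ASN)."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def verify_upstream(as_path, aspa=ASPA):
    """Route learned from a customer or a lateral peer.  Listing the path
    from origin to neighbour, every hop must be customer -> provider."""
    p = dedupe(as_path)
    results = {hop(p[i], p[i + 1], aspa) for i in range(len(p) - 1)}
    if NOT_PROVIDER_PLUS in results:
        return "Invalid"
    if NO_ATTESTATION in results:
        return "Unknown"
    return "Valid"


def _ramps(p, allowed, aspa):
    """Return (up_end, down_start), both 1-based positions in p.

    up_end: length of the longest up-ramp starting at the origin whose hops
    all classify into `allowed`.  down_start: position where the shortest
    down-ramp ending at the neighbour begins (hops read neighbour-wards are
    provider -> customer, i.e. hop(p[i], p[i-1]) is in `allowed`).
    """
    n = len(p)
    up_end = 1
    while up_end < n and hop(p[up_end - 1], p[up_end], aspa) in allowed:
        up_end += 1
    down_start = n
    while down_start > 1 and hop(p[down_start - 1], p[down_start - 2], aspa) in allowed:
        down_start -= 1
    return up_end, down_start


def verify_downstream(as_path, aspa=ASPA):
    """Route learned from a provider: climb, at most one lateral hop, descend."""
    p = dedupe(as_path)
    if len(p) <= 2:
        return "Valid"
    up_end, down_start = _ramps(p, {PROVIDER_PLUS}, aspa)
    if down_start - up_end <= 1:
        return "Valid"
    # Retry treating unattested hops as acceptable: if a gap of two or more
    # hops still cannot be explained, the path is a leak, else it is unknown.
    up_end2, down_start2 = _ramps(p, {PROVIDER_PLUS, NO_ATTESTATION}, aspa)
    if down_start2 - up_end2 > 1:
        return "Invalid"
    return "Unknown"


if __name__ == "__main__":
    print(verify_upstream([64500, 64501, 64502, 64503]))            # leak: Invalid
    print(verify_downstream([64500, 64501, 64502, 64503, 64504]))   # Valid
```

In the constructed table, 64504 is a customer of both 64503 and 64505. A downstream path 64500 64501 64502 64503 64504 64505 is a textbook leak (64504 re-announced a route learned from one provider to the other), and the check returns Invalid because 64505 attests that 64504 is not its provider; delete 64505's record and the same path degrades to Unknown, which is why the adoption trend Radar tracks matters.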

Bringing more transparency to post-quantum usage, encrypted messaging, and routing security

Cloudflare Radar already offers a wide array of security insights — from application and network layer attacks, to malicious email messages, to digital certificates and Internet routing.

And today we’re introducing even more. We are launching several new security-related data sets and tools on Radar: 

  • We are extending our post-quantum (PQ) monitoring beyond the client side to now include origin-facing connections. We have also released a new tool to help you check any website's post-quantum encryption compatibility. 

  • A new Key Transparency section on Radar provides a public dashboard showing the real-time verification status of Key Transparency Logs for end-to-end encrypted messaging services like WhatsApp, showing when each log was last signed and verified by Cloudflare's Auditor. The page serves as a transparent interface where anyone can monitor the integrity of public key distribution and access the API to independently validate our Auditor’s proofs. 

  • Routing Security insights continue to expand with the addition of global, country, and network-level information about the deployment of ASPA, an emerging standard that can help detect and prevent BGP route leaks. 

Measuring origin post-quantum support

Since April 2024, we have tracked the aggregate growth of client support for post-quantum encryption on Cloudflare Continue reading

The most-seen UI on the Internet? Redesigning Turnstile and Challenge Pages

You've seen it. Maybe you didn't register it consciously, but you've seen it. That little widget asking you to verify you're human. That full-page security check before accessing a website. If you've spent any time on the Internet, you've encountered Cloudflare's Turnstile widget or Challenge Pages — likely more times than you can count.

The Turnstile widget – a familiar sight across millions of websites

When we say that a large portion of the Internet sits behind Cloudflare, we mean it. Our Turnstile widget and Challenge Pages are served 7.67 billion times every single day. That's not a typo. Billions. This might just be the most-seen user interface on the Internet.

And that comes with enormous responsibility.

Designing a product with billions of eyeballs on it isn't just challenging — it requires a fundamentally different approach. Every pixel, every word, every interaction has to work for someone's grandmother in rural Japan, a teenager in São Paulo, a visually impaired developer in Berlin, and a busy executive in Lagos. All at the same time. In moments of frustration.

Today we’re sharing the story of how we redesigned Turnstile and Challenge Pages. It's a story told in three parts, by three Continue reading

We deserve a better streams API for JavaScript

Handling data in streams is fundamental to how we build applications. To make streaming work everywhere, the WHATWG Streams Standard (informally known as "Web streams") was designed to establish a common API to work across browsers and servers. It shipped in browsers, was adopted by Cloudflare Workers, Node.js, Deno, and Bun, and became the foundation for APIs like fetch(). It's a significant undertaking, and the people who designed it were solving hard problems with the constraints and tools they had at the time.

But after years of building on Web streams — implementing them in both Node.js and Cloudflare Workers, debugging production issues for customers and runtimes, and helping developers work through far too many common pitfalls — I've come to believe that the standard API has fundamental usability and performance issues that cannot be fixed easily with incremental improvements alone. The problems aren't bugs; they're consequences of design decisions that may have made sense a decade ago, but don't align with how JavaScript developers write code today.

This post explores some of the fundamental issues I see with Web streams and presents an alternative approach built around JavaScript language primitives that demonstrate something better is possible. 

Continue reading

Configuring 6PE Route Reflector on Cisco IOS

Imagine you want to deploy a BGP route reflector for MPLS 6PE or L3VPN service. Both services run over MPLS LSPs, use IPv4 BGP sessions, and use IPv4 next hops for BGP routes. There’s absolutely no reason to need IPv6 routing on a node that handles solely the control-plane activity (it never appears as a BGP next hop anywhere), right? Cisco IOS disagrees, as I discovered when running route reflector integration tests for netlab 6PE and (MPLS) L3VPN functionality.

Most platforms failed those tests because we forgot to configure route-reflector-client in the labeled IPv6 (6PE) and VPNv4/VPNv6 address families[1]. That was easy to fix, but the IOS-based devices were still failing the tests, with nothing in the toolchain ever complaining about configuration problems.

Join Calico at KubeCon Europe 2026: AI Agents, Silent Discos, and Dutch Delights!

The cloud-native community is heading to the historic canals and vibrant tech scene of Amsterdam for KubeCon + CloudNativeCon Europe 2026! From March 23–26, Amsterdam will be buzzing with the latest in Kubernetes, platform engineering, and, of course, all things Calico.

Whether you’re a long-time Calico user or just starting your cloud-native security journey, Tigera has a packed schedule to make your KubeCon experience both educational and unforgettable.

🌍 Meet Our International Team

Our international team, hailing from Vancouver, Toronto, San Francisco, Cork, London, and Cambridge, is converging on Amsterdam to welcome you! Whether you’re a first-time attendee or a KubeCon veteran, our crew has been through the trenches and is ready to share tips on everything from eBPF security to the best bitterballen in the city.

Securing the Future: AI Agent Workshop

The biggest shift in the ecosystem this year? Autonomous AI Agents. But as we move these agents into production, how do we ensure they are secure, compliant, and observed?

Join us for our featured workshop: Securing Autonomous AI Agents in Production. We’ll dive deep into how to implement zero-trust security for AI workloads and protect the underlying infrastructure that powers them.

Shane Walsh

Shane Walsh, Corporate Account Executive (Cork, Continue reading

Context Is Expensive

When it comes to learning and understanding, facts are easy. If I ask you how many bits are in an IPv4 address it’s a single answer. People memorize facts and figures like this all the time. It’s easy to recall them for tests and to prove you understand the material. Where things start getting interesting is when you need to provide context around the answer. Context is expensive.

Cognitive Costs

Questions with one correct answer or with a binary answer choice are easy to deal with cognitively. You memorize the right answer and move on with your life. IPv4 addresses are 32 bits long. The sun rises in the east. You like Star Wars but not Galactica 1980. These things don't take much effort to recall.

Now, think about why those answers exist. Why does the sun rise in the east? Why are addresses 32 bits long? Why don’t you like Galactica 1980? The answers are much longer now. They involve nuance and understanding of things that are outside of the bounds of simple fact recall. For example, look at this video of Vint Cerf explaining why they decided on 32-bit addresses all the way back in the mid-1970s:

There’s Continue reading

Packet Trimming Deep Dive – Part II

Receive Interface Group (Rx IFG)

Ingress Pre-Processing and Integrity

The Receive Interface Group (Rx IFG) is the ingress pre-processing stage that handles the incoming Ethernet bitstream before the packet enters the Packet Processing Array (PPA) of the Receive Network Processing Unit (Rx NPU) in the Cisco Silicon One architecture.

Processing begins at the Rx MAC. The Rx MAC reconstructs (“delimits”) the Ethernet frame from the Physical Coding Sublayer (PCS) bitstream and verifies frame integrity by computing a Frame Check Sequence (FCS) using the CRC-32 algorithm. If the computed FCS does not match the received FCS value, the frame is considered corrupted and is dropped immediately at ingress. If the CRC check succeeds, the frame is admitted for further processing. 

Shallow classification and Traffic Class mapping

After frame validation, the Rx IFG identifies the Ethernet MAC header and detects the presence of IEEE 802.1Q VLAN tags. The Rx IFG performs shallow classification to efficiently manage hardware resources before deeper protocol parsing and forwarding decisions are executed in the Rx NPU. When an IEEE 802.1Q VLAN tag is present, the Rx IFG extracts the Priority Code Point (PCP) bits from the VLAN tag and maps them to an Internal Continue reading
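The two ingress steps described above, the FCS check at the Rx MAC and the shallow 802.1Q classification, as an added example in Python; this is not Cisco code and it models only what the text states, not Silicon One internals. The frames are constructed, and the PCP-to-traffic-class table is an assumption, since the page does not give the real mapping. The example also exercises the drop path for a corrupted frame.

```python
"""Model of the Rx IFG ingress steps: FCS check, then 802.1Q classification.

Added example; not Cisco's code.  Frames are constructed and PCP_TO_TC is an
assumed mapping, not Silicon One's.
"""
import struct
import zlib

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Assumed, illustrative PCP -> internal traffic-class mapping (4 classes).
PCP_TO_TC = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def ethernet_fcs(frame_without_fcs):
    """Ethernet FCS: IEEE 802.3 CRC-32 (reflected, init and xor-out
    0xFFFFFFFF), which is exactly the CRC zlib computes.  It is transmitted
    least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst, src, payload, pcp=0, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Constructed frame with an optional 802.1Q tag and a correct FCS."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        hdr += struct.pack(">HH", ETHERTYPE_8021Q, tci)
    body = hdr + struct.pack(">H", ethertype) + payload
    return body + ethernet_fcs(body)


def rx_ifg(frame):
    """Return None if the frame is dropped at the MAC (bad FCS or runt),
    otherwise a dict with the shallow-classification results."""
    if len(frame) < 18:  # 14-byte header + 4-byte FCS is the least this model accepts
        return None
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        return None  # corrupted: dropped immediately at ingress

    ethertype = struct.unpack_from(">H", body, 12)[0]
    result = {"dst": body[0:6], "src": body[6:12], "tagged": False, "pcp": 0, "vlan_id": None}
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack_from(">H", body, 14)[0]
        result.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)
        ethertype = struct.unpack_from(">H", body, 16)[0]  # inner EtherType
    result["ethertype"] = ethertype
    result["traffic_class"] = PCP_TO_TC[result["pcp"]]
    return result


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    frame = build_frame(dst, src, b"\x45" + b"\x00" * 19, pcp=5, vlan_id=100)
    print(rx_ifg(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01  # flip one payload bit
    print(rx_ifg(bytes(damaged)))  # None: FCS mismatch, dropped
```

The known-answer check for the CRC is the usual one: the FCS over the ASCII string "123456789" is 0xCBF43926, emitted on the wire as 26 39 F4 CB. Flipping a single bit anywhere in the frame makes the recomputed FCS differ and the model drops the frame before any header is parsed, which mirrors the ordering in the text: integrity first, classification second.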

On AI Agents Speaking BGP

I guess your LinkedIn feed is as full of AI nonsense as mine is, so I usually just skip all that posturing. However, every now and then, I stumble upon an idea that makes sense… until you start to dig deeper into it.

There was this post about AI agents speaking BGP with an associated GitHub repo, so I could go take a look at what it’s all about.

The proof-of-concept (according to the post author) has two components:

How we rebuilt Next.js with AI in one week

*This post was updated at 12:35 pm PT to fix a typo in the build time benchmarks.

Last week, one engineer and an AI model rebuilt the most popular front-end framework from scratch. The result, vinext (pronounced "vee-next"), is a drop-in replacement for Next.js, built on Vite, that deploys to Cloudflare Workers with a single command. In early benchmarks, it builds production apps up to 4x faster and produces client bundles up to 57% smaller. And we already have customers running it in production. 

The whole thing cost about $1,100 in tokens.

The Next.js deployment problem

Next.js is the most popular React framework. Millions of developers use it. It powers a huge chunk of the production web, and for good reason. The developer experience is top-notch.

But Next.js has a deployment problem when used in the broader serverless ecosystem. The tooling is entirely bespoke: Next.js has invested heavily in Turbopack but if you want to deploy it to Cloudflare, Netlify, or AWS Lambda, you have to take that build output and reshape it into something the target platform can actually run.

If you’re thinking: “Isn’t that what OpenNext does?”, you are correct. Continue reading

Interesting: Open Space Events

Following a link in another of Martin Fowler's blog posts, I stumbled upon his thoughts on Open Space events, a way to set up self-organizing events.

I’m not sure I’m brave (or young) enough to try it out, but if you’re planning to organize a small gathering (like a local Network Operator Group), this might be an interesting, slightly more structured approach than a Net::Beer event. It would also be nice to know whether someone managed to pull it off in an online format.

10 Captivating Traditional Houses of Indonesia

Indonesia is known for its cultural richness, and its traditional houses (rumah adat) are one expression of it. Each province displays a unique architecture that reflects local tradition and philosophy. A traditional house is therefore not just a dwelling but also a symbol of cultural identity. Below, let us explore the 10 most famous traditional houses in Indonesia.


1. Rumah Gadang – West Sumatra

The Minangkabau people are famous for the Rumah Gadang. Its roof rises high, resembling buffalo horns, which gives it a majestic look. The house even accommodates several extended families at once. With its open layout, family members interact easily and keep the household in harmony. The Rumah Gadang also serves as the centre for traditional ceremonies and family gatherings.


2. Rumah Joglo – Central Java and Yogyakarta

The Javanese build the Rumah Joglo with a tall, grand roof structure. Its central room is usually used for traditional ceremonies, family gatherings, and entertainment. In addition, Continue reading

Showa Motorcycle Suspension: Quality and Innovation for Maximum Performance

Motorcycle suspension is one of the vital components that determine riding comfort and stability. One of the world's leading brands is Showa, a Japanese manufacturer that has delivered advanced suspension solutions for decades. This article covers the history, technology, and advantages of Showa suspension, and why so many riders and motorcycle manufacturers trust it.


History and Development of Showa

Showa Corporation was founded in 1938 and has focused on automotive suspension technology ever since. Over time, the company grew into a major supplier of motorcycle and car suspension worldwide. Many well-known motorcycle manufacturers such as Honda, Yamaha, and Kawasaki fit Showa suspension as standard equipment on their motorcycles.

Beyond its reputation, Showa is known for continuous innovation. The company keeps adapting its suspension products to the needs of modern riders, for everyday motorcycles and sport bikes alike. In other words, quality, durability, and performance are always the priority.


Showa Suspension Technology

Showa suspension combines advanced technology with high-quality materials. Several main types are popular:

Suspension type | Description | Advantages
Telescopic fork | Standard front suspension for everyday motorcycles | High stability, easy maintenance
Inverted fork (USD) | Front suspension for sport motorcycles | More precise, responsive handling
Rear shock absorber | Continue reading

Apple Vision Pro: A New Era of Spatial Computing from Apple

What Apple Vision Pro Is

Apple Vision Pro is Apple's latest spatial computing device. The product combines augmented reality and virtual reality in a single ecosystem. Apple designed the device for both professional and entertainment use, and in doing so it opens up a new way of interacting with the digital world.

The device runs visionOS, a dedicated operating system that arranges applications in three-dimensional space. Users control the interface with their eyes, hands, and voice, which makes the experience feel natural and intuitive.

Design and Key Technology

Apple Vision Pro has a futuristic design built from premium materials: aluminium, laminated glass, and a flexible fabric strap. The design is tuned for comfortable long-term wear, so users can stay focused while they work.

The device uses two very high-resolution micro-OLED displays that deliver sharp visual detail. Apple fitted it with an M2 chip and an R1 chip; together they process graphics and sensor data in real time, so visual latency is barely perceptible.

In addition, LiDAR sensors, cameras Continue reading

Real-time visualization of AI / ML traffic matrix

Heatmap is available on GitHub. The application provides a real-time traffic matrix visualization of end-to-end traffic flowing across an Ethernet fabric. Each axis represents an ordered list of network addresses. The x-axis is a flow source and the y-axis is a flow destination.

For example, the Heatmap above comes from a large high performance compute cluster running a mixture of tasks. Traffic is concentrated along the diagonal, indicating that the job scheduler is packing related tasks in racks so that most traffic is confined to the rack.

Note: Live Dashboards links to a number of dashboards showing live traffic, including the Heatmap above.

The next Heatmap shows a very different traffic pattern. In this case, RoCEv2 traffic is generated by GPUs performing an NCCL AllReduce/AllGather collective operation using a ring algorithm. During the collective operation, each GPU sends data to its immediate neighbor (modulo the number of GPUs) in a logical ring, resulting in two nearly continuous lines on either side of the diagonal: one for the forward traffic and the other for the return traffic associated with each flow.

The final example comes from a large data center hosting a mix of front end workloads. Unlike the backend networks, this network combines internal (East/West) Continue reading
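The traffic-matrix reading described above, as an added example that is not the Heatmap project's code: it builds the N x N byte matrix from flow records in the axis order the text describes, then measures how much of the traffic sits on the two bands next to the diagonal (the ring signature) and, given a rack assignment that stands in for an address ordering which places a rack's hosts next to each other, how much stays inside a rack (the scheduler-packing signature). The flows and the rack assignment are constructed; the host addresses and the `ring_allreduce_flows` generator are assumptions for illustration.

```python
"""Traffic matrix from flow records, plus two pattern summaries.

Added example; not the Heatmap project's code.  Flows, hosts and the
rack assignment are constructed.
"""


def traffic_matrix(flows, hosts):
    """flows: iterable of (src, dst, bytes); hosts: ordered axis list.
    Returns an N x N list of byte counts, row = source, column = destination.
    Flows whose endpoints are not on the axes are ignored."""
    idx = {h: i for i, h in enumerate(hosts)}
    n = len(hosts)
    m = [[0] * n for _ in range(n)]
    for src, dst, nbytes in flows:
        if src in idx and dst in idx:
            m[idx[src]][idx[dst]] += nbytes
    return m


def band_shares(m, rack_of=None):
    """Fraction of bytes on the two bands beside the diagonal (destination is
    the source's next or previous neighbour modulo N, i.e. the ring pattern)
    and, when rack_of is given, the fraction that stays inside one rack."""
    n = len(m)
    total = sum(map(sum, m)) or 1
    ring = sum(m[i][(i + 1) % n] + m[i][(i - 1) % n] for i in range(n))
    out = {"ring": ring / total}
    if rack_of is not None:
        intra = sum(m[i][j] for i in range(n) for j in range(n) if rack_of[i] == rack_of[j])
        out["intra_rack"] = intra / total
    return out


def ring_allreduce_flows(hosts, nbytes):
    """Constructed ring collective: every GPU sends nbytes to its next
    neighbour (modulo N) and receives the same amount back."""
    n = len(hosts)
    flows = []
    for i in range(n):
        flows.append((hosts[i], hosts[(i + 1) % n], nbytes))   # forward direction
        flows.append((hosts[(i + 1) % n], hosts[i], nbytes))   # return direction
    return flows


if __name__ == "__main__":
    hosts = [f"10.0.0.{i}" for i in range(1, 9)]  # assumed addresses, axis order
    ring = traffic_matrix(ring_allreduce_flows(hosts, 1_000_000), hosts)
    print("ring collective:", band_shares(ring))
    rack_of = [0, 0, 0, 0, 1, 1, 1, 1]  # constructed: two racks of four hosts
    packed = traffic_matrix(
        [(hosts[0], hosts[1], 900), (hosts[5], hosts[6], 900), (hosts[0], hosts[7], 200)],
        hosts,
    )
    print("rack-packed jobs:", band_shares(packed, rack_of))
```

For the constructed ring collective every byte lands on the two bands beside the diagonal, so the ring share is 1.0; for the rack-packed flows 90% of the bytes stay within a rack, which is the concentration along the diagonal that the first heatmap shows.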

netlab: The Caveats of Using Startup Configurations

Petr Ankudinov wrote an excellent comment about the netlab Fast cEOS Configuration implementation. Paraphrasing the original comment:

If the use case is the initial lab deployment, why don’t you use containerlab startup-config option to change the device’s startup configuration?

I have to admit, I'm too old to boldly go with the "just use the startup configuration" approach. In ancient times, Cisco IOS did crazy stuff if you rearranged the commands in the startup configuration. But ignoring that historical trivia (Cisco IOS/XE seems to be doing just fine), there are several reasons why I decided to use the startup configurations (and you can use them with some containers) as the last resort:
