Tech Bytes: How to Get DPUs from Niche to Transformative (Sponsored)

RG Nets builds gateways and centralized-authentication appliances to help manage and automate revenue-generating networks. On today’s Tech Bytes, we talk with RG Nets founder Simon Lok. But instead of talking about RG Nets, we delve into DPUs. This specialized hardware, which provides additional compute for network devices, has the potential to move from a niche... Read more »

HN807: A ‘CLI Lifer’ No More

Andy Lapteff once considered himself a ‘CLI lifer.’ As a network engineer he wasn’t interested in Python. He didn’t want to learn to code. He had no desire to embrace any of the developer-like processes and tools creeping into the profession, particularly around network automation. That’s changed. On today’s Heavy Networking, Andy shares the professional,... Read more »

netlab 25.12: Cisco IOS/XR Configuration Modules, More VXLAN Goodies

netlab release 25.12 (25.12.02 to be exact – I had a few PEBCAK moments) was published last Friday. Here are the highlights:

Significantly improved Cisco IOS/XR support. With the netlab release 25.12, you can configure VLANs, VRFs, static routes, route redistribution, OSPF default routes, BGP confederations, and BGP local-as
VXLAN-over-IPv6 on Arista EOS
VXLAN with ingress replication on Cisco Catalyst 8000v
The shutdown link/interface attribute can be used to start labs with interfaces turned off
Large BGP community lists, implemented on Arista EOS, FRR, and Junos. You can use standard- or large community lists in routing policies
The netlab validate command will reread validation tests from a modified lab topology file every time you run it. It can also read validation tests from a separate file.

Python Workers redux: fast cold starts, packages, and a uv-first workflow

^{Note: This post was updated with additional details regarding AWS Lambda.}

Last year we announced basic support for Python Workers, allowing Python developers to ship Python to region: Earth in a single command and take advantage of the Workers platform.

Since then, we’ve been hard at work making the Python experience on Workers feel great. We’ve focused on bringing package support to the platform, a reality that’s now here — with exceptionally fast cold starts and a Python-native developer experience.

This means a change in how packages are incorporated into a Python Worker. Instead of offering a limited set of built-in packages, we now support any package supported by Pyodide, the WebAssembly runtime powering Python Workers. This includes all pure Python packages, as well as many packages that rely on dynamic libraries. We also built tooling around uv to make package installation easy.

We’ve also implemented dedicated memory snapshots to reduce cold start times. These snapshots result in serious speed improvements over other serverless Python vendors. In cold start tests using common packages, Cloudflare Workers start over 2.4x faster than AWS Lambda without SnapStart and 3x faster than Google Cloud Run.

In this blog post, we’ll explain Continue reading

Compressing embedded files in Go

Go’s embed feature lets you bundle static assets into an executable, but it stores them uncompressed. This wastes space: a web interface with documentation can bloat your binary by dozens of megabytes. A proposition to optionally enable compression was declined because it is difficult to handle all use cases. One solution? Put all the assets into a ZIP archive! 🗜️

Code

The Go standard library includes a module to read and write ZIP archives. It contains a function that turns a ZIP archive into an io/fs.FS structure that can replace embed.FS in most contexts.¹

package embed

import (
  "archive/zip"
  "bytes"
  _ "embed"
  "fmt"
  "io/fs"
  "sync"
)

//go:embed data/embed.zip
var embeddedZip []byte

var dataOnce = sync.OnceValue(func() *zip.Reader {
  r, err := zip.NewReader(bytes.NewReader(embeddedZip), int64(len(embeddedZip)))
  if err != nil {
    panic(fmt.Sprintf("cannot read embedded archive: %s", err))
  }
  return r
})

func Data() fs.FS {
  return dataOnce()
}

We can build the embed.zip archive with a rule in a Makefile. We specify the files Continue reading

Best of the Hedge: Hedge 6 on DoH (Part 2)

In this episode of the Hedge, Geoff Huston joins Tom Ammon and Russ White to finish the discussion on the ideas behind DNS over HTTPS (DoH), and to consider the implications of its widespread adoption. Is it time to bow to our new overlords?

This is part two of a two part series. This is a “best of the Hedge” repost.

download

TNO051: Networks That Do: From Automated to Autonomous Networks with Meter (Sponsored)

Will it be possible to have fully autonomous networks in the near future? Anil Varanasi, CEO and Co-Founder of Meter, joins Scott Robohn in this sponsored episode to discuss the ongoing evolution from automated to autonomous networks. Anil breaks down how Meter differentiates from other networking vendors, discusses how Meter’s network products are vertically integrated... Read more »

Lab: More Complex VXLAN Deployment Scenario

In the first VXLAN lab, we covered the very basics. Now it’s time for a few essential concepts (before introducing the EVPN control plane or integrated routing and bridging):

Each VXLAN segment could have a different set of VTEPs (used to build the BUM flooding list)
While the VXLAN Network Identifier (VNI) must be unique across the participating VTEPs, you could map different VLAN IDs into a single VNI (allowing you to merge two VLAN segments over VXLAN)
Neither VXLAN VNI nor VLAN ID has to be globally unique (but it helps to make them unique to remain sane)

Cloudflare outage on December 5, 2025

^{Note: This post was updated to clarify the relationship of the internal WAF tool with the incident on Dec. 5.}

On December 5, 2025, at 08:47 UTC (all times in this blog are UTC), a portion of Cloudflare’s network began experiencing significant failures. The incident was resolved at 09:12 (~25 minutes total impact), when all services were fully restored.

A subset of customers were impacted, accounting for approximately 28% of all HTTP traffic served by Cloudflare. Several factors needed to combine for an individual customer to be affected as described below.

The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components.

Any outage of our systems is unacceptable, and we know we have let the Internet down again following the incident on November 18. We will be publishing details next week about the work we are doing to stop these types of incidents from occurring.

What happened

The graph below shows HTTP 500 errors served by our network during the Continue reading

N4N044: Redundancy Vs. High Availability Part 2 – HA Networking Isn’t Free

In Part 1 of Redundancy vs. High Availability, we said that sometimes high availability and redundancy are considered to be the same thing, but we disagree. Holly and Ethan do agree that high availability can be considered a network design goal, and that redundancy is just one technique that can be used to help make... Read more »

IPB189: RFC 9898 – Neighbor Discovery Considerations in IPv6 Deployments

The newly published RFC 9898 is the discussion of today’s podcast. The IPv6 Buzz crew explore the complexities of neighbor discovery and review solutions for both operators and architects. They share how this RFC serves as a single, detailed resource to improve your understanding of neighbor discovery and to reduce the potential attack surface in... Read more »

Technical Writing: Lower Your Expectations

Sean Goedecke published an excellent set of recommendations for good technical writing, including:

Keep it short
Try to make your point in the first sentence
Details matter less than you think.

Based on some emails I received in the past (and the lack of response to the lengthy emails I sent), we should apply the same rules to emails (and all other forms of technical communication).

D2DO288: Technology, Career, and Finding a Purpose with Deana Solis

Ned and Kyler sit down with Deana Solis, a freelance FinOps engineer and mentor. They discuss the undervalued skills of communication, look at the inherent biases and misplaced confidence of AI models, and offer guidance for those starting their careers. Deana also talks about her journey to discover the intersection of technology, career, and finding... Read more »

TCG064: Governing AI Agents for Real-World Infrastructure (Sponsored)

In this sponsored episode recorded live at AutoCon 4 in Austin, we sit down with Peter Sprygada, Chief Architect at Itential, to discuss Itential’s on-stage announcement of FlowAI. Peter shares his journey from network engineering skeptic to AI advocate, explaining how Itential securely connects AI agents to infrastructure with enterprise-grade governance and traceability. We dive... Read more »

Cloudflare WAF proactively protects against React vulnerability

Cloudflare has deployed a new protection to address a vulnerability in React Server Components (RSC). All Cloudflare customers are automatically protected, including those on free and paid plans, as long as their React application traffic is proxied through the Cloudflare Web Application Firewall (WAF).

Cloudflare Workers are inherently immune to this exploit. React-based applications and frameworks deployed on Workers are not affected by this vulnerability.

We strongly recommend that customers immediately update their systems to the most recent version of React, despite our WAF being designed to detect and prevent this exploit.

What you need to know

Cloudflare has been alerted by its security partners to a Remote Code Execution (RCE) vulnerability impacting Next.js, React Router, and other React frameworks (security advisory CVE-2025-55182, rated CVSS 10.0). Specifically, React version 19.0, 19.1, and 19.2, and Next.js from version 15 through 16 were found to insecurely deserialize malicious requests, leading to RCE.

In response, Cloudflare has deployed new rules across its network, with the default action set to Block. These new protections are included in both the Cloudflare Free Managed Ruleset (available to all Free customers) and the standard Cloudflare Managed Ruleset (available to all paying Continue reading

Cloudflare’s 2025 Q3 DDoS threat report — including Aisuru, the apex of botnets

Welcome to the 23rd edition of Cloudflare’s Quarterly DDoS Threat Report. This report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the third quarter of 2025.

The third quarter of 2025 was overshadowed by the Aisuru botnet with a massive army of an estimated 1–4 million infected hosts globally. Aisuru unleashed hyper-volumetric DDoS attacks routinely exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps). The number of these attacks surged 54% quarter-over-quarter (QoQ), averaging 14 hyper-volumetric attacks daily. The scale was unprecedented, with attacks peaking at 29.7 Tbps and 14.1 Bpps.

Key insights

Other than Aisuru, additional key insights in this report include:

DDoS attack traffic against AI companies surged by as much as 347% MoM in September 2025, as public concern and regulatory review of AI increases.
Escalating EU-China trade tensions over rare earth minerals and EV tariffs coincide with a significant increase in DDoS attacks against the Mining, Minerals & Metals industry as well as the Automotive industry in 2025 Q3.
Overall, in the third quarter of 2025, Cloudflare’s autonomous Continue reading

Worth Watching: AI/ML Data Center Design

What could be better than watching 0x02 Jeffs discuss networking? How about having Petr Lapukhov of the RFC 7938 fame as a guest discussing AI/ML Data Center Design?

Note: Petr disappeared into the information black hole called Facebook over a decade ago, so I wondered how they allowed him to chat on a podcast for hours. It turns out he moved to NVIDIA, which might influence the podcast content a bit, but I’m pretty sure Petr is still Petr ;)

AI Meets Kubernetes Security: Tigera CEO Reveals What Comes Next for Platform Teams

Kubernetes adoption is growing rapidly, but so are complexity and security risks.

Tigera CEO, Ratan Tipirneni, on Calico AI and the Push for Simpler, Unified Kubernetes Security

Platform teams are tasked with keeping clusters secure and observable while navigating a skills gap. At KubeCon + CloudNativeCon North America, The New Stack spoke with Ratan Tipirneni, President and CEO of Tigera, about the future of Kubernetes security, AI-driven operations, and emerging trends in enterprise networking. The highlights from that discussion are summarized below.

Portions of this article are adapted from a recorded interview between The New Stack’s Heather Joslin and Tigera CEO Ratan Tipirneni. You can watch the full conversation on The New Stack’s YouTube channel. Watch the full interview here

How Can Teams Better Manage the Kubernetes Blast Radius and Skills Gap?

Tipirneni emphasizes the importance of controlling risk in Kubernetes clusters. “You want to be able to microsegment your workloads so that if you do come under an attack, you can actually limit the blast radius,” he says.

Egress traffic is another area of concern. According to Tipirneni, identifying what leaves the cluster is critical for security and compliance. Platform engineers are often navigating complex configurations without decades of Continue reading

HW066: An Inside Look at the WLAN-Pi App

Ben Toner once again joins Keith Parsons to explain the new WLAN-Pi App. Originally built to control the WLAN-Pi Go, the app now works with all WLAN-Pi models and consolidates controls previously spread across the web UI and APIs. They then dive deeper into the method of connectivity for the app and the functionalities it... Read more »

PP089: Hidden Wi-Fi Misconfigurations and Wi-Fi 7 Issues to Be Aware Of

There may be misconfigurations and other problems lurking in your wireless network. From a lack of peer isolation to poor segmentation to RADIUS problems and vendor fails, these issues can make your WLAN less secure. Jennifer “JJ” Minella goes from Packet Protector co-host to guest as she discusses these issues with Drew Conry-Murray. This episode... Read more »

« Previous 1 2 3 4 … 3,475 Next »

Archive