How Microsoft Azure Orchestration System Crashed My Demos

One of the first things I realized when I started my Azure journey was that the Azure orchestration system is incredibly slow. For example, it takes almost 40 seconds to display six routes from per-VNIC routing table. Imagine trying to troubleshoot a problem and having to cope with 30-second delay on every single SHOW command. Cisco IGS/R was faster than that.

If you’re old enough you might remember working with VT100 terminals (or an equivalent) connected to 300 baud modems… where typing too fast risked getting the output out-of-sync resulting in painful screen repaints (here’s an exercise for the youngsters: how long does it take to redraw an 80x24 character screen over a 300 bps connection?). That’s exactly how I felt using Azure CLI - the slow responses I was getting were severely hampering my productivity.

Supercomputing Coiled To Spring To Exascale

If you want to rank in the world of supercomputing – as national and state governments as well as academic and research institutions most certainly do to prove their worth for research and development – then you need to have at least a petaflops ante now to play the game. …

Supercomputing Coiled To Spring To Exascale was written by Timothy Prickett Morgan at .

Towards multiverse databases

Towards multiverse databases Marzoev et al., HotOS’19

A typical backing store for a web application contains data for many users. The application makes queries on behalf of an authenticated user, but it is up to the application itself to make sure that the user only sees data they are entitled to see.

Any frontend can access the whole store, regardless of the application user consuming the results. Therefore, frontend code is responsible for permission checks and privacy-preserving transformations that protect user’s data. This is dangerous and error-prone, and has caused many real-world bugs… the trusted computing base (TCB) effectively includes the entire application.

The central idea behind multiverse databases is to push the data access and privacy rules into the database itself. The database takes on responsibility for authorization and transformation, and the application retains responsibility only for authentication and correct delegation of the authenticated principal on a database call. Such a design rules out an entire class of application errors, protecting private data from accidentally leaking.

It would be safer and easier to specify and transparently enforce access policies once, at the shared backend store interface. Although state-of-the-are databases have security features designed for exactly this purpose, Continue reading

Welcome to Crypto Week 2019

The Internet is an extraordinarily complex and evolving ecosystem. Its constituent protocols range from the ancient and archaic (hello FTP) to the modern and sleek (meet WireGuard), with a fair bit of everything in between. This evolution is ongoing, and as one of the most connected networks on the Internet, Cloudflare has a duty to be a good steward of this ecosystem. We take this responsibility to heart: Cloudflare’s mission is to help build a better Internet. In this spirit, we are very proud to announce Crypto Week 2019.

Every day this week we’ll announce a new project or service that uses modern cryptography to build a more secure, trustworthy Internet. Everything we release this week will be free and immediately useful. This blog is a fun exploration of the themes of the week.

• Monday: Coming Soon
• Tuesday: Coming Soon
• Wednesday: Coming Soon
• Thursday: Coming Soon
• Friday: Coming Soon

The Internet of the Future

Many pieces of the Internet in use today were designed in a different era with different assumptions. The Internet’s success is based on strong foundations that support constant reassessment and improvement. Sometimes these improvements require deploying new protocols.

Performing an upgrade on a system Continue reading

Security Compliance at Cloudflare

Cloudflare believes trust is fundamental to helping build a better Internet. One way Cloudflare is helping our customers earn their users’ trust is through industry standard security compliance certifications and regulations.

Security compliance certifications are reports created by independent, third-party auditors that validate  and document a company’s commitment to security. These external auditors will conduct a rigorous review of a company’s technical environment and evaluate whether or not there are thorough controls - or safeguards - in place to protect the security, confidentiality, and availability of information stored and processed in the environment. SOC 2 was established by the American Institute of CPAs and is important to many of our U.S. companies, as it is a standardized set of requirements a company must meet in order to comply. Additionally, PCI and ISO 27001 are international standards. Cloudflare cares about achieving certifications because our adherence to these standards creates confidence to customers across the globe that we are committed to security. So, the Security team has been hard at work obtaining these meaningful compliance certifications.

Since the beginning of this year, we have been renewing our PCI DSS certification in February, achieving SOC 2 Type 1 compliance in March, obtaining Continue reading

Weekly Top Posts: 2019-06-16

1. VMware Inks Deal to Buys Avi Networks
2. Telefónica Launches a Fortinet-Powered SD-WAN Virtual Firewall
3. Podcast: Multi-Vendor Network Virtualization with EVPN
4. Cisco Aims to ‘Change the Paradigm’ for Operators with 5G
5. Riverbed Siphons Versa for a Stronger SD-WAN Flow

A free Argo Tunnel for your next project

Argo Tunnel lets you expose a server to the Internet without opening any ports. The service runs a lightweight process on your server that creates outbound tunnels to the Cloudflare network. Instead of managing DNS, network, and firewall complexity, Argo Tunnel helps administrators serve traffic from their origin through Cloudflare with a single command.

We built Argo Tunnel to remove the burden of securing and connecting servers to the Internet. This new model makes it easier to run a service in multi-cloud and hybrid deployments by replacing manual and error-prone work with a process that adds intelligence to the last-mile between Cloudflare and your origins or clusters. However, the service was previously only available to users with Cloudflare accounts. We want to make Argo Tunnel more accessible for any project.

Starting today, any user, even those without a Cloudflare account, can try this new method of connecting their server to the Internet. Argo Tunnel can now be used in a free model that will create a new URL, known only to you, that will proxy traffic to your server. We’re excited to make connecting a server to the Internet more accessible for everyone.

What is Argo Tunnel?

Argo Tunnel replaces Continue reading

Censorship vs. the memes

Heavy Networking 455: The Wonderful World Of Wireless – Beacons, Probes, SSIDs And More

The Packet Pushers' latest crash course podcast on wireless for wired engineers dives into beacons, roaming, SSIDs, the ugly reality of band steering, and more WLAN nerdery. Our guest is Chris Reed.

The post Heavy Networking 455: The Wonderful World Of Wireless – Beacons, Probes, SSIDs And More appeared first on Packet Pushers.

Docker Tools for Modernizing Traditional Applications

Over the past two years Docker has worked closely with customers to modernize portfolios of traditional applications with Docker container technology and Docker Enterprise, the industry-leading container platform. Such applications are typically monolithic in nature, run atop older operating systems such as Windows Server 2008 or Windows Server 2003, and are difficult to transition from on-premises data centers to the public cloud.

The Docker platform alleviates each of these pain points by decoupling an application from a particular operating system, enabling microservice architecture patterns, and fostering portability across on-premises, cloud, and hybrid environments.

As the Modernizing Traditional Applications (MTA) program has matured, Docker has invested in tooling and methodologies that accelerate the transition to containers and decrease the time necessary to experience value from the Docker Enterprise platform. From the initial application assessment process to running containerized applications on a cluster, Docker is committed to improving the experience for customers on the MTA journey.

Application Discovery & Assessment

Enterprises develop and maintain exhaustive portfolios of applications. Such apps come in a myriad of languages, frameworks, and architectures developed by both first and third party development teams. The first step in the containerization journey is to determine which applications are Continue reading

Mininet flow analytics with custom scripts

sudo mn --custom sflow-rt/extras/sflow.py --link tc,bw=10 \
--topo tree,depth=2,fanout=2

sudo env ONOS=10.0.0.73 mn --custom sr.py,sflow-rt/extras/sflow.py \
--link tc,bw=10 --topo=sr '--controller=remote,ip=$ONOS,port=6653'

#!/usr/bin/python                                                                            
                                                                                             
from mininet.topo import Topo
from mininet.net import Mininet
from mininet.util import dumpNodeConnections
from mininet.log import setLogLevel

class SingleSwitchTopo(Topo):
    "Single switch connected to n hosts."
    def build(self, n=2):
        switch = self.addSwitch('s1')
        # Python's range(N) generates 0..N-1
        for h in range(n):
            host = self.addHost('h%s' % (h + 1))
            self.addLink(host, switch)

def simpleTest():
    "Create and test a simple network"
    topo = SingleSwitchTopo(n=4)
    net = Mininet(topo)
    net.start()
    print "Dumping host connections"
    dumpNodeConnections(net.hosts)
    print "Testing bandwidth between h1 and h4"
    h1, h4 = net.get( 'h1', 'h4' )
    net.iperf( (h1, h4) )
    net.stop()

if __name__ == '__main__':
    #  Continue reading

T-Mobile/Sprint Merger Hits State AG Hurdles

Does Riverbed’s Deal With Versa Signal a New SD-WAN Future?

VMware eyes Avi Networks for data-center software

VMware punched up its data-center network virtualization capabilities by announcing it would buy Avi Networks load balancing, analytics and application-delivery technology for an undisclosed amount.Founded in 2012 by a group of Cisco engineers and executives, Avi offers a variety of software-defined products and services including a software-based application delivery controller (ADC) and intelligent web-application firewall.  The software already integrates with VMware vCenter and NSX, OpenStack, third party SDN controllers, as well as Amazon AWS and Google Cloud Platform, Red Hat OpenShift and container orchestration platforms such as Kubernetes and Docker.To read this article in full, please click here

VMware eyes Avi Networks for data-center software

VMware punched up its data-center network virtualization capabilities by announcing it would buy Avi Networks load balancing, analytics and application-delivery technology for an undisclosed amount.Founded in 2012 by a group of Cisco engineers and executives, Avi offers a variety of software-defined products and services including a software-based application delivery controller (ADC) and intelligent web-application firewall.  The software already integrates with VMware vCenter and NSX, OpenStack, third party SDN controllers, as well as Amazon AWS and Google Cloud Platform, Red Hat OpenShift and container orchestration platforms such as Kubernetes and Docker.To read this article in full, please click here

AlefEdge Launches Manhattan Project for Open Edge Ecosystem

Weekend Reads 061519

Security researchers have discovered an ongoing sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet. —Swati Khandelwal

Recursive resolvers are often overlooked when it comes to their role and importance in the Domain Name System (DNS). —Metin Açıkalın

NRE != Automated Networks, just the same as a fast car != driving fast. —David Gee

It’s easy to view iPadOS as just a fun name, another one of Apple’s catchy coinages. But in this case it’s also not just a name. —Lauren Goode

Currently, at release candidate 3, the Linux 5.2 kernel is coming soon and promises to offer quite a host of impressive new features and improvements. —Jack Wallen

We are also seeing for the first time a true multi-vendor DWDM standard emerge around 400GZR/ZR+. —Jonathan Homa

Configure Network Cards by PCI Address with Ansible Facts

In this post, you will learn advanced applications of Ansible facts to configure Linux networking. Instead of hard-coding device names, you will find out how to specify network devices by PCI addresses. This prepares your configuration to work on different Red Hat Enterprise Linux releases with different network naming schemes.

Red Hat Enterprise Linux System Roles

The RHEL System Roles provide a uniform configuration interface across multiple RHEL releases. However, the names of network devices in modern Linux distributions can often not be stable for various releases. In the past, the kernel named the devices after their order of appearance. The first device got the name eth0, the next eth1, and so on.

To make the device names more reliable, developers introduced other methods. This interferes with creating a release-independent network configuration based on interface names. An initial solution to this problem is to address network cards by MAC address. But this will require an up-to-date inventory with MAC addresses of all network cards. Also, it requires updating the inventory after replacing broken hardware. This results in extra work. To avoid this effort, it would be great to be able to specify network cards by their PCI address. Continue reading

Report: Mirai tries to wrap its tentacles around SD-WAN

Mirai – the software that has hijacked hundreds of thousands of internet-connected devices to launch massive DDoS attacks – now goes beyond recruiting just IoT products; it also includes code that seeks to exploit a vulnerability in corporate SD-WAN gear.That specific equipment – VMware’s SDX line of SD-WAN appliances – now has an updated software version that fixes the vulnerability, but by targeting it Mirai’s authors show that they now look beyond enlisting security cameras and set-top boxes and seek out any vulnerable connected devices, including enterprise networking gear. More about SD-WANTo read this article in full, please click here(Insider Story)

Report: Mirai tries to wrap its tentacles around SD-WAN

Mirai – the software that has hijacked hundreds of thousands of internet-connected devices to launch massive DDoS attacks – now goes beyond recruiting just IoT products; it also includes code that seeks to exploit a vulnerability in corporate SD-WAN gear.To read this article in full, please click here(Insider Story)