RPKI ASPA: a complement to RPKI/ROA that tackles BGP route hijacks through AS path manipulation. Why does BGP remain vulnerable? BGP was designed in an environment of mutual trust. Every…
The post RPKI ASPA: using the AS-PATH to secure BGP inter-domain routing appeared first on AboutNetworks.net.
Every time we restarted Atlantis, the tool we use to plan and apply Terraform changes, we’d be stuck for 30 minutes waiting for it to come back up. No plans, no applies, no infrastructure changes for any repository managed by Atlantis. With roughly 100 restarts a month for credential rotations and unboarding, that added up to over 50 hours of blocked engineering time every month, and paged the on-call engineer every time.
This was ultimately caused by a safe default in Kubernetes that had silently become a bottleneck as the persistent volume used by Atlantis grew to millions of files. Here’s how we tracked it down and fixed it with a one-line change.
We manage dozens of Terraform projects with GitLab merge requests (MRs) using Atlantis, which handles planning and applying. It enforces locking to ensure that only one MR can modify a project at a time.
It runs on Kubernetes as a singleton StatefulSet and relies on a Kubernetes PersistentVolume (PV) to keep track of repository state on disk. Whenever a Terraform project needs to be onboarded or offboarded, or credentials used by Terraform are updated, we have to restart Atlantis to pick Continue reading
Geoff Huston published an article supposedly describing the challenge of securing NTP, but as is usually the case, he couldn’t skip the prior art going all the way back (almost) to the formation of Earth.
Before coming to the how do we secure NTP section, you’ll learn everything about the wobbly Earth rotation, the changes in the Earth’s angular speed, the impact of tides, the smearing of leap seconds, the differences between UT1 and UTC, why we use quasars to measure time, and everything there is to know about NTP. Have fun!
Heard about Pulumi, but aren’t sure what it is? Maybe you know a little bit about Pulumi—like that it does infrastructure as code (IaC), but using general purpose programming languages—and you’re wondering where it fits in a larger automation framework? Or maybe you’re a network engineer just starting to dabble in network automation, and you’re wondering if this Pulumi thing is something you should check out. If any of these apply to you, then the latest Network Automagic podcast episode is right up your alley.
I recently had the opportunity to join Steinn Bjarnarson and Urs Baumann for an episode of Network Automagic. The focus of our discussion—although I will say we diverged a bit here and there—was on Pulumi, what it is, and whether it fits into a larger network automation framework. After all, if you can use general purpose programming languages like Python with Pulumi, why not just use Pulumi in a Python program that also does network automation stuff?
All in all, recording the podcast with Steinn and Urs was great fun, and I hope that the final product ends up being helpful for folks. There’s a variety of ways to listen in on the episode:
Last September we introduced Code Mode, the idea that agents should perform tasks not by making tool calls, but instead by writing code that calls APIs. We've shown that simply converting an MCP server into a TypeScript API can cut token usage by 81%. We demonstrated that Code Mode can also operate behind an MCP server instead of in front of it, creating the new Cloudflare MCP server that exposes the entire Cloudflare API with just two tools and under 1,000 tokens.
But if an agent (or an MCP server) is going to execute code generated on-the-fly by AI to perform tasks, that code needs to run somewhere, and that somewhere needs to be secure. You can't just eval() AI-generated code directly in your app: a malicious user could trivially prompt the AI to inject vulnerabilities.
You need a sandbox: a place to execute code that is isolated from your application and from the rest of the world, except for the specific capabilities the code is meant to access.
Sandboxing is a hot topic in the AI industry. For this task, most people are reaching for containers. Using a Linux-based container, you can start up any sort of Continue reading
The never-ending “we will replace developers” (or networking engineers) pipe dream didn’t start with the latest bout of AI hype (or SDN). As Stephan Schwab explains in his Why We’ve Tried to Replace Developers Every Decade article, it started with COBOL, the magic high-level programming language that businesspeople would use to write their own programs.
At least some of us know how well that ended. I was also unfortunate to be there for the 5GL hype, the forms-driven programming hype, the “everyone will solve every problem out there with Excel macros” (it does work for networking inventory, doesn’t it?), and a few others. So please excuse me if I remain a bit skeptical about the latest fad, even though I find it (like all the previous ones) very useful when used conservatively in limited domains.
Daftar Pustaka
Pura Segara Kidul berdiri sebagai simbol kuat hubungan manusia dan alam laut. Pura ini berkembang dari tradisi leluhur Bali. Masyarakat pesisir membangun pura sebagai bentuk penghormatan spiritual. Selain itu, pura ini terhubung erat dengan konsep Tri Hita Karana.
Pada awalnya, masyarakat memanfaatkan pura sebagai tempat memohon keselamatan. Oleh karena itu, para nelayan sering melakukan persembahyangan sebelum melaut. Seiring waktu, peran pura semakin luas. Bahkan, pura menjadi pusat kegiatan keagamaan penting. Dengan demikian, Pura Segara Kidul memiliki nilai sejarah dan spiritual tinggi.
Makna spiritual Pura Segara Kidul sangat mendalam. Pura ini melambangkan keseimbangan antara manusia dan kekuatan laut. Selain itu, pura juga mencerminkan rasa syukur terhadap anugerah alam. Karena itu, umat Hindu rutin menggelar upacara khusus.
Selanjutnya, masyarakat meyakini laut sebagai sumber kehidupan. Oleh sebab itu, pura mengajarkan sikap hormat terhadap alam. Bahkan, filosofi ini menanamkan kesadaran lingkungan. Dengan kata lain, Pura Continue reading
Daftar Pustaka
Secara ilmiah, awan merupakan agregat tetesan air dan kristal es yang tersuspensi di atmosfer. Setiap tetesan memiliki diameter antara 10 hingga 50 mikrometer, namun jumlahnya bisa mencapai jutaan per meter kubik udara. Akibatnya, bobot satu awan cumulus rata-rata mencapai satu juta ton. Meskipun demikian, awan tetap melayang karena adanya gaya buoyancy yang dihasilkan oleh udara panas dan arus konveksi. Proses ini menyeimbangkan gaya gravitasi sehingga awan mampu tetap stabil di berbagai ketinggian.
Pergerakan awan dikendalikan oleh angin atmosfer dan perbedaan tekanan. Di lapisan troposfer, angin dapat mencapai kecepatan lebih dari 200 km/jam pada ketinggian tertentu, terutama di jet stream. Awan cirrus, yang berada di ketinggian 6–12 km, bergerak lebih cepat dibanding awan rendah karena dipengaruhi oleh aliran angin kuat di lapisan atas. Selain itu, konveksi lokal dan sistem tekanan rendah juga memicu pergerakan horizontal dan vertikal awan, memengaruhi distribusi hujan serta pola cuaca regional.
Warna awan tergantung pada interaksi cahaya matahari dengan tetesan air atau kristal es. Secara ilmiah, awan putih terjadi karena Continue reading
Two years ago, Cloudflare deployed our 12th Generation server fleet, based on AMD EPYC™ Genoa-X processors with their massive 3D V-Cache. That cache-heavy architecture was a perfect match for our request handling layer, FL1 at the time. But as we evaluated next-generation hardware, we faced a dilemma — the CPUs offering the biggest throughput gains came with a significant cache reduction. Our legacy software stack wasn't optimized for this, and the potential throughput benefits were being capped by increasing latency.
This blog describes how the FL2 transition, our Rust-based rewrite of Cloudflare's core request handling layer, allowed us to prove Gen 13's full potential and unlock performance gains that would have been impossible on our previous stack. FL2 removes the dependency on the larger cache, allowing for performance to scale with cores while maintaining our SLAs. Today, we are proud to announce the launch of Cloudflare's Gen 13 based on AMD EPYC™ 5th Gen Turin-based servers running FL2, effectively capturing and scaling performance at the edge.
AMD's EPYC™ 5th Generation Turin-based processors deliver more than just a core count increase. The architecture delivers improvements across multiple dimensions of what Cloudflare Continue reading
A few months ago, Cloudflare announced the transition to FL2, our Rust-based rewrite of Cloudflare's core request handling layer. This transition accelerates our ability to help build a better Internet for everyone. With the migration in the software stack, Cloudflare has refreshed our server hardware design with improved hardware capabilities and better efficiency to serve the evolving demands of our network and software stack. Gen 13 is designed with 192-core AMD EPYC™ Turin 9965 processor, 768 GB of DDR5-6400 memory, 24 TB of PCIe 5.0 NVMe storage, and dual 100 GbE port network interface card.
Gen 13 delivers:
Up to 2x throughput compared to Gen 12 while staying within latency SLA
Up to 50% improvement in performance / watt efficiency, reducing data center expansion costs
Up to 60% higher throughput per rack keeping rack power budget constant
2x memory capacity, 1.5x storage capacity, 4x network bandwidth
Introduced PCIe encryption hardware support in addition to memory encryption
Improved support for thermally demanding powerful drop-in PCIe accelerators
This blog post covers the engineering rationale behind each major component selection: what we evaluated, what we chose, and why.
Generation | Gen 13 Compute | Previous Gen 12 Compute |
Form Factor | 2U1N, Single Continue reading |
The Internet routing security story of the past decade has largely been about fixing route origins. RPKI Route Origin Validation (ROV) gave operators a cryptographic way to verify that the AS announcing a prefix was actually authorized to do so. That work has now reached majority coverage, with over half of all IPv4 and IPv6 routes now protected by Route Origin Authorizations (ROAs).
But origin validation only tells you where a route claims to start. It says nothing about the path it took to get to you. A route can have a perfectly valid origin and still arrive via a completely illegitimate chain of ASes, through a misconfigured transit network, a malicious route leak, or a manipulated AS_PATH. This gap is exactly what ASPA (Autonomous System Provider Authorization) is designed to close.
ASPA has moved from theory into early operational deployment, even though the core ASPA profile and verification work remain in IETF draft form as of March 2026. ARIN and RIPE NCC both support ASPA object creation in production. Major networks have begun deploying ASPA validation globally. Router implementations exist in BIRD and OpenBGPD. This article is intended to explain what ASPA is, how it works technically, what it Continue reading
I work on a laptop that loves to power down when not used (the right thing to do), which often breaks the SSH session to my netlab server (not so good).
Reconnecting is trivial. Figuring out which lab I was working on and where it lives on the disk after a few hours? That’s the annoying part.
We solved most of that ages ago with the netlab status --all command. It shows all running labs1 and their directories, so you can quickly jump back to where you were. However, even that gets tedious the 100th time you have to do it.
SAN JOSE, Calif., March 23, 2026 — Tigera, the creator and maintainer of Project Calico, today announced a major expansion of its Unified Network Security Platform for Kubernetes, aimed at helping enterprises consolidate infrastructure and accelerate the migration of legacy workloads to cloud-native platforms.
The new capabilities include:
These innovations help organizations tackle the rising “complexity tax” in managing high-scale Kubernetes clusters and provide a high-velocity path to consolidate virtual machines and containers into a single, standardized platform.
“The industry is at a breaking point where the operational overhead of managing legacy hardware and fragmented VM silos is no longer sustainable. By building a distributed load balancer into the fabric of Calico, launching an Al assistant that ‘troubleshoots at the speed of thought,’ Continue reading
Co-authors
Abhishek Rao | Tigera
Ka Kit Wong, Charles Lee, & Christian Rauber | Broadcom
VMware vSphere Kubernetes Service (VKS) is the CNCF-certified Kubernetes runtime built directly into VMware Cloud Foundation (VCF), which delivers a single platform for both virtual machines and containers. VKS enables platform engineers to deploy, manage, and scale Kubernetes clusters while leveraging a comprehensive set of cloud services. And with VKS v3.6, that foundation just got significantly more powerful: VKS now natively supports Calico Enterprise — part of the Calico Unified Platform — as a validated, lifecycle-managed networking add-on through the new VKS Addon Framework. This integration is a key milestone in VMware’s expanded partnerships across the Kubernetes ecosystem, ensuring customers have access to best-in-class networking and security tools.
Even better, VKS natively integrates Calico Open Source by Tigera as a supported, out-of-the-box Container Network Interface (CNI). This gives organizations a powerful open source baseline right from day one:
For anyone who has managed a data center fiber plant over the past decade, the arrival of 400 Gigabit Ethernet came with a painful side effect: singlemode fiber. If your…
The post 400G Over Multimode Fiber: BiDi Changes the Game appeared first on AboutNetworks.net.
I often need a quick calculation or a unit conversion. Rather than reaching for
a separate tool, a few lines of Zsh configuration turn = into a calculator.
Typing = 660km / (2/3)c * 2 -> ms gives me 6.60457 ms1 without
leaving my terminal, thanks to the Zsh line editor.
The main idea looks simple: define = as an alias to a calculator command. I
prefer Numbat, a scientific calculator that supports unit conversions.
Qalculate is a close second.2 If neither is available, we fall back to
Zsh’s built-in zcalc module.
As the alias built-in uses = as a separator for name and value, we need to
alter the aliases associative array:
if (( $+commands[numbat] )); then aliases[=]='numbat -e' elif (( $+commands[qalc] )); then aliases[=]='qalc' else autoload -Uz zcalc aliases[=]='zcalc -f -e' fi
With this in place, = 847/11 becomes numbat -e 847/11.
The first problem surfaces quickly. Typing = 5 * 3 fails: Zsh expands the *
character as a glob Continue reading