Archive

Category Archives for "Networking"

Catalyst SD-WAN Enhanced Application Aware Routing

Traditionally, Cisco has leveraged BFD to monitor tunnels and their performance and Application Aware Routing (AAR) to reroute traffic. BFD has been used to measure:

  • Latency.
  • Loss.
  • Jitter.

Additionally, BFD is also used to verify liveliness of the tunnels. This works well, but there are some drawbacks to using a separate protocol for measuring performance:

  • You are adding control plane packets competing for bandwidth with packets in data plane.
  • Sending control plane packets frequently may overload the control plane.
    • This may lead to false positives.
  • It’s not guaranteed that control plane packets and data plane packets are treated equally.
  • AAR did take some time to react to poor transports as it had to collect enough measurements before reacting.
  • AAR didn’t have a built-in dampening mechanism.

With the default BFD settings, BFD packets are sent every second. The default AAR configuration consists of six buckets that hold 10 minutes of data each. This means that with the default settings, AAR will react in 10-60 minutes depending on how poorly the transport is performing. The most aggressive AAR configuration recommended by Cisco was to have 5 buckets holding 2 minutes of data each. AAR would then react in 2-10 minutes which I Continue reading

Boat build phase – Part1

Now I had a design and a half empty shell it was time to get work. The biggest problem with working on a boat is space, you are forever moving things and constantly tidying up. All the materials had to be orderd to arrive just in time for when they were needed as there is no space on the boat to store them. The remoteness of the marina and not having a car didn’t help, I wasted a lot of hours getting local buses to go hire a van or waiting on deliveries.

VPP on FreeBSD – Part 2

About this series

FreeBSD

Ever since I first saw VPP - the Vector Packet Processor - I have been deeply impressed with its performance and versatility. For those of us who have used Cisco IOS/XR devices, like the classic ASR (aggregation services router), VPP will look and feel quite familiar as many of the approaches are shared between the two. Over the years, folks have asked me regularly “What about BSD?” and to my surprise, late last year I read an announcement from the FreeBSD Foundation [ref] as they looked back over 2023 and forward to 2024:

Porting the Vector Packet Processor to FreeBSD

Vector Packet Processing (VPP) is an open-source, high-performance user space networking stack that provides fast packet processing suitable for software-defined networking and network function virtualization applications. VPP aims to optimize packet processing through vectorized operations and parallelism, making it well-suited for high-speed networking applications. In November of this year, the Foundation began a contract with Tom Jones, a FreeBSD developer specializing in network performance, to port VPP to FreeBSD. Under the contract, Tom will also allocate time for other tasks such as testing FreeBSD on common virtualization platforms to improve the desktop experience, improving Continue reading

Keeping the Pipe Just Full

In this post, I will be discussing a paper published by the Internet pioneer Leonard Kleinrock, titled “Keep the Pipe Just Full, But No Fuller”. The paper’s conclusion is that it is best to keep the internet “pipe” full, without overloading it. This idea is a take on Einstein’s famous quote, “Make everything as simple as possible, but not simpler.”

Introduction

It’s not always true that using the network to its fullest capacity will lead to better performance. When the network is overloaded, congestion and queueing delays can occur, which can affect the rate at which useful data is delivered and the time it takes for data to be delivered. This means there is a tradeoff between goodput and latency. To avoid network issues, congestion management is important. TCP regulates data flow from source to destination by sending packets while monitoring the delivery rate and response time to manage congestion. The challenge is to regulate traffic flow, as both underutilizing and overloading the capacity can waste resources and cause congestion.

For many years, TCP congestion control algorithms have relied on loss as a measure of congestion. However, loss causes sawtooth behaviors as flow expands until packets are dropped, then Continue reading

Hedge 213: Batfish with Ratul Mahajan

Network configuration analysis has always been the domain of commercial-grade software. Batfish changes all that with an open source, community-supported tool that can find errors and guarantees the correctness of planned or current network configurations. Ratul Mahajan joins Tom Ammon and Russ White to talk about this new tool, its capabilities, and the importance of network configuration analysis.
 

 
download
 
You can find out more about Batfish at the project home page, and in this paper by Ratul.

Monitoring machine learning models for bot detection

Cloudflare’s Bot Management is used by organizations around the world to proactively detect and mitigate automated bot traffic. To do this, Cloudflare leverages machine learning models that help predict whether a particular HTTP request is coming from a bot or not, and further distinguishes between benign and malicious bots. Cloudflare serves over 55 million HTTP requests per second — so our machine learning models need to run at Cloudflare scale.

We are constantly making improvements to the models that power Bot Management to ensure they are incorporating the latest threat intelligence. This process of iteration is an important part of ensuring our customers stay a step ahead of malicious actors, and it requires a rigorous process for experimentation, deployment, and ongoing observation.

We recently shared an introduction to Cloudflare’s approach to MLOps, which provides a holistic overview of model training and deployment processes at Cloudflare. In this post, we will dig deeper into monitoring, and how we continuously evaluate the models that power Bot Management.

Why monitoring matters

Before bot detection models are released, we undergo an extensive model testing/validation process to ensure our detections perform as expected. Model performance is validated across a wide number of web traffic Continue reading

KU048: Platforms in the Clouds

What are we talking about when we are all talking about private clouds? On-prem? Hybrid? Virtualization? Where does hardware fit into it all– and would younger engineers even know what to do with a physical piece of hardware? Driven by Broadcom’s acquisition of VMare and the anticipated rising costs of VMare licenses, enterprises are exploring... Read more »

Safeguarding your brand identity: Logo Matching for Brand Protection

In an era dominated by digital landscapes, protecting your brand’s identity has become more challenging than ever. Malicious actors regularly build lookalike websites, complete with official logos and spoofed domains, to try to dupe customers and employees. These kinds of phishing attacks can damage your reputation, erode customer trust, or even result in data breaches.

In March 2023 we introduced Cloudflare’s Brand and Phishing Protection suite, beginning with Brand Domain Name Alerts. This tool recognizes so-called “confusable” domains (which can be nearly indistinguishable from their authentic counterparts) by sifting through the trillions of DNS requests passing through Cloudflare’s DNS resolver, 1.1.1.1. This helps brands and organizations stay ahead of malicious actors by spotting suspicious domains as soon as they appear in the wild.

Today we are excited to expand our Brand Protection toolkit with the addition of Logo Matching. Logo Matching is a powerful tool that allows brands to detect unauthorized logo usage: if Cloudflare detects your logo on an unauthorized site, you receive an immediate notification.

The new Logo Matching feature is a direct result of a frequent request from our users. Phishing websites often use official brand logos as part of their facade. In Continue reading

Traefik Proxy v3 Adds WebAssembly and Kubernetes Gateway API Support

A leading open source reverse proxy and load balancer, Emile Vauge, Traefik’s creator, said previously in The New Stack, “Traditional reverse proxies were not well-suited for these dynamic environments.” Now, the Traefik Labs, the project’s parent company, introduced the first Release Candidate of Traefik Proxy v3. This new version now supports WebAssembly (Wasm), OpenTelemetry, and Kubernetes Gateway API. A Game-Changer for WebAssembly? WebAssembly support inclusion may prove a game-changer. Besides offering high-performance, language-agnostic capabilities for serverless and containerized applications, Traefik’s support provides Wasm with a larger potential market. “This is a major step towards a low friction extensibility story for Traefik as it brings broader plugins into its growing ecosystem while providing a great developer experience. with plugins that can be written in different languages and compiled directly into Wasm,” said Open Worldwide Application Security Project (OWASP) OpenTelemetry protocol (OTLP), will provide users with improved visibility into their applications. Since the Prometheus and Jesse Haka, a cloud architect at

D2C233: Pinning Down Private Clouds

What are we talking about when we are all talking about private clouds? On-prem? Hybrid? Virtualization? Where does hardware fit into it all– and would younger engineers even know what to do with a physical piece of hardware? Driven by Broadcom’s acquisition of VMare and the anticipated rising costs of VMare licenses, enterprises are exploring... Read more »

Welcome to Network Automation Nerds

Hi, I’m Eric Chou, and welcome to the Network Automation Nerds podcast, the newest addition to the Packet Pushers family. This is your audio destination for network engineers and infrastructure professionals who are on a mission to build stronger, more resilient systems through the art of network automation. Join us as we connect with a... Read more »

Shaping the future: Cloudflare’s service partner strategy

Introduction and partner landscape

Cloudflare’s global network spans over 310 cities in more than 120 countries, and interconnects with 13,000 networks globally, including major ISPs, cloud services, and enterprises. This network serves as a globally distributed foundation from which Cloudflare offers a broad product portfolio spanning everything from core Internet services like security, performance, and reliability — to web development, AI, corporate access management, creative products, and more.

The diversity of our products is reflected in our millions of customers, who span a dizzying array of industries and institutions in nearly every country around the world. This incredible diversity has meant a lot of specialisation, as Cloudflare’s adaptable product suite is fitted for each use case. Many customers are keen to have a partner to help them ensure they are getting everything they can out of Cloudflare. And they’d like to do it in the language of their choice, with partners who are familiar with the industries and regions they operate in.

This is why Cloudflare has for many years invested in our Partner Services programs, and has made a concerted effort to scout and partner with the world’s leading service providers who can deliver Cloudflare solutions to the Continue reading

BGP Labs: Session Templates

Configuring an IBGP session on a route reflector takes a half-dozen parameters, starting with the remote BGP AS number (equal to the local one), remote IP address, and the source IP address or interface. You might have to specify the propagation of BGP communities and an MD5 password, and you will definitely have to specify that the BGP neighbor is a route reflector client.

Wouldn’t it be nice if you could group those parameters into a template and apply the template to a neighbor? Most BGP implementations have something along those lines. That feature could be called a session template or a peer group, and you can practice it in the next BGP lab exercise.