Sunset of VXLAN. Really?
A lightning talk at the recent RIPE77 conference focused on shortcomings of VXLAN and rise of Geneve.
So what are those perceived shortcomings?
No protocol identifier – a single VXLAN VNI cannot carry more than one payload type. Let me point out that MPLS has the same shortcoming, as does IPsec.
Read more ...Troubleshooting NGINX Ingress Rewrites in Kubernetes
When deploying an application to Kubernetes, you almost certainly will want to create a Service to represent that application. Rather than relying on direct connectivity to Pods, which may be ephemeral, Services by contrast are long-living resources that sit on top of one or more Pods. They are also the bare minimum for allowing those pods to communicate outside the cluster. While Services are a nice abstraction so we don’t have to worry about individual Pods, they are also fairly dumb.What is Network Observability?
If you have ambitions to improve reliability through experimention you MUST have observability. You cannot know if you’re getting better without thi. https://twitter.com/tammybutow/status/1067135822204329984 If you don’t set the SLOs for your network, someone else will, and you probably won’t like it. Basically, if we don’t go up the stack and quantify success using application-specific metrics, someone else will do it for us, and we’ll be left out of the loop.Troubleshooting NGINX Ingress Rewrites in Kubernetes
When deploying an application to Kubernetes, you almost certainly will want to create a Service to represent that application. Rather than relying on direct connectivity to Pods, which may be ephemeral, Services by contrast are long-living resources that sit on top of one or more Pods. They are also the bare minimum for allowing those pods to communicate outside the cluster. While Services are a nice abstraction so we don’t have to worry about individual Pods, they are also fairly dumb.VMware’s Heptio Deal Shows the Open Source Water Is Warm and Inviting
Some expect the open source M&A wave to hit its apex next year. I say "why wait?"
IoT Offers Opportunity, But We Must Also Advocate for Privacy
Our world is evolving exceedingly fast these days. Within the last few years in what has been coined the fourth industrial revolution we have witnessed evolutionary developments. One of those fascinating advancements concerns the everyday things and devices now connected to the Internet, also known as the Internet of Things (IoT). However, while every invention brings brand new exciting opportunities, it also entails disadvantages and may result in possible adverse consequences, if the disadvantages are not taken notice of.
Certainly IoT first and foremost provides an opportunity for a more comfortable and organized life. People may enjoy the chance to not preoccupy themselves with, for instance, managing their morning routines that may include waking up at a specific time, preparing the breakfast, and so on. Nowadays when your alarm clock can be connected to the thermostat and the latter has the information about the heavy snowfall of the night, the alarm can automatically readjust itself to wake you up an hour earlier than planned so that you manage to get to work on time.
Other examples may include smart scheduling programs or fitness tracking watches. As a runner, I personally am at ease realizing that I do not have to Continue reading
Huawei Completes a 5G Deployment in China With Zhejiang Mobile
The 5G network can provide a single user peak data rate speeds of 2.7 Gb/s, which could support services such as 8K live broadcasts.
Intel Accelerates Multi-mode 5G Chip Launch
The chip design is unique in the market because it supports legacy 2G, 3G, 4G LTE, and the various 5G specifications on one module.
Linux Foundation Launches Open Source Ceph Storage Group
The Ceph project is a unified distributed storage system providing applications with object, block, and file system interfaces.
Michigan VC Firm Deploys Bigleaf SD-WAN to Its Car Dealerships
As venture capital firm DP Fox began to migrate its business-critical applications to the cloud it needed a connectivity service that could keep up with its growing portfolio.
Research: Measuring IP Liveness
Of the 4.2 billion IPv4 addresses available in the global space, how many are used—or rather, how many are “alive?” Given the increasing usage of IPv6, it might seem this is an unimportant question. Answering the question, however, resolves to another question that is actually more important: how can you determine whether or not an IP address is in use? This question might seem easy to answer: ping every address in the address space. This, however, turns out to be the wrong answer.
Scanning the Internet for Liveness. SIGCOMM Comput. Commun. Rev. 48, 2 (May 2018), 2-9. DOI: https://doi.org/10.1145/3213232.3213234
This answer is wrong because a substantial number of systems do not respond to ICMP requests. According to this paper, in fact, some 16% of the hosts they discovered that would respond to a TCP SYN, and another 2% that would respond to a UDP packet shaped to connect to a service, do not respond to ICMP requests. There are a number of possible reasons for this situation, including hosts being placed behind devices that block ICMP packets, hosts being configured not to respond to ICMP requests, or a server sitting behind a PAT or CGNAT Continue reading
About Matt
My name is Matt Oswalt, and I have a fairly eclectic background. When I was 14, I created my first program - an alien shooter on my TI-82 calculator. Since then, I’ve enjoyed building new things and showing them to anyone who will listen. This passion continues to this day, as you’ll find with projects like ToDD and NRE Labs, I just really enjoy building cool stuff. You can explore these and all my other open source projects on my GitHub profile.Stealthwatch: The “Network Detective Command Console”
Stealthwatch, to me, is like having a Network Detective working in my very own network! I truly love Stealthwatch and I am playing with every chance I can get.
Disclaimer: I do not get commissions from you buying Stealthwatch nor am I part of the Cisco Business Unit for Stealthwatch. I just really honestly and for realsies super love it.
I tossed together a ~31 minute YouTube. Obviously you can watch the entire thing. Or… here you go for the big sections.
- Overview – Start to 1:03
- My 3 Favorite GUIs and What they Have in Common – 1:04 to 2:48
- Being a Network Detective – 2:49 to 4:30
- My First Time Playing with Stealthwatch – 4:31 to 5:44
- Knowledge is Key – 5:45 to 5:59
- Securing the Network has Changed – 6:00 to 6:32
- They Are Inside the Network – 6:33 to 7:41
- The Attack Surface We Need to Protect Is Expanding – 7:42 to 13:28
- Industry Averages: 191 days to detect a Breach, 66 days to contain a breach, $3.62M cost of a data breach – 13:29 to 15:52
- Network Breached – 15:53 to 17:08 (blooper at 16:08 in)
- Example: Continue reading
The Week in Internet News: China Wants Fairer Internet, More Control
China wants fairness: Chinese President Xi Jinping called for international cooperation to make the Internet more “fair and equitable,” while also asserting the Chinese government’s authority to shape it, Reuters reports. Xi has pushed for his country’s “cyber sovereignty” while promoting “core socialist values” online. Chinese officials also promoted the idea that each country should choose its own Internet “governance model,” The Star says.
Drones for broadband: A U.K. company has begun using drones to build fiber broadband networks in remote areas, reports Computer Weekly. Openreach is using drones to lay fiber in remote areas of the Scottish Highlands, where river gorges have previously presented a challenge.
Encrypted chat busted: Dutch police have found a way to infiltrate IronChat, an encrypted chat service running on proprietary hardware, Gizmodo says. The police were able to read 258,000 messages on the service, which costs about US$1,700 for a six-month subscription. News reports suggest the encryption wasn’t as strong as the vendor may have claimed.
Saving the Web: World Wide Web creator Tim Berners-Lee has been pushing a new Contract for the Web, in hopes of defining the responsibilities that governments, companies and citizens each have on the Web. Shortlist.com examines Continue reading
The rise of multivector DDoS attacks
It's been a while since we last wrote about Layer 3/4 DDoS attacks on this blog. This is a good news - we've been quietly handling the daily onslaught of DDoS attacks. Since our last write-up, a handful of interesting L3/4 attacks have happened. Let's review them.
Gigantic SYN
In April, John tweeted about a gigantic 942Gbps SYN flood:
It was a notable event for a couple of reasons.
First, it was really large. Previously, we've seen only amplification / reflection attacks at terabit scale. In those cases, the attacker doesn't actually have too much capacity. They need to bounce the traffic off other servers to generate a substantial load. This is different from typical "direct" style attacks, like SYN floods. In the SYN flood mentioned by John, all 942Gbps were coming directly from attacker-controlled machines.
Secondly, this attack was truly distributed. Normal SYN floods come from a small number of geographical locations. This one, was all over the globe, hitting all Cloudflare data centers:
Thirdly, the attack seem to be partially spoofed. While our analysis was not conclusive, we saw random, spoofed source IP addresses in the largest internet exchanges. The above Hilbert curve shows the source IP Continue reading
Vulnerabilities in our Infrastructure: 5 Ways to Mitigate the Risk
By teaming up to address key technical and organizational issues, information and operational security teams can improve the resiliency and safety of their infrastructure systems.
How Network Automation Increases Security
This blog post was initially sent to subscribers of my SDN and Network Automation mailing list. Subscribe here.
After publishing the Manual Work Is a Bug blog post, I got this feedback from Michele Chubirka explaining why automating changes in your network also increases network security:
Read more ...