Notes from NANOG 89: Trust and Network Infrastructure
Trust is such a difficult concept in any context, and certainly computer networks are no exception. How can you be assured that your network infrastructure us running on authentic platforms, both hardware and software, and its operation has not been compromised in any way?Accelerate AWS Access with Arista
AWS Cloud WAN Tunnel-less Connect and Arista CloudEOS integrate to accelerate cloud onramp
As cloud and multicloud adoption continue to evolve, public cloud providers like AWS continue to introduce more and more tools for enterprise IT to choose from. For example, customers can deploy a virtual router in a Transit VPC and BGP peer with AWS Cloud WAN to interconnect on-premises networks and AWS VPCs. However, GRE or IPsec tunnels are often required for the BGP peering, adding up the network complexity and increasing operational costs.
7 Strategic Network Automation Steps to Continuously Improve Network Security
Network automation can be strategically used to not only automate network operations tasks and save time, but also continuously improve the security posture of the network.Cache Rules go GA: precision control over every part of your cache
One year ago we introduced Cache Rules, a new way to customize cache settings on Cloudflare. Cache Rules provide greater flexibility for how users cache content, offering precise controls, a user-friendly API, and seamless Terraform integrations. Since it was released in late September 2022, over 100,000 websites have used Cache Rules to fine-tune their cache settings.
Today, we're thrilled to announce that Cache Rules, along with several other Rules products, are generally available (GA). But that’s not all — we're also introducing new configuration options for Cache Rules that provide even more options to customize how you cache on Cloudflare. These include functionality to define what resources are eligible for Cache Reserve, what timeout values should be respected when receiving data from your origin server, which custom ports we should use when we cache content, and whether we should bypass Cloudflare’s cache in the absence of a cache-control header.
Cache Rules give users full control and the ability to tailor their content delivery strategy for almost any use case, without needing to write code. As Cache Rules go GA, we are incredibly excited to see how fast customers can achieve their perfect cache strategy.
History of Customizing Cache Continue reading
netlab 1.6.4: Support for Multi-Lab Projects; More BGP Goodies
Features in netlab release 1.6.4 were driven primarily by the needs of my BGP labs project:
- bgp.session plugin (formerly known as ebgp.utils plugin) got support for BFD, passive BGP peers and remove-private-as option.
- bgp.policy plugin implements basic BGP routing policy tools, including per-neighbor weights, local preference and MED.
- You can enable external tools in user defaults and use default groups to create user- or project-wide groups in the defaults files.
- Version-specific lab topology files allow netlab to select a lab topology that is a best fit for the netlab release you’re running.
Numerous platforms already support the new BGP nerd knobs:
netlab 1.6.4: Support for Multi-Lab Projects; More BGP Goodies
Features in netlab release 1.6.4 were driven primarily by the needs of my BGP labs project:
- bgp.session plugin (formerly known as ebgp.utils plugin) got support for BFD, passive BGP peers and remove-private-as option.
- bgp.policy plugin implements basic BGP routing policy tools, including per-neighbor weights, local preference and MED.
- You can enable external tools in user defaults and use default groups to create user- or project-wide groups in the defaults files.
- Version-specific lab topology files allow netlab to select a lab topology that is a best fit for the netlab release you’re running.
Numerous platforms already support the new BGP nerd knobs:
Setting up secure wifi
If you don’t set a password on your wifi, then not only can anyone connect, but it’s not even encrypted. This means that even when an open network gives you a captive portal, that could actually be an attacker giving you a fake portal. Even if the portal is HTTPS, because you may be connected to https://evil-fake-portal.com.
That is solved in WPA3, where even open networks become encrypted.
Of course, the attacker can just set up a fake access point, and you’ll connect, none the wiser. Even if the network has a password, the attacker only needs to know that password in order to fake it.
Before WPA3, passwords can easily be brute forced offline. A few years ago I calculated that it would cost about $70 to crack the default generated 8 character random passwords used by a popular ISP here in London, using some GPUs in Google Cloud. I’m sure it’s cheaper now.
That’s potentially years of free use of your neighbours wifi, for just the cost of a couple of months of paying for your own.
But that’s illegal, of course. This post is about protecting you against these attacks, not performing them.
If you Continue reading
Tech Bytes: Addressing New Service Provider Routing Applications With Nokia’s FPcx Silicon (Sponsored)
Today's Tech Bytes podcast explores custom silicon with sponsor Nokia. Nokia has recently launched its new FPcx chip for Nokia routers. We’ll talk about the features and capabilities in the new silicon, and the value to service providers and enterprises that custom silicon can bring.
The post Tech Bytes: Addressing New Service Provider Routing Applications With Nokia’s FPcx Silicon (Sponsored) appeared first on Packet Pushers.