RPKI and BGP: our path to securing Internet Routing
This article will talk about our approach to network security using technologies like RPKI to sign Internet routes and protect our users and customers from route hijacks and misconfigurations. We are proud to announce we have started deploying active filtering by using RPKI for routing decisions and signing our routes.
Back in April, articles including our blog post on BGP and route-leaks were reported in the news, highlighting how IP addresses can be redirected maliciously or by mistake. While enormous, the underlying routing infrastructure, the bedrock of the Internet, has remained mostly unsecured.
At Cloudflare, we decided to secure our part of the Internet by protecting our customers and everyone using our services including our recursive resolver 1.1.1.1.
From BGP to RPKI, how do we Internet ?
A prefix is a range of IP addresses, for instance, 10.0.0.0/24, whose first address is 10.0.0.0 and the last one is 10.0.0.255. A computer or a server usually have one. A router creates a list of reachable prefixes called a routing table and uses this routing table to transport packets from a source to a destination.
On the Internet, network Continue reading
RPKI – The required cryptographic upgrade to BGP routing
We have talked about the BGP Internet routing protocol before. We have talked about how we build a more resilient network and how we can see outages at a country-level via BGP. We have even talked about the network community that is vital to the operation of the global Internet.
Today we need to talk about why existing operational practices for BGP routing and filtering have to significantly improve in order to finally stop route leaks and hijacks; which are sadly pervasive in today’s Internet routing world. In fact, the subtle art of running a BGP network and the various tools (both online and within your a networks subsystems) that are vital to making the Internet routing world a safe and reliable place to operate need to improve.
Internet routing and BGP and security along with its operational expertise must improve globally.
Nothing specific triggered today’s writing except the fact that Cloudflare has decided that it's high-time we took a leadership role to finally secure BGP routing. We believe that each and every network needs to change its mindset towards BGP security both on a day-by-day and a long-term basis.
It's time to stop Continue reading
Better Together: Net Managers are Partnering with the Security Team
Network managers need to be open to an expanded partnership with the security group. A new EMA report finds such collaboration is already underway in many organizations.
Infrastructure-as-Code, NETCONF and REST API
This is the third blog post in “thinking out loud while preparing Network Infrastructure as Code presentation for the network automation course” series. You might want to start with Network-Infrastructure-as-Code Is Nothing New and Adjusting System State blog posts.
As I described in the previous blog post, the hardest problem any infrastructure-as-code (IaC) tool must solve is “how to adjust current system state to desired state described in state definition file(s)”… preferably without restarting or rebuilding the system.
There are two approaches to adjusting system state:
Read more ...VMware NSX-T Data Center in Evaluation for Common Criteria EAL4+ Certification
VMware NSX-T Data Center 2.x is now under evaluation for Common Criteria certification at Evaluation Assurance Level 4+ with BSI, Germany’s Federal Office for Information Security. Common Criteria is an internationally recognized standard (ISO-15408) that defines, validates, and assures security features and capabilities of IT security products. To see the evaluation status for VMware NSX-T 2.x, visit the German BSI certification website and reference certificate # BSI-DSZ-CC-1099.
VMware NSX-T was introduced to help organizations meet the stringent security demands of containerized workloads, multi-hypervisor, and multi-cloud. And this latest milestone for NSX-T 2.x reinforces VMware’s continuing commitment to deliver secure software to our customers. During the Common Criteria certification process, VMware NSX-T will undergo a thorough and rigorous evaluation methodology, with testing performed by a commercial Common Criteria Evaluation Facility under the oversight of the Certification Body. The Common Criteria certification acts as a seal of assurance for the federal government, its agencies, contractors and other organizations and assures that the product complies with strict security requirements specified within the designated level.
Within the VMware NSX portfolio, we have a long history of investing in certification efforts. For example, VMware NSX Data Center for vSphere 6.x also Continue reading
Kernel of Truth episode 7: data center networking in APAC and EMEA
Subscribe to Kernel of Truth on iTunes, Google Play, Spotify, Cast Box and Sticher!
Click here for our previous episode.
We wanted to give this podcast a bit of international flair, so we invited some overseas guests into the recording booth. I’m joined by Attilla de Groot (Sales Engineer for EMEA) and Sutharsan Sivapalan (Sales Engineer for APAC), who filled me in on the networking customers, trends and challenges that are cropping up in their respective regions. There are definitely differences between these two ends of the world, but you’d be surprised how much these regions have in common despite the distance.
Tweet any questions, feedback or topics you want us to discuss at @cumulusnetworks and use the hashtag #KernelOfTruth — let us know if you like what you’re hearing!
Guest bios
Sutharsan Sivapalan: CCIE #40322 (Data Center), is a Senior Systems Engineer covering the US West and Asia-Pacific regions for Cumulus Networks. Prior to joining Cumulus, Sutharsan spent 6 years at Cisco designing and troubleshooting some of the most complex networks in the world, as a member of their Technical Services organisation. In that role, he supported the entire Data Centre portfolio, including UCS, the Nexus Continue reading
Intel’s Growing Chip Portfolio Stretches From Cloud to Edge
Intel may be best known for its x86 server chips, but its growing silicon portfolio targets cloud and edge applications, as well as 5G.
ARM Supports Chip Makers in Servers, IoT, and 5G
Instead of manufacturing chips, ARM provides its instruction set architecture to its customers — such as Qualcomm, Broadcom, NXP, and Marvell — and those companies manufacture the chips.
Linkerd 2.0 Update Moves Closer to Kubernetes
The service mesh's 2.0 update is focused on easing deployment for service owners compared to other platforms like Istio.
NetApp Buys StackPointCloud, Launches Kubernetes Service
“Because the developers love Stackpoint.io so much, after our testing I bought the company. It’s just that good,” said NetApp's Anthony Lye.
Cisco Enterprise Networking GM Talks About Arista’s Entrance in Campus and Branch
“I think we have an extremely strong hand when we look at competing against somebody like Arista in the campus and branch,” said Scott Harrell.
Interconnection Bandwidth Skyrockets With 5G as an ‘Amplifier,’ Equinix Says
SDN and NFV are contributing to the growth of interconnection because these technologies make it easier for customers to consume more bandwidth.
AppNeta Extends Scale of Its NPM With Support for SD-WAN, Azure, DNS
The performance monitoring company offers a single SaaS-based monitoring platform that monitors and manages application delivery, experience, and usage.
Monolithic Data Center Interconnect Is Not Always the Best Bet
Monolithic compact DCI boxes are like a race car. But why buy a high-performance race car when all you really need is a flexible, rock-solid daily driver?