0

From Classroom to Community 1 – Sort and Game

I am a former high school teacher with a passion for networking and programming, especially […]

The post From Classroom to Community 1 - Sort and Game first appeared on Brezular's Blog.

0

HN790: From Rule-Based to Goal-Based: Rethinking Autonomous AI Operations (Sponsored)

On Heavy Networking today, AI operations for networking. That is, how do we delegate some amount of responsibility for network operations to artificial intelligence? Cisco is our sponsor, and our guests are Omar Sultan, Director for Product Management of Automation and AI; and Javier Antich, Chief Mad Scientist for AI (yes, that’s his title!). We talk... Read more »

0

TNO037: The Next Era of Network Management and Operations

What’s the next era of network management and operations? Total Network Operations talks to Mahesh Jethanandani, Area Director(AD) for all of Operations and Management (OPS) at IETF and Distinguished Engineer at Arrcus. Mahesh describes a workshop from December of 2024 that sought to investigate the past, present, and future of network management and operations. He... Read more »

0

Vulnerability disclosure on SSL for SaaS v1 (Managed CNAME)

Earlier this year, a group of external researchers identified and reported a vulnerability in Cloudflare’s SSL for SaaS v1 (Managed CNAME) product offering through Cloudflare’s bug bounty program. We officially deprecated SSL for SaaS v1 in 2021; however, some customers received extensions for extenuating circumstances that prevented them from migrating to SSL for SaaS v2 (Cloudflare for SaaS). We have continually worked with the remaining customers to migrate them onto Cloudflare for SaaS over the past four years and have successfully migrated the vast majority of these customers. For most of our customers, there is no action required; for the very small number of SaaS v1 customers, we will be actively working to help migrate you to SSL for SaaS v2 (Cloudflare for SaaS).

Back in 2017, Cloudflare announced SSL for SaaS, a product that allows SaaS providers to extend the benefits of Cloudflare security and performance to their end customers. Using a “Managed CNAME” configuration, providers could bring their customer’s domain onto Cloudflare. In the first version of SSL for SaaS (v1), the traffic for Custom Hostnames is proxied to the origin based on the IP addresses assigned to the Continue reading

0

IPB180: IPv6 Basics – Deployment

We’re continuing our IPv6 Basics series discussing on this episode deployment.  We’ll help you sort out why you should deploy IPv6, things to consider before starting a deployment, and what approach you should take such as “inside out” vs. “outside in” and when you should deploy IPv6. Lastly we explain why you should seek out... Read more »

0

N4N035: Well Actually . . . Listener Comments and Corrections

We ask listeners for follow up and you’ve sent it in. On today’s show we respond to listener comments and corrections on tunneling, the link aggregation control protocol, link aggregation in general, and DHCP options. We also talk about the network engineering certification journey. If you’ve got a “Well, actually” or any other follow up,... Read more »

0

IEPG at IETF 123

he IEPG meeting is held each Sunday at the start of the IETF week. There is no particular theme for these sessions, although subjects of operational relevance are encouraged (www.iepg.org). These are my impressions of the presentations that were made at this IEPG meeting att the start of IETF 123.

0

D2DO278: The Future of HashiCorp Inside IBM

On today’s show, we talk to Armon Dadgar, co-founder and CTO of HashiCorp regarding HashiCorp’s future within IBM. We start with a quick recap of IBM’s acquisition of HashiCorp and then move on to the challenges of bringing a small, young tech company into a huge corporation that makes lots of its revenue on legacy... Read more »

0

Top 5 Kubernetes Network Issues You Can Catch Early with Calico Whisker

Kubernetes networking is deceptively simple on the surface, until it breaks, silently leaks data, or opens the door to a full-cluster compromise. As modern workloads become more distributed and ephemeral, traditional logging and metrics just can’t keep up with the complexity of cloud-native traffic flows.

That’s where Calico Whisker comes in. Whisker is a lightweight Kubernetes-native observability tool created by Tigera. It offers deep insights into real-time traffic flow patterns, without requiring you to deploy heavyweight service meshes or packet sniffer. And here’s something you won’t get anywhere else: Whisker is data plane-agnostic. Whether you run Calico eBPF data plane, nftables, or iptables, you’ll get the same high-fidelity flow logs with consistent fields, format, and visibility. You don’t have to change your data plane, Whisker fits right in and shows you the truth, everywhere.

Let’s walk through 5 network issues Whisker helps you catch early, before they turn into outages or security incidents.

1. Policy Misconfigurations

Traditional observability tools often show whether a packet was forwarded, accepted or dropped, but not why. They lack visibility into which Kubernetes network policy was responsible or if one was even applied.

With Whisker, each network flow is paired with:

• The enforced policy name Continue reading

0

PP072: Mobile Device Threat Management

Mobile devices blur the boundaries between personal and work devices and are packed with sensitive information, making them popular targets for malware, spyware, and data collection. On today’s Packet Protector we dig into strategies for managing threats to mobile devices with guest Akili Akridge. Akili started his career pulling burner phones off suspects as a... Read more »

0

Mythbusting IPv6: Why Adoption Lags and What Will Change It

IPv6 was developed in the late 1990s as a successor to IPv4 to address the internet’s rapid growth and prevent IPv4 address exhaustion. The original vision was that, after a period of dual-stack operation, IPv4 would be phased out. Over 25 years later, full-scale depletion of IPv4 addresses is imminent, yet IPv6 adoption remains slow — currently only about 30% worldwide, with the same proportion of Alexa Top 1,000 websites reachable via IPv6. The timeline for a full transition remains uncertain. Understanding IP Addresses: The Internet’s Postal System Before diving into the complexities of IPv6 adoption, it’s essential to understand what these protocols actually do. Think of IP addresses as the internet’s equivalent of postal addresses — they tell data packets where to go across the vast network of interconnected computers that make up the internet. IPv4 vs. IPv6 address space: A scale comparison The scale difference is staggering.

0

HW057: Orb – A New Tool for Monitoring Internet Connectivity

Orb is an intelligent app and platform designed to help consumers understand and improve their internet connectivity. Orb continuously monitors networks to give a complete picture of true internet experience, beyond just peak speed. Today’s guest, Doug Suttles, CEO and co-founder of Orb, explains exactly what Orb does, including speed, responsiveness and reliability testing, plus... Read more »

0

Linux packet sampling using eBPF

Linux 6.11+ kernels provide TCX attachment points for eBPF programs to efficiently examine packets as they ingress and egress the host. The latest version of the open source Host sFlow agent includes support for TCX packet sampling to stream industry standard sFlow telemetry to a central collector for network wide visibility, e.g. Deploy real-time network dashboards using Docker compose describes how to quickly set up a Prometheus database and use Grafana to build network dashboards.

static __always_inline void sample_packet(struct __sk_buff *skb, __u8 direction) {
    __u32 key = skb->ifindex;
    __u32 *rate = bpf_map_lookup_elem(&sampling, &key);
    if (!rate || (*rate > 0 && bpf_get_prandom_u32() % *rate != 0))
        return;

    struct packet_event_t pkt = {};
    pkt.timestamp = bpf_ktime_get_ns();
    pkt.ifindex = skb->ifindex;
    pkt.sampling_rate = *rate;
    pkt.ingress_ifindex = skb->ingress_ifindex;
    pkt.routed_ifindex = direction ? 0 : get_route(skb);
    pkt.pkt_len = skb->len;
    pkt.direction = direction;

    __u32 hdr_len = skb->len < MAX_PKT_HDR_LEN ? skb->len : MAX_PKT_HDR_LEN;
    if (hdr_len > 0 && bpf_skb_load_bytes(skb, 0, pkt.hdr, hdr_len) < 0)
        return;
    bpf_perf_event_output(skb, &events, BPF_F_CURRENT_CPU, &pkt, sizeof(pkt));
}

SEC("tcx/ingress")
int tcx_ingress(struct __sk_buff *skb) {
    sample_packet(skb, 0);

    return TCX_NEXT;
}

SEC("tcx/egress")
int tcx_egress(struct __sk_buff *skb) {
    sample_packet(skb, 1);

    return TCX_NEXT;
}

The sample.bpf.c file Continue reading

0

NB536: Fortinet FortiOS Goes Post-Quantum; Intel Scales Back Global Projects

Take a Network Break! In our Red Alert section we note that memory safety bugs bug Firefox and Thunderbird, and on-prem SharePoint instances are under attack. In tech news, Fortinet adds support for Post Quantum Cryptography in FortiOS, Cato Networks integrates Azure Virtual WANs to its SASE offering, and we weigh the pros and cons... Read more »

0

Fun Reading: Who is LLM?

Is an LLM a stubborn donkey, a genie, or a slot machine (and why)? Find out in the Who is LLM? article by Martin Fowler.

0

Worth Reading 072725

We sketch out the enabling technologies for AI. They include search, reasoning, neural networks, natural language processing, signal processing and computer graphics, programming and conventional software engineering, human-computer interaction, communications, and specialized hardware that provides supercomputing power.

For decades, thanks to the low latency enabled by Remote Direct Memory Access, or RDMA, a method of allowing CPUs and then GPUs and finally other kinds of XPUs to directly access the main memory of each other without having to go through the entire network software stack, InfiniBand found a niche and was one of the reasons why Nvidia shelled out $6.9 billion to acquire Mellanox Technologies more than five years ago.

Shipments of tape storage media increased again in 2024, according to HPE, IBM, and Quantum – the three companies that back the Linear Tape-Open (LTO) Format.

In this episode of PING, APNIC’s Chief Scientist, Geoff Huston, discusses a day in the life of Border Gateway Protocol (BGP). Not an extraordinary day, not a special day, just a regular day.

Dumb phones represent the laziest possible solution to a complex behavioral problem. They’re the dietary equivalent of having your jaw wired shut.

0

HN789: How a Global Payments Processor Automates Firewall Changes at Scale

Adyen is a global payments processor whose primary business is providing payment services for merchants, retailers, and venues, as well as online payments. On today’s Heavy Networking we talk about a firewall automation project the company has undertaken. With dozens of change requests coming in every day that need to touch network and host firewalls,... Read more »

0

TNO036: Bridging Networking and Security with Auvik (Sponsored)

Auvik is network management software that lets users monitor, manage, and troubleshoot their networks. On today’s sponsored episode we talk with Doug Murray, CEO; and John Harden, Director of Strategy & Technology Evangelism, both from Auvik, about the challenges facing today’s network operators. We look at the rise of the IT generalist, workloads and burnout,... Read more »

0

ArubaCX: When BGP Soft Reconfiguration Becomes a No-Op

Changing an existing BGP routing policy is always tricky on platforms that apply line-by-line changes to device configurations (Cisco IOS and most other platforms claiming to have industry-standard CLI, with the notable exception of Arista EOS). The safest approach seems to be:

• Do not panic when the user makes changes to route maps and underlying filters (prefix lists, AS-path access lists, or community lists).
• Let the user decide when they’re done and process the BGP table with the new routing policy at that time.

0

The White House AI Action Plan: a new chapter in U.S. AI policy

On July 23, 2025, the White House unveiled its AI Action Plan (Plan), a significant policy document outlining the current administration's priorities and deliverables in Artificial Intelligence. This plan emerged after the White House received over 10,000 public comments in response to a February 2025 Request for Information (RFI). Cloudflare’s comments urged the White House to foster conditions for U.S. leadership in AI and support open-source AI, among other recommendations. 

There is a lot packed into the three pillar, 28-page Plan. 

• Pillar I: Accelerate AI Innovation. Focuses on removing regulations, enabling AI adoption and developing, and ensuring the availability of open-source and open-weight AI models.

• Pillar II: Build American AI Infrastructure. Prioritizes the construction of high-security data centers, bolstering critical infrastructure cybersecurity, and promoting Secure-by-Design AI technologies. 

• Pillar III: Lead in International AI Diplomacy and Security. Centers on providing America’s allies and partners with access to AI, as well as strengthening AI compute export control enforcement. 

Each of these pillars outlines policy recommendations for various federal agencies to advance the plan’s overarching goals. There’s much that the Plan gets right. Below we cover a few parts of the Plan that we think are particularly important. Continue reading