An In-Depth Look at Istio Ambient Mode with Calico
The Next Step Toward a Unified Kubernetes Platform: Istio Ambient Mode
Organizations are struggling with rising operational complexity, fragmented tools, and inconsistent security enforcement as Kubernetes becomes the foundation for modern application platforms. As a result of this complexity and fragmentation, platform teams are increasingly burdened by the need to stitch together separate solutions for networking, network security, and observability. This fragmentation also creates higher operating costs, security gaps, inefficient troubleshooting, and an elevated risk of outages in mission-critical environments. The challenge is even greater for companies running multiple Kubernetes distributions, as relying on each platform’s unique and often incompatible networking stack can lead to significant vendor lock-in and operational overhead.
The Tigera Unified Strategy: Addressing Fragmentation
Tigera’s unified platform strategy is designed to address these challenges by providing a single solution that brings together all the essential Kubernetes networking and security capabilities enterprises need, that includes Istio Ambient Mode, delivered consistently across every Kubernetes distribution.
Istio Ambient Mode brings sidecarless service-mesh functionality that includes authentication, authorization, encryption, L4/L7 traffic controls, and deep application-level (L7) observability directly into the unified Calico platform. By including Istio Ambient Mode with Calico and making it easy to install and manage with the Tigera Continue reading
React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques
On December 3, 2025, immediately following the public disclosure of the critical, maximum-severity React2Shell vulnerability (CVE-2025-55182), the Cloudforce One Threat Intelligence team began monitoring for early signs of exploitation. Within hours, we observed scanning and active exploitation attempts, including traffic originating from infrastructure associated with Asian-nexus threat groups.
Early activity indicates that threat actors quickly integrated this vulnerability into their scanning and reconnaissance routines. We observed systematic probing of exposed systems, testing for the flaw at scale, and incorporating it into broader sweeps of Internet‑facing assets. The identified behavior reveals the actors relied on a combination of tools, such as standard vulnerability scanners and publicly accessible Internet asset discovery platforms, to find potentially vulnerable React Server Components (RSC) deployments exposed to the Internet.
Patterns in observed threat activity also suggest that the actors focused on identifying specific application metadata — such as icon hashes, SSL certificate details, or geographic region identifiers — to refine their candidate target lists before attempting exploitation.
In addition to React2Shell, two additional vulnerabilities affecting specific RSC implementations were disclosed: CVE-2025-55183 and CVE-2025-55184. Both vulnerabilities, while distinct from React2Shell, also relate to RSC payload handling and Server Function semantics, and are described in more detail Continue reading
LIU005: The Importance of Community In a Networking Career
AJ Murray joins Kevin and Alexis to share his unique journey into tech, pivoting away from aviation maintenance into networking. Together they explore the importance of person-to-person networking and building a community in order to be successful. They also talk about the reality of burnout, which ultimately led AJ to step away from his podcast.... Read more »IETF v6ops Working Group with Nick Buraglio
The first IPv6 specs were published in 1995, and yet 30 years later, we still have a pretty active IETF working group focused on “developing guidelines for the deployment and operation of new and existing IPv6 networks.” (taken from the old charter; they updated it in late October 2025). Why is it taking so long, and what problems are they trying to solve?
Nick Buraglio, one of the working group chairs, provided some answers in Episode 203 of the Software Gone Wild podcast.
TCG065: AutoCon 4 Recap, AI Tools, MCP’s First Birthday, and More
In this year-end episode, William and Eyvonne recap their experiences at AutoCon 4 in Austin, Texas. They discuss the conference’s new multi-track format, including Eyvonne’s presentation in the leadership track on why technical projects fail. The conversation dives into how AI tools like Google Gemini can augment – not replace – human creativity, from research... Read more »UET Protocol: How the NIC constructs packet from the Work Entries (WRE+SES+PDS)
Semantic Sublayer (SES) Operation
[Rewritte 12. Dec-2025]
After a Work Request Entity (WRE) is created, the UET provider generates the parameters needed by the Semantic Sublayer (SES) headers. At this stage, the SES does not construct the actual wire header. Instead, it provides the header parameters, which are later used by the Packet Delivery Context (PDC) state machine to construct the final SES wire header, as explained in the upcoming PDC section. These parameters ensure that all necessary information about the message, including addressing and size, is available for later stages of processing.
Fragmentation Due to Guaranteed Buffer Limits
In our example, the data to be written to the remote GPU is 16 384 bytes. The dual-port NIC in figure 5-5 has a total memory capacity of 16 384 bytes, divided into three regions: a 4 096-byte guaranteed per-port buffer for Eth0 and Eth1, and an 8 192-byte shared memory pool available to both ports. Because gradient synchronization requires lossless delivery, all data must fit within the guaranteed buffer region. The shared memory pool cannot be used, as its buffer space is not guaranteed.
Since the message exceeds the size of the guaranteed buffer, it must be fragmented. The UET provider splits the 16 384-byte Continue reading
NAN108: Perspectives, Hopes, and Challenges of Young Network Engineers
Let’s hear from the next generation of network engineers. Eric Chou sits down with Sem Eyob and Damon Hoody, two early-career network engineers, to talk about how they got into the profession and where they hope to go. They share their views on AI and its effect on their generation, their struggles finding entry level... Read more »D2DO289: Instana: Leading the Future of Observability (Sponsored)
As AI tools and agentic AI become part of how applications are developed, delivered, and managed, application performance monitoring and observability have to adapt. Ned Bellavance sits down with Drew Flowers and Jacob Yackenovich from IBM Instana about where these fields sit today, and the potential impacts of AI. They detail the challenges of application... Read more »Simplifying SR-TE with mesh templates
A big problem with deploying traffic engineering is configuration complexity. This has now been solved.
Why use Traffic Engineering
Typical reasons for using traffic engineering are:
- Send some traffic via a low latency path
- Send A/B streams via different paths
Evergreen: The Big Ball of Mud
In 2007, Jeff Atwood published a legendary blog post summarizing a 1997 paper by Brian Foote and Joseph Yoder.
Reading that blog post (or the original paper), the inevitable conclusion is that we haven’t made much progress in the last 20 years. Even worse, almost every single pathological architecture described in that blog post applies quite well to real-life organically grown networks.
2026 INFINITI QX80 Autograph 4WD: SUV Mewah dengan Lompatan Teknologi Baru
Daftar Pustaka
Desain Eksterior yang Semakin Berwibawa
Generasi terbaru 2026 INFINITI QX80 Autograph 4WD hadir dengan tampilan yang lebih tegas dan modern. Desain bodinya terlihat tebal namun tetap elegan. Bentuk gril dark chrome kini memberi kesan premium sejak pandangan pertama. Selain itu, velg 22 inci dengan finishing two-tone membuat tampilannya semakin berkelas. Karena itu, QX80 Autograph 4WD tidak hanya sekadar SUV besar, tetapi juga simbol status yang nyata.
Selain tampilan solid, fitur eksteriornya juga mendukung kemudahan. Pengemudi mendapatkan akses pintu otomatis, INFINITI Light Path, serta puddle lights yang membantu saat malam. Lalu, roof dual-pane moonroof memberi atmosfer kabin yang lebih lapang dan mewah. Semua elemen tersebut bersatu menciptakan identitas baru yang lebih kuat.
Interior Ultra Mewah dengan Kemudahan Maksimal
Masuk ke dalam kabin, QX80 Autograph 4WD langsung menunjukkan standar kenyamanan kelas atas. Material semi-aniline leather dengan pola dot quilting terasa sangat lembut. Kursi baris pertama dan kedua punya fitur heated, ventilated, dan massage, sehingga perjalanan jauh terasa nyaman. Bahkan baris ketiga sudah Continue reading
PP090: Why Native Controls Aren’t Enough to Protect Your Cloud Workspaces (Sponsored)
Cloud-based workspaces such as Google Workspace are often the backbone of an organization. But they also face threats from spam and phishing, account takeovers, and illicit access to sensitive documents and files. On today’s Packet Protector we talk with sponsor Material Security about how it brings additional layers of protection to Google Workspace, including email... Read more »HS120: Eight New Year’s Resolutions for 2026
As you wind down 2025, what should you be planning to do for 2026? The Heavy Strategy team breaks it down for you with eight resolutions for the new year. From setting an AI strategy to cloud optimization, Johna and John can help you enter the new year prepared for what’s next. Other resolutions include... Read more »
Shifting left at enterprise scale: how we manage Cloudflare with Infrastructure as Code
The Cloudflare platform is a critical system for Cloudflare itself. We are our own Customer Zero – using our products to secure and optimize our own services.
Within our security division, a dedicated Customer Zero team uses its unique position to provide a constant, high-fidelity feedback loop to product and engineering that drives continuous improvement of our products. And we do this at a global scale — where a single misconfiguration can propagate across our edge in seconds and lead to unintended consequences. If you've ever hesitated before pushing a change to production, sweating because you know one small mistake could lock every employee out of critical application or take down a production service, you know the feeling. The risk of unintended consequences is real, and it keeps us up at night.
This presents an interesting challenge: How do we ensure hundreds of internal production Cloudflare accounts are secured consistently while minimizing human error?
While the Cloudflare dashboard is excellent for observability and analytics, manually clicking through hundreds of accounts to ensure security settings are identical is a recipe for mistakes. To keep our sanity and our security intact, we stopped treating our configurations as manual point-and-click tasks and Continue reading
NB555: AI and APIs Drive HPE’s Dual-Platform WLAN Strategy; Dell, HPE Dangle VMware Alternatives
Take a Network Break! Our Red Alert calls out a dangerous vulnerability in the popular open-source React library. On the news front, HPE decides on a “both and” strategy for its two wireless portfolios and rolls out an option to let customers pick and choose among cross-platform features in Mist and Aruba Networking Central through... Read more »Tech Bytes: How to Get DPUs from Niche to Transformative (Sponsored)
RG Nets builds gateways and centralized-authentication appliances to help manage and automate revenue-generating networks. On today’s Tech Bytes, we talk with RG Nets founder Simon Lok. But instead of talking about RG Nets, we delve into DPUs. This specialized hardware, which provides additional compute for network devices, has the potential to move from a niche... Read more »HN807: A ‘CLI Lifer’ No More
Andy Lapteff once considered himself a ‘CLI lifer.’ As a network engineer he wasn’t interested in Python. He didn’t want to learn to code. He had no desire to embrace any of the developer-like processes and tools creeping into the profession, particularly around network automation. That’s changed. On today’s Heavy Networking, Andy shares the professional,... Read more »netlab 25.12: Cisco IOS/XR Configuration Modules, More VXLAN Goodies
netlab release 25.12 (25.12.02 to be exact – I had a few PEBCAK moments) was published last Friday. Here are the highlights:
- Significantly improved Cisco IOS/XR support. With the netlab release 25.12, you can configure VLANs, VRFs, static routes, route redistribution, OSPF default routes, BGP confederations, and BGP local-as
- VXLAN-over-IPv6 on Arista EOS
- VXLAN with ingress replication on Cisco Catalyst 8000v
- The shutdown link/interface attribute can be used to start labs with interfaces turned off
- Large BGP community lists, implemented on Arista EOS, FRR, and Junos. You can use standard- or large community lists in routing policies
- The netlab validate command will reread validation tests from a modified lab topology file every time you run it. It can also read validation tests from a separate file.
Python Workers redux: fast cold starts, packages, and a uv-first workflow
Note: This post was updated with additional details regarding AWS Lambda.
Last year we announced basic support for Python Workers, allowing Python developers to ship Python to region: Earth in a single command and take advantage of the Workers platform.
Since then, we’ve been hard at work making the Python experience on Workers feel great. We’ve focused on bringing package support to the platform, a reality that’s now here — with exceptionally fast cold starts and a Python-native developer experience.
This means a change in how packages are incorporated into a Python Worker. Instead of offering a limited set of built-in packages, we now support any package supported by Pyodide, the WebAssembly runtime powering Python Workers. This includes all pure Python packages, as well as many packages that rely on dynamic libraries. We also built tooling around uv to make package installation easy.
We’ve also implemented dedicated memory snapshots to reduce cold start times. These snapshots result in serious speed improvements over other serverless Python vendors. In cold start tests using common packages, Cloudflare Workers start over 2.4x faster than AWS Lambda without SnapStart and 3x faster than Google Cloud Run.
In this blog post, we’ll explain Continue reading