Archive

Category Archives for "Networking"

Cloudflare partners to simplify China connectivity for corporate networks

Cloudflare partners to simplify China connectivity for corporate networks
Cloudflare partners to simplify China connectivity for corporate networks

IT teams have historically faced challenges with performance, security, and reliability for employees and network resources in mainland China. Today, along with our strategic partners, we’re excited to announce expansion of our Cloudflare One product suite to tackle these problems, with the goal of creating the best SASE experience for users and organizations in China.

Cloudflare One, our comprehensive SASE platform, allows organizations to connect any source or destination and apply single-pass security policies from one unified control plane. Cloudflare One is built on our global network, which spans 275 cities across the globe and is within 50ms of 95% of the world’s Internet-connected population. Our ability to serve users extremely close to wherever they’re working—whether that’s in a corporate office, their home, or a coffee shop—has been a key reason customers choose our platform since day one.

In 2015, we extended our Application Services portfolio to cities in mainland China; in 2020, we expanded these capabilities to offer better performance and security through our strategic partnership with JD Cloud. Today, we’re unveiling our latest steps in this journey: extending the capabilities of Cloudflare One to users and organizations in mainland China, through additional strategic partnerships. Let’s break down Continue reading

Network Break 409: Regulators Tap Brakes On Broadcom, VMware; Google Settles Location Tracking Charges For $392M

This week's Network Break podcast discusses UK and EU regulators wanting a closer look at Broadcom's VMware acquisition, Google settling with 40 US states over location tracking charges, and the FCC publishing responses from the 15 biggest US mobile providers regarding customer geolocation data tracking, plus even more IT news.

The post Network Break 409: Regulators Tap Brakes On Broadcom, VMware; Google Settles Location Tracking Charges For $392M appeared first on Packet Pushers.

Network Break 409: Regulators Tap Brakes On Broadcom, VMware; Google Settles Location Tracking Charges For $392M

This week's Network Break podcast discusses UK and EU regulators wanting a closer look at Broadcom's VMware acquisition, Google settling with 40 US states over location tracking charges, and the FCC publishing responses from the 15 biggest US mobile providers regarding customer geolocation data tracking, plus even more IT news.

A simple BPFTrace to see TCP SendBytes as a Histogram

< MEDIUM: https://raaki-88.medium.com/a-simple-bpftrace-to-see-tcp-sendbytes-as-a-histogram-f6e12355b86c >

A significant difference between BCC and BPF is that BCC is used for complex analysis while BPF programs are mostly one-liners and are ad-hoc based. BPFTrace is an open-source tracer, reference below

https://ebpf.io/ — Excellent introduction to EBPF

https://github.com/iovisor/bpftrace — Excellent Resource.

Let me keep this short, we will try to use BPFTrace and capture TCP

We will need

  1. Netcat
  2. DD for generating a dummy 1GB File
  3. bpftrace installed

To understand the efficiency of this, let’s attach a Tracepoint, a Kernel Static Probe to capture all of the new processes that get triggered, imagine an equivalent of a TOP utility with means of reacting to the event at run-time if required

https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md#probes — Lists out type of probes and their utility

We can clearly see we invoked a BPFTrace for tracepoint system calls which takes execve privilege, I executed the ping command and various other commands and you can see that executing an inbound SSH captured invoke of execve-related commands and the system banner.

sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve { join(args->argv); }'

Attaching 1 probe...

clear
ping 1.1.1.1 -c 1
/usr/bin/clear_console -q
/usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u Continue reading

Tech Bytes: Run On-Prem Infrastructure Like Public Cloud With vSphere+ (Sponsored)

Today’s Tech Bytes podcast, sponsored by VMware, dives into VMware’s vSphere+. vSphere+ allows you to operate your on-prem workloads and infrastructure as if they were a public cloud. It supports VMs and Kubernetes, and provides admin, developer, and add-on services delivered via SaaS.

The post Tech Bytes: Run On-Prem Infrastructure Like Public Cloud With vSphere+ (Sponsored) appeared first on Packet Pushers.

The Linux Kernel Key Retention Service and why you should use it in your next application

The Linux Kernel Key Retention Service and why you should use it in your next application
The Linux Kernel Key Retention Service and why you should use it in your next application

We want our digital data to be safe. We want to visit websites, send bank details, type passwords, sign documents online, login into remote computers, encrypt data before storing it in databases and be sure that nobody can tamper with it. Cryptography can provide a high degree of data security, but we need to protect cryptographic keys.

At the same time, we can’t have our key written somewhere securely and just access it occasionally. Quite the opposite, it’s involved in every request where we do crypto-operations. If a site supports TLS, then the private key is used to establish each connection.

Unfortunately cryptographic keys sometimes leak and when it happens, it is a big problem. Many leaks happen because of software bugs and security vulnerabilities. In this post we will learn how the Linux kernel can help protect cryptographic keys from a whole class of potential security vulnerabilities: memory access violations.

Memory access violations

According to the NSA, around 70% of vulnerabilities in both Microsoft's and Google's code were related to memory safety issues. One of the consequences of incorrect memory accesses is leaking security data (including cryptographic keys). Cryptographic keys are just some (mostly random) data stored in Continue reading

Data-center requirements should drive network architecture

If you like survey data, here’s an interesting fact for you. Every year since 2000, when I started surveying enterprises on the question, the most important factor driving investment and change in enterprise networks was the data center. It’s like the network is the tail of a big, fuzzy, maybe-largely-invisible dog, and it’s time we look at where that dog might be leading us.Today’s virtual private networks (VPNs) evolved from the days when companies leased time-division-multiplexed (TDM) lines and connected their own routers. That approach focused companies on how to network sites, and they now think about networking people instead. But people are half the story; the other half is what the people are doing, which is accessing (increasingly via the cloud) data-center applications and databases.To read this article in full, please click here

Data-center requirements should drive network architecture

If you like survey data, here’s an interesting fact for you. Every year since 2000, when I started surveying enterprises on the question, the most important factor driving investment and change in enterprise networks was the data center. It’s like the network is the tail of a big, fuzzy, maybe-largely-invisible dog, and it’s time we look at where that dog might be leading us.Today’s virtual private networks (VPNs) evolved from the days when companies leased time-division-multiplexed (TDM) lines and connected their own routers. That approach focused companies on how to network sites, and they now think about networking people instead. But people are half the story; the other half is what the people are doing, which is accessing (increasingly via the cloud) data-center applications and databases.To read this article in full, please click here

netlab Release 1.4.1: Cisco ASAv

The star of the netlab release 1.4.1 is Cisco ASAv support: IPv4 and IPv6 addressing, IS-IS and BGP, and libvirt box building instructions.

Other new features include:

Upgrading is as easy as ever: execute pip3 install --upgrade networklab.

New to netlab? Start with the Getting Started document and the installation guide.

netlab Release 1.4.1: Cisco ASAv

The star of the netlab release 1.4.1 is Cisco ASAv support: IPv4 and IPv6 addressing, IS-IS and BGP, and libvirt box building instructions.

Other new features include:

Upgrading is as easy as ever: execute pip3 install --upgrade networklab.

New to netlab? Start with the Getting Started document and the installation guide.

Day Two Cloud Invite: Recording At TopGolf Las Vegas Nov. 30, 2022

If you're headed to AWS re:Invent in Las Vegas, you can catch Ned & me recording a show live. On Wednesday, November 30, 2022, we’ll be at TopGolf with sponsor Prosimo from 4 to 7 pm. Join us to have some fun! Links and drinks, meet fellow engineers building clouds for their companies, and then watch us record the show. Space is limited, so register at prosimo.io. We’ll see you at TopGolf Las Vegas on Wednesday the 30th!

The post Day Two Cloud Invite: Recording At TopGolf Las Vegas Nov. 30, 2022 appeared first on Packet Pushers.

Day Two Cloud Invite: Recording At TopGolf Las Vegas Nov. 30, 2022

If you're headed to AWS re:Invent in Las Vegas, you can catch Ned & me recording a show live. On Wednesday, November 30, 2022, we’ll be at TopGolf with sponsor Prosimo from 4 to 7 pm. Join us to have some fun! Links and drinks, meet fellow engineers building clouds for their companies, and then watch us record the show. Space is limited, so register at prosimo.io. We’ll see you at TopGolf Las Vegas on Wednesday the 30th!

Congestion Control Algorithms Are Not Fair

Creating a mathematical model of queuing in a distributed system is hard (Queuing Theory was one of the most challenging ipSpace.net webinars so far), and so instead of solutions based on control theory and mathematical models we often get what seems to be promising stuff.

Things that look intuitively promising aren’t always what we expect them to be, at least according to an MIT group that analyzed delay-bounding TCP congestion control algorithms (CCA) and found that most of them result in unfair distribution of bandwidth across parallel flows in scenarios that diverge from spherical cow in vacuum. Even worse, they claim that:

[…] Our paper provides a detailed model and rigorous proof that shows how all delay-bounding, delay-convergent CCAs must suffer from such problems.

It seems QoS will remain spaghetti-throwing black magic for a bit longer…

Congestion Control Algorithms Are Not Fair

Creating a mathematical model of queuing in a distributed system is hard (Queuing Theory was one of the most challenging ipSpace.net webinars so far), and so instead of solutions based on control theory and mathematical models we often get what seems to be promising stuff.

Things that look intuitively promising aren’t always what we expect them to be, at least according to an MIT group that analyzed delay-bounding TCP congestion control algorithms (CCA) and found that most of them result in unfair distribution of bandwidth across parallel flows in scenarios that diverge from spherical cow in vacuum. Even worse, they claim that:

[…] Our paper provides a detailed model and rigorous proof that shows how all delay-bounding, delay-convergent CCAs must suffer from such problems.

It seems QoS will remain spaghetti-throwing black magic for a bit longer…