PP024: Considering Resiliency in a Time of Global Outages
In the wake of one of the largest global IT outages, resiliency is the theme of today’s show. We dig into the CrowdStrike debacle as well as an Azure outage that kinda flew under the radar. We also look at the Resiliency Planning Framework Playbook from CISA and other frameworks for building resilient infrastructure. We... Read more »How the Paris 2024 Summer Olympics has impacted Internet traffic
The Paris 2024 Summer Olympics, themed “Games Wide Open” (“Ouvrons grand les Jeux”), kicked off on Friday, July 26, 2024, and will run until August 11. A total of 10,714 athletes from 204 nations, including individual and refugee teams, will compete in 329 events across 32 sports. This blog post focuses on the opening ceremony and the initial days of the event, examining associated impact on Internet traffic, especially in France, the popularity of Olympic websites by country, and the rise in Olympics-related spam and malicious emails.
Cloudflare has a global presence with data centers in over 320 cities, supporting millions of customers, which provides a global view of what’s happening on the Internet. This is helpful for improving security, privacy, efficiency, and speed, but also for observing Internet disruptions and traffic trends.
We are closely monitoring the event through our 2024 Olympics report on Cloudflare Radar and will provide updates on significant Internet trends as they develop.
An opening ceremony to remember
For the first time in modern Olympic history, the opening ceremony was held outside a stadium, lasting nearly four hours and clearly impacting Internet traffic in France. The nation’s engagement was evident during Continue reading
How the Paris 2024 Summer Olympics has impacted Internet traffic
The Paris 2024 Summer Olympics, themed “Games Wide Open” (“Ouvrons grand les Jeux”), kicked off on Friday, July 26, 2024, and will run until August 11. A total of 10,714 athletes from 204 nations, including individual and refugee teams, will compete in 329 events across 32 sports. This blog post focuses on the opening ceremony and the initial days of the event, examining associated impact on Internet traffic, especially in France, the popularity of Olympic websites by country, and the rise in Olympics-related spam and malicious emails.
Cloudflare has a global presence with data centers in over 320 cities, supporting millions of customers, which provides a global view of what’s happening on the Internet. This is helpful for improving security, privacy, efficiency, and speed, but also for observing Internet disruptions and traffic trends.
We are closely monitoring the event through our 2024 Olympics report on Cloudflare Radar and will provide updates on significant Internet trends as they develop.
An opening ceremony to remember
For the first time in modern Olympic history, the opening ceremony was held outside a stadium, lasting nearly four hours and clearly impacting Internet traffic in France. The nation’s engagement was evident during the Continue reading
HS079: Big Rock, Best-in-Breed, or Ecosystem: What’s the Best Vendor Procurement Strategy?
When choosing vendors, what strategy should you employ: big rock, best-in-breed, or ecosystem? The big rock approach consolidates vendor relationships around a few strategic partners. Best-in-breed focuses on selecting top solutions from various vendors. The ecosystem model combines elements of both. Today’s conversation explores all three models and also highlights the importance of integration, the... Read more »
HW032: What’s New With RUCKUS MDUs – From Wi-Fi 7 to AI (Sponsored)
Providing Wi-Fi in multi-dwelling units (MDUs) such as apartments or dormitories is complicated. These environments require dense AP deployments, have to provide secure access to lots of users, must support myriad device types, and must offer good performance. Our guests are Kyle Leissner, founder of Wire Star; and Bart Giordano, president of the RUCKUS at... Read more »Fun Reading: AI and Google’s Quarterly Results
I never mastered the fine art of polite diplomatic sarcasm. Brad Casemore is a virtuoso – you’ll love his take on Google’s Quarterly Results: Investors Begin Questioning Efficacy of GenAI Investments.
Tech Bytes: Nokia’s SR Linux Embraces OpenConfig to Support Network Automation (Sponsored)
Today on the Tech Bytes podcast we talk OpenConfig and data models with sponsor Nokia. Nokia’s SR Linux network OS has embraced OpenConfig to help you support automation initiatives. We talk with Nokia about why it chose OpenConfig, how it handles mixed data models for device platforms that may or may not use OpenConfig, and... Read more »NB488: CrowdStrike Bug Tester Was Buggy; Can Starlink Match US ISP Performance?
Take a Network Break! We start with listener follow-up on CrowdStrike and Microsoft, and then examine a CrowdStrike incident review in which the security company says a bug in its content validator meant that a problematic update was mistakenly validated. An insurance company estimates the CrowdStrike Windows crash will cost the Fortune 500 about $5... Read more »Avoiding downtime: modern alternatives to outdated certificate pinning practices
In today’s world, technology is quickly evolving and some practices that were once considered the gold standard are quickly becoming outdated. At Cloudflare, we stay close to industry changes to ensure that we can provide the best solutions to our customers. One practice that we’re continuing to see in use that no longer serves its original purpose is certificate pinning. In this post, we’ll dive into certificate pinning, the consequences of using it in today’s Public Key Infrastructure (PKI) world, and alternatives to pinning that offer the same level of security without the management overhead.
PKI exists to help issue and manage TLS certificates, which are vital to keeping the Internet secure – they ensure that users access the correct applications or servers and that data between two parties stays encrypted. The mis-issuance of a certificate can pose great risk. For example, if a malicious party is able to issue a TLS certificate for your bank’s website, then they can potentially impersonate your bank and intercept that traffic to get access to your bank account. To prevent a mis-issued certificate from intercepting traffic, the server can give a certificate to the client and say “only trust connections if Continue reading
Avoiding downtime: modern alternatives to outdated certificate pinning practices
In today’s world, technology is quickly evolving and some practices that were once considered the gold standard are quickly becoming outdated. At Cloudflare, we stay close to industry changes to ensure that we can provide the best solutions to our customers. One practice that we’re continuing to see in use that no longer serves its original purpose is certificate pinning. In this post, we’ll dive into certificate pinning, the consequences of using it in today’s Public Key Infrastructure (PKI) world, and alternatives to pinning that offer the same level of security without the management overhead.
PKI exists to help issue and manage TLS certificates, which are vital to keeping the Internet secure – they ensure that users access the correct applications or servers and that data between two parties stays encrypted. The mis-issuance of a certificate can pose great risk. For example, if a malicious party is able to issue a TLS certificate for your bank’s website, then they can potentially impersonate your bank and intercept that traffic to get access to your bank account. To prevent a mis-issued certificate from intercepting traffic, the server can give a certificate to the client and say “only trust connections if Continue reading
Crafting endless AS paths in BGP
Combining BGP confederations and AS override can potentially create a BGP routing loop, resulting in an indefinitely expanding AS path.
BGP confederation is a technique used to reduce the number of iBGP sessions and improve scalability in large autonomous systems (AS). It divides an AS into sub-ASes. Most eBGP rules apply between sub-ASes, except that next-hop, MED, and local preferences remain unchanged. The AS path length ignores contributions from confederation sub-ASes. BGP confederation is rarely used and BGP route reflection is typically preferred for scaling.
AS override is a feature that allows a router to replace the ASN of a
neighbor in the AS path of outgoing BGP routes with its own. It’s useful when
two distinct autonomous systems share the same ASN. However, it interferes with
BGP’s loop prevention mechanism and should be used cautiously. A safer
alternative is the allowas-in directive.1
In the example below, we have four routers in a single confederation, each in
its own sub-AS. R0 originates the 2001:db8::1/128 prefix. R1, R2, and
R3 forward this prefix to the next router in the loop.
The router configurations are available in a Continue reading
HN742: Designing a Real-World Hybrid Cloud Network
On today’s show we talk about designing a network to support hybrid cloud deployments. That is, building and operating a network to interconnect the Big Three US public clouds (GCP, AWS, and Azure) as well as on-prem infrastructure to support a variety of applications and workloads. The network design had to meet several requirements, including... Read more »Experience Expansion
Recently at Networking Field Day, one of the presenters for cPacket had a wonderful line that stuck with me:
There’s no compression algorithm for experience.
Like, floored. Because it hits at the heart of a couple of different things that are going on in the IT industry right now that showcase why it feels like everything is on the verge of falling apart and what we can do to help that.
Misteaks Hapin
Let’s just get this out of the way: you are going to screw up. Anyone doing any job ever for any amount of time has made a mistake. I know I’ve made my fair share of them over the years. When I finished chastising myself I looked back at what happened, figured out what went wrong, and made sure that it didn’t happen that exact same way again. That’s experience.
Experience is key to understanding why we do things the way we do them or why we don’t do something a certain way. You know how you get experience? By doing it. It’s rare that someone can read a book or a blog post about some topic and instantly know everything there is to know about Continue reading
Hedge 236: Permissionless with Greg Ferro
Eyvonne and Russ catch up with Greg Ferro one last time to talk about the permissionless Internet–a thing of the past–vendor lock in, and many other random topics on this episode of the Hedge. Greg–here’s to a grand time in the future. We’ll miss you.
Using netlab Reports
Did you know you can use netlab to generate reports describing your lab topology, IP addressing, BGP details, or OSPF areas? The magic command (netlab report) was introduced in August 2023, followed by netlab show reports to display the available reports a few months later.
You can generate the reports in text, Markdown, or HTML format. The desired format is selected with the report name suffix. For example, the bgp-asn.md report will create Markdown text.
Let’s see how that works.
IPB156: Insights From the Making of RFC 9099
RFC 9099 addresses security considerations for operating IPv6 networks, including issues such as address allocation and architecture, security considerations for DHCPv6 and DNS64, and more. Two of the RFC’s co-authors, Merike Kaeo and Eric Vyncke, join the IPv6 Buzz team to talk about the motivations for and challenges of creating RFC 9099. Episode Guests: Merike... Read more »I’m a Network Engineer, I Want to Learn Cloud, What Should I Do?
As a Network Engineer, I often receive messages on LinkedIn and through my blog with people asking, “How do I start learning about Cloud?” After getting so many similar messages, I thought it would be more easier to write a dedicated blog post to address this. If you’re looking for a quick answer, I’ll tell you this, Learning about Cloud is easier than you might think, especially if you’re already familiar with networking concepts like BGP, Subnets and Routing.
💡
Please note that when I mention “Cloud,” I’m specifically talking about the networking aspects of cloud computing. The cloud covers a vast array of technologies, and trying to learn everything is almost impossible. So, my focus here is primarily on understanding how networking functions within the cloud, and perhaps managing some virtual machines (VMs). I’ll be focusing on AWS since that’s the cloud environment I’m most familiar with.
Please note, this blog post isn’t intended to teach you everything about AWS but rather to point you in the right direction on how to begin learning. The best way to learn is by actively doing something in AWS and picking up more knowledge as you go.
If You Continue reading
Dropped packet notifications with Arista Networks
Visibility into dropped packets is essential for Artificial Intelligence/Machine Learning (AI/ML) workloads, where a single dropped packet can stall large scale computational tasks, idling millions of dollars worth of GPU/CPU resources, and delaying the completion of business critical workloads. Enabling real-time sFlow telemetry provides the observability into traffic flows and packet drops needed to effectively manage these networks.
The availability of the Arista EOS 4.31.4M maintenance release brings sFlow dropped packet monitoring (previously demonstrated using the 4.30.1F feature release - see SC23 Dropped packet visibility demonstration) to production networks, see EOS Life Cycle Policysflow sampling 50000 sflow polling-interval 20 sflow vrf mgmt destination 203.0.113.100 sflow vrf mgmt source-interface Management0 sflow runThe above Arista EOS commands enable sFlow counter polling and packet sampling on all ports, sending the sFlow telemetry to the sFlow analyzer at 203.0.113.100
flow tracking mirror-on-drop
sample limit 100 pps
!
tracker SFLOW
exporter SFLOW
format sflow
collector sflow
local interface Management0
no shutdown
The above commands add sFlow Dropped Packet Notification Structures to the sFlow telemetry feed using Broadcom Mirror on Drop (MoD) instrumentation. Broadcom implements mirror-on-drop in Jericho 2, Trident 3, and Tomahawk 3, Continue reading