It’s been a while since we started work on one of our newest projects. We have been trying to solve a problem in app location. It all came from the notion that Little Caesars knows where my pizza is, so why can’t the network resolve where the app is? We also thought it would be a novel use of Anycast, because the app can be anywhere.
So, what problems specifically have we solved using this design? Intent based gateways are a signaling mechanism that allows the apps to be delivered along with the pizza. As we can see, app Buffalo Wings can reach both the intent based gateway and Fried Pickles using TI-LFA, which strips the fat bits before they reach the gateway. Our unique caching solution using Tupperware, which are stacked in K8s, allows for the apps to be delivered in a bursty, nexthop-specific, competitive manner. This has proven to keep the apps warm within the physical layer.
In our example, the Delivery Center Interconnect, we are doing an east to west Multi Pizza Layered Service that can drop the apps with full BTU into any of the regions. The apps are Continue reading
This post is a collection of links to resources I have found useful on infosec related topics. CVE: Exploit DB (https://www.exploit-db.com/) - CVE compliant archive of public exploits and corresponding vulnerable software,...continue reading
Fortinet’s Zero Trust Network Access (ZTNA) lets network and security teams enforce fine-grained access policies for users working remotely and in the office. It can control access to applications hosted on premises, in the public cloud, or delivered via SaaS. This post walks through the elements required to deploy ZTNA and offers advice on transitioning to a zero-trust approach.
The post A Walk-Through Of Fortinet’s Zero Trust Network Access (ZTNA) Architecture appeared first on Packet Pushers.
In previous blog posts, my colleagues and I have introduced and explored the Calico eBPF data plane in detail, including learning how to validate that it is configured and running correctly. If you have the time, those are still a great read; you could dive in with the Calico eBPF Data Plane Deep-Dive.
However, sometimes a picture paints a thousand words! I was inspired by Daniele Polencic’s wonderful A Visual Guide on Troubleshooting Kubernetes Deployments. With his permission and kind encouragement, I decided to adapt the validation part of my previous deep-dive post to this easy-to-digest flowchart. Feel free to share it far and wide, wherever you think a Calico-learning colleague might benefit! It includes a link back here in case the diagram is updated in the future.
Did you know you can become a certified Calico operator? Learn container and Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.
There are additional level-two courses as well. One of them specifically addresses eBPF and the Calico eBPF data plane!
The post A visual guide to Calico eBPF data plane validation appeared first on Tigera.
Another year of massive growth in the number and speed of connections to the global Internet—what is the impact on the global routing table? Geoff Huston joins Donald Sharp and Russ White to discuss the current state of the BGP table, the changes in the last several years, where things might go, and what all of this means. This is part two of a two-part episode.
A set of high-profile vulnerabilities has been identified affecting the popular Java Spring Framework and related software components, generally referred to as Spring4Shell.
Four CVEs have been released so far and are being actively updated as new information emerges. These vulnerabilities can result, in the worst case, in full remote code execution (RCE) compromise:
Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.
The Cloudflare WAF team is actively monitoring these CVEs and has already deployed a number of new managed mitigation rules. Customers should review the rules listed below to ensure they are enabled while also patching the underlying Java Spring components.
A new rule has been developed and deployed for this CVE with an emergency release on March 29:
Managed Rule: Spring - CVE:CVE-2022-22947 (WAF rule ID e777f95584ba429796856007fbe6c869, legacy rule ID 100522)
Note that the above rule is disabled by Continue reading
Storm control is a feature that monitors traffic levels and drops broadcast, multicast, and unknown unicast packets (commonly known as BUM traffic) when a specified traffic level, referred to as the storm control level or storm control bandwidth, is exceeded, limiting the traffic to protect the Local Area Network environment. In this blog post, we will try to understand the basics of it.
Although the Storm Control feature is mainly used for broadcast traffic, we should also configure it to protect against unnecessary multicast and unknown unicast packets. Bugs in the software or hardware, mis-cabling, or misconfiguration can cause any of this traffic to exceed the limit we specify, and when it does, the traffic should be blocked. We need to understand some terminology if we want to understand Storm Control and its usage on a network switch.
In the configuration that follows, we will show threshold levels not only for broadcast but also for multicast and unknown unicast traffic on Cisco switches.
Let’s have a look at how Storm Control is used on a Cisco switch and learn some new terminology.
interface GigabitEthernet0/0
 storm-control broadcast level bps 100k 90k
Continue reading
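As an added example (not from the original post), here is a fuller Cisco IOS storm control configuration covering all three BUM traffic types with rising and falling thresholds, an action to take when a threshold is crossed, and automatic recovery of a port that storm control has err-disabled. The interface name, threshold values and recovery interval are constructed for illustration.

```cisco
! Constructed example interface; thresholds are illustrative only.
interface GigabitEthernet0/1
 description access port protected by storm control
 ! Broadcast: absolute bits per second, rising 100 kbps, falling 90 kbps
 storm-control broadcast level bps 100k 90k
 ! Multicast: packets per second, rising 1000 pps, falling 800 pps
 storm-control multicast level pps 1k 800
 ! Unknown unicast: percentage of port bandwidth, rising 10%, falling 8%
 storm-control unicast level 10.00 8.00
 ! Send an SNMP trap when a threshold is crossed (alternative: shutdown,
 ! which err-disables the port instead of only dropping excess traffic)
 storm-control action trap
!
! If 'storm-control action shutdown' is used, let the port recover on its own
! after 300 seconds instead of requiring a manual shutdown/no shutdown.
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Verify the configured levels and current traffic against them:
! show storm-control GigabitEthernet0/1
! show storm-control GigabitEthernet0/1 broadcast
```

With the falling threshold set below the rising one, the switch stops suppressing traffic only after the rate drops under the lower value, which avoids flapping around a single limit.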
At Cloudflare, we are preparing the Internet and our infrastructure for the arrival of quantum computers. A sufficiently large and stable quantum computer will easily break commonly deployed cryptography such as RSA. Luckily there is a solution: we can swap out the vulnerable algorithms with so-called post-quantum algorithms that are believed to be secure even against quantum computers. For a particular system, this means that we first need to figure out which cryptography is used, for what purpose, and under which (performance) constraints. Most systems use the TLS protocol in a standard way, and there a post-quantum upgrade is routine. However, some systems such as SaltStack, the focus of this blog post, are more interesting. This blog post chronicles our path of making SaltStack quantum-secure, so welcome to this adventure: this secret extra post-quantum blog post!
SaltStack, or simply Salt, is an open-source infrastructure management tool used by many organizations. At Cloudflare, we rely on Salt for provisioning and automation, and it has allowed us to grow our infrastructure quickly.
Salt uses a bespoke cryptographic protocol to secure its communication. Thus, the first step to a post-quantum Salt was to examine what the protocol was actually doing. In Continue reading
Henk Smit made the following claim in one of his comments:
I think BGP-MPLS-VPNs are over-complicated. And you don’t get enough return for that extra complexity.
TL&DR: He’s right (and I just violated Betteridge’s law of headlines)
The history of how we got to the current morass might be interesting for engineers who want to look behind the curtain, so here we go…