Archive

Category Archives for "Networking"

Why We Built Lynx: Bringing Control to the Age of AI Agents

For a decade, one idea has guided everything we’ve built at Tigera: How do you secure a dynamic system with a lot of moving parts that is changing rapidly, with a programmatic approach? Calico has applied that idea for Global 2000 companies running the largest Kubernetes platforms in the world, securing tens of millions of mission-critical transactions every day. Today I’m excited to announce the next chapter of that work: Lynx, a unified control plane for Kubernetes-native AI agents.

This enables us to apply our deep knowledge of Kubernetes, eBPF, and our expertise in building scalable and highly performant systems to solve the security challenges that come with deploying AI Agents. Before I explain how Lynx addresses these challenges, it’s worth being clear about why AI agents are so hard to secure in the first place.

AI agents broke the assumptions security stacks were built on

The enterprise security tooling most organizations run was designed for workloads that are deterministic. A service does roughly the same thing today that it did yesterday. You can reason about its behavior, define what it’s allowed to touch, and trust that a valid credential maps to expected actions.

AI agents don’t work that way. Continue reading

Introducing the Cloudflare One stack: agent-powered deployment

Adopting or migrating to a Zero Trust network architecture can be a daunting task. Before a single policy changes, teams have to recall how their network is actually built: which applications exist, their authentication and authorization constructs, how traffic flows between them, and any assumptions the current architecture makes. This hands-on process requires practitioners to decode the intent behind every security and routing policy in place.

Today, we’re releasing the Cloudflare One stack, a set of skills you give to your agent to configure, deploy, and manage your Zero Trust environment for you. This toolkit is designed to help automate the process of learning an entirely new security suite and mapping your existing one into Cloudflare.

Cloudflare has worked with thousands of customers through exactly this process. That repetition built expertise on where migrations stall, what questions come up every time, and what it takes to move forward. The Cloudflare One stack packages that expertise and makes it more accessible than ever. 

The agent gap in network security

Teams are already using agents to write code, triage alerts, and automate workflows. Organizations are increasingly asking for Cloudflare-provided tooling to help agents execute on security workflows. On their own, agents Continue reading

Exploring Telc, Czech Republic: Historical Sights and Classical Architecture

The town of Telc, in the Czech Republic, is a hidden gem and a must-visit for lovers of history and classical architecture. This small town is famous for its charming main square, which blends Renaissance beauty with a unique Baroque style. This article takes you through the beauty of Telc and the main attractions that make it such an appealing destination.

A Brief Overview of Telc, Czech Republic

Telc is a small town in the Vysočina region of the Czech Republic with a long history dating back to the 14th century. The town is known for its well-preserved historic center, whose Renaissance-style buildings create a classic and elegant atmosphere. As a result, Telc has become one of the UNESCO World Heritage Sites popular with history-minded visitors.

The Beauty of the Renaissance Square

The main draw for visitors to Telc is the town's extraordinarily beautiful square. It is lined with rows of colorful Renaissance-style houses decorated with ornamental panels and classical details that show off the beauty of classical architecture.

Distinctive Features of Telc's Square:

  • A neat, symmetrical rectangular town plan.
  • Pastel-colored building facades with decorative elements typical of the Renaissance.
  • Each house has an artistic portal and windows, lending an authentic historical feel.
  • A fountain in the middle of the square makes the atmosphere livelier Continue reading

Toe Wrestling: A Unique Sport and Traditional Competition from England

In the world of sport, many activities are widely known, such as football, basketball, or swimming. But there are also unusual sports that the general public may know little about, and one of them is toe wrestling. This sport offers a different and thoroughly unique style of competition. Let's get to know toe wrestling, a traditional competition that comes from English culture.

What Is Toe Wrestling?

Toe wrestling is a sport in which two participants compete by interlocking their toes and then trying to pin their opponent using particular techniques. It is similar to ordinary wrestling, except that here the toes are used rather than the hands.

This unusual sport is normally performed barefoot, and the participants struggle to "pin" the opponent's foot on a small arena provided for the purpose. Sportsmanship and strategy in flipping or locking the toes are the keys to success in this competition.

Origins and History of Toe Wrestling

Toe wrestling began in England in 1976, in a small town called Staffordshire. The sport was originally created as entertainment at a local pub and later grew into an annual event drawing many participants and spectators from various regions.

Over time, toe wrestling became part of a traditional competition loved by many people and is still kept alive Continue reading

ARP with Anycast Gateways in EVPN Asymmetric IRB

In previous blog posts, I described the ARP issues in EVPN environments, starting with centralized routing, and then asymmetric IRB with unicast (per-leaf-switch) first-hop gateways. Of course, no self-respecting vendor would tell you to do that; anycast gateways are all the rage these days.

As always, anycast gateways could mean different things, depending on which vendor documentation you read ;)

  1. Active-active VRRP (one device is the active VRRP gateway, but all devices listen to the VRRP MAC address).
  2. Shared MAC+IP address beside device-specific unicast MAC and IP addresses.
  3. Shared MAC+IP address with no PE-specific IP address.

PP114: MACsec Overview

MACsec (IEEE 802.1AE) encrypts Ethernet frames hop-by-hop at Layer 2 — before traffic even hits IP — making it one of the strongest protections you can put on wire. It’s been in the standards for years, hardware support is widespread, and yet most organizations aren’t running it. JJ and Drew dig into why: the hardware... Read more »

Chapter 1: SONiC Fundamentals

Introduction

SONiC (Software for Open Networking in the Cloud) is a Linux-based open-source network operating system that was originally developed at Microsoft and is now maintained by a broader open-source community. Its core idea is that the same network operating system can run on switch platforms from multiple hardware vendors. This reduces vendor lock-in and provides a more consistent operational model across different environments.

SONiC can also be viewed as an abstraction layer between network operators and the underlying switch hardware. Instead of learning and managing several vendor-specific operating systems, operators can use a common software architecture and management model across different switch platforms. This simplifies network operations, automation, monitoring, and telemetry collection. It can also reduce operational errors caused by configuration differences between platforms and make it easier to onboard new engineers.

Organizations can choose the hardware platform that best meets their technical, operational, and business requirements without being tied to a single software ecosystem. Some vendors provide commercially supported SONiC distributions together with professional support services, while others support community-based deployments or customer-tailored implementations. The appropriate model depends on the organization's operational requirements and support expectations.

From an architectural perspective, SONiC is a modular and container-based system. Major Continue reading

Cloudflare DMARC Management is now generally available

When we first launched DMARC Management, it was driven by a simple belief: every domain on the Internet deserves strong email authentication, and cost should never be the reason it doesn't happen. As part of our mission to help build a better Internet, we made DMARC Management available for free to every Cloudflare customer. We wanted to give everyone the tools to understand and improve their DMARC posture without needing to hire an email security consultant or parse XML report files by hand.

Today, we are taking that commitment further. Cloudflare DMARC Management is now generally available, with a redesigned experience built to help you reach full DMARC enforcement as easily as possible.

The DMARC Management dashboard offers a unified view of your email authentication posture.

What email authentication actually does for you

Every time someone receives an email "from" your domain, their email provider asks a simple question: did the real owner of this domain actually send this? Without a way to answer that question, anyone can send an email pretending to be you and your recipients will have no way to tell the difference.

Email authentication is the set of DNS records that answers that question. There Continue reading

Building a Soviet Nail Factory: how KPIs killed efficiency

In 2008, I landed my second job, in the network team at Orange Portails, the division behind the websites and search engine of the French telecom operator Orange. The place ran like clockwork: a comprehensive technical setup, a dedicated team for every part of the business, and room to focus on what I do best. A few years later, none of that mattered: thanks to an obsession with the numbers, we could no longer deliver new services on time.

Disclaimer

This is a story I like to tell to warn people about Goodhart’s law.1 As these events happened almost 15 years ago, my recollection is a bit fuzzy. I left in 2012.

The first years

During my first years, the department operated like a startup. Its cradle was the French company Echo. They built a search engine. France Télécom bought it and renamed it Voila. It was the most visited search engine in France in the early 2000s. France Télécom consolidated the portal activities into the Wanadoo Portails division, later renamed Orange Portails.

The technical environment was excellent. We had many internal tools:2 a ticket system, an RRD-based graphing tool, an IPAM, a reporting tool, and an SNMP-based Continue reading

NB579: Datadog Unleashes Autonomous Agents; SpaceX Launches IPO

Take a Network Break! Our Red Alert covers critical vulnerabilities in Ivanti Sentry, including OS command injection and authentication bypass, for which patches are now available. On the news front, we dig into Arista’s new 1.6Tbps rack-scale portfolio for AI infrastructure and Nokia’s Deepfield Genome Shield, designed to proactively stop DDoS from residential proxy botnets. We... Read more »

Growing the Cloudflare AI team with talent from Ensemble AI

Today, we’re excited to share that key members of the team at Ensemble AI are joining Cloudflare to help accelerate our work in AI infrastructure and make it easier for developers to run powerful AI models efficiently at scale.

Ensemble AI, founded in 2023 in San Francisco, has spent the last few years focused on one of the most important challenges in AI: making large models faster, smaller, and more cost-effective to serve, without sacrificing quality. The team has developed new approaches to model compression and efficient inference that are designed to reduce the memory, compute, and deployment overhead of large language models and multimodal architectures.

As AI becomes a core part of how developers build applications, the economics of inference matter more than ever. Models are getting larger; workloads are becoming more dynamic. And customers increasingly expect AI to be available everywhere: globally distributed, fast, reliable, and affordable. Bringing the Ensemble AI team into Cloudflare strengthens our ability to make that possible.

Incorporating Ensemble’s expertise 

The team at Ensemble AI has focused on preserving the structure inside modern AI models while reducing the cost of running them. Instead of treating model efficiency as only a quantization or hardware problem, Continue reading

Quake demos raytraced again

This is a follow-up to a previous post about raytracing Quake demos.

But first, the money shot:

[Images: e1m1 flat shaded; e1m1 with textures]

And flat shaded and textured videos. Youtube is Very Aggressive™ with its compression, so the quality there is not good. For pixel quality the above images showcase it better.

A new raytracer

One of my original reasons for creating the quake demo povray files is that it was a good source of data for 3D experiments. POV-Ray is a great raytracer, though entirely CPU (no GPU) and no longer state of the art.

POV-Ray has plenty of built in options, but takes forever to render the 30-60fps demos I want to play with.

Also POV-Ray is AGPL now, so nope nope nope nope nope. That’s a dead end.

Another AI detour

We live in interesting times. We could be living in a time when no two people are running the same email client, or music player, or shell. There used to be a barrier to writing these things custom. I know people who wrote their own shell and use it as a daily driver. I wrote my own email client, and use that.

There are many people out there, me included, who Continue reading

Installing Step CA in My Homelab

Step CA is an open-source private CA made by Smallstep. I will use it to generate certificates for some components in my lab.

First we install the dependencies:

sudo apt-get update && sudo apt-get install -y --no-install-recommends curl gpg ca-certificates

Then we get the Smallstep repository signing key:

sudo curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/keyrings/smallstep.asc

Then we add the Smallstep repository:

cat << 'EOF' | sudo tee /etc/apt/sources.list.d/smallstep.sources > /dev/null
Types: deb
URIs: https://packages.smallstep.com/stable/debian
Suites: debs
Components: main
Signed-By: /etc/apt/keyrings/smallstep.asc
EOF

Then we install step-cli and step-ca:

sudo apt-get update && sudo apt-get -y install step-cli step-ca

Then we check the install:

step-ca version
Smallstep CA/0.30.2 (linux/amd64)
Release Date: 2026-03-23T00:18:00Z

step version
Smallstep CLI/0.30.4 (linux/amd64)
Release Date: 2026-06-10T06:10:28Z

Next, we’ll run the initializer:

step ca init \
  --name "lostintransit.se" \
  --dns "stepca.lostintransit.se" \
  --address ":443" \
  --provisioner "[email protected]"
✔ Deployment Type: Standalone
Choose a password for your CA keys and first provisioner.
✔ [leave empty and we'll generate one]: 

Generating root certificate... done!
Generating intermediate certificate... done!

✔ Root certificate: /home/ddib/.step/certs/root_ca.crt
✔ Root private key: /home/ddib/.step/secrets/root_ca_key
✔ Root fingerprint: 8f08102ae41eb7fc6a57f62fbaccaf82cb7a67dbedca858a0352a75b4fa763cd
✔ Intermediate certificate: /home/ddib/.step/certs/intermediate_ca. Continue reading

AI solving problems

I’ve been able to find some time, lately, to work on my project backlog. And because it’s 2026, I’ve been using AI as a diligent intern.

I’ve ranted before about seccomp, but still used it for a project or two. But then, rarely, it triggered an unexpected openat. That’s exactly the kind of thing I do want to detect and kill the binary for, so I don’t just want to allow it. I want to know where it’s coming from.

strace showed it’s trying to read /proc/sys/vm/overcommit_memory.

It’s certainly not my code. But just the Rust transitive dependency tree is quite a few crates:

$ cargo tree | sed -r 's/^[^a-z]+//;s/ .*//' | sort -u | wc -l
236

Step 1 was to run it in gdb, and reproduce the problem. But it’s a bit trickier than that, because seccomp fully kills the process, so no backtrace. And setting breakpoints requires a few more syscalls to work, just for the process to work under gdb (e.g. sigaltstack).

And turns out some calls fail with EINTR if running under a debugger.

Yes, I can fix all these things. But why not put the AI intern on it?

AI Continue reading