Using No-Export Community to Filter Transit Routes
The very first BGP Communities RFC included an interesting idea: let’s tag paths we don’t want to propagate to other autonomous systems. For example, the prefixes received from one upstream ISP should not be propagated to another upstream ISP (sadly, things don’t work that way in reality).
Want to try out that concept? Start the Using No-Export Community to Filter Transit Routes lab in GitHub Codespaces.
IPB158: “IPv6 Mostly”: A Strategy to Balance Legacy and Modern Networking Needs
The move from IPv4 to IPv6 is not straightforward. In a world where use cases for both protocols exist, there needs to be some sort of transition. Dual stack is one option but “IPv6 mostly” is another. On today’s show, guest Ondřej Caletka from RIPE NCC explores transitioning to an IPv6-centric network while retaining IPv4... Read more »Go wild: Wildcard support in Rules and a new open-source wildcard crate
Back in 2012, we introduced Page Rules, a pioneering feature that gave Cloudflare users unprecedented control over how their web traffic was managed. At the time, this was a significant leap forward, enabling users to define patterns for specific URLs and adjust Cloudflare features on a page-by-page basis. The ability to apply such precise configurations through a simple, user-friendly interface was a major advancement, establishing Page Rules as a cornerstone of our platform.
Page Rules allowed users to implement a variety of actions, including redirects, which automatically send visitors from one URL to another. Redirects are crucial for maintaining a seamless user experience on the Internet, whether it's guiding users from outdated links to new content or managing traffic during site migrations.
As the Internet has evolved, so too have the needs of our users. The demand for greater flexibility, higher performance, and more advanced capabilities led to the development of the Ruleset Engine, a powerful framework designed to handle complex rule evaluations with unmatched speed and precision.
In September 2022, we announced and released Single Redirects as a modern replacement for the URL Forwarding feature of Page Rules. Built on top of the Ruleset Engine, this Continue reading
Better IX network quality monitoring
Better IX network quality monitoring
This post is a textual version of a talk I gave at the first NetUK. You can watch the talk on YouTube that was recorded by the wonderful AV team below if that’s your preferred medium:
Using Multiple Transit VNIs per EVPN VRF
After reading the Layer-3-Only EVPN: Behind the Scenes blog post, one might come to an obvious conclusion: the per-VRF EVPN transit VNI must match across all PE devices forwarding traffic for that VRF.
Interestingly, at least some EVPN implementations handle multiple VNIs per VRF without a hitch; I ran my tests in a lab where three switches used unique per-switch VNI for a common VRF.
The rest of this blog post describes Arista cEOS behavior; please feel free to use the same netlab topology to run similar tests on other devices.
D2DO249: The Anatomy of TLS 1.3 and Why You Should Risk It
Transport Layer Security (TLS) is today’s topic with guest Ed Harmoush. TLS plays a critical role in Internet security, and we dive into the differences between versions 1.2 and 1.3 In addition, Ed shares his journey into TLS, explains its components, and addresses common misconceptions about certificates and their validation processes. The episode also highlights... Read more »NAN071: Understanding the Infrastructure Requirements for AI Workloads (Sponsored)
On today’s Network Automation Nerds, we get into the infrastructure required to support AI workloads. We discuss key considerations including bandwidth, the substantial power and cooling requirements of AI infrastructure, and GPUs. We also talk about InfiniBand and Ethernet as network fabrics for AI workloads, cabling considerations, and more. This is a sponsored episode. Our... Read more »Ethernet History Deepdive – Why Do We Have Different Frame Types?
In my previous post Encapsulation of PDUs On Trunk Ports, I showed what happens to PDUs when you change the configuration of a trunk. You may have noticed that there are typically three different types of Ethernet encapsulations that we see:
- Ethernet II.
- 802.2 LLC.
- 802 SNAP.
Historically, there were even more than three, but we’re ignoring that for now. Why do we have three? To understand this, we need to go back in history.
The Origin of Ethernet
In the early 70’s, Robert Metcalfe, inspired by ARPANET and ALOHAnet had been working on developing what we today know as Ethernet. He published a paper in 1976, together with David Boggs, named Ethernet: Distributed Packet Switching for Local Computer Networks:
In the paper, they describe the addressing used in Ethernet:
3.3 Addressing
Each packet has a source and destination, both of which are identified in the packet’s header.
A packet placed on the Ether eventually propagates to all stations. Any station can copy a packet
from the Ether into its local memory, but normally only an active destination station matching ‘its
address in the packet’s header will do so as the packet passes. By convention, a Continue reading
Testing bgpipe with netlab
Ever since Pawel Foremski talked about BGP Pipe @ RIPE88 meeting, I wanted to kick its tires in netlab. BGP Pipe is a Go executable that runs under Linux (but also FreeBSD or MacOS), so I could add a Linux VM (or container) to a netlab topology and install the software after the lab has been started. However, I wanted to have the BGP neighbor configured on the other side of the link (on the device talking with the BGP Pipe daemon).
I could solve the problem in a few ways:
NIST’s first post-quantum standards
On August 13th, 2024, the US National Institute of Standards and Technology (NIST) published the first three cryptographic standards designed to resist an attack from quantum computers: ML-KEM, ML-DSA, and SLH-DSA. This announcement marks a significant milestone for ensuring that today’s communications remain secure in a future world where large-scale quantum computers are a reality.
In this blog post, we briefly discuss the significance of NIST’s recent announcement, how we expect the ecosystem to evolve given these new standards, and the next steps we are taking. For a deeper dive, see our March 2024 blog post.
Why are quantum computers a threat?
Cryptography is a fundamental aspect of modern technology, securing everything from online communications to financial transactions. For instance, when visiting this blog, your web browser used cryptography to establish a secure communication channel to Cloudflare’s server to ensure that you’re really talking to Cloudflare (and not an impersonator), and that the conversation remains private from eavesdroppers.
Much of the cryptography in widespread use today is based on mathematical puzzles (like factoring very large numbers) which are computationally out of reach for classical (non-quantum) computers. We could likely continue to use traditional cryptography for decades to Continue reading
HW034: Fixing Your Indoor Cellular Coverage
In this episode of the Heavy Wireless podcast, we talk with Howard Buzick from American Bandwidth about the evolution and current state of wireless connections, particularly in guest network environments. We explore advancements in Wi-Fi technologies, the workings of Passpoint (formerly Hotspot 2.0), and the differences between Passpoint and Open Roaming. Howard explains how American... Read more »PP027: How Wi-Fi Positioning Systems Enable Mass Surveillance
Smartphones use Wi-Fi based Positioning Systems (WPSes) to collect data about nearby Wi-Fi access points and other wireless devices to help determine the phones’ geographic location. Researchers at the University of Maryland show how WPSes from Apple and Google can be used for mass surveillance of access points and, potentially, owners and users of those... Read more »NIST’s first post-quantum standards
On August 13th, 2024, the US National Institute of Standards and Technology (NIST) published the first three cryptographic standards designed to resist an attack from quantum computers: ML-KEM, ML-DSA, and SLH-DSA. This announcement marks a significant milestone for ensuring that today’s communications remain secure in a future world where large-scale quantum computers are a reality.
In this blog post, we briefly discuss the significance of NIST’s recent announcement, how we expect the ecosystem to evolve given these new standards, and the next steps we are taking. For a deeper dive, see our March 2024 blog post.
Why are quantum computers a threat?
Cryptography is a fundamental aspect of modern technology, securing everything from online communications to financial transactions. For instance, when visiting this blog, your web browser used cryptography to establish a secure communication channel to Cloudflare’s server to ensure that you’re really talking to Cloudflare (and not an impersonator), and that the conversation remains private from eavesdroppers.
Much of the cryptography in widespread use today is based on mathematical puzzles (like factoring very large numbers) which are computationally out of reach for classical (non-quantum) computers. We could likely continue to use traditional cryptography for decades to Continue reading
netlab 1.9.0: Routing Policies, Default Routes, Route Redistribution
netlab release 1.9.0 brings tons of new routing features:
- Generic Routing Configuration Module implements routing policies (route maps), prefix filters, AS-path filters, and BGP community filters.
- Default route origination in OSPFv2 and OSPFv3
- Route import (redistribution) into OSPFv2, OSPFv3, and BGP.
- Named prefixes
Other new goodies include:
Summer 2024 weather report: Cloudflare with a chance of Intern-ets
During the summer of 2024, Cloudflare welcomed approximately 60 Intern-ets from all around the globe on a mission to #HelpBuildABetterInternet. Over the course of their internships, our wonderful interns tackled real-world challenges from different teams all over the company and contributed to cutting-edge projects. As returning interns, we – Shaheen, Aaron, and Jada – would like to show off the great work our cohort has done and experiences we’ve had throughout our time here.
Austin Interns after volunteering at the Central Texas Food Bank.
Putting the SHIP in internSHIP
Cloudflare interns take pride in driving high-impact initiatives, playing a vital role in advancing Cloudflare's mission. With our diverse roles and projects this summer, we'd love to highlight some of the exciting work we've been involved in:
Rahul, a Software Engineer intern, built a system to autograde intern application assignments for future students looking to join Cloudflare. It was built entirely on the Cloudflare Developer Platform, using Cloudflare Access, Browser Rendering, D1, Durable Objects, R2, and Workers!
Jessica, a Software Engineer intern, created a new threads api for the Workers AI team that automatically recalls past messages when running inference, helping developers to Continue reading
NB491: Cisco Revenues Drop 10% in Q4; Texas Instruments Get $1.6 Billion for Chip Factories
Take a Network Break! Hackers may have stolen millions of US Social Security numbers, HPE acquires a multi-cloud management company, and Cisco announces plans to lay off 7% of its employees. Pure Storage joins industry efforts to make Ethernet suitable for AI workloads by signing on to the Ultra Ethernet Consortium, Texas Instruments will add... Read more »Dropped packet metrics with Prometheus and Grafana
Flow metrics with Prometheus and Grafana describes how define flow metrics and create dashboards to trend the flow metrics over time. This article describes how the same setup can be used to define and trend metrics based on dropped packet notifications.
- job_name: sflow-rt-drops
metrics_path: /app/prometheus/scripts/export.js/flows/ALL/txt
static_configs:
- targets: ['sflow-rt:8008']
params:
metric: ['dropped_packets']
key:
- 'node:inputifindex'
- 'ifname:inputifindex'
- 'reason'
- 'stack'
- 'macsource'
- 'macdestination'
- 'null:vlan:untagged'
- 'null:[or:ipsource:ip6source]:none'
- 'null:[or:ipdestination:ip6destination]:none'
- 'null:[or:icmptype:icmp6type:ipprotocol:ip6nexthdr]:none'
label:
- 'switch'
- 'port'
- 'reason'
- 'stack'
- 'macsource'
- 'macdestination'
- 'vlan'
- 'src'
- 'dst'
- 'protocol'
value: ['frames']
dropped: ['true']
maxFlows: ['20']
minValue: ['0.001']
The Prometheus scrape configuration above is used to Continue reading
Summer 2024 weather report: Cloudflare with a chance of Intern-ets
During the summer of 2024, Cloudflare welcomed approximately 60 Intern-ets from all around the globe on a mission to #HelpBuildABetterInternet. Over the course of their internships, our wonderful interns tackled real-world challenges from different teams all over the company and contributed to cutting-edge projects. As returning interns, we – Shaheen, Aaron, and Jada – would like to show off the great work our cohort has done and experiences we’ve had throughout our time here.
Putting the SHIP in internSHIP
Cloudflare interns take pride in driving high-impact initiatives, playing a vital role in advancing Cloudflare's mission. With our diverse roles and projects this summer, we'd love to highlight some of the exciting work we've been involved in:
Rahul, a Software Engineer intern, built a system to autograde intern application assignments for future students looking to join Cloudflare. It was built entirely on the Cloudflare Developer Platform, using Cloudflare Access, Browser Rendering, D1, Durable Objects, R2, and Workers!
Jessica, a Software Engineer intern, created a new threads api for the Workers AI team that automatically recalls past messages when running inference, helping developers to Continue reading
Why Are OSPF Type 5 LSAs Flooded?
I recently saw a great question on Reddit, on why Type-5 (AS-external) LSAs are flooded, in comparison to Type-3 (Summary) that are regenerated at the ABR. To investigate this, we’ll use the following simple topology where R2 and R3 are ABRs:
OSPF Behavior Type-3 LSAs
Let’s see how OSPF handles Summary LSAs. Let’s first look at Area 1, where R4 is advertising 169.254.0.0/24 into it. This can be seen in the LSDB of R2:
R2#show ip ospf data router 203.0.113.4
OSPF Router with ID (203.0.113.2) (Process ID 1)
Router Link States (Area 1)
LS age: 74
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 203.0.113.4
Advertising Router: 203.0.113.4
LS Seq Number: 80000009
Checksum: 0x1DF0
Length: 84
Number of Links: 5
Link connected to: a Stub Network
(Link ID) Network/subnet number: 169.254.0.0
(Link Data) Network Mask: 255.255.255.0
Number of MTID metrics: 0
TOS 0 Metrics: 1
Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 203.0.113.3
(Link Data) Router Interface address: 192.0.2.14
Number of MTID metrics: 0
TOS 0 Continue reading