eBPF: When (and when not) to use it
Extended Berkeley Packet Filter (eBPF) is a relatively new feature for Linux kernels that has many DevOps, SREs, and engineers excited. But is it a one-stop shop solution for all of your Linux kernel needs? Let’s take a look at what eBPF does well, and how it stacks up against standard Linux iptables.
What is eBPF?
eBPF is a feature available in Linux kernels that allows you to run a virtual machine inside the kernel. This virtual machine allows you to safely load programs into the kernel, in order to customize its operation. Why is this important?
In the past, making changes to the kernel was difficult: there were APIs you could call to get data, but you couldn’t influence what was inside the kernel or execute code. Instead, you had to submit a patch to the Linux community and wait for it to be approved. With eBPF, you can load a program into the kernel and instruct the kernel to execute your program if, for example, a certain packet is seen or another event occurs.
With eBPF, the kernel and its behavior become highly customizable, instead of being fixed. This can be extremely beneficial, when used Continue reading
Misconfigurations: Still the Biggest Threat to Cloud Security
With a bit of effort and attention, businesses can avoid cloud security problems that arise from misconfigurations.ThinkPad X1 Carbon (Gen 7): 2 years later
Two years ago, I replaced my ThinkPad X1 Carbon 2014 with the latest generation. The new configuration embeds an Intel Core i7-8565U, 16 Gib of RAM, a 1 Tib NVMe disk, and a WQHD display (2560×1440). I did not ask for a WWAN card. I think it is easier and more reliable to use the wifi hotspot feature of a phone instead: no unreliable firmware and unsupported drivers.1 Here is my opinion on this model.
While the second generation got a very odd keyboard, this one got a classic one with a full row of function keys. I don’t know if my model was defective, but the keyboard skips one keypress from time to time. I have got used to it, but the space key still has a hard time registering when hitting it with my right thumb. The travel course is also shorter and it is less comfortable to type on it than it was on the 2014 version. The trackpoint2 works well. The physical buttons are a welcome addition. I am only using the trackpad for scrolling with the two-finger gesture.
5 Key Cybersecurity Trends to Know For 2021
The fundamentals of cybersecurity in 2021: Scalability, user awareness, and the ability to evolve to meet changing network and security needs..Tech Bytes: How Kentik Enables Automated Performance Testing (Sponsored)
Today on the Tech Bytes podcast we get into the automation of network performance testing and synthetic transactions. Our sponsor is Kentik and our guest is Avi Freedman, Kentik's CEO and co-founder.
The post Tech Bytes: How Kentik Enables Automated Performance Testing (Sponsored) appeared first on Packet Pushers.
Tech Bytes: How Kentik Enables Automated Performance Testing (Sponsored)
Today on the Tech Bytes podcast we get into the automation of network performance testing and synthetic transactions. Our sponsor is Kentik and our guest is Avi Freedman, Kentik's CEO and co-founder.It always takes longer than you think
Everyone is aware that it always takes longer to find a problem in a network than it should. Moving through the troubleshooting process often feels like swimming in molasses—you’re pulling hard, and progress is being made, but never fast enough or far enough to get the application back up and running before that crucial deadline. The “swimming in molasses effect” doesn’t end when the problem is found out, either—repairing the problem requires juggling a thousand variables, most of which are unknown, combined with the wit and sagacity of a soothsayer to work with vendors, code releases, and unintended consequences.
It’s enough to make a network engineer want to find a mountain top and assume an all-knowing pose—even if they don’t know anything at all.
The problem of taking longer, though, applies in every area of computer networking. It takes too long for the packet to get there, it takes to long for the routing protocol to converge, it takes too long to support a new application or server. It takes so long to create and validate a network design change that the hardware, software and processes created are obsolete before they are used.
Why does it always take too long? Continue reading
Network Break 347: Cisco Acquires Container App Monitor; Intel Unwraps Mount Evans IPU
It's the Network Break! This week we analyze Cisco's $500 million acquisition of a container-based and serverless application monitor, Intel's announcement of Mount Evans, an Infrastructure Processing Unit (IPU) for network and storage offload, and more tech news. Guest analyst Johna Till Johnson, CEO and founder of Nemertes Research, joins Greg Ferro.Network Break 347: Cisco Acquires Container App Monitor; Intel Unwraps Mount Evans IPU
It's the Network Break! This week we analyze Cisco's $500 million acquisition of a container-based and serverless application monitor, Intel's announcement of Mount Evans, an Infrastructure Processing Unit (IPU) for network and storage offload, and more tech news. Guest analyst Johna Till Johnson, CEO and founder of Nemertes Research, joins Greg Ferro.
The post Network Break 347: Cisco Acquires Container App Monitor; Intel Unwraps Mount Evans IPU appeared first on Packet Pushers.
The Importance of Network Vulnerability Assessments
A vulnerability assessment identifies and quantifies vulnerabilities in a company’s assets across applications, systems, and network infrastructures.Making Magic Transit health checks faster and more responsive
Magic Transit advertises our customer’s IP prefixes directly from our edge network, applying DDoS mitigation and firewall policies to all traffic destined for the customer’s network. After the traffic is scrubbed, we deliver clean traffic to the customer over GRE tunnels (over the public Internet or Cloudflare Network Interconnect). But sometimes, we experience inclement weather on the Internet: network paths between Cloudflare and the customer can become unreliable or go down. Customers often configure multiple tunnels through different network paths and rely on Cloudflare to pick the best tunnel to use if, for example, some router on the Internet is having a stormy day and starts dropping traffic.
Because we use Anycast GRE, every server across Cloudflare’s 200+ locations globally can send GRE traffic to customers. Every server needs to know the status of every tunnel, and every location has completely different network routes to customers. Where to start?
In this post, I’ll break down my work to improve the Magic Transit GRE tunnel health check system, creating a more stable experience for customers and dramatically reducing CPU and memory usage at Cloudflare’s edge.
Everybody has their own weather station
To decide where to send traffic, Cloudflare edge servers Continue reading
The Week in Internet News: Groups Ask Apple to Stop Photo-Scanning Plans
Apple photo privacy; FTC takes Facebook back to court; porn site bans porn; humanoid and pet-like robots
The post The Week in Internet News: Groups Ask Apple to Stop Photo-Scanning Plans appeared first on Internet Society.
Worth Reading: Simplifying Networks
Justin Pietsch wrote another fantastic blog post, this time describing how they simplified Amazon’s internal network, got rid of large-scale VLANs and multi-NIC hosts, moved load balancing functionality into a proxy layer managed by application teams, and finally introduced merchant silicon routers.