Archive

Category Archives for "Networking"

Calico integration with WireGuard using kOps

It has been a while since I have been excited to write about encrypted tunnels. It might be the sheer pain of troubleshooting old technologies, or countless hours of falling down the rabbit hole of a project’s source code, that always motivated me to pursue a better alternative (without much luck). However, I believe luck is finally on my side.

In this blog post we will explore using open-source WireGuard, a new technology that offers encrypted tunnels with remarkable performance and an effortless implementation, to establish secure encrypted tunnels between workloads in K8s clusters.

 

Introduction: WireGuard

With the release of open-source Calico 3.14 back in June of 2020, Tigera announced a tech preview of its WireGuard integration, which allows node-to-node traffic to be encrypted using WireGuard.

Other encryption methods (e.g. TLS) were available to encrypt workloads’ traffic at higher TCP/IP layers (in this case, the Application Layer). However, WireGuard targets traffic at a lower layer (the Transport Layer), which makes it effective for a wider range of applications, and also reduces complexity for the user.

WireGuard is an open-source project that implements virtual private network (VPN) techniques to establish secure point-to-point connections leveraging Linux Continue reading

Netdev 0x15


The recent Netdev 0x15 conference included a number of papers diving into the technology behind Linux as a network operating system. Slides and videos are now available on the conference web site.
Network wide visibility with Linux networking and sFlow describes the Linux switchdev driver used to integrate network hardware with Linux. The talk focuses on network telemetry, showing how standard Linux APIs are used to configure hardware instrumentation and stream telemetry using the industry standard sFlow protocol for data center wide visibility.
Switchdev in the wild describes Yandex's experience of deploying Linux switchdev based switches in production at scale. The diagram from the talk shows the three layer leaf and spine network architecture used in their data centers. Yandex operates multiple data centers, each containing up to 100,000 servers.
Switchdev Offload Workshop provides updates about the latest developments in the switchdev community. 
FRR Workshop discusses the latest development in the FRRouting project, the open source routing software that is now a defacto standard on Linux network operating systems.

gRPC: A Deep Dive into the Communication Pattern

Danesh Kuruppu is a technical lead at WSO2, with expertise in microservices, messaging protocols and service governance. Danesh has spearheaded development of Ballerina’s standard libraries including gRPC, data and microservices framework. He has co-authored 'gRPC Up and Running' published by O’Reilly media. If you have built gRPC applications and know about the communication fundamentals, you may already know there are four fundamental communication patterns used in gRPC-based applications: simple RPC, server-side streaming, client-side streaming and bidirectional streaming. In this article, I dive deeper into these communication patterns and discuss the importance of each pattern as well as how to pick the right one, according to the use case. Before I discuss each pattern, I’ll discuss what they have in common, such as how gRPC sends messages between clients and servers over the network and how request/response messages are structured. gRPC over HTTP/2 According to official documentation, the gRPC core supports different transport protocols; however, HTTP/2 is the most common among them. In HTTP/2, communication between a client and a server happens through a single TCP connection. Within the connection, there can be multiple bidirectional flows of bytes, which are called streams. In gRPC terms, one RPC call is mapped to Continue reading

The Best Technologists First Try To Solve Their Own Problems

Every once in a while, I get questions from random internet folks who want me to do their homework for them. They want me to provide them with detailed technical information, solve their complex design problem, or curate content on a difficult topic so that they don’t have to do the sifting.

While I like to help folks out as much as anyone (and often do), I usually ignore these sorts of questions. Why? Partly, I don’t have enough time to fix the internet. Partly, I like to get paid for consulting. But more importantly, the best technologists first try to solve their own problems.

A Manager’s Perspective

When interviewing candidates for technical positions, one of my questions is, “If you run into a problem you’ve never faced before, how do you solve it?” There are two typical answers.

  1. “I’ll ask someone else for help. Probably you.”
  2. “I’ll search the internet, company wiki, and product documentation. I’ll set up a lab. If I’m still stuck, I’ll ask for help.”

I prefer to hire a person who first tries to figure things out. While I want neither a cowboy nor science experiments making their way into production, I Continue reading

The EPYC journey continues to Milan in Cloudflare’s 11th generation Edge Server

The EPYC journey continues to Milan in Cloudflare’s 11th generation Edge Server
The EPYC journey continues to Milan in Cloudflare’s 11th generation Edge Server

When I was interviewing to join Cloudflare in 2014 as a member of the SRE team, we had just introduced our generation 4 server, and I was excited about the prospects. Since then, Cloudflare, the industry and I have all changed dramatically. The best thing about working for a rapidly growing company like Cloudflare is that as the company grows, new roles open up to enable career development. And so, having left the SRE team last year, I joined the recently formed hardware engineering team, a team that simply didn’t exist in 2014.

We aim to introduce a new server platform to our edge network every 12 to 18 months or so, to ensure that we keep up with the latest industry technologies and developments. We announced the generation 9 server in October 2018 and we announced the generation 10 server in February 2020. We consider this length of cycle optimal: short enough to stay nimble and take advantage of the latest technologies, but long enough to offset the time taken by our hardware engineers to test and validate the entire platform. When we are shipping servers to over 200 cities around the world with a variety of regulatory Continue reading

Are ISPs Better Bets to Offer Cloud Computing for the Edge?

Edge computing is getting more attention of late — because there are advantages to having computing power and data storage near the location where it’s needed. As Edge computing needs grow, users are likely to take a hard look at whether public cloud giants like AWS, Google are their best choice, or whether their local ISP is best suited for the job. ISPs — including cable, DSL and mobile providers — claim to offer benefits when delivering SaaS and other services compared to public cloud providers: low latency, high-bandwidth connections, fewer security vulnerabilities, regional regulation compliance, and greater data sovereignty. While they must also demonstrate that they can deliver services robust enough to meet DevOps needs, ISPs can offer tremendous benefits and fill gaps in current cloud computing offerings. “A key concern cloud customers have when leveraging their microservices architecture for the applications they offer or rely on is how to achieve and maintain ultra-low latency,” said

Getting more than expected from a virtual-server training exercise

During a recent training exercise in a non-production environment, I built a Cisco ISE virtual server using VMware vSphere and succeeded troubleshooting an issue, which demonstrates the value of this type of exercise. It also shows how important it is for network engineers to have clear priorities and keep their eye on the goals set for the task at hand.In this exercise, the build of the virtual server gave me the option of using one of two datastores that we’ll call Datastore One and Datastore Two. It also provided the option of choosing from multiple ESXI host machines to launch the virtual server on, and we’ll designate them with letters such as Host A, Host B, etc. Some of the hosts could associate only with Datastore One, and the rest could associate only with Datastore Two.To read this article in full, please click here

Western Digital, Kioxia could be talking merger

Hard disk giant Western Digital and Japan-based Kioxia Holdings are said to be in advanced talks to merge in a deal that could be valued at over $20 billion.Citing unnamed sources familiar with the matter, The Wall Street Journal said a deal could be reached as soon as mid-September. It would be a stock transaction and current WD CEO David Goeckeler would be CEO of the combined company.Chip shortage will hit hardware buyers for months to years This is not the first time there has been talk of a potential merger for Kioxia. In March, the Journal reported that both Western Digital and memory manufacturer Micron were looking at a possible acquisition of Kioxia in a deal that might have been valued at about $30 billion.To read this article in full, please click here

Getting more than expected from a virtual-server training exercise

During a recent training exercise in a non-production environment, I built a Cisco ISE virtual server using VMware vSphere and succeeded troubleshooting an issue, which demonstrates the value of this type of exercise. It also shows how important it is for network engineers to have clear priorities and keep their eye on the goals set for the task at hand.In this exercise, the build of the virtual server gave me the option of using one of two datastores that we’ll call Datastore One and Datastore Two. It also provided the option of choosing from multiple ESXI host machines to launch the virtual server on, and we’ll designate them with letters such as Host A, Host B, etc. Some of the hosts could associate only with Datastore One, and the rest could associate only with Datastore Two.To read this article in full, please click here

Western Digital, Kioxia could be talking merger

Hard disk giant Western Digital and Japan-based Kioxia Holdings are said to be in advanced talks to merge in a deal that could be valued at over $20 billion.Citing unnamed sources familiar with the matter, The Wall Street Journal said a deal could be reached as soon as mid-September. It would be a stock transaction and current WD CEO David Goeckeler would be CEO of the combined company.Chip shortage will hit hardware buyers for months to years This is not the first time there has been talk of a potential merger for Kioxia. In March, the Journal reported that both Western Digital and memory manufacturer Micron were looking at a possible acquisition of Kioxia in a deal that might have been valued at about $30 billion.To read this article in full, please click here

Marketing Wins

Off-topic post for today …

In the battle between marketing and security, marketing always wins. This topic came to mind after reading an article on using email aliases to control your email—

For example, if you sign up for a lot of email newsletters, consider doing so with an alias. That way, you can quickly filter the incoming messages sent to that alias—these are probably low-priority, so you can have your provider automatically apply specific labels, mark them as read, or delete them immediately.

One of the most basic things you can do to increase your security against phishing attacks is to have two email addresses, one you give to financial institutions and another one you give to “everyone else.” It would be nice to have a third for newsletters and marketing, but this won’t work in the real world. Why?

Because it’s very rare to find a company that will keep two email addresses on file for you, one for “business” and another for “marketing.” To give specific examples—my mortgage company sends me both marketing messages in the form of a “newsletter” as well as information about mortgage activity. They only keep one email address on file, Continue reading

Tech Bytes: Fortinet Secures Work-From-Anywhere With SD-WAN And ZTNA (Sponsored)

Today on the Tech Bytes podcast we explore the evolution of SD-WAN to encompass Zero Trust Network Access, or ZTNA. Our sponsor is Fortinet and we’ll dig into how Fortinet’s SD-WAN and FortiClient combine to support work from anywhere with zero trust.

The post Tech Bytes: Fortinet Secures Work-From-Anywhere With SD-WAN And ZTNA (Sponsored) appeared first on Packet Pushers.

Network Break 348: Ransomware Bedevils Cyber Insurance; TSMC To Raise Chip Prices

This week's Network Break examines how ransomware has insurers rethinking premiums and coverage limits, discusses the pros and cons of ISPs sharing flow records with security companies, digs into Arista's efforts to tackle the router market, pontificates on TSMC chip price hikes, and more tech news analysis.

The post Network Break 348: Ransomware Bedevils Cyber Insurance; TSMC To Raise Chip Prices appeared first on Packet Pushers.

IBM updates its mainframe processor to help AI

IBM has introduced a new CPU for its Z Series mainframe that’s designed for transactions like banking, training, insurance, customer interactions, and fraud detection.The Telum processor was unveiled at the annual Hot Chips conference and has been in development for three years to provide high-volume, real-time inferencing needed for artificial intelligence.The Telum design is very different from its System z15 predecessor. It features 8 CPU cores, on-chip workload accelerators, and 32MB of what IBM calls Level 2 semi-private cache. The L2 cache is called semi-private because it is used to build a shared virtual 256MB L3 connection between the cores on the chip. This is a 1.5x growth in cache size over the z15.To read this article in full, please click here

IBM updates its mainframe processor to help AI

IBM has introduced a new CPU for its Z Series mainframe that’s designed for transactions like banking, training, insurance, customer interactions, and fraud detection.The Telum processor was unveiled at the annual Hot Chips conference and has been in development for three years to provide high-volume, real-time inferencing needed for artificial intelligence.The Telum design is very different from its System z15 predecessor. It features 8 CPU cores, on-chip workload accelerators, and 32MB of what IBM calls Level 2 semi-private cache. The L2 cache is called semi-private because it is used to build a shared virtual 256MB L3 connection between the cores on the chip. This is a 1.5x growth in cache size over the z15.To read this article in full, please click here

What is firewall as a service?

So what’s firewall as a service? Firewall as a service, or FWaaS, relies on technology in the cloud. A user or application connects to the FWaaS via the internet, and the service applies domain rules, URL filtering, and other security that physical firewall appliances use. The idea is to replace the multitude of hardware firewalls you’d need to secure all of your business’ traffic from all of its different operational sites with secure internet connections to the service.What’s wrong with firewall appliances? Possibly nothing. Physical firewalls are still quite popular, particularly for businesses without a lot of different locations and without a lot of remote workers. They even have some advantages over FWaaS, like different cost profiles. On-prem firewalls are a capex expenditure up-front but tend to be cheaper over time. They also have lower latency.To read this article in full, please click here

1 565 566 567 568 569 3,455