HN782: Netris Meets Your Network Automation Challenges in AI Data Centers (Sponsored)
Netris is tackling the issue of automating multi-tenancy in an AI data center. Netris has your answer to this challenge, and it’s a solution certified to work with NVIDIA. We’re going to get into the nuts and bolts of Netris network automation with Alex Saroyan, CEO and co-founder of Netris. Along the way, we will... Read more »TNO030: The Backbone of AI: Data Center Ops in the Age of Explosive Growth (Sponsored)
Data Center construction has reached an incredible pace over the last few years with implications on NetOps and operations of all kinds. Today we with talk with sponsor Siemon regarding the state of data centers, past, present and future. We explore legacy data centers and how they are evolving to work in today’s environments. We... Read more »Cloudflare named in 2025 Gartner® Magic Quadrant™ for Security Service Edge
For the third consecutive year, Gartner has named Cloudflare in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) report. This analyst evaluation helps security and network leaders make informed choices about their long-term partners in digital transformation. We are excited to share that Cloudflare is one of only nine vendors recognized in this year’s report. You can read more about our position in the report here.
What’s more exciting is that we’re just getting started. Since 2018, starting with our Zero Trust Network Access (ZTNA) service Cloudflare Access, we’ve continued to push the boundaries of how quickly we can build and deliver a mature SSE platform. In that time, we’ve released multiple products each year, delivering hundreds of features across our platform. That’s not possible without our customers. Today, tens of thousands of customers have chosen to connect and protect their people, devices, applications, networks, and data with Cloudflare. They tell us our platform is faster and easier to deploy and provides a more consistent and reliable user experience, all on a more agile architecture for longer term modernization. We’ve made a commitment to those customers to continue to deliver innovative solutions with the velocity and resilience Continue reading
Video: netlab Introduction by Ethan Banks
Ethan Banks created an excellent introductory Netlab - Automate Your Network Labs With YAML! video showing how easy it is to start and configure a container- or VM-based lab, and explaining the basic netlab commands you need to get started.
Thanks a million!
P.S.: If you’ve done something similar and I haven’t noticed it, please send me the link.
TL014: Scaling Your Leadership with Dr. Brad Topol
On today’s episode, we are joined by Dr. Brad Topol, Distinguished Engineer and Director of Open Source Technologies at IBM, to talk about how to scale your leadership. We explore the process of how he went from individual contributor to distinguished engineer to director and executive. We chat about how you build a career... Read more »Resolving a request smuggling vulnerability in Pingora
On April 11, 2025 09:20 UTC, Cloudflare was notified via its Bug Bounty Program of a request smuggling vulnerability in the Pingora OSS framework discovered by a security researcher experimenting to find exploits using Cloudflare’s Content Delivery Network (CDN) free tier which serves some cached assets via Pingora.
Customers using the free tier of Cloudflare’s CDN or users of the caching functionality provided in the open source pingora-proxy and pingora-cache crates could have been exposed. Cloudflare’s investigation revealed no evidence that the vulnerability was being exploited, and was able to mitigate the vulnerability by April 12, 2025 06:44 UTC within 22 hours after being notified.
The bug bounty report detailed that an attacker could potentially exploit an HTTP/1.1 request smuggling vulnerability on Cloudflare’s CDN service. The reporter noted that via this exploit, they were able to cause visitors to Cloudflare sites to make subsequent requests to their own server and observe which URLs the visitor was originally attempting to access.
We treat any potential request smuggling or caching issue with extreme urgency. After our security team escalated the vulnerability, we began investigating immediately, took steps to disable traffic to vulnerable components, and deployed Continue reading
N4N027: Tunneling Quirks & Features
On today’s show, we’re going to dig deeper into tunnels and explore some of the quirks and features of tunnels. This week we’ll discuss maximum transmission units (MTUs), maximum segment size, IP fragmentation and more. Today’s bonus material is more RFCs – RFC 4821 and RFC 8899. Episode Links: What Is a Tunnel? – N... Read more »Response: True Unnumbered Interfaces
Hendrik left an interesting comment on my Running IS-IS over Unnumbered Ethernet Interfaces blog post:
FRRouting (Linux) with pure IS-IS, the only way it currently (10.3) works is to copy the loopback IPv4 address to the interfaces that you need to do IPv4 routing on. The OpenFabric (IS-IS “extension” draft) does support true unnumbered interfaces and routes IPv6.
Let’s unpack this. There are (at least) four reasons a router needs an address associated with an interface1:
What’s New in Calico: Spring 2025
Introducing Calico Cloud Free Tier
Calico provides a unified platform for all your Kubernetes networking, network security, and observability requirements. From ingress/egress management and east-west policy enforcement to multi-cluster connectivity, Calico delivers comprehensive capabilities. It is distribution-agnostic, preventing vendor lock-in and offering a consistent experience across popular Kubernetes distributions and managed services. Calico eliminates silos, providing seamless networking and observability for containers, VMs, and bare metal servers, and extends effortlessly to multi-cluster environments, in the cloud, on-premises, and at the edge.
With the recent release of Calico Open Source 3.30, we added:
- Improved observability to visualize and troubleshoot workload communication with Calico Whisker and the Goldmane API.
- Kubernetes Network Policies are critical for preventing ransomware, achieving microsegmentation to isolate sensitive assets for compliance, and thwarting attacks from malicious actors. However, implementing them effectively can be challenging due to the complexity of identifying, testing, and rapidly updating policies to meet evolving threats. Calico Open Source 3.30 introduces staged policies to enable teams to audit and validate policies before they are enforced, reducing the risk of misconfigured policies and improving security and compliance.
- The ability to manage Kubernetes ingress traffic with Calico Ingress Gateway, a 100% upstream, enterprise-ready implementation Continue reading
🤖 AI Customer Support using an Agentic Framework
In this blog, I’ll walk you through the design, development, and lessons learned while building a multi-agent AI customer support assistant using the LangChain framework and related AI tools. 🎮💬 🎯 Motivation: Why Build This? At KGeN, a game aggregation platform connecting publishers and gamers, our primary users are gamers and clan chiefs (micro-community leaders). … Continue reading 🤖 AI Customer Support using an Agentic FrameworkBringing connections into view: real-time BGP route visibility on Cloudflare Radar
The Internet relies on the Border Gateway Protocol (BGP) to exchange IP address reachability information. This information outlines the path a sender or router can use to reach a specific destination. These paths, conveyed in BGP messages, are sequences of Autonomous System Numbers (ASNs), with each ASN representing an organization that operates its own segment of Internet infrastructure.
Throughout this blog post, we'll use the terms "BGP routes" or simply "routes" to refer to these paths. In essence, BGP functions by enabling autonomous systems to exchange routes to IP address blocks (“IP prefixes”), allowing different entities across the Internet to construct their routing tables.
When network operators debug reachability issues or assess a resource's global reach, BGP routes are often the first thing they examine. Therefore, it’s critical to have an up-to-date view of the routes toward the IP prefixes of interest. Some networks provide tools called "looking glasses" — public routing information services offering data directly from their own BGP routers. These allow external operators to examine routes from that specific network's perspective. Furthermore, services like bgp.tools, bgp.he.net, RouteViews, or the NLNOG RING looking glass offer aggregated, looking glass-like lookup capabilities, drawing Continue reading
NAN092: From Stealth to Scale – Decoding Network Data Management with Damian Garros
Damien Garros, CEO and co-founder of OpsMill is with us once again for today’s podcast. Since we last spoke with Damien, OpsMill has emerged from stealth mode and is making progress as one of the leaders in network source of truth in the field. Today, we’ll talk through the progress Infrahub has made and get... Read more »Amazing Speed of Bug Fixes in Nokia SR Linux
A few weeks ago, I was criticising Nokia’s unnecessary changes to the SR Linux configuration data model, so it’s only fair that I also publish a counterexample:
- On April 12th, SR Linux failed one of the netlab integration tests. We keep adding functionality to these tests as we discover edge cases we didn’t test before, so sometimes a device that passed the test before might fail the modified version.
- I opened a netlab issue, believing it might be a configuration error on our part.
- It quickly became evident that we’re dealing with an SR Linux bug, as the failure to apply routing policies was random.
I thought that was the end of the story and closed the issue, but then something truly amazing happened:
PP063: Wi-Fi Security and AI in the WLAN at Mobility Field Day
Wireless security takes center stage in this episode of Packet Protector. Jennifer Minella and guests discuss “secure by default” efforts by WLAN vendors; the current state of PSK, SAE, and WPA3; NAC and zero trust; more WLAN vendors adding AI to their products (or at least their messaging); and more. Jennifer is joined by Jonathan... Read more »Performance measurements… and the people who love them
⚠️ WARNING ⚠️ This blog post contains graphic depictions of probability. Reader discretion is advised.
Measuring performance is tricky. You have to think about accuracy and precision. Are your sampling rates high enough? Could they be too high?? How much metadata does each recording need??? Even after all that, all you have is raw data. Eventually for all this raw performance information to be useful, it has to be aggregated and communicated. Whether it's in the form of a dashboard, customer report, or a paged alert, performance measurements are only useful if someone can see and understand them.
This post is a collection of things I've learned working on customer performance escalations within Cloudflare and analyzing existing tools (both internal and commercial) that we use when evaluating our own performance. A lot of this information also comes from Gil Tene's talk, How NOT to Measure Latency. You should definitely watch that too (but maybe after reading this, so you don't spoil the ending). I was surprised by my own blind spots and which assumptions turned out to be wrong, even though they seemed "obviously true" at the start. I expect I am not alone in these regards. For that Continue reading
Network Topology Visualization #4 – Interactive Map Using D3 Javascript Library
This will be probably last visualization example for a while because I stopped working with network visualizations for some time now. But I wanted to finish publishing some last examples … Read More0520 HS104: How Long Should Your Planning Horizon Be?
How far ahead should you plan, and what things belong in your strategic plan? Conventional wisdom holds that a 3-year planning horizon is “about right”–but in a period of rapid technical and geopolitical change (such as we’re arguably in right now) does that go too far out, particularly when agile methodologies recommend shorter action plans... Read more »
netlab 2.0: Use Custom Bridges on Multi-Access Links
netlab uses point-to-point links provided by the underlying virtualization software to implement links with two nodes and Linux bridges to implement links with more than two nodes connected to them. That’s usually OK if you don’t care about the bridge implementation details, but what if you’d like to use a bridge (or a layer-2 switch if you happen to be of marketing persuasion) you’re familiar with?
You could always implement a bridged segment with a set of links connecting edge nodes to a VLAN-capable device. For example, you could use the following topology to connect two Linux hosts through a bridge running Arista EOS: