Archive

Category Archives for "Networking"

DNS OARC 42

The DNS Operations, Analysis, and Research Center (DNS-OARC) brings together DNS service operators, DNS software implementors, and researchers to share concerns and information and to learn together about the operation and evolution of the DNS. They meet two to three times a year in a workshop format. The most recent workshop was held in Charlotte, North Carolina in early February 2024. Here are my thoughts on the material that was presented and discussed at this workshop.

Catalyst SD-WAN 20.13 – RBAC

Catalyst SD-WAN has supported Role Based Access Control (RBAC) for a long time. It has been possible to use predefined roles or to create custom roles and define which areas of the system a user should have access to. However, before 20.13 it was not possible to define a scope. In large companies it is quite common that one group manages one set of devices, for example all the sites in the EU, all the sites in the US, and so on. There may also be multiple business units within the company which share some infrastructure but operate autonomously from each other, where a BU should only have access to its own set of devices. As of 20.13, it is possible to define a scope when using RBAC in Catalyst SD-WAN, so that a role grants its permissions only over the devices the user is scoped to.

There is another feature, called Network Hierarchy, that is closely related to RBAC. When onboarding a device, you assign a Site ID to it. The site is then given a name in the format SITE_SiteID, for example SITE_10 when using a Site ID of 10. By default all sites belong to the global node:

Note that it says Auto-Generated site. It is possible to edit the site Continue reading
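The scope dimension of RBAC and the site hierarchy it is checked against can be modelled in a few lines. The following is an added example written for this page, not Catalyst SD-WAN code and not its API; the role names, hierarchy nodes, site IDs and users are assumptions chosen to mirror the EU/US split described above. It shows three things: a role-only check lets an EU administrator write to a US device; a site that is auto-generated under the global node is outside an EU-scoped administrator's reach until the site is moved under the EU node; and the scope check never widens what the role itself allows.

```python
"""Illustrative model of scoped RBAC on top of a site hierarchy.

Added example for this page; it is not Catalyst SD-WAN code and does not use
its API. Role names, hierarchy nodes, site IDs and users are assumptions.
"""
from dataclasses import dataclass


@dataclass(eq=False)  # identity comparison: a node is itself, not "equal by name"
class Node:
    """A node in the hierarchy: the global root, a region, a BU, or a site."""
    name: str
    parent: "Node | None" = None

    def lineage(self):
        """Yield this node and every ancestor up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def site_name(site_id: int) -> str:
    """Auto-generated site name in the SITE_<SiteID> format the page describes."""
    return f"SITE_{site_id}"


def register_site(site_nodes: dict, site_id: int, root: Node) -> Node:
    """Onboarding behaviour: a new site is auto-generated under the global node."""
    name = site_name(site_id)
    if name not in site_nodes:
        site_nodes[name] = Node(name, root)
    return site_nodes[name]


def move_site(site_nodes: dict, site_id: int, new_parent: Node) -> None:
    """Editing the site: re-parent it under a region or BU node."""
    site_nodes[site_name(site_id)].parent = new_parent


@dataclass
class Device:
    hostname: str
    site_id: int


@dataclass
class User:
    name: str
    role: str
    scope: Node  # the subtree this user may manage (hypothetical field)


# Hypothetical role-to-permission table.
ROLE_PERMS = {
    "netadmin": {"read", "write"},
    "operator": {"read"},
}


def authorize_role_only(user: User, action: str) -> bool:
    """Pre-scope behaviour: the role alone decides, for every device."""
    return action in ROLE_PERMS.get(user.role, set())


def authorize_scoped(user: User, action: str, device: Device, site_nodes: dict) -> bool:
    """Role decides *what*, scope decides *where*; deny unless both pass."""
    if action not in ROLE_PERMS.get(user.role, set()):
        return False
    site = site_nodes.get(site_name(device.site_id))
    if site is None:
        return False  # device whose site is not in the hierarchy: deny by default
    return any(node is user.scope for node in site.lineage())


def build_demo() -> dict:
    """Constructed hierarchy, users and devices; returns the decision for each case."""
    root = Node("global")
    eu = Node("EU", root)
    us = Node("US", root)
    site_nodes: dict = {}
    register_site(site_nodes, 10, root)  # SITE_10, under global by default
    register_site(site_nodes, 20, root)  # SITE_20, under global by default

    eu_admin = User("alice", "netadmin", eu)
    global_admin = User("bob", "netadmin", root)
    us_operator = User("carol", "operator", us)
    eu_edge = Device("eu-edge-1", 10)
    us_edge = Device("us-edge-1", 20)

    results = {
        # role-only check: the EU admin can write to a US device
        "role_only_eu_admin_writes_us": authorize_role_only(eu_admin, "write"),
        # SITE_10 still sits under global, so it is outside alice's EU scope
        "default_eu_admin_writes_site10": authorize_scoped(eu_admin, "write", eu_edge, site_nodes),
    }
    move_site(site_nodes, 10, eu)  # edit the auto-generated sites into regions
    move_site(site_nodes, 20, us)
    results.update({
        "scoped_eu_admin_writes_eu": authorize_scoped(eu_admin, "write", eu_edge, site_nodes),
        "scoped_eu_admin_writes_us": authorize_scoped(eu_admin, "write", us_edge, site_nodes),
        "scoped_global_admin_writes_us": authorize_scoped(global_admin, "write", us_edge, site_nodes),
        "scoped_us_operator_writes_us": authorize_scoped(us_operator, "write", us_edge, site_nodes),
        "scoped_us_operator_reads_us": authorize_scoped(us_operator, "read", us_edge, site_nodes),
    })
    return results


if __name__ == "__main__":
    for case, allowed in build_demo().items():
        print(f"{case:36s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the second case is the operational one: scope is only as good as the hierarchy it is evaluated against, so an auto-generated site left under the global node is reachable by nobody except global-scoped administrators until someone moves it.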

Boat design phase

I purposely bought a boat that needed work so that I could customise it to my needs and learn how everything works. The wooden interior was dated and gloomy, it only had 1 DC socket, no working AC (no fuse board or inverter), no hot water (water heater broken) and a rusted up stove with 1 radiator run off it. After 5 months of hardship and an ever decreasing bank balance whether that was a good idea is debatable…

VPP on FreeBSD – Part 1

About this series

FreeBSD

Ever since I first saw VPP - the Vector Packet Processor - I have been deeply impressed with its performance and versatility. For those of us who have used Cisco IOS/XR devices, like the classic ASR (aggregation services router), VPP will look and feel quite familiar as many of the approaches are shared between the two. Over the years, folks have asked me regularly “What about BSD?” and to my surprise, late last year I read an announcement from the FreeBSD Foundation [ref] as they looked back over 2023 and forward to 2024:

Porting the Vector Packet Processor to FreeBSD

Vector Packet Processing (VPP) is an open-source, high-performance user space networking stack that provides fast packet processing suitable for software-defined networking and network function virtualization applications. VPP aims to optimize packet processing through vectorized operations and parallelism, making it well-suited for high-speed networking applications. In November of this year, the Foundation began a contract with Tom Jones, a FreeBSD developer specializing in network performance, to port VPP to FreeBSD. Under the contract, Tom will also allocate time for other tasks such as testing FreeBSD on common virtualization platforms to improve the desktop experience, improving Continue reading

Hedge 212: Shift Left? w/Chris Romeo

How many times have you heard you should “shift left” in the last few years? What does “shift left” even mean? Even if it had meaning once, does it still have any meaning today? Should we abandon the concept, or just the term? Listen in as Chris Romeo joins Tom Ammon and Russ White to talk about the origin, meaning, and modern uselessness of the term “shift left.”

Repetition Without Repetition

I just finished spending a wonderful week at Cisco Live EMEA and getting to catch up with some of the best people in the industry. I got to chat with trainers like Orhan Ergun and David Bombal and see how they’re continuing to embrace the need for people in the networking community to gain knowledge and training. It also made me think about a concept I recently heard about that turns out to be a perfect analogy to my training philosophy even though it’s almost 70 years old.

Practice Makes Perfect

Repetition without repetition. The idea seems like a tautology at first. How can I repeat something without repeating it? I'm sure that the people who picked up the book by Soviet neurophysiologist Nikolai Aleksandrovitsch Bernstein in 1967 were just as confused. Why should you do things over and over again if not to get good at performing the task or learning the skill?

The key in this research from Bernstein lay in how the practice happens. In this particular case he looked at blacksmiths to see how they used hammers to strike the pieces they were working on. The most accurate of his test subjects didn’t just perform the Continue reading

Get to Know Mike Twumasi and Why You Should be Ready for DDI

Principal Consultant Mike Twumasi walks us through his background in tech, explains how the core concepts of DNS, DHCP, and IP address services can be combined into one platform solution that can transform network management, and previews his keynote presentation from our “Why DDI? How to Integrate DNS, DHCP, and IP Address Management in Your Network,” live webinar. This excerpt launched on Wednesday, January 31.

Calico monthly roundup: January 2024

Welcome to the Calico monthly roundup: January edition! From open source news to live events, we have exciting updates to share—let’s get into it!

Join us at CalicoCon 2024 in Paris

We are thrilled to announce that CalicoCon 2024 will be held on March 19 in Paris as a KubeCon + CloudNativeCon Europe 2024 co-located event. Join us for an immersive event focused on the latest trends, strategies, and technologies in Kubernetes networking, security, and observability. Limited spots are available, so register now.

Customer case study: NuraLogix

AI-driven healthtech company, NuraLogix, improves security and compliance on Amazon EKS using Calico Cloud.

Tigera has achieved AWS Security Competency status!

Tigera has gained a new AWS Security Competency, which we’re proud to add to our already existing AWS Containers Software Competency. Read about the addition of our newest security competency.

Securely connect EKS workloads to approved SaaS with Calico Egress Gateway

Learn how Calico Egress Gateway for AWS Elastic IP provides a valuable tool to bolster an organization’s defenses and ensure secure and dependable connections to trusted SaaS platforms.

Open source news

*NEW* GitHub Discussion forum – Looking for Continue reading

connect() – why are you so slow?

It is no secret that Cloudflare is encouraging companies to deprecate their use of IPv4 addresses and move to IPv6 addresses. We have a couple of articles on the subject from this year:

And many more in our catalog. To help with this, we spent time this last year investigating and implementing infrastructure to reduce our internal and egress use of IPv4 addresses. We prefer to re-allocate the addresses we already have rather than purchase more, given their rising cost. In this effort we discovered that our cache service is one of our bigger consumers of IPv4 addresses. Before we can remove IPv4 addresses from our cache services, we first need to understand how cache works at Cloudflare.

How does cache work at Cloudflare?

A full description of the architecture is out of scope for this article, but a basic outline is:

  1. Internet User makes a request to pull an asset
  2. Cloudflare infrastructure routes that request to a handler
  3. Handler machine returns cached asset, or if miss
  4. Handler machine reaches to origin server (owned by a customer) to pull the Continue reading

Join us at CalicoCon 2024, co-located with KubeCon + CloudNativeCon Europe 2024

We are excited to announce CalicoCon 2024, an in-person learning event for Project Calico, taking place March 19th, 2024 as ‌a co-located event with KubeCon + CloudNativeCon Europe 2024.

As Kubernetes continues to expand its presence in both enterprises and small-to-medium businesses, understanding container networking and security in managed or self-managed Kubernetes environments becomes crucial. As organizations scale their applications and make them more performance-efficient, they are presented with choices of dataplane (eBPF, Windows HNS, Linux iptables), of cloud, and of Kubernetes distribution. Additionally, the process of creating new cloud-native applications or modernizing legacy applications presents Kubernetes users with a selection of both cutting-edge and mature container networking and security technologies.

To make these decisions in a way that leverages their existing investments and future-proofs their platform, users require guidance on developing and implementing scalable network security policies, selecting dataplanes, achieving low latency, optimizing resources, and integrating with bare metal and VM workloads.

What can you expect?

At CalicoCon, we will provide KubeCon Paris 2024 attendees with an opportunity to actively participate in a full-day event where they will:

Fulfilling the promise of single-vendor SASE through network modernization

As more organizations collectively progress toward adopting a SASE architecture, it has become clear that the traditional SASE market definition (SSE + SD-WAN) is not enough. It forces some teams to work with multiple vendors to address their specific needs, introducing performance and security tradeoffs. More worrisome, it draws focus more to a checklist of services than a vendor’s underlying architecture. Even the most advanced individual security services or traffic on-ramps don’t matter if organizations ultimately send their traffic through a fragmented, flawed network.

Single-vendor SASE is a critical trend to converge disparate security and networking technologies, yet enterprise "any-to-any connectivity" needs true network modernization for SASE to work for all teams. Over the past few years, Cloudflare has launched capabilities to help organizations modernize their networks as they navigate their short- and long-term roadmaps of SASE use cases. We’ve helped simplify SASE implementation, regardless of the team leading the initiative.

Announcing (even more!) flexible on-ramps for single-vendor SASE

Today, we are announcing a series of updates to our SASE platform, Cloudflare One, that further the promise of a single-vendor SASE architecture. Through these new capabilities, Cloudflare makes SASE networking more flexible and accessible for Continue reading