The State of Routing Security at DNS Registries
The Domain Name System (DNS) is an important component of the Internet, but it was not designed with security in mind. In the last 20 years or so, much attention has been directed at improving its inherently insecure aspects.
This includes the deployment of DNS Security Extensions (DNSSEC) that enables cryptographic validation of DNS records, and more recently DNS-over-TLS and DNS-over-HTTPS, which encrypts DNS transactions between hosts and resolvers.
The DNS, though, is also dependent on the global routing system for sending DNS queries from resolvers to servers, and then returning the responses. The integrity of the routing system is, therefore, extremely important for ensuring DNS transactions are delivered efficiently to the correct destination. Yet, at present, few DNS registries are implementing Routing Public Key Infrastructure (RPKI), a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol (BGP).
A survey of 4,138 zones – that included 1,201 generic top-level domains (gTLDs), 308 country code top-level domains (ccTLDs), 271 reverse map zones, and 1,780 sub-ccTLD zones – showed a total of 6,910 route origins for the name servers that are serving these zones.
Yet, just 22% of these had valid Route Origin Authorisations (ROA), Continue reading
Improving the Wrangler Startup Experience
Today I’m excited to announce wrangler login, an easy way to get started with Wrangler! This summer for my internship on the Workers Developer Productivity team I was tasked with helping improve the Wrangler user experience. For those who don’t know, Workers is Cloudflare’s serverless platform which allows users to deploy their software directly to Cloudflare’s edge network.
This means you can write any behaviour on requests heading to your site or even run fully fledged applications directly on the edge. Wrangler is the open-source CLI tool used to manage your Workers and has a big focus on enabling a smooth developer experience.
When I first heard I was working on Wrangler, I was excited that I would be working on such a cool product but also a little nervous. This was the first time I would be writing Rust in a professional environment, the first time making meaningful open-source contributions, and on top of that the first time doing all of this remotely. But thanks to lots of guidance and support from my mentor and team, I was able to help make the Wrangler and Workers developer experience just a little bit better.
The Problem
The main improvement Continue reading
Worth Reading: Hardware Packet Capture Failures
Greg Ferro is back with some great technical content, this time explaining why hardware-based packet capture might return unexpected results.
What’s the Big Deal About Multi-Cloud Networking – Part 2
If you were experiencing issues with Zoom calls today, you were not alone. But if you take a close look at today’s outage, it is clear that it was correlated with an AWS outage today. In fact, most of Zoom runs on AWS, according to AWS. This is despite Oracle’s claim that millions of users … Continue reading What’s the Big Deal About Multi-Cloud Networking – Part 2New Livelesson: Understanding Network Transports
Safari Books Online just published my latest Livelesson—eight hours of technical yet fundamental training on network transports. I co-authored this one with Ethan Banks (yes, that Ethan Banks). I consider this video series a compliment to the transport chapters in Computer Networking Problems and Solutions.
If you ever wanted to really understand transport protocols … this is your chance.
The White Board and the Simulation
In the argument between OSPF and BGP in the data center fabric over at Justin’s blog, I am decidedly in the camp of IS-IS. Rather than lay my reasons out here, however (a topic for another blog post?), I want to focus on something else Justin said that I think is incredibly important for network engineers to understand.
I think whiteboards are the most important tool for network design currently available, which makes me sad. I wish that wasn’t true, I want much better tools. I can’t even tell you the number of disasters averted by 2-3 great network engineers arguing over a whiteboard.
I remember—way back—when I was working on the problems around making a link-state protocol work well in a Mobile Ad Hoc Network (MANET), we had two competing solutions presented to the IETF. The first solution was primarily based on whiteboarding through various options and coming up with one that should reduce flooding to an acceptable level. The second was less optimal on the whiteboard but supported by simulations showing it should reduce flooding more effectively.
Which solution “won?” I don’t know what “winning” might mean here, but the solution designed on the whiteboard has Continue reading
Network Break 298: Arista Launches CloudVision As A Service; Cisco, Megaport Partner On SD-WAN
Take a Network Break! Pass around the virtual pickles as we delve into Arista's new SaaS version of CloudVision, Cisco and Megaport's SD-WAN partnership, new Intent-Based Networking features from Apstra, and more tech news.
The post Network Break 298: Arista Launches CloudVision As A Service; Cisco, Megaport Partner On SD-WAN appeared first on Packet Pushers.
Network Break 298: Arista Launches CloudVision As A Service; Cisco, Megaport Partner On SD-WAN
Take a Network Break! Pass around the virtual pickles as we delve into Arista's new SaaS version of CloudVision, Cisco and Megaport's SD-WAN partnership, new Intent-Based Networking features from Apstra, and more tech news.The Week in Internet News: Facebook Bans Conspiracy Accounts
Ban hammer: Facebook has banned banned about 900 pages and groups and 1,500 ads tied to the conspiracy theory QAnon, NBC News reports. QAnon followers believe an anonymous, supposed government insider has warned them about a massive group of satanic cannibals and pedophiles inside the U.S. government. QAnon, militia movements, and violent movements tied to protests will no longer be allowed to buy ads on Facebook, the social media giant said.
That’s really fast: Researchers from University College London have been able to transmit data at 178 terabits per second, The Independent says. That speed is double the speed of any current system being used, and about 20 percent faster than the previous record. With that speed, an Internet user could download the entire Netflix library in just one second.
Cracks in the ‘Net: U.S. President Donald Trump’s campaign against Chinese services TikTok and WeChat could further fracture the Internet, the New York Times reports. “China and the United States once acted like opposites when it came to governing the internet … When President Donald Trump issued executive orders that could lead to a U.S. ban next month on two of the world’s most popular Chinese-made apps, TikTok Continue reading
Delivering HTTP/2 upload speed improvements
Cloudflare recently shipped improved upload speeds across our network for clients using HTTP/2. This post describes our journey from troubleshooting an issue to fixing it and delivering faster upload speeds to the global Internet.
We launched speed.cloudflare.com in May 2020 to give our users insight into how well their networks perform. The test provides download, upload and latency tests. Soon after release, we received reports from a small number of users that sometimes upload speeds were underreported. Our investigation determined that it seemed to happen with end users that had high upload bandwidth available (several hundreds Mbps class cable modem or fiber service). Our speed tests are performed via browser JavaScript, and most browsers use HTTP/2 by default. We found that HTTP/2 upload speeds were sometimes much slower than HTTP/1.1 (assuming all TLS) when the user had high available upload bandwidth.
Upload speed is more important than ever, especially for people using home broadband connections. As many people have been forced to work from home they’re using their broadband connections differently than before. Prior to the pandemic broadband traffic was very asymmetric (you downloaded way more than you uploaded… think listening to music, or streaming a movie), Continue reading
This feed has moved and will be deleted soon. Please update your subscription now.
The publisher is using a new address for their RSS feed. Please update your feed reader to use this new URL:
MUST READ: What I’ve learned about scaling OSPF in Datacenters
Justin Pietsch published a fantastic recap of his experience running OSPF in AWS infrastructure. You MUST read what he wrote, here’s the TL&DR summary:
- Contrary to popular myths, OSPF works well on very large leaf-and-spine networks.
- OSPF nuances are really hard to grasp intuitively, and the only way to know what will happen is to run tests with the same codebase you plan to use in production environment.
Dinesh Dutt made similar claims on one of our podcasts, and I wrote numerous blog posts on the same topic. Not that anyone would care or listen, it’s so much better to watch vendor slide decks full of latest unicorn dust… but in the end, it’s usually not the protocol that’s broken, but the network design.
The Making of an RFC in today’s IETF
These days the process of making an RFC involves extensive review. You might think that the result of this truly exhaustive document review process is some bright shiny truth that is stated with precision and clarity. But that is not necessarily so. Why not?Zero-Touch Provisioning for Cisco IOS
The official documentation to automatically upgrade and configure on first boot a Cisco switch running on IOS, like a Cisco Catalyst 2960-X Series switch, is scarce on details. This note explains how to configure the ISC DHCP Server for this purpose.
When booting for the first time, Cisco IOS sends a DHCP request on all ports:
Dynamic Host Configuration Protocol (Discover)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x0000117c
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: Cisco_6c:12:c0 (b4:14:89:6c:12:c0)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Discover)
Option: (57) Maximum DHCP Message Size
Option: (61) Client identifier
Length: 25
Type: 0
Client Identifier: cisco-b414.896c.12c0-Vl1
Option: (55) Parameter Request List
Length: 12
Parameter Request List Item: (1) Subnet Mask
Parameter Request List Item: (66) TFTP Server Name
Parameter Request List Item: (6) Domain Name Server
Parameter Request List Item: Continue readingCEX (Code EXpress) 13. Creating your own Python modules.
Hello my friend,
Recently we have learned how to use the external modules to make your Python’s code more powerful. At some point, perhaps already now, you started creating user-defined functions so good that you would like to re-use them in other projects.
Automate all the things
Network automation is one of the most important things named by CIOs in Gather’s research. As such, the companies are (and will be) looking for the experts, who are able to develop new solutions and find creative ways to improve networks’ efficiency via automation. And we are keen to help you with that?
At our network automation training, either self-paced or instructor lead, you will learn the leading technologies, protocols, and tools used to manage the networks in the busiest networks worldwide, such as Google data centres. However, once you master all the skills, you will be able to automate the network of any scale. You will see the opportunities and you will exploit them.
Secret words: NETCONF, REST API, gRPC, JSON , XML, Protocol buffers, SSH, OpenConfig, Python, Ansible, Linux, Docker; and many other wonderful tools and techniques are waiting for you in our training!
Don’t miss opportunity to start your network Continue reading