Archive

Category Archives for "Networking"

Tigera Announces Open-Source Calico for Windows and Collaboration with Microsoft

Tigera is pleased to announce that we have open-sourced Calico for Windows and made it immediately available for all to use for free. With the launch of open-source Calico for Windows, the vast ecosystem of Windows users now has unprecedented access to Kubernetes via the industry’s de-facto standard for Kubernetes networking and network security.

We have been collaborating with Microsoft and our joint customers over the past few years to bring Project Calico to the Windows platform, and have seen increasing demand for Windows nodes ever since the release of Kubernetes 1.14.  Most enterprises have a Windows footprint, and Windows workloads are increasingly being modernized and migrated to containers and orchestrated with Kubernetes. Enterprise users want to deploy a single solution for network security that works across both Linux and Windows workloads. Open-sourcing Calico for Windows provides those users with the best and only solution available, and for free.

“We are seeing an influx in interest in Windows Kubernetes workloads, as well as interest in securing those workloads. Calico has been a key means of deploying network security policies across both Windows and Linux platforms, however, their Windows support has been commercially licensed by Tigera until today,“ said Continue reading

Accessing Docker Container Services over IPv6

Getting Docker to work with IPv6 is an interesting and under-documented (trying to stay diplomatic) adventure, but there’s a shortcut to the promised land: even if your Docker environment is pure IPv4 morass, you can still reach published container ports over IPv6 thanks to the userland proxy I described last week. The performance is obviously commensurate with traversing kernel-user boundary too many times.

New to this rabbit hole? Start here.

Finally, you don’t have to tell me (again) that Docker is dead and we should all use K8s. It’s as useful as telling me CloudStack is dead and we should all use OpenStack. Different challenges deserve different tools.

Cradlepoint buy nets Ericsson 5G infrastructure for carriers, enterprises

Ericsson’s purchase of wireless WAN vendor Cradlepoint means that the Sweden-based networking powerhouse is targeting growth in the 5G and edge markets, according to experts. 5G resources What is 5G? Fast wireless technology for enterprises and phones How 5G frequency affects range and speed Private 5G can solve some problems that Wi-Fi can’t Private 5G keeps Whirlpool driverless vehicles rolling 5G can make for cost-effective private backhaul CBRS can bring private 5G to enterprises The deal, valued at $1.1 billion, will see Cradlepoint become a fully owned subsidiary of Ericsson, part of the larger company’s Business Area Technologies and New Business divisionTo read this article in full, please click here

Reducing RPKI Single Point of Takedown Risk

The RPKI, for those who do not know, ties the origin AS to a prefix using a certificate (the Route Origin Authorization, or ROA) signed by a third party. The third party, in this case, is validating that the AS in the ROA is authorized to advertise the destination prefix in the ROA—if ROA’s were self-signed, the security would be no better than simply advertising the prefix in BGP. Who should be able to sign these ROAs? The assigning authority makes the most sense—the Regional Internet Registries (RIRs), since they (should) know which company owns which set of AS numbers and prefixes.

The general idea makes sense—you should not accept routes from “just anyone,” as they might be advertising the route for any number of reasons. An operator could advertise routes to source spam or phishing emails, or some government agency might advertise a route to redirect traffic, or block access to some web site. But … if you haven’t found the tradeoffs, you haven’t looked hard enough. Security, in particular, is replete with tradeoffs.

Every time you deploy some new security mechanism, you create some new attack surface—sometimes more than one. Deploy a stateful packet filter to protect a Continue reading

Network Break 302: Nvidia Bids Billions For Arm; VMware Melds Kubernetes With vSphere

It's a baker's dozen of tech news in today's Network Break episode. We analyze Nvidia's $40 billion bid for Arm, Broadcom's banishment of Cumulus, vSphere's Kubernetes injection via Tanzu, a new hardware strategy from Extreme, new products from Palo Alto and Juniper, and more!

The post Network Break 302: Nvidia Bids Billions For Arm; VMware Melds Kubernetes With vSphere appeared first on Packet Pushers.

The Week in Internet News: Trading Trash for WiFi

Turning plastic into access: Students in a Jakarta, Indonesia, neighborhood are collecting discarded plastic and trading it for access at a WiFi station that sells the plastic waste, the World Economic Forum website says. The owner of the WiFi station uses the profits from selling the plastic to purchase access for small groups of students who need Internet access during continuing COVID-19 lockdowns.

No access here: About 54 percent of households in rural Bangladesh lack Internet access, according to a new survey featured at The Daily Star. Nearly six in 10 don’t have access to a smart phone. The survey also found that about eight in 10 rural households have very limited digital skills.

Trump vs. TikTok: U.S. President Donald Trump’s administration has moved to ban Chinese apps TikTok and WeChat as of 20 September, Reuters reported. The U.S. Department of Commerce was planning to issue an order on Friday that would prohibit app stores available in the U.S. from offering the two apps. TikTok owner ByteDance was still exploring a sale of the video-sharing app to U.S. companies.

Rockets on boats: SpaceX is planning to test its proposed Starlink satellite Internet network by using a Continue reading

Should you upgrade tape drives to the latest standard?

With the recent release of the linear tape–open 9 (LTO-9) standard, tape drives with increased capacity and speed should be available soon, but that doesn’t mean users of tape drives should rush to buy them.Here are some of the pros and cons to weigh when considering whether an upgrade is in order.Tape drives are a very reliable way to write data to storage, and are very good at holding onto data for multiple decades. They make an excellent medium for long-term storage and for shipping large amounts of data across long distances (a FedEx truck has unlimited bandwidth).[Get regularly scheduled insights by signing up for Network World newsletters.] What tape is not good at is going slow. LTO-8 has a compressed transfer speed of 900MB/s, which is significantly faster than most any backup you're going to send to it. It's definitely faster than any incremental backup that will be sent to it, and that comprises most backups. That makes tapes as the initial target of backups problematic.To read this article in full, please click here

Should you upgrade tape drives to the latest standard?

With the recent release of the linear tape–open 9 (LTO-9) standard, tape drives with increased capacity and speed should be available soon, but that doesn’t mean users of tape drives should rush to buy them.Here are some of the pros and cons to weigh when considering whether an upgrade is in order.Tape drives are a very reliable way to write data to storage, and are very good at holding onto data for multiple decades. They make an excellent medium for long-term storage and for shipping large amounts of data across long distances (a FedEx truck has unlimited bandwidth).[Get regularly scheduled insights by signing up for Network World newsletters.] What tape is not good at is going slow. LTO-8 has a compressed transfer speed of 900MB/s, which is significantly faster than most any backup you're going to send to it. It's definitely faster than any incremental backup that will be sent to it, and that comprises most backups. That makes tapes as the initial target of backups problematic.To read this article in full, please click here

Interesting: PyEnv

If you’re like me, you’re probably sick-and-tired of Python versions, environments… Every time I update Python on my MacBook Pro with Homebrew, I lose all packages I installed for the previous version of Python (because I’m installing them system-wide and they’re stored in version-specific directory).

Jon Langemak found a potential solution to this problem: PyEnv. My first reaction was: Great, just what I need… but as he described how it really works, I realized that it’s always possible to add another layer of indirection. RFC1925 strikes again.

Keepalived and unicast over multiple interfaces

Keepalived is a Linux implementation of VRRP. The usual role of VRRP is to share a virtual IP across a set of routers. For each VRRP instance, a leader is elected and gets to serve the IP address, ensuring the high availability of the attached service. Keepalived can also be used for a generic leader election, thanks to its ability to use scripts for healthchecking and run commands on state change.

A simple configuration looks like this:

vrrp_instance gateway1 {
  state BACKUP          # ❶
  interface eth0        # ❷
  virtual_router_id 12  # ❸
  priority 101          # ❹
  virtual_ipaddress {
    2001:db8:ff/64
  }
}

The state keyword in ❶ instructs Keepalived to not take the leader role when starting. Otherwise, incoming nodes create a temporary disruption by taking over the IP address until the election settles. The interface keyword in ❷ defines the interface for sending and receiving VRRP packets. It is also the default interface to configure the virtual IP address. The virtual_router_id directive in ❸ is common to all nodes sharing the virtual IP. The priority keyword in ❹ helps choosing which router will be elected as leader. If you need more information around Keepalived, be sure to check Continue reading

Syncing NetBox with a custom Ansible module

The netbox.netbox collection from Ansible Galaxy provides several modules to update NetBox objects:

- name: create a device in NetBox
  netbox_device:
    netbox_url: http://netbox.local
    netbox_token: s3cret
    data:
      name: to3-p14.sfo1.example.com
      device_type: QFX5110-48S
      device_role: Compute Switch
      site: SFO1

However, if NetBox is not your source of truth, you may want to ensure it stays in sync with your configuration management database1 by removing outdated devices or IP addresses. While it should be possible to glue together a playbook with a query, a loop and some filtering to delete unwanted elements, it feels clunky, inefficient and an abuse of YAML as a programming language. A specific Ansible module solves this issue and is likely more flexible.

Notice

I recommend that you read “Writing a custom Ansible module” as an introduction, as well as “Syncing MySQL tables” for a first simpler example.

Code

The module has the following signature and it syncs NetBox with the content of the provided YAML file:

netbox_sync:
  source: netbox.yaml
  api: https://netbox.example.com
  token: s3cret

The synchronized objects are:

1 775 776 777 778 779 3,480