Case Study: NAT64

Introduction

Front

IPng’s network is built up in two main layers, (1) an MPLS transport layer, which is disconnected from the Internet, and (2) a VPP overlay, which carries the Internet. I created a BGP Free core transport network, which uses MPLS switches from a company called Centec. These switches offer IPv4, IPv6, VxLAN, GENEVE and GRE all in silicon, are very cheap on power and relatively affordable per port.

Centec switches allow for a modest but not huge amount of routes in the hardware forwarding tables. I loadtested them in [a previous article] at line rate (well, at least 8x10G at 64b packets and around 110Mpps), and they forward IPv4, IPv6 and MPLS traffic effortlessly, at 45 watts.

I wrote more about the Centec switches in [my review] of them back in 2022.

IPng Site Local

IPng SL

I leverage this internal transport network for more than just MPLS. The transport switches are perfectly capable of line rate (at 100G+) IPv4 and IPv6 forwarding as well. When designing IPng Site Local, I created a number plan that assigns IPv4 from the 198.19.0.0/16 prefix, and IPv6 from the 2001:678:d78:500::/56 prefix. Within these, I allocate blocks for Continue reading

Modern Egress Gateway: Assign stable IPs to traffic leaving Kubernetes clusters

Whether an enterprise is migrating its legacy application to a cloud-native architecture or deploying a new cloud-native application, it will face the challenge of integrating with security tools such as firewalls that rely on a stable network identity for security configuration. This is due to the fact that cloud-native workloads aren’t guaranteed to have a fixed network identity. The juxtaposition of dynamic, modern workloads alongside traditional applications that rely on fixed network identifiers presents a unique set of challenges.

This is particularly pertinent for DevOps and platform teams tasked with ensuring seamless communication and security between these disparate environments. It becomes crucial for DevOps, platforms, and network security teams to ensure seamless communication and secure traffic flow as organizations balance innovation (cloud-native applications) and harness existing investments (traditional firewalls and data sources).

Common Scenarios

Securing and Identifying Traffic Leaving the Cluster

One of the key challenges in integrating cloud-native workloads with legacy applications behind a firewall is securing and identifying traffic from specific workloads running in the cluster. Many applications, such as databases, are protected by firewalls that need a stable IP address to enable access to these applications. Teams want to ensure that only authorized traffic from specific workloads Continue reading

Weekend Reads 052424


The European Union’s new Digital Markets Act (DMA) is a complex, many-legged beast, but at root, it is a regulation that aims to make it easier for the public to control the technology they use and rely on.


When optimizing the write performance of GreptimeDB v0.7, we discovered through flame graphs that the CPU time spent parsing Prometheus write requests accounted for about 12% of the total.


We think that waferscale computing is an interesting and even an inevitable concept for certain kinds of compute and memory. But inevitably, the work you need to do goes beyond what a single wafer’s worth of cores can deliver, and then you have the same old network issues.


Evidence is mounting that tech companies’ policies demanding staff return to the office are only serving to drive out the talent that became accustomed to remote work.


ZTDNS integrates the Windows DNS client and the Windows Filtering Platform (WFP) to enable this domain-name-based lockdown. First, Windows is provisioned with a set of DoH or DoT capable Protective DNS servers; these are expected to only resolve allowed domain names.


The use of Machine Learning and Deep Learning models allows us to understand the intention of Continue reading

Upcoming Training: How the Internet Really Works

The 29th of May, in 7 days, I’m teaching a four-hour webinar/class on Safari Books Online:

From technologists to business leaders, few have a “big picture” understanding of how the Internet is put together. Often this is because the Internet is composed of so many different systems, each of which is deeply complex, so it is easy to specialize in “one part of the Internet,” and it is hard to learn about the other parts without diving into many details. This class de-mystifies the overall structure and “moving parts” of the global Internet. The class begins with a user connecting to a web site, and the process of translating the name of the service the user is seeking to a logical location (a server) where the service is actually located. From there, the path of the packets between the user and the server is traced, exposing each of the different kinds of providers that carry the packet along the way.

This class isn’t just for network engineers, it’s for anyone interested in how the Internet works. You don’t need prior network engineering experience or knowledge to understand the content–so feel free to forward along to anyone you think might be Continue reading

Hedge 227: Provider Consolidation and Competition

Europe and the United States are completely different landscapes of Internet service providers. Which provides better service for customers, and which direction should these different markets go? Luke Kehoe joins Tom Ammon, Eyvonne Sharp, and Russ White to discuss the European market specifically, and why the European market needs consolidation.

Luke’s article on this topic is here.

download

HN735: Managing OT Networks

The variety and number of OT devices continue to grow at such a pace that network engineers really need to think through how to manage them as part of their broader network. Dan Massameno joins the show to talk about how he’s collaborating with his facilities department and using SD-Access to manage the OT virtual... Read more »

BGP EVPN Fabric – Remote Leaf MAC Learning Process

Remote VTEP Leaf-102: Low-Level Control Plane Analysis


In this section, we will first examine the update process of the BGP tables on the VTEP switch Leaf-102 when it receives a BGP Update message from Spine-11. After that, we will go through the update processes for the MAC-VRF and the MAC Address Table. Finally, we will examine how the VXLAN manager on Leaf-102 learns the IP address of Leaf-10's NVE interface and creates a unidirectional NVE peer record in the NVE Peer Database based on this information.


Remote Learning: BGP Processes

We have configured switches Leaf-101 and Leaf-102 as Route Reflector Clients on the Spine-11 switch. Spine-11 has stored the content of the BGP Update message sent by Leaf-101 in the neighbor-specific Adj-RIB-In of Leaf-101. Spine-11 does not import this information in its local BGP Loc-RIB because we have not defined a BGP import policy. Since Leaf-102 is an RR Client, the BGP process on Spine-11 copies this information in the neighbor-specific Adj-RIB-Out table for Leaf-102 and sends the information to Leaf-102 in a BGP Update message. The BGP process on Leaf-102 stores the received information from the Adj-RIB-In table to the BGP Loc-RIB according to the import policy of EVPN Instance 10010 (import RT 65000:10010). During the import process, the Route Distinguisher values are also modified to match the configuration of Leaf-102: change the RD value from 192.168.10.101:32777 (received RD) to 192.168.10.102:32777 (local RD).

Figure 3-13: MAC Address Propagation Process – From BGP Adj-RIB-Out.
Continue reading

Worth Reading: Using AWS Services via IPv6

AWS started charging for public IPv4 addresses a few months ago, supposedly to encourage users to move to IPv6. As it turns out, you need public IPv4 addresses (or a private link) to access many AWS services, clearly demonstrating that it’s just another way of fleecing the sheep Hotel California tax. I’m so glad I moved my videos to Cloudflare ;)

For more details, read AWS: Egress Traffic and Using AWS Services via IPv6 (rendered in beautiful, easy-to-read teletype font).

Worth Reading: Using AWS Services via IPv6

AWS started charging for public IPv4 addresses a few months ago, supposedly to encourage users to move to IPv6. As it turns out, you need public IPv4 addresses (or a private link) to access many AWS services, clearly demonstrating that it’s just another way of fleecing the sheep Hotel California tax. I’m so glad I moved my videos to Cloudflare ;)

For more details, read AWS: Egress Traffic and Using AWS Services via IPv6 (rendered in beautiful, easy-to-read teletype font).

Nvidia’s Enormous Financial Success Becomes . . . Normal

For the past five years, since Nvidia acquired InfiniBand and Ethernet switch and network interface card supplier Mellanox, people have been wondering what the split is between compute and networking in the Nvidia datacenter business that has exploded in growth and now represents most of revenue for each quarter.

Nvidia’s Enormous Financial Success Becomes . . . Normal was written by Timothy Prickett Morgan at The Next Platform.

EVPN Designs: IBGP Full Mesh Between Leaf Switches

In the previous blog post in the EVPN Designs series, we explored the simplest possible VXLAN-based fabric design: static ingress replication without any L2VPN control plane. This time, we’ll add the simplest possible EVPN control plane: a full mesh of IBGP sessions between the leaf switches.

This blog post describes an initial BGP design that we’ll refine in subsequent blog posts. Having a full mesh of IBGP sessions between leaf switches might be a bad idea unless you have a tiny fabric or you’re deploying a small-scale EVPN pilot.
Read more …

EVPN Designs: IBGP Full Mesh Between Leaf Switches

In the previous blog post in the EVPN Designs series, we explored the simplest possible VXLAN-based fabric design: static ingress replication without any L2VPN control plane. This time, we’ll add the simplest possible EVPN control plane: a full mesh of IBGP sessions between the leaf switches.

This blog post describes an initial BGP design that we’ll refine in subsequent blog posts. Having a full mesh of IBGP sessions between leaf switches is a bad idea unless you have a tiny fabric or you’re deploying a small-scale EVPN pilot.
Read more …

Expanding Regional Services configuration flexibility for customers

This post is also available in Français, Español, Nederlands.

When we launched Regional Services in June 2020, the concept of data locality and data sovereignty were very much rooted in European regulations. Fast-forward to today, and the pressure to localize data persists: Several countries have laws requiring data localization in some form, public-sector contracting requirements in many countries require their vendors to restrict the location of data processing, and some customers are reacting to geopolitical developments by seeking to exclude data processing from certain jurisdictions.

That’s why today we're happy to announce expanded capabilities that will allow you to configure Regional Services for an increased set of defined regions to help you meet your specific requirements for being able to control where your traffic is handled. These new regions are available for early access starting in late May 2024, and we plan to have them generally available in June 2024.

It has always been our goal to provide you with the toolbox of solutions you need to not only address your security and performance concerns, but also to help you meet your legal obligations. And when it comes to data localization, we know that some of you need Continue reading

AI Gateway is generally available: a unified interface for managing and scaling your generative AI workloads

During Developer Week in April 2024, we announced General Availability of Workers AI, and today, we are excited to announce that AI Gateway is Generally Available as well. Since its launch to beta in September 2023 during Birthday Week, we’ve proxied over 500 million requests and are now prepared for you to use it in production.

AI Gateway is an AI ops platform that offers a unified interface for managing and scaling your generative AI workloads. At its core, it acts as a proxy between your service and your inference provider(s), regardless of where your model runs. With a single line of code, you can unlock a set of powerful features focused on performance, security, reliability, and observability – think of it as your control plane for your AI ops. And this is just the beginning – we have a roadmap full of exciting features planned for the near future, making AI Gateway the tool for any organization looking to get more out of their AI workloads.

Why add a proxy and why Cloudflare?

The AI space moves fast, and it seems like every day there is a new model, provider, or framework. Given this high rate of Continue reading

1 100 101 102 103 104 3,803