IBM Boosts Open Tech With Cloud Pak for Security
The platform uses an open-source connector to integrate with IBM and other vendors’ security...

One of the more interesting features introduced by TLS 1.3, the latest revision of the TLS protocol, was the so-called "zero round-trip time connection resumption", a mode of operation that allows a client to start sending application data, such as HTTP requests, without having to wait for the TLS handshake to complete, thus reducing the latency penalty incurred in establishing a new connection.
The basic idea behind 0-RTT connection resumption is that if the client and server had previously established a TLS connection between each other, they can use information cached from that session to establish a new one without having to negotiate the connection's parameters from scratch. Notably, this allows the client to compute the private encryption keys required to protect application data before even talking to the server.
However, in the case of TLS, “zero roundtrip” only refers to the TLS handshake itself: the client and server are still required to first establish a TCP connection in order to be able to exchange TLS data.

QUIC goes a step further, and allows clients to send application data in the very first roundtrip of the connection, without requiring any other handshake to be Continue reading
The startup claims its decentralized storage costs less than half the price of AWS and cloud...
You need a cloud strategy so you can tackle complex issues such as access and identity management, security and compliance, and networking. Ed Horley sits in on the Day Two Cloud podcast to share sensible advice on how to build a workable strategy that incorporates high-level business goals with more nitty-gritty operational requirements.
The post Day Two Cloud 024: Why IT Operations Needs A Cloud Strategy And How To Form One appeared first on Packet Pushers.

Automation is an essential part of modern IT. In this blog I focus on Ansible credential plugin integration with HashiCorp Vault, an API-addressable secrets engine that makes life easier for anyone wishing to handle secrets management and automation better. In order to automate effectively, modern systems require multiple secrets: certificates, database credentials, keys for external services, operating systems, networking. Understanding who is accessing secret credentials, and when, is difficult and often platform-specific; managing key rotation, secure storage and detailed audit logging across a heterogeneous toolset is almost impossible. Red Hat Ansible Tower solves many of these issues on its own, but its integration with enterprise secret management solutions means it can utilize secrets on demand without human interaction.
In terms of secrets management, I will demonstrate how some of the risks associated with an automation service account can be mitigated by replacing password authentication with SSH certificate-based authentication. In the context of automation, a service account is used to provide authorised access into endpoints from a central location. Security best practices state that shared accounts could pose a risk. While Red Hat Ansible Tower has the ability to obfuscate passwords, private keys, etc. Continue reading
Alain Aina has been a key player in the Internet in Africa. While the winner of this year’s Jonathan B. Postel Award has had support from organizations and others, his leadership in building technical communities has helped countless people to spread the Internet across Africa and the world.
As the chief technology officer of the West and Central Africa Research and Education Network (WACREN), Aina has been building a Regional Research and Education Network to interconnect National Research and Education Networks (NRENs) in the region and connect them to the global Research and Education Network. He wants the world to see the work of Africa’s premier researchers and carve out its spot in the academic world – in a way that would be impossible without the resources of this new network and community. He also contributes to AfricaConnect2, a project that supports the development of high-capacity networks for research and education across Africa, by building on existing networks in Eastern, Northern, and Southern Africa to connect to West and Central Africa’s WACREN.
Aina fell into this work after graduating in the early 90s with a degree in electrical engineering and in the maintenance and analysis of computer systems. He was hired to be a technical seller Continue reading
Here’s another “let’s use network automation tools to create reports we couldn’t get in the past” (like IP multicast trees) solution coming from an attendee in our network automation course: Paddy Kelly created L3VPN graphs detailing PE-to-CE connectivity using Cisco’s pyATS to parse the Cisco IOS printouts.
You’ll find dozens of other interesting solutions on our Sample Network Automation Solutions page - all of them were created by networking engineers who knew almost nothing about network automation or open-source automation tools when they started our automation course.
When it comes to multi-domain or inter-datacenter communication, minimizing the broadcast traffic between the datacenters is an important scaling requirement.
Especially if you are dealing with millions of end hosts, localizing the broadcast traffic is critical to save resources on the network and the end hosts: bandwidth, CPU, memory and so on.
In this post I will mention how ARP cache is populated in OTV and EVPN technologies and the importance of ARP proxy function.
The classical approach to controlling broadcast traffic by localizing it within a datacenter is proxying.
ARP is a good example of a broadcast packet, and ARP Proxy (Proxy ARP) works based on either control-plane or data-plane learning.
The idea is that the destination MAC address can be learned from the local device that keeps the ARP cache, so ARP traffic does not have to cross the datacenter interconnect links.
I said ARP cache can be populated either via control or data plane learning and let me give an example for each one of them.
OTV, a Cisco proprietary protocol, advertises MAC addresses through IS-IS, so MAC reachability information is learned via the control plane. But OTV doesn't advertise the MAC-to-IP binding through IS-IS. Continue reading
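As an added illustration of the two ways the post says an ARP cache can be populated (control-plane advertisement of MAC/IP bindings versus data-plane learning from ARP traffic) and of the proxy function that then answers locally instead of flooding the request across the datacenter interconnect, here is a small simulation. It is example code written for this page, not from the post or from any vendor implementation; the edge-device model, the frame dictionaries and the host addresses are all constructed for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class ArpProxy:
    """Edge device at a datacenter boundary that keeps an ARP cache and
    answers ARP requests locally when it already knows the binding.

    This is a hypothetical model built for illustration, not OTV or EVPN code."""
    cache: dict = field(default_factory=dict)  # ip -> mac
    dci_floods: int = 0                        # ARP requests flooded over the interconnect
    local_replies: int = 0                     # ARP requests answered from the cache

    def learn_control_plane(self, bindings):
        """Populate the cache from bindings advertised by a control-plane protocol
        (the MAC-to-IP advertisement the post contrasts OTV's IS-IS with)."""
        self.cache.update(bindings)

    def learn_data_plane(self, frame):
        """Populate the cache by observing ARP traffic on the data plane:
        every ARP reply carries the sender's IP-to-MAC binding."""
        if frame["op"] == "reply":
            self.cache[frame["sender_ip"]] = frame["sender_mac"]

    def handle_request(self, target_ip):
        """Proxy function: reply locally if the binding is cached, otherwise the
        broadcast has to be flooded across the datacenter interconnect."""
        mac = self.cache.get(target_ip)
        if mac is not None:
            self.local_replies += 1
            return ("local-reply", mac)
        self.dci_floods += 1
        return ("flood-over-dci", None)

def simulate(proxy, frames):
    """Feed a constructed sequence of ARP frames through the proxy and return
    the results of each request plus the final flood/reply counters."""
    results = []
    for f in frames:
        if f["op"] == "request":
            results.append(proxy.handle_request(f["target_ip"]))
        else:
            proxy.learn_data_plane(f)
    return results, proxy.dci_floods, proxy.local_replies

# Constructed sample data (RFC 5737 documentation addresses, invented MACs).
CONTROL_PLANE_BINDINGS = {"192.0.2.10": "00:00:5e:00:53:0a"}
SAMPLE_FRAMES = [
    {"op": "request", "target_ip": "192.0.2.10"},                     # known via control plane
    {"op": "request", "target_ip": "192.0.2.20"},                     # unknown: must flood
    {"op": "reply", "sender_ip": "192.0.2.20",
     "sender_mac": "00:00:5e:00:53:14"},                               # data-plane learning
    {"op": "request", "target_ip": "192.0.2.20"},                     # now answered locally
]

def demo():
    proxy = ArpProxy()
    proxy.learn_control_plane(CONTROL_PLANE_BINDINGS)
    return simulate(proxy, SAMPLE_FRAMES)

if __name__ == "__main__":
    results, floods, local = demo()
    for r in results:
        print(r)
    print(f"flooded over DCI: {floods}, answered locally: {local}")
```

Only the second request crosses the interconnect; once the reply for 192.0.2.20 has been seen on the data plane, the third request is answered locally, which is the resource saving the post describes.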
One of the advantages of an EIGRP Feasible Successor is that it speeds up EIGRP convergence. In fact, if there is a Feasible Successor in the EIGRP network, that network converges faster than OSPF or IS-IS.
In this post, I will explain the answers to the above questions.
EIGRP Feasible Successor is a backup node that can satisfy the EIGRP feasibility condition.
Feasibility condition simply means that the backup router should be loop-free.
Let's examine the topology shown below (Figure-1) to understand how EIGRP finds a loop-free alternate (backup) node.
Figure-1 EIGRP Feasibility Condition
From Router A's point of view, Router B and Router C are equal-cost routers; as a result, both the A-B-D and A-C-D paths can be used in the network. What's more, Router A installs both Router B and Router C not only in the EIGRP topology table but also in the routing table.
There is no backup router in the above topology since Router A uses both Router B and Router C to reach the destination Continue reading
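The feasibility condition described above can be checked mechanically: a neighbor is a Successor when its total distance equals the feasible distance (the best total), and a Feasible Successor when its reported distance is strictly below that feasible distance, which is what guarantees the backup is loop-free. The following is an added example written for this page, not code from the post; the metric values are constructed (the post gives no numbers), and the second scenario goes beyond Figure-1 by adding two extra neighbors to show one that passes the condition and one that fails it.

```python
def classify_neighbors(neighbors):
    """Apply the EIGRP feasibility condition from the local router's point of view.

    neighbors: dict of neighbor name -> (reported_distance, link_cost), where
      reported_distance is the neighbor's own metric to the destination and
      link_cost is the metric of the link from the local router to that neighbor.

    Returns the feasible distance (FD), the Successors (neighbors whose total
    metric equals FD) and the Feasible Successors (non-successors whose
    reported distance is strictly less than FD, the loop-free condition).
    """
    # Total metric via each neighbor = reported distance + cost to reach the neighbor
    totals = {name: rd + cost for name, (rd, cost) in neighbors.items()}
    fd = min(totals.values())
    successors = sorted(name for name, total in totals.items() if total == fd)
    # Feasibility condition: RD < FD. A neighbor whose RD is >= FD might itself be
    # routing through us, so it cannot be trusted as a loop-free backup.
    feasible_successors = sorted(
        name for name, (rd, _) in neighbors.items()
        if name not in successors and rd < fd
    )
    return {
        "feasible_distance": fd,
        "successors": successors,
        "feasible_successors": feasible_successors,
    }

# Constructed metrics for Figure-1: Router A reaches D via B and via C at equal cost.
FIGURE_1 = {
    "B": (10, 10),  # B reports 10 to D, link A-B costs 10 -> total 20
    "C": (10, 10),  # C reports 10 to D, link A-C costs 10 -> total 20
}

# Constructed extension of Figure-1 with two more neighbors (not in the post):
#   E reports 15 (< FD of 20), so E is a loop-free Feasible Successor even though
#     its total metric of 45 is the worst of all;
#   F reports 25 (>= FD), so F fails the condition despite a better total of 30.
EXTENDED = dict(FIGURE_1, E=(15, 30), F=(25, 5))

def figure_1_result():
    return classify_neighbors(FIGURE_1)

def extended_result():
    return classify_neighbors(EXTENDED)

if __name__ == "__main__":
    print("Figure-1:", figure_1_result())
    print("Extended:", extended_result())
```

For Figure-1 the result has two Successors and an empty Feasible Successor list, which is exactly the "no backup router" situation the post describes: both B and C are already in use, and nothing else satisfies the condition. In the extended scenario, E qualifies as a backup while F does not, illustrating that the feasibility condition is about the reported distance, not about having the next-best total metric.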
Local-first software: you own your data, in spite of the cloud Kleppmann et al., Onward! ’19
Watch out! If you start reading this paper you could be lost for hours following all the interesting links and ideas, and end up even more dissatisfied than you already are with the state of software today. You might also be inspired to help work towards a better future. I’m all in :).
On the one hand we have 'cloud apps' which make it easy to access our work from multiple devices and to collaborate online with others (e.g. Google Docs, Trello, ...). On the other hand we have good old-fashioned native apps that you install on your operating system (a dying breed? See e.g. Brendan Burns' recent tweet). Somewhere in the middle, but not quite perfect, are online (browser-based) apps with offline support.
The primary issue with cloud apps (the SaaS model) is ownership of the data.
Unfortunately, cloud apps are problematic in this regard. Although they let you access your data anywhere, all data access must go via the server, and you can only do the things that the server will let you do. Continue reading
This week I’m in San Diego for KubeCon + CloudNativeCon. Instead of liveblogging each session individually, I thought I might instead attempt a “daily summary” post that captures highlights from all the sessions each day. Here’s my recap of day 1 at KubeCon + CloudNativeCon.
KubeCon + CloudNativeCon doesn’t have “one” keynote; it uses a series of shorter keynotes by various speakers. This has advantages and disadvantages; one key advantage is that there is more variety, and the attendees are more likely to stay engaged. I particularly enjoyed Bryan Liles’ CNCF project updates; I like Bryan’s sense of humor, and getting updates on some of the CNCF projects is always useful. As for some of the other keynotes, those that were thinly-disguised vendor sales pitches were generally pretty poor.
I was running late for the start of this session due to booth duty, and I guess the stuff I needed most was presented in that portion I missed. Most of what I saw was about Netflix Titus, and how the Netflix team ported Titus from Mesos to Virtual Kubelet. However, that information was so specific to Netflix’s particular use of Virtual Kubelet that it Continue reading
In addition to expanding its service provider reach, Fortinet announced an alliance with Siemens to...
"That means that all of these programs we were going to spend 100 years of dead weight [on] is now...
Aryaka's restructured SmartServices product line breaks out many features previously only available...