BGP Labs: Graceful Shutdown
Using the typical default router configurations, it can take minutes between a failure of an inter-AS link and the convergence of BGP routes. You can fine-tune that behavior with BGP timers and BFD (and still get pwned by Graceful Restart). While you can’t influence link failures, you could drain the traffic from a link before starting maintenance operations on it, and it would be a shame not to do that considering there’s a standard way to do that – the GRACEFUL_SHUTDOWN BGP community defined in RFC 8326. That’s what you’ll practice in the next BGP lab exercise.
BGP Labs: Graceful Shutdown
Using the typical default router configurations, it can take minutes between a failure of an inter-AS link and the convergence of BGP routes. You can fine-tune that behavior with BGP timers and BFD (and still get pwned by Graceful Restart). While you can’t influence link failures, you could drain the traffic from a link before starting maintenance operations on it, and it would be a shame not to do that considering there’s a standard way to do that – the GRACEFUL_SHUTDOWN BGP community defined in RFC 8326. That’s what you’ll practice in the next BGP lab exercise.
Upcoming Changes to the AWX Project
By Matthew Jones, Chief Architect, Ansible Automation at Red Hat
Back in 2013, a small team of engineers worked for over a year to make the first commercial release of Ansible Tower (before we expanded and evolved to Ansible Automation Platform) and during that time we put down the foundation of an application that I’m immensely proud of.
We, the original architects of Tower, were trying to find the best way to create a system that would allow running Ansible at scale for hundreds of thousands of servers. We wanted there to be a way to not just manage those servers but store the results of that automation and provide auditability and traceability. It needed to make Ansible functional for large teams and it succeeded.
Today, we’re not just talking about hundreds of thousands. We’re thinking in the millions and tens of millions, we’re managing automation for some of the largest IT organizations in the world. And we’re not just managing servers. In the intervening years we’ve been automating containers, cloud platforms, network devices, storage, IoT devices and PLCs (among other things). One of the main challenges that we’re facing is that some of the architectural decisions we made Continue reading
On the ‘net: Modeling Tunnels
One reason the OSI model isnメt all that useful anymore is because it assumes things about networks that are no longer true, such as the existence of a clear set of protocols neatly layered one atop another. We just donメt build networks this way any longer.
Getting Barrier Working Between Arch Linux and Ubuntu
I recently had a need to get Barrier—an open source project aimed at enabling mouse/keyboard sharing across multiple computers, aka a “software KVM”—running between Arch Linux and Ubuntu 22.04. Unfortunately, the process for getting Barrier working isn’t as intuitive as it should be, so I’m posting this information in the hopes it will prove useful to others who find themselves in a similar situation. Below, I’ll share how I got Barrier working between an Arch Linux system and an Ubuntu system.
Although this post specifically mentions Arch Linux and Ubuntu, the process for getting Barrier running should be pretty similar (if not identical) for other Linux distributions and for macOS. I don’t have any Windows-based systems on which to test these instructions, but they should be adaptable to Windows as well. Note that there may be slight differences in the flags for the commands listed here when they are run on platforms other than Linux.
Installing Barrier
Both Arch and Ubuntu 22.04 have the latest release of Barrier, version 2.4.0, available in their repositories, so the installation is straightforward.
For Arch, just install with pacman:
pacman -Ss barrier
There’s also a “barrier-headless” package in Continue reading
The New Era of AI Centers
In 1984, Sun was famous for declaring, “The Network is the Computer.” Forty years later we are seeing this cycle come true again with the advent of AI. The collective nature of AI training models relies on a lossless, highly-available network to seamlessly connect every GPU in the cluster to one another and enable peak performance. Networks also connect trained AI models to end users and other systems in the data center such as storage, allowing the system to become more than the sum of its parts. As a result, data centers are evolving into new AI Centers where the networks become the epicenter of AI management.
Must Read: Make Two Trips
Tom Limoncelli wrote another must-read masterpiece: sometimes you’ll save time if you make two trips instead of one.
The same lesson applies to network design: cramming too many features into a single device will inevitably result in complex, hard-to-understand configurations and weird bugs. Sometimes, it’s cheaper to split the required functionality across multiple devices.
Must Read: Make Two Trips
Tom Limoncelli wrote another must-read masterpiece: sometimes you’ll save time if you make two trips instead of one.
The same lesson applies to network design: cramming too many features into a single device will inevitably result in complex, hard-to-understand configurations and weird bugs. Sometimes, it’s cheaper to split the required functionality across multiple devices.
Container Security: Protect your data with Calico Egress Access Controls
23andMe is a popular genetics testing company, which was valued at $6B in 2021. Unfortunately, there was a massive data breach in December 2023, which caused a steep decline in the company’s value and trust, plummeting the company to a penny stock. While this breach was not directly related to Kubernetes, the same risks apply to containers running in your Kubernetes environments. If your containerized applications do not have the right egress access controls defined, chances of data exfiltration are much higher.
The basics
A typical modus operandi for threat actors is to look for vulnerabilities or misconfiguration in the environment and workloads, install malicious pods through privilege escalation techniques, and then exploit this unsecured pod to exfiltrate data.
An easy reconnaissance technique by just scanning the cluster network for public-facing workloads will be a first starting point for most attackers. Privilege escalation occurs mostly due to inconsistent or incorrect RBAC policies in Kubernetes through which unauthorized users can gain root privileges. Vulnerabilities in container images as part of the supply chain are also another attack path. All of these techniques will ultimately land on an exposed pod with a remote code Continue reading
With Thor 2, Broadcom Wants To Become The AI Network Adapter
Aside from all of the buzz that optics get in datacenter networking, copper is still king of the short haul. …
With Thor 2, Broadcom Wants To Become The AI Network Adapter was written by Timothy Prickett Morgan at The Next Platform.
PP016: Tabletop Security Exercises: D&D for Grown-ups
Tabletop security exercises can help organizations game out their response to a security incident. From the technical and business considerations to legal and PR implications, a tabletop exercise, like Dungeons and Dragons, lets you play-test attack and defense scenarios. Johna Till Johnson, CEO of Nemertes consulting firm and co-host of the Heavy Strategy podcast, joins... Read more »HW028: Highlights from Wi-Fi World Congress USA
A cardboard box with a circuit printed on it that harvests just enough power to activate a radio and have it chirp something out a short distance: that’s just one of the cool products and 802.11 standards that stood out at this year’s Wi-Fi World Congress USA. Drew Lentz joins the show to recap the... Read more »On the ‘net: Grey Failures and the Law of Large Numbers
You’ve just finished building a 1,000 router fabric using a proper underlay and overlay. You’ve thought of everything, including doing it all with a single SKU, carefully choosing transceivers, using only the best optical cables, and running all the software through a rigorous testing cycle. Time to relax? Perhaps—or perhaps not.
Rule 11 Academy Update 052724
Three new posts this week:
coupon code for first six months for free: BEAG2DRUP0TORNSKUT
Heavy Strategy: Failure and Resilience
Welcome to a crossover episode with the Heavy Strategy podcast! Firing the wrong person, mistakenly rebooting core switches in a massive network, not passing the CCIE exam– today we talk all about failure. For this conversation, we’re joined by fellow Packet Pushers Kyler Middleton and Ned Bellavance, hosts of the Day Two Cloud podcast. We... Read more »HS073: Failure and Resilience
Firing the wrong person, mistakenly rebooting core switches in a massive network, not passing the CCIE exam– today we talk all about failure. For this conversation, we’re joined by fellow Packet Pushers Kyler Middleton and Ned Bellavance, hosts of the Day Two Cloud podcast. We swap stories, discuss response and prevention, and talk about accountability,... Read more »
Subaru Drives Its EyeSight System Forward With AI Augmentation
Several years ago, Subaru set a goal to stop fatal accidents involving its cars in 2030 and is leaning heavily on AI to reach the target. …
Subaru Drives Its EyeSight System Forward With AI Augmentation was written by Jeffrey Burt at The Next Platform.
BGP Route Reflectors Considered Harmful
The recent IBGP Full Mesh Between EVPN Leaf Switches blog post generated an interesting discussion on LinkedIn focused on whether we need route reflectors (in small fabrics) and whether they do more harm than good. Here are some of the highlights of that discussion, together with a running commentary.
Please note that we’re talking about BGP route reflectors in reasonably small data center fabrics. Large service provider networks with millions of customer VPN routes are a completely different story. As always, what you read in a random blog post might not apply to your network design. YMMV.