From bare-metal to Kubernetes

This is a guest post by Hugues Alary, Lead Engineer at Betabrand, a retail clothing company and crowdfunding platform, based in San Francisco. This article was originally published here.
Network Break 229: Aruba Announces New Wi-Fi Products; Intel Targets The Data Center
On today's Network Break we examine new product announcements from Aruba and Intel, discuss Amazon's plans to launch broadband satellites, analyze Kemp Technologies' acquisition by a private equity company, and more tech news.
The post Network Break 229: Aruba Announces New Wi-Fi Products; Intel Targets The Data Center appeared first on Packet Pushers.
[Sponsored] Short Take – Network Reliability Engineering
In this Network Collective Short Take, Matt Oswalt joins us to talk about the value of network reliability engineering and the unique approach Juniper is taking to empower engineers to learn the tools and techniques of automation with NRE Labs.
Thank you to Juniper Networks for sponsoring today’s episode and supporting the content we’re creating here at Network Collective. If you would like to take the next steps in your automation journey, NRE Labs is a no-strings-attached resource to help you in that journey. You can find NRE Labs at https://labs.networkreliability.engineering.
The post [Sponsored] Short Take – Network Reliability Engineering appeared first on Network Collective.
My Team’s Blogs
I’m thankful to have the opportunity to work with an amazing team. Many of my teammates also produce some very useful content via their own sites, and so I thought it might be useful to my readers to share a list of links to my teammates’ blogs.
Without further ado, here is a list of my teammates who have a blog; each entry is a link to the respective site (these are presented in no particular order):
- John Harris
- Jim Weber
- Josh Rosso
- Alexander Brand
- Nicholas Lane
- Dan Finneran
- Hart Hoover
- Duffie Cooley
- Stephen Augustus (as of this post Stephen hadn’t yet updated his affiliation—c’mon Stephen, get with the program!)
- Timmy Carr
- Carl Danley (not fully live yet)
- Olive Power (not fully live yet)
- Koushik Radhakrishnan (not fully live yet)
I know I’ve gained valuable insight from some of their content, and I hope you do as well.
Juniper Bets On the Enterprise With Cloud-Delivered SD-WAN
The company leveraged its purchase of Mist to extend cloud management to the full enterprise beyond...
ACI MultiPod – Enable Standby APIC
APIC Controller Cluster: You actually need three APIC controller servers to get the cluster up and running in a complete and redundant ACI system. You can actually work with only two APICs and you will still have a cluster quorum and will be able to change ACI Fabric configuration. Losing One Site: In the MultiPod, those three controllers need to be distributed so that one of them is placed in the secondary site. The idea is that you still have a chance to keep your configuration on one remaining APIC while completely losing the primary site with two APICs. On the other
The post ACI MultiPod – Enable Standby APIC appeared first on How Does Internet Work.
Last Week on ipSpace.net (2019W14)
Last Thursday I started another experiment: a series of live webinar sessions focused on business aspects of networking technologies. The first session expanded on the idea of three paths of enterprise IT. It covered the commoditization of IT and networking in particular, vendor landscape, various attempts at segmenting customers, and potential long-term Enterprise IT paths. Recording is already online and currently available with standard subscription.
Although the attendance was lower than usual, attendees thoroughly enjoyed it – one of them sent me this: “the value of ipSpace.net is that you cut through the BS”. Mission accomplished ;)
How bad can it git? Characterizing secret leakage in public GitHub repositories
How bad can it git? Characterizing secret leakage in public GitHub repositories Meli et al., NDSS’19
On the one hand you might say there’s no new news here. We know that developers shouldn’t commit secrets, and we know that secrets leaked to GitHub can be discovered and exploited very quickly. On the other hand, this study goes much deeper, and also provides us with some very actionable information.
…we go far beyond noting that leakage occurs, providing a conservative longitudinal analysis of leakage, as well as analyses of root causes and the limitations of current mitigations.
In my opinion, the best time to catch secrets is before they are ever committed in the first place. A git pre-commit hook using the regular expressions from this paper’s appendix looks like a pretty good investment to me. The pre-commit hook approach is taken by TruffleHog, though as of the time this paper was written, TruffleHog’s secret detection mechanisms were notably inferior (detecting only 25-29%) to those developed in this work (§ VII.D). You might also want to look at git-secrets which does this for AWS keys, and is extensible with additional patterns. For a belt and braces approach, also Continue reading
DNS Privacy at IETF 104
From time to time the IETF seriously grapples with its role with respect to technology relating to users' privacy. Should the IETF publish standard specifications of technologies that facilitate third party eavesdropping on communications or should it refrain from working on such technologies? Should the IETF take further steps and publish standard specifications of technologies that directly impede various forms of third party eavesdropping on communications? Is a consistent position from the IETF on personal privacy preferred? Or should the IETF be as agnostic as possible and publish protocol specifications based solely on technical coherency and interoperability without particular regard to issues of personal privacy? This issue surfaced at IETF 104 in the context of discussions of DNS over HTTPS, or DOH.
Celebrating 50 Years of the RFCs That Define How the Internet Works

50 years ago today, on 7 April 1969, the very first “Request for Comments” (RFC) document was published. Titled simply “Host Software”, RFC 1 was written by Steve Crocker to document how packets would be sent from computer to computer in what was then the very early ARPANET. [1]
Steve and the other early authors were just circulating ideas and trying to figure out how to connect the different devices and systems of the early networks that would evolve into the massive network of networks we now call the Internet. They were not trying to create formal standards – they were just writing specifications that would help them be able to connect their computers. Little did they know then that the system they developed would come to later define the standards used to build the Internet.
Today there are over 8,500 RFCs whose publication is managed through a formal process by the RFC Editor team. The Internet Engineering Task Force (IETF) is responsible for the vast majority (but not all) of the RFCs – and there is strong process through which documents move within the IETF from ideas (“Internet-Drafts” or “I-Ds”) into published standards or informational documents[2].
50 years Continue reading
Weekly Top Posts: 2019-04-07
- NFV Challenges Abound, a Leaning Beckons
- OCP Summit: Moving on From Snow White and the Seven Dwarfs
- Orange Spain Trumpets 5G NR SA Test With ZTE
- NEC Deploys Open Source-Based SD-WAN, Security Platform at Malaysian University
- NetApp’s Ingo Fuchs on the Hybrid Cloud’s Best-of-Breed Approach
Worth Reading: Email Event Horizon
If you're at least vaguely familiar with modern black hole theories, you'll totally enjoy the concept of email event horizon.
ONF Releases Trio of Reference Designs With Buy-In From Operators, Vendors
The reference designs offer a peek inside the brains of operators, Timon Sloane, VP of marketing...
Heavy Networking 439: When Routine Turn-Ups Turn Evil
On Heavy Networking, Chris Parker joins Ethan Banks to delve into the details of a perplexing troubleshooting session with a recalcitrant firewall, how the problem was finally solved, and what Chris learned from the experience.
The post Heavy Networking 439: When Routine Turn-Ups Turn Evil appeared first on Packet Pushers.
Feature Friday: A Chat With Security Experts
DockerCon brings industry leaders and experts of the container world to one event where they share their knowledge, experience and guidance. This year is no different. For the next few weeks, we’re going to highlight a few of our amazing speakers and the talks they will be leading.
In this second highlight, we have several industry experts on container and application security that we’re excited to have sharing their knowledge at DockerCon. We’re going to have sessions covering network security, a dissection of a real world Kubernetes vulnerability (and what to do about it), encrypted containers, and the new AWS Firecracker “micro-VM” for containers, just to name a few.
In case you missed it, you can also see our first speaker highlight here, featuring storage, service mesh and networking experts.
Zero Trust Networks Come to Docker Enterprise Kubernetes
More on their session here.
Tigera Software Developer
Docker Technical Alliances
What is your breakout about?
Brent: Docker Enterprise with Calico for networking being used in conjunction with Istio is an exciting intersection of securing various layers of networking – all from a single policy interface.
Spike: The Docker-Calico-Istio combination Continue reading