PMTUD in MPLS-enabled Networks

In the previous post on MSS, MSS Clamping, PMTUD, and MTU, we learned how PMTUD is performed by setting the Don’t fragment flag in the IP header which leads to the device that needs to perform fragmentation dropping the packet and sending ICMP Fragmentation needed packet towards the source. In MPLS-enabled networks, it’s not always possible to send the ICMP packet straight towards the source as the P routers have no knowledge of the customer specific networks. In RFC 3032 – MPLS Label Stack Encoding, such a scenario is described:

Suppose one is using MPLS to "tunnel" through a transit routing
domain, where the external routes are not leaked into the domain's
interior routers.  For example, the interior routers may be running
OSPF, and may only know how to reach destinations within that OSPF
domain.  The domain might contain several Autonomous System Border
Routers (ASBRs), which talk BGP to each other.  However, in this
example the routes from BGP are not distributed into OSPF, and the
LSRs which are not ASBRs do not run BGP.

In this example, only an ASBR will know how to route to the source of
some arbitrary packet.  If an interior router needs  Continue reading

PP030: Volt Typhoon On the Attack, Starlink Joins the Navy, and More Security News

Today’s Packet Protector is an all-news episode. We cover the Volt Typhoon hacker group exploiting a zero-day in Versa Networks gear and a multitude of vulnerabilities in Zyxel network products. We also debate whether Microsoft’s endpoint security summit will be more than a public relations exercise, a serious backdoor in RFID cards used in offices... Read more »

HS082: Citizen Coders: Boon Or Bane?

The low-code/no-code movement means business users who aren’t programmers can create software. This capability might make these citizen coders more efficient and productive, but could also pose risks due to a lack of formal training in software development and security. Is citizen coding a boon or bane to business? Johna Johnson and John Burke discuss... Read more »

A good day to trie-hard: saving compute 1% at a time

Cloudflare’s global network handles a lot of HTTP requests – over 60 million per second on average. That in and of itself is not news, but it is the starting point to an adventure that started a few months ago and ends with the announcement of a new open-source Rust crate that we are using to reduce our CPU utilization, enabling our CDN to handle even more of the world’s ever-increasing Web traffic. 

Motivation

Let’s start at the beginning. You may recall a few months ago we released Pingora (the heart of our Rust-based proxy services) as an open-source project on GitHub. I work on the team that maintains the Pingora framework, as well as Cloudflare’s production services built upon it. One of those services is responsible for the final step in transmitting users’ (non-cached) requests to their true destination. Internally, we call the request’s destination server its “origin”, so our service has the (unimaginative) name of “pingora-origin”.

One of the many responsibilities of pingora-origin is to ensure that when a request leaves our infrastructure, it has been cleaned to remove the internal information we use to route, measure, and optimize traffic for our customers. This has to be Continue reading

Emulating congestion with Containerlab

The Containerlab dashboard above shows variation in throughput in a leaf and spine network due to large "Elephant" flow collisions in an emulated network, see Leaf and spine traffic engineering using segment routing and SDN for a demonstration of the issue using physical switches.

This article describes the steps needed to emulate realistic network performance problems using Containerlab. First, using the FRRouting (FRR) open source router to build the topology provides a lightweight, high performance, routing implementation that can be used to efficiently emulate large numbers of routers using the native Linux dataplane for packet forwarding. Second, the containerlab tools netem set command can be used to introduce packet loss, delay, jitter, or restrict bandwidth of ports.

The netem tool makes use of the Linux tc (traffic control) module. Unfortunately, if you are using Docker desktop, the minimal virtual machine used to run containers does not include the tc module.

multipass launch docker
Instead, use Multipass as a convenient way to create and start an Ubuntu virtual machine with Docker support on your laptop. If you are already on a Linux system with Docker installed, skip forward to the git clone step.
multipass ls
List the multipass virtual machines. 
 Continue reading

Where Retail Meets The Intelligent Edge, Great Things Are Happening

PARTNER CONTENT: Most retailers are saddled with aging, heterogeneous IT environments spread across wide geographical areas, making it difficult to adopt the latest and greatest advancements of the data-driven, artificial intelligence (AI) age.

Where Retail Meets The Intelligent Edge, Great Things Are Happening was written by Timothy Prickett Morgan at The Next Platform.

Live: BGP Labs and Netlab Testing @ SINOG 8

I’ll talk about the BGP labs and the magic behind the scenes that ensures the lab configurations are correct at the SINOG 8 meeting later today (selecting the English version of the website is counter-intuitive; choose English from the drop-down field on the right-hand side of the page).

The SINOG 8 presentations will be live-streamed; I should start around 13:15 Central European Time (11:15 GMT; figuring out the local time is left as an exercise for the reader).

Watch the live stream

More NPM packages on Cloudflare Workers: Combining polyfills and native code to support Node.js APIs

Today, we are excited to announce a preview of improved Node.js compatibility for Workers and Pages. Broader compatibility lets you use more NPM packages and take advantage of the JavaScript ecosystem when writing your Workers.

Our newest version of Node.js compatibility combines the best features of our previous efforts. Cloudflare Workers have supported Node.js in some form for quite a while. We first announced polyfill support in 2021, and later built-in support for parts of the Node.js API that has expanded over time.

The latest changes make it even better:

To give it a try, add the following flag to wrangler.toml, and deploy your Worker with Wrangler:

compatibility_flags = ["nodejs_compat_v2"]

Packages that could not be imported with nodejs_compat, even as a dependency of another package, will now load. This Continue reading

Looking for 240/4 Addresses

In the IANA IPv4 Address registry a block of addresses, 240.0.0.0/4 is marked as reserved for "Future Use"". If we have run out of available IPv4 addresses, then why are some quarter of a billion IPv4 addresses still sitting idle in an IANA registry waiting for an undefined Future Use?

Weekend Reads 090724


A federal judge struck down a Biden administration rule on Tuesday that banned employers from using noncompete agreements, which would have affected the contracts of millions of Americans.


The Open Compute Project, the org best known for offering designs for hyperscale hardware, has rounded up AWS, Google, Meta, and Microsoft to help it test concrete.


Recent trends show that ransomware attacks continue to grow more advanced and persistent.


When you are designing applications that run across the scale of an entire datacenter and that are comprised of hundreds to thousands of microservices running on countless individual servers and that have to be called within a matter of microseconds to give the illusion of a monolithic application, building fully connected, high bi-section bandwidth Clos networks is a must


The National Institute of Standards and Technology (NIST) just released three finalized standards for post-quantum cryptography (PQC) covering public key encapsulation and two forms of digital signatures. In progress since 2016, this achievement represents a major milestone towards standards development that will keep information on the Internet secure and confidential for many years to come.


Linearity is one of the greatest success stories in mathematics. According to Encyclopedia Britannica, “Unlike other parts of Continue reading

Optimizing OSPF RFC Access with Serper API and Large Language Models

Disclaimer: All Writings And Opinions Are My Own And Are Interpreted Solely From My Understanding. Please Contact The Concerned Support Teams For A Professional Opinion, As Technology And Features Change Rapidly.

This series of blog posts will focus on one feature at a time to simplify understanding.

At this point, ChatGPT—or any Large Language Model (LLM)—needs no introduction. I’ve been exploring GPTs with relative success, and I’ve found that API interaction makes them even more effective.

But how can we turn this into a workflow, even a simple one? What are our use cases and advantages? For simplicity, we’ll use the OpenAI API rather than open-source, self-hosted LLMs like Meta’s Llama.

Let’s consider an example: searching for all OSPF-related RFCs on the web. Technically, we’ll use a popular search engine, but to do this programmatically, I’ll use Serper. You can find more details at https://serper.dev. Serper is a powerful search API that allows developers to programmatically access search engine results. It provides a simple interface to retrieve structured data from search queries, making it easier to integrate search functionality into applications and workflows.

Let’s build the first building block and try to fetch results using Serper. When you sign Continue reading

Network CI/CD – Configuration Management with Napalm and Nornir

Network CI/CD - Configuration Management with Napalm and Nornir

Hi all, welcome back to part 4 of the Network CI/CD blog series. So far, we've covered the purpose of a Network CI/CD pipeline, the problems it solves for Network Engineers, and how to set up GitLab, including creating projects, installing runners, and understanding GitLab executors. We also looked at how to use GitLab variables to securely hide secrets.

In this part, we'll explore how to manage a campus network using Nornir and Napalm and deploy configurations through a CI/CD pipeline. Let's get to it!

Network CI/CD Pipeline - What’s the Point?
Hi all, welcome to the ‘Network CI/CD’ blog series. To kick things off, let’s ask the question, “Why do we even need a CI/CD pipeline for networks?” Instead of diving straight into technical definitions
Network CI/CD - Configuration Management with Napalm and NornirPacketswitchSuresh Vina
Network CI/CD - Configuration Management with Napalm and Nornir

As I mentioned previously, I'm not a CI/CD expert at all and I'm still learning. The reason for creating this series is to share what I learn with the community. The pipeline we are building is far from perfect, but that's okay. The goal here is to create a simple pipeline that works and then build upon it as we go. This way, you can start small and gradually Continue reading

HN748: How AI and HPC Are Changing Data Center Networks

On today’s episode of Heavy Networking, Rob Sherwood joins us to discuss the impact that High Performance Computing (HPC)and artificial intelligence computing are having on data center network design. It’s not just a story about leaf/spine architecture. That’s the boring part. There’s also power and cooling issues, massive bandwidth requirements, and changes in how we... Read more »

TNO002: How Simplification Helps MSPs Scale

Simplification is the theme of today’s episode. Host Scott Robohn and guest Jack Maxfield explore the operational impacts of simplification for a Managed Service Provider (MSP). They discuss the challenges of managing multi-vendor environments and how to use templating and tools to simplify the management process. Proactive client communication and the integration of network and... Read more »

Technology Short Take 182

Welcome to Technology Short Take #182! I have a slightly bulkier list of links for you today, bolstered by some recent additions to my RSS feeds and supplemented by some articles I found through social media. There should be enough here to keep folks entertained this weekend—enjoy!

Networking

Servers/Hardware

  • I thought this write-up of Andy Bechtolsheim’s keynote at Hot Interconnects 2024 was an interesting summary of where we could see hardware development go in the next 4 years.
  • It turns out that Yubikeys—hardware security keys—are subject to a potential cloning vulnerability, although it does require physical access Continue reading
1 126 127 128 129 130 3,857