Routing Security – Getting Better, But No Reason to Rest!

Editor’s note: This is an abridged version of a post that was first published on MANRS.org. Read the full version.

In January last year I looked back at 2017 trying to figure out how routing security looked like globally and on a country level. I used BGPStream.com – a great public service providing information about suspicious events in the routing system.

The metrics I used for this analysis were number of incidents and networks involved, either by causing such incidents, or being affected by them.

An ‘incident’ is a suspicious change in the state of the routing system that can be attributed to an outage or a routing attack, like a route leak or hijack (either intentional or due to a configuration mistake). BGPStream is an operational tool that tries to minimize false positives, so the number of incidents may be on the low side.

Of course, there are a few caveats with this analysis – since any route view is incomplete and the intents of the changes are unknown, there are false positives. Some of the incidents went under the radar. Finally, the country attribution is based on geo-mapping and sometimes gets it wrong.

However, even if Continue reading

Ubuntu 18.04 Overheating

Since the upgrade from Ubuntu 16.04 LTS to Ubuntu 18.04, my laptop ASUS k55VM) is overheating and goes to critical temperature shutdown. The temperature varies between 70 and 85°C with doing nothing and then goes up to 95 with watching YouTube videos before shutdown. I have tried to clean fans from dust, blacklisted noveau driver but nothing helped. Finally, I have been successful with searching for workaround that is working for me. The issue here is intel_pstate scaling driver which does not reduce the processor speed when temperature increases.

The driver is not modular and it is built-in with kernel so we cannot unload it. However, we can disable it at boot by editing grub configuration. Firstly, check if your system is using the intel_pstate frequency scaling driver. If not, overheating is not caused by the intel_pstate driver and you need to figure out the cause by yourself.

$ cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_driver

intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate

Solution 1 - Disabling intel_pstate at Boot by Editing Grub Configuration

Open /etc/default/grub with editor and locate the line that begins with:

GRUB_CMDLINE_LINUX_DEFAULT

Add intel_pstate=disable at the end of that string as below.

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash intel_pstate=disable"

Now, execute:

Update Continue reading

The Modern Healthcare Enterprise

JU-Healthcare-Blog

Until now the intersection of human healthcare and networking machines was somewhat loosely coupled. Healthcare has been historically stymied by regulations and compliance issues making the adoption of modern IT challenging. Yet today in a quest for longer and healthier lives we are driven by metrics to monitor our health, measure continuous feedback of our heart, breathing and track our physical activity and exercise. Digital healthcare is impacting the continuum of patient care and the overall patient experience, generating exponential increases in data, and creating unprecedented demand for increased network speeds and agility. Just as the financial industry took to modernizing real time banking, the time has arrived to leverage the power of the network to modernize healthcare.

How AI can improve network capacity planning

Network capacity planning aims to ensure that sufficient bandwidth is provisioned, allowing network SLA targets, such as delay, jitter, loss, and availability, to be reliably met. It's a complex, error-prone task with serious financial implications. Until recently, the network data necessary for insightful capacity planning was generally only available via static, historical, after-the-fact reports. This situation is now rapidly changing.To read this article in full, please click here(Insider Story)

How AI can improve network capacity planning

Network capacity planning aims to ensure that sufficient bandwidth is provisioned, allowing network SLA targets, such as delay, jitter, loss, and availability, to be reliably met. It's a complex, error-prone task with serious financial implications. Until recently, the network data necessary for insightful capacity planning was generally only available via static, historical, after-the-fact reports. This situation is now rapidly changing.To read this article in full, please click here(Insider Story)

Helping To Build Cloudflare, Part 5: People: Finding, Nurturing and Learning to Let Go

This is part 5 of a six part series based on a talk I gave in Trento, Italy. To start from the beginning go here.

So, let me talk a bit about people. Software is made by people. Sometimes individuals but more likely by teams. I’ve talked earlier about some aspects of our architecture and our frequent rewrites but it’s people that make all that work.

And, honestly, people can be an utter joy and a total pain. Finding, keeping, nurturing people and teams is the single most important thing you can do in a company. No doubt.

Finding People

Finding people is really hard. Firstly, the technology industry is booming, and so engineers have a lot of choices. Countries create special visas just for them. Politicians line up to create mini-Silicon Valleys in their countries. Life is good!

But the really hard thing is interviewing. How do you find good people from an interview? I don’t know the answer to that. We put people through on average 8 interviews and a pair programming exercise. We look at open source contributions. Sometimes we look at people’s degrees.

We tend to look for potential. An old boss used to say, “Don’t Continue reading

Juniper RIPv2

4 steps to configure RIPv2. Define a RIP group Assign interfaces to the RIP group Define a routing policy to export routes Assign the routing policy to the RIP group Configuration Define a RIP group. cmd set protocols rip group RIP-GROUP Assign interfaces to the RIP...continue reading

Juniper OSPFv2

3 steps to configure OSPFv2. Create a router-id (optional) Assign OSPF neighbor facing interfaces to OSPF area Inject routes into OSPF via passive interfaces Configuration Create a router-id. cmd set routing-options router-id 10.255.1.1 Assign OSPF neighbor facing...continue reading

Leveraging Desktop Real Estate To Decrease Distractions

I use a dual-monitor setup. In my setup, the main screen sits centered directly in front of me. The secondary screen, which is slightly smaller, is off to one side. The real estate provided by the two screens gives me plenty of pixels across which to splash my applications–ample “screenery.”

I use my screenery productively when recording podcasts. I display a script, conferencing app, and recording tool without having to switch between them. Research productivity is also enhanced. I display a note-taking app front and center, with research subject matter like a video presentation, Kindle book, or PDF off to the side.

No Pixel Left Behind

Acres of screenery has benefits, but lots of screen space is also a potential distraction. I fight the desire to fill every pixel with an application. If I don’t use all the pixels, I must be wasting desktop space, right? I don’t want to waste my not inconsiderable investment in fancy monitors. Hmm. Sounds like an example of the sunk cost fallacy.

Desktop operating system developers have catered to my craving, adding sticky edges to windows that ensure not a single pixel is wasted. I can make my window edges stick to each Continue reading

Understanding CSPF and the TED

In our last post, we talked about one of the major differences between LDP and RSVP – the ability to define EROs or explicit route objects. We demonstrated how we could configure LSP paths through our network by providing a set of loose or strict next hops for the LSP to take. This was a rather huge paradigm shift because it meant we could define paths that didn’t align with what the IGP thought to be the best path through the network. What we didn’t talk about was how the ingress router determined if these paths were feasible. In this post, we’ll deep dive on the traffic engineering database (TED) and how it works in conjunction with the constrained shortest path first (CSPF) algorithm to build RSVP LSPs through a network.

It’s important to remember that the ingress label switching router (LSR) is really the thing doing most of the work in regards to setting up RSVP LSPs. Well – to be fair – the egress LSR is the one that actally sends the RESV message back toward the ingress LSR with the label information which is what’s required for the LSP to work. However – the ingress LSR Continue reading

SDN Ate My Hamster

I posted a Tweet the other day which gained a lot of attention in the networking community:

As SDN gains more traction, people start fearing for their jobs. Some jobs will decrease in demand and some will disappear entirely. However, we can’t stop progress just to keep those jobs hanging around. In the Twitter thread I made what could be seen as an elitist comment:


If you are replaceable by a script or controller, you were never a Network Engineer to begin with.

This was not meant to insult anyone, but rather be a wake-up call. If the only value you provide to the business is that you deploy templates someone else created, configure VLANs on a trunk, or can trace a flapping MAC in the network, you need to reskill and find ways of providing more value. This is not about Junior vs Senior. It’s Continue reading

Research: User Fairness as a Quality of Service Problem

In networks, we tend to think of Quality of Service (QoS) relating primarily to classes of traffic. These classes of traffic, in turn, are grounded in application behavior driven by user expectations. For instance, users expect voice communications to be near real time so conversation can take place “normally,” which means delay must be held to a minimum. In order to provide support for the CODECs that make voice communication possible, jitter must be tightly controlled, as well; it is often better to drop a packet outside some jitter bounds than to deliver it. ‘Net neutrality, on the other hand, tends to see the key factor as access to a particular service.

In this diagram, assume Y and Z are two different video streaming services; A is streaming video from Y, while B is streaming from Z. The argument of ‘net neutrality is that the provider who runs the E to F link (or the network represented by that single link) should not be allowed to prefer the service at Y over Z (or the other way around). One of the basic problems with ‘net neutrality is the problem of not preferring one content provider over another is not as Continue reading

The Black Elephant in the Room

The Black Elephant in the Room

When I come to work at Cloudflare, I understand and believe in this main purpose of why we exist: Helping to Build a Better Internet.

The reason why we feel like we can help build a better internet is simply because we believe in values that instill a nature of freedom, privacy, and empowerment in the tool that helps individuals broaden their intellectual and cultural perspective on the daily.

Knowing all of this, our own great company needs to be able to build itself daily into a better company. And that starts with having those conversations which are always uncomfortable. And let me be clear in saying this, being uncomfortable is a good thing because that makes one grow and not be stagnant. Saying all that, here we go...

The Afrocultural community at Cloudflare should take pride in being diverse and inclusive for all just as we all work together to help build a better internet for all.

And one of the many ways we can build upon this effort is to do more than just belong in a work place and eventually build off of that, feeling normal over time. When I mean belong, it’s more than the "Impostor Continue reading

Coppell ISD Integrates Security into Infrastructure via VMware AppDefense

What do you get when you provide 12,800 kids with technology and programming classes? You get 12,800 people who are getting ready for the modern workforce of today and tomorrow. You also get 12,800 potential vulnerabilities. With the growing quantity of phishing emails, ransomware and malware that Coppell Independent School District (CISD) already had to combat with a small staff, this Texas school system was looking for smarter solutions.

“All these students who have taken programming classes, they’re often looking to bypass administrative privileges, looking for ways around the internet filters, or looking for ways to play games on the school computers,” said Stephen McGilvray, CISD Executive Director of Technology. “So, in addition to all these external threats we have to worry about, we also have a bunch of homegrown, internal threats.”

The school district recently underwent a data center refresh, which included updates for VMware vSphere, VMware App Volumes and VMware Horizon, and launched the implementation of VMware NSX Data Center. During the refresh, their VMware sales rep told them about a relatively new security product called VMware AppDefense.

At its core, AppDefense shifts the advantage from attackers to defenders by determining and ensuring good application Continue reading

1 1,282 1,283 1,284 1,285 1,286 3,797