Hedge 255: Open Multi-perspective Issuance

One of the various attack surfaces in encryption is insuring the certificates used to share the initial set of private keys are not somehow replaced by an attacker. In systems where a single server or source is used to get the initial certificates, however, it is fairly easy for an attacker to hijack the certificate distribution process.

Henry Birge-Lee joins us on this episode of the Hedge to talk about extensions to existing certificate systems where a certificate is pulled from more than one source. You can find his article here.

download

N4N009: High-Speed Ethernet Lanes Explained

On today’s episode, we’re explaining high-speed Ethernet lanes at the request of listener Matthew. We cover lanes, channels, and their physical representation in networking – think actual cables. We explain both 40Gb and 100Gb technologies and compare them to Link Aggregation Control Protocol (LACP). We also have a discussion on standards and practical implications for... Read more »

Red Hat Woos VMware Shops With OpenShift Virtualization Engine

Broadcom’s $61 billion acquisition of VMware in November 2023 and the subsequent changes to venerable virtualization company’s business model and pricing have rankled many long-time enterprise users, a situation that has been highly publicized despite assertions by Broadcom and VMware executives that such reports are little than FUD – short for fear, uncertainty, and doubt.

Red Hat Woos VMware Shops With OpenShift Virtualization Engine was written by Jeffrey Burt at The Next Platform.

Cloud Monitoring’s Blind Spot: The User Perspective

The evolution of internet-centric application delivery has worsened IT’s visibility gaps into what impacts an end user’s experience. This problem is exacerbated when these gaps lead to negative business consequences, such as loss of revenue or lower Net Promoter Scores (NPS). The need to address this worsening visibility gap problem is reinforced by Gartner’s recent publication of its first

Comparing IGP and BGP Data Center Convergence

A Thought Leader1 recently published a LinkedIn article comparing IGP and BGP convergence in data center fabrics2. In it, they3 claimed that:

iBGP designs would require route reflectors and additional processing, which could result in slightly slower convergence.

Let’s see whether that claim makes any sense.

TL&DR: No. If you’re building a simple leaf-and-spine fabric, the choice of the routing protocol does not matter (but you already knew that if you read this blog).

PP045: Reducing the Risk of Compromised Digital Certificates with CAA and Certificate Transparency

Transport Layer Security (TLS) relies on certificates to authenticate Web sites and enable encryption. On today’s Packet Protector we look at mechanisms that domain owners can take to ensure the validity of their digital certificates. More specifically, we cover Certification Authority Authorization (CAA) and Certificate Transparency (CT). Our guest is Ed Harmoush. Ed is a... Read more »

Demonstrating reduction of vulnerability classes: a key step in CISA’s “Secure by Design” pledge

In today’s rapidly evolving digital landscape, securing software systems has never been more critical. Cyber threats continue to exploit systemic vulnerabilities in widely used technologies, leading to widespread damage and disruption. That said, the United States Cybersecurity and Infrastructure Agency (CISA) helped shape best practices for the technology industry with their Secure-by-Design pledge. Cloudflare signed this pledge on May 8, 2024, reinforcing our commitment to creating resilient systems where security is not just a feature, but a foundational principle.

We’re excited to share an update aligned with one of CISA’s goals in the pledge: To reduce entire classes of vulnerabilities. This goal aligns with the Cloudflare Product Security program’s initiatives to continuously automate proactive detection and vigorously prevent vulnerabilities at scale.   

Cloudflare’s commitment to the CISA pledge reflects our dedication to transparency and accountability to our customers. This blog post outlines why we prioritized certain vulnerability classes, the steps we took to further eliminate vulnerabilities, and the measurable outcomes of our work.

The core philosophy that continues: prevent, not patch

Cloudflare’s core security philosophy is to prevent security vulnerabilities from entering production environments. One of the goals for Cloudflare’s Product Security team is to champion this philosophy and ensure Continue reading

Weird Junos IS-IS Metrics

As part of the netlab development process, I run almost 200 integration tests on more than 20 platforms (over a dozen operating systems), and the amount of weirdness I discover is unbelievable.

Today’s special: Junos is failing the IS-IS metrics test.

The test is trivial:

  • The device under test is connected to two IS-IS routers (X1 and X2)
  • It has a low metric configured on the link with X1 and a high metric configured on the link with X2

The validation process is equally trivial:

NB509: FCC to Raise Funds for Rip-and-Replace of Chinese Telco Gear; Billionaire Space Race Takes Off

Take a Network Break! We start with serious CVEs for Perl and Ivanti. On the news front, the FCC wants to license spectrum to raise money to help US telcos rip out Chinese network equipment–even though there’s no evidence Chinese equipment led to telco intrusions by Chinese attackers. Verizon boasts of 5.5Gbps download speeds on... Read more »

netlab: Multi-Site VLANs

Imagine you want to create a simple multi-site network with netlab:

  • The lab should have two sites (A and B).
  • Each site has a layer-3 switch, a single VLAN (VLAN 100), and two hosts connected to that VLAN.
  • As you don’t believe in the magic powers of stretched VLANs, you have a layer-3 (IPv4) link between sites.
Network diagram

Network diagram