NetworkingNexus.net

Istio 1.23 Drops the Sidecar for a Simpler ‘Ambient Mesh’

Louis Ryan, CTO, Solo.io The Istio service mesh software offers a potentially big change in how to handle Kubernetes traffic, with the introduction of an ambient mesh option. Although the technology has been offered as an experimental feature for several releases, the core development team taking feedback from users, this is the first release to offer the feature as a production-grade capability. It’s a new architecture entirely, explained Solo.io, as well as a member of Idit Levine, founder and CEO of Solo.io. Once applications are decomposed into individual services, these services require a way to communicate. Hence it made sense to festoon each Continue reading

NB491: Cisco Revenues Drop 10% in Q4; Texas Instruments Get $1.6 Billion for Chip Factories

Take a Network Break! Hackers may have stolen millions of US Social Security numbers, HPE acquires a multi-cloud management company, and Cisco announces plans to lay off 7% of its employees. Pure Storage joins industry efforts to make Ethernet suitable for AI workloads by signing on to the Ultra Ethernet Consortium, Texas Instruments will add... Read more »

Dropped packet metrics with Prometheus and Grafana

Dropped packets due to black hole routes, buffer exhaustion, expired TTLs, MTU mismatches, etc. can result in insidious connection failures that are time consuming and difficult to diagnose. Dropped packet notifications with Arista Networks, VyOS dropped packet notifications and Using sFlow to monitor dropped packets describe implementations of the sFlow Dropped Packet Notification Structures extension for Arista Networks switches, VyOS routers, and Linux servers respectively, providing end to end visibility into packet drop events (including switch port, drop reason and packet header for each dropped packet).

Flow metrics with Prometheus and Grafana describes how define flow metrics and create dashboards to trend the flow metrics over time. This article describes how the same setup can be used to define and trend metrics based on dropped packet notifications.

  - job_name: sflow-rt-drops
    metrics_path: /app/prometheus/scripts/export.js/flows/ALL/txt
    static_configs:
      - targets: ['sflow-rt:8008']
    params:
      metric: ['dropped_packets']
      key:
        - 'node:inputifindex'
        - 'ifname:inputifindex'
        - 'reason'
        - 'stack'
        - 'macsource'
        - 'macdestination'
        - 'null:vlan:untagged'
        - 'null:[or:ipsource:ip6source]:none'
        - 'null:[or:ipdestination:ip6destination]:none'
        - 'null:[or:icmptype:icmp6type:ipprotocol:ip6nexthdr]:none'
      label:
        - 'switch'
        - 'port'
        - 'reason'
        - 'stack'
        - 'macsource'
        - 'macdestination'
        - 'vlan'
        - 'src'
        - 'dst'
        - 'protocol'
      value: ['frames']
      dropped: ['true']
      maxFlows: ['20']
      minValue: ['0.001']

The Prometheus scrape configuration above is used to Continue reading

Why AMD Spent $4.9 Billion To Buy ZT Systems

If AMD is willing and eager to spend $4.9 billion to buy a systems company – that is more than its entire expected haul for sales of datacenter GPUs for 2024 – then you have to figure that acquisition is pretty important. …

Why AMD Spent $4.9 Billion To Buy ZT Systems was written by Timothy Prickett Morgan at The Next Platform.

Summer 2024 weather report: Cloudflare with a chance of Intern-ets

During the summer of 2024, Cloudflare welcomed approximately 60 Intern-ets from all around the globe on a mission to #HelpBuildABetterInternet. Over the course of their internships, our wonderful interns tackled real-world challenges from different teams all over the company and contributed to cutting-edge projects. As returning interns, we – Shaheen, Aaron, and Jada – would like to show off the great work our cohort has done and experiences we’ve had throughout our time here.

Austin Interns after volunteering at the Central Texas Food Bank.

Putting the SHIP in internSHIP

Cloudflare interns take pride in driving high-impact initiatives, playing a vital role in advancing Cloudflare's mission. With our diverse roles and projects this summer, we'd love to highlight some of the exciting work we've been involved in:

Rahul, a Software Engineer intern, built a system to autograde intern application assignments for future students looking to join Cloudflare. It was built entirely on the Cloudflare Developer Platform, using Cloudflare Access, Browser Rendering, D1, Durable Objects, R2, and Workers!

Jessica, a Software Engineer intern, created a new threads api for the Workers AI team that automatically recalls past messages when running inference, helping developers to Continue reading

Why Are OSPF Type 5 LSAs Flooded?

I recently saw a great question on Reddit, on why Type-5 (AS-external) LSAs are flooded, in comparison to Type-3 (Summary) that are regenerated at the ABR. To investigate this, we’ll use the following simple topology where R2 and R3 are ABRs:

OSPF Behavior Type-3 LSAs

Let’s see how OSPF handles Summary LSAs. Let’s first look at Area 1, where R4 is advertising 169.254.0.0/24 into it. This can be seen in the LSDB of R2:

R2#show ip ospf data router 203.0.113.4

            OSPF Router with ID (203.0.113.2) (Process ID 1)

                Router Link States (Area 1)

  LS age: 74
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 203.0.113.4
  Advertising Router: 203.0.113.4
  LS Seq Number: 80000009
  Checksum: 0x1DF0
  Length: 84
  Number of Links: 5

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 169.254.0.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 203.0.113.3
     (Link Data) Router Interface address: 192.0.2.14
      Number of MTID metrics: 0
       TOS 0  Continue reading

BGP Session and Address Family Parameters

As I was doing the final integration tests for netlab release 1.9.0, I stumbled upon a fascinating BGP configuration quirk: where do you configure the allowas-in parameter and why?

A Bit of Theory

BGP runs over TCP, and all parameters related to the TCP session are configured for a BGP neighbor (IPv4 or IPv6 address). That includes the source interface, local AS number (it’s advertised in the per-session OPEN message that negotiates the address families), MD5 password (it uses MD5 checksum of TCP packets), GTSM (it uses the IP TTL field), or EBGP multihop (it increases the IP TTL field).

Linux: Display and Manage IP Address Settings

Modern computers and their users rely on network connectivity for nearly everything, including cloud-based applications, software access, data access and communication. It seems that every aspect of computing relies on networking. Linux workstations and servers are no different in this necessity than Windows or macOS systems. One of a Linux sysadmin’s primary responsibilities is ensuring network connectivity. This requires understanding the system’s identity on the network and configuring it to participate in network data exchanges. Linux systems have three identities on a network. Various network devices use each identity differently. Here are the three identities with a summary of their use: Hostname: A human-friendly name providing users and administrators with an easy way to identify a node. IP address: A logical address routers and network configuration tools use to identify the system. MAC address: A physical address on the network interface card (NIC) that uniquely identifies it to switches and other Layer 2 devices. For example, a computer’s three identities might look like this: Hostname: computer27 IP address: 192.168.2.200 MAC address: 00:1c:42:73:8d:f2 The use and function of these three network identities are assumed knowledge for this article. Be sure to review basic network information Continue reading

How to Create VyOS Firewall Rules?

Hi all, welcome back to another blog post on VyOS. In the previous post, we covered how to install VyOS and set up the initial configurations. In this blog post, we'll cover how to configure firewall rules in VyOS. To demonstrate, we'll create a hypothetical office setup with a VyOS router/firewall. The router will have two interfaces - one facing the Users and another facing the Internet. Our goal is to allow the Users subnet to access the Internet for ICMP, DNS, and general web traffic.

Diagram

Our example is based on the following diagram. I don't have a public IP address on my lab but just play along and pretend that 10.10.0.7 is a public IP 😊 (This IP is behind my ISP's router)

As you can see in the diagram, the VyOS router has two interfaces. The interface connected to the Users subnet (Eth1) has an IP address of 10.1.1.1/24. There's also a test machine in this subnet with the IP address 10.1.1.15. Our goal is to ensure that this test machine can successfully ping an Internet IP address and browse the general Internet.

VyOS Firewall Basics

I Continue reading

Palo Alto Firewall For Absolute Beginners

Hi all, if you are here, I assume you're looking to learn about Palo Alto Firewalls, and you've come to the right place. In this blog post, we will cover the very basics of Palo Alto firewalls and how to get started.

Prerequisites

This blog post assumes you have a basic understanding of networking concepts such as routing, Layer 3 interfaces, traffic flow, subnets, and the necessity of a firewall. If you’ve previously used firewalls from different vendors, that’s even better, and you should find it easier to understand the concepts. When I first started with Palo Alto firewalls, I was already working as a network engineer and had experience with Cisco ASA firewalls. However, it still took some time for me to fully understand the nuances. Therefore, my focus here is to explain the nuances of Palo Alto firewalls using simple examples.

What We Will Cover?

In this post, we’ll touch on several key topics related to Palo Alto firewalls, providing an overview without diving too deep into any single area. I’ve written numerous posts on Palo Alto firewalls, and I will include links to those for more in-depth exploration. Here’s what we’ll cover.

Firewall Basics and Why We Continue reading

Inter-Domain Traffic-Engineering Based MPLS-LSPs

Recently I was exploring solution to have inter-domain traffic-engineerig based MPLS LSPs and came up with following writeup (after going through relevant rfc and vendor Implementation document (my favourite Junos). Please glance through it on my github home page. thanks

https://github.com/kashif-nawaz/Inter-Domain-Traffic-Engineering-and-MPLS-LSPs

HN745: Using Abstractions in Automation

Today’s episode of Heavy Networking comes to you from AutoCon1 in Amsterdam, recorded live on premises. In today’s network automation discussion, we cover abstraction layers with guest Jaakko Rautanen. Practically speaking, what are abstractions, and how do they help make your network automation project successful? We’ll also discuss some of our guest’s automation projects, how... Read more »

A wild week in phishing, and what it means for you

Being a bad guy on the Internet is a really good business. In more than 90% of cybersecurity incidents, phishing is the root cause of the attack, and during this third week of August phishing attacks were reported against the U.S. elections, in the geopolitical conflict between the U.S., Israel, and Iran, and to cause $60M in corporate losses.

You might think that after 30 years of email being the top vector for attack and risk we are helpless to do anything about it, but that would be giving too much credit to bad actors, and a misunderstanding of how defenders focused on detections can take control and win.

Phishing isn’t about email exclusively, or any specific protocol for that matter. Simply put, it is an attempt to get a person, like you or me, to take an action that unwittingly leads to damages. These attacks work because they appear to be authentic, visually or organizationally, such as pretending to be the CEO or CFO of your company, and when you break it down they are three main attack vectors that Cloudflare has seen most impactful from the bad emails we protect our customers Continue reading

A wild week in phishing, and what it means for you

This post is also available in 한국어, 日本語, 简体中文, 繁體中文, Français, Deutsch and Español.

Weekend Reads 081624

Beware of Internet FORCES aiming to change your mind or direct your decisions! That acronym, coined by behavioral scientist Patrick Fagan, helps people know when they’re being “nudged.”

Enter your name into an internet search engine and the first few results will probably include detailed profiles of you compiled by “people-search” websites with names like Intelius, PeopleFinders, and Spokeo.

Following the July 19 outages caused by a bad update, the cybersecurity firm faces shareholder lawsuits and pressure to pay damages for at least one major customer, Delta Airlines. Will software liability follow?

Since 1998 — the last year Congress passed a major law to reform the tech industry and protect children in the virtual space — a lot has changed.

According to a damning report from 404 Media, backed with internal Slack chats, emails, and documents obtained by the outlet, Nvidia helped itself to “a human lifetime visual experience worth of training data per day,” Ming-Yu Liu, vice president of Research at Nvidia and a Cosmos project leader, admitted in a May email.

It has been an enduring fascination to see how we could use packet networking in the context of digital communications in space.

At a recent conference Continue reading

Technology Short Take 181

Welcome to Technology Short Take #181! The summer of 2024 is nearly over, and Labor Day rapidly approaches. Take heart, though; here is some reading material for your weekend. From networking to security and from hardware to the cloud, there’s something in here for just about everyone. Enjoy!

Networking

Leon Adato has a great piece on transitioning from being a network engineer to being a cloud engineer. The post links to some good resources, and Leon provides three quick “lessons” to help folks get started.
Geoff Huston discusses DNS and UDP truncation.
Ivan Pepelnjak examines when you might need to use BGP, EVPN, VXLAN, or SRv6.

Servers/Hardware

Permanent damage? No recall? Ouch! Sean Hollister discusses Intel’s responses to questions asked about instabilities in their 13th and 14th Gen Intel Core desktop processors.
Chaim Gartenberg shares a look back at 10 years of Google’s AI-specialized chips (the Tensor Processing Units, or TPUs).

Security

I enjoy Ben Bornholm’s article showing how to use Cilium and Tetragon to secure a vulnerable web application. Practical examples like this are useful. Thanks for sharing, Ben!
Writing for The Hacker News, Ravie Lakshmanan discusses CRYSTALRAY and a recent surge of infections aiming “to harvest and sell Continue reading

Simplify cloud routing and object storage configurations with Cloud Connector

As part of Cloudflare's mission to help build a better Internet, we’re continuously integrating with other networks and service providers, ensuring ease of use for anyone, anywhere, anytime.

Today, we’re excited to announce Cloud Connector – a brand-new way to put Cloudflare in front of popular public cloud services, protecting your assets, accelerating applications, and routing your traffic between multiple cloud providers seamlessly.

Cloud Connector is a natural extension of Cloudflare's Connectivity Cloud, which aims to simplify and secure the complex web of connections across today’s enterprises. Imagine Origin Rules, but managed by Cloudflare, available for all plans, created with just a few clicks, and working out of the box without the need for additional rules. It allows you to route traffic to different public clouds without complicated workarounds. This means you can now direct specific requests to AWS S3, Google Cloud Storage, Azure Blob Storage, or our own R2, even if these services are not set as the DNS target for your hostname.

Whether you’re an e-commerce site looking to route image traffic to the best-performing cloud storage for faster load times, a media company distributing video content efficiently across various cloud providers, or Continue reading

Introducing high-definition portrait video support for Cloudflare Stream

Cloudflare Stream is an end-to-end solution for video encoding, storage, delivery, and playback. Our focus has always been on simplifying all aspects of video for developers. This goal continues to motivate us as we introduce first-class portrait (vertical) video support today. Newly uploaded or ingested portrait videos will now automatically be processed in full HD quality.

Why portrait video

In the past few years, the popularity of portrait video has exploded, motivated by short-form video content applications such as TikTok or YouTube Shorts. However, Cloudflare customers have been confused as to why their portrait videos appear to be lower quality when viewed on portrait-first devices such as smartphones. This is because our video encoding pipeline previously did not support high-quality portrait videos, leading them to be grainy and lower quality. This pain point has now been addressed with the introduction of high-definition portrait video.

The current stream pipeline

When you upload a video to Stream, it is first encoded into several different “renditions” (sizes or resolutions) before delivery. This is done in order to enable playback in a wide variety of network conditions, as well as to standardize the way a video is experienced. By using these adaptive Continue reading

Introducing high-definition portrait video support for Cloudflare Stream

Why portrait video

The current stream pipeline

Simplify cloud routing and object storage configurations with Cloud Connector

Introduction

As part of Cloudflare's mission to help build a better Internet, we’re continuously integrating with other networks and service providers, ensuring ease of use for anyone, anywhere, anytime.

« Previous 1 … 129 130 131 132 133 … 3,855 Next »