VNFs and Containers: Heptagonal Pegs and Triangle Holes

One of my readers sent me this question:

It would be nice to have a blog post or a webinar describing how to implement container networking in case when: (A) application does not tolerate NAT (telco, e.g. due to SCTP), (B) no DNS / FQDN, is used to find the peer element and (C) bandwidth requirements may be tough.

The only thing I could point him to is the Advanced Docker Networking part of Docker Networking Fundamentals webinar (available with free subscription) where macvlan and ipvlan are described.

Unikernels as processes

Unikernels as processes Williams et al., SoCC’18

Ah, unikernels. Small size, fast booting, tiny attack surface, resource efficient, hard to deploy on existing cloud platforms, and undebuggable in production. There’s no shortage of strong claims on both sides of the fence.

See for example:

• Unikernels: library operating systems for the cloud
• Jitsu: just-in-time summoning of unikernels
• IncludeOS: A minimal, resource efficient unikernel for cloud systems,
• My VM is lighter (and safer) than your container, and
• Unikernels are unfit for production

In today’s paper choice, Williams et al. give us an intriguing new option in the design space: running unikernels as processes. Yes, that’s initially confusing to get your head around! That means you still have a full-fat OS underneath the process, and you don’t get to take advantage of the strong isolation afforded by VMs. But through a clever use of seccomp, unikernels as processes still have strong isolation as well as increased throughput, reduced startup time, and increased memory density. Most importantly though, with unikernels as processes we can reuse standard infrastructure and tools:

We believe that running unikernels as processes is an important step towards running them in production, because, as processes, they can Continue reading

Rancher Labs Ropes Tencent, Alibaba, Huawei Support Into Container Platform

The company now supports the six largest Kubernetes providers in the world.

Cisco links wireless, wired worlds with new Catalyst 9000 switches

Cisco is making it possible to run, manage, automate and secure wired and wireless networks all on top of a single operating system.Key to the company's next step in operational efficiency is a new Catalyst 9000 switch, the 802.11ax-ready 9800 Wireless LAN Controller family which is available in an on-premises chassis or as a software addition that can be run on select Catalyst 9000 switches or a private or public cloud, Cisco said.[ Related: Getting grounded in intent-based networking] High-Efficiency Wireless or 802.11ax promises a fourfold increase in average throughput per user and is designed to handle high-density public environments. But it also will be beneficial in Internet of Things (IoT) deployments, in heavy-usage homes, in apartment buildings and in offices that use bandwidth-hogging applications like videoconferencing.To read this article in full, please click here

Cisco links wireless, wired worlds with new Catalyst 9000 switches

Cisco is making it possible to run, manage, automate and secure wired and wireless networks all on top of a single operating system.Key to the company's next step in operational efficiency is a new Catalyst 9000 switch, the 802.11ax-ready 9800 Wireless LAN Controller family which is available in an on-premises chassis or as a software addition that can be run on select Catalyst 9000 switches or a private or public cloud, Cisco said.[ Related: Getting grounded in intent-based networking] High-Efficiency Wireless or 802.11ax promises a fourfold increase in average throughput per user and is designed to handle high-density public environments. But it also will be beneficial in Internet of Things (IoT) deployments, in heavy-usage homes, in apartment buildings and in offices that use bandwidth-hogging applications like videoconferencing.To read this article in full, please click here

Prepare For The ITIL Certification Exams With This $49 Training Bundle

Enterprise demands for IT services have grown considerably, so considering a role in IT service management (ITSM) can be a stable and lucrative career move. However, not just anyone can become an IT service manager; it requires earning IT certifications, which demand rigorous preparation. Not to mention, there are numerous courses to choose from online. If you want to earn an IT certification, this Ultimate ITIL Certification Training Bundle by Integrity Training can help you prepare for $49.To read this article in full, please click here

Choosing an EVPN Underlay Routing Protocol

EVPN is all the rage these days. The ability to do L2 extension and L3 isolation over a single IP fabric is a cornerstone to building the next-generation of private clouds. BGP extensions spelled out in RFC 7432 and the addition of VxLAN in IETF draft-ietf-bess-evpn-overlay established VxLAN as the datacenter overlay encapsulation and BGP as the control plane from VxLAN endpoint (VTEP) to VxLAN endpoint. Although RFC 7938 tells us how to use BGP in the data center, it doesn’t discuss how it would behave with BGP as an overlay as well. As a result, every vendor seems to have their own ideas about how we should build the “underlay” network to get from VTEP to VTEP, allowing BGP-EVPN to run over the top.

An example of a single leaf’s BGP peering for EVPN connectivity from VTEP to VTEP

Let’s take a look at our options in routing protocols we could use as an underlay and understand their strengths and weaknesses that make them a good or bad fit for deployment in an EVPN network. We’ll go through IS-IS, OSPF, iBGP and eBGP. I won’t discuss EIGRP. Although it’s now an IETF standard, it’s still not widely supported Continue reading

Real URLs for AMP Cached Content Using Cloudflare Workers

Today, we’re excited to announce our solution for arguably the biggest issue affecting Accelerated Mobile Pages (AMP): the inability to use real origin URLs when serving AMP-cached content. To allow AMP caches to serve content under its origin URL, we implemented HTTP signed exchanges, which extend authenticity and integrity to content cached and served on behalf of a publisher. This logic lives on Cloudflare Workers, meaning that adding HTTP signed exchanges to your content is just a simple Workers application away. Publishers on Cloudflare can now take advantage of AMP performance and have AMP caches serve content with their origin URLs. We're thrilled to use Workers as a core component of this solution.

HTTP signed exchanges are a crucial component of the emerging Web Packaging standard, a set of protocols used to package websites for distribution through optimized delivery systems like Google AMP. This announcement comes just in time for Chrome Dev Summit 2018, where our colleague Rustam Lalkaka spoke about our efforts to advance the Web Packaging standard.

What is Web Packaging and Why Does it Matter?

You may already see the need for Web Packaging on a daily basis. On your smartphone, perhaps you’ve searched for Christmas Continue reading

GPUs are vulnerable to side-channel attacks

Computer scientists at the University of California at Riverside have found that GPUs are vulnerable to side-channel attacks, the same kinds of exploits that have impacted Intel and AMD CPUs.Two professors and two students, one a computer science doctoral student and a post-doctoral researcher, reverse-engineered a Nvidia GPU to demonstrate three attacks on both graphics and computational stacks, as well as across them. The researchers believe these are the first reported side-channel attacks on GPUs.[ Read also: What are the Meltdown and Spectre exploits? | Get regularly scheduled insights: Sign up for Network World newsletters ] A side-channel attack is one where the attacker uses how a technology operates, in this case a GPU, rather than a bug or flaw in the code. It takes advantage of how the processor is designed and exploits it in ways the designers hadn’t thought of.To read this article in full, please click here

GPUs are vulnerable to side-channel attacks

Computer scientists at the University of California at Riverside have found that GPUs are vulnerable to side-channel attacks, the same kinds of exploits that have impacted Intel and AMD CPUs.Two professors and two students, one a computer science doctoral student and a post-doctoral researcher, reverse-engineered a Nvidia GPU to demonstrate three attacks on both graphics and computational stacks, as well as across them. The researchers believe these are the first reported side-channel attacks on GPUs.[ Read also: What are the Meltdown and Spectre exploits? | Get regularly scheduled insights: Sign up for Network World newsletters ] A side-channel attack is one where the attacker uses how a technology operates, in this case a GPU, rather than a bug or flaw in the code. It takes advantage of how the processor is designed and exploits it in ways the designers hadn’t thought of.To read this article in full, please click here

GPUs are vulnerable to side-channel attacks

Computer scientists at the University of California at Riverside have found that GPUs are vulnerable to side-channel attacks, the same kinds of exploits that have impacted Intel and AMD CPUs.Two professors and two students, one a computer science doctoral student and a post-doctoral researcher, reverse-engineered a Nvidia GPU to demonstrate three attacks on both graphics and computational stacks, as well as across them. The researchers believe these are the first reported side-channel attacks on GPUs.[ Read also: What are the Meltdown and Spectre exploits? | Get regularly scheduled insights: Sign up for Network World newsletters ] A side-channel attack is one where the attacker uses how a technology operates, in this case a GPU, rather than a bug or flaw in the code. It takes advantage of how the processor is designed and exploits it in ways the designers hadn’t thought of.To read this article in full, please click here

Latest Security Unicorn Netskope Scores $168.7M Series F

An IPO is on the horizon but being acquired is not. “We are fiercely independent,” Netskope CEO Sanjay Beri said.

Red Hat Squeezes OpenStack, OpenShift Closer Together

The OpenStack Platform 14 update makes it easier to install and run OpenShift in that environment and to run Kubernetes-orchestrated containers on bare metal.

OpenStack Expands With New Projects, Canonical’s CEO Is Not Thrilled About It

According to the OpenStack Foundation board the new strategy reflects the desire of OpenStack users. But Canonical’s CEO thinks it distracts from the group’s core mission.

ThoughtSpot Brings Search-Based Analytics to Google Cloud

The search and AI-driven analytics company also added new integration with the Google Cloud Machine Learning Engine.

Oracle Puts Together RDMA, Bare Metal for HPC

Oracle was famously behind the cloud computing curve, with co-founder and then-CEO Larry Ellison several years ago dismissing it as little more than an empty tag that was more on par with fashion trends than anything serious in the tech world. …

Oracle Puts Together RDMA, Bare Metal for HPC was written by Jeffrey Burt at .

History of Networking: Bob Hinden on IPv6

Introducing Docker’s Windows Server Application Migration Program

Last week, we announced the Docker Windows Server Application Migration Program, designed to help companies quickly and easily migrate and modernize legacy Windows Server 2008 applications while driving continuous innovation across any application, anywhere.

We recognize that Windows Server 2008 is one of the most widely used operating systems today and the coming end-of-support in January 2020 leaves IT organizations with few viable options to cost-effectively secure their legacy applications and data. The Docker Windows Server Application Migration Program represents the best and only way to containerize and secure legacy Windows Server applications while enabling software-driven business transformation. With this new program, customers get:

• Docker Enterprise: Leading Container Platform and only one for Windows Server applications.
  Docker Enterprise is the leading container platform in the industry– familiar to millions of developers and IT professionals. It’s also the only one that runs Windows Server applications, with support for Windows Server 2016, 1709, 1803 and soon, 2019 (in addition to multiple Linux distributions.) Organizations routinely save 50% or more through higher server consolidation and reduced hardware and licensing costs when they containerize their existing applications with Docker Enterprise.

• Industry-proven tools & services: Easily discover, containerize, and migrate with immediate Continue reading

Get 90% Off Your First Year of RemotePC, Up To 50 Computers for $6.95

iDrive has activated a significant discount on their Remote access software RemotePC in these days leading into Black Friday. RemotePC by iDrive is a full-featured remote access solution that lets you connect to your work, home or office computer securely from anywhere, and from any iOS or Android device. Right now, their 50 computer package is 90% off or just $6.95 for your 1st year. If you've been thinking about remote access solutions, now is a good time to consider RemotePC. Learn more about it here.To read this article in full, please click here

Get 90% Off Your First Year of RemotePC, Up To 50 Computers for $6.95

iDrive has activated a significant discount on their Remote access software RemotePC in these days leading into Black Friday. RemotePC by iDrive is a full-featured remote access solution that lets you connect to your work, home or office computer securely from anywhere, and from any iOS or Android device. Right now, their 50 computer package is 90% off or just $6.95 for your 1st year. If you've been thinking about remote access solutions, now is a good time to consider RemotePC. Learn more about it here.To read this article in full, please click here