Troubleshooting TLS Certificates

I was recently working on a blog post involving the use of TLS certificates for encryption and authentication, and was running into errors. I’d checked all the “usual suspects”—AWS security groups, host-level firewall rules (via iptables), and the application configuration itself—but still couldn’t get it to work. When I did finally find the error, I figured it was probably worth sharing the commands I used in the event others might find it helpful.

The error was manifesting itself in that I was able to successfully connect to the application (with TLS) on the loopback address, but not the IP address assigned to the network adapter. Using ss -lnt, I verified that the application was listening on all IP addresses (not just loopback), and as I mentioned earlier I had also verified that AWS security groups and host-level firewall weren’t in play. This lead me to believe that there was something wrong with my TLS configuration.

Since the application’s error message was extremely vague (and not even remotely TLS-related), I decided to try using curl to verify that TLS was working correctly. First I ran this command:

curl --cacert /path/to/CA/certificate https://127.0.0.1 -v

After some output, curl Continue reading

Welcome to AfPIF and iWeek 2018!

A comprehensive view of Africa’s Internet peering and interconnection ecosystem from the region’s top networks and experts, opportunities to strengthen and build new peering relationships with over 300 attendees using an open to all “bilateral meeting” scheduling tool, insightful presentations, studies and reports delivered by a strong lineup of speakers, and a technical village are some of the interesting activities that participants to iWeek/AfPIF 2018 can expect.

The sessions have been spiced up to include a technical village, with vendors offering masterclasses, a super teachers award honoring Africa’s tech teachers, and a beers for peers session, to allow participants to network more.

“This year’s agenda reflects the growing interests from our rapidly evolving regional industry with an increased focus on regional networks, carrier-neutral data centers, cloud services, and regulation in addition to our traditional line-up of quality technical content,” said Kyle Spencer, Co-Coordinator of the African IXP Association.

This year, the Africa Peering and Interconnection Forum (AfPIF) joined hands with the South Africa ISP Association to hold sessions during iWeek. This provides extensive training sessions and opportunities for participants.

“Participants will have opportunities to meet with industry leaders to discuss one on one or in groups the various issues around Continue reading

Edge-Side-Includes with Cloudflare Workers

Edge-Side-Includes with Cloudflare Workers

At Cloudflare we’re accelerating web assets in a number of different ways. Part of this is caching, by storing the response given by the origin server directly within our 151+ global data centers. This will dramatically improve the delivery of the resources as the visitor will directly get them from the data center closest to them, instead of waiting for us to fetch the request from the origin web server.

The issue with dynamic (but not a lot) pages

The subject we’re gonna cover today is the concept of Edge-Side-Includes. And what’s better than a real use-case to introduce what it is used for? Let’s take a website where all pages are including advertisements at the head and bottom. Could we consider these pages static? We couldn’t as at least part of this page is dynamic. Could we consider caching it? That’s a no again as it would mean the first dynamic part rendered will be cached and served for the other visitors trying to get the page. It would be a catastrophe if the advertisements are user-specific.

So the issue here is that we can’t cache the page. That’s quite a shame as it means that we’ll fetch Continue reading

Worth Reading: The Cargo Cult of Google Tools

Tom Hollingsworth published a great blog post summarizing Cloud Field Day presentation by Ben Sigelman.

TL&DR: You’re not Google, you don’t have their problems, and so you’re probably not a good match for their tools.

While this shouldn’t come as a surprise to regular readers of my blog (here’s what I wrote on the topic in 2016), it’s refreshing to see it spelled out so eloquently (and by an ex-Googler).

Filter before you parse: faster analytics on raw data with Sparser

Filter before you parse: faster analytics on raw data with Sparser Palkar et al., VLDB’18

We’ve been parsing JSON for over 15 years. So it’s surprising and wonderful that with a fresh look at the problem the authors of this paper have been able to deliver an order-of-magnitude speed-up with Sparser in about 4Kloc.

The classic approach to JSON parsing is to use a state-machine based parsing algorithm. This is the approach used by e.g. RapidJSON. Such algorithms are sequential and can’t easily exploit the SIMD capabilities of modern CPUs. State of the art JSON parsers such as Mison are designed to match the capabilities of modern hardware. Mison uses SIMD instructions to find special characters such as brackets and colons and build a structural index over a raw json string.

… we found that Mison can parse highly nested in-memory data at over 2GMB/s per core, over 5x faster than RapidJSON, the fastest traditional state-machine based parser available.

How can we parse JSON even faster? The key lies in re-framing the question. The fastest way to parse a JSON file is not to parse it at all. Zero ms is a hard lower bound ;). In other Continue reading

DNSSEC and DNS over TLS

In this article I'd like to look at the roles of Security Extensions for the DNS (DNSSEC) and DNS over Transport Layer Security (DoT) and question DoT could conceivably replace DNSSEC in the DNS.

African traffic growth and predictions for the future

African traffic growth and predictions for the future

Looking back at our historical data, we realized how much the Internet and Cloudflare grew. With more than 150 datacenters, 10 percent of web-based applications, customers everywhere around the world, from the tiny islands in the Pacific to the big metropolises, we have an Internet landscape of almost every country and continent.

Cloudflare’s mission is to help build a better Internet. To do that we operate datacenters across the globe. By having datacenters close to end user we provide a fast, secure experience for everyone. Today I’d like to talk about our datacenters in Africa and our plans to serve a population of 1.2 billion people over 58 countries.

Internet penetration in developed countries skyrocketed since the 2000s, Internet usage is growing rapidly across Africa. We are seeing a 4% to 7% increase in traffic month on month. As of July 2018, we have 8 datacenters on the African Continent:

VMworld 2018 Sessions on NSX Networking and Security in VMware Cloud on AWS

VMworld 2018 is a week away; are you attending? Want to learn more about NSX Networking and Security in VMware Cloud on AWS, how you can easily deploy and secure workloads in the cloud, or how to build hybrid cloud solutions with the familiarity and capabilities of vSphere? Make sure to attend the below sessions at VMworld 2018. We will go into a deep dive of all the functionality and show how VMware Cloud on AWS is being used by customers. Continue reading

rbenv Install openSUSE

rbenv is a utility for installing multiple ruby versions on a host machine. Using rbenv allows you to install ruby in a path you have ownership over so you can install gems without having to have sudo or root privileges. rbenv also allows you to target the exact ruby version in development...

VMware Cloud on AWS: Advanced Networking and Security with NSX-T SDDC

Announced in AWS Summit in New York last month and also briefly mentioned on the prior blog, Announcing General Availability of VMware NSX-T Data Center 2.2.0, NSX-T networking and security is now available in Preview Mode for new SDDC deployments on VMware Cloud on AWS. Please reach out to your sales/SE contact for more information.  In this blog post, I give an overview of the advanced networking and security functionality provided by NSX-T within VMware Cloud on AWS. Continue reading

New to the INE Course Library – Implementing Inter-VLAN Routing

This course covers the basics of implementing inter-VLAN routing by explaining the theory behind two common methodologies, as well as their implementation on Cisco routers and switches. By the end of this course students will be able to explain the differences between “Router-On-A-Stick” and “Switched Virtual Interfaces,” as well as how to implement inter-VLAN routing using either of these techniques.


Why You Should Watch:

Virtually all organizations that implement VLANs into their switched networking topologies also need to know how to route IP traffic between those VLANs. Knowing the techniques available to accomplish this kind of routing is essential whether you are managing a network, or simply pursuing a networking certification (like the Cisco CCNA).

Many learners are confused about the differences between VLANs and SVIs (Switched Virtual Interfaces) as well as their inter-relationship. This course is meant to clarify any confusion you may have between those differences, and teach you both the theory and implementation (utilizing Cisco IOS software) of Inter-VLAN Routing.


Who Should Watch:

This course is intended for anyone wanting to learn about inter-VLAN routing with an emphasis on the techniques to do so using Cisco routers and switches. A basic familiarity with the Cisco IOS command Continue reading

Weekend Reads 081618: New Vulnerabilities

Spectre and Meltdown are more than a new class of security holes. They’re deeply embedded in the fundamental design of recent generations of CPUs. So it shouldn’t come as any surprise that yet another major Intel chip security problem has been discovered: Foreshadow. —Steven J. Vaughan-Nichols @ZDNet

Foreshadow Attacks – Security researchers disclosed the details of three new speculative execution side-channel attacks that affect Intel processors. The new flaws, dubbed Foreshadow and L1 Terminal Fault (L1TF), were discovered by two independent research teams. —Pierluigi Paganini @Security Affairs

Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphones with malicious apps or launch denial of service attacks. —Swati Khandelwal @The Hacker News

When a room filled with hundreds of security professionals erupts into applause, it’s notable. When that happens less than five minutes into a presentation, it’s remarkable. But that’s what transpired when security researcher Christopher Domas last week showed a room at Black Hat USA how to break the so-called ring-privilege model of modern CPU security. —Curtis Franklin Jr. @Dark Reading

Bought a new Android phone? What if I say your brand Continue reading

IXP Graphs are an Eyesore

Too many IXPs (and networkers in general) are using horrible outdated methods of graphing data. These are an ugly eyesore, and should be updated to something from this century. Big IXPs in particular have no excuse: they have the resources to do better.

IXPs: Invest, Spend, Drop Prices?

Two years ago Dave Temkin from Netflix presented at NANOG 67, talking about The Real Cost of Public IXPs (warning: PDF).

This caused a bit of a stir. As El Reg put it:

[According to Dave Temkin] The internet exchange industry is ripping customers off, charging too much for features people don’t need, and spending millions on staff salaries, unnecessary marketing and social events.

You can argue amongst yourselves as to how much IXPs should invest, how closely their port prices should track transit costs, etc. Or maybe you just like all the free drinks, dammit.

I think that if they’re going to spend money rather than reduce prices, they should spend it on something I care about: Data visualization. Most IXPs traffic graphs are an eyesore, they’re outdated, and it’s time they were fixed.

Ugly Eyesores

Here’s some typical traffic graphs from some of the biggest IXPs in the world:

DE-CIX

Continue reading

IXP Graphs are an Eyesore

Too many IXPs (and networkers in general) are using horrible outdated methods of graphing data. These are an ugly eyesore, and should be updated to something from this century. Big IXPs in particular have no excuse: they have the resources to do better.

IXPs: Invest, Spend, Drop Prices?

Two years ago Dave Temkin from Netflix presented at NANOG 67, talking about The Real Cost of Public IXPs (warning: PDF).

This caused a bit of a stir. As El Reg put it:

[According to Dave Temkin] The internet exchange industry is ripping customers off, charging too much for features people don’t need, and spending millions on staff salaries, unnecessary marketing and social events.

You can argue amongst yourselves as to how much IXPs should invest, how closely their port prices should track transit costs, etc. Or maybe you just like all the free drinks, dammit.

I think that if they’re going to spend money rather than reduce prices, they should spend it on something I care about: Data visualization. Most IXPs traffic graphs are an eyesore, they’re outdated, and it’s time they were fixed.

Ugly Eyesores

Here’s some typical traffic graphs from some of the biggest IXPs in the world:

DE-CIX

Continue reading

1 1,489 1,490 1,491 1,492 1,493 3,835