Random Thoughts on Zero-Trust Architecture

When preparing the materials for the Design Clinic section describing Zero-Trust Network Architecture, I wondered whether I was missing something crucial. After all, I couldn’t find anything new when reading the NIST documents – we’ve seen all they’re describing 30 years ago (remember Kerberos?).

In late August I dropped by the fantastic Roundtable and Barbecue event organized by Gabi Gerber (running Security Interest Group Switzerland) and used the opportunity to join the Zero Trust Architecture roundtable. Most other participants were seasoned IT security professionals with a level of skepticism approaching mine. When I mentioned I failed to see anything new in the now-overhyped topic, they quickly expressed similar doubts.

On Infrastructure as Code and Bit Rot

The architecture of the infrastructure-as-code (IaC) tooling you use will determine the level to which your IaC definitions are exposed to bit rot.

This is a maxim I have arrived at after working with multiple IaC tool sets, both professionally and personally, over the last few years. In this blog post, I will explain how I arrived at this maxim by describing three architectural patterns for IaC tools, each with differing levels of risk for bit rot.

Connection coalescing with ORIGIN Frames: fewer DNS queries, fewer connections

This blog post summarizes a Cloudflare research paper, which appeared at the ACM Internet Measurement Conference, that measures and prototypes connection coalescing with ORIGIN Frames.

Some readers might be surprised to hear that a single visit to a web page can cause a browser to make tens, sometimes even hundreds, of web connections. Take this very blog as an example. If it is your first visit to the Cloudflare blog, or it has been a while since your last visit, your browser will make multiple connections to render the page. The browser will make DNS queries to find IP addresses corresponding to blog.cloudflare.com and then subsequent requests to retrieve any necessary subresources on the web page needed to successfully render the complete page. How many? Looking below, at the time of writing, there are 32 different hostnames used to load the Cloudflare Blog. That means 32 DNS queries and at least 32 TCP (or QUIC) connections, unless the client is able to reuse (or coalesce) some of those connections.

Each new web connection not only introduces additional load on a server's processing capabilities – potentially leading to scalability challenges during peak usage hours

Microsoft blames Aussie data center outage on staff strength, failed automation

Microsoft has blamed staff strength and failed automation for a data center outage in Australia that took place on August 30, preventing users from accessing Azure, Microsoft 365, and Power Platform services for over 24 hours. In a post-incident analysis report, Microsoft said the outage occurred due to a utility power sag in Australia’s East region, which in turn “tripped a subset of the cooling units offline in one data center, within one of the Availability Zones.” As the cooling units were not working properly, the rise in temperature forced an automated shutdown of the data center in order to preserve data and infrastructure health, affecting compute, network, and storage services.

Arm unveils project to rapidly develop server processors

Arm Holdings unveiled a program that it says will simplify and accelerate the adoption of Arm Neoverse-based technology into new compute solutions. The program, called Arm Neoverse Compute Subsystems (CSS), was introduced at the Hot Chips 2023 technical conference held at Stanford University. Neoverse is Arm’s server-side technology meant for high performance while still offering the power efficiency that Arm’s mobile parts are known for. CSS enables partners to build specialized silicon more affordably and quickly than previous discrete IP solutions. The first-generation CSS product, Arm CSS N2, is based on the Neoverse N2 platform first introduced in 2020. CSS N2 provides partners with a customizable compute subsystem, allowing them to focus on features like memory, I/O, acceleration, and so on.

BGP Labs: Simple Routing Policy Tools

The first set of BGP labs covered the basics; the next four will help you master simple routing policy tools (BGP weights, AS-path filters, prefix filters) using real-life examples:

The labs are best used with netlab (it supports BGP on almost 20 different devices), but you could use any system you like (including GNS3 and CML/VIRL). If you’re stubborn enough, it’s possible to make them work with physical gear, but don’t ask me for help. For more details, read the Installation and Setup documentation.

Valley-free Routing in Leaf and Spine Topology

Valley-free routing is a concept that may not be well known but that is relevant to data center design. In this post, we’ll look at valley-free routing based on a leaf and spine topology.

There are many posts about leaf and spine topology and the benefits. To summarize, some of the most prominent advantages are:

  • Predictable number of hops between any two nodes.
  • All links are available for use, providing a high amount of bisection bandwidth (ECMP).
  • The architecture is easy to scale out.
  • Redundant and resilient.

Now, what does this have to do with valley-free routing? To understand what valley-free routing is, first let’s take a look at the expected traffic flow in a leaf and spine topology:

For traffic between Leaf1 and Leaf4, the two expected paths are:

  • Red path – Leaf-1 to Spine-1 to Leaf-4.
  • Blue path – Leaf-1 to Spine-2 to Leaf-4.

This means that there is only one intermediate hop between Leaf1 and Leaf4. Let’s confirm with a traceroute:

Leaf1# traceroute 203.0.113.4
traceroute to 203.0.113.4 (203.0.113.4), 30 hops max, 48 byte packets
 1  Spine2 (192.0.2.2)  1.831 ms  1.234 ms  1.12 ms
 2  Leaf4 (203.

Linux Networking – Source IP address selection

Any network device, be it a transit router or a host, usually has multiple IP addresses assigned to its interfaces. One of the first things we learn as network engineers is how to determine which IP address is used for the locally-sourced traffic. However, the default scenario can be changed in a couple of different ways and this post is a brief documentation of the available options.

The Default Scenario

Whenever a local application decides to connect to a remote network endpoint, it creates a network socket, providing a minimal amount of details required to build and send a network packet. Most often, this information includes a destination IP and port number as you can see from the following abbreviated output:

$ strace -e trace=network curl http://example.com
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(6, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(6, SOL_TCP, TCP_KEEPIDLE, [60], 4) = 0
setsockopt(6, SOL_TCP, TCP_KEEPINTVL, [60], 4) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("93.184.216.34")}, 16)

While this output does not show the DNS resolution part (due to getaddrinfo() not being a syscall), we can see that the only user-specific input information provided by an application (

What Would You Do With A 16.8 Million Core Graph Processing Beast?

If you look back at it now, especially with the advent of massively parallel computing on GPUs, maybe the techies at Tera Computing and then Cray had the right idea with their “ThreadStorm” massively threaded processors and high bandwidth interconnects.

What Would You Do With A 16.8 Million Core Graph Processing Beast? was written by Timothy Prickett Morgan at The Next Platform.

Hedge 193: Network Automation with the Network Automation Forum

Year after year network engineering media, vendors, and influencers talk about the importance of network automation—and yet according to surveys, most network operators still have not automated their network operations. In this episode of the Hedge, part 1 of 2, Chris Grundemann and Scott Robohn join the Hedge to give their ideas on why network automation isn’t happening, and how we can resolve the many blockers to automation.

To find out more about the Network Automation Forum and their upcoming meeting, check out their web site.

Calico monthly roundup: August 2023

Welcome to the Calico monthly roundup: August edition! From open source news to live events, we have exciting updates to share—let’s get into it!

*NEW* The State of Calico Open Source: Usage & Adoption Report 2023

Get insights into Calico’s adoption across container and Kubernetes environments, in terms of platforms, data planes, and policies.

Customer case study: HanseMerkur

Using Calico, HanseMerkur was able to reduce infrastructure overhead and achieve organizational compliance. Read our new case study to find out how.

Open source news

  • Calico Live – Join the Calico community every Wednesday at 2:00 pm ET for a live discussion about learning how to leverage Calico and Kubernetes for networking and security. We will explore Kubernetes security and policy design, network flow logs and more. Join us live on LinkedIn or YouTube.
  • CNCF webinar – Watch the recording of our CNCF live webinar, where we talk about eBPF advantages and troubleshooting.
  • Calico for Microsoft Azure – Learn the technical differences between the Azure networking options for Microsoft AKS environments, with a tradeoff analysis.
  • Podcast – Listen to this joint podcast with Calico Big Cat, Parth Goswami, where they answer the

Heavy Networking 697: Getting Operational Visibility Into The Networks That Matter (Sponsored)

In today's sponsored Heavy Networking we explore new features in Cisco ThousandEyes, an operational tool for visibility and observability of public and private networks. ThousandEyes has continued to grow into complex operational areas such as AWS Network Path, Webex performance, and integrations with Meraki to help you identify and fix network and application performance problems.

The post Heavy Networking 697: Getting Operational Visibility Into The Networks That Matter (Sponsored) appeared first on Packet Pushers.

Dell Making The Most Of Its GPU Allocations, Like Everyone Else

In a world where Nvidia is allocating proportional shares of its GPU hotcakes to all of the OEMs and ODMs, companies like Dell, Hewlett Packard, Lenovo, and Supermicro get their shares and then they turn around and try to sell systems using them at the highest possible price.

Dell Making The Most Of Its GPU Allocations, Like Everyone Else was written by Timothy Prickett Morgan at The Next Platform.