Our commitment to open networking

On Monday we released our latest version of Cumulus Linux, 3.5. It includes symmetric VxLAN routing, Voice VLAN and 10 new hardware platforms. This includes General Availability (GA) of our two supported chassis, the four slot Backpack and eight slot OMP800. We announced Early Access (EA) support for both chassis in our previous release, Cumulus Linux 3.4.

At Cumulus, moving fast to fix problems and get features in the hands of our customers is core to our culture. In today’s webscale networks, it’s hard for even the largest of organizations to operate on classic 18+ month buying cycles. Some folks want the ability to use new technology as soon as possible.

The EA process gives customers the ability to use working software or hardware and provide direct feedback on the final product. That feedback improves all aspects of the product, from purchasing, delivery, default configurations or operations.

When we announced EA for our chassis systems, we had many Fortune 500 customers express interest. For some, the EA process allowed them to start the purchasing process knowing that it would take months until a final purchase order was ready. For others, they were able to put working, stable Continue reading

Programming Unbound

I’m doing some research on Facebook’s Open/R routing platform for a future blog post. I’m starting to understand the nuances a bit compared to OSPF or IS-IS, but during my reading I got stopped cold by one particular passage:

Many traditional routing protocols were designed in the past, with a strong focus on optimizing for hardware-limited embedded systems such as CPUs and RAM. In addition, protocols were designed as purpose-built solutions to solve the particular problem of routing for connectivity, rather than as a flexible software platform to build new applications in the network.

Uh oh. I’ve seen language like this before related to other software projects. And quite frankly, it worries me to death. Because it means that people aren’t learning their lessons.

New and Improved

Any time I see an article about how a project was rewritten from the ground up to “take advantage of new changes in protocols and resources”, it usually signals to me that some grad student decided to rewrite the whole thing in Java because they didn’t understand C. It sounds a bit cynical, but it’s not often wrong.

Want proof? Check out Linus Torvalds and his opinion about rewriting the Linux kernel in Continue reading

Reflections on the Internet’s Past

Earlier this year, as part of the Internet Society’s 25th anniversary celebration, we asked you to share your memories of the early Internet. As we look forward to the new year, it’s fun to read through the stories and look back at where we started.

One of the earliest memories was from Stanford University.

There was also this dose of funny reality from nearly ten thousand kilometers away, in Moscow:

Another member shared this memory from INET ’93 San Francisco:

Episode 18 – Whitebox Networking

In Episode 18 of Network Collective, Pete Lumbis of Cumulus Networks and Kevin Myers of IP Architechs join us to talk about the pros and cons of running whitebox or commodity hardware in your network. There’s no denying that the price point on commodity hardware is attractive but we discuss all you should consider when you’re looking to transition away from a major network hardware vendor.

Show Notes

What is whitebox networking?

• Has a variety of definitions depending on the person answering
• Associated with ONIE and Oss like Cumulus Linux, BigSwitch, IPI
• Commodity hardware not mainstream vendor with OS that may or may not be from the same vendor
• To some, hardware has more to do with hardware
• Commodity hardware has to do with using chipset, board, or even layout that someone else created
• Component of disaggregation to consider
• Britebox is the larger vendors offering disaggregation options
• Whietbox equipment isn’t about homemade devices soldered together in our garages

Why whitebox networking?

• The original impetus for whitebox was often around cost, and sometimes it still is
• Current reasons are to have more options like customized operating systems
• Whitebox utilizes the equipment to move to an x86 model that compute Continue reading

Top 5 blogs of 2017: LinuxKit, A Toolkit for building Secure, Lean and Portable Linux Subsystems

In case you’ve missed it, this week we’re highlighting the top five most popular Docker blogs in 2017. Coming in the third place is the announcement of LinuxKit, a toolkit for building secure, lean and portable Linux Subsystems.

LinuxKit includes the tooling to allow building custom Linux subsystems that only include exactly the components the runtime platform requires. All system services are containers that can be replaced, and everything that is not required can be removed. All components can be substituted with ones that match specific needs. It is a kit, very much in the Docker philosophy of batteries included but swappable. LinuxKit is an open source project available at https://github.com/linuxkit/linuxkit.

To achieve our goals of a secure, lean and portable OS,we built it from containers, for containers.  Security is a top-level objective and aligns with NIST stating, in their draft Application Container Security Guide: “Use container-specific OSes instead of general-purpose ones to reduce attack surfaces. When using a container-specific OS, attack surfaces are typically much smaller than they would be with a general-purpose OS, so there are fewer opportunities to attack and compromise a container-specific OS.”

The leanness directly helps with security by removing parts not Continue reading

From SD-WAN to the Network Edge: Here Are the Top Sponsored Posts of 2017

Here is a list of our Top 5 sponsored posts of 2017

IDG Contributor Network: New IDC report forecasts huge growth for IoT

In case you’re still not sure about the viability of the Internet of Things (IoT) as a business concept, some new findings from research firm International Data Corp. (IDC)—predicting significant growth for the market in the coming years—should be convincing.In addition to a rise in investments in IoT products and services, the IDC research describes how software and services will play a major role in the success of IoT project.According to the IDC study, worldwide spending on the IoT is forecast to reach $772.5 billion in 2018. That represents an increase of 15% over the $674 billion that will be spent on IoT in 2017. The new update to the firm’s Worldwide Semiannual Internet of Things Spending Guide forecasts worldwide IoT spending to sustain a compound annual growth rate (CAGR) of 14% through the 2017-2021 forecast period, surpassing the $1 trillion mark in 2020 and reaching $1.1 trillion in 2021.To read this article in full, please click here

IDG Contributor Network: Mega increase in cloud adoption underway

No matter how you look at it, the cloud is growing fast.To compare the market’s growth to the rest of IT, cloud computing is expanding seven times faster than non-cloud computing, according to a report from IDC released on February 21.To gauge the business decision-maker, the State of the cloud Survey gives us a good sense of how adoption decisions are changing, along with other internal insights. The 2017 version of the poll, based on the responses of 1,002 IT executives, found that the concerns related to cloud that have held back a higher degree of adoption are taking a nosedive. While 32% listed lacking expertise and resources as a top challenge last year, that number dropped to 25% this year.To read this article in full, please click here

From Trials to Use Cases – The Top 5G Developments in 2017

 Virtualization becomes a bigger part of 5G discussion.

5 Biggest HCI Movers and Shakers in 2017

Five companies stand out for their strong hyperconverged moves.

Can IoT help make the enterprise more secure?

It’s no secret that the rise of the Internet of Things (IoT) presents massive new security challenges. Heck, I’ve written about the issue here more than once. But one company claims that enterprise IoT also shows promise for addressing key security issues.Also on Network World: Is the U.S. finally about to take IoT security seriously? and The time to deal with IoT security is now Tim Lang, CTO at BI and data analytics firm MicroStrategy, notes that 70 percent of security breaches come from the inside, and he says Enterprise Internet of Things (EIoT) can help enterprises “monitor and prevent these breaches before they happen.” To read this article in full, please click here

Can IoT help make the enterprise more secure?

It’s no secret that the rise of the Internet of Things (IoT) presents massive new security challenges. Heck, I’ve written about the issue here more than once. But one company claims that enterprise IoT also shows promise for addressing key security issues.Also on Network World: Is the U.S. finally about to take IoT security seriously? and The time to deal with IoT security is now Tim Lang, CTO at BI and data analytics firm MicroStrategy, notes that 70 percent of security breaches come from the inside, and he says Enterprise Internet of Things (EIoT) can help enterprises “monitor and prevent these breaches before they happen.” To read this article in full, please click here

IoT Security Using BLE Encryption

Microsoft: ReFS is ridiculous

I’ve blogged before about how the new integrity-checking filesystem in Windows, ReFS, doesn’t actually have integrity checking turned on by default. It’s pretty silly that for a modern filesystem meant to compete with ZFS and BtrFS, to have the main 21st century feature turned off by default. But it’s not quite ridiculous. Not yet.

Now it turns out that scrubbing is only supported on Windows Server

1. Microsoft honestly shipped an integrity-checking filesystem in Windows 10 with no way to repair or scrub it.

I used to say that Windows 10 is the best Windows ever, and that Microsoft kinda won my trust back. But what the hell?

I contacted Microsoft support over chat, who first suggested I do a system restore (sigh). But after I insisted that they please confirm that it’s supposed to work confirmed that no that only ships with Windows Server.

It’s not even clear from their pricing if I need the $882 Standard Edition or the $6,155 Datacenter Edition. Either one is way too much for such a standard feature.

What the hell, Microsoft? All I want is a checksumming file system. Either provide it, or don’t. Don’t give me a checksumming filesystem that can’t be Continue reading

Why TLS 1.3 isn’t in browsers yet

Upgrading a security protocol in an ecosystem as complex as the Internet is difficult. You need to update clients and servers and make sure everything in between continues to work correctly. The Internet is in the middle of such an upgrade right now. Transport Layer Security (TLS), the protocol that keeps web browsing confidential (and many people persist in calling SSL), is getting its first major overhaul with the introduction of TLS 1.3. Last year, Cloudflare was the first major provider to support TLS 1.3 by default on the server side. We expected the client side would follow suit and be enabled in all major browsers soon thereafter. It has been over a year since Cloudflare’s TLS 1.3 launch and still, none of the major browsers have enabled TLS 1.3 by default.

The reductive answer to why TLS 1.3 hasn’t been deployed yet is middleboxes: network appliances designed to monitor and sometimes intercept HTTPS traffic inside corporate environments and mobile networks. Some of these middleboxes implemented TLS 1.2 incorrectly and now that’s blocking browsers from releasing TLS 1.3. However, simply blaming network appliance vendors would be disingenuous. The deeper truth of the Continue reading

Why TLS 1.3 isn’t in browsers yet

Upgrading a security protocol in an ecosystem as complex as the Internet is difficult. You need to update clients and servers and make sure everything in between continues to work correctly. The Internet is in the middle of such an upgrade right now. Transport Layer Security (TLS), the protocol that keeps web browsing confidential (and many people persist in calling SSL), is getting its first major overhaul with the introduction of TLS 1.3. Last year, Cloudflare was the first major provider to support TLS 1.3 by default on the server side. We expected the client side would follow suit and be enabled in all major browsers soon thereafter. It has been over a year since Cloudflare’s TLS 1.3 launch and still, none of the major browsers have enabled TLS 1.3 by default.

The reductive answer to why TLS 1.3 hasn’t been deployed yet is middleboxes: network appliances designed to monitor and sometimes intercept HTTPS traffic inside corporate environments and mobile networks. Some of these middleboxes implemented TLS 1.2 incorrectly and now that’s blocking browsers from releasing TLS 1.3. However, simply blaming network appliance vendors would be disingenuous. The deeper truth of the Continue reading

Concise (Post-Christmas) Cryptography Challenges

It's the day after Christmas; or, depending on your geography, Boxing Day. With the festivities over, you may still find yourself stuck at home and somewhat bored.

Either way; here are three relatively short cryptography challenges, you can use to keep you momentarily occupied. Other than the hints (and some internet searching), you shouldn't require a particularly deep cryptography knowledge to start diving into these challenges. For hints and spoilers, scroll down below the challenges!

Challenges

Password Hashing

The first one is simple enough to explain; here are 5 hashes (from user passwords), crack them:

$2y$10$TYau45etgP4173/zx1usm.uO34TXAld/8e0/jKC5b0jHCqs/MZGBi
$2y$10$qQVWugep3jGmh4ZHuHqw8exczy4t8BZ/Jy6H4vnbRiXw.BGwQUrHu
$2y$10$DuZ0T/Qieif009SdR5HD5OOiFl/WJaDyCDB/ztWIM.1koiDJrN5eu
$2y$10$0ClJ1I7LQxMNva/NwRa5L.4ly3EHB8eFR5CckXpgRRKAQHXvEL5oS
$2y$10$LIWMJJgX.Ti9DYrYiaotHuqi34eZ2axl8/i1Cd68GYsYAG02Icwve

HTTP Strict Transport Security

A website works by redirecting its www. subdomain to a regional subdomain (i.e. uk.), the site uses HSTS to prevent SSLStrip attacks. You can see cURL requests of the headers from the redirects below, how would you practically go about stripping HTTPS in this example?

$ curl -i http://www.example.com
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 26 Dec 2017 12:26:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
location: https://uk.example.com/

$ curl -i http://uk.example.com
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html;  Continue reading

Concise (Post-Christmas) Cryptography Challenges

It's the day after Christmas; or, depending on your geography, Boxing Day. With the festivities over, you may still find yourself stuck at home and somewhat bored.

Either way; here are three relatively short cryptography challenges, you can use to keep you momentarily occupied. Other than the hints (and some internet searching), you shouldn't require a particularly deep cryptography knowledge to start diving into these challenges. For hints and spoilers, scroll down below the challenges!

Challenges

Password Hashing

The first one is simple enough to explain; here are 5 hashes (from user passwords), crack them:

$2y$10$TYau45etgP4173/zx1usm.uO34TXAld/8e0/jKC5b0jHCqs/MZGBi
$2y$10$qQVWugep3jGmh4ZHuHqw8exczy4t8BZ/Jy6H4vnbRiXw.BGwQUrHu
$2y$10$DuZ0T/Qieif009SdR5HD5OOiFl/WJaDyCDB/ztWIM.1koiDJrN5eu
$2y$10$0ClJ1I7LQxMNva/NwRa5L.4ly3EHB8eFR5CckXpgRRKAQHXvEL5oS
$2y$10$LIWMJJgX.Ti9DYrYiaotHuqi34eZ2axl8/i1Cd68GYsYAG02Icwve

HTTP Strict Transport Security

A website works by redirecting its www. subdomain to a regional subdomain (i.e. uk.), the site uses HSTS to prevent SSLStrip attacks. You can see cURL requests of the headers from the redirects below, how would you practically go about stripping HTTPS in this example?

$ curl -i http://www.example.com
HTTP/1.1 302 Moved Temporarily  
Server: nginx  
Date: Tue, 26 Dec 2017 12:26:51 GMT  
Content-Type: text/html  
Transfer-Encoding: chunked  
Connection: keep-alive  
location: https://uk.example.com/  

$ curl -i http://uk.example.com
HTTP/1.1 200 OK  
Server: nginx  
Content-Type: text/html;  Continue reading

Top 5 blogs of 2017: Exciting new things for Docker with Windows Server 1709

We’ve rounded up the most-read Docker blogs of 2017. Topping our list at number two is, Exciting new things for Docker with Windows Server 1709.

What a difference a year makes… last September, Microsoft and Docker launched Docker Enterprise Edition (EE), a Containers-as-a-Service platform for IT that manages and secures diverse applications across disparate infrastructures, for Windows Server 2016. Since then we’ve continued to work together and Windows Server 1709 contains several enhancements for Docker customers.

Docker Enterprise Edition Preview

To experiment with the new Docker and Windows features, a preview build of Docker is required. Here’s how to install it on Windows Server 1709 (this will also work on Insider builds):

Install-Module DockerProvider
Install-Package Docker -ProviderName DockerProvider -RequiredVersion preview

To run Docker Windows containers in production on any Windows Server version, please stick to Docker EE 17.06.

Docker Linux Containers on Windows

A key focus of Windows Server version 1709 is support for Linux containers on Windows. We’ve already blogged about how we’re supporting Linux containers on Windows with the LinuxKit project.

To try Linux Containers on Windows Server 1709, install the preview Docker package and enable the feature. The preview Docker EE package includes a full LinuxKit Continue reading

Alibaba Cloud Gears Up for ‘Serious Combat’ Against AWS in 2018

Alibaba Cloud has 33 availability zones across 16 economic centers globally.