Use YANG Data Models to Configure Network Device with Ansible

It took years after NETCONF RFCs were published before IETF standardized YANG. It took another half-decade before they could agree on how to enable or disable an interface, set interface description, or read interface counters. A few more years passed by, and finally some vendors implemented some of the IETF or OpenConfig YANG data models (with one notable exception).

Now that we have the standardized structure, it’s easy to build automated multi-vendor networks, right? Not so fast…

The problematic Wannacry North Korea attribution

It was an accident

Understanding the Container Network Interface (CNI)

Container Network Interface (CNI) is a framework and an interface that abstracts away the network stack from the container runtime. This abstraction helps separate container management and networking thereby providing different players in the market, target the two problems independently. CNI is one of the two frameworks that make this abstraction possible, the other being the Container Network Model (CNM) that Docker implements as libNetwork. When Docker developed libNetwork (based on CNM) for docker container networking, CoreOS came up with a competing model for rkt (pronounced rocket) their container runtime. CNI being the network interface of choice for Kubernetes, the most popular container orchestration platform, it has gained popularity. CNI is now part of the CNCF consortium.

The CNI"nterface" is composed of two components - NetPlugin and the IPAM plugin. While NetPlugin is responsible for setting up network plumbing i.e. conduit between the container & the host, the IPAM plugin is responsible for IP address allocation. Since these two are designed to be pluggable, we can pick-and-choose plugins from different sources/vendors for each of them. CNI takes in a JSON configuration file from the container runtime or from an orchestrator like Kubernetes, that specifies the choice for each Continue reading

New Role, Same Goal

New Role, Same Goal

I recently gave a presentation at Network Field Day 17 wherein I announced that not only was I about to give probably the most compressed talk of my life (time constraints are unforgiving) but that I also was now working for Juniper. Until today, this was pretty much the most explanation I had time to give:

I decided to accept a position with Juniper over the 2017 holiday, and I started last week. There were a few reasons for moving on from the StackStorm team, some of which are personal and have nothing to do with either day job. Despite the move, all of these things are still true:

• StackStorm is and continues to be an awesome project. Regular updates are happening all the time, each full of tons of new features and fixes.
• The StackStorm team and Extreme Networks as a whole are some of my favorite people ever. I will never forget everything I learned from them, and will try my best to stay in contact with all of them.
• The concepts behind StackStorm, such as infrastructure-as-code, and autonomous response to events, are still top-of-mind for me. I still strongly believe that each of these concepts are Continue reading

New Role, Same Goal

I recently gave a presentation at Network Field Day 17 wherein I announced that not only was I about to give probably the most compressed talk of my life (time constraints are unforgiving) but that I also was now working for Juniper. Until today, this was pretty much the most explanation I had time to give:

I decided to accept a position with Juniper over the 2017 holiday, and I started last week. There were a few reasons for moving on from the StackStorm team, some of which are personal and have nothing to do with either day job. Despite the move, all of these things are still true:

• StackStorm is and continues to be an awesome project. Regular updates are happening all the time, each full of tons of new features and fixes.
• The StackStorm team and Extreme Networks as a whole are some of my favorite people ever. I will never forget everything I learned from them, and will try my best to stay in contact with all of them.
• The concepts behind StackStorm, such as infrastructure-as-code, and autonomous response to events, are still top-of-mind for me. I still strongly believe that each of these concepts are Continue reading

BGP design options for EVPN in Data Center Fabrics

Ivan Pepelnjak described his views regarding BGP design options for EVPN-based Data Center Fabrics in this article. In comments to following blog post we briefly discussed sanity of eBGP underlay + iBGP overlay design option and come to conclusion that we disagree on this subject. In this blog post I try to summarize my thoughts about this design options.

Let’s start with the basics – what’s the idea behind underlay/overlay design? It’s quite simple – this is logical separation of duties of “underlying infrastructure” (providing simple IP transport in case of DC fabrics) and some “service” overlayed on top of it (be it L3VPN or EVPN or any hypervisor-based SDN solution). The key word in previous sentence – “separation”. In good design overlay and underlay should be as separate and independent from each other as possible. This provides a lot of benefits – most important of which is the ability to implement “smart edge – simple core” network design, where your core devices (= spines in DC fabric case) doesn’t need to understand all complex VPN-related protocols and hold customer-related state.

We use this design option for a long time – OSPF for underlay and iBGP for overlay is de-facto Continue reading

BiB 027: Juniper Networks At NFD17 – A Platform Emerges

Juniper Networks presented for a second day at Network Field Day 17, this time focusing on Appformix for analytics & automation; and PeerBot, a BGP configuration application.

The post BiB 027: Juniper Networks At NFD17 – A Platform Emerges appeared first on Packet Pushers.

SEO Performance in 2018 Using Cloudflare

For some businesses SEO is a bad word, and for good reason. Google and other search engines keep their algorithms a well-guarded secret making SEO implementation not unlike playing a game where the referee won’t tell you all the rules. While SEO experts exist, the ambiguity around search creates an opening for grandiose claims and misinformation by unscrupulous profiteers claiming expertise.

If you’ve done SEO research, you may have come across an admixture of legitimate SEO practices, outdated optimizations, and misguided advice. You might have read that using the keyword meta tag in your HTML will help your SEO (it won’t), that there’s a specific number of instances a keyword should occur on a webpage (there isn’t), or that buying links will improve your rankings (it likely won’t and will get the site penalized). Let’s sift through the noise and highlight some dos and don’ts for performance-based SEO in 2018.

SEO is dead, long live SEO!

Nearly every year since its inception, SEO is declared dead. It is true that the scope of best practices for search engines has narrowed over the years as search engines have become smarter, and much of the benefit Continue reading

The Lazy Person’s Guide to Better Online Privacy

I consider myself a high-functioning lazy person. I do my laundry regularly, but leave clean clothes in a pile on the floor. I make it to work on time, but have to set my alarm for an hour earlier than I’d like because I hit the snooze button so many times. I will wear a blazer to my business casual office, but only to cover up my terribly wrinkled shirts… which I pick up off my bedroom floor each morning.

At the Internet Society, I work primarily on topics related to security and privacy. Through my work, I have the pleasure of learning about new vulnerabilities or computer viruses, how different apps and devices can or already are spying on me and selling my data, and all other manner of scary online threats. As you can imagine I’ve become increasingly paranoid about my online privacy.

Yet, when it comes to online privacy, lazy and paranoid is a terrible combination.

I know what I should be doing to better protect my online privacy. I know I should update my devices regularly. I know I should be using two factor authentication when its available. But, like the clothes I know I should be folding, I Continue reading

List of EVPN and DC-related RFCs

In this post I try to collect links to all interesting RFCs and drafts related to DC, EVPN and network overlays.

Some of this documents are complete industry standards, some are drafts aiming to become such standarts, and others are just informational documents, often already outdated and forgotten, but despite this still interesting and useful. So don’t forget to pay attention to time frame each particular document was created and updated.

RFC 7209 – Requirements for Ethernet VPN (EVPN)

This document specifies the requirements for an Ethernet VPN (EVPN) solution, which addresses various VPLS issues.

RFC 7432 – BGP MPLS-Based Ethernet VPN

This document describes procedures for BGP MPLS-based Ethernet VPNs (EVPN-MPLS).

RFC 7938 – Use of BGP for Routing in Large-Scale Data Centers

This document summarizes operational experience in designing and operating large-scale data centers using BGP as the only routing protocol.

RFC 7348 – Virtual eXtensible Local Area Network (VXLAN)

This document describes Virtual eXtensible Local Area Network (VXLAN), which is used to address the need for overlay networks within virtualized data centers accommodating multiple tenants.

RFC 7364 – Problem Statement: Overlays for Network Virtualization

This document describes issues associated with providing multi-tenancy Continue reading

Don’t focus on trivia…

Found this great quote in Algorithms to Live By: The Computer Science of Human Decisions - a must-read for all nerds:

Depend upon it there comes a time when for every addition of knowledge you forget something that you knew before. It is of the highest importance, therefore, not to have useless facts elbowing out the useful ones.

Sherlock Holmes

Now you know why you should focus on how things work instead of memorizing commands ;)

Lessons learned from adapting Site Search 360 for Cloudflare Apps

This is a guest post by David Urbansky, CEO and Co-Founder of SEMKNOX and Site Search 360. David is a search enthusiast having built natural language search experiences for e-commerce sites and recipe search engines.

As a startup founder, there are always key product decisions to be made when Site Search 360, our key product, is embedded in one context versus another. I’d like to share some experiences, choices, and challenges in our process packaging Site Search 360 for Cloudflare Apps.

What is Site Search 360?

Site Search 360 is a search solution for websites. Offering a search bar on a website improves user experience tremendously if the site has more than just a handful of pages. According to a eConsultancy study, up to 30% of web visitors use the search feature on e-commerce sites and searchers sometimes make up 40% of the revenue. Additionally, Nielsen Group found that 51% of people who did not find what they were looking for with the first query, gave up without refining the search - the search had better work very well then.

Why use the Cloudflare App?

Considering these facts, almost every website should have a search feature. However, implementing Continue reading

Networking Field Day 17 (NFD17) Redux

As I write this it’s Friday afternoon in Silicon Valley, Networking Field Day 17 (NFD17) is over, and I am truly exhausted after a week of presentations covering topics like Ethernet switch hardware, testing/simulation and network operating system (Mellanox, Ixia, Cumulus), Field Area Networks (Cisco), visibility and automation (Juniper AppFormix), distributed network monitoring (Thousand Eyes) and much more.

I will be posting in the coming weeks about some of the individual presentations, but while I dry off from the information firehose I thought I’d briefly summarize some of my personal highlights from the week.

Themes

One recurring theme throughout the week was automation. Cisco for example, spoke about the capabilities for Zero Touch Provisioning (ZTP) in IOS XR. Juniper presented the OpenContrail platform which, impressively, appears to have a new and very positive sense of direction after (in my opinion) floating around somewhat aimlessly for a while. Extreme Networks spoke about Workflow Composer, and its ability to integrate with tools like Splunk to auto-remediate detected issues. VMware demonstrated the impressive capabilities of NSX to configure distributed firewalling and microsegmentation down to the container level, while VeloCloud from VMware demonstrated another facet of automation, that of the software defined WAN.

Another Continue reading

China Mobile and China Unicom Deploy Huawei’s Cloud Fabric

Huawei says it has no expectations of doing business with the U.S. government.

Weekend Reads 012618: Mostly Security and Legal Stuff

Before we begin, its worth mentioning that yes, yesssssssssssssssssssss, I did not have enough protection around my Gmail account. I’ve used Google Authenticator before, for my personal account and for various work emails, but I stopped using it at a certain point out of convenience. —Cody Brow @Medium

This report assesses the impact disclosure of data breaches has on the total returns and volatility of the affected companies’ stock, with a focus on the results relative to the performance of the firms’ peer industries, as represented through selected indices rather than the market as a whole. financial performance is considered over a range of dates from 3 days post-breach through 6 months post-breach, in order to provide a longer-term perspective on the impact of the breach announcement. —Russell Lange & Eric W. Burger @Journal of Information Privacy and Security

If it were not for the insatiable bandwidth needs of the twenty major hyperscalers and cloud builders, it is safe to say that the innovation necessary to get Ethernet switching and routing up to 200 Gb/sec or 400 Gb/sec might not have been done at the fast pace that the industry as been able to pull off. —Timothy Prickett Morgan @The Continue reading

Cavium Network Interface Cards Power HPE, VMware, and Microsoft HCI

Cavium plans to continue expanding into the popular HCI sector.

Watch the “State of the Net 2018” Live on Monday, January 29

Internet governance, blockchain, algorithms, free speech, net neutrality, IoT, cybersecurity, fragmentation … and so much more!  On Monday, January 29, 2018, the State of the Net 2018 conference will be streaming live out of the Newseum in Washington DC. You can watch starting at 9:00am US EST (UTC-5) Monday morning at:

http://www.stateofthenet.org/live/

The SOTN 2018 agenda is packed with many of the leading voices in US Internet policy, including Senators, Representatives, and even an FCC Commissioner. Global organizations and corporations will be represented, too, among the many speakers.

At 11:00am EST, our own Sally Shipman Wentworth, VP of Global Policy Development, will participate in a panel, Internet Governance: Are We In A Post Multi-Stakeholder World?, along with Larry Strickling. Larry is perhaps best known recently for the IANA transition work but has been working with us on efforts to expand the use of the multistakeholder model for Internet governance. Others panelists will be Dr. Jovan Kurbalija from our partner the DiploFoundation; Steve DelBianco of NetChoice; and the Hon. Robert Strayer of the US State Department. The session will be moderated by Shane Tews from the Internet Education Foundation. The abstract is:

It will have been Continue reading

Intel promises silicon-based fixes for Meltdown and Spectre this year

With the software fixes for the Spectre and Meltdown chip vulnerabilities slowing servers down by unacceptable amounts, a hardware fix is clearly what is needed, and Intel’s boss says one is coming this year.Intel CEO Brian Krzanich told analysts during the company's Q4 2017 earnings call earlier this week that "silicon-based" fixes for Spectre and Meltdown would arrive by the end of 2018. Intel has several launches set for this year and he did not specify which."We're working to incorporate silicon-based changed to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year," were his exact words.To read this article in full, please click here

Intel promises silicon-based fixes for Meltdown and Spectre this year

With the software fixes for the Spectre and Meltdown chip vulnerabilities slowing servers down by unacceptable amounts, a hardware fix is clearly what is needed, and Intel’s boss says one is coming this year.Intel CEO Brian Krzanich told analysts during the company's Q4 2017 earnings call earlier this week that "silicon-based" fixes for Spectre and Meltdown would arrive by the end of 2018. Intel has several launches set for this year and he did not specify which."We're working to incorporate silicon-based changed to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year," were his exact words.To read this article in full, please click here