Catalyst SD-WAN Enhanced Application Aware Routing

Traditionally, Cisco has leveraged BFD to monitor tunnels and their performance and Application Aware Routing (AAR) to reroute traffic. BFD has been used to measure:

  • Latency.
  • Loss.
  • Jitter.

Additionally, BFD is also used to verify liveliness of the tunnels. This works well, but there are some drawbacks to using a separate protocol for measuring performance:

  • You are adding control plane packets competing for bandwidth with packets in data plane.
  • Sending control plane packets frequently may overload the control plane.
    • This may lead to false positives.
  • It’s not guaranteed that control plane packets and data plane packets are treated equally.
  • AAR did take some time to react to poor transports as it had to collect enough measurements before reacting.
  • AAR didn’t have a built-in dampening mechanism.

With the default BFD settings, BFD packets are sent every second. The default AAR configuration consists of six buckets that hold 10 minutes of data each. This means that with the default settings, AAR will react in 10-60 minutes depending on how poorly the transport is performing. The most aggressive AAR configuration recommended by Cisco was to have 5 buckets holding 2 minutes of data each. AAR would then react in 2-10 minutes which I Continue reading

Boat build phase – Part1

Now I had a design and a half empty shell it was time to get work. The biggest problem with working on a boat is space, you are forever moving things and constantly tidying up. All the materials had to be orderd to arrive just in time for when they were needed as there is no space on the boat to store them. The remoteness of the marina and not having a car didn’t help, I wasted a lot of hours getting local buses to go hire a van or waiting on deliveries.

VPP on FreeBSD – Part 2

About this series

FreeBSD

Ever since I first saw VPP - the Vector Packet Processor - I have been deeply impressed with its performance and versatility. For those of us who have used Cisco IOS/XR devices, like the classic ASR (aggregation services router), VPP will look and feel quite familiar as many of the approaches are shared between the two. Over the years, folks have asked me regularly “What about BSD?” and to my surprise, late last year I read an announcement from the FreeBSD Foundation [ref] as they looked back over 2023 and forward to 2024:

Porting the Vector Packet Processor to FreeBSD

Vector Packet Processing (VPP) is an open-source, high-performance user space networking stack that provides fast packet processing suitable for software-defined networking and network function virtualization applications. VPP aims to optimize packet processing through vectorized operations and parallelism, making it well-suited for high-speed networking applications. In November of this year, the Foundation began a contract with Tom Jones, a FreeBSD developer specializing in network performance, to port VPP to FreeBSD. Under the contract, Tom will also allocate time for other tasks such as testing FreeBSD on common virtualization platforms to improve the desktop experience, improving Continue reading

Keeping the Pipe Just Full

In this post, I will be discussing a paper published by the Internet pioneer Leonard Kleinrock, titled “Keep the Pipe Just Full, But No Fuller”. The paper’s conclusion is that it is best to keep the internet “pipe” full, without overloading it. This idea is a take on Einstein’s famous quote, “Make everything as simple as possible, but not simpler.”

Keeping the Pipe Just Full

In this post, I will be discussing a paper published by the Internet pioneer Leonard Kleinrock, titled “Keep the Pipe Just Full, But No Fuller”. The paper’s conclusion is that it is best to keep the internet “pipe” full, without overloading it. This idea is a take on Einstein’s famous quote, “Make everything as simple as possible, but not simpler.”

Introduction

It’s not always true that using the network to its fullest capacity will lead to better performance. When the network is overloaded, congestion and queueing delays can occur, which can affect the rate at which useful data is delivered and the time it takes for data to be delivered. This means there is a tradeoff between goodput and latency. To avoid network issues, congestion management is important. TCP regulates data flow from source to destination by sending packets while monitoring the delivery rate and response time to manage congestion. The challenge is to regulate traffic flow, as both underutilizing and overloading the capacity can waste resources and cause congestion.

For many years, TCP congestion control algorithms have relied on loss as a measure of congestion. However, loss causes sawtooth behaviors as flow expands until packets are dropped, then Continue reading

Weekend Reads 021624


This year, I’ve had the opportunity to work alongside some of the highest- performing individuals in our profession. I’ve taken that opportunity to observe their work, look for patterns, and to try to identify the attributes that contribute to their success, not only as technologists but as humans.


OpenAI CEO Sam Altman’s dream of establishing a network of chip factories to fuel the growth of AI may be much, much wilder than feared.


Advanced persistent threat (APT) groups are more dangerous than your run-of-the-mill cybercriminals. They, after all, trail their sights not only on financial gain but loftier targets such as wreaking havoc on entire nations.


In this episode of PING, APNIC’s Chief Scientist Geoff Huston discusses the role of the Domain Name System (DNS) in directing where your applications connect to, and where content comes from.


As you awoke one morning from uneasy dreams you found yourself transformed in your bed into a software engineer. A calamity that I find all too familiar.


Whether you want to land a new job or make your contributions count, effective communication goes a long way.


At the beginning of the year, I wrote a bit about the resolution to “stay human” in Continue reading

Hedge 213: Batfish with Ratul Mahajan

Network configuration analysis has always been the domain of commercial-grade software. Batfish changes all that with an open source, community-supported tool that can find errors and guarantees the correctness of planned or current network configurations. Ratul Mahajan joins Tom Ammon and Russ White to talk about this new tool, its capabilities, and the importance of network configuration analysis.
 

 
download
 
You can find out more about Batfish at the project home page, and in this paper by Ratul.

Monitoring machine learning models for bot detection

Cloudflare’s Bot Management is used by organizations around the world to proactively detect and mitigate automated bot traffic. To do this, Cloudflare leverages machine learning models that help predict whether a particular HTTP request is coming from a bot or not, and further distinguishes between benign and malicious bots. Cloudflare serves over 55 million HTTP requests per second — so our machine learning models need to run at Cloudflare scale.

We are constantly making improvements to the models that power Bot Management to ensure they are incorporating the latest threat intelligence. This process of iteration is an important part of ensuring our customers stay a step ahead of malicious actors, and it requires a rigorous process for experimentation, deployment, and ongoing observation.

We recently shared an introduction to Cloudflare’s approach to MLOps, which provides a holistic overview of model training and deployment processes at Cloudflare. In this post, we will dig deeper into monitoring, and how we continuously evaluate the models that power Bot Management.

Why monitoring matters

Before bot detection models are released, we undergo an extensive model testing/validation process to ensure our detections perform as expected. Model performance is validated across a wide number of web traffic Continue reading

KU048: Platforms in the Clouds

What are we talking about when we are all talking about private clouds? On-prem? Hybrid? Virtualization? Where does hardware fit into it all– and would younger engineers even know what to do with a physical piece of hardware? Driven by Broadcom’s acquisition of VMare and the anticipated rising costs of VMare licenses, enterprises are exploring... Read more »

Safeguarding your brand identity: Logo Matching for Brand Protection

In an era dominated by digital landscapes, protecting your brand’s identity has become more challenging than ever. Malicious actors regularly build lookalike websites, complete with official logos and spoofed domains, to try to dupe customers and employees. These kinds of phishing attacks can damage your reputation, erode customer trust, or even result in data breaches.

In March 2023 we introduced Cloudflare’s Brand and Phishing Protection suite, beginning with Brand Domain Name Alerts. This tool recognizes so-called “confusable” domains (which can be nearly indistinguishable from their authentic counterparts) by sifting through the trillions of DNS requests passing through Cloudflare’s DNS resolver, 1.1.1.1. This helps brands and organizations stay ahead of malicious actors by spotting suspicious domains as soon as they appear in the wild.

Today we are excited to expand our Brand Protection toolkit with the addition of Logo Matching. Logo Matching is a powerful tool that allows brands to detect unauthorized logo usage: if Cloudflare detects your logo on an unauthorized site, you receive an immediate notification.

The new Logo Matching feature is a direct result of a frequent request from our users. Phishing websites often use official brand logos as part of their facade. In Continue reading

Traefik Proxy v3 Adds WebAssembly and Kubernetes Gateway API Support

A leading open source reverse proxy and load balancer, Emile Vauge, Traefik’s creator, said previously in The New Stack, “Traditional reverse proxies were not well-suited for these dynamic environments.” Now, the Traefik Labs, the project’s parent company, introduced the first Release Candidate of Traefik Proxy v3. This new version now supports WebAssembly (Wasm), OpenTelemetry, and Kubernetes Gateway API. A Game-Changer for WebAssembly? WebAssembly support inclusion may prove a game-changer. Besides offering high-performance, language-agnostic capabilities for serverless and containerized applications, Traefik’s support provides Wasm with a larger potential market. “This is a major step towards a low friction extensibility story for Traefik as it brings broader plugins into its growing ecosystem while providing a great developer experience. with plugins that can be written in different languages and compiled directly into Wasm,” said Open Worldwide Application Security Project (OWASP) OpenTelemetry protocol (OTLP), will provide users with improved visibility into their applications. Since the Prometheus and Jesse Haka, a cloud architect at

C can be memory safe, part 2

This post from last year was posted to a forum, so I thought I'd write up some rebuttals to their comments.

The first comment is by David Chisnall, creator of CHERI C/C++, which proposes we can solve the problem with CPU instruction set extensions. It's a good idea, but after 14 years, CPUs haven't had their instruction-sets upgraded. Even mainstream RISC V processors haven't been created using those extensions.

Chisnall: "If your safety requires you to insert explicit checks, it’s not safe". This is true from one perspective, false from another. My proposal includes compilers spitting out warnings whenever bounds information doesn't exist.

C is full of problems in theory that doesn't exist in practice because the compiler spits out warnings telling programmers to fix the problem. Warnings can also note cases where programmers probably made mistakes. We can't achieve perfect guarantees, because programmers can still make mistakes, but we can certainly achieve "good enough".

Chisnall: ....tread safety..... I'm not sure I full understand the comment. I understand that CHERI can guarantee atomicity of bounds checking, which would require multiple (interruptible) instructions otherwise. The number of cases where this is a problem, and the C proposal would be Continue reading

1 184 185 186 187 188 3,858