0

Q4 2023 Internet disruption summary

Cloudflare’s network spans more than 310 cities in over 120 countries, where we interconnect with over 13,000 network providers in order to provide a broad range of services to millions of customers. The breadth of both our network and our customer base provides us with a unique perspective on Internet resilience, enabling us to observe the impact of Internet disruptions.

During previous quarters, we tracked a number of government directed Internet shutdowns in Iraq, intended to prevent cheating on academic exams. We expected to do so again during the fourth quarter, but there turned out to be no need to, as discussed below. While we didn’t see that set of expected shutdowns, we did observe a number of other Internet outages and disruptions due to a number of commonly seen causes, including fiber/cable issues, power outages, extreme weather, infrastructure maintenance, general technical problems, cyberattacks, and unfortunately, military action. As we have noted in the past, this post is intended as a summary overview of observed disruptions, and is not an exhaustive or complete list of issues that have occurred during the quarter.

Government directed

Iraq

In a slight departure from the usual subject of Continue reading

0

How To Get Over The Memory Wall

SPONSORED: MemCon 2024 is billed as a one stop shop for emerging technologies in the memory and storage domain, and a hub for efficient data movement and management. …

How To Get Over The Memory Wall was written by David Gordon at The Next Platform.

0

Simulate a Silent Host in a VXLAN Network

I’m working on a blog post explaining route type 5 in EVPN. To demonstrate a scenario with a silent host, I want to simulate this behavior. Normally, hosts can be quite chatty and ARP for their GW, for example. In this post I will show how arptables on Linux can be used to simulate a silent host.

Currently the leaf switch has an ARP entry for the host:

Leaf4# show ip arp vrf Tenant1

Flags: * - Adjacencies learnt on non-active FHRP router
       + - Adjacencies synced via CFSoE
       # - Adjacencies Throttled for Glean
       CP - Added via L2RIB, Control plane Adjacencies
       PS - Added via L2RIB, Peer Sync
       RO - Re-Originated Peer Sync Entry
       D - Static Adjacencies attached to down interface

IP ARP Table for context Tenant1
Total number of entries: 1
Address         Age       MAC Address     Interface       Flags
198.51.100.44   00:15:20  0050.56ad.7d68  Vlan10           

It is possible to ping the host from the leaf switch:

Leaf4# ping 198.51.100.44 vrf Tenant1
PING 198.51.100.44 (198.51.100.44): 56 data bytes
64 bytes from 198.51.100.44: icmp_seq=0 ttl=63 time=1.355 ms
64 bytes from 198.51.100.44:  Continue reading

0

Secure Access Service Edge (SASE) Boosts Your Company Cybersecurity

Many enterprises view SASE as the right technology to provide their increasingly distributed workforce with access to corporate resources in a way that protects users, data, and the company.

0

Why The New England Patriots Tapped Cisco to Modernize Its Stadium Network

Cisco revamped Gillette Stadium’s network infrastructure focusing on the delivery of stellar video and fan experiences while meeting the Wi-Fi needs of retailers, security services, and more.

0

HN717: Network Source(s) Of Truth – A Roundtable Discussion

On today’s episode, we discuss networking sources of truth. That’s right, sources of truth, because you’re likely to have more than one depending on your environment and your point of view. On LinkedIn, Ethan quoted someone at the AutoCon0 conference who essentially said that the network itself shouldn’t be used as a source of truth.... Read more »

0

Weekend Reads 011924

Pressure to resolve incidents quickly that often comes from peers, leadership, and members of affected teams only adds to the chaos of incident management, causing more human errors. Coordinating incidents such as this through the process of having an Incident Commander role has shown more controllable outcomes for organizations around the world.

The Kimsuky Group, believed to be a North Korea-based advanced persistent threat (APT) group active since 2013, struck again several times this year.

QUIC supports connection migration, allowing the client to migrate an established QUIC connection from one path to the other. QUIC’s path validation mechanism can be used to attack the peer and make it consume an unbounded amount of memory.

The NVM Express consortium has updated its specifications by adding a Computational Storage Feature, creating a standardized way for applications to talk to storage devices that include some processing capability.

Post Office chief exec Nick Read left British politicians shocked with his evidence before a Parliamentary committee yesterday after he admitted he could not say when the public body at the center of the historic miscarriage of justice knew when its system was at fault.

We’re only a few weeks into 2024, and violations of people’s Continue reading

0

BGP EVPN Part III: BGP EVPN Local Learning Fundamentals

Multi-Protocol BGP (MP-BGP) is a BGP-4 extension that enables BGP speakers to encode Network Layer Reachability Information (NLRI) of various address types, such as IPv4/6, VPNv4, and MAC addresses, into BGP Update messages. MP-BGP features an MP_REACH_NLRI Path-Attribute (PA), which utilizes an Address Family Identifier (AFI) to describe service categories. Subsequent Address Family Identifier (SAFI), in turn, defines the solution used for providing the service. For example, L2VPN (AFI 25) is a primary category for Layer-2 VPN services, and the Ethernet Virtual Private Network (EVPN: SAFI 70) provides the service. Another L2VPN service is Virtual Private LAN Service (VPLS: SAFI 65). The main differences between these two L2VPN services are that only EVPN supports active/active multihoming, has a control-plane-based MAC address learning mechanism, and operates over an IP-routed infrastructure.

EVPN utilizes various Route Types (EVPN RT) to describe the Network Layer Reachability Information (NLRI) associated with Unicast, BUM (Broadcast, Unknown unicast, and Multicast) traffic, as well as ESI Multihoming. The following sections explain how EVPN RT 2 (MAC Advertisement Route) is employed to distribute MAC and IP address information of Tenant Systems enabling the expansion of VLAN over routed infrastructure. 

The Tenant System refers to a host, virtual machine, Continue reading

0

Hedge 209: User Interface Stupidity

User interface design is notoriously bad for networking gear–but why, and what can we do about it? Frank Seesink joins Tom and Russ to talk about user interface stupidity.

download

0

Technology Short Take 173

Welcome to Technology Short Take #173! After a lull in links to share last time around, it looks like things have rebounded and folks are in full swing writing new content for me to share with you. I think I have a decent round-up of links for you; hopefully you can find something useful here. Enjoy!

Networking

• This article on running WireGuard in Docker may prove useful if that’s an approach I decide to adopt for my AWS lab infrastructure.
• Natalie Marek educates readers on VPC endpoints.
• Russ White laments some of the issues facing network engineering.

Servers/Hardware

• Alex Ellis provides some details on his workflow for booting Raspberry Pi 5 from NVMe.
• Tom Hummel finds himself veering back into a hardware-based home lab (instead of a cloud-based lab).

Security

• Rory McCune shares some information about a change in kubeadm version 1.29 pertaining to administrative credentials.
• Quintessence Anx of SPIRL shares some guidance on how to construct SPIFFE IDs.
• A set of vulnerabilities in the open source reference implementation of the UEFI specification has been uncovered. The flaws, referred to as PixieFail, specifically affect the PXE network boot process. BleepingComputer has more details.

Cloud Computing/Cloud Management

• Dean has published Continue reading

0

BGP Labs: Work with FRR and Cumulus Linux

FRR or (pre-NVUE) Cumulus Linux are the best bets if you want to run BGP labs in a resource-constrained environment like your laptop or a small public cloud instance. However, they both behave a bit differently from what one might expect from a networking device, including:

• Interfaces are created through standard Linux tools;
• You have to start the FRR management CLI from the Linux shell;
• If you need a routing daemon (for example, the BGP daemon), you must enable it in the FRR configuration file and restart FRR.

A new lab exercise covers these intricate details and will help you get fluent in configuring BGP on FRR or Cumulus Linux virtual machines or containers.

0

BGP Labs: Work with FRR and Cumulus Linux

FRR or (pre-NVUE) Cumulus Linux are the best bets if you want to run BGP labs in a resource-constrained environment like your laptop or a small public cloud instance. However, they both behave a bit differently from what one might expect from a networking device, including:

• Interfaces are created through standard Linux tools;
• You have to start the FRR management CLI from the Linux shell;
• If you need a routing daemon (for example, the BGP daemon), you must enable it in the FRR configuration file and restart FRR.

A new lab exercise covers these intricate details and will help you get fluent in configuring BGP on FRR or Cumulus Linux virtual machines or containers.

0

Taming Network Complexity with Digital Twins

Digital twins can help manage and troubleshoot complex networks by providing an accurate replica of the network's configuration and state.

0

KU046: Do Kubernetes Certs Prepare You For Real-World Production?

Technical trainer Benjamin Muschko joins hosts Kristina Devochko and Michael Levan to discuss the gap between Kubernetes certifications and real-world production skills. All three critique the focus on command-line proficiency in certifications, advocating for a practical approach that tests real-life scenarios. Muschko proposes a “capture the flag” style exam with hands-on projects, while the hosts... Read more »

0

IT Spending In 2024 Cools Thanks To “Change Fatigue”

Change may be inevitable, but it is also a pain in the neck. …

IT Spending In 2024 Cools Thanks To “Change Fatigue” was written by Timothy Prickett Morgan at The Next Platform.

0

When the Cloud is the Problem, Not the Answer

Taking cloud costs into consideration, more businesses today are adopting a hybrid or multi-cloud strategy to leverage the benefits of different deployment models for different parts of their applications.

0

D2C229: Standing Out From The Crowd With Tim Banks

We talk with Tim Banks about a wide range of topics including career development, how to stand out as an interview candidate, building a resume, finding your blind spots, diversity in tech (or lack thereof), and more. Let’s get into all the things with Tim! Episode Guest: Tim Banks | Lead Developer Advocate at Dell... Read more »

0

Tangoe State of IT Spending: A Look Back and Ahead

Tangoe’s annual IT Trends and Savings Recommendation report recaps IT spending in 2023 and provides savings tips for 2024.

0

Chip Packaging Trumps EDA: Why Synopsys Is Paying $35 Billion For Ansys

Here is how you know that the way chiplets are linked together to create what might have otherwise been a monolithic device is now more important than the way that the chiplets themselves are designed. …

Chip Packaging Trumps EDA: Why Synopsys Is Paying $35 Billion For Ansys was written by Timothy Prickett Morgan at The Next Platform.

0

Locking Down The Edge

COMMISSIONED: Edge security is a growing headache. The attack surface is expanding as more operational functions migrate out of centralized locations and into distributed sites and devices. …

Locking Down The Edge was written by Timothy Prickett Morgan at The Next Platform.