Calico eBPF Source IP Preservation: The Unexpected Story of High Tail Latency

The Calico eBPF data plane is your choice if latency is your primary concern. It was very disturbing that some benchmarking brought to our attention that eBPF had higher tail latency than iptables. The 99+% percentiles were higher by as much as a few hundred milliseconds. We did a whole bunch of experiments and we could not crack the nut until we observed that there are some occasional and unexpected TCP reset (RST) packets, but no connections were reset.

We noticed that the RST belongs to a connection that was already completed and finished a while ago. That was strange, but it pointed us in the right direction. We also knew that this happens only if the benchmark uses a LoadBalancer and we have connections going through multiple nodes to the same backend pod. That was enough to get to the root cause, but let’s start at the beginning…

External Clients and Kubernetes Services

One of the shortcomings of iptables/nftables based networking in Kubernetes is that if an external client connects to your cluster via a NodePort or a LoadBalancer, you may lose its IP address along the way. The reason for this is that the client may connect to Continue reading

Capturing Traffic in Virtual Networking Labs

When I announced the Stub Networks in Virtual Labs blog post on LinkedIn, I claimed it was the last chapter in the “links in virtual labs” saga. I was wrong; here comes the fourth part of the virtual links trilogy – capturing “on the wire” traffic in virtual networking labs.

While network devices provide traffic capture capabilities (usually tcpdump in disguise generating a .pcap file), it’s often better to capture the traffic outside of the device to see what the root cause of the problems you’re experiencing might be.

Read more …

Anthropic Raises 285 Million GPU-Hours Equivalent In Series E Funding

Rather than measure the funding rounds and valuations of AI startups building foundation models in US dollars, perhaps we should just convert that right into GPU-hours rented to train models, since this accounts for the vast majority of spending that OpenAI, Anthropic, and a handful of others do in their day to day operations.

Anthropic Raises 285 Million GPU-Hours Equivalent In Series E Funding was written by Timothy Prickett Morgan at The Next Platform.

Banish bots from your Waiting Room and improve wait times for real users

With Cloudflare Waiting Room, you can safeguard your site from traffic surges by placing visitors in a customizable, virtual queue. Previously, many site visitors waited in the queue alongside bots, only to find themselves competing for inventory once in the application. This competition is inherently unfair, as bots are much faster and more efficient than humans. As a result, humans inevitably lose out in these high-demand situations, unable to secure inventory before bots sweep it all up. This creates a frustrating experience for real customers, who feel powerless against the speed and automation of bots, leading to a diminished experience overall. Those days are over! Today, we are thrilled to announce the launch of two Waiting Room solutions that significantly improve the visitor experience.

Now, all Waiting Room customers can add an invisible Turnstile challenge to their queueing page, robustly challenging traffic and gathering analytics on bot activity within their queue. With Advanced Waiting Rooms, you can select between an invisible, managed, or non-interactive widget mode. But, we won’t just block these bots! Instead, traffic with definite bot signals that have failed the Turnstile challenge can be sent to an Infinite Queue, a completely customizable page that mimics a real Continue reading

Training Neural Networks: Backpropagation Algorithm

 Introduction 


The previous chapter explained the operation of a single artificial neuron. It covered how input values are multiplied by their respective weight parameters, summed together, and combined with a bias term. The resulting value, z, is then passed through a non-linear sigmoid function, which squeezed a neuron’s output value y ̂ between 0 and 1.

In this chapter, we form the smallest possible Feed Forward Neural Network (FFNN) model using only two neurons. While this is far from a Deep Neural Network (DNN), a simple NN with two neurons is sufficient to explain the Backpropagation algorithm, which is the focus of this chapter.

The goal is to demonstrate the training process and illustrate how the Forward Pass (computation phase) first generates a model output, y ̂. The algorithm then evaluates the model’s accuracy by computing the error term using Mean Squared Error (MSE). The first training iteration rarely, if ever, produces a perfect output. To gradually bring the training result closer to the expected value, the Backward Pass (adjustment and communication phase) calculates the magnitude and direction by which the weight values should be adjusted. The Backward Pass is repeated as many times as necessary until an acceptable model Continue reading

Weekend Reads 022825


Over time, experience—and sometimes hard lessons—have shown that security is more than just technology, processes, or a team of IT specialists. Without a strong corporate culture that prioritizes cybersecurity, even the best efforts can be overlooked or misunderstood.


Perhaps this is more important: Did you hear that many scientists are “sceptical”? Perhaps not; the headline wouldn’t sound as good.


ChatGPT and other large language models (LLMs) are very much like a magic act in that their confident responses to almost any query conceal the fact that they are not intelligent in any meaningful sense of the word.


The market for dielectric liquid required for immersion cooling is dominated by a small number of players that are aware of their market power.


Analysis AI models like OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Thinking can mimic human reasoning through a process called chain of thought.

Hedge 261: The NTIA, Spectrum, and Broadband

In the United States, the National Telecommunications and Infrastructure Administration manages spectrum and researches the current state of Internet connectivity for policy makers. Henning Schulzrinne joins Tom and Russ to discuss the role of the NTIA, spectrum management, and broadband management.
 
You can read the NTIA’s reports here.
 

 
download

HN770: Deploying A Global Network in Minutes With Megaport (Sponsored)

In our conversation today with CTO Cameron Daniel of Megaport, we discuss their global WAN architecture, PoPs, use cases, the Megaport Cloud Router, and more. Megaport is our sponsor today. It’s accurate to describe Megaport as providing Network-as-a-Service. Megaport’s automated connectivity solutions enable rapid provisioning of circuits, contrasting sharply with traditional telcos. The discussion also... Read more »

Cloudflare’s 2024 Transparency Reports – now live with new data and a new format

Cloudflare’s 2024 Transparency Reports are now live — with new topics, new data points, and a new format. For over 10 years, Cloudflare has published transparency reports twice a year in order to provide information to our customers, policymakers, and the public about how we handle legal requests and abuse reports relating to the websites using our services. Such transparency reporting is now recognized as a best practice among companies offering online services, and has even been written into law with the European Union’s Digital Service Act (DSA).

While Cloudflare has been publishing transparency reports for a long time, this year we chose to revamp the report in light of new reporting obligations under the DSA, and our goal of making our reports both comprehensive and easy to understand. Before you dive into the reports, learn more about Cloudflare’s longstanding commitment to transparency reporting and the key updates we made in this year’s reports.

Cloudflare’s approach to transparency reporting

Cloudflare started issuing transparency reports early on, because we have long believed that transparency is essential to earning trust. In addition to sharing data about the number and nature of requests we receive, our transparency reports have provided a forum Continue reading

Lab as Code – Part1

I wrote a post a while back about how the world of labbing changed during my time in networking, this is a follow on to see what options I have in terms of ‘labbing as Code’. I want a way to declaratively deploy the initial lab setup (devices, links, addressing, remote access, etc) so that I can concentrate on the features I am actually trying to lab. My idea is to try and use existing tools rather than writing my own, the following repo has all the code and files I used as part of this blog.

Palo Alto Automated Scheduled Configuration Backup

Palo Alto Automated Scheduled Configuration Backup

I'm writing this in February 2025, and as far as I know, Palo Alto firewalls (not Panorama) don’t have a built-in mechanism for automatic configuration backups. Panorama, on the other hand, supports scheduled backups and allows you to send them to various locations like an SCP or FTP server. I’m not sure why this feature isn’t available on standalone firewalls, but in any case, let’s look at how you can use the API to periodically fetch the configuration from the Palo Alto firewall.

As always, if you find this post helpful, press the ‘clap’ button. It means a lot to me and helps me know you enjoy this type of content.

Trying to Automate Palo Alto Firewall Objects/Rules Cleanup
In this blog post, we will walk you through how to clean up Palo Alto Firewall Objects and Rules using a Python script. The script is designed to search for a
Palo Alto Automated Scheduled Configuration BackupPacketswitchSuresh Vina
Palo Alto Automated Scheduled Configuration Backup

Overview

The Palo Alto KB article explains how to use the XML API with cURL to fetch the configuration and then use a cron job to run it periodically. This method works, but I want to make some tweaks to ensure we have Continue reading

Calico at KubeCon + CloudNativeCon Europe 2025

Tigera is getting ready for KubeCon + CloudNativeCon Europe this year!

Join us for exciting demos, networking opportunities, meaningful community connections, and fun celebrations. We can’t wait to share what’s in store!

This blog post covers all the ways you can engage with us and dive deeper into your favorite tool, Calico, at KubeCon + CloudNativeCon Europe 2025.

CalicoCon 2025

CalicoCon 2025 is your go-to event for the latest in Kubernetes networking, security, and observability. Hosted by the Calico team, it offers an in-depth look at the state of Project Calico.

Attendees will have the chance to connect with Calico engineers and leadership, ask questions, and share their experiences.

Add CalicoCon to your existing KubeCon + CloudNativeCon registration ‌to secure your spot. If you are not attending KubeCon + CloudNativeCon Europe but would still like to attend CalicoCon, please reach out to us ‌on the Calico User Slack.


Event Details

Date: April 1, 2025
Time: 1:00pm – 4:30pm BST
Location: Good Hotel London

<Register Now>

Party with Calico Cool Cats

This is your chance to connect with fellow Kubernetes enthusiasts, Calico users, and the brilliant minds behind Project Calico in a relaxed setting.

Engage in insightful conversations, share your Kubernetes Continue reading

1 20 21 22 23 24 3,787