It's well known that we're heavy users of the Go programming language at CloudFlare. Our work often involves delving into the standard library source code to understand internal code paths, error handling and performance characteristics.
Recently, I looked at how the standard library's built-in HTTP client handles connections to remote servers in order to provide minimal roundtrip latency.
A common pattern that aims to avoid connection setup costs (such as the TCP handshake and TLS setup) and confer control over the number of concurrently established connections is to pool them. net/http maintains a pool of connections to each remote host which supports Connection: keep-alive. The default size of the pool is two idle connections per remote host.
More interestingly, when you make a request with net/http, a race happens. Races in code are often an unwanted side effect, but in this case it's intentional. Two goroutines operate in parallel: one that tries to dial a connection to the remote host, and another which tries to retrieve an idle connection from the connection pool. The fastest goroutine wins.
To illustrate, let's look at the code executed when transport.RoundTrip(req) is
Continue reading
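An added example (not code from the CloudFlare post) that makes the pool behaviour described above observable: it uses httptrace to report, per request, whether net/http handed back an idle keep-alive connection or had to dial, and compares a pooled transport with one that has keep-alive disabled. The local httptest server and the helper names fetch and ReuseSequence are this example's own assumptions.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httptrace"
)

// fetch issues one GET and reports whether net/http served it from the idle
// pool (httptrace's GotConnInfo.Reused) rather than dialing a new connection.
func fetch(client *http.Client, url string) (reused bool, err error) {
	trace := &httptrace.ClientTrace{
		GotConn: func(info httptrace.GotConnInfo) { reused = info.Reused },
	}
	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(context.Background(), trace), http.MethodGet, url, nil)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	// A connection only goes back to the pool once its body is drained and closed.
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	return reused, nil
}

// ReuseSequence sends n sequential requests to a local test server (constructed
// here) and returns, per request, whether the transport reused a pooled connection.
func ReuseSequence(n int, keepAlive bool) ([]bool, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	defer srv.Close()
	// MaxIdleConnsPerHost: 2 is the default the post mentions; DisableKeepAlives switches the pool off.
	tr := &http.Transport{MaxIdleConnsPerHost: 2, DisableKeepAlives: !keepAlive}
	client := &http.Client{Transport: tr}
	var out []bool
	for i := 0; i < n; i++ {
		r, err := fetch(client, srv.URL)
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

func main() { fmt.Println(ReuseSequence(3, true)) } // prints [false true true] <nil>
```

With keep-alive enabled only the first request dials; with it disabled every request does, which is the cost the pool exists to avoid.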
I’m taking a little break from the blog ’til the beginning of the year… See you on the front side of 2016.
The post Merry Christmas! appeared first on 'net work.
[Special thanks to Rob Shakir for taking the time to talk about OpenConfig and the related work he has going on. He definitely helped make the second half of this post happen. Thank you, Rob. Note: all of the BGP code examples are borrowed from Rob, and his original work can be found here.]
As more devices continue to add support for APIs, and the industry migrates from CLI to API, the question often arises, “is there ever going to be a common multi-vendor network device API?”
Let me answer that for you, “No!” Why? Think about it. What’s in it for the vendors?
If you keep reading, you may see that there is in fact a reason for vendors to develop a common API.
That said, this is the reason I initiated CPAL almost 2 years ago, which didn’t go anywhere for a number of reasons; as an aside, we are revisiting the idea beyond CPAL, and you should see something within a few weeks! This is also the reason we have projects such as netmiko, ntc-ansible, NAPALM, and the one that is the focus of this post, OpenConfig.
This Continue reading
Network security, for a long time, has worked off of the old Russian maxim, “trust but verify.” Trust a user, but verify it’s them. However, today’s network landscape — where the Internet of Things, the Cloud, and more are introducing new vulnerabilities — makes the “verify” part of “trust but verify” difficult and inefficient. We need a simpler security model. That model: Zero Trust. Continue reading
The VMware NSX reference design guide has been a trusted source for NSX implementers to ensure a smooth and successful deployment. The NSX design guide has been incorporated as a baseline in industry recognized and validated architectures such as VCE VxBlock, Federation Enterprise Hybrid Cloud and the VMware Validated Designs.
We are introducing a new, updated version of the NSX design guide just in time for the holiday break to add to your year-end reading list. This design guide incorporates a great deal of feedback we have received from our readers and is based on the learnings of more than 200 production customer deployments of NSX.
The updated design guide provides a detailed overview of how NSX works, the components and core design principles.
The main updates include:
Routing Design
We are diving deeper into distributed routing and edge routing best practices. NSX connectivity options from the virtual to the physical infrastructure are often left to interpretation, which generates confusion about established best practice. While NSX offers multiple options for connectivity, we are taking the position of offering more prescriptive guidance in this document. The reader will get a better understanding of the design principles and availability guidance.
Security Policy Design
In a CNN article that discusses the Sanders campaign’s access to the Clinton campaign information, I found the following statement:
The breach occurred when the vendor, NGP VAN, which supplies access to the database of voter information for both campaigns dropped the firewall, and at least one Sanders campaign staffer accessed Clinton campaign voter data. The accused staffer, Josh Uretsky, Sanders’ national data director, was fired from the campaign.
I have to ask, what does that even mean? So NGP VAN is using a firewall to isolate data between candidates? Are there no controls in the application? And what does it mean to drop a firewall?
I have to assume that this would indicate a “permit any” or maybe some other bypass. I’d love to know the technical details around this situation.
Firewalls aren’t magical boxes and this is a “dumbed down” if not inaccurate response.
I’d love to hear from you, so share your experiences by commenting below.
Continue reading