Kubernetes networking with OpenContrail

OpenContrail can be used to provide network micro-segmentation to kubernetes, providing both network isolation as well as the ability to attach a pod to a network that may have endpoints in using different technologies  (e.g. bare-metal servers on VLANs or OpenStack VMs).

This post describes how the current prototype works and how packets flow between pods. For illustration purposes we will focus on 2 tiers of the k8petstore example on kubernetes: the web frontend and the redis-master tier that the frontend uses as a data store.

The OpenContrail integration works without modifications to the kubernetes code base (as off v1.0.0 RC2). An additional daemon, by the name of kube-network-manager, is started on the master. The kubelets are executed with the option: “–network_plugin=opencontrail”, which instructs the kubelet to execute the command:
/usr/libexec/kubernetes/kubelet-plugins/net/exec/opencontrail/opencontrail. The source code for both the network-manager and the kubelet plugin are publicly available.

When using OpenContrail as the network implementation the kube-proxy process is disabled and all pod connectivity is implemented via the OpenContrail vrouter module which implements an overlay network using MPLS over UDP as encapsulation. OpenContrail uses a standards based control plane in order to distribute the mapping between endpoint (i.e. pod) and Continue reading

Most Google de-listing requests are from everyday folk, leaked data shows

Newly leaked figures reveal that the vast majority of people who exercised their right to be “forgotten” by Google’s services in Europe are everyday members of the public, with just 5 percent of requests coming from criminals, politicians and high-profile public figures.Europe’s highest court affirmed last year that people have the right to ask Google to remove certain results from its search engine, on the grounds that the information might be outdated or otherwise unfairly cast them in a negative light.Google has protested the decision, arguing that removing links requires “difficult value judgments” and can go against the public interest. It has pointed to “former politicians wanting posts removed that criticize their policies in office; serious, violent criminals asking for articles about their crimes to be deleted; bad reviews for professionals like architects and teachers; comments that people have written themselves (and now regret).”To read this article in full or to leave a comment, please click here

Most Google de-listing requests are from everyday folk, leaked data shows

Newly leaked figures reveal that the vast majority of people who exercised their right to be “forgotten” by Google’s services in Europe are everyday members of the public, with just 5 percent of requests coming from criminals, politicians and high-profile public figures.Europe’s highest court affirmed last year that people have the right to ask Google to remove certain results from its search engine, on the grounds that the information might be outdated or otherwise unfairly cast them in a negative light.Google has protested the decision, arguing that removing links requires “difficult value judgments” and can go against the public interest. It has pointed to “former politicians wanting posts removed that criticize their policies in office; serious, violent criminals asking for articles about their crimes to be deleted; bad reviews for professionals like architects and teachers; comments that people have written themselves (and now regret).”To read this article in full or to leave a comment, please click here

Hacking Team CEO insists tools were not compromised

The founder of the Italian surveillance software company that suffered a disastrous data breach last week sought to reassure clients on Tuesday about the gravity of the intrusion, insisting that Hacking Team’s anti-terrorism work has not been jeopardized.“If the client has followed our instructions there are no problems for security. Only a part of the source code has been stolen,” Hacking Team CEO David Vincenzetti told reporters at Milan’s Palace of Justice after a five-hour interrogation by Prosecutor Alessandro Gobbis.“We have provided clients with instructions which will enable them to restore complete security with the next update,” Vincenzetti said. The CEO said the hack, which resulted in the theft of 400GB of data and the publication of around 1 million company emails on the WikiLeaks website, had not compromised its most innovative products, which were “capable of combatting the phenomenon of terrorism and appreciated by all Western governments.”To read this article in full or to leave a comment, please click here

Vietnamese man gets 13 years for massive ID theft scheme

A Vietnamese man linked to a data breach of 200 million personal records at a subsidiary of credit monitoring firm Experian has been sentenced to 13 years in prison, the U.S. Department of Justice said.Hieu Minh Ngo, 25, was sentenced Tuesday on charges including wire fraud and identity fraud in the U.S. District Court for the District of New Hampshire, the DOJ said.Ngo was linked to a data breach at Court Ventures, a data broker Experian purchased in 2012.Ngo apparently tricked Court Ventures into giving him access to a personal records database by posing as a private investigator from Singapore, according to news reports. Much of the information about the breach came out when he pleaded guilty to multiple charges in March 2014 in the New Hampshire court.To read this article in full or to leave a comment, please click here

Célébrer le 14 Juillet avec Marseille, le 36ème point de présence de CloudFlare

What better day than the 14th of July (Bastille Day) to announce the latest addition to our network in Marseille, France? Our data center in the southern city of Marseille is our 2nd in France, 12th in Europe and 36th globally.

Pourquoi Marseille?

Marseille, France’s second largest city following Paris, is home to 2 million Internet users across the surrounding metropolitan area. It also serves as another point of redundancy to our Paris data center, one of our most trafficked facilities in the whole of Europe.

However, the true importance of Marseille is not just redundancy or its size. Marseille’s southern location makes it a major Internet gateway for networks throughout the Mediterranean, including many African and Middle Eastern countries. This is reflected by the fact that a substantial number of undersea submarine cables carrying Internet traffic are routed through Marseille (7 to be exact, and for those fastidious followers of our blog).

Marseille: a key interconnection point for traffic throughout the Mediterranean

These undersea cables are the principal means by which many countries are able to access the rest of the Internet—that is to say, access all of the other global networks that make up this big Continue reading

How to build your own ProxyHam

"ProxyHam" created controversy because the talk was supposedly suppressed by the US government. In this post, I'll describe how you can build your own, with off-the-shelf devices, without any code.

First, head on over to NewEgg. For a total of $290.96, buy two locoM9 repeaters (for $125.49 each), and two WiFi routers, like the TL-WR700N for $19.99 each.

Grab your first WiFi device. Configure it in "client" mode, connecting it to the "Starbucks" SSID. In this mode, you can then connect your laptop via Ethernet to this device, and you'll have access to the Internet via your WiFi device to Starbucks. In other words, it acts as a WiFi dongle, but one that you attach via Ethernet instead of USB.

Now grab your two locoM9 devices and configure them for "transparent bridging". In this mode, whatever Ethernet packets that are received on one end get sent over the air to the other end. Connect each localM9 via the TL-WR700N via the supplied Ethernet cable.

Now grab the second WiFi device and configure it as a normal WiFi router.

Now, assuming you aim the localM9's correct toward each other with reasonable line-of-sight, you've got a "ProxyHam".



The reason Continue reading

NASA algorithms keep unmanned aircraft away from commercial aviation

It is one of the major issues of letting large unmanned aircraft share the sky with commercial airliners: preventing a disaster by keeping the two aircraft apart – or “well clear” in flight.Commercial airliners and many larger private planes have onboard technology (and air traffic controllers as well as live pilots) to detect and avoid other aircraft in the sky but unmanned systems do not.  +More on Network World: NASA’s cool, radical and visionary concepts+To read this article in full or to leave a comment, please click here

ACLU asks court to immediately kill NSA phone snooping

A U.S. appeals court should immediately shut down the National Security Agency’s bulk collection of domestic telephone records because the practice is illegal, the American Civil Liberties Union said.The ACLU, in a request for an injunction filed Tuesday, asked the U.S. Court of Appeals for the Second Circuit to act now on its ruling from May that the bulk collection of U.S. phone records is illegal.To read this article in full or to leave a comment, please click here

ACLU asks court to immediately kill NSA phone snooping

A U.S. appeals court should immediately shut down the National Security Agency’s bulk collection of domestic telephone records because the practice is illegal, the American Civil Liberties Union said.The ACLU, in a request for an injunction filed Tuesday, asked the U.S. Court of Appeals for the Second Circuit to act now on its ruling from May that the bulk collection of U.S. phone records is illegal.To read this article in full or to leave a comment, please click here

Technology Short Take #52

Welcome to Technology Short Take #52, the latest collection of news, links, and articles from around the web on data center technologies.

Networking

  • Want to know a bit more about how OVN (Open Virtual Network) plans to integrate support for containers? See this. You might also find it useful to review this OVN presentation from the recent OpenStack Summit in Vancouver. A video recording of the presentation is also available on YouTube.
  • QualiSystems has a series of articles on open networking standards. A couple of the articles really jumped out at me—part 2 covers Open vSwitch, part 3 discusses OpenStack, part 4 discusses OpenFlow, and part 6 talks about OVSDB. There are also posts on OpenDaylight and OpFlex as well.
  • P4 is getting all the attention in the SDN world these days. What is P4? Craig Matsumoto has an overview at SDx Central; the “TL;DR” is that P4 is a high-level language aimed at describing how data plane devices process packets. If you want even more detail, then head over to the P4.org site for more information.
  • Jason Edelman, whose focus has been on network automation, recently posted an article on programming an ACI (Application Centric Infrastructure) Continue reading

The top 10 supercomputers in the world, 20 years ago

In 1995, the top-grossing film in the U.S. was Batman Forever. (Val Kilmer as Batman, Jim Carrey as the Riddler, Tommy Lee Jones as Two-Face. Yeah.) The L.A. Rams were moving back to St. Louis, and Michael Jordan was moving back to the Bulls. Violence was rife in the Balkans. The O.J. trial happened.It was a very different time, to be sure. But all that was nothing compared to how different the world of supercomputing was.+ MORE: The 10 most powerful supercomputers on Earth |  Can Dropbox go from consumer hit to business success? +To read this article in full or to leave a comment, please click here

CloudFlare Lands a New Office in Singapore

After months of preparation, my teammates Algin, Marty, Adam, Jono and I touched down in Singapore and were greeted by skyscrapers, malls, Singlish, chili crab, and Marty’s special sweet and sour chicken. It immediately hit us that we were no longer in San Francisco.

The Internet never sleeps, which means it is crucial for us to have a presence in Asia to operate our globally distributed network. Singapore was a natural choice for us given the thriving tech community, the business friendliness of the country, the delicious hawker stalls, and our harbor view rooftop hangout:


Since we are new in town, if there are meetups or groups in Singapore that you think we should be part of (or any good restaurants we should try) – let us know. We will be at RSA Asia Pacific & Japan on Friday July 24 here in Singapore. Come meet us in person and learn more about CloudFlare during Nick Sullivan’s session on The New Key Management - Unlocking the Safeguards of Keeping Keys Private.

As one global company, we took team members from both our San Francisco and London offices to be the foundation for the local team. We are actively looking to Continue reading

July 2015 Patch Tuesday: Microsoft closes holes being exploited in the wild

For July 2015, Microsoft released 14 security bulletins, with four patches rated as "critical" remote code execution (RCE) fixes. At least one of the fixes rated "critical" and some rated as "important" are currently being exploited in the wild.Patches rated CriticalMS15-065 resolves 28 flaws in Internet Explorer that could otherwise "modify how IE, VBScript and Jscript handle objects in memory." Qualys CTO Wolfgang Kandek pointed out that three of these were previously known (CVE-2051-2413, CVE-2015-2419 and CVE-2015-2421 ). "CVE-2015-2425 seems to come from the data dump at Hacking Team as well and I am impressed by the fix speed that Microsoft showed here. Of the other vulnerabilities a full 19 are of type RCE and allow the attacker to take over the targeted machine simply by browsing to a malicious, or infected site."To read this article in full or to leave a comment, please click here

Fake Bloomberg news story causes Twitter shares to spike

Twitter’s stock spiked in midday trading Tuesday after a fake Bloomberg news report said the company had received an offer to be acquired for US$31 billion.The story appeared convincing, with a Bloomberg Business logo, but Bloomberg quickly tweeted that it was fake. There were some telltale signs it wasn’t authentic: the URL was businessweek.market rather than businessweek.com, and CEO Dick Costolo’s name was misspelled.That didn’t stop Twitter investors from reacting. The company’s shares on the New York Stock Exchange spiked briefly just before noon Eastern Time, surging about 10 percent from Monday’s close to more than $38 before settling back down as news spread that the report was fake.To read this article in full or to leave a comment, please click here

Extracting Traffic from Rolling Capture Files

Every so often I need to extract a subset of traffic from a set of rolling timestamped pcap files. One common place I do this is with Security Onion; one of the great features of SO is its full-packet-capture feature: you can easily pivot from Snort, Suricata, or Bro logs to a full packet capture view, or download the associated pcap file.

But what if you don't have an associated alert or Bro log entry? Or if you're doing pcap on some system that's not as user-friendly as Security Onion, but nonetheless supports rolling captures?

The way I usually do this is with find and xargs. Here's an example of my most common workflow, using timestamps as the filtering criteria for find:

> find . -newerct "16:07" ! -newerct "16:10" | xargs -I {} tcpdump -r {} -w /tmp/{} host 8.8.8.8
> cd /tmp
> mergecap -w merged.pcap *.pcap

Translated:
  1. Find all files in the current directory created after 16:07 but not created after 16:10. This requires GNU find 4.3.3 or later. It supports many different time and date formats.
  2. Using xargs, filter each file with the "host 8.8.8. Continue reading

Extracting Traffic from Rolling Capture Files

Every so often I need to extract a subset of traffic from a set of rolling timestamped pcap files. One common place I do this is with Security Onion; one of the great features of SO is its full-packet-capture feature: you can easily pivot from Snort, Suricata, or Bro logs to a full packet capture view, or download the associated pcap file.

But what if you don't have an associated alert or Bro log entry? Or if you're doing pcap on some system that's not as user-friendly as Security Onion, but nonetheless supports rolling captures?

The way I usually do this is with find and xargs. Here's an example of my most common workflow, using timestamps as the filtering criteria for find:

> find . -newerct "16:07" ! -newerct "16:10" | xargs -I {} tcpdump -r {} -w /tmp/{} host 8.8.8.8
> cd /tmp
> mergecap -w merged.pcap *.pcap

Translated:
  1. Find all files in the current directory created after 16:07 but not created after 16:10. This requires GNU find 4.3.3 or later. It supports many different time and date formats.
  2. Using xargs, filter each file with the "host 8.8.8. Continue reading

Salesforce erects Shield for better enterprise-app security

Security has been an increasingly dominant theme in the enterprise software chorus in recent months, and on Tuesday Salesforce added a new voice to the mix with Shield, a set of platform services designed to help companies build secure apps.Designed as part of the Salesforce1 platform, Shield offers four security-minded components intended to make it easier for companies with regulatory, compliance or governance requirements to build cloud apps with built-in auditing, encryption, archiving and monitoring functions.A platform encryption feature, for instance, means that companies can easily designate sensitive data to be encrypted while preserving key business capabilities and workflow. A health insurance company, say, could manage personally identifiable information (PII) and protected health information (PHI) without compromising its agents’ ability to perform key functions using that data, such as searching claims, determining coverage eligibility and approving payments.To read this article in full or to leave a comment, please click here

1 3,417 3,418 3,419 3,420 3,421 3,861