Kyoto Tycoon Secure Replication

Kyoto Tycoon is a distributed key-value store written by FAL Labs, and it is used extensively at CloudFlare. Like many popular key-value stores, Kyoto Tycoon uses timestamp-based replication to ensure eventual consistency and guarantee ordering. Kyoto Tycoon is an open source project, and in the spirit of the holidays, we’re contributing our internal changes back to the open source project.

_{CC BY-ND 2.0 image by Moyan Brenn}

CloudFlare uses Kyoto Tycoon to replicate data from a Postgres Database to our 30 data centers around the world. In practice, it takes around 3 seconds for full propagation in normal conditions. This is our pipeline for distributing sensitive data like our session ticket keys and DNS data to the CloudFlare edge.

Protecting data in transit

If the Internet is not a dangerous place, it at least has dangerous neighborhoods. To move from one datacenter to another, data has to pass through the public Internet. Data could end up going though some network with a wire-tap in place, or through a network with an unscrupulous network operator.

Datacenter-to-datacenter encryption has been brought into the international spotlight since the surveillance revelations. One of the leaked slides contained the expression “SSL added Continue reading

Fabric visibility with Cumulus Linux

A leaf and spine fabric is challenging to monitor. The fabric spreads traffic across all the switches and links in order to maximize bandwidth. Unlike traditional hierarchical network designs, where a small number of links can be monitored to provide visibility, a leaf and spine network has no special links or switches where running CLI commands or attaching a probe would provide visibility. Even if it were possible to attach probes, the effective bandwidth of a leaf and spine network can be as high as a Petabit/second, well beyond the capabilities of current generation monitoring tools.

The 2 minute video provides an overview of some of the performance challenges with leaf and spine fabrics and demonstrates Fabric View - a monitoring solution that leverages industry standard sFlow instrumentation in commodity data center switches to provide real-time visibility into fabric performance.

Fabric View is free to try, just register at http://www.myinmon.com/ and request an evaluation. The software requires an accurate network topology in order to characterize performance and this article will describe how to obtain the topology from a Cumulus Networks fabric.

Complex Topology and Wiring Validation in Data Centers describes how Cumulus Networks' prescriptive topology manager (PTM) provides Continue reading

SDN in 2014: A year of non-stop action

The past year was a frantic one in the SDN industry as many players made strategic and tactical moves to either get out ahead of the curve on software-defined networking, or try to offset its momentum. Here’s a rundown of what transpired in 2014 as a place setter for the year ahead in SDN. + ALSO ON NETWORK WORLD See a list of all our 2014 wrap ups + December Juniper unveils a version of its Junos operating system for Open Compute Platform switches, commencing a disaggregation strategy that’s expected to be followed by at least a handful of other major data center switching players in an effort to appeal to white box customers.To read this article in full or to leave a comment, please click here

Automation Isn’t Just About Speed

In talking with folks about automation, the conversation almost always come around to “speed, speed, speed”. It’s easy to see why this is the first benefit that pops into mind – we’ve all spent gratuitous amounts of time doing repetitive, time-consuming tasks. It’s obvious why the prospect of automating these tasks and getting the time back is such an attractive one, even though most of us that have tried know that this is an absolute reality:

All kidding (but some…..seriousing?) aside, is speed the only benefit? In the realm of IT infrastructure, should we pursue automation only when this other piece of brilliance tells us it’s worth it?

Consider a small deployment of a few switches, a router, maybe some servers. Using manual methods to configure the relatively small amount of infrastructure isn’t really sexy, but it’s also not a huge time suck either. There’s just not a lot of infrastructure in these small deployments, and manual configuration doesn’t really impact the rate of change.

As a result, when discussing automation concepts with small, and even medium-size shops, I’m usually met with understandable skepticism. There’s a huge part of IT industry that assumes that all of our Continue reading

Check your Control Plane

Here it's a short post to explain how you can monitor the control plane activity with ddos-protection's statistics and a simple op-script. ddos-protection is a default feature only available on MPC cards which allows to secure the linecard's CPU and the...

Check your Control Plane

Automation Isn’t Just About Speed

In talking with folks about automation, the conversation almost always come around to “speed, speed, speed”. It’s easy to see why this is the first benefit that pops into mind - we’ve all spent gratuitous amounts of time doing repetitive, time-consuming tasks. It’s obvious why the prospect of automating these tasks and getting the time back is such an attractive one, even though most of us that have tried know that this is an absolute reality:

Automation Isn’t Just About Speed

Making the Most of Wi-Fi Calling

I n the time since Apple’s revelation that iOS 8 would support a form of Wi-Fi calling, the industry has seen a barrage of announcements, even TV commercials, around Wi-Fi calling. Come to find out that many of them are...

Ask a nerd

One should probably consult a lawyer on legal questions. Likewise, lawyers should probably consult nerds on technical questions. I point this out because of this crappy Lawfare post. It's on the right side of the debate (FBI's evidence pointing to North Korea is bad), but it's still crap.

For example, it says: "One hears a lot in cybersecurity circles that the government has “solved” the attribution problem". That's not true, you hear the opposite among cybersecurity experts. I suspect he gets this wrong because he's not talking about technical experts, but government circles. What government types in Washington D.C. say about cybersecurity is wholly divorced from reality -- you really ought to consult technical people.

He then says: "it is at least possible that some other nation is spoofing a North Korean attack". This is moronic, accepting most of the FBI's premise that a nation state sponsored the attack, and that we are only looking for which nation state this might be. In reality, the Sony hack is well within the capabilities of teenagers. The evidence is solid that Sony had essentially no internal security -- it required no special sophistication by the hacker. Anybody Continue reading

Facebook’s AIs want you to stop you making a fool of yourself

I’ve always found the tendency of Facebook users to over-share a little strange. You see people exposing their lives in ways that are occasionally charming, often inexplicable, and frequently downright ridiculous or ill-advised (or often both of the latter at the same time).

drunk kids — Probably shouldn't be posted on Facebook.

In the latter category are the posts of people who are obviously in advanced states of inebriation doing things that don’t require a caption to reveal that they are being idiots. These kind of posts are the sort of thing that, once sober, will be regretted and will never, ever disappear becoming fodder for the poster’s mother’s disapproval and unwanted attention from employers both current and future.

To read this article in full or to leave a comment, please click here

My Podcasts

Since taking a new role at Cisco, my drive time is less consistent. As a result, finding opportunities to listen to podcasts is more of a challenge. Earlier this week, a road trip I took provided some time to start getting caught up on my listening. Using iCatcher allows me to easily tweet what I’m listening too. As a result of sharing what I listened to, I received some requests regarding the podcasts I listen to. I wanted to share this ever changing list with the PacketU community.

Technology Podcasts

Cisco Champion Radio
Cisco TAC Security Podcast Series
No Strings Attached Show
Packet Pushers Podcast
Risky Business
Software Gone Wild by ipSpace.net
The Class-C Block
The IPv6 Show
The Southern Fried Security Podcast
VUPaaS – Virtualization as a Service

Business and Leadership

Freakonomics Radio
Home Work
The EntreLeadership Podcast

Also beyond the technology focus of this audience, I often listen to Cold Case Christianity–a Christian Apologetics podcast and Focus on the Family–a faith based podcast focused on strengthening families.

I’m always looking for new sources for good information. If you have podcasts that you enjoy listening to, please share them by sending them to @packetu or commenting below.

Disclaimer: This Continue reading

iPexpert’s Newest “CCIE Wall of Fame” Additions 12/19/2014

Please Join us in congratulating the following iPexpert clients who have passed their CCIE lab!

Mark Walbank, CCIE #45915 (Data Center)
David Vernum , CCIE #45880 (Data Center)
Wilson Huang, CCIE #46040 (Wireless)

We Want to Hear From You!

Have you passed your CCIE lab exam using any iPexpert or Proctor Labs self-study products, or attended our CCIE Bootcamps? If so, we’d like to add you to our CCIE Wall of Fame!

Sony hack was the work of SPECTRE

The problem with hacking is that people try to understand it through analogies with things they understand. They try to fit new information into old stories/tropes they are familiar with. This doesn't work -- hacking needs to be understood in its own terms.

But since you persist in doing it this way, let me use the trope of SPECTRE to explain the Sony hack. This is the evil criminal/terrosist organization in the James Bond films that is independent of all governments. Let's imagine that it's SPECTRE who is responsible for the Sony hack, and how that fits within the available evidence.

This trope adequately explains the FBI "evidence" pointing to North Korea. SPECTRE has done work for North Korea, selling them weapons, laundering their money, and conducting hacking for them. While North Korea is one of their many customers, they aren't controlled by North Korea.

The FBI evidence also points to Iran, with the Sony malware similar to that used in the massive Saudi Aramco hack. That would make sense, since an evil organization like SPECTRE does business with all the evil countries. Conversely, the Iranian connection doesn't make sense if the Sony hack were purely the work of the Continue reading

The FBI’s North Korea evidence is nonsense

The FBI has posted a press release describing why they think it's North Korea. While there may be more things we don't know, on its face it's complete nonsense. It sounds like they've decided on a conclusion and are trying to make the evidence fit. They don't use straight forward language, but confusing weasel words, like saying "North Korea actors" instead of simply "North Korea". They don't give details.

The reason it's nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop it's own malware from scratch.

Here's the thing with computer evidence: you don't need to keep it secret. It wouldn't harm Sony and wouldn't harm the investigation. It would help anti-virus and security vendors develop signatures to stop it. It would crowd source analysis, to see who it really points to. We don't need to take the FBI's word for it, we should be able to see the evidence ourselves. In other words, instead of saying "IP addresses associated with North Korea", then can tell us what those IP addresses are, like "203.131.222.102".

But Continue reading

Is Juniper About To Kill Their Entire Security Line? It Seems Not.

This is a quick follow up to a post I made a bit ago about rumored changes to Juniper’s security portfolio. I left that article with one big question in my mind. Is Juniper on the verge of shuttering their entire security portfolio, including the SRX firewall platform and Firefly Perimeter (vSRX)? The answer […]

GigaOm: NASA Uses Ansible to launch web infrastructure into the cloud

GigaOm published a great article on how NASA launches their web infrastructure into the cloud today. The article features our own Jonathan Davila.

To help with the nitty gritty details of transferring those applications to AWS and setting up new servers, NASA used the Ansible configuration-management tool, said Davila. When InfoZen came, the apps were stored in a co-located data center where they weren’t being managed well, he explained, and many server operating systems weren’t being updated, leaving them vulnerable to security threats.

Without the configuration-management tool, Davila said that it would “probably take us a few days to patch every server in the environment” using shell scripts. Now, the team can “can patch all Linux servers in, like, 15 minutes.”

Read the full article on GigaOm.

Read our case study on How NASA Uses Ansible Tower.

Policy-based Tunnel Selection (PBTS) on Cisco IOS-XR

Recently, I had to look after PBTS on Cisco ASR9K platform and faced some issues, here are some results about my tests. PBTS has the same goal as CBTS on Cisco IOS (Class-Based Tunnel selection) but for Cisco IOS-XR. It provides a tool to direct traffic into specific RSVP-TE tunnels (in the future Segment-Routing tunnels) […]

Author information

Youssef El Fathi

Youssef is a network engineer working for a french service provider. He is also a dual CCIE (RS, SP). You can find him on Twitter.

The post Policy-based Tunnel Selection (PBTS) on Cisco IOS-XR appeared first on Packet Pushers Podcast and was written by Youssef El Fathi.

PlexxiPulse—Networking For Agile Datacenters, Distributed Cloud Environments and Big Data Applications

This week, we announced new product starter kits that will make it easier for companies to adopt software-defined networking in a way that fits their unique networking environments. The kits are designed for three distinct uses — agile datacenters, distributed cloud environments and Big Data applications — avoiding the “one-size-fits-all” starter kit approach of some other vendors. Visit our product page to learn more. Below are our top picks for networking stories this week.

In this week’s PlexxiTube of the week, Dan Backman discusses the benefits of Plexxi’s Big Data fabric beyond Hadoop applications.

eWEEK: Plexxi Launches SDN Starter Kits for Cloud, Big Data
By Jeff Burt
Plexxi officials want to make it easier for organizations to adopt software-defined networking. Plexxi, a startup in the increasingly crowded software-defined networking (SDN) space, is unveiling three starter kits aimed at agile data centers, cloud environments and big data applications. Company officials said the goal of the starter kits is to give businesses and service providers the tools they need to deploy SDN infrastructures that are tailored to their particular workloads, avoiding what they said is a more one-size-fits-all approach that other vendors are taking.

TechTarget: Networking pros describe their 2015 SDN projects
Continue reading

Juniper OCX – Welcome to the Revolution

Early December 2014, Juniper announced their OCX products that are focused on open, disaggregated networking systems. As one of the instigators of the revolution, it will be intriguing to see which side Juniper is really on.

While competing with Juniper will be interesting, we’re happy to see them recognize the customer drive towards Open Networking. Juniper indicates that they are joining the ranks of start-ups like Cumulus Networks and industry leaders such as Dell in this inevitable industry transition… avoiding the “head in the sand” perspective maintained by some other networking vendors.

There were four main sources of information as part of the announcement.

Initial reading shows us a focus very aligned with Open Networking. They say things like…

Juniper announced the OCX1100 that combines … Junos® operating system with Open Compute Project (OCP) enabled hardware

Let me say that again: Customers will have the ability to remove Junos and deploy another vendor’s operating system

To some not familiar with Juniper, news that we are embracing an open hardware design might sound counterintuitive in that anything “open” is not aligned with our strategy. On the contrary, Juniper has always embraced open architectures and open Continue reading

« Previous 1 … 3,500 3,501 3,502 3,503 3,504 … 3,681 Next »