A story about AF_XDP, network namespaces and a cookie


A crash in a development version of flowtrackd (the daemon that powers our Advanced TCP Protection) highlighted that libxdp (specifically its AF_XDP part) was not Linux network namespace aware.

This blog post describes the debugging journey to find the bug, as well as the fix.

flowtrackd is a volumetric denial of service defense mechanism that sits in the Magic Transit customer’s data path and protects the network from complex randomized TCP floods. It does so by challenging TCP connection establishments and by verifying that TCP packets make sense in an ongoing flow.

It uses the Linux kernel AF_XDP feature to transfer packets from a network device in kernel space to a memory buffer in user space without going through the network stack. We use most of the AF_XDP helper functions of the C libbpf library, through Rust bindings, to interact with AF_XDP.

In our setup, the ingress and egress network interfaces are in different network namespaces. When a packet is determined to be valid (after a challenge, or while under some thresholds), it is forwarded to the second network interface.

For the rest of this post the network setup will be the following:

(network setup diagram; visible label: e.g. eyeball packets) Continue reading

Nvidia launches quantum computing platform

Nvidia, the darling of high performance computing (HPC), is bringing new attention to quantum computing. The company has launched its Nvidia Quantum Optimized Device Architecture, or QODA. This hybrid platform is designed to make quantum computing more accessible by enabling programming of both quantum applications and classical applications in a single, consolidated environment. According to Nvidia, it's aimed at speeding breakthroughs in quantum research and development across AI, HPC, health, finance and other disciplines.To read this article in full, please click here


Automation 15. The Good, The Bad and the Ugly of Model-Driven Network Automation Featuring Cisco, Nokia, and OpenConfig YANG

Hello my friend,

All of us (definitely me, at least) are always thrilled to hear news from network vendors about their implementation of model-driven interfaces for network management. Having spent years automating network devices in a text-based paradigm (i.e., from CLI-based automation to fully fledged configuration rendering with replacement), I'm a firm believer that the model-driven approach, based on YANG modules and protocols such as gNMI, NETCONF and RESTCONF, is the proper way to go. Recently we disclosed the development we are doing on network topology visualization with DANT. Today we'd like to share lessons learned from that experience.

We planned to write this blog post for a few weeks, if not months, but for various reasons it was delayed. We are delighted to finally post it, so that you can get some useful ideas on how to build your own CI/CD pipeline with GitHub, probably the most popular platform for collaborative software development.

No part of this blog post could be reproduced, stored in a
retrieval system, or transmitted in any form or by any
means, electronic, mechanical or photocopying, recording,
or otherwise, for commercial purposes without the
prior permission Continue reading

Configuring BGP and open-source FRR docker on AWS — Advanced Networking

MEDIUM: <https://raaki-88.medium.com/configuring-bgp-and-open-source-frr-docker-on-aws-advanced-networking-d21fd0d76b33>

What is FRR?
a. License-based AWS internal routing platform
b. Only supports static routing and IPsec VPN
c. Open-source internet routing protocol suite for *nix platforms
d. Supports BGP along with the IS-IS and OSPF routing protocols

The answer is at the end of the post; feel free to skip it. I just did not want to put a spoiler right below the question.

Before I write anything on implementation, I can vouch for FRR's stability. It's an open-source internet routing protocol suite used by many organisations on bare-metal and cloud instances alike; it's very stable and

https://frrouting.org/

Simply put, FRR can turn your bare-metal or cloud instance into a routing platform that connects various networks together. We explore this because the setup builds on other posts about how AWS interacts with routing platforms hosted on-premises, and to show what is possible if someone is considering FRR as an alternative.

The setup is extremely simple, but there is one caveat that took me almost a day to figure out, and in the end it was the answer to a known problem. FRR builds on Quagga, which provided Continue reading

Traffic Mirroring- Interesting one — AWS Advanced Networking

MEDIUM: <https://raaki-88.medium.com/traffic-mirroring-interesting-one-aws-advanced-networking-a7e41027c75>

What is Traffic Mirroring?
a. Used for content inspection, threat monitoring, troubleshooting
b. Can only be implemented with a load balancer
c. Needs Elastic Fabric Adapter
d. Flow logs capture mirrored traffic

The answer is at the end of the post; feel free to skip it. I just did not want to put a spoiler right below the question.

Traffic Mirroring is an awesome concept that can now be implemented in an AWS VPC. You can mirror traffic and send the packets to an EC2 instance or to specific appliances for further processing.

  • Used for content inspection, threat monitoring and troubleshooting.
  • An interesting aspect is the packet format: when a packet gets mirrored it is VXLAN encapsulated, so the end host or appliance must be able to decapsulate the VXLAN header (we will see a PCAP).
    [https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-packet-formats.html]
  • Two encapsulations: outer GENEVE (from the load balancer, if one is used) and inner VXLAN.
  • Source (what should be monitored: a network interface).
  • Target (destination of the mirrored traffic).
  • Filter (what traffic types should be Continue reading
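Decapsulating a mirrored packet, as an added example that is not part of the original post: a pure-Python parser that strips the VXLAN header (UDP port 4789) and, when a load balancer has wrapped the mirror packet in an outer Geneve layer (UDP port 6081), peels that layer first. The sample packets, addresses, VNIs and ports are constructed inline for the demo, not captured from AWS; the parser assumes untagged IPv4 outer headers and does not verify checksums.

```python
from __future__ import annotations
import struct

VXLAN_PORT = 4789             # UDP port for VXLAN (RFC 7348)
GENEVE_PORT = 6081            # UDP port for Geneve (RFC 8926)
ETH_IPV4 = 0x0800
ETH_TRANS_BRIDGING = 0x6558   # Geneve protocol type for an Ethernet payload
IPPROTO_UDP = 17


def _strip_ethernet(frame: bytes) -> bytes:
    """Return the payload of an untagged Ethernet II frame whose EtherType is IPv4."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        raise ValueError("outer frame is not untagged IPv4 over Ethernet")
    return frame[14:]


def _udp_payload(ip: bytes) -> tuple[int, bytes]:
    """Return (UDP destination port, UDP payload) from a raw IPv4 packet."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP or total_len > len(ip):
        raise ValueError("outer packet is not a complete UDP datagram")
    udp = ip[ihl:total_len]
    _sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return dport, udp[8:ulen]


def parse_vxlan(payload: bytes) -> tuple[int, bytes]:
    """VXLAN header: flags(1) reserved(3) VNI(3) reserved(1); the I flag (0x08) must be set."""
    if len(payload) < 8 or not payload[0] & 0x08:
        raise ValueError("invalid VXLAN header")
    return int.from_bytes(payload[4:7], "big"), payload[8:]


def parse_geneve(payload: bytes) -> tuple[int, int, bytes]:
    """Geneve header: ver/optlen(1) flags(1) protocol(2) VNI(3) reserved(1), then options."""
    if len(payload) < 8 or payload[0] >> 6 != 0:
        raise ValueError("invalid Geneve header")
    opt_len = (payload[0] & 0x3F) * 4
    proto = struct.unpack("!H", payload[2:4])[0]
    vni = int.from_bytes(payload[4:7], "big")
    return vni, proto, payload[8 + opt_len:]


def decapsulate(frame: bytes) -> tuple[list[tuple[str, int]], bytes]:
    """Peel an optional outer Geneve layer, then VXLAN; return the mirrored Ethernet frame.

    Returns ([("geneve", vni), ("vxlan", vni)] or [("vxlan", vni)], inner_frame)."""
    layers: list[tuple[str, int]] = []
    packet, is_ether = frame, True
    for _ in range(4):  # bounded loop: refuse absurdly nested input
        dport, payload = _udp_payload(_strip_ethernet(packet) if is_ether else packet)
        if dport == VXLAN_PORT:
            vni, inner = parse_vxlan(payload)
            layers.append(("vxlan", vni))
            return layers, inner
        if dport == GENEVE_PORT:
            vni, proto, packet = parse_geneve(payload)
            layers.append(("geneve", vni))
            is_ether = proto == ETH_TRANS_BRIDGING
            if not is_ether and proto != ETH_IPV4:
                raise ValueError("unsupported Geneve payload type 0x%04x" % proto)
            continue
        raise ValueError("UDP port %d is neither VXLAN nor Geneve" % dport)
    raise ValueError("encapsulation nested too deeply")


# --- constructed sample packets (built here for the demo, not captured from AWS) ---
def _ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, IPPROTO_UDP, 0, src, dst)
    return hdr + udp  # IP header checksum left at 0: this packet is never sent on a wire


def _ether(payload: bytes) -> bytes:
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + payload


MIRRORED_FRAME = _ether(_ipv4_udp(bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]), 40000, 53, b"hello"))
VXLAN_HDR = bytes([0x08, 0, 0, 0]) + (1234).to_bytes(3, "big") + b"\x00"
MIRROR_PACKET = _ether(_ipv4_udp(bytes([10, 0, 1, 10]), bytes([10, 0, 9, 9]), 50000, VXLAN_PORT,
                                 VXLAN_HDR + MIRRORED_FRAME))
GENEVE_HDR = bytes([0x00, 0x00]) + struct.pack("!H", ETH_IPV4) + (77).to_bytes(3, "big") + b"\x00"
LB_PACKET = _ether(_ipv4_udp(bytes([10, 0, 9, 1]), bytes([10, 0, 9, 2]), 6000, GENEVE_PORT,
                             GENEVE_HDR + _strip_ethernet(MIRROR_PACKET)))

if __name__ == "__main__":
    for name, pkt in (("direct", MIRROR_PACKET), ("via load balancer", LB_PACKET)):
        layers, inner = decapsulate(pkt)
        print(name, layers, "inner frame bytes:", len(inner))
```

The VNI recovered from the VXLAN header identifies which mirror session a packet belongs to, so an appliance that aggregates several sessions on one target should key on it rather than on the outer source address.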

Getting Your CIO to Say Yes to Automation: Gluware LiveStream June 28, 2022 (3/7) – Video

Network engineers need to make a business case to get an automation project off the ground, and it needs to describe the benefits and value in language that non-technical executives can understand. This video offers tips and a simple blueprint to help engineers make the case to CIOs. Host Drew Conry-Murray from the Packet Pushers […]

The post Getting Your CIO to Say Yes to Automation: Gluware LiveStream June 28, 2022 (3/7) – Video appeared first on Packet Pushers.

HTTP/3 Is Now a Standard: Why Use It and How to Get Started

I’m sure, like me, you welcomed the IETF (Internet Engineering Task Force) standard. No, of course you didn’t; the web just works, so why worry about it? But if you are vaguely intrigued about why the change is happening, here is a short breakdown of the history behind it. Then we will get into the reasons why you should adopt it for your company.

HTTP/3 is the third version of the Hypertext Transfer Protocol (HTTP) and was previously known as HTTP-over-QUIC. QUIC, the transport it runs on, was initially developed by Google; HTTP/3 is the successor of HTTP/2. Companies such as Google and Facebook already use QUIC to speed up the web.

A Very Short History of HTTP

Back in the day, there were two internet protocols that you could choose to work with. Even before the web, we still had to squirt packets of information (or datagrams) from one machine to another across the internet. For a games developer, the important protocol was UDP (User Datagram Protocol). This was the quick, fire-and-forget standard: you threw a packet across the network Continue reading

Google Follows Suit With Microsoft On Ampere Arm Instances

A long time ago, when we first started The Next Platform, Urs Hölzle, then senior vice president of the Technical Infrastructure team at Google, told us that to gain a 20 percent improvement in price/performance it would absolutely change from the X86 architecture to Power architecture – or indeed any other architecture – and even for one generation of machines.

Google Follows Suit With Microsoft On Ampere Arm Instances was written by Timothy Prickett Morgan at The Next Platform.

The Best Outcome Of Automation? Visibility

This post originally appeared on the Packet Pushers’ now-defunct Ignition site on October 28, 2019.   I was recently asked a question about the best business outcome of automation. My immediate thought was improved speed of operations by mechanizing operational tasks, like automated software upgrades, creating VLANs, updating ACLs or routing, and so forth. This […]

The post The Best Outcome Of Automation? Visibility appeared first on Packet Pushers.

Friday Mobility Field Day Thoughts

I’m finishing up Mobility Field Day 7 this week and there’s been some exciting discussion here around a lot of technology. I think my favorite, and something I’m going to talk about more, is the continuing battle between 5G and Wi-Fi. However, there’s a lot going on that I figured I’d bring up to whet your appetite for the videos.

  • What is mission critical? When you think about all the devices that are in your organization that absolutely must work every time what does that look like? And what are you prepared to do to make them work every time? If it’s a safety switch or some other kind of thing that prevents loss of life are you prepared to spend huge amounts of money to make it never fail?
  • Operations teams don’t need easier systems. They need systems that remove complexity. The difference in those two things is subtle but important. Easier means that things are simplified to the point of almost being unusable. Think Apple Airport or even some Meraki devices. Whereas reduced complexity means that you’ve made the up front configuration easy but enabled the ability to configure other features in different places. Maybe that’s by giving Continue reading

Advizex: Automating Security Audits & Remediation with Gluware: LiveStream June 28, 2022 (2/7) – Video

Advizex, a reseller and Gluware customer, discusses how it uses Gluware for security audits and remediation with its clients. This includes network and device discovery, addressing configuration drift, and managing multiple vendors using the Gluware platform. Packet Pushers host Greg Ferro is joined by Michael Burns, Network Architect at Advizex to discuss real-world use cases. […]

The post Advizex: Automating Security Audits & Remediation with Gluware: LiveStream June 28, 2022 (2/7) – Video appeared first on Packet Pushers.

Ansible For Network Automation Lesson 6: Ansible Vault And Loops – Video

In this lesson on using Ansible for network automation, Josh VanDeraa looks at how to get started with Ansible Vault, re-using tasks in multiple playbooks with include_tasks, and leveraging loops in your playbooks. Josh has created a GitHub repo to store additional material, including links and documentation: https://github.com/jvanderaa/AnsibleForNetworkAutomation You can subscribe to the Packet Pushers’ […]

The post Ansible For Network Automation Lesson 6: Ansible Vault And Loops – Video appeared first on Packet Pushers.

Heavy Networking 638: Don’t Block DNS Over TCP

DNS is our subject on today's Heavy Networking. More specifically, DNS transport over TCP. We talk with John Kristoff, one of the forces behind RFC9210, which covers the operational requirements for DNS transport over TCP. This is not an esoteric document covering a tiny, nuanced DNS use case. Instead this doc will likely affect most of you listening, whether you’re a network operator or a name server operator. We talk with John about the implications of this RFC.


The post Heavy Networking 638: Don’t Block DNS Over TCP appeared first on Packet Pushers.
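What "DNS over TCP" means on the wire, as an added example that is not from the podcast or from RFC 9210 itself: a resolver that gets a UDP reply with the TC (truncation) bit set has to retry the same query over TCP, where each message is prefixed with a two-byte length (RFC 1035 section 4.2.2) and several responses may share one connection. Blocking 53/tcp leaves such a client with no way to obtain the full answer. The query and the truncated reply are constructed inline; the transaction ID and name are invented for the demo.

```python
from __future__ import annotations
import struct

FLAG_QR = 0x8000
FLAG_TC = 0x0200  # TrunCation: the UDP answer did not fit, retry over TCP
FLAG_RD = 0x0100
FLAG_RA = 0x0080
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """A minimal recursive query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def is_truncated(msg: bytes) -> bool:
    """True when the responder set TC, i.e. the UDP reply is incomplete."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 s4.2.2 framing: two-byte big-endian length, then the message."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for the 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(data: bytes) -> tuple[list[bytes], bytes]:
    """Split a TCP byte stream into complete DNS messages; return leftover bytes too.

    Several responses may share one connection (pipelining), so a reader must
    loop on the length prefix rather than assume one message per read()."""
    msgs, off = [], 0
    while off + 2 <= len(data):
        (n,) = struct.unpack("!H", data[off:off + 2])
        if off + 2 + n > len(data):
            break  # partial message: wait for more bytes
        msgs.append(data[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, data[off:]


def next_step(query: bytes, udp_response: bytes) -> tuple[str, bytes]:
    """Decide the resolver's next move after a UDP answer comes back.

    Returns ("tcp", framed_query) when the reply was truncated, otherwise
    ("udp", response). The TCP retry is the only path to the full answer."""
    if is_truncated(udp_response):
        return "tcp", frame_for_tcp(query)
    return "udp", udp_response


# Constructed sample: a truncated UDP reply to the query below (QR, TC, RD, RA set,
# question echoed back, no answer records). Not captured from a real resolver.
QUERY = build_query("example.com")
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
                   + QUERY[12:])

if __name__ == "__main__":
    transport, payload = next_step(QUERY, TRUNCATED_REPLY)
    print(transport, payload.hex())
```

To check a path end to end, compare a large answer fetched with `dig +tcp` against the same query over UDP; if the TCP attempt times out while UDP returns a TC reply, something between the client and the server is dropping 53/tcp.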

Mobile Edge Computing: Lightning Speed from Factory to Personal Devices

It seems like we’ve been hearing about 5G for years now, and how when it’s here, it will revolutionize connectivity as we know it. Well, 5G is here, but beyond faster or more reliable cell service, few companies have begun to tap into the potential 5G holds for both business-to-business and business-to-consumer innovation. In fact, this potential extends beyond the telecommunications industry into nearly all sectors that rely on connectivity, like the manufacturing, automotive and even agricultural industries, among others. By using the power of 5G networks and pairing that with intelligent software, enterprises can embrace the next generation of industry by launching IoT solutions and enabling enhanced data collection at the edge. This article will explore key questions around the slow move toward 5G innovation and how mobile edge computing can accelerate the push to near-instantaneous network connectivity.

Steve Dalby: Steve is a director in the MongoDB Industry Solutions team, where he focuses on how MongoDB technology can be leveraged to solve challenges faced by organizations working in the telecommunications industry. Prior to this role, Steve held numerous leadership roles with MongoDB’s professional services team in EMEA.

What’s Standing in the Way of Innovation?

When COVID-19 hit, numerous companies Continue reading

Setting Up Public-Private Keys For SSH Authentication

This post originally appeared on the Packet Pushers’ Ignition site on February 18, 2020.   The more pedantic in the tech community argue about the merits of public-private key authentication vs. simple password authentication when logging into an SSH host. I have no strong opinion regarding your security posture when using one vs. the other. […]

The post Setting Up Public-Private Keys For SSH Authentication appeared first on Packet Pushers.

Working in public — our docs-as-code approach


Docs-as-code is an approach to writing and publishing documentation with the same tools and processes developers use to create code. This philosophy has become more popular in recent years, especially in tech companies. Automatic link checking is part of this process; it ensures that writers' changes are sound and safe to deploy. By setting the stage with a docs-as-code approach, technical writers can focus on what they do best: ensuring that our readers get useful and accurate information that is easy to find, and that our documentation speaks a single language.

Besides following a docs-as-code approach, at Cloudflare we handle our documentation changes in public, in our cloudflare-docs GitHub repository. Having our documentation open to external contributions has helped us improve our documentation over time — our community is great at finding issues! While we need to review these contributions and ensure that they fit our style guide and content strategy, the contributions provided by the Cloudflare community have been instrumental in making our documentation better every day. While Cloudflare helps build a better Internet, our community helps build better documentation.

Docs-as-code at Cloudflare

At Cloudflare, we follow a docs-as-code approach to create and publish product documentation in Developer Docs.

Such Continue reading

Are you doing enough to secure your network infrastructure?

It’s time to take a hard look at whether you’re devoting enough resources to securing your network infrastructure. Short answer: you’re probably not. If you work for a hyperscaler, your organization is probably doing everything it can to secure the network. For almost everyone else, it is pretty safe to assume that the answer is no. This is not necessarily a blameworthy failing. In many cases it comes down to available resources and perceived risk: given too little money for cybersecurity and too little time from too few people to tackle all possible risks in the network, what should network cybersecurity staff focus on? They tend to focus less on the inward-facing aspects of their networks and more on the explicitly outward-facing pieces. To read this article in full, please click here