Message Signatures are now part of our Verified Bots Program, simplifying bot authentication

As a site owner, how do you know which bots to allow on your site, and which you’d like to block? Existing identification methods rely on a combination of IP address range (which may be shared by other services, or change over time) and user-agent header (easily spoofable). These have limitations and deficiencies. In our last blog post, we proposed using HTTP Message Signatures: a way for developers of bots, agents, and crawlers to clearly identify themselves by cryptographically signing requests originating from their service. 

Since we published the blog post on Message Signatures and the IETF draft for Web Bot Auth in May 2025, we’ve seen significant interest around implementing and deploying Message Signatures at scale. It’s clear that well-intentioned bot owners want a clear way to identify their bots to site owners, and site owners want a clear way to identify and manage bot traffic. Both parties seem to agree that deploying cryptography for the purposes of authentication is the right solution.     

Today, we’re announcing that we’re integrating HTTP Message Signatures directly into our Verified Bots Program. This announcement has two main parts: (1) for bots, crawlers, and agents, we’re simplifying enrollment into the Verified Continue reading

IS-IS 3-Way Handshake and the Power of SHOULD

Yesterday, I mentioned that a Cisco router running pre-standard IS-IS 3-way handshake (this is why you need it) interoperates with multiple implementations of RFC 5303. How’s that possible, and does it matter whether you configure the ancient Cisco routers (release 15.x) to use IETF 3-way handshake instead of the “proprietary” one?

TL&DR: It SHOULD NOT matter, but the more I explore the RFCs, the more I’m amazed anything works at all.

I took a trip to the Wireshark land to figure out the details (you can download the capture file):

Read more …

TCG000: The Cloud Gambit Podcast Joins the Packet Pushers Network!

The Cloud Gambit is joining the Packet Pushers network! Launched in 2023 as an independent podcast, The Cloud Gambit cuts through the hype to deliver what actually matters in cloud and AI. Hosts William Collins and Eyvonne Sharp decode the strategies, technologies, and market forces reshaping enterprise infrastructure. Built for engineers who lead, leaders who... Read more »

Start netlab Tools without Changing Topology File

Dan Partelly figured out that we have to configure the standard (IETF) 3-way IS-IS handshake on old IOSv images. On the other hand, all IS-IS integration tests pass for IOSv and IOSvL2. I wondered what was going on.

Fortunately, a few months ago, I spent some time installing the client-side Edgeshark components on my laptop. All I needed to do was enable the edgeshark tool in my lab topology and restart the lab.

Read more …

🚀 A Guide for Aspiring B.Tech CS Students: Navigating Your Journey & Preparing for the Real World

👋 Introduction My daughter will be starting her B.Tech in Computer Science at MIT, Manipal this year. As a huge AI proponent, I often share the latest AI trends and tools with my family. When my daughter decided to pursue CS, she asked me several questions about AI, which inspired this blog. I hope this … Continue reading 🚀 A Guide for Aspiring B.Tech CS Students: Navigating Your Journey & Preparing for the Real World

HN787: Are We In a Post-SNMP Era?

SNMP is still widely used in today’s networks. But modern telemetry and network observability are bringing changes to network monitoring. Today’s Heavy Networking is a roundtable discussion about alternatives to SNMP and real-world use cases for those alternatives. This episode was inspired by a request from listener Nikolay. He says… While telemetry (gRPC, etc.) is... Read more »

TNO034: Doing the Work of Workflows With Greg Freeman

On today’s show we talk about NetDevOps and AI Ops with Greg Freeman, VP of Network and Customer Transformation at Lumen. Greg spearheads network automation, orchestration ,and AI strategy, guiding the highest technical tier in operations and championing NetDevOps methodologies. We talk about the people and work culture that’s influenced the development of automation and... Read more »

Celebrate Micro-Small, and Medium-sized Enterprises Day with Cloudflare

On June 27, the United Nations celebrates Micro-, Small, and Medium-sized Enterprises Day (MSME) to recognize the critical role these businesses play in the global economy and economic development. According to the World Bank and the UN, small and medium-sized businesses make up about 90 percent of all businesses, between 50-70 percent of global employment, and 50 percent of global GDP. They not only drive local and national economies, but also sustain the livelihoods of women, youth, and other groups in vulnerable situations. 

As part of MSME Day, we wanted to highlight some of the amazing startups and small businesses that are using Cloudflare to not only secure and improve their websites, but also build, scale, and deploy new serverless applications (and businesses) directly on Cloudflare's global network. 

A startup for startups

Cloudflare started as an idea to provide better security and performance tools for everyone. Back in 2010, if you were a large enterprise and wanted better performance and security for your website, you could buy an expensive piece of on-premise hardware or contract with a large, global Content Delivery Network (CDN) provider. Those same types of services were not only unaffordable for most website owners Continue reading

Russian Internet users are unable to access the open Internet

Since June 9, 2025, Internet users located in Russia and connecting to web services protected by Cloudflare have been throttled by Russian Internet Service Providers (ISPs).

As the throttling is being applied by local ISPs, the action is outside of Cloudflare’s control and we are unable, at this time, to restore reliable, high performance access to Cloudflare products and protected websites for Russian users in a lawful manner. 

Internal data analysis suggests that the throttling allows Internet users to load only the first 16 KB of any web asset, rendering most web navigation impossible.

Cloudflare has not received any formal outreach or communication from Russian government entities about the motivation for such an action. Unfortunately, the actions are consistent with longstanding Russian efforts to isolate the Internet within its borders and reduce reliance on Western technology by replacing it with domestic alternatives. Indeed, Russian President Vladimir Putin recently publicly threatened to throttle US tech companies operating inside Russia. 

External reports corroborate our analysis, and further suggest that a number of other service providers are also affected by throttling or other disruptive actions in Russia, including at least Hetzner, DigitalOcean, and OVH.

The impact

Cloudflare is seeing disruptions across Continue reading

N4N032: OSPF Basics

By popular request (and now that we have some other background topics covered) we start our series on the Open Shortest Path First (OSPF) routing protocol. We kick off the series with OSPF basics including Link State Advertisements, Link State Database, and other related essentials. We’ll explore additional OSPF topics over subsequent episodes. This week’s... Read more »

Hedge 272: Are we addicted to the CLI?

Is the CLI the best way to configure, manage, and troubleshoot routers and other networking gear? Or should we move past the CLI towards automation and (possibly even) GUI-based tools? Mark Posser joins Russ and Tom to discuss on this episode of the Hedge.
 

 
download
 
For more reading on this topic, please check out this post by Chris Grundemann.

Orange Me2eets: We made an end-to-end encrypted video calling app and it was easy

Developing a new video conferencing application often begins with a peer-to-peer setup using WebRTC, facilitating direct data exchange between clients. While effective for small demonstrations, this method encounters scalability hurdles with increased participants. The data transmission load for each client escalates significantly in proportion to the number of users, as each client is required to send data to every other client except themselves (n-1).

In the scaling of video conferencing applications, Selective Forwarding Units (SFUs) are essential.  Essentially a media stream routing hub, an SFU receives media and data flows from participants and intelligently determines which streams to forward. By strategically distributing media based on network conditions and participant needs, this mechanism minimizes bandwidth usage and greatly enhances scalability. Nearly every video conferencing application today uses SFUs.

In 2024, we announced Cloudflare Realtime (then called Cloudflare Calls), our suite of WebRTC products, and we also released Orange Meets, an open source video chat application built on top of our SFU.

We also realized that use of an SFU often comes with a privacy cost, as there is now a centralized hub that could see and listen to all the media contents, even though its sole job is Continue reading

Worth Reading 062625


If you’ve worried that AI might take your job, deprive you of your livelihood, or maybe even replace your role in society, it probably feels good to see the latest AI tools fail spectacularly.


The Virginia Supreme Court issued a ruling against Cox Communications that should trouble anybody building a fiber network that must cross railroad tracks. The case involves a dispute brought by the Norfolk Southern Railroad that challenged a new right-of-way law related to railroads.


Julia Angwin’s opinion piece clutches at courtroom verdicts and minor regulatory wins like a child gripping a plastic sword in the middle of an actual war. Yes, there are lawsuits.


This makes a huge difference to the way ChatGPT works: it can now behave as if it has recall over prior conversations, meaning it will be continuously customized based on that previous history.


Traditionally, Cilium’s BGP implementation required users to explicitly specify peer IP addresses in BGP cluster configurations to establish BGP sessions with Top-of-Rack (ToR) switches. While this approach functions adequately in small environments, it becomes difficult to manage for large-scale deployments involving thousands of Kubernetes nodes distributed across numerous racks.

SwiNOG 40: A Day of Awesomeness

A few days ago, I attended a SwiNOG meeting for the first time and realized what a mistake I was making — I should have been there years ago.

Not only was the event impeccably organized (what else would you expect in Switzerland) and at the best event location I have ever experienced (it’s hard to beat this view), it was also full of short, interesting, up-to-the-point presentations (you can already view the slide decks, YouTube videos should be available shortly). Plus, I met so many old friends I haven’t seen in years, and people I communicated with for years but never met before.

It’s not like the organizers would need any more publicity (the event was sold out), but if you happen to be near Switzerland in time for the next meeting, make sure to be there.

Thanks again to the wonderful SwiNOG core team for a fantastic experience! I hope we’ll meet again at the next SwiNOG meeting!

Switching to eBPF One Step at a Time with Calico DNS Inline Policy

Calico Enterprise lets users write network policies using domain names instead of IP addresses. This is done by dynamically mapping domain names to IP addresses and matching the egress traffic against these IPs. We have discussed this feature in detail when we introduced the Inline mode for the eBPF data plane in Calico Enterprise 3.20 release! It addresses the latency and performance issues of the various modes used by Calico in iptables/nftables data planes. It is a shame that Calico users who are not yet ready to switch completely to eBPF would miss out on this big DNS policy improvement. Don’t worry! We found a way to port it to iptables to enhance our users’ experience without forcing users to make a huge leap.

In Calico Enterprise v3.21, we have extended the Inline DNS policy mode to iptables. In this mode, DNS policies are updated in real time as DNS responses are parsed by eBPF within the data plane, thus improving the performance.

Calico iptables – DNS Inline policy

In all the existing modes in the iptables data plane, the DNS response packets are sent to Felix – Calico’s userspace agent. It parses the packets and updates the Continue reading

1 44 45 46 47 48 3,841