Intel Datacenter Chief Departs To Run Nokia – Now What?
After only a little more than a year of running Intel’s Data Center and AI group – which is probably about as much fun right now as falling down the stairs – Justin Hotard has departed the chip maker to become the next chief executive officer of Nokia, which interestingly enough has a renewed interest in building cloud networks and making money at that. …
Intel Datacenter Chief Departs To Run Nokia – Now What? was written by Timothy Prickett Morgan at The Next Platform.
Tech Bytes: When the Internet Is Your Network, Catchpoint IPM Provides Critical Visibility (Sponsored)
Today on the Tech Bytes podcast we dive into Digital Experience Monitoring and Internet Performance Monitoring with sponsor Catchpoint. As more users rely on SaaS and cloud for applications, the Internet has essentially become a business-critical network. But how can you, a network engineer, be expected to manage the Internet? Enter Internet Performance Monitoring, or... Read more »QUIC action: patching a broadcast address amplification vulnerability
Cloudflare was recently contacted by a group of anonymous security researchers who discovered a broadcast amplification vulnerability through their QUIC Internet measurement research. Our team collaborated with these researchers through our Public Bug Bounty program, and worked to fully patch a dangerous vulnerability that affected our infrastructure.
Since being notified about the vulnerability, we've implemented a mitigation to help secure our infrastructure. According to our analysis, we have fully patched this vulnerability and the amplification vector no longer exists.
QUIC is an Internet transport protocol that is encrypted by default. It offers equivalent features to TCP (Transmission Control Protocol) and TLS (Transport Layer Security), while using a shorter handshake sequence that helps reduce connection establishment times. QUIC runs over UDP (User Datagram Protocol).
The researchers found that a single client QUIC Initial packet targeting a broadcast IP destination address could trigger a large response of initial packets. This manifested as both a server CPU amplification attack and a reflection amplification attack.
When using TCP and TLS there are two handshake interactions. First, is the TCP 3-way transport handshake. A client sends a SYN packet to a server, it responds with Continue reading
BGP Routing Information Base (RIB) Deep Dive
The post BGP Routing Information Base (RIB) Deep Dive appeared first on Noction.
Combining URL Categories on Palo Alto
We know that in Palo Alto, or in any NGFW, we can allow or block various URL categories. Speaking specifically about the Palo Alto firewall, let's say you have a strict URL filtering policy and decide to block the 'Shareware and Freeware' category.
When you do this, you'll likely have frustrated users complaining that they can't access sites like GitHub, for example.
But, What Did I Do?
So, what did I do now to cause another network issue? Well, Palo Alto categorizes github.com as 'Shareware and Freeware', so the firewall simply blocks it. There’s a high chance that many other useful sites will get blocked too.
A quick fix is to create a Custom URL Category and add the GitHub URL to it. However, this isn’t a scalable solution.
For instance, if I start with *.github.com, the firewall may block github.com. Then, if I add github.com, the firewall might block URLs like www.github.githubassets.com. To address this, I’d need to use a different wildcard, but we can’t keep doing this for every affected site.
Combining URL Categories
Instead of managing each URL individually like before, we Continue reading
Lab: Passive IS-IS Interfaces
The initial IS-IS labs covered the IS-IS basics. It’s time to move on to interesting IS-IS features (and why you might want to use them), starting with passive IS-IS interfaces.
BGP Zombies at NANOG 93
The internet is held together by the Border Gateway Protocol (BGP). Its a flooding protocol whose intended outcome is to ensure that every BGP speaker has the same information base as every other BGP speaker. What happens when this flooding algorithm fails? What happens if the information in a BGP speaker falls out of sync?Large Language Models (LLM) – Part 1/2: Word Embedding
Introduction
This chapter introduces the basic operations of Transformer-based Large Language Models (LLMs), focusing on fundamental concepts rather than any specific LLM, such as OpenAI’s GPT (Generative Pretrained Transformer).The chapter begins with an introduction to tokenization and word embeddings, which convert input words into a format the model can process. Next, it explains how the transformer component leverages decoder architecture for input processing and prediction.
This chapter has two main goals. First, it explains how an LLM understands the context of a word. For example, the word “clear” can be used as a verb (Please, clear the table.) or as an adjective (The sky was clear.), depending on the context. Second, it discusses why LLMs require parallelization across hundreds or even thousands of GPUs due to the large model size, massive datasets, and the computational complexity involved.
Tokenizer and Word Embedding Matrix
As a first step, we import a vocabulary into the model. The vocabulary used for training large language models (LLMs) typically consists of a mix of general and domain-specific terms, including basic vocabulary, technical terminology, academic and formal language, idiomatic expressions, cultural references, as well as synonyms and antonyms. Each word and character is Continue reading
From Python to Go 014. Templating Configuration Files.
Hello my friend,
Congratulations if you reach this blog post starting from the beginning of our series. I look in the list of topic I’m going to cover with respect Python to Go (Golang) transition and I see that I’ve already written more than 50% of blog posts; so we are over the half! Secondly, from today we start talking solely about practical network and IT infrastructure automation topics, as all the foundational things are already covered, such as data types, code flow control, reading and parsing files, using CLI arguments, exceptions handling to name a few. Today we’ll talk about how we can template text files. With respect to network and IT infrastructure automation that means we look how to prepare configuration of our network devices, Linux servers or further appliances.
Isn’t AI Going to Replace All Software Developers Anyway?
Almost daily I see in LinkedIn posts about how cool AI is in generating code. It is cool, I agree with that. And I myself use Co-pilot for my private projects for already more than a year and ChatGPT for certain things. However, my experience is that at this stage they don’t yet replace engineers Continue reading
HN767: Effective Networking on the Cheap
Unless you’re building out AI infrastructure at a hyperscaler, you probably don’t have unlimited dollars. On today’s Heavy Networking we talk with guest Frank Seesink about how to build and operate networks effectively when money’s tight. We look at free and open source tools, talk about the trade-offs that come with free software, and how... Read more »Resolving a Mutual TLS session resumption vulnerability
On January 23, 2025, Cloudflare was notified via its Bug Bounty Program of a vulnerability in Cloudflare’s Mutual TLS (mTLS) implementation.
The vulnerability affected customers who were using mTLS and involved a flaw in our session resumption handling. Cloudflare’s investigation revealed no evidence that the vulnerability was being actively exploited. And tracked as CVE-2025-23419, Cloudflare mitigated the vulnerability within 32 hours after being notified. Customers who were using Cloudflare’s API shield in conjunction with WAF custom rules that validated the issuer's Subject Key Identifier (SKI) were not vulnerable. Access policies such as identity verification, IP address restrictions, and device posture assessments were also not vulnerable.
The bug bounty report detailed that a client with a valid mTLS certificate for one Cloudflare zone could use the same certificate to resume a TLS session with another Cloudflare zone using mTLS, without having to authenticate the certificate with the second zone.
Cloudflare customers can implement mTLS through Cloudflare API Shield with Custom Firewall Rules and the Cloudflare Zero Trust product suite. Cloudflare establishes the TLS session with the client and forwards the client certificate to Cloudflare’s Firewall or Zero Trust products, where customer policies are enforced.
mTLS operates Continue reading
Amazon Will Spend Nearly A Year Of AWS Revenue On AI Investments
There is a bit of AI spending one-upmanship going on among the hyperscalers and cloud builders – and now the foundation model builders who are partnering with their new sugar daddies to be able to afford to build vast AI accelerator estates to push the state of the art in model capabilities and intelligence. …
Amazon Will Spend Nearly A Year Of AWS Revenue On AI Investments was written by Timothy Prickett Morgan at The Next Platform.
TNO015: Revolutionizing Telecom with NetOps Automation and Collaboration
Today’s episode with guest Joan Garcia provides valuable insights into the complexities of modern network operations at a telco, the importance of collaboration across technical domains, and the strategic decisions that drive innovation in the telecom industry. Joan’s experiences and perspectives offer ideas for navigating the challenges of integrating different layers of network architecture while... Read more »Hedge 258: pyATS and Testing Through Automation
We often think of network automation as a configuration tool, but automation can also be used for one-off, integration, and even continuous testing. Dan Wade joins Tom Ammon and Russ White to talk about pyATS and the concept of automated testing. To find out more about pyATS, check here.
Cloudflare incident on February 6, 2025
Multiple Cloudflare services, including our R2 object storage, were unavailable for 59 minutes on Thursday, February 6, 2025. This caused all operations against R2 to fail for the duration of the incident, and caused a number of other Cloudflare services that depend on R2 — including Stream, Images, Cache Reserve, Vectorize and Log Delivery — to suffer significant failures.
The incident occurred due to human error and insufficient validation safeguards during a routine abuse remediation for a report about a phishing site hosted on R2. The action taken on the complaint resulted in an advanced product disablement action on the site that led to disabling the production R2 Gateway service responsible for the R2 API.
Critically, this incident did not result in the loss or corruption of any data stored on R2.
We’re deeply sorry for this incident: this was a failure of a number of controls, and we are prioritizing work to implement additional system-level controls related not only to our abuse processing systems, but so that we continue to reduce the blast radius of any system- or human- action that could result in disabling any production service at Cloudflare.
How Much Money Does Arm Make In The Datacenter?
As we have been saying for quite some time, when it comes to datacenter CPUs, we think that homegrown Arm processors (as well as those made by independents Ampere Computing and Huawei Technologies) will eventually represent at least half of the computing capacity that the hyperscalers and major cloud builders install. …
How Much Money Does Arm Make In The Datacenter? was written by Timothy Prickett Morgan at The Next Platform.