An In-Depth Look at Istio Ambient Mode with Calico

The Next Step Toward a Unified Kubernetes Platform: Istio Ambient Mode

Organizations are struggling with rising operational complexity, fragmented tools, and inconsistent security enforcement as Kubernetes becomes the foundation for modern application platforms. As a result of this complexity and fragmentation, platform teams are increasingly burdened by the need to stitch together separate solutions for networking, network security, and observability. This fragmentation also creates higher operating costs, security gaps, inefficient troubleshooting, and an elevated risk of outages in mission-critical environments. The challenge is even greater for companies running multiple Kubernetes distributions, as relying on each platform’s unique and often incompatible networking stack can lead to significant vendor lock-in and operational overhead.

The Tigera Unified Strategy: Addressing Fragmentation

Tigera’s unified platform strategy is designed to address these challenges by providing a single solution that brings together all the essential Kubernetes networking and security capabilities enterprises need, that includes Istio Ambient Mode, delivered consistently across every Kubernetes distribution.

Istio Ambient Mode brings sidecarless service-mesh functionality that includes authentication, authorization, encryption, L4/L7 traffic controls, and deep application-level (L7) observability directly into the unified Calico platform. By including Istio Ambient Mode with Calico and making it easy to install and manage with the Tigera Continue reading

React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques

On December 3, 2025, immediately following the public disclosure of the critical, maximum-severity React2Shell vulnerability (CVE-2025-55182), the Cloudforce One Threat Intelligence team began monitoring for early signs of exploitation. Within hours, we observed scanning and active exploitation attempts, including traffic originating from infrastructure associated with Asian-nexus threat groups.

Early activity indicates that threat actors quickly integrated this vulnerability into their scanning and reconnaissance routines. We observed systematic probing of exposed systems, testing for the flaw at scale, and incorporating it into broader sweeps of Internet‑facing assets. The identified behavior reveals the actors relied on a combination of tools, such as standard vulnerability scanners and publicly accessible Internet asset discovery platforms, to find potentially vulnerable React Server Components (RSC) deployments exposed to the Internet.

Patterns in observed threat activity also suggest that the actors focused on identifying specific application metadata — such as icon hashes, SSL certificate details, or geographic region identifiers — to refine their candidate target lists before attempting exploitation. 

In addition to React2Shell, two additional vulnerabilities affecting specific RSC implementations were disclosed: CVE-2025-55183 and CVE-2025-55184. Both vulnerabilities, while distinct from React2Shell, also relate to RSC payload handling and Server Function semantics, and are described in more detail Continue reading

IETF v6ops Working Group with Nick Buraglio

The first IPv6 specs were published in 1995, and yet 30 years later, we still have a pretty active IETF working group focused on “developing guidelines for the deployment and operation of new and existing IPv6 networks.” (taken from the old charter; they updated it in late October 2025). Why is it taking so long, and what problems are they trying to solve?

Nick Buraglio, one of the working group chairs, provided some answers in Episode 203 of the Software Gone Wild podcast.

Listen to the podcast

Driving HPC Performance Up Is Easier Than Keeping The Spending Constant

We are still mulling over all of the new HPC-AI supercomputer systems that were announced in recent months before and during the SC25 supercomputing conference in St Louis, particularly how the slew of new machines announced by the HPC national labs will be advancing not just the state of the art, but also pushing down the cost of the FP64 floating point operations that still drives a lot of HPC simulation and modeling work.

Driving HPC Performance Up Is Easier Than Keeping The Spending Constant was written by Timothy Prickett Morgan at The Next Platform.

TCG065: AutoCon 4 Recap, AI Tools, MCP’s First Birthday, and More

In this year-end episode, William and Eyvonne recap their experiences at AutoCon 4 in Austin, Texas. They discuss the conference’s new multi-track format, including Eyvonne’s presentation in the leadership track on why technical projects fail. The conversation dives into how AI tools like Google Gemini can augment – not replace – human creativity, from research... Read more »

UET Protocol: How the NIC constructs packet from the Work Entries (WRE+SES+PDS)

 Semantic Sublayer (SES) Operation 

[Rewritte 12. Dec-2025]

After a Work Request Entity (WRE) is created, the UET provider generates the parameters needed by the Semantic Sublayer (SES) headers. At this stage, the SES does not construct the actual wire header. Instead, it provides the header parameters, which are later used by the Packet Delivery Context (PDC) state machine to construct the final SES wire header, as explained in the upcoming PDC section. These parameters ensure that all necessary information about the message, including addressing and size, is available for later stages of processing.

Fragmentation Due to Guaranteed Buffer Limits

In our example, the data to be written to the remote GPU is 16 384 bytes. The dual-port NIC in figure 5-5 has a total memory capacity of 16 384 bytes, divided into three regions: a 4 096-byte guaranteed per-port buffer for Eth0 and Eth1, and an 8 192-byte shared memory pool available to both ports. Because gradient synchronization requires lossless delivery, all data must fit within the guaranteed buffer region. The shared memory pool cannot be used, as its buffer space is not guaranteed.

Since the message exceeds the size of the guaranteed buffer, it must be fragmented. The UET provider splits the 16 384-byte Continue reading

D2DO289: Instana: Leading the Future of Observability (Sponsored)

As AI tools and agentic AI become part of how applications are developed, delivered, and managed, application performance monitoring and observability have to adapt. Ned Bellavance sits down with Drew Flowers and Jacob Yackenovich from IBM Instana about where these fields sit today, and the potential impacts of AI. They detail the challenges of application... Read more »

Why AI Traffic Growth Demands Optical Network Automation Now

Demand for bandwidth continues to surge with increasing use of AI, high-definition video streaming, cloud and 5G mobile applications. In response, optical services need to become more dynamic and meet stricter service-level requirements. Consequently, metro-based networks owned by communications service providers (CSPs) and used for mobile transport, enterprise services or broadband access services face new demands relating to power, multiservice aggregation, security, AI integration and network slicing. Figure 1 shows a rich set of applications in a typical metro network. Figure 1 — A typical metro network supports a rich set of applications. As AI use grows, it will create a force multiplier that will drive significant traffic to transport networks. But the challenging throughput, latency and reliability requirements of AI workloads are already taking network scale and complexity to another level. CSPs are facing unprecedented pressure to deliver more, faster and better. Figure 2 shows the impact of AI traffic growth based on a recent Nokia Bell Labs study. This growth can range from 14% to 31%. Figure 2 — Traffic growth effects on CSP networks. CSPs’ access and aggregation network (orange) will bear the heaviest load, roughly 31% of the total AI traffic. CSPs’ metro network (pink) is Continue reading

Simplifying SR-TE with mesh templates

A big problem with deploying traffic engineering is configuration complexity. This has now been solved.

Why use Traffic Engineering

Typical reasons for using traffic engineering are:

  • Send some traffic via a low latency path
  • Send A/B streams via different paths

2026 INFINITI QX80 Autograph 4WD: SUV Mewah dengan Lompatan Teknologi Baru

Desain Eksterior yang Semakin Berwibawa

Generasi terbaru 2026 INFINITI QX80 Autograph 4WD hadir dengan tampilan yang lebih tegas dan modern. Desain bodinya terlihat tebal namun tetap elegan. Bentuk gril dark chrome kini memberi kesan premium sejak pandangan pertama. Selain itu, velg 22 inci dengan finishing two-tone membuat tampilannya semakin berkelas. Karena itu, QX80 Autograph 4WD tidak hanya sekadar SUV besar, tetapi juga simbol status yang nyata.

Selain tampilan solid, fitur eksteriornya juga mendukung kemudahan. Pengemudi mendapatkan akses pintu otomatis, INFINITI Light Path, serta puddle lights yang membantu saat malam. Lalu, roof dual-pane moonroof memberi atmosfer kabin yang lebih lapang dan mewah. Semua elemen tersebut bersatu menciptakan identitas baru yang lebih kuat.

Interior Ultra Mewah dengan Kemudahan Maksimal

Masuk ke dalam kabin, QX80 Autograph 4WD langsung menunjukkan standar kenyamanan kelas atas. Material semi-aniline leather dengan pola dot quilting terasa sangat lembut. Kursi baris pertama dan kedua punya fitur heated, ventilated, dan massage, sehingga perjalanan jauh terasa nyaman. Bahkan baris ketiga sudah Continue reading

PP090: Why Native Controls Aren’t Enough to Protect Your Cloud Workspaces (Sponsored)

Cloud-based workspaces such as Google Workspace are often the backbone of an organization. But they also face threats from spam and phishing, account takeovers, and illicit access to sensitive documents and files. On today’s Packet Protector we talk with sponsor Material Security about how it brings additional layers of protection to Google Workspace, including email... Read more »

Shifting left at enterprise scale: how we manage Cloudflare with Infrastructure as Code

The Cloudflare platform is a critical system for Cloudflare itself. We are our own Customer Zero – using our products to secure and optimize our own services. 

Within our security division, a dedicated Customer Zero team uses its unique position to provide a constant, high-fidelity feedback loop to product and engineering that drives continuous improvement of our products. And we do this at a global scale — where a single misconfiguration can propagate across our edge in seconds and lead to unintended consequences. If you've ever hesitated before pushing a change to production, sweating because you know one small mistake could lock every employee out of critical application or take down a production service, you know the feeling. The risk of unintended consequences is real, and it keeps us up at night.

This presents an interesting challenge: How do we ensure hundreds of internal production Cloudflare accounts are secured consistently while minimizing human error?

While the Cloudflare dashboard is excellent for observability and analytics, manually clicking through hundreds of accounts to ensure security settings are identical is a recipe for mistakes. To keep our sanity and our security intact, we stopped treating our configurations as manual point-and-click tasks and Continue reading

NB555: AI and APIs Drive HPE’s Dual-Platform WLAN Strategy; Dell, HPE Dangle VMware Alternatives

Take a Network Break! Our Red Alert calls out a dangerous vulnerability in the popular open-source React library. On the news front, HPE decides on a “both and” strategy for its two wireless portfolios and rolls out an option to let customers pick and choose among cross-platform features in Mist and Aruba Networking Central through... Read more »

Tech Bytes: How to Get DPUs from Niche to Transformative (Sponsored)

RG Nets builds gateways and centralized-authentication appliances to help manage and automate revenue-generating networks. On today’s Tech Bytes, we talk with RG Nets founder Simon Lok. But instead of talking about RG Nets, we delve into DPUs. This specialized hardware, which provides additional compute for network devices, has the potential to move from a niche... Read more »

HN807: A ‘CLI Lifer’ No More

Andy Lapteff once considered himself a ‘CLI lifer.’ As a network engineer he wasn’t interested in Python. He didn’t want to learn to code. He had no desire to embrace any of the developer-like processes and tools creeping into the profession, particularly around network automation. That’s changed. On today’s Heavy Networking, Andy shares the professional,... Read more »
1 3 4 5 6 7 3,835