0

BGP Policies (Part 2)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

There are many reasons an operator might want to select which neighboring AS through which to send traffic towards a given reachable destination (for instance, 100::/64). Each of these examples assumes the AS in question has learned multiple paths towards 100::/64, one from each peer, and must choose one of the two available paths to forward along.

In the following network—

From AS65004’s perspective…

Transit providers primarily choose the most optimal exit from their AS to reduce the amount of peering settlement they are paying by using and maintaining settlement-free peering where possible and reducing the amount of time and distance traffic is carried through their network (through hot potato routing, discussed in more detail below).
If, for instance, AS65004 has a paid peering relationship with AS65002, and a contract with AS65003 which Continue reading

0

#VMwareNSXChat Recap: NSX-T 3.2

In our most recent Twitter chat, we were joined by Vivek Bhandari, Varun Santosh, and Srini Nimmagadda to answer common questions about NSX-T 3.2, its benefits, how it works, and more. Dive in below for the full recap of our NSX-T 3.2 #VMwareNSXChat.

 

Question 1: If you had to describe NSX-T 3.2 to a friend using just one sentence (or using just 280 characters) what would you say? #VMwareNSXChat

Varun: Stronger security, simplified networking, easy operations – what’s not to like #VMwareNSXchat!

Vivek: It’s like going from a flip phone to a touch screen smartphone. Gamechanger! #VMwareNSXChat

 

Question 2: What are the key Networking and Policy enhancements? #VMwareNSXChat

Varun: NSX-T 3.2 simplifies network provisioning thru prescriptive NSX deployment from vCenter, deeper integration with Antrea, Federation support for VM tag replication, enhanced migration coordinator, and enhanced monitoring and troubleshooting. #VMwareNSXChat

 

Question 3: What are the key security enhancements? #VMwareNSXChat

Vivek: NSX-T 3.2 is a quantum leap forward bringing advanced security in a distributed architecture. It now includes network traffic analysis (NTA) and network detection and response (NDR), malware prevention with sandboxing, L7 gateway firewall, and more. #VMwareNSXChat

Vivek: Of Continue reading

0

Network Break 373: Google Buys Mandiant To Bolster Security Ops; Network OS DENT 2.0 Released

Today's Network Break examines why Google spent billions of dollars to acquire Mandiant for security ops, the latest release of the DENT network OS, NVIDIA's software revenue strategy, and more tech news.

0

Architecting Memory Pools For HPC And AI Applications Using CXL

Over the past decade, much of the focus with machine learning has been on CPUs and accelerators, primarily GPUs but also custom ASICs, with advances in the chip architecture aimed at boosting parallel math performance. …

Architecting Memory Pools For HPC And AI Applications Using CXL was written by Jeffrey Burt at The Next Platform.

0

Real-time EVPN fabric visibility

Real-time telemetry from a 5 stage Clos fabric describes lightweight emulation of realistic data center switch topologies using Containerlab. This article builds on the example to demonstrate visibility into Ethernet Virtual Private Network (EVPN) traffic as it crosses a routed leaf and spine fabric.

docker run --rm -it --privileged --network host --pid="host" \
  -v /var/run/docker.sock:/var/run/docker.sock -v /run/netns:/run/netns \
  -v ~/clab:/home/clab -w /home/clab \
  ghcr.io/srl-labs/clab bash

Start Containerlab.

curl -O https://raw.githubusercontent.com/sflow-rt/containerlab/master/evpn3.yml

Download the Containerlab topology file.

containerlab deploy -t evpn3.yml

Finally, deploy the topology.

docker exec -it clab-evpn3-leaf1 vtysh -c "show running-config"

See configuration of leaf1 switch.

Building configuration...

Current configuration:
!
frr version 8.1_git
frr defaults datacenter
hostname leaf1
no ipv6 forwarding
log stdout
!
router bgp 65001
 bgp bestpath as-path multipath-relax
 bgp bestpath compare-routerid
 neighbor fabric peer-group
 neighbor fabric remote-as external
 neighbor fabric description Internal Fabric Network
 neighbor fabric capability extended-nexthop
 neighbor eth1 interface peer-group fabric
 neighbor eth2 interface peer-group fabric
 !
 address-family ipv4 unicast
  network 192.168.1.1/32
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor fabric activate
  advertise-all-vni
 exit-address-family
exit
!
ip nht resolve-via-default
!
end

The loopback address on the switch, 192.168.1.1/32, is advertised to neighbors so that the VxLAN tunnel endpoint Continue reading

0

Two Simple Ways Automation Can Save You Money on Your AWS Bill

Red Hat Ansible Automation Platform is an excellent automation and orchestration tool for public clouds. For this post, I am going to walk through two common scenarios where Ansible Automation Platform can help out. I want to look outside the common public cloud use-case of provisioning and deprovisioning resources and instead look at automating common operational tasks.

What is an operational task? It is simply anything that an administrator has to do outside of creating and deleting cloud resources (e.g. instances, networks, keys, etc.) to help maintain their company's public cloud account. One of the problems I’ve encountered is instances being left on, running up our public cloud bill in the background while we were focusing our attention elsewhere. The more users you have, the more likely problems are to occur; automation can help address these issues and maintain control of your account. There are two common scenarios I want to address here:

1. Bespoke AWS instances were manually created for a one-off initiative, usually to test something, then instances were forgotten about and left running.
2. Continuous Integration (CI) instances were spun up to test changes programmatically every time a Pull Request (PR) went into our project, and would Continue reading

0

Democratizing email security: protecting individuals and businesses of all sizes from phishing and malware attacks

Since our founding, Cloudflare has been on a mission to take expensive, complex security solutions typically only available to the largest companies and make them easy to use and accessible to everyone. In 2011 and 2015 we did this for the web application firewall and SSL/TLS markets, simplifying the process of protecting websites from application vulnerabilities and encrypting HTTP requests down to single clicks; in 2020, during the start of the COVID-19 pandemic, we made our Zero Trust suite available to everyone; and today—in the face of heightened phishing attacks—we’re doing the same for the email security market.

Once the acquisition of Area 1 closes, as we expect early in the second quarter of 2022, we plan to give all paid self-serve plans access to their email security technology at no additional charge. Control, customization, and visibility via analytics will vary with plan level, and the highest flexibility and support levels will be available to Enterprise customers for purchase.

All self-serve users will also get access to a more feature-packed version of the Zero Trust solution we made available to everyone in 2020. Zero Trust services are incomplete without an email security solution, and CISA’s recent report makes that clearer Continue reading

0

Investigating threats using the Cloudflare Security Center

Cloudflare blocks a lot of diverse security threats, with some of the more interesting attacks targeting the “long tail” of the millions of Internet properties we protect. The data we glean from these attacks trains our machine learning models and improves the efficacy of our network and application security products, but historically hasn’t been available to query directly. This week, we’re changing that.

All customers will soon be granted access to our new threat investigations portal, Investigate, in the Cloudflare Security Center (first launched in December 2021). Additionally, we’ll be annotating threats across our analytics platform with this intelligence to streamline security workflows and tighten feedback loops.

What sorts of data might you want to look up here? Let’s say you’re seeing an IP address in your logs and want to learn which hostnames have pointed to it via DNS, or you’re seeing a cluster of attacks come from an autonomous system (AS) you’re not familiar with. Or maybe you want to investigate a domain name to see how it’s been categorized from a threat perspective. Simply enter any of those items into the omni search box, and we’ll tell you everything we know.

IPs and hostnames will be Continue reading

0

Get full observability into your Cloudflare logs with New Relic

Building a great customer experience is at the heart of any business. Building resilient products is half the battle — teams also need observability into their applications and services that are running across their stack.

Cloudflare provides analytics and logs for our products in order to give our customers visibility to extract insights. Many of our customers use Cloudflare along with other applications and network services and want to be able to correlate data through all of their systems.

Understanding normal traffic patterns, causes of latency and errors can be used to improve performance and ultimately the customer experience. For example, for websites behind Cloudflare, analyzing application logs and origin server logs along with Cloudflare’s HTTP request logs give our customers an end-to-end visibility about the journey of a request.

We’re excited to have partnered with New Relic to create a direct integration that provides this visibility. The direct integration with our logging product, Logpush, means customers no longer need to pay for middleware to get their Cloudflare data into New Relic. The result is a faster log delivery and fewer costs for our mutual customers!

We’ve invited the New Relic team to dig into how New Relic One can Continue reading

0

Leverage IBM QRadar SIEM to get insights from Cloudflare logs

It’s just gone midnight, and you’ve just been notified that there is a malicious IP hitting your servers. You need to triage the situation; find the who, what, where, when, why as fast and in as much detail as possible.

Based on what you find out, your next steps could fall anywhere between classifying the alert as a false positive, to escalating the situation and alerting on-call staff from around your organization with a middle of the night wake up.

For anyone that’s gone through a similar situation, you’re aware that the security tools you have on hand can make the situation infinitely easier. It’s invaluable to have one platform that provides complete visibility of all the endpoints, systems and operations that are running at your company.

Cloudflare protects customers’ applications through application services: DNS, CDN and WAF to name a few. We also have products that protect corporate applications, like our Zero Trust offerings Access and Gateway. Each of these products generates logs that provide customers visibility into what’s happening in their environments. Many of our customers use Cloudflare’s services along with other network or application services, such as endpoint management, containerized systems and their own servers.

We’re excited Continue reading

0

Introducing: Backup Certificates

At Cloudflare, we pride ourselves in giving every customer the ability to provision a TLS certificate for their Internet application — for free. Today, we are responsible for managing the certificate lifecycle for almost 45 million certificates from issuance to deployment to renewal. As we build out the most resilient, robust platform, we want it to be “future-proof” and resilient against events we can’t predict.

Events that cause us to re-issue certificates for our customers, like key compromises, vulnerabilities, and mass revocations require immediate action. Otherwise, customers can be left insecure or offline. When one of these events happens, we want to be ready to mitigate impact immediately. But how?

By having a backup certificate ready to deploy — wrapped with a different private key and issued from a different Certificate Authority than the primary certificate that we serve.

Events that lead to certificate re-issuance

Cloudflare re-issues certificates every day — we call this a certificate renewal. Because certificates come with an expiration date, when Cloudflare sees that a certificate is expiring soon, we initiate a new certificate renewal order. This way, by the time the certificate expires, we already have an updated certificate deployed and ready to use for Continue reading

0

Russia’s internet is still connected — but with stiff limits

Cyberwarfare has been become a prominent aspect of Russia's invasion of neighboring Ukraine, but the basic infrastructure connecting both countries to the internet has remained largely unaffected, even as the Russian government may be considering imposing new limitations on access to its domestic networks.Russian network operators continue to participate in peering agreements with transit providers, meaning that the physical infrastructure connecting Russia to the internet at large is still completely intact, according to a report from network intelligence and monitoring company ThousandEyes.Yet ThousandEyes head of internet intelligence and product marketing, Angelique Medina, said that DDoS attacks and self-imposed traffic restrictions may be making the on-the-ground experience of internet use in Russia somewhat complicated.To read this article in full, please click here

0

5 SD-WAN gotchas to avoid

Software-defined WANs (SD-WAN) are becoming key components of modern IT infrastructures. Because they use a centralized control function to securely direct network traffic over the Internet, they can deliver benefits such as increased application performance, better user experience and lower costs.SD-WAN technology simplifies the management and operation of a WAN by decoupling networking hardware from its control mechanism. As organizations look to support a hybrid workforce and cloud-native network architectures, SD-WAN infrastructure has become an important technology for enabling flexible, agile, and optimized connectivity.To read this article in full, please click here

0

Multilink technology and big spectrum gains will drive Wi-Fi 7

Even as businesses continue to make the move to Wi-Fi 6, standards bodies and contributor companies are hard at work creating Wi-Fi 7, or 802.11be, the next generation of Wi-Fi technology that promises even greater capabilities than the latest in unlicensed wireless tech.A combination of new technologies focused on efficient spectrum usage and the recent FCC decision to make a huge swath of the airwaves available to Wi-Fi will push Wi-Fi 7’s peak throughput numbers as high as 40Gbit/s in certain configurations.Dorothy Stanley is the chair of the IEEE SA 802.11 working group. She said that the focus of the new standard is extremely high throughput, which is accomplished, in large part, by the wider channels enabled by the new availability of  6GHz spectrum (5.925 GHz to 7.125 GHz).To read this article in full, please click here

0

What is beamforming and how does it make wireless better?

While the concepts of beamforming have been around since the 1940s, the technology is currently playing a key role in improving modern wireless communication standards such as Wi-Fi and 5G. In combination with MU-MIMO technologies, beamforming helps users get more precise connections that boost their data speeds.What is beamforming? Beamforming is a technique that focuses a wireless signal towards a specific receiving device, rather than have the signal spread in all directions, like from a broadcast antenna. The resulting direct connection is faster and more reliable than it would be without beamforming.To read this article in full, please click here

0

Feedback: Ansible for Networking Engineers

One of ipSpace.net subscribers sent me the following feedback on Ansible for Networking Engineers webinar:

The “Ansible for Network Engineers” webinar is of the highest caliber. I’ve taken Ansible courses with your CCIE peers, and though they are good, I objectively feel, that I get more of a total comprehensive understanding with network automation here at ipSpace. Also, I enjoy your professional care-free tone, and how you pepper humor into the subject matter.

I’ve setup a virtual lab with Ubuntu 18.04 LTS server, and am using both Aruba and Cisco switches/routers. Ansible has lots of nuances that will take me time to fully get a grip-on– but, that’s why I subscribe with the network pros like ipSpace.

0

Feedback: Ansible for Networking Engineers

One of ipSpace.net subscribers sent me the following feedback on Ansible for Networking Engineers webinar:

The “Ansible for Network Engineers” webinar is of the highest caliber. I’ve taken Ansible courses with your CCIE peers, and though they are good, I objectively feel, that I get more of a total comprehensive understanding with network automation here at ipSpace. Also, I enjoy your professional care-free tone, and how you pepper humor into the subject matter.

I’ve setup a virtual lab with Ubuntu 18.04 LTS server, and am using both Aruba and Cisco switches/routers. Ansible has lots of nuances that will take me time to fully get a grip-on– but, that’s why I subscribe with the network pros like ipSpace.

0

Tools 8. Monitoring Network Performance with Dockerised Prometheus, Iperf3 and Speedtest

Hello my friend,

in the time when the business is conducted online, it is vital to have a clear visibility into the health of your services and their performance, especially if they rely on the media or other components outside of your immediate control. Earlier in our blogpost we have covered how and why to use iperf3 for measurements of a performance between your hosts and speediest to measure a performance of an Internet connectivity. Today we’ll show how to automate this process with the help of Prometheus.

1
2
3
4
5
No part of this blogpost could be reproduced, stored in a 

retrieval system, or transmitted in any form or by any 

means, electronic, mechanical or photocopying, recording, 

or otherwise, for commercial purposes without the 

prior permission of the author.

How Can We Automate Monitoring?

Automation is not only about Ansible and Python. Knowing how you can properly use various applications, especially those great open source tools available on the market is a key to your success. At the same time, Ansible plays a key role in rolling out application these days, as it helps to ensure that deployment is done in a consistent way. Ansible is like Continue reading

0

Welcome to Security Week 2022!

Recent events are bringing cybersecurity to the forefront of many conversations.

Governments around the world are encouraging businesses to go “shields up” following Ukraine’s invasion. The current threat is significantly higher than before and any organization with Internet-facing infrastructure should put security as a top priority for the year.

To help keep services online, Cloudflare is also participating in the Critical Infrastructure Defense Project ensuring teams can get the best help to secure networks and applications more vulnerable to cyber threats, such as those in the medical, water and energy sectors.

As another example, not too long ago, Log4J, a high-severity vulnerability affecting many Java-based applications, also highlighted how important good security is on the Internet as attackers immediately started scanning for vulnerable applications within hours of the attack vector becoming public.

Unfortunately, these events are almost certainly not going to be our last reminders.

Over the next six days, we intend to tackle the broad topic of cyber security with a simple goal: ensure security is no longer an afterthought.

Security, however, is also hard, and you never know when “you’ve done enough”. The importance of good security practices should never be underestimated. Reliable and secure Continue reading

0

Worth Reading: Switching the Technology Stack

Did you ever wonder why a company would replace a working technology with an overhyped pile of half-baked code? Why we at $FAMOUS_COMPANY Switched to $HYPED_TECHNOLOGY by Saagar Jha is a hilarious take on the subject.

Want more? How about migrating your Exadata database to AWS?