BGP Policies (part 1)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

In the following network—

There are many reasons an operator might want to select which neighboring AS through which to send traffic towards a given reachable destination (for instance, 100::/64). Each of these examples assumes the AS in question has learned multiple paths towards 100::/64, one from each peer, and must choose one of the two available paths to forward along.

Examining this from AS65006’s Perspective …

Assuming AS65006 is an edge operator (commonly called enterprise, but generally just originating and terminating traffic, and never transiting traffic), there are several reasons the operator may prefer one exit point (through an upstream provider), including:

• An automated system may determine AS65004 has some sort of brownout; in this case, the operator at 65006 has configured the system to prefer the exit through AS65005
• The traffic Continue reading

How to Migrate your Ansible Playbooks to Support AWS boto3

Red Hat Ansible Automation Platform is known for automating Linux, Windows and networking infrastructure. While both the community version of Ansible and our enterprise offering, Red Hat Ansible Automation Platform, are prominently known for configuration management, this is just a small piece of what you can really achieve with Ansible’s automation. There are many other use-cases that Ansible Automation Platform is great at automating, such as your AWS, Azure or Google public cloud. 

Ansible Automation Platform can automate deployments, migrations and operational tasks for your public cloud. This is extremely powerful because you can orchestrate your entire infrastructure workflow, from cloud deployment, to instance configuration, to retirement, rather than requiring a point tool for each separate use-case. This also allows IT administrators to concentrate on automating business outcomes rather than individual technology silos.

Specifically for this blog, I wanted to cover converting your Ansible Playbooks for provisioning an instance on AWS from the unsupported ec2 module to the fully supported ec2_instance module. Amazon has deprecated their Software Development Kit (SDK) Boto in favor of the newer fully supported SDK Boto3. Alina Buzachis announced What's New: The Ansible AWS Collection 2.0 Release back in October 2021, which includes Continue reading

Who monitors the monitoring systems?

This article offers a response, describing how to introduce an uncorrelated monitor-of-monitors into the data center to provide real-time visibility that survives when the primary monitoring systems fail.

Summary of the AWS Service Event in the Northern Virginia (US-EAST-1) Region, This congestion immediately impacted the availability of real-time monitoring data for our internal operations teams, which impaired their ability to find the source of congestion and resolve it. December 10th, 2021

Standardizing on a small set of communication primitives (gRPC, Thrift, Kafka, etc.) simplifies the creation of large scale distributed services. The communication primitives abstract the physical network to provide reliable communication to support distributed services running on compute nodes. Monitoring is typically regarded as a distributed service that is part of the compute infrastructure, relying on agents on compute nodes to transmit measurements to scale out analysis, storage, automation, and Continue reading

Cloudflare, CrowdStrike, and Ping Identity launch the Critical Infrastructure Defense Project

Today, in partnership with CrowdStrike and Ping Identity, Cloudflare is launching the Critical Infrastructure Defense Project (CriticalInfrastructureDefense.org). The Project was born out of conversations with cybersecurity and government experts concerned about potential retaliation to the sanctions that resulted from the Russian invasion of Ukraine.

In particular, there is a fear that critical United States infrastructure will be targeted with cyber attacks. While these attacks may target any industry, the experts we consulted with were particularly concerned about three areas that were often underprepared and could cause significant disruption: hospitals, energy, and water.

To help address that need, Cloudflare, CrowdStrike, and Ping Identity have committed under the Critical Infrastructure Defense Project to offer a broad suite of our products for free for at least the next four months to any United States-based hospital, or energy or water utility. You can learn more at: www.CriticalInfrastructureDefense.org.

We are not powerless against hackers. Organizations that have adopted a Zero Trust approach to security have been successful at mitigating even determined attacks. There are three core components to any Zero Trust security approach: 1) Network Security, 2) Endpoint Security; and 3) Identity.

Cloudflare, CrowdStrike, and Ping Identity are three of Continue reading

Dictionary : Face Mute

Gartner: SSE is SASE minus the SD-WAN

SASE adoption has been skyrocketing since the start of the pandemic. Secure access service edge, a term Gartner coined in 2019, combines security and networking in a single, scalable, cloud-based platform that fits well in a world in which employees work from home and mostly access cloud-based apps and services.Now Gartner is pushing a new acronym. Turns out, companies might prefer to get their SASE without the “A” — just security service edge, or SSE. Gartner this month published a Magic Quadrant for SSE (something the company never did for SASE); it's available from vendors listed in the report (here and here, for example).To read this article in full, please click here

Verizon Business adds VMware SD-WAN to its managed services

Verizon Business has added VMware to its global managed-SD-WAN portfolio as part of its Network as a Service (NaaS) strategy. Verizon made the announcement at the Mobile World Conference event in Barcelona.Verizon’s Managed SD-WAN is designed for hybrid-cloud environments and uses application-aware routing to make sure customer data takes the right path to its destination. This allows customers to use their private network for demanding, latency-sensitive apps while sending less critical data over public networks.VMware SD-WAN features orchestration around centralized policy, monitoring, reporting, and analytics via Verizon Enterprise Center. It also offers SD WAN gateways with controllers. VMware Gateways are points of presencelocated around the world to provide physically close, low-latency connectivity to customer edge devices.To read this article in full, please click here

Gartner: SSE is SASE minus the SD-WAN

SASE adoption has been skyrocketing since the start of the pandemic. Secure access service edge, a term Gartner coined in 2019, combines security and networking in a single, scalable, cloud-based platform that fits well in a world in which employees work from home and mostly access cloud-based apps and services.Now Gartner is pushing a new acronym. Turns out, companies might prefer to get their SASE without the “A” — just security service edge, or SSE. Gartner this month published a Magic Quadrant for SSE (something the company never did for SASE); it's available from vendors listed in the report (here and here, for example).To read this article in full, please click here

SKINCARE TRENDS; TRY EXFOLIATING GLOVES AND CLEANSERS.

Everyone wants smooth, shiny, and vibrant skin. But unfortunately, not everyone is privileged to have it. Various methods have been used to give this result and one of the popular methods is the manual use of exfoliating gloves. This trend has been acceptably used by many. It’s a very convenient and easy way to fix dry and even oily skin. It is a coarse-textured glove that could be worn by anyone for convenient use. The following about exfoliating gloves shall be considered:

• Benefits of using exfoliating gloves
• Cons of using exfoliating gloves
• How to use exfoliating gloves
• How often you should use an exfoliating glove.

Benefits of using exfoliating gloves:

Exfoliating gloves work by getting rid of the dead skin cells on your skin. The skin naturally sheds and most times, the dead cells stay on the skin and could even clog your pores. Using exfoliating gloves could help scrub out the dead cells away thereby allowing products to penetrate the skin. With consistent use, it can also increase the production of collagen leading to clearer and smoother skin and improving the overall look of your skin. It could also reduce the appearance of acne and acne scars and give Continue reading

Back to basics: Make sure VMs don’t exceed host capacity

At the agency where I work we recently bought software products that required new virtual machines, and that provided the opportunity to review some of the important basices of properly assigning the hardware memory and compute to each VM.That’s important so we stay in a failover-ready state, and in our environment, that means appropriately allocating resources of the two clustered physical hosts that run VMs for our production applications. It’s even more important now because the new software is particularly resource-intensive.What is a virtual machine? The task also provided the opportunity to review and adjust the resources assigned to all of our existing virtual servers so they, too, were properly sized.To read this article in full, please click here

Back to basics: Make sure VMs don’t exceed host capacity

At the agency where I work we recently bought software products that required new virtual machines, and that provided the opportunity to review some of the important basices of properly assigning the hardware memory and compute to each VM.That’s important so we stay in a failover-ready state, and in our environment, that means appropriately allocating resources of the two clustered physical hosts that run VMs for our production applications. It’s even more important now because the new software is particularly resource-intensive.What is a virtual machine? The task also provided the opportunity to review and adjust the resources assigned to all of our existing virtual servers so they, too, were properly sized.To read this article in full, please click here

Tier 1 Carriers Performance Report: February, 2022

The post Tier 1 Carriers Performance Report: February, 2022 appeared first on Noction.

netsim-tools Release 1.1.3

netsim-tools release 1.1.3 brings a number of goodies, including:

• OSPFv3 support on a few platforms (we’re still looking for contributors to implement OSPFv3 on other platforms)
• EIGRP implementation of common routing protocol features (router ID, passive and external interfaces)
• Configurable address family support for IS-IS, OSPF and EIGRP
• Support for /31 IPv4 P2P links
• Configurable MTU for VyOS and RouterOS

netsim-tools Release 1.1.3

netsim-tools release 1.1.3 brings a number of goodies, including:

• OSPFv3 support on a few platforms (we’re still looking for contributors to implement OSPFv3 on other platforms)
• EIGRP implementation of common routing protocol features (router ID, passive and external interfaces)
• Configurable address family support for IS-IS, OSPF and EIGRP
• Support for /31 IPv4 P2P links
• Configurable MTU for VyOS and RouterOS

If you’re building your own libvirt boxes, you might also appreciate:

Steps we’ve taken around Cloudflare’s services in Ukraine, Belarus, and Russia

At Cloudflare, we've watched in horror the Russian invasion of Ukraine. As the possibility of war looked more likely, we began to carefully monitor the situation on the ground, with the goal of keeping our employees, our customers, and our network safe.

Helping protect Ukraine against cyberattacks

Attacks against the Internet in Ukraine began even before the start of the invasion. Those attacks—and the steady stream of DDoS attacks we’ve seen in the days since—prompted us to extend our services to Ukrainian government and telecom organizations at no cost in order to ensure they can continue to operate and deliver critical information to their citizens as well as to the rest of the world about what is happening to them.

Going beyond that, under Project Galileo, we are expediting onboarding of any Ukrainian entities for our full suite of protections. We are currently assisting more than sixty organizations in Ukraine and the region—with about 25% of those organizations coming aboard during the current crisis. Many of the new organizations are groups coming together to assist refugees, share vital information, or members of the Ukrainian diaspora in nearby countries looking to organize and help. Any Ukrainian organizations that are facing Continue reading

Ukraine Fallout: Connectivity and Cloud Services Access in Flux

Automation 12. Automated EVPN Customer Deployment with Ansible, NETCONF, and NetBox. 6WIND version.

Hello my friend,

We’ve been preparing this blogpost for quite a while, but for various reasons it was put on the back burner. Now we finally are bringing this back to light. We’ll go over a practical use case of automation of 6WIND configuration with Ansible and NetBox relying NETCONF.

1
2
3
4
5
No part of this blogpost could be reproduced, stored in a 

retrieval system, or transmitted in any form or by any 

means, electronic, mechanical or photocopying, recording, 

or otherwise, for commercial purposes without the 

prior permission of the author.

Do I Need to Automate Everything?

The answer is, as usual: it depends. With our passion to automation, we would say: yes, definitely you should automate everything. But this is possible, only if you have unlimited resources (time, money, people). In reality, all the resources are limited and, moreover, may be even scarce. In such a case you would need to choose, where would you obtain the biggest leverage from automation. For example, some tasks are more frequent or time consuming than others. Clearly they are to be automated.

How to find them? Join our automation training and you will find that out!

We offer the Continue reading

Worth Reading: Misconceptions about Route Origin Validation

Use the email sent by Randy Bush to RIPE routing WG mailing list every time a security researcher claims a technology with no built-in security mechanism is insecure (slightly reworded to make it more generic).

Lately, I am getting flak about $SomeTechnology not providing protection from this or that malicious attack. Indeed it does not.

Worth Reading: Misconceptions about Route Origin Validation

Use the email sent by Randy Bush to RIPE routing WG mailing list every time a security researcher claims a technology with no built-in security mechanism is insecure (slightly reworded to make it more generic).

Lately, I am getting flak about $SomeTechnology not providing protection from this or that malicious attack. Indeed it does not.

Weekend Reads 030422

The notion that email security should be prioritized is emphasized during this time where more and more businesses are still working in a remote or hybrid dynamic environment.

After quizzing 8,000 job applicants and 2,250 hiring managers in the U.S., Germany, and Great Britain, researchers at Harvard Business School, working with the consultancy Accenture, discovered that many tens of millions of people are being barred from consideration for employment by résumé screening algorithms that throw out applicants who do not meet an unfeasibly large number of requirements, many of which are utterly irrelevant to the advertised job.

We developed attacks that exploit the transparency of the DNS lookups to tunnel injection payloads over DNS records. These attacks exploit two key factors. Firstly, DNS resolvers do not alter the DNS records received in lookups, so the malicious payload is preserved intact

In response to what industry observers call the second quantum revolution, Israel announced on Feb. 15 an ambitious goal to build its first quantum computer within a year.

PCIe 6.0 was announced on January 11, 2022, so at the earliest, we’re looking at PCIe 6.0 products rolling out at the end of 2022 or early 2023.

Continue reading