It’s hard to believe, but another year has swooshed by, and it’s time to shut down my virtual office and disappear until mid-January. Of course I’ll be around in case of urgent support problems – I will read my email, but won’t reply to 90% of the stuff coming in.
I hope you’ll be able to find a few days to disconnect from the crazy pace of the networking world and focus on your loved ones. I would also like to wish you all the best in 2022!
The Technical Marketing role is often misunderstood—or simply forgotten—in the vendor world. What does the TME do, and why? What value does the TME bring to the development and release of new products? Pete Lumbis joins Tom Ammon and Russ White to discuss the importance and value of the TME.
In this episode we discuss presentations at the recent UK IPv6 Council meeting. More importantly, we say thanks to you, our listeners, for keeping IPv6 Buzz in your IT podcast playlist this tumultuous year---as well as for all the great listener questions and feedback. We'll see you again in 0x7e6 (2022, that is) for even more adventures in the 128-bit IPv6 wormhole!
The post IPv6 Buzz 91: Thanks For Listening To IPv6 Buzz In 2021! appeared first on Packet Pushers.
A financial customer explained his first automation priority in the most visual and understandable way: “I want to paint all of my network devices with the color of the company.” What I like about that analogy is that it clearly describes the first rule for automation: customers must define their golden configurations (the color to paint) to be able to automate configurations and later assess compliance, and remediate any issues accordingly.
A “golden configuration” usually refers to a Day 1 configuration, and covers the minimal settings needed for a network device to be configured after a fresh network operating system installation. This usually includes common services such as NTP, DNS, AAA, Syslog, SNMP, and ACLs for management connectivity.
As part of this blog, I will provide an overview for new automation capabilities available to achieve some of these Day 1 configuration activities. In addition to the enhancements for network configuration management, I will cover new Ansible Automation Platform capabilities that are frequently required by our network customers, such as:


In July 2021, as part of Impact Innovation Week, we announced our intention to launch Crawler Hints as a means to reduce the environmental impact of web searches. We spent the weeks following the announcement hard at work, and in October 2021, we announced General Availability for the first iteration of the product. This post explains how we built it, some of the interesting engineering problems we had to solve, and shares some metrics on how it's going so far.
Search indexers crawl sites periodically to check for new content. Algorithms vary by search provider, but are often based on either a regular interval or cadence of past updates, and these crawls are often not aligned with real world content changes. This naive crawling approach may harm customer page rank and also works to the detriment of search engines with respect to their operational costs and environmental impact. To make the Internet greener and more energy efficient, the goal of Crawler Hints is to help search indexers make more informed decisions on when content has changed, saving valuable compute cycles/bandwidth and having a net positive environmental impact.
Cloudflare is in an advantageous position to help inform […]
I wanted to cover fast failover (at least the basics and Prefix Independent Convergence – PIC) in another live session of the How Networks Really Work webinar in 2021, but unfortunately I ran out of time.
As a teaser, you might want to watch the recording of the Fast Failover: Marketing and Reality presentation I had at the Seventh RSNOG Conference.
Marvell has been rapidly building itself into a diversified supplier of IT infrastructure components. Through a combination of organic growth and recent acquisitions, Marvell has expanded its quarterly revenue by almost 70 percent over the past two years to more than $3.9 billion over the last four quarters. 2021 sales were greatly aided by two […]
The post Marvell’s Silicon Strategy: Optimized Components For Different Workloads appeared first on Packet Pushers.
Today is a deeply technical episode on DevOps, Azure, Docker, Terraform, and more. Our guest is Kyler Middleton, Principal DevOps Network Architect. Kyler is also a Pluralsight author and blogger.
The post Day Two Cloud 128: DevOps’ing All The Things appeared first on Packet Pushers.


Hot on the heels of CVE-2021-44228, a second Log4J CVE has been filed: CVE-2021-45046. The rules that we previously released for CVE-2021-44228 give the same level of protection for this new CVE.
This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0. The latest version can be found on the Log4J download page.
Customers using the Cloudflare WAF have three rules to help mitigate any exploit attempts:
| Rule ID | Description | Default Action |
|---|---|---|
| 100514 (legacy WAF), 6b1cc72dff9746469d4695a474430f12 (new WAF) | Log4J Headers | BLOCK |
| 100515 (legacy WAF), 0c054d4e4dd5455c9ff8f01efe5abb10 (new WAF) | Log4J Body | BLOCK |
| 100516 (legacy WAF), 5f6744fa026a4638bda5b3d7d5e015dd (new WAF) | Log4J URL | BLOCK |
The mitigation has been split across three rules inspecting HTTP headers, body and URL respectively.
In addition to the above rules we have also released a fourth rule that will protect against a much wider range of attacks at the cost of a higher false positive rate. For that reason we have made it available but not set it to BLOCK by default:
| Rule ID | Description | Default Action |
|---|---|---|
| 100517 (legacy WAF), 2c5413e155db4365befe0df160ba67d7 (new WAF) | Log4J Advanced URI, Headers | DISABLED |


Recently, we received a bug bounty report regarding the GPG signing key used for pkg.cloudflareclient.com, the Linux package repository for our Cloudflare WARP products. The report stated that this private key had been exposed. We’ve since rotated this key and we are taking steps to ensure a similar problem can’t happen again. Before you read on, if you are a Linux user of Cloudflare WARP, please follow these instructions to rotate the Cloudflare GPG Public Key trusted by your package manager. This only affects WARP users who have installed WARP on Linux. It does not affect Cloudflare customers of any of our other products or WARP users on mobile devices.
But we also realized that the impact of an improperly secured private key can have consequences that extend beyond the scope of one third-party repository. The remainder of this blog shows how to improve the security of apt with third-party repositories.
At first, we thought that the exposed signing key could only be used by an attacker to forge packages distributed through our package repository. However, when reviewing impact for Debian and Ubuntu platforms we found that our instructions were outdated and insecure. In fact, […]