Juniper ARP Policer on PTX

I’ve written before about the default ARP policer on Juniper MX. It can create some odd failure conditions when you’re connected to noisy networks such as large Internet Exchanges. Junos OS Evolved, as used on platforms like the PTX10003 has low default values for ARP and ICMPv6 ND DDoS protections. It will cause the same problems, but is easier to diagnose and mitigate.

Juniper DDoS Protection

Platforms like MX, QFX, PTX have Control Plane DDoS protections built in. These will automatically rate-limit various traffic types that hit the CPU. This is generally a Good Thing. Certain packet types get punted from the ASIC to the CPU, but the CPU can’t handle anywhere near the traffic levels that the forwarding ASIC can. Send enough special packets to a router, choke the CPU, and you might be able to knock things offline. So having default policies to rate-limit traffic makes sense.

Platform Defaults

Juniper might have “One Junos” but we know it’s not that simple. Behavior varies between platforms. Check these default values for some DDoS protections for different platforms:

Protocol MX QFX PTX
ARP 20,000 500 500
NDPv6 20,000 N/A 500
ICMP 20,000 N/A 500
BGP 20,000 3,000 5,000

Note Continue reading

Using Calico with Kubespray

In the Kubernetes ecosystem there are a variety of ways for you to provision your cluster, and which one you choose generally depends on how well it integrates with your existing knowledge or your organization’s established tools.

Kubespray is a tool built using Ansible playbooks, inventories, and variable files—and also includes supplemental tooling such as Terraform examples for provisioning infrastructure. If you’re already using Ansible for configuration management, Kubespray might be a good fit, and there’s even documentation for integrating with your existing Ansible repository.

There are other reasons Kubespray might be a good solution: maybe you want to use the same tooling to deploy clusters on both bare metal and in the cloud, or you might have a niche use case where you have to support different Linux distributions. Or perhaps you want to take advantage of the project’s composability, which allows you to select which components you’d like to use for a variety of services, such as your container runtime or ingress controller, or—particularly relevant to this blog post—your CNI.

In this post, we’ll go over enabling Calico when following the Quick Start tutorial or using Vagrant to deploy Kubernetes locally, as well as how to configure your Continue reading

Tech Bytes: DDOS and State Exhaustion With Netscout Arbor

Its not widely that DDOS attacks also cause damage from state exhaustion in devices. A recent study why Netscout surprised me that many engineers are aware of overload bandwidth or routing devices but give less considerations to state exhaustion in application aware devices. 

Firewalls, IPS and reverse proxies are subject to overload failure when the internal state is exceeded. This includes server side caches (Varnish, memcache etc) and all this elements should be part of your DDOS strategy. 

Roland Dobbins talks about the nature of these attacks and how to implement stateful protection while using stateless DDOS technology. 

The post Tech Bytes: DDOS and State Exhaustion With Netscout Arbor appeared first on Packet Pushers.

The Centralization of the Internet

My article on Internet centralization just published over at The Public Discourse—

Most of the Internet’s traffic now flows through the networks of a few large companies rather than a multitude of small transit providers, and the Internet’s physical infrastructure is being reshaped to meet this new reality. But relying on a few providers to host all the content on the Internet makes it possible for just a few companies to shut down entire services or control speech.

Network Break 346: Extreme Gets SDWAN, Huawei Struggles and SpaceX Swarms

The world of virtual donuts is supply constrained. Extreme Networks finally gets SDWAN buying Ipanema from Infovista at a bargain price. Research firms that does the numbers Dell'oro pitches that Education and Government markets will be spending big on WiFi6E - we aren't so sure that campus spending will be big just some spending but Dell'oro told us that government economic stimulus is the driver. Most will focus on distributed work. Huawei posted 29% revenue reduction as the trade sanctions impact their overall business. A reminder that political solutions are slow if you have to make plans. And in space networking, SpaceX acquires pico-satellite company Swarm for IOT networking.

Network Break 346: Extreme Gets SDWAN, Huawei Struggles and SpaceX Swarms

The world of virtual donuts is supply constrained. Extreme Networks finally gets SDWAN buying Ipanema from Infovista at a bargain price. Research firms that does the numbers Dell'oro pitches that Education and Government markets will be spending big on WiFi6E - we aren't so sure that campus spending will be big just some spending but Dell'oro told us that government economic stimulus is the driver. Most will focus on distributed work.

Huawei posted 29% revenue reduction as the trade sanctions impact their overall business. A reminder that political solutions are slow if you have to make plans. And in space networking, SpaceX acquires pico-satellite company Swarm for IOT networking.

The post Network Break 346: Extreme Gets SDWAN, Huawei Struggles and SpaceX Swarms appeared first on Packet Pushers.

It’s Time to Rethink Security Across the Software Supply Chain

Open Source has proven instrumental in accelerating software development — providing developers with feature velocity, ease of customization, and quality reusable code. However, the open-source security landscape has clearly changed: it’s clear that the unwritten rule among the open-source community has expired, and open season on hacking open-source software projects has begun. Today’s threat actors have no qualms about injecting malicious code upstream as a way to target downstream applications. Developers need to recognize this new reality and rethink security across the software supply chain.

How did we get here? The push to accelerate digital transformation may be inadvertently introducing vulnerabilities into the software supply chain. Developers, under constant pressure to deliver new software to market faster, often rely on containerized open-source software and public repositories to meet dynamic, agile needs. According to Gartner, nearly three-quarters of global organizations will be running three or more containerized applications in their production environments by 2023. The Cloud Native Computing Foundation (CNCF) also confirmed a similar pattern in its survey, which found the use of containers in production has increased to 92 percent since 2019. With Kubernetes the dominant container orchestration solution, 32% of respondents in the CNCF survey indicated that security Continue reading

Are enterprises loving managed services?

There's a lot in networking that never measures up to the hype, so maybe it's good that this is balanced sometimes by areas where the hype falls far short of reality. Managed services is one of those things.It always seems to be bubbling just below the surface of attention, and yet it may be the most important topic in networking today. I had a chance to chat with 59 enterprises that were involved with or launching managed-service projects and another 118 who had no current managed-service projects. I'll summarize what I found here.SD-WAN buyers guide: Key questions to ask vendors All of these enterprises had been aware of managed services for at least 20 years, and all but 31 had considered them at one point or another. Interestingly, 141 of the 177 total enterprises believe that MPLS VPNs are a form of managed service, and when I dug into this, the response was that “managed services” are about reducing the user's management burden. VPNs do that, so they're a sort-of-managed service.To read this article in full, please click here

Introducing Shadow IT Discovery

Introducing Shadow IT Discovery
Introducing Shadow IT Discovery

Your team likely uses more SaaS applications than you realize. The time your administrators spend vetting and approving applications sanctioned for use can suddenly be wasted when users sign up for alternative services and store data in new places. Starting today, you can use Cloudflare for Teams to detect and block unapproved SaaS applications with just two clicks.

Increasing Shadow IT usage

SaaS applications save time and budget for IT departments. Instead of paying for servers to host tools — and having staff ready to monitor, upgrade, and troubleshoot those tools — organizations can sign up for a SaaS equivalent with just a credit card and never worry about hosting or maintenance again.

That same convenience causes a data control problem. Those SaaS applications sit outside any environment that you control; the same reason they are easy for your team is also a potential liability now that your sensitive data is kept by third parties. Most organizations keep this in check through careful audits of the SaaS applications being used. Depending on industry and regulatory impact, IT departments evaluate, approve, and catalog the applications they use.

However, users can intentionally or accidentally bypass those approvals. For example, if your organization Continue reading

MUST Read: Operational Security Considerations for IPv6 Networks (RFC 9099)

After almost a decade of bickering and haggling (trust me, I got my scars to prove how the consensus building works), the authors of Operational Security Considerations for IPv6 Networks (many of them dear old friends I haven’t seen for way too long) finally managed to turn a brilliant document into an Informational RFC.

Regardless of whether you already implemented IPv6 in your network or believe it will never be production-ready (alongside other crazy stuff like vaccines) I’d consider this RFC a mandatory reading.

MUST Read: Operational Security Considerations for IPv6 Networks (RFC 9099)

After almost a decade of bickering and haggling (trust me, I got my scars to prove how the consensus building works), the authors of Operational Security Considerations for IPv6 Networks (many of them dear old friends I haven’t seen for way too long) finally managed to turn a brilliant document into an Informational RFC.

Regardless of whether you already implemented IPv6 in your network or believe it will never be production-ready (alongside other crazy stuff like vaccines) I’d consider this RFC a mandatory reading.

Infrastructure 2. Building Multi Server Cloud with Proxmox (Debian Linux) and Local Storage

Hello my friend,

In the previous blogpost we covered the installation of Proxmox as a core platform for building open source virtualisation environment. Today we’ll continue this discussion and will show how to create a multi server cloud in order to better spread the load and provide resiliency for your applications.



1
2
3
4
5
No part of this blogpost could be reproduced, stored in a 

retrieval system, or transmitted in any form or by any 

means, electronic, mechanical or photocopying, recording, 

or otherwise, for commercial purposes without the 

prior permission of the author.

How to Automate Infrastructure?

In many cases, Linux is a major driving power behind modern clouds. In fact, if you look across all current big clouds, such as Amazon Web Services, Google Cloud Platform, Microsoft Azure, you will see Linux everywhere: on servers and on network devices (e.g., data centre switches). Therefore, knowledge how to deal with Linux and how to automate it is crucial to be successful in automation current IT systems.

At our trainings, advanced network automation and automation with Nornir (2nd step after advanced network automation), we give you detailed knowledge of all the technologies relevant:

Controversial Reads 081421


However, in the last 5-10 years it has felt that technology is actually running the other way. We aren’t getting more productive with our technology — we’re getting less productive. Even as technology grows, it is not providing significant gains, and in fact is giving us problems.


Here’s a paper worth revisiting, “On the Dangers of Stochastic Parrots: Can Language Models Be Too Big?” (March 3, 2021), if only for the principal author’s trouble associated with publishing it.


Silicon Valley was created in the Second World War to help the U.S. Army win the war. The government funded companies such as Fairchild Semiconductor.


How many messaging services do you use? Slack, Discord, WhatsApp, Apple iMessage, Signal, Facebook Messenger, Microsoft Teams, Instagram, TikTok, Google Hangouts, Twitter Direct Messages, Skype?


There’s uncertainty among executives and managers who must ensure that individual and team productivity remains high, customer demands are met, and employees are engaged. How can they meet these requirements when their workers aren’t corralled in offices?


Why should you care about data brokers? Reporting this week about a Substack publication outing a priest with location data from Grindr shows once again how easy it is for anyone to take Continue reading

1 715 716 717 718 719 3,877