NetworkingNexus.net

The Case for Self-Healing Networks

Digital transformation has changed the way applications are deployed and consumed. The end-user to application journey has become increasingly complex and is a key objective for the Modern Network. End-users are more distributed, and applications run on heterogenous infrastructure often delivered from on-prem data centers, IaaS, SaaS, and public cloud locations. On average, enterprises use hundreds of applications. The number of end-user and IoT devices have also increased exponentially. They include infusion pumps in hospitals to Point of Sale systems in retail. These devices access applications from manufacturing floor, carpeted offices, homes or while users are on the move. As more devices and applications are enabled, the network increases in both complexity and value to the enterprise.

What has become increasingly clear is the need for advanced self-healing solutions that compensate for this complexity by helping IT teams shift to a proactive mode of operating a network. Several tools exist that provide domain or service-specific insights, but it is left to the IT teams to make sense of the volumes of data generated by these fragmented solutions to detect issues and perform root cause analysis. The dynamic nature of the network, device density, and the volume of data and Continue reading

Fault Tolerant Network Design for Application High Availability

Enterprises are growing increasingly dependent on modern distributed applications to innovate and respond quickly to new market challenges. As applications grow in significance, the end-user experience of the application has become a key differentiator for most businesses. Understanding what kind of application performance the end-users experience, optimizing the infrastructure, and quickly identifying the source of any issues has become extremely critical.

The Modern Network framework puts the end-user experience at the forefront. It helps our customers provide the public cloud experience on-premise with an on-demand network that enforces secure connectivity and service objectives across on-premise and cloud environments. As applications become more distributed, the increased application resiliency and efficiency often comes at the cost of increased contention for shared resources. The dynamic nature of the network, device density, and the volume of data and transactions generated makes this even more challenging. Managing network complexity and simplifying network operations in such environments requires a well architected network with support for modern cloud concepts such as availability zones that provide fault tolerance. Similarly, effective network-level fault isolation requires the ability to create self-contained fault domains that facilitate network resiliency, disaster recovery and avoidance, and end-to-end root cause(s) analysis throughout the Continue reading

Achieving 100Gbps intrusion prevention on a single server

Achieving 100 Gbps intrusion prevention on a single server, Zhao et al., OSDI’20

Papers-we-love is hosting a mini-event this Wednesday (18th) where I’ll be leading a panel discussion including one of the authors of today’s paper choice: Justine Sherry. Please do join us if you can.

We always want more! This stems from a combination of Jevon’s paradox and the interconnectedness of systems – doing more in one area often leads to a need for more elsewhere too. At the end of the day, there are three basic ways we can increase capacity:

Increasing the number of units in a system (subject to Amdahl’s law).
Improving the efficiency with which we can coordinate work across a collection of units (see the Universal Scalability Law)
Increasing the amount of work we can do on a single unit

Options 1 and 2 are of course the ‘scale out’ options, whereas option 3 is ‘scale up’. With more nodes and more coordination comes more complexity, both in design and operation. So while scale out has seen the majority of attention in the cloud era, it’s good to remind ourselves periodically just what we really can do on a single Continue reading

Networking and Infrastructure News Roundup: November 13 Edition

Five trial deployments by the Wireless Broadband Alliance confirm the benefits of Wi-Fi 6, new infrastructure and security offerings address long-term work-from-home needs.

Zero-Touch Provisioning for Juniper

Juniper’s official documentation on ZTP explains how to configure the ISC DHCP Server to automatically upgrade and configure on first boot a Juniper device. However, the proposed configuration could be a bit more elegant. This note explains how.

TL;DR

Do not redefine option 43. Instead, specify the vendor option space to use to encode parameters with vendor-option-space.

When booting for the first time, a Juniper device requests its IP address through a DHCP discover message, then request additional parameters for autoconfiguration through a DHCP request message:

Dynamic Host Configuration Protocol (Request)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x44e3a7c9
    Seconds elapsed: 0
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: 02:00:00:00:00:01 (02:00:00:00:00:01)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (54) DHCP Server Identifier (10.0.2.2)
    Option: (55) Parameter Request List
        Length: 14
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (51) IP  Continue reading

Self-promotion Disguised as Research Paper

From AI is wrestling with a replication crisis (HT: Drew Conry-Murray)

Last month Nature published a damning response written by 31 scientists to a study from Google Health that had appeared in the journal earlier this year. Google was describing successful trials of an AI that looked for signs of breast cancer in medical images. But according to its critics, the Google team provided so little information about its code and how it was tested that the study amounted to nothing more than a promotion of proprietary tech (emphasis mine).

No surprise there, we’ve seen it before (not to mention the “look how awesome we are, but we can’t tell you the details” Jupiter Rising article).

Self-promotion Disguised as Research Paper

From AI is wrestling with a replication crisis (HT: Drew Conry-Murray)

Last month Nature published a damning response written by 31 scientists to a study from Google Health that had appeared in the journal earlier this year. Google was describing successful trials of an AI that looked for signs of breast cancer in medical images. But according to its critics, the Google team provided so little information about its code and how it was tested that the study amounted to nothing more than a promotion of proprietary tech (emphasis mine).

No surprise there, we’ve seen it before (not to mention the “look how awesome we are, but we can’t tell you the details” Jupiter Rising article).

sFlow Monitoring for AI

A Proposal towards sFlow Monitoring Dashboards for AI-controlled NRENs is a recent talk by Mariam Kiran (Esnet) presented at the recent GÉANT Telemetry and Big Data Workshop.

In the talk, Miram describes the set open source tools (Netdata, Prometheus, Zabbix, Ntopng, and PerfSONAR) that they attempted to synthesize a complete picture of the network.

A number of tools were combined since each tool provides a different subset of the measurements needed to drive the AI controller.

Integrating the data from the different sources was a challenge, but they were able to pull the data together into a single Grafana dashboard. Unfortunately, there was a lot of noise in legacy measurement schemes, making the data set unsuitable for training the AI controller.

The team decided to go toward sFlow, replacing the legacy monitoring tools with sFlow enabled devices, in order to generate the very clean data needed for machine learning.

For background, the talk, Real-time network telemetry for automation, describes why sFlow is uniquely suited to automation, providing the comprehensive, real-time, system-wide, visibility needed to make networked systems observable.

Xilinx partnerships with Samsung, Kameleon yield products

Xilinx may be in the middle of an acquisition by AMD, but the partnerships and deals continue.Most recently, Samsung and Xilinx have partnered to deliver the SmartSSD CSD flash drive, a compute-on-storage SSD device that uses a Xilinx FPGA to offload the processing work. READ MORE: Folding@home supercomputer targets COVID-19 cureTo read this article in full, please click here

Xilinx partnerships with Samsung, Kameleon yield products

SAD DNS Explained

This week, at the ACM CCS 2020 conference, researchers from UC Riverside and Tsinghua University announced a new attack against the Domain Name System (DNS) called SAD DNS (Side channel AttackeD DNS). This attack leverages recent features of the networking stack in modern operating systems (like Linux) to allow attackers to revive a classic attack category: DNS cache poisoning. As part of a coordinated disclosure effort earlier this year, the researchers contacted Cloudflare and other major DNS providers and we are happy to announce that 1.1.1.1 Public Resolver is no longer vulnerable to this attack.

In this post, we’ll explain what the vulnerability was, how it relates to previous attacks of this sort, what mitigation measures we have taken to protect our users, and future directions the industry should consider to prevent this class of attacks from being a problem in the future.

DNS Basics

The Domain Name System (DNS) is what allows users of the Internet to get around without memorizing long sequences of numbers. What’s often called the “phonebook of the Internet” is more like a helpful system of translators that take natural language domain names (like blog.cloudflare.com or gov.uk) and Continue reading

Heavy Networking 550: Automation Readiness Isn’t About Your Routers (Sponsored)

Today's Heavy Networking podcast examines cross-domain automation. Our sponsor is Cisco and our guest is Omar Sultan, Leader, Product Management for Cisco's Network Services Orchestrator (NSO) product. While the discussion starts with NSO, the conversation also covers dealing with automation complexity, the need for tool choice, and the critical roles that organizational structure and teams play in a successful automation/orchestration effort.

Heavy Networking 550: Automation Readiness Isn’t About Your Routers (Sponsored)

The post Heavy Networking 550: Automation Readiness Isn’t About Your Routers (Sponsored) appeared first on Packet Pushers.

Weekend Reads 111320

With so many organizations’ employees working remotely due to the pandemic, what security teams can do to help secure their home routers/firewalls is getting renewed attention.

PUE, thanks to its simplicity and universal applicability, has become the critical benchmark for scoring data centers for efficiency and “greenness” (environmental responsibility). But it is often used uncritically.

Google’s Project Zero says that hackers have been actively exploiting a Windows zero-day that isn’t likely to be patched until almost two weeks from now.

Every few years; some self-proclaimed academic imparts an article on the future of work, with conflicting information from various experts leaving many uncertain about its impact on jobs, skills, and wages.

The video downloading utility youtube-dl, like other large open source projects, accepts contributions from all around the globe. It is used practically wherever there’s an Internet connection.

Called NAT Slipstreaming, the method involves sending the target a link to a malicious site (or a legitimate site loaded with malicious ads) that, when visited, ultimately triggers the gateway to open any TCP/UDP port on the victim, thereby circumventing browser-based port restrictions.

Using this technique means that the manager is not a “boss” but a partner, someone who provides guidelines, but Continue reading

Looking For a Mentor? Don’t Forget This Important Step!

With the insanity of the pandemic and the knowledge drain that we’re seeing across IT in general, there’s never been a more important time than right now to help out those that are getting started on this rise. The calls for mentors across the community is heartwarming. I’ve been excited personally to see many recognizable names and faces in the Security, Networking, and Wireless communities reaching out to let people know they are available to mentor others or connect them with potential mentors. It’s a way to give back and provide servant leadership to those that need it.

If you’re someone that’s reading this blog right now and looking for a mentor you’re in luck. There are dozens of people out there that are willing to help you out. The kindness of the community is without bounds and there are those that know what it was like to wander through the wilderness for a while before getting on the right track. They are the ones that will be of the most help to you. However, before you slide into someone’s DMs looking for help, you need to keep a few things in mind.

Make Me One With Everything

The single Continue reading

Linkerd Adds Default mTLS to Kubernetes to Enable Zero Trust

Linkerd, the open source service mesh, has been updated with a number of new features, including support for the ARM architecture, a new multicore proxy runtime, and the automatic enabling of mutual TLS (mTLS) security for all TCP connections. Buoyant, the company behind AWS Graviton, and support for Kubernetes’s new service topology feature will again increase operating efficiency with the ability to decide routing preferences. A complete rundown of Linkerd improvements, performance enhancements, and bug fixes can be found in the Ralf Skirr on

NTC – A Conversation With Daren Fulwell

In this podcast, we sit down with Daren Fulwell. Daren is a long-time network engineer, CCIE and CCDE, and is now a network automation evangelist. Tune in to hear about not only Daren’s journey, but a great discussion dissecting the intersection of SDN, intent-based networking, and how we need more focus on understanding operational processes and workflows to really make a dent within a network automation journey.

Reference Links:

Daren Fulwell

Guest

Jason Edelman

Host

Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

The post NTC – A Conversation With Daren Fulwell appeared first on Network Collective.

Taking Your App Live with Docker and the Uffizzi App Platform

Tune in December 10th 1pm EST for our
Live DockTalk: Simplify Hosting Your App in the Cloud with Uffizzi and Docker

We’re excited to be working with Uffizzi on this joint blog. Docker and Uffizzi have very similar missions that naturally complement one another. Docker helps you bring your ideas to life by reducing the complexity of application development and Uffizzi helps you bring your ideas to life by reducing the complexity of cloud application hosting.

This blog is a step-by-step guide to setting up automated builds from your Github repo via Docker Hub and enabling Continuous Deployment to your Uffizzi app hosting environment.

Prerequisites
To complete this tutorial, you will need the following:

Free Docker Account
- You can sign-up for a free Docker account and receive free unlimited public repositories
An IDE or text editor to use for editing files. I would recommend VSCode
Free Uffizzi App Platform Account
Free Github Account

Docker Overview

Docker is an open platform for developing, shipping, and running applications. Docker containers separate your applications from your infrastructure so you can deliver software quickly.

With Docker, you can manage your infrastructure in the same ways you manage your applications. By Continue reading

Automated Origin CA for Kubernetes

In 2016, we launched the Cloudflare Origin CA, a certificate authority optimized for making it easy to secure the connection between Cloudflare and an origin server. Running our own CA has allowed us to support fast issuance and renewal, simple and effective revocation, and wildcard certificates for our users.

Out of the box, managing TLS certificates and keys within Kubernetes can be challenging and error prone. The secret resources have to be constructed correctly, as components expect secrets with specific fields. Some forms of domain verification require manually rotating secrets to pass. Once you're successful, don't forget to renew before the certificate expires!

cert-manager is a project to fill this operational gap, providing Kubernetes resources that manage the lifecycle of a certificate. Today we're releasing origin-ca-issuer, an extension to cert-manager integrating with Cloudflare Origin CA to easily create and renew certificates for your account's domains.

Origin CA Integration

Creating an Issuer

After installing cert-manager and origin-ca-issuer, you can create an OriginIssuer resource. This resource creates a binding between cert-manager and the Cloudflare API for an account. Different issuers may be connected to different Cloudflare accounts in the same Kubernetes cluster.

apiVersion: cert-manager.k8s.cloudflare.com/v1
kind: OriginIssuer
metadata:
   Continue reading

How to sort ps output

The ps command is key to understanding what's running on your Linux system and the resources that each process is using. It's useful to know how to display the information that ps provides in whatever way helps you focus on the problem you're trying to resolve. One aspect of this is being able to sort the output of the ps aux command by any column to highlight particular information, such as how much memory processes are using or how long they've been running.The trick involves using the ps command's --sort option and knowing how to specify the column that you want to use for the sort. By default, ps sorts by process IDs (PIDs), showing the smallest first. PID 1 will appear at the top of the list, right under the column headings. The rest will follow in numeric order.To read this article in full, please click here

« Previous 1 … 798 799 800 801 802 … 3,788 Next »