Lab: Dual-Stack IS-IS Routing

Contrary to the OSPF world, where we have to use two completely different routing protocols to route IPv4 and IPv6 (unless you believe in the IPv4 address family in OSPFv3), IS-IS provided multi-protocol support from the very early days of its embracement by IETF. Adding IPv6 support was only a matter of a few extra TLVs, but even there, IETF gave us two incompatible ways of making IPv6 work with IS-IS.

Want to know more? You’ll find the details in the Dual-Stack (IPv4+IPv6) IS-IS Routing lab exercise.

OpenVPN or WireGuard? A Detailed Performance Breakdown

OpenVPN has been a dominant player in the VPN space since its release in 2001. With a 23-year history, OpenVPN has proven to be a reliable and secure protocol. However, it has some downsides, particularly regarding performance and ease of use. OpenVPN creates a secure tunnel between two endpoints using SSL/TLS for encryption. While robust, the protocol is complex and requires considerable resources to run efficiently. Setting up and managing OpenVPN can be cumbersome, especially for DevOps teams juggling multiple environments and configurations. It wouldn’t be the first time an OpenVPN server stopped working because the TLS certificates expired. WireGuard, on the other hand, is the new kid on the block, having been introduced in recent years. What sets WireGuard apart from OpenVPN is its simplicity and efficiency. While OpenVPN relies on older, more complex cryptographic algorithms, WireGuard uses modern encryption that is both faster and more secure. Unlike OpenVPN, WireGuard is integrated directly into the Linux kernel, meaning it operates at a lower level and with less overhead. This results in faster connection times and lower resource usage. One of the significant benefits of WireGuard is its minimal codebase — about 10% the size of OpenVPN’s — which reduces Continue reading

IPv6 Support for Multiple Routers and Multiple Interfaces

Fernando Gont published an Individual Internet Draft (meaning it hasn’t been adopted by any IETF WG yet) describing the Problem Statement about IPv6 Support for Multiple Routers and Multiple Interfaces. It’s so nice to see someone finally acknowledging the full scope of the problem and describing it succinctly. However, I cannot help but point out that:

Anyway, Fernando wraps up his draft with:

Read more …

Post-Quantum Cryptography

If we ever get to the point of being able to build capable quantum computers when much of the security infrastructure of today's digital world is at risk. For some its not "if" but "when" and if that's the case then its already time to prepare.

Technology Short Take 184

Welcome to Technology Short Take #184! This Tech Short Take is a bit shorter than the usual ones, but then again this week—at least in the US—is a bit shorter than most weeks due to the Thanksgiving holiday. Even so, I hope that I’ve managed to include some information that folks find useful. Also, thanks to some feedback from readers, I’ve tried hard to ensure that links are more descriptive and informative than they’ve sometimes been in the past; let me know how I did. Now, on to the content!

Networking

Security

Cloud Computing/Cloud Management

HPE Upgrades Supercomputer Lineup Top To Bottom In 2025

If you want to buy an exascale-class supercomputer, or a portion of one so you can scale up, there are not a lot of places to go shopping because there are not a lot of companies who have a balance sheet that is big enough to get all of the parts to build the machines.

HPE Upgrades Supercomputer Lineup Top To Bottom In 2025 was written by Timothy Prickett Morgan at The Next Platform.

Cloudflare incident on November 14, 2024, resulting in lost logs

On November 14, 2024, Cloudflare experienced an incident which impacted the majority of customers using Cloudflare Logs. During the roughly 3.5 hours that these services were impacted, about 55% of the logs we normally send to customers were not sent and were lost. We’re very sorry this happened, and we are working to ensure that a similar issue doesn't happen again.

This blog post explains what happened and what we’re doing to prevent recurrences. Also, the systems involved and the particular class of failure we experienced will hopefully be of interest to engineering teams beyond those specifically using these products.

Failures within systems at scale are inevitable, and it’s essential that subsystems protect themselves from failures in other parts of the larger system to prevent cascades. In this case, a misconfiguration in one part of the system caused a cascading overload in another part of the system, which was itself misconfigured. Had it been properly configured, it could have prevented the loss of logs.

Background

Cloudflare’s network is a globally distributed system enabling and supporting a wide variety of services. Every part of this system generates event logs which contain detailed metadata about what’s happening with our systems around Continue reading

Intel Xeon 6 With P-Cores Makes the Case For The Host CPU

PARTNER CONTENT  Since OpenAI first released ChatGPT into the world two years ago, generative AI has been a playground mostly for GPUs and primarily those from Nvidia, even though graphics chips from others and AI-focused silicon have tried to make their way in.

Intel Xeon 6 With P-Cores Makes the Case For The Host CPU was written by Timothy Prickett Morgan at The Next Platform.

Palo Alto Auto-Tagging to Automate Security Actions

Palo Alto Auto-Tagging to Automate Security Actions

Auto-tagging allows the firewall to tag a policy object when it receives a log that matches specific criteria, creating an IP-to-tag or user-to-tag mapping. For example, when the firewall generates a traffic or threat log, you can configure it to tag the source IP address or User associated with that log using a specific tag name. These tags can then be used to automatically populate policy objects like Dynamic User Groups or Dynamic Address Groups, which in turn can automate security actions within security policies.

For example, let's say I have a policy that denies traffic from the Internet to the firewall's public IP or subnet whenever someone attempts to access random ports. This policy blocks the traffic and generates a traffic log. Now, if someone tries to target our public IP on port 22 (SSH), we might want to add them to a blacklist, which is a Dynamic Address Group. We can then create another policy that references this Dynamic Address Group to block any further traffic from this IP address.

A Realistic Use Case

A realistic use case is when you want to block a source IP after multiple failed authentication attempts to GlobalProtect. Typically, you can use Continue reading

Topology aware flow analytics with NVIDIA NetQ

NVIDIA Cumulus Linux 5.11 for AI / ML describes how NVIDIA 400/800G Spectrum-X switches combined with the latest Cumulus Linux release deliver enhanced real-time telemetry that is particularly relevant to the AI / machine learning workloads that Spectrum-X switches are designed to handle.

This article shows how to extract Topology from an NVIDIA fabric in order to perform advanced fabric aware analytics, for example: detect flow collisions, trace flow paths, and de-duplicate traffic.

In this example, we will use NVIDIA NetQ, a highly scalable, modern network operations toolset that provides visibility, troubleshooting, and validation of your Cumulus and SONiC fabrics in real time.

netq show lldp json
For example, the NetQ Link Layer Discovery Protocol (LLDP) service simplifies the task of gathering neighbor data from switches in the network, and with the json option, makes the output easy to process with a Python script, for example, lldp-rt.py.

The simplest way to try sFlow-RT is to use the pre-built sflow/topology Docker image that packages sFlow-RT with additional applications that are useful for monitoring network topologies.

docker run -p 6343:6343/udp -p 8008:8008 sflow/topology
Configure Cumulus Linux to steam sFlow telemetry to sFlow-RT on UDP port 6343 (the default for Continue reading

Deciphering the Open Systems Interconnection Model

Unless you’ve studied for a network cert, the Open Systems Interconnection (OSI) model is probably somewhat of a mystery to you. Maybe you heard of it from a coworker, or maybe you saw it in a marketing campaign for something on AWS. Maybe you thought “Layer 3” was just some new buzzword. Such shorthand references to the OSI model, however, can be useful if you can decode them, as they can help you understand where in your network stack a tool could fit or where to look for a problem during an incident call. Before we get too far, let me address a point of contention. Many people will say the theoretical OSI model is outdated. The model is theoretical, true, and the real world is certainly more complex than it may lead you to believe. Its layers don’t neatly map to specific devices, and other models exist that more accurately reflect the real world, such as the Transmission Control Protocol/Internet Protocol (TCP/IP) model. Image 1 It’s useful to think of the OSI model as an abstraction that allows us to reason about the separation of concerns on a network. We use it to think through troubleshooting steps should Continue reading

1 81 82 83 84 85 3,832