The IPv6 Buzz crew answers listener questions on today's episode, including use cases for Network Prefix Translation v6, challenges of asymmetric routing in IPv6, why Cisco supports LDPv6 on IOS-XR but not XE, and more.
The post IPv6 Buzz 059: More Listener Questions Asked And Answered appeared first on Packet Pushers.
Want to try open networking for free? Try NVIDIA® Cumulus VX – a free virtual appliance that provides all the features of NVIDIA Cumulus Linux. You can preview and test NVIDIA Cumulus Linux in your own environment, at your own pace, without organizational and economic barriers. You can also produce sandbox environments for prototype assessment, pre-production rollouts, and script development.
NVIDIA Cumulus VX runs on all popular hypervisors, such as VirtualBox and VMware vSphere, and orchestrators, such as Vagrant and GNS3.
Our website has the images needed to run NVIDIA Cumulus VX on your preferred hypervisor—download is simple. What’s more, we provide a detailed guide on how to install and set up NVIDIA Cumulus VX to create this simple two leaf, one spine topology:
With these three switches up and running, you are all set to try out NVIDIA Cumulus Linux features, such as traditional networking protocols (BGP and MLAG), and NVIDIA (formerly Cumulus Networks)-specific technologies, such as ONIE and Prescriptive Topology Manager (PTM). And, not to worry, the NVIDIA Cumulus Linux user guide is always close at hand to help you out, as well as the community Slack channel, where you can submit questions and engage with the wider Continue reading
When working from home or from a remote place, there is an added pressure of trying to figure out how you can network with other co-workers or professionals from the same field. This is why remote networking is a new phenomenon that is the talk of the town. Even when you are working remotely, you need to be able to network with other people so that you can think outside the box, make decisions, and make professional connections with others in your field.
Networking events can be a bit tricky. Knowing who to talk to and how to communicate in person and keep it interesting is hard but useful. Remote networking, on the other hand, is a whole different ballpark. This means that you are not physically present at the event but you still have to figure out a way to be in touch with most people and talk to them professionally. Here are a few ways and tips with which you can actually make remote networking easier.
By being a part of a networking group online, you can easily be in connection with people from different professions Continue reading
The following is a guest post from Josh Larson, Engineer at Vox Media.
Imagine you’re the maintainer of a high-traffic media website, and your DNS is already hosted on Cloudflare.
Page speed is critical. You need to get content to your audience as quickly as possible on every device. You also need to render ads in a speedy way to maintain a good user experience and make money to support your journalism.
One solution would be to render your site statically and cache it at the edge. This would help ensure you have top-notch delivery speed because you don’t need a server to return a response. However, your site has decades worth of content. If you wanted to make even a small change to the site design, you would need to regenerate every single page during your next deploy. This would take ages.
Another issue is that your site would be static — and future updates to content or new articles would not be available until you deploy again.
That’s not going to work.
Another solution would be to render each page dynamically on your server. This ensures you can return a dynamic response for new or updated articles.
What makes a great leader? Earlier this year, 473 Chapter Members participated in the 2020 Chapters Training Program. The Internet Society kicked off the program with a lot of hope and excitement. This was an opportunity to harness the power of us – our global community – to incubate innovative ideas and tomorrow’s Internet leaders.
The program aimed to develop new community leaders to work with their Chapters, create local awareness of the Internet Society’s mission-driven work, and become involved in Action Plan projects, including Encryption.
Each time we share information on the Internet, we assume that only our selected recipients – and no one else – will receive and read it. But how can we be sure? Ursula Wyss of the Switzerland Chapter says, this is “where end-to-end encryption comes in, since it ensures that only you and those people who are intentionally included in the conversation can read the messages that are being exchanged. This is done by scrambling the message in a way that it can only be read by those who have the right encryption key to unscramble it. For everyone else, the messages remain scrambled.”
The Encryption Chapters Training Program was developed Continue reading
This is a guest blog post by Matthias Luft, Principal Platform Security Engineer @ Salesforce, and a regular ipSpace.net guest speaker.
Having spent my career in various roles in IT security, Ivan and I always bounced thoughts on the overlap between networking and security (and, more recently, Cloud/Container) around. One of the hot challenges on that boundary that regularly comes up in network/security discussions is the topic of this blog post: microsegmentation and host-based firewalls (HBFs).
Time is critical for many of the systems that make the Internet and other operational networks “go,” but we often just assume the time is there and it’s right. In this episode of the Hedge, Karen O’Donoghue joins Alvaro and Russ to talk about some of the many attacks and failures that can be caused by an incorrect time, and current and ongoing work in securing network time in the IETF.
The community.mysql collection from Ansible Galaxy provides a mysql_query module to run arbitrary MySQL queries. Unfortunately, it does not support check mode nor the --diff flag. It is also unable to tell if there was a change. Let’s write a specific Ansible module to work around these issues.
Notice
I recommend that you read “Writing a custom Ansible module” as an introduction.
The module has the following signature and it executes the provided SQL statements in a single transaction. It needs a list of the affected tables to be able to detect and show the changes.
    mysql_sync:
      sql: |
        DELETE FROM rules WHERE name LIKE 'CMDB:%';
        INSERT INTO rules (name, rule) VALUES
          ('CMDB: check for cats', ':is(object, "CAT")'),
          ('CMDB: check for dogs', ':is(object, "DOG")');
        REPLACE INTO webhooks (name, url) VALUES
          ('OpsGenie', 'https://opsgenie/something/token'),
          ('Slack', 'https://slack/something/token');
      user: monitoring
      password: Yooghah5
      database: monitoring
      tables:
        - rules
        - webhooks
The module does not enforce idempotency, but it is expected you provide appropriate SQL queries. In the above example, idempotency is achieved because the content of the rules table is deleted and recreated from scratch while the rows in the webhooks table are Continue reading
The cisco.iosxr collection from Ansible Galaxy provides an iosxr_user module to manage local users, along with their SSH keys. However, the module is quite slow, does not display a diff for changed SSH keys, never signals a change when a key is modified, and does not delete obsolete keys. Let’s write a custom Ansible module managing only the SSH keys while fixing these issues.
Notice
I recommend that you read “Writing a custom Ansible module” as an introduction.
Adding SSH keys to users in Cisco IOS-XR is quite undocumented. First, you need to encode the key with the “ssh-rsa” key ASN.1 format, like an OpenSSH public key, but without the base64-encoding:
    $ awk '{print $2}' id_rsa.pub \
        | base64 -d \
        > publickey_vincent.raw
Then, you upload the key with SCP to harddisk:/publickey_vincent.raw and import it for the current user with the following IOS command:
    crypto key import authentication rsa harddisk:/publickey_vincent.raw
However, if you want to import a key for another user, you need to be part of the root-system group:
    username vincent
     group root-lr
     group root-system
With the following admin command, you Continue reading
Ansible ships a lot of modules you can combine for your configuration management needs. However, the quality of these modules may vary widely. Sometimes, it may be quicker and more robust to write your own module instead of shopping and assembling existing ones.
In my opinion, a robust module exhibits the following characteristics:
In a nutshell, it means the module can run with --diff --check and shows the changes it would apply. When run twice in a row, the second run won’t apply or signal changes. The last bullet point suggests the module should be able to delete outdated objects configured during previous runs.
The module code should be minimal and tailored to your needs. Making the module generic for use by other users is a non-goal. Less code usually means fewer bugs and code that is easier to understand.
I do not cover testing here. It is undeniably a good practice, but it requires a significant effort. In my opinion, it is preferable to have a well written module matching the above characteristics rather than a module that is well tested but without them or a module requiring Continue reading
I’ve written a bit here and there about Cluster API (aka CAPI), mostly focusing on the Cluster API Provider for AWS (CAPA). If you’re not yet familiar with CAPI, have a look at my CAPI introduction or check the Introduction section of the CAPI site. Because CAPI interacts directly with infrastructure providers, it typically has to have some way of authenticating to those infrastructure providers. The AWS provider for Cluster API is no exception. In this post, I’ll show how to update the AWS credentials used by CAPA.
Why might you need to update the credentials being used by CAPA? Security professionals recommend that users rotate credentials on a regular basis, and when those credentials get rotated you’ll need to update what CAPA is using. There are other reasons, too; perhaps you started with one set of credentials but now want to move to a different set of credentials. Fortunately, the process for updating the CAPA credentials isn’t too terribly tedious.
CAPA stores the credentials it uses as a Secret in the “capa-system” namespace. You can use kubectl -n capa-system get secrets and you’ll see the “capa-manager-bootstrap-credentials” Secret. The credentials themselves are stored as a key named credentials; you Continue reading
It’s that time of year again — VMworld! And while this year, due to COVID-19, we’re pivoting to a virtual format, we’ll still be delivering a top-notch event with great sessions on cutting edge innovations. And the best part is, it’s FREE!
One of the hottest topics these days is service mesh, which is an abstraction that takes care of service to service communication, security, and observability. At VMware, we’re the “abstraction company” — but we’re not just working on the immediate use cases that the rest of the pack are working on, we’re ahead of the game, extracting a lot more value from our unique position vis a vis abstraction.
I’ve compiled a list of our service mesh sessions below so you can easily register for them:
This opinion piece was originally published in Dark Reading.
School systems don’t seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.
Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make fall run more smoothly. But one item is critical to consider during this back to school season: Cybersecurity.
Before examining cybersecurity needs in school systems, it’s important to understand what’s at stake. On the surface, school systems don’t appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents’ financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.
In recent years, schools have also seen Continue reading
As we continue to expand all the insightful content that our attendees can expect from AnsibleFest 2020, we are excited to share with you our Automation Architect channel. Here is a sneak peek of exactly what to expect from the Automation Architect channel at AnsibleFest 2020.
Automation Architect Channel
Automation has become a key discipline in large IT organizations, but introducing automation to new areas is likely going to invoke technical and non-technical challenges. As organizations focus on building end-to-end automation solutions and increasing the automation footprint, Automation Architects will play a pivotal role as the interface with both technologists and business owners.
In this track, you will learn more about Ansible best practices for building your organization’s automation architecture, how to best collaborate with the business it serves and how it can help in broader corporate initiatives, such as your cloud journey. Whether you are an Enterprise or Automation Architect today or are interested in developing the skills for this career path, you will learn the best practices to successfully implement an automation initiative at scale.
Understand how you can use and share automation assets and how customers automate across hybrid, scalable infrastructures. Learn about integrating Continue reading
Today's Day Two Cloud podcast makes the case for bringing Ansible into your Windows automation toolkit with guest Josh Duffney. Josh is an SRE, a Microsoft MVP, and author of a book on Ansible. We discuss key elements of Ansible, how it fits in a Windows shop, using Ansible with the Chocolatey package manager, and more.
The post Day Two Cloud 064: Bringing Ansible Into A Windows Shop appeared first on Packet Pushers.
Many network engineers complain about their companies not giving them opportunities—but how many think about helping the company grow in a way that allows them to have the opportunities they desire? Scott Morris, aka “evil ccie,” joins Tom and Russ on this episode of the Hedge to talk about the challenges of certifications, growing people, and people learning how to grow in a way that improves the business. Sometimes growing means creating opportunities rather than just waiting for them to knock.
We are excited to announce the new Internet Society Comoros Chapter! ISOC Comoros officially launched in July in front of an in-person and online audience at the Retaj Hotel.
Journalists joined several distinguished guests, including:
Since the country’s very first connection to the Internet in July 1998, the Internet industry has continued to evolve, along with telecommunications. The country is beginning to benefit from the rise in competition in the ICT sector, and as such the establishment of ISOC Comoros brings an added dimension to the development, promotion, and use of the Internet for the greater good of the entire country.
The Internet is for everyone and Continue reading
For about a decade, Intel has sold GPUs, in recent years with its integrated CPU-GPU devices used in client and entry servers. …
Intel Puts Its Xe GPU Stakes In The Ground was written by Jeffrey Burt at The Next Platform.