We discuss the challenges and opportunities of IPv6 with Geoff Huston, APNIC's chief scientist and network analyst nonpareil. Topics include how dual-stack and Happy Eyeballs have papered over v6 deficiencies, why the address space may not be as vast as advertised, and why v6 is still the future.
The post IPv6 Buzz 055: The Good, Bad, And Ugly Of IPv6 With Geoff Huston appeared first on Packet Pushers.
Just about six years ago to the day Docker hit the first milestone for Docker Compose, a simple way to lay out your containers and their connections. A talks to B, B talks to C, and C is a database. Fast forward six years and the container ecosystem has become complex. New managed container services have arrived bringing their own runtime environments, CLIs, and configuration languages. This complexity serves the needs of the operations teams who require fine-grained control, but carries a high price for developers.
One thing that has remained constant over this time is that developers love the simplicity of Docker and Compose. This led us to ask, why do developers now have to choose between simple and powerful? Today, I am excited to finally be able to talk about the result of what we have been working on for over a year to provide developers power and simplicity from desktop to the cloud using Compose. Docker is expanding our strategic partnership with Amazon and integrating the Docker experience you already know and love with Amazon Elastic Container Service (ECS) with AWS Fargate. Deploying straight from Docker to AWS has never been easier.
Today this functionality is Continue reading
Hello my friend,
In this HS blog series we have covered so far the automated build of the network topology for hyper scale data centre using Microsoft Azure SONiC. Today Nokia has announced a new product for data centre, which is called SRLinux. In the next couple of articles we’ll review it from the architectural and automation standpoint.
No part of this blogpost could be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical or photocopying, recording, or otherwise, for commercial purposes without the prior permission of the author.
We want to thank the Nokia team for providing us the details and assisting in creating these materials. It wouldn’t be possible without your help, dear partners.
Following your asks we open a new format for the network automation training – self-paced format:
Because you decide on your own when, how often and Continue reading
The COVID-19 pandemic has proven how important a strong Internet infrastructure is.
Internet exchange points are a vital part of that. They are key to bringing better, faster, and more affordable Internet to people.
Recently, the Asia Pacific Internet Exchange Association (APIX) and the Internet Society did a comprehensive survey to understand the impact of COVID-19 on IXP operations in the region.
IXPs from Japan, Hong Kong, Taiwan, Thailand, Myanmar, Philippines, Singapore, Vietnam, Indonesia, Malaysia, Nepal, and Australia provided data. Here are some of the key findings.
What is an Internet Exchange Point?
If you want to see your neighbor, taking a route that sends you across town and back again is not the quickest or most efficient way to get there. And yet, in many parts of the world, that is what happens with Internet traffic. IXPs help create shorter, more direct routes for Internet traffic.
Changes in Internet Traffic
There was a significant increase in Internet exchange traffic, between 7-40%. Traffic patterns during the pandemic show that there is either no difference left between peak and off-peak time or the peak time has increased from a few to more hours.
The increase is highest Continue reading
Add to your documentation style guide.
The post draft-knodel-terminology-03 – Terminology, Power, and Inclusive Language in Internet-Drafts and RFCs appeared first on EtherealMind.
On June 21, Cloudflare automatically mitigated a highly volumetric DDoS attack that peaked at 754 million packets per second. The attack was part of an organized four day campaign starting on June 18 and ending on June 21: attack traffic was sent from over 316,000 IP addresses towards a single Cloudflare IP address that was mostly used for websites on our Free plan. No downtime or service degradation was reported during the attack, and no charges accrued to customers due to our unmetered mitigation guarantee.
The attack was detected and handled automatically by Gatebot, our global DDoS detection and mitigation system, without any manual intervention by our teams. Notably, because our automated systems were able to mitigate the attack without issue, no alerts or pages were sent to our on-call teams and no humans were involved at all.
During those four days, the attack utilized a combination of three attack vectors over the TCP protocol: SYN floods, ACK floods and SYN-ACK floods. The attack campaign sustained for multiple hours at rates exceeding 400-600 million packets per second Continue reading
IBM Security QRadar is a Security Information and Event Management (SIEM) solution, which can help security teams to accurately detect and prioritize threats across the organization, providing intelligent insights that enable organizations to respond quickly to reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints, users and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation.
Ansible is the open and powerful language security teams can use to interoperate across the various security technologies involved in their day-to-day activities.
Customers can take advantage of the IBM QRadar Content Collection to create sophisticated security workflows through the automation of the following functionalities:
Ansible allows security organizations to integrate QRadar into automated security processes, enabling them to automate QRadar configuration deployments in recurring situations like automated test environments, but also in large scale deployments where similar tasks have to be rolled out and managed across multiple nodes.
Security practitioners can automate investigation activities enabling QRadar to programmatically access new data sources. Also, they now have Continue reading
As of the time that I published this blog post in early July 2020, Docker Desktop for macOS was at version 2.2.0.4 (for the “stable” channel). That version includes a relatively recent version of the Docker engine (19.03.8, compared to 19.03.12 on my Fedora 31 box), but a quite outdated version of Kubernetes (1.15.5, which isn’t supported by upstream). Now, this may not be a problem for users who only use Kubernetes via Docker Desktop. For me, however, the old version of Kubernetes (specifically the old version of kubectl) causes problems. Here’s how I worked around the old version that Docker Desktop supplies.
First, you’ll note that Docker Desktop automatically symlinks its version of kubectl into your system path at /usr/local/bin. You can verify the version of Docker Desktop’s kubectl by running this command:
/usr/local/bin/kubectl version --client=true
On my macOS 10.14.6-based system, this returned a version of 1.15.5. According to GitHub, v1.15.5 was released in October of 2019. Per the Kubernetes version skew policy, this version of kubectl would work with 1.14, 1.15, and 1.16. What if I need to Continue reading
Can you really trust what a routing protocol tells you about how to reach a given destination? Ivan Pepelnjak joins Nick Russo and Russ White to provide a longer version of the tempting one-word answer: no! Join us as we discuss a wide range of issues including third-party next-hops, BGP communities, and the RPKI.
Following the previous article where we saw how to build multi arch images using GitHub Actions, we will now show how to do the same thing using another CI. In this article, we’ll consider Travis, which is one of the most tricky ones to use for this use case.
To start building your image with Travis, you will first need to create a .travis.yml file at the root of your repository.
language: bash
dist: bionic
services:
- docker
script:
- docker version
You may notice that we specified using “bionic” to have the latest version of Ubuntu available – Ubuntu 18.04 (Bionic Beaver). As of today (May 2020), if you run this script, you’ll be able to see that the Docker Engine version it provides is 18.06.0-ce which is too old to be able to use buildx. So we’ll have to install Docker manually.
language: bash
dist: bionic
before_install:
- sudo rm -rf /var/lib/apt/lists/*
- curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
- sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) edge"
- sudo apt-get update
- sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
script:
Continue reading
Streaming telemetry is all the rage, but today's show dives into an architecture that forgoes streaming telemetry in favor of other options. We talk about why our guests went in a different direction, the problems they're trying to solve, and how it's working out. Our guests are Kevin Landreth, Director, Service Reliability; and Carl Montanari, Network Reliability Engineer, both at Packet Fabric.
The post Day Two Cloud 056: (Not) Streaming Telemetry appeared first on Packet Pushers.
In today’s episode we sit down with Network to Code’s founder, Jason Edelman, to discuss his personal networking journey, how Network to Code came to be, and how he views the networking industry through the lens of network automation and orchestration.
Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/
The post NTC – A Chat With Jason Edelman appeared first on Network Collective.
Lock it down: Several Internet Society chapters across the globe have written about the importance of encryption in recent weeks. The Namibia Chapter wrote about the way encryption can improve privacy and fight against the big business of criminal hacking. “Cybercrime is a global business, often run by multinational outfits,” the Chapter wrote. The Hong Kong Chapter, meanwhile, wrote that “encryption matters to all of us.” Internet users need to work together to protect encryption, the Chapter added. “No party can stand alone to persuade governments to stop creating laws or policies that harm encryption and digital security.”
Freedom for all: The Hong Kong Chapter also called for Internet freedoms to continue in the region as the Chinese government pushes for new security laws there. “We are convinced that the freedoms of speech, press and publication guaranteed by the Basic Law are also applicable to the media industry on the Internet,” the chapter wrote. “Internet users have the freedom and right to obtain, share information and express their expressions, and are protected from being censored, blocked or criminalized.”
Expanding the community: The Nepal Chapter recently wrote about community networks in the country, by highlighting the Rural Continue reading
Modern Linux operating systems provide many tools to run code more securely. There are namespaces (the basic building blocks for containers), Linux Security Modules, Integrity Measurement Architecture etc.
In this post we will review Linux seccomp and learn how to sandbox any (even a proprietary) application without writing a single line of code.
System calls (syscalls) are a well-defined interface between userspace applications and the operating system (OS) kernel. On modern operating systems most applications provide only application-specific logic as code. Applications do not, and most of the time cannot, directly access low-level hardware or networking when they need to store data or send something over the wire. Instead they use system calls to ask the OS kernel to do specific hardware and networking tasks on their behalf:
Apart from providing a generic high level way for applications to interact with the low level hardware, the system call architecture allows the OS kernel to manage available resources between applications as well as enforce policies, like application permissions, networking access control lists etc.
Linux seccomp is yet another syscall on Linux, but it is a bit Continue reading