NetworkingNexus.net

Project Jengo for Sable — final winners!

With Cloudflare’s victory against patent trolls Sable IP and Sable Networks in the books, it’s time to close out the case’s Project Jengo competition.

In our last update, we talked about the conclusion of Sable’s 3+ year campaign to extort a payment from Cloudflare based on meritless patent infringement claims. After Cloudflare’s victory at trial in February 2024, Sable finally — and fully — capitulated, agreeing to: (1) pay Cloudflare $225,000, (2) grant Cloudflare a royalty-free license to Sable’s entire patent portfolio, and (3) dedicate all of Sable’s patents to the public.

With the fight against Sable ended, we announced the Conclusion of the Case under the Project Jengo Sable Rules. Now that the Grace Period has passed, we are pleased to announce the final winners of Project Jengo for the Sable case!

Read on for background on the case, details on the Project Jengo final winners, and other patent troll-related updates.

The Sable win

For anyone unfamiliar with the Sable case, the story can be traced back all the way to 2006, when patent troll Sable bought patents from a company going out of business. In 2021, fifteen years after buying the patents, Sable filed suit Continue reading

Upstart Xsight Labs Raises Up The Programmable Switch Banner High

The best minds in networking spent the better part of two decades wrenching the control planes of switches and routers out of network devices and putting them into external controllers. …

Upstart Xsight Labs Raises Up The Programmable Switch Banner High was written by Timothy Prickett Morgan at The Next Platform.

PP055: News Roundup – BotNet Targets TP-Link, Threat Hunting In the Electric Grid, Apple Vs. UK Snoops, and More

This week we dive into security headlines including a botnet bonanza that includes TP-Link routers, Chinese attackers targeting Juniper and Fortinet, and a case study of nation-state actors penetrating the operator of a small US electric utility. We also discuss ransomware attacks targeting critical infrastructure, a backdoor in an Android variant used in streaming devices,... Read more »

Scaling The Storage Pyramid With Micron’s Datacenter Memory And Flash

SPONSORED CONTENT Consider, for a moment, the current state of AI accelerators and datacenter GPUs. …

Scaling The Storage Pyramid With Micron’s Datacenter Memory And Flash was written by Timothy Prickett Morgan at The Next Platform.

HS098: Just Following Orders?

What do you do when your colleagues or senior leaders ask you to do something illegal? It’s hardly hypothetical; recent years have seen high-profile firings and convictions of CIOs and CISOs who’ve been ordered to break the law. John and Johna discuss steps that tech leaders can take if they’re put on the spot. Episode... Read more »

Build and deploy Remote Model Context Protocol (MCP) servers to Cloudflare

It feels like almost everyone building AI applications and agents is talking about the Model Context Protocol (MCP), as well as building MCP servers that you install and run locally on your own computer.

You can now build and deploy remote MCP servers to Cloudflare. We’ve added four things to Cloudflare that handle the hard parts of building remote MCP servers for you:

workers-oauth-provider — an OAuth Provider that makes authorization easy
McpAgent — a class built into the Cloudflare Agents SDK that handles remote transport
mcp-remote — an adapter that lets MCP clients that otherwise only support local connections work with remote MCP servers
AI playground as a remote MCP client — a chat interface that allows you to connect to remote MCP servers, with the authentication check included

The button below, or the developer docs, will get you up and running in production with this example MCP server in less than two minutes:

Unlike the local MCP servers you may have previously used, remote MCP servers are accessible on the Internet. People simply sign in and grant permissions to MCP clients using familiar authorization flows. We think this is going to be a massive deal — connecting coding agents Continue reading

Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH

OPKSSH makes it easy to SSH with single sign-on technologies like OpenID Connect, thereby removing the need to manually manage and configure SSH keys. It does this without adding a trusted party other than your identity provider (IdP).

We are excited to announce OPKSSH (OpenPubkey SSH) has been open-sourced under the umbrella of the OpenPubkey project. While the underlying protocol OpenPubkey became an open source Linux foundation project in 2023, OPKSSH was closed source and owned by BastionZero (now Cloudflare). Cloudflare has gifted this code to the OpenPubkey project, making it open source.

In this post, we describe what OPKSSH is, how it simplifies SSH management, and what OPKSSH being open source means for you.

Background

A cornerstone of modern access control is single sign-on (SSO), where a user authenticates to an identity provider (IdP), and in response the IdP issues the user a token. The user can present this token to prove their identity, such as “Google says I am Alice”. SSO is the rare security technology that both increases convenience — users only need to sign in once to get access to many different systems — and increases security.

OpenID Connect

OpenID Connect (OIDC) is Continue reading

netlab 1.9.6: Static Routes to Default Gateways

Last week, I had to push out netlab release 1.9.6 to address a particularly nasty Python dependency hell to make netlab work (again) on Ubuntu 24.04 (more details). The release also brought these goodies (and a bunch of bug fixes):

Add default gateway (including anycast- and VRRP gateway )as a valid next-hop for static routes
Rewrite the default gateway processing and add IPv6 default gateways on links without anycast or VRRP gateways
Set libvirt MTU to 9500 on bridge-based networks to avoid the “transparent fragmentation” on Linux bridges.
Use device- or node variables to specify the Juniper vMX license file.

Cloudflare incident on March 21, 2025

Multiple Cloudflare services, including R2 object storage, experienced an elevated rate of errors for 1 hour and 7 minutes on March 21, 2025 (starting at 21:38 UTC and ending 22:45 UTC). During the incident window, 100% of write operations failed and approximately 35% of read operations to R2 failed globally. Although this incident started with R2, it impacted other Cloudflare services including Cache Reserve, Images, Log Delivery, Stream, and Vectorize.

While rotating credentials used by the R2 Gateway service (R2's API frontend) to authenticate with our storage infrastructure, the R2 engineering team inadvertently deployed the new credentials (ID and key pair) to a development instance of the service instead of production. When the old credentials were deleted from our storage infrastructure (as part of the key rotation process), the production R2 Gateway service did not have access to the new credentials. This ultimately resulted in R2’s Gateway service not being able to authenticate with our storage backend. There was no data loss or corruption that occurred as part of this incident: any in-flight uploads or mutations that returned successful HTTP status codes were persisted.

Once the root cause was identified and we realized we hadn’t deployed Continue reading

HBM Can Keep Micron Out Of The Next Memory Bust Cycle

An interesting thought experiment to do in 2025 when looking at the financial results of just about any of the key compute, storage, and networking component and system suppliers is to imagine how any given company’s numbers would look if you backed out the AI portions of its business. …

HBM Can Keep Micron Out Of The Next Memory Bust Cycle was written by Timothy Prickett Morgan at The Next Platform.

NB519: Google Bids $32 Billion for Cloud Security Startup; NVIDIA Makes Nice With Quantum Computing

Take a Network Break! This week we cover Google’s $32 billion acquisition of CNAPP provider Wiz, Cloudflare offerings for AI security and support for post-quantum encryption, and NVIDIA’s pledge to open a quantum research center in Boston. NVIDIA has also announced new switch platforms with co-packaged optics for greater efficiency, Cisco shares details on its... Read more »

0324 Tech Byte: Tech Bytes: How Fortinet Unified SASE Secures Hybrid Workers for Customer Liquid Networx (Sponsored)

Today on the Tech Bytes podcast, sponsored by Fortinet, we get a customer view of Fortinet’s SASE offering from Liquid Networx. Liquid Networx isn’t just a Fortinet customer; it also provides professional services for other customers of FortiSASE. We’ll talk about why Liquid Networx decided to adopt SASE, its evolution from on-prem to cloud-based security,... Read more »

Security Week 2025: in review

Thank you for following along with another Security Week at Cloudflare. We’re extremely proud of the work our team does to make the Internet safer and to help meet the challenge of emerging threats. As our CISO Grant Bourzikas outlined in his kickoff post this week, security teams are facing a landscape of rapidly increasing complexity introduced by vendor sprawl, an “AI Boom”, and an ever-growing surface area to protect.

As we continuously work to meet new challenges, Innovation Weeks like Security Week give us an invaluable opportunity to share our point of view and engage with the wider Internet community. Cloudflare’s mission is to help build a better Internet. We want to help safeguard the Internet from the arrival of quantum supercomputers, help protect the livelihood of content creators from unauthorized AI scraping, help raise awareness of the latest Internet threats, and help find new ways to help reduce the reuse of compromised passwords. Solving these challenges will take a village. We’re grateful to everyone who has engaged with us on these issues via social media, contributed to our open source repositories, and reached out through our technology partner program to work with us on the issues most Continue reading

New URLPattern API brings improved pattern matching to Node.js and Cloudflare Workers

Today, we are excited to announce that we have contributed an implementation of the URLPattern API to Node.js, and it is available starting with the v23.8.0 update. We've done this by adding our URLPattern implementation to Ada URL, the high-performance URL parser that now powers URL handling in both Node.js and Cloudflare Workers. This marks an important step toward bringing this API to the broader JavaScript ecosystem.

Cloudflare Workers has, from the beginning, embraced a standards-based JavaScript programming model, and Cloudflare was one of the founding companies for what has evolved into ECMA's 55th Technical Committee, focusing on interoperability between Web-interoperable runtimes like Workers, Node.js, Deno, and others. This contribution highlights and marks our commitment to this ongoing philosophy. Ensuring that all the JavaScript runtimes work consistently and offer at least a minimally consistent set of features is critical to ensuring the ongoing health of the ecosystem as a whole.

URLPattern API contribution is just one example of Cloudflare’s ongoing commitment to the open-source ecosystem. We actively contribute to numerous open-source projects including Node.js, V8, and Ada URL, while also maintaining our own open-source initiatives like workerd and wrangler. By upstreaming improvements Continue reading

KubeCon EU 2025: Aviatrix’s Enterprise Firewall for Kubernetes

Kubernetes networking admins attending Aviatrix will be demonstrating its new Kubernetes firewall. “One of the things which we didn’t have in the Kubernetes space is a really good Kubernetes-aware networking and security solution,” said Aviatrix Kubernetes Firewall brings enterprise-levels of

IPv6 and the Revenge of the Stupid Bridges

This blog post describes another “OMG, this cannot possibly be true” scenario discovered during the netlab VRRP integration testing.

I wanted to test whether we got the nasty nuances of VRRPv3 IPv6 configuration right on all supported platforms and created a simple lab topology in which the device-under-test and an Arista cEOS container would be connected to two IPv6 networks (Arista EOS is a lovely device to use when testing a VRRP cluster because it produces JSON-formatted show vrrp printouts).

Most platforms worked as expected, but Aruba CX, Cumulus Linux with NVUE, and Dell OS10 consistently failed the tests. We were stumped until Jeroen van Bemmel discovered that the Arista container forwards IPv6 router advertisements between the two LAN segments.

Exploring RISC-V vector instructions

It finally happened! A raspberry pi like device, with a RISC-V CPU supporting the v extension. Aka RVV. Aka vector instructions.

I bought one, and explored it a bit.

SIMD background

First some background on SIMD.

SIMD is a set of instructions allowing you to do the same operation to multiple independent pieces of data. As an example, say you had four 8 bit integers, and you wanted to multiply them all by 2, then add 1. You could do this with a single operation without any special instructions.

    # x86 example assembly.

    mov eax, [myvalues]  # load our four bytes.
    mov ebx, 2           # we want to multiply by two
    imul eax, ebx        # single operation, multiple data!
                         # After this, eax contains 0x02040608
    add eax, 0x01010101  # single operation, multiple data!
                         # After this, eax contains 0x03050709
    mov [myvalues], eax  # store back the new value.

section .data
  myvalues db 1,2,3,4

Success, right? No, of course not. This naive code doesn’t handle over/underflow, and doesn’t even remotely work for floating point data. For that, we need special SIMD instructions.

x86 and ARM have gone the way of fixed sized registers. In 1997 Intel introduced MMX, to great Continue reading

Lab as Code – Part2

This is the follow on to part1 where I was looking at how easy it is to deploy initial EVE-NG and CML lab setups from a declarative YAML file. Although both products are not really designed with that in mind I did manage to accomplish it with a relatively minimal amount of complexity in the topology file using a custom lab_builder tool. Next up is to give it a go with containerlab and netlab, I am expecting these to be a whole lot simpler as lab as code is the very ethos that they are designed for.

From Python to Go 017. Interaction With Network Devices Using NETCONF.

Hello my friend,

We continue exploring programmable network management using Python and Go (Golang) as programming languages. In today’s blog post we’ll cover how to interact with network devices using NETCONF.

How To Chose Which API To Use?

There are many APIs (Application Programmable Interfaces) out there. We already covered SSH and now covering NETCONF. And there are a few more existing, which we are going to cover. Cannot we just stick to a single API for all use cases. The truth is that each API has its own advantages and disadvantages, as well as design patterns and areas, where it shall be used. As such, each of them is important and valuable.

And in our training programs we do deep-dive in all these APIs. Enrol today:

We offer the following training programs in network automation for you:

During these trainings you will learn the following topics:

Success and failure strategies to build the automation tools.
Principles of software developments and the most useful and convenient tools.
Data encoding (free-text, XML, JSON, YAML, Protobuf).
Model-driven Continue reading

HN773: Optimizing Ethernet for AI – An Update On the Ultra Ethernet Consortium

The Ultra Ethernet Consortium (UEC) is an industry body that aims to optimize Ethernet for AI and HPC use cases. On today’s Heavy Networking we get an overview of the UEC and an update on its efforts. We’re joined by J Metz and Rip Sohan, both heavily involved with the UEC. We discuss the consortium’s... Read more »

« Previous 1 … 7 8 9 10 11 … 3,780 Next »