Calico was designed from the ground up with a pluggable dataplane architecture. The Calico 3.13 release introduced a new eBPF (extended Berkeley Packet Filter) dataplane targeted at those ready to adopt newer kernel versions and wanting to push the Linux kernel’s latest networking capabilities to the limit. In addition to improved throughput and latency compared to the standard Linux networking dataplane, Calico’s eBPF dataplane also includes native support for Kubernetes services without the need to run kube-proxy. One of the ways Calico’s eBPF dataplane realizes these improvements is through source IP preservation and Direct Server Return (DSR).
Kube-proxy and Source IP
The application of Network Address Translation (NAT) by kube-proxy to incoming network connections to Kubernetes services (e.g. via a service node port) is a frequently encountered friction point with Kubernetes networking. NAT has the unfortunate side effect of removing the original client source IP address from incoming traffic. When this occurs, Kubernetes network policies can’t restrict incoming traffic from specific external clients. By the time the traffic reaches the pod it no longer has the original client IP address. For some applications, knowing the source IP address is desirable or required. For example,
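A configuration sketch of the two ways to keep the client IP that the excerpt above is getting at, added here as an example and not taken from the Calico post: Calico’s eBPF dataplane switched to DSR on one side, the standard kube-proxy dataplane’s escape hatch `externalTrafficPolicy: Local` on the other, and a network policy that only becomes enforceable once the client IP survives to the pod. The `web` service, its `app: web` selector and the partner range 203.0.113.0/24 are assumptions; the FelixConfiguration fields are Calico’s own and are applied with calicoctl (the projectcalico.org/v3 API).

```yaml
# Added example, not configuration from the Calico post.
# Assumes Calico >= 3.13 with the remaining eBPF enablement steps from the
# Calico docs already done (kube-proxy disabled, API server endpoint ConfigMap).
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  bpfEnabled: true
  # Tunnel (the default): return traffic is sent back via the ingress node.
  # DSR: the pod's reply goes straight back to the client, skipping that hop,
  # and the client source IP is preserved on the way in.
  bpfExternalServiceMode: DSR
---
# Same intent on the kube-proxy dataplane: Local only routes to endpoints on
# the node that received the packet, so kube-proxy does not SNAT the client IP.
apiVersion: v1
kind: Service
metadata:
  name: web                 # assumed service name
spec:
  type: NodePort
  externalTrafficPolicy: Local
  selector:
    app: web                # assumed pod label
  ports:
    - port: 80
      targetPort: 8080
---
# The policy the excerpt says NAT makes impossible: admit only one external
# client range. With the client IP replaced by a node IP this rule would
# either block everything or be bypassed, depending on which node forwarded.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: web-allow-partner
  namespace: default
spec:
  selector: app == 'web'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 203.0.113.0/24   # assumed partner range (TEST-NET-3)
      destination:
        ports:
          - 8080
```

Two caveats a practitioner should weigh before flipping either switch. DSR means a node other than the ingress node emits packets carrying the ingress node’s address, so the Calico docs require an underlying fabric that permits nodes to send traffic with each other’s IPs; cloud networks with anti-spoofing filters may drop it. `externalTrafficPolicy: Local` preserves the client IP at the cost of load balancing: a node with no local endpoint silently drops the connection rather than forwarding it, so the external load balancer or health checks must steer traffic only to nodes that actually host the pods.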

Obvious really
The post Dictionary: TANSTAAFL: There Ain’t No Such Thing As A Free Lunch appeared first on EtherealMind.
On June 30, 2020, a security vulnerability affecting multiple BIG-IP platforms from F5 Networks was made public with a CVSS score of 10 (Critical). Due to the significance of the vulnerability, network administrators are advised to mitigate this issue in a timely manner. Doing so manually is tricky, especially if many devices are involved. Because F5 BIG-IP and BIG-IQ are certified with the Red Hat Ansible Automation Platform, we can use it to tackle the issue.
This post provides one way of temporarily mitigating CVE-2020-5902 via Ansible Tower without upgrading the BIG-IP platform. Upgrading to a fixed release remains the proper fix; however, larger customers like service providers might struggle to upgrade on short notice, as they may have to go through a lengthy internal validation process. For those situations, an automated mitigation is a reasonable stopgap until the upgrade can be performed.
The vulnerability is described in K52145254 of the F5 Networks support knowledgebase:
The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
It also describes the impact as serious:
This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration
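One way to express that stopgap as an Ansible play, added here as an example and not the playbook from the Red Hat post. It assumes the f5networks.f5_modules collection is installed, an inventory group named `bigip`, credentials injected by Tower as `bigip_user` and `bigip_pass`, and a management range in `mgmt_allow_net` (all assumed names). The httpd include is the mitigation F5 eventually settled on in K52145254: the first published version matched only `..;` in the request path and was bypassed within days, so the article was updated to reject any path containing `;`. The list of mitigations in that article changed more than once, so check the current text before rolling this out.

```yaml
# Added example, not the Red Hat post's playbook.
# Runs tmsh over the BIG-IP REST API from the Tower/AWX node (connection: local).
- name: Temporary mitigation for CVE-2020-5902 (TMUI RCE)
  hosts: bigip
  connection: local
  gather_facts: false
  vars:
    provider:
      server: "{{ ansible_host }}"
      user: "{{ bigip_user }}"        # assumed: injected by a Tower credential
      password: "{{ bigip_pass }}"    # assumed: injected by a Tower credential
      validate_certs: true            # do not weaken this to reach the device
    mgmt_allow_net: 10.0.0.0/8        # assumed management network
  tasks:
    - name: Reject any TMUI request path containing ';' (updated K52145254 pattern)
      f5networks.f5_modules.bigip_command:
        provider: "{{ provider }}"
        commands:
          - |-
            modify /sys httpd include '<LocationMatch ";">
            Redirect 404 /
            </LocationMatch>'
          - save /sys config

    # Defence in depth: the Configuration utility should never be reachable
    # from untrusted networks regardless of this bug.
    - name: Limit which addresses may reach the httpd (TMUI/REST) listener
      f5networks.f5_modules.bigip_command:
        provider: "{{ provider }}"
        commands:
          - "modify /sys httpd allow replace-all-with { {{ mgmt_allow_net }} }"
          - save /sys config

    - name: Read back the httpd include and allow list
      f5networks.f5_modules.bigip_command:
        provider: "{{ provider }}"
        commands:
          - list /sys httpd include
          - list /sys httpd allow
      register: httpd_state

    # Make the job fail loudly instead of reporting a mitigation that did not land.
    - name: Verify the mitigation is present
      ansible.builtin.assert:
        that:
          - "'LocationMatch' in httpd_state.stdout[0]"
          - "'Redirect 404' in httpd_state.stdout[0]"
          - "mgmt_allow_net in httpd_state.stdout[1]"
        fail_msg: "CVE-2020-5902 mitigation not present on {{ inventory_hostname }}"
```

Run it against a lab device first, since the `allow` list also governs REST access and a wrong CIDR locks Ansible itself out. The httpd include only narrows the web path; the KB article also points at self IP port lockdown for devices whose self IPs expose TMUI, and neither step replaces the upgrade.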
Open source software is everywhere, it seems—and yet it’s nowhere at the same time. Everyone is talking about it, but how many people and organizations are actually using it? Pete Lumbis at NVIDIA joins Tom Ammon and Russ White to discuss the many uses and meanings of open source software in the networking world.
The COVID-19 pandemic has changed the way humans interact with one another. With an emphasis on less physical interaction and more social distancing, institutions and organizations are moving their work and meetings online.
The Internet Society Accessibility Special Interest Group (Accessibility SIG) aims to make the Internet and its attendant technologies accessible to the largest audience possible, regardless of disabilities. The digital divide is not just about having access to digital technology; it can also be about having access to technology and not being able to use it. Our digital products must be usable by all. Many laws and the Internet Society’s vision – the Internet is for everyone – demand that we provide everyone with an equal experience.
The Accessibility SIG is planning a series of seven webinars discussing this very topic. Our first one was titled When Rhetoric Meets Reality: Digital Accessibility, Persons With Disabilities and COVID-19 and was held on May 28.
The way we design and build can make it hard – and sometimes impossible – for people with disabilities to access
June seems like a lifetime ago but there was so much content we wanted to make sure was on your radar. We know you may be thinking but wait, didn’t something big happen to Cumulus Networks in June? You would be right! We’re excited to share that we are now officially NVIDIA®. Along with the news, we kept very busy with fresh podcast episodes, informative blog posts and much more so take a minute to dive on in and catch up on it all here.
Cumulus Networks’ President and Chief Product Officer, Partho Mishra, on the NVIDIA-Cumulus acquisition: Partho Mishra answers your questions regarding the strategic focus of the new networking business unit at NVIDIA and the future of open networking.
Open source — the great equalizer: Technology is a great equalizer and the open source movement has played a huge role in making this true and accelerating the process.
Remote work makes network visibility more critical than ever: We’re living through a major shift in the way employees work, extending the boundaries of what was once a tightly controlled environment.
Kernel of Truth season 3 episode 8: Cumulus Linux in action
Developing Python projects in local environments can get pretty challenging if more than one project is being developed at the same time. Bootstrapping a project may take time as we need to manage versions and set up dependencies and configuration for it. Previously, we used to install all project requirements directly in our local environment and then focus on writing the code. But having several projects in progress in the same environment quickly becomes a problem, as we may run into configuration or dependency conflicts. Moreover, when sharing a project with teammates we would also need to coordinate our environments. For this we have to define our project environment in such a way that it is easily shareable.
A good way to do this is to create isolated development environments for each project. This can be easily done by using containers and Docker Compose to manage them. We cover this in a series of blog posts, each one with a specific focus.
This first part covers how to containerize a Python service/tool and the best practices for it.
Requirements
To easily exercise what we discuss in this blog post series, we need to install a minimal set


2020 has been a historic year that will forever be associated with the COVID-19 pandemic. Over the past six months, we have seen societies, businesses, and entire industries unsettled. The situation at Cloudflare has been no different. And while this pandemic has affected each and every one of us, we here at Cloudflare have not forgotten what our mission is: to help build a better Internet.
We have expanded our global network to 206 cities across more than 100 countries. This is in addition to completing 40+ datacenter expansion projects and adding over 1Tbps in dedicated “backbone” (transport) capacity connecting our major data centers so far this year.
There was zero chance that 2020 would mean business as usual within the Infrastructure department. We were thrown a curve-ball as the pandemic began affecting our supply chains and operations. By April, the vast majority of the world’s passenger flights were grounded. Most bulk air freight ships in the lower deck (“belly”) of those flights, so the sudden 74% decrease in passenger belly cargo capacity relative to the same period last year created an imbalance between supply and demand.
We were fortunate to have
Day Two Cloud gets into data visualization with the open-source Grafana project. Grafana helps you visualize, alert on, and query all kinds of data and metrics. We look at how Grafana works, how it manipulates and stores data, and common use cases. Our guest is Ryan McKinley, VP of Applications at Grafana.
The post Day Two Cloud 057: See Your Data With Grafana appeared first on Packet Pushers.
Jeff Tantsura and Nick Buraglio bring a wealth of knowledge to this Network Collective Introduction to Segment Routing webinar. In this webinar we cover the fundamental SR technologies and how they work, as well as some of the practical implementation details that can only be learned by working with the technology directly.
Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/
The post Introduction to Segment Routing appeared first on Network Collective.

Here’s one of the weirdest ideas I’ve found recently: patch together two dangling ends of virtual Ethernet cables with PBR.
To be fair, Jon Langemak used that example to demonstrate how powerful tc could be. It’s always fun to see a totally unexpected aspect of Linux networking… even though it looks like the creators of those tools believed in the Perl mentality of creating a gazillion variants of line noise to get the job done.
Let’s leave aside all the questions about the long-term viability of AI ASICs and appliances and focus instead on the beauty of a good architecture. …
The Elegance (And Limitations Of) Precisely Engineered Accelerators was written by Nicole Hemsoth at The Next Platform.
For Patricia Harris, like most people in the rapidly changing worlds of IT and business, data is central to what she does. …
Squeezing Every Drop Of Value Out Of Data was written by Jeffrey Burt at The Next Platform.
Today's Heavy Networking explores a partnership between Juniper Networks and Anuta Networks to bring low-code network automation to service providers and enterprises. In this sponsored show, we'll dive into how Anuta's ATOM platform integrates with Juniper's NorthStar SDN controller and HealthBot diagnostic software to automate and orchestrate common networking tasks. Our guests are Peter Weinberger, Principal Product Manager at Juniper Networks; and Kiran Sirupa, Head of Marketing at Anuta Networks.
The post Heavy Networking 529: Demystifying Automation With Low-Code Workflows (Sponsored) appeared first on Packet Pushers.
A wide-ranging program for you today with everything from neuromorphic hardware and software research; some impressive FPGA acceleration for Caffe from Samsung AI Research; why the datacenter industry is booming (the answers might surprise you); the state of Lustre and OpenSFS; and where some unique opportunities are in HPC on the pandemic modeling front. …
Next Platform TV for July 14, 2020 was written by Nicole Hemsoth at The Next Platform.