Human Infrastructure 344: BGP Security, Service Meshes, And More

Blog Highlight: Geoff Huston on DNS and UDP Truncation

I feel like “blog” isn’t the right category for posts from Geoff. “Text book chapter” feels more appropriate. However you describe it, I learned a lot about how DNS and UDP work together. I also learned that packet fragmentation throws a wrinkle into the process.

Geoff writes “...if the DNS response using UDP is large enough to require IP packet fragmentation, and the path contains an active element that discards packet fragments due to the heightened security risk, then there needs to be a different DNS response to ensure transmission of the DNS data. The DNS’ response is to require implementations of the DNS to support both UDP and TCP transports. DNS transactions should use UDP by preference, but if there is a signal in the DNS response to indicate that the entire response cannot be loaded into UDP, then the querier should re-query using TCP.” 

He then goes on to examine answers to two questions related to this problem:

  1. How prevalent is the behaviour of using the data in a truncated DNS response?

  2. Do all name resolution systems successfully follow up with a re-query using TCP after receiving a truncated UDP DNS response?

Plan to set aside some time if you want the answers to these questions, but Geoff’s chapters are always worth it. - Drew
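The UDP-to-TCP fallback Geoff describes, as an added example that is not part of his post or of this newsletter: a minimal resolver-side check in Python that inspects the TC (truncated) bit in a UDP response, refuses to use records from a truncated answer, and re-sends the same query over TCP with the two-byte length framing DNS requires. Every message is constructed inline (example.com, transaction ID 0x1234 and the 192.0.2.1 A record are illustrative), so it runs offline; the `tcp_exchange_via_socket` helper shows the real TCP leg but is not exercised here.

```python
"""Added example: resolver handling of the DNS TC bit and TCP fallback.

Not code from Geoff Huston's post. All packets are constructed inline so the
script runs offline; names, IDs and addresses are illustrative only.
"""
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # response was truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query for QTYPE (1 = A), QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Return the 12-byte header fields plus a decoded TC flag."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "tc": bool(flags & FLAG_TC)}


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP DNS message")
    return body


def decide(query: bytes, udp_response: bytes) -> str:
    """Resolver policy for a UDP reply: 'accept', 'retry_tcp' or 'reject'."""
    q = parse_header(query)
    r = parse_header(udp_response)
    if r["id"] != q["id"] or not (r["flags"] & FLAG_QR):
        return "reject"
    if r["tc"]:
        # Never use records from a truncated answer: the answer section is
        # incomplete, and the records that were cut may be the ones (such as
        # RRSIGs) that would have validated what did arrive.
        return "retry_tcp"
    return "accept"


def resolve(query: bytes, udp_response: bytes, tcp_exchange) -> bytes:
    """Return the response to use, re-querying over TCP if UDP was truncated.

    tcp_exchange takes a TCP-framed query and returns the TCP-framed reply.
    """
    verdict = decide(query, udp_response)
    if verdict == "reject":
        raise ValueError("UDP response does not match the query")
    if verdict == "accept":
        return udp_response
    tcp_resp = unframe_from_tcp(tcp_exchange(frame_for_tcp(query)))
    if decide(query, tcp_resp) != "accept":
        raise ValueError("TCP response unusable")
    return tcp_resp


def tcp_exchange_via_socket(server: str, port: int = 53, timeout: float = 3.0):
    """Factory for a real TCP exchange (assumed helper, not run offline)."""
    def recv_exact(sock, n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            buf += chunk
        return buf

    def exchange(framed: bytes) -> bytes:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(framed)
            hdr = recv_exact(s, 2)
            (length,) = struct.unpack("!H", hdr)
            return hdr + recv_exact(s, length)
    return exchange


# Constructed sample traffic (not captured from a real server).
QUERY = build_query(0x1234, "example.com")

# The server echoes the question with TC=1 and an empty answer section.
TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
)

# The same answer as it would arrive over TCP: one A record whose owner name
# is a compression pointer (0xc00c) back to the question name.
FULL_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    fake_tcp = lambda framed: frame_for_tcp(FULL_RESPONSE)  # stands in for the server
    print("UDP verdict:", decide(QUERY, TRUNCATED_RESPONSE))
    print("answers after fallback:", parse_header(resolve(QUERY, TRUNCATED_RESPONSE, fake_tcp))["ancount"])
```

The `retry_tcp` branch is the behaviour Geoff's first question measures: a resolver that instead reads records out of the truncated reply is working from an incomplete answer section. The `reject` branch (mismatched transaction ID or a missing QR bit) is the ordinary check that should happen before the TC bit is even consulted.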

THIS WEEK’S MUST-READ BLOGS 🤓

We hear a lot about AI as LLMs (Large Language Models) which understand prompts and then mimic a human reply when inferring responses from the model. This is only one type of AI model, and the emergence of other fundamentally different models has started. Large Action Models are aligned with reasoning and decision making, i.e. “taking action”, compared to LLMs. - Greg

Starlink hardware used to have traditional RJ-45 Ethernet ports, but the current version does not. If you’d like to hack your Starlink hardware and bring those ports back, this article is for you. - Ethan

Mat reviews the major service mesh offerings, noting that at this point, none of them are truly free. Mat gives overviews of Linkerd, Cilium, Istio, and Consul Connect as well as the cloud provider offerings of Google Anthos, AWS App Mesh, and Azure’s use of Open Service Mesh (deprecated but still recommended by Azure according to Mat’s research). Mat’s got a lot of opinions, and shares in the blunt, useful way engineers often appreciate. - Ethan


Lee Badman is as blunt and pointed as he could possibly get about the JuniHPEr acquisition and what it means for Aruba and Mist. - Ethan

Alex aka Lexie recommends a simple step to help you remember where an IaC resource is defined--a tag with the URL where that definition lives (a specific path in your GitHub repo, for instance). That way, if you need to update a resource definition, you can do it the right way, and not just patch it in your code and forget to update the formal definition everyone should be working with. - Ethan

Just getting started with network automation? Dive in with NetBox + Ansible.

This on-demand session is your gateway to mastering network automation. NetBox is the world’s most popular Network Source of Truth — and the key to new levels of productivity by using NetBox as a dynamic inventory source for Ansible.

  • Learn efficient inventory management, device fact gathering, and visualizing LLDP neighbors with Ansible.

  • Master the art of safely backing up device configurations.

Elevate your automation skills: Watch the NetBox + Ansible webinar here.

TECH NEWS 📣

AI agents designed to automate simple tasks have become an attack surface. At the moment, the vulnerability is a proof of concept contained in a research lab, but the demonstration is concerning. “The researchers show how the AI worm can attack a generative AI email assistant to steal data from emails and send spam messages—breaking some security protections in ChatGPT and Gemini in the process.” The trick is creating a self-replicating prompt. “In short, the AI system is told to produce a set of further instructions in its replies.” If not protected against, data leaks can occur similar to SQL injection and buffer overflow attacks. - Ethan

Author Mike Dano takes a look at the undercurrents of Mobile World Congress, one of the biggest telco & service provider events each year. In his opinion, all the noise around AI translates to tasks being automated, and that means some folks at MWC might be replaced by a robot fairly soon. Similar down notes were 5G being overhyped and the world realizing it, and the limits of network APIs as revenue streams. And yet…the demand for more capacity continues. - Ethan


The issue referenced in the title is tied to massive growth by the largest companies, requiring ever more power and land to house their data centers. There’s not enough power available to meet demand, and not enough coming online to catch up in the near future. Naturally, this is driving up costs. And all of this was happening before AI datacenters, with their massive power requirements, became the things everyone wanted to build. - Ethan


It used to be that Morse code radio stations were how we communicated widely. Long since retired as a standard communication system, there are a few that keep Morse code chatter alive. This short article talks about them. - Ethan

Forrester Consulting analyzed real-world case studies of financial efficiencies gained from implementing Prisma® SASE. They then created a dynamic calculator where you can estimate your own potential ROI. Prisma SASE offers cost savings and business benefits for organizations of any size. Check it out here.

FOR THE LULZ 🤣

RESEARCH & RESOURCES 📒

Seabird - Bird’s-eye view for Kubernetes 
https://getseabird.github.io/

This open-source project self-describes as “Kubernetes for Humans. Seabird makes exploring Kubernetes clusters easier than ever before.” At a quick glance, the UI looks decent to my eye. Written in Go based on what I see in the repo. Pre-built binaries available for download for Windows and macOS. - Ethan

In the Packet Pushers Slack community, Renato Westphal posted this announcement…

“Hello everyone, I'm excited to announce that Holo v0.4 has been released! Holo is an experimental routing protocol suite, licensed under MIT and written entirely in safe Rust. It is designed to support the high-scale and automation-driven networks of the future. The highlight of this release is the debut of an initial BGP implementation, alongside support for static routes and opaque route attributes.

Moreover, I'm thrilled to share that Holo has received a grant from NLnet to implement the IS-IS protocol. Details are available here: https://nlnet.nl/project/HoloRouting/

Holo is evolving rapidly. Currently standing at around 90k lines of code, Holo supports seven different protocols, adheres to 49 IETF RFCs (plus 20 IETF YANG models), and contains hundreds of unit and conformance tests. Anyone interested in Holo is welcome to join our discord server (link available in the README). We welcome assistance with testing, feedback, and bug reporting from anyone.

Links:

Thanks for sharing, Renato! - Ethan

This rather remarkable advice from a political wing of the US government, the White House no less, is worth a look. It talks about memory safe programming languages and hardware in a very accessible way. - Greg

This isn’t a resource, it’s just really cool. Enjoy! - Drew

INDUSTRY BLOGS & VENDOR ANNOUNCEMENTS 💬 

If you have a need to plumb your Oracle Cloud Infrastructure environment to your private infrastructure really, really (really) fast, now you can. 400G is available. If you need even more bandwidth, OCI will sell you as much as a 400Gx8 ECMP or link-aggregation setup. MACsec is also supported. - Ethan

This press release goes back to December 2023, but I think we might have missed it due to the busyness of the holidays. Anuta makes service orchestration software. It’s a sophisticated platform with broad multi-vendor support that allows you to build and publish a catalog of services your customers can consume. Anuta’s made a lot of headway in the service provider space, and they’re well-positioned for enterprises as well. This announcement echoes what many vendors have been on about in recent months--an AI assistant added to their platform that helps to build whatever the complex thing is you’re trying to build, troubleshoot more quickly, or make documentation as accessible as asking the right question in plain English. Why bring up an announcement that’s a couple of months old? Anuta published a video demonstrating AVA’s Co-Pilot feature. It’s a solid piece showing where AI tech is right now for these sorts of tasks. It gets you a significant part of the way you need to go. The result probably needs to be tweaked to get the result you need, but it saves you time up front. - Ethan

AWS wants you to feel you can move to another provider anytime you want without incurring a data transfer fee. To that end, they have announced that if you need to move data beyond the already free 100GB of transfer you get from AWS Regions to the Internet, you’ll be able to do that. You’ll have to call support to get the credits applied to your account, as AWS wouldn’t otherwise know you’re moving to a new provider. AWS does not require you to terminate your relationship if you invoke the data transfer out credit, a jab at Google Cloud who does require termination. - Ethan

LAST LAUGH 😆