Human Infrastructure 372: Tough Choices and Ripping Band-Aids
HPE and Juniper: Tough Choices and Ripping Band-Aids
When a vendor has multiple products in its portfolio that do pretty much the same thing, the vendor positions this overlap as providing customers with “choice.” This is the argument that HPE and Juniper are making as they barrel toward their acqui-merger. HPE has its well-known and widely deployed Aruba wireless gear. Juniper has its AI-powered, incumbent-disrupting Mist wireless gear. You, the customer, get to choose. Sounds good, yes?
In a recent Forrester blog, Andre Kindness argues that “choice” is just another way to describe a messy portfolio that doesn’t actually serve the best interests of customers. He says enterprises have neither the time nor skills to integrate and operate different products from the same vendor, so “choice” is a false promise. If HPE wants to be a strategic enterprise partner, it shouldn’t foist a portfolio full of overlapping products onto customers. Executives in the new HPE “should eliminate a lot of product lines, mostly on the Aruba side,” he writes.
He doesn’t say which products, but I presume he’s gesturing toward WLANs. That’s where HPE and Juniper have the most significant overlap. Kindness writes “Like it or not, tough decisions will need to be made and the Band-Aid must be ripped off.” [emphasis added]
HPE dumping its WLAN product in favor of Juniper’s would be a tough decision. By contrast, HPE dumping Aruba switches in favor of Juniper switches wouldn’t. That’s why I assume Kindness is nodding toward the WLAN products.
Kindness writes “The new executive team after the merger needs to be up-front about the future of product lines. Customers know that certain ones will go away… .”
Or will they?
Two Paths
In my opinion, customers should expect that the new HPE/Juniper will offer two separate WLAN products for the foreseeable future. Aruba WLAN has a bigger customer base and larger market share than Mist, and HPE execs would recoil at giving up those customers. But Mist AI is the new hotness and is the primary reason HPE is buying Juniper, so of course they won’t ditch Mist.
So what happens? Among the possibilities, here are two. In one, HPE/Juniper figures out how to sustain two separate wireless platforms. That means sustaining WLAN products that are built on top of separate AI models and data lakes; managed by separate software; and supported by two separate engineering, marketing, and sales teams. Cisco has made this work (more or less) in the past, so why not HPE/Juniper?
The other possibility is that “choice” strategy fails. The organization will be beset by cultural conflicts, internal squabbling, fiefdom battles, and legitimately difficult product development decisions. Investor pressure to cut the costs of running two separate product lines will become untenable.
HPE/Juniper will then try to roll out an awful, terrible “manager of managers” that sits above both portfolios. It won’t work and it will make everyone unhappy. At that point, one or the other of the WLAN products will get spun out. (Maybe to Extreme?)
I suspect that HPE/Juniper is hoping for the first path. But perhaps Kindness will be proved right in the long term; at some point, the company will have to make tough decisions and rip Band-Aids. Maybe it’s better to start now, but that seems unlikely. - Drew
THIS WEEK’S MUST-READ BLOGS 🤓
Best Practices for Network Documentation: A Guide for Network Engineers - Layer8Packet
https://www.layer8packet.io/home/best-practices-for-network-documentation-a-guide-for-network-engineers
Pat Allen offers some helpful tips to try to make the practice of network documentation more sustainable, including tools and technologies that can help automate the documentation process and track the inevitable and ongoing changes. - Drew
Reading a Selective ACK (SACK) Block - Chappell University
https://www.chappell-university.com/post/reading-a-selective-ack-sack-block
Laura Chappell shows you how to interpret Selective ACK (SACK) packets captured in Wireshark. But first, what is a SACK? Laura writes “Selective Acknowledgment (SACK) is used to acknowledge receipt of data packets after the point of packet loss.” The post includes a downloadable sample so you can play along. - Drew
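If you want to check your reading of a SACK block against something other than the Wireshark decode, here is a small parser for the TCP options field. This is an added example, not code from Laura Chappell’s post or from Wireshark; the option bytes below are constructed by hand rather than taken from a capture, and the hole calculation assumes the sequence numbers do not wrap inside the window.

```python
import struct
from typing import List, Tuple

# TCP option kinds used here (RFC 793 for NOP/EOL, RFC 2018 for SACK)
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_SACK_PERMITTED = 4
TCPOPT_SACK = 5


def parse_tcp_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TCP options field and return (kind, payload) pairs.

    NOP and EOL are single bytes; every other option is kind, length, payload,
    where length counts the kind and length bytes too. A bad length raises
    instead of being skipped, because a truncated option is exactly what a
    crafted or corrupted segment looks like."""
    parsed = []
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option kind {kind} at offset {i} is missing its length byte")
        length = options[i + 1]
        if length < 2 or i + length > n:
            raise ValueError(f"option kind {kind} at offset {i} has invalid length {length}")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def sack_blocks(options: bytes) -> List[Tuple[int, int]]:
    """Return every (left_edge, right_edge) SACK block in the options.

    Each block is two 32-bit big-endian sequence numbers. The left edge is the
    first byte the receiver holds beyond a hole; the right edge is the sequence
    number just past the last contiguous byte of that block."""
    blocks = []
    for kind, payload in parse_tcp_options(options):
        if kind != TCPOPT_SACK:
            continue
        if not payload or len(payload) % 8:
            raise ValueError("SACK option length must be 2 + 8*n with n >= 1")
        for off in range(0, len(payload), 8):
            blocks.append(struct.unpack("!II", payload[off:off + 8]))
    return blocks


def missing_ranges(ack: int, blocks: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Compute the holes the sender still has to retransmit as [start, end) ranges.

    The first hole always starts at the cumulative ACK number. Blocks are sorted
    by left edge because a SACK option lists the most recently received block
    first, not the lowest one. Assumes no sequence-number wrap inside the window
    (an assumption for this example; fine for reading a single capture)."""
    holes = []
    cursor = ack
    for left, right in sorted(blocks):
        if left > cursor:
            holes.append((cursor, left))
        cursor = max(cursor, right)
    return holes


def is_malformed(options: bytes) -> bool:
    """True if the options field cannot be parsed (bad or truncated length)."""
    try:
        sack_blocks(options)
        return False
    except ValueError:
        return True


# Constructed sample (not a real capture): two NOPs for alignment, then one SACK
# option (kind 5, length 18) carrying two blocks.
SAMPLE_OPTIONS = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 18]) + struct.pack(
    "!IIII", 2001, 3001, 4001, 5001
)
SAMPLE_ACK = 1001  # cumulative ACK: everything before 1001 arrived in order

if __name__ == "__main__":
    blocks = sack_blocks(SAMPLE_OPTIONS)
    print("SACK blocks:", blocks)
    print("holes to retransmit:", missing_ranges(SAMPLE_ACK, blocks))
```

With an ACK of 1001 and blocks 2001-3001 and 4001-5001, the sender learns that 1001-2000 and 3001-4000 are the bytes that never arrived, which is the same conclusion you would draw from the Wireshark decode. Feeding the parser the raw bytes from the TCP options field of a packet in the sample capture is a good way to confirm you are reading left and right edges the right way round.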
The Four Horsemen of network communication - superdurszlak.dev
https://www.superdurszlak.dev/posts/the-four-horsemen-of-network-communication/
Szymon Durak explains the challenges networking introduces to distributed systems. He’s got a flair for the dramatic, and I feel he slightly overstates his case at times. Even so…it’s refreshing to read a dev who understands networking well enough to understand how the network can impact application behavior. This piece is a huge step up from the default position of “I dunno what’s wrong. Probably those network engineers screwing with things again.” I’m not sure how many times I’ve been faced with some version of “WHAT DID YOU CHANGE?!?” Many. Duck! Blamethrower incoming!! So here’s to you, Szymon. We’d have worked well together. - Ethan
OSPF Basics - Mike Lossmann
https://www.mikelossmann.me/2024/10/02/ospf-basics/
Mike provides a solid overview of OSPF, essential elements of the protocol, and how it differs from other routing protocols. He also includes configurations for setting up OSPF using Nexus 9300s if you want to lab it up. It looks like Mike plans to write a series of posts on networking fundamentals, so we’ll stay tuned. - Drew
SONiC Virtual Switch with FD.io’s Vector Packet Processor (VPP) on Google Cloud - Ronnie Smith on Medium
https://ronnievsmith.medium.com/sonic-virtual-switch-with-fd-ios-vector-packet-processor-vpp-on-google-cloud-89f9c62f5fe3
Ronnie offers this recipe for installing the open source SONiC NOS with VPP on GCP. Why would you want to do this? To get your head around SONiC. SONiC has a lot to offer and runs on several switches you’ve heard of. VPP adds a significant performance boost. - Ethan
The other shift left movement or why zero trust access is shifting to the endpoint (Part 1 & Part 2) - HANKaaS
https://hankaas.cloud/2024/02/17/the-other-shift-left-movement-or-why-zero-trust-access-is-shifting-to-the-endpoint-part-1/
https://hankaas.cloud/2024/09/26/enterprise-browsers-disrupting-secure-service-edge-through-advanced-browser-technologies-part-2/
Hank Yeomans discusses the emergence of the Enterprise Browser. An Enterprise Browser is a browser, likely based on Chrome, that has been created as an endpoint that can be managed centrally. In other words, build your security policies centrally and push them to an Enterprise Browser. Enforcement happens right on the user’s machine, with no man-in-the-middle decryption required.
Hank theorizes that this is going to be a standard part of Secure Service Edge (SSE) offerings, and might serve to replace other functions within an SSE stack. I agree with that. If I was an enterprise, I’d be interested in an Enterprise Browser strategy as a way to simplify endpoint security management and improve user experience. - Ethan
Join Palo Alto Networks at SASE Converge 2024, a two-hour virtual event that will delve into all the latest SASE advancements designed to safeguard your data, streamline your operations and secure your hybrid workforce.
Visit https://www.saseconverge.paloaltonetworks.com/ to register.
TECH NEWS 📣
Hyperscalers are carving up the ocean floor into private internet highways - The Register
https://www.theregister.com/2024/09/25/aspi_hyperscaler_cables/
An Australian think tank that produces policy analysis for leaders in Australia and elsewhere is raising concerns about the impact of US hyperscalers on the usage and ownership of subsea cables that provide access to global Internet services: specifically, the report calls out Meta, Amazon, Microsoft, and Google.
The report notes that these four companies now account for 71% of used capacity in subsea cables, up from about 10% prior to 2012. What’s more, these four companies are investing heavily in subsea cable deployments. For instance, Google is part owner or sole owner of 33 existing and planned cables.
What’s the big deal? The report notes “Such a concentration creates a digital supply-chain dependency risk, where potential disruptions could lead to widespread consequences. Additionally, as their bandwidth needs increase, hyperscalers are transitioning from being primary customers of network capacity to owning and operating subcable systems. As a result, they are managing even more of the ‘internet services stack’—content services, data centres and now network transport. This further compounds the dependency risk and the consolidation of control raises concerns about the principle of an open internet.”
The report considers the risks and benefits that come with more widespread global connectivity at the cost of greater concentration by a few large actors, as well as the impact of geopolitical struggles between the US and China, and more. While the report is primarily focused on the strategic implications for Australia and the Pacific region more broadly, it does raise questions worth considering. The Register article linked above has a good summary, or you can download the full ungated report yourself. - Drew
Microsoft details security/privacy overhaul for Windows Recall ahead of relaunch - Ars Technica
https://arstechnica.com/gadgets/2024/09/microsoft-details-security-privacy-overhaul-for-windows-recall-ahead-of-relaunch/
Given Microsoft’s track record of releasing buggy, insecure software, and a tech media environment absolutely primed for that narrative, you’d think the company would consider the security and privacy implications of a feature that takes screenshots of your computer at regular intervals. Whatever happened to be on the screen at that time–passwords, bank info, work stuff, medical stuff, private stuff–would be photographed and saved unencrypted on your hard drive.
Microsoft did not consider the implications. And when it announced this feature–Recall–to great fanfare, it was greeted with a resounding “WTF are you doing?”
Instead of dumping Recall, Microsoft went back to the drawing board. The company is now highlighting significant security and privacy improvements. They include making the feature opt-in, encrypting the snapshots, and protecting those encryption keys in a TPM. What’s more, the keys “can only be used by operations within a secure environment called a Virtualization-based Security Enclave,” according to a Microsoft blog announcing the reboot.
Clearly, Microsoft knew how to build strong controls for this feature, and could have done so from the start. Why Microsoft has to learn this lesson over and over is a question for the ages. - Drew
Man charged for selling forged license keys for network switches - Bleeping Computer
https://www.bleepingcomputer.com/news/legal/man-charged-for-selling-forged-license-keys-for-network-switches/
Counterfeit keys fed to Brocade switches by three conspirators cost Brocade (remember them?) an estimated amount between $5 and $363 million. That’s quite a spread, with no explanation as to why the estimated losses were so broadly stated. Still. We can assume Brocade lost a bunch of money, whatever the actual loss might have been—at least 3,637 counterfeit keys were sold to end users. Sentencing is coming October 10th, and the penalty could include jail time and significant fines. - Ethan
Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox Strangers - 404 Media
https://www.404media.co/someone-put-facial-recognition-tech-onto-metas-smart-glasses-to-instantly-dox-strangers/
Of course they did. While this project was done by student researchers, it’s well known that there are creeps, weirdos, and surveillance bros who will glom onto any technology that enables them to be creeps, weirdos, and surveillance bros. We’ve done this dance already with Google Glass, and there was a good reason Google Glass owners were quickly labeled Glassholes. I guess we need a new appellation for Mark Zuckerberg’s Meta version. Motherzuckers? Go Zuck yourself? I’m open to workshopping this. - Drew
Cisco is abandoning the LoRaWAN space, and there's no lifeboat for IoT customers - The Register
https://www.theregister.com/2024/10/02/cisco_exiting_lorawan/
You’ve got some time to move to a new vendor, but Cisco is killing its LoRaWAN products. Looks like EoS is 1-Jan-2025, and EoL is 31-Dec-2029. - Ethan
FOR THE LULZ 🤣
RESEARCH & RESOURCES 📒
OSPF Topology Watcher - Vadims06 via GitHub
https://github.com/Vadims06/ospfwatcher
From the README.md: “OSPF Watcher is a monitoring tool of OSPF topology changes for network engineers. It works via passively listening to OSPF control plane messages through a specially established OSPF adjacency between OSPF Watcher and one of the network devices.” You can also dump the events to ELK, Zabbix, WebHooks, and Topolograph. Monitoring, alerting, and history—very useful! - Ethan
DocFlex (Paid App) - Markdown-To-Anything Converter
https://docflex.app/
DocFlex is a native Mac app. What’s it do? The web page says, “Convert multiple Markdown documents at once, entirely offline. Choose from over 30 markup formats like PDF, HTML, EPUB, LaTeX, and many more!” I work in Markdown for many documents. Exporting my MD docs to any other format is usually a pain in the butt. DocFlex looks like a possible answer. Pricing is £9.99 for a personal license, or £19.99 for a standard license. Free eval (which I just installed). - Ethan
Free Cisco Books - Giuliano Barros via LinkedIn
https://www.linkedin.com/posts/giulianobarros_cisco-ciscochampion-networkengineer-activity-7247536228391096320-iWb_/
These free books from Cisco cover Catalyst 9000, Wireless, SD-WAN, SD-Access, DNA Assurance, and AIOps. Links to the books are provided in Giuliano’s post. Each link is directly to an ungated PDF. The PDFs are between about 180 and 300 pages apiece. I downloaded them all. Seems like interesting fodder for Google’s NotebookLM. - Ethan
Segment Routing in MPLS Networks: Practical labs for transitioning from traditional MPLS to SR-MPLS with TI-LFA FRR (Book) - Hemant Sharma via Amazon
https://www.amazon.com/Segment-Routing-MPLS-Networks-transitioning-ebook/dp/B0DHVGK8KM/
This book is available for pre-order with delivery expected 9-January-2025. Here’s the table of contents…
Introduction to MPLS
Lab 1 - Getting Started with LDP-Based MPLS Network
Lab 2 - Introducing SRMPLS (Segment Routing MPLS)
Lab 3 - SR - LDP Interworking
Lab 4 - Introducing TI-LFA (Topology Independent - LoopFree Alternate)
Lab 5 - Zero Segment FRR
Lab 6 - Single Segment FRR
Lab 7 - Double Segment FRR
Lab 8 - Micro-loop Avoidance
Lab 9 - TI-LFA Node Protection
Lab 10 - TI-LFA Local SRLG-Disjoint Protection
Lab 11 - TI-LFA Global Weighted SRLG Protection
Lab 12 - TI-LFA Node + SRLG Protection
Lab 13 - TI-LFA Tiebreaker
Enjoy! - Ethan
TAKE OUR SHORT & HILARIOUS AUDIENCE SURVEY
Okay, our audience survey is not that hilarious. It is a little funny, as we ask some questions designed to make you smile, laugh, chortle, guffaw, snicker, teehee, lol, smirk, or…uh…I’m out of synonyms. Taking the survey won’t take much of your time, and it helps us out as we set direction for our independent little enterprise. Over 6,000 of you sub to this newsletter. If all of you filled out the survey, that would be amazing. That is, don’t leave it to someone else to fill it out for you. There’s only one you, and your thoughts are unique—the stats we gather are nice, but we value your comments the most. THANK YOU. - Ethan
INDUSTRY BLOGS & VENDOR ANNOUNCEMENTS 💬
Start auditing and controlling the AI models accessing your content - Cloudflare
https://blog.cloudflare.com/cloudflare-ai-audit-control-ai-content-crawlers/
If you’re a Cloudflare customer using the company’s Web App Firewall, you can now set policies for how AI bots interact with your site’s content. For instance, if you don’t want AI bots to scrape your content to feed models, you can block them. If you don’t want AI search engines to index your site (and thus provide search result summaries that don’t result in clicks back to your site) you can block them. If you just want to see which, if any, AI bots are hitting your site, you can monitor and get reports. If you want to set more fine-grained policies on which to allow and which to block, you can do that too. The feature is free for WAF customers. - Drew
The Future of Networking: Embracing AI and Cloudification with Private Connectivity Fabric℠ - Lumen
https://blog.lumen.com/the-future-of-networking-embracing-ai-and-cloudification-with-private-connectivity-fabric/
Lumen’s CTO and CPO Dave Ward puts the world on notice that old networking is no longer adequate for the multi-cloud, AI workload-driven computing needs of today. Lumen is building something different. The blog post is an overview of the concepts, but read through Dave’s ungated PDF for more detail and perspective. A clear vision is laid out for what Lumen believes the world needs from a network now and in the future.
TL;DR. Lots of bandwidth. Exclusively programmatic interfaces. Easy reconfiguration & composability. Waves (optical switching), Ethernet, and IP as a service. A massive fiber infrastructure that breaks away from the fiber hotel model. “Seeing the world as a mesh of connectivity instead of a bicycle wheel.” And more. Dave’s always a provocative read, and these latest pieces are no exception. - Ethan
BlueCat enters agreement to acquire LiveAction to broaden its portfolio of network infrastructure management solutions - BlueCat Press Releases
https://bluecatnetworks.com/press/bluecat-enters-agreement-to-acquire-liveaction-to-broaden-its-portfolio-of-network-infrastructure-management-solutions/
DDI vendor BlueCat bought Indeni a while back, and now has bought observability tool LiveAction. Off the top of my head, I see this as adding to BlueCat’s capabilities, not replacing anything they already have. This acquisition strategy is making BlueCat into a more interesting product offering for engineers. We requested a briefing. If we get that scheduled, we’ll have more information to share later. - Ethan
Millions of Enterprises at Risk: SquareX Shows How Malicious Extensions Bypass Google’s MV3 Restrictions - SquareX
https://www.globenewswire.com/news-release/2024/10/03/2957857/0/en/Millions-of-Enterprises-at-Risk-SquareX-Shows-How-Malicious-Extensions-Bypass-Google-s-MV3-Restrictions.html
Security researchers are warning about potential security threats from browser extensions in Google Chrome–despite Google taking steps to reduce the risks of browser extensions. The researchers said they found ways to use malicious extensions to do things such as spy on live video streams, steal site cookies, and redirect users to pages disguised as password managers, among others. You can see a PDF of the presentation here if you want more details. - Drew
TOO MANY LINKS WOULD NEVER BE ENOUGH 🐳
The push to make network engineering cool again - TechTarget
Is Tcl/Tk Dying Out?! (Humor) - Mark Roseman
How Discord Stores Trillions of Messages - Discord Blog
Cobol Has Been "Dead" For So Long, My Grandpa Wrote About It - Wumpus Cave
Bridge46 (bridge between IPv4 & IPv6) - xlmnxp on GitHub
New Email Scam Includes Pictures of Your House. Don’t Fall For It. - EFF
I am tired of AI - Bas Dijkstra (no, not that one)
CPU Performance Since 1972 (chart) - Richard Bejtlich via Mastodon infosec.exchange
Let the network tell you where you are: a nerd snipe story - Rachel By The Bay
The fix for BGP's weaknesses has big, scary, issues of its own, boffins find - The Register
Why TCP needs 3 handshakes - PixelsTech
Falling Down? (Analysis of Amazon’s business in 2024) - The Radar
Impact of Verizon’s September 30 outage on Internet traffic - CloudFlare Blog
Forcing people to change their passwords is officially a bad idea - NewScientist