
Human Infrastructure 424: Ansible Agonies, VRFing with WireGuard, Debugging Wi-Fi 7, and More

THIS WEEK’S MUST-READ BLOGS 🤓 

Ivan Pepelnjak documents several breaking changes introduced in Ansible 12 that have impacted his open source netlab project. If you rely heavily on Ansible in your network automation stack, you should look this article over. - Ethan

Maximilian provides detailed instructions for setting up VRFs using WireGuard in a Linux environment. He discusses his rationale for setting up VRFs and provides example iptables rules and WireGuard configs. - Drew

When we write root cause analysis documents, they tend to explain the technical details of what happened with a follow up of what’s being done so that it never happens again. I’ve written that report, and I bet you have too.

What we don’t talk about is attrition. We don’t make observations like, “If Bobby hadn’t quit due to the horrible toxicity of our working environment, this wouldn’t have happened.” Or, “The real problem isn’t the network design. It’s how understaffed we are since we’re not backfilling positions after people leave. And it’s been three years.”

This piece is a thought exercise on the unspoken impact attrition can have on IT departments, pondering whether or not we should start including that impact in RCA reports. - Ethan

A good breakdown (pun intended) of a global Azure outage caused by a bad config change. The blog walks through a timeline of the outage, which services were affected, and some lessons learned. - Drew  

In Oscar Molnar’s intro, he mentions, “On WiFi 7 (6 GHz, 160 MHz width), standing literally a foot from the router, I was getting around 400 Mbps with iperf3. With 10 concurrent streams it went up to 650 Mbps, but that’s still pathetic.”

He documents his troubleshooting to get to the sort of throughput he was expecting. It was DNS. Kidding, kidding. It turned out to be primarily channel width along with a few other less important things, like standing too close to the router when testing and iperf3 test configuration. But he got there. - Ethan

MORE BLOGS

TECH NEWS 📣

I suppose there may be valid use cases for dorky shades with easy-to-hide video cameras built in, but the kinds of people who want such glasses are exactly the people who shouldn’t be allowed anywhere near them.

I really hope this product goes the way of Google Glass, but it seems Meta is banking on a new generation of influencers and their followers for whom the Panopticon is their natural habitat. - Drew  

The Register reports on research from Cloudflare that finds end users in Asia and Africa are more likely to be rate-limited than users from other countries because of Carrier-Grade NAT being employed by these users’ service providers. The problem is that because many users are sharing a NAT’d IP address, IP-based security controls may block or throttle these connections under the assumption it must be bot traffic. From the research: “Despite bot scores that indicate traffic is more likely to be from human users, CGNAT IPs are subject to rate limiting three times more often than non-CGNAT IPs. This is likely because multiple users share the same public IP, increasing the chances that legitimate traffic gets caught by customers’ bot mitigation and firewall rules.” - Drew  
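As an added example (not from the newsletter, The Register, or Cloudflare’s research), here is a small Python simulation of the mechanism the research describes: a rate limiter keyed on source IP alone counts every subscriber behind one carrier-grade NAT address as a single client, so legitimate human traffic is throttled, while keying on the address plus a per-client signal (a session or device token) counts each subscriber separately. The addresses, client ids, limits and request log are all constructed, and the `likely_human` flag is an assumed stand-in for a bot score, not Cloudflare’s scoring.

```python
from collections import defaultdict, deque

LIMIT = 10     # assumed policy: requests allowed per key per window
WINDOW = 60.0  # assumed policy: window length in seconds

CGNAT_IP = "203.0.113.10"    # constructed: one public address shared by many subscribers
DIRECT_IP = "198.51.100.7"   # constructed: a subscriber with a public address of their own


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any `window`-second span."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # key -> timestamps of allowed requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                  # expire timestamps that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def build_events():
    """Constructed request log of (time, source_ip, client_id, likely_human) tuples."""
    events = []
    for sub in range(5):                       # five human subscribers behind CGNAT_IP
        for i in range(3):
            events.append((i * 10.0 + sub, CGNAT_IP, f"cgnat-sub-{sub}", True))
    for i in range(12):                        # one scripted client behind the same address
        events.append((i * 3.0 + 1.5, CGNAT_IP, "scripted-bot", False))
    for i in range(3):                         # one human on a dedicated address
        events.append((i * 20.0 + 5, DIRECT_IP, "direct-user", True))
    return sorted(events)


def by_ip(ev):
    """Naive key: the source address only. Everyone behind a CGNAT shares one bucket."""
    return ev[1]


def by_ip_and_client(ev):
    """Key on address plus a per-client signal, so subscribers are counted separately."""
    return (ev[1], ev[2])


def run(events, key_fn):
    """Replay the log through the limiter; return {(ip, likely_human): (allowed, blocked)}."""
    limiter = SlidingWindowLimiter()
    counts = defaultdict(lambda: [0, 0])
    for ev in events:
        t, ip, _client, human = ev
        idx = 0 if limiter.allow(key_fn(ev), t) else 1
        counts[(ip, human)][idx] += 1
    return {k: tuple(v) for k, v in counts.items()}


def human_block_rate(results, ip):
    """Share of human-scored requests from `ip` that the limiter blocked."""
    allowed, blocked = results.get((ip, True), (0, 0))
    return blocked / (allowed + blocked) if allowed + blocked else 0.0


if __name__ == "__main__":
    for name, key_fn in (("per-IP", by_ip), ("per-IP+client", by_ip_and_client)):
        results = run(build_events(), key_fn)
        print(name, results,
              "human block rate behind CGNAT:", human_block_rate(results, CGNAT_IP))
```

With the naive key, the shared address exhausts its budget after ten requests and nine of the fifteen human requests behind the CGNAT are refused, while the user on a dedicated address is never touched; with the per-client key every human request passes and only the scripted client, which alone exceeds the limit, is throttled. The scripted client is still limited in both schemes because its own request rate exceeds the budget.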

Trusted Execution Environments (TEEs), or secure enclaves, are meant to protect sensitive data from attackers even if the OS kernel on a device has been compromised. Researchers have found a way to bypass TEEs from Nvidia, AMD, and Intel. While the ability to compromise a TEE is really bad, the attack relies on having physical access to a server, and requires the insertion of a small piece of hardware between “a single physical memory chip and the motherboard slot it plugs into,” according to the Ars story. - Drew

According to the article, Jensen Huang’s argument seems to be “If I’m not allowed to sell my most expensive chips to China, China will beat the US in AI.” That’s some extraordinarily self-serving logic. And what does “winning” even mean? Beware the selling of FUD when it’s the seller who stands to profit. - Drew 

MORE NEWS

FOR THE LULZ 🤣

Shared on LinkedIn by Cecilia

RESEARCH & RESOURCES 📒

“A collection of modern/faster/saner alternatives to common unix commands.” I haven’t experimented with this little library yet, but I am intrigued. There are some cool-looking tools in this collection! - Ethan

Excerpts from the home page. “The Internet Cube, as presented in the video above, fulfills two complementary functions.

1. It cleans your Internet access. To achieve this, it broadcasts its own WiFi network. By using it, all your internet traffic goes through an encrypted tunnel (VPN).

2. It allows you to have your very own piece of Internet. This is what is called self-hosting: to have your own server, hosting services like a blog, a mailbox, file synchronization, contact and calendar synchronization, etc.”

Neat little project. - Ethan

NAT Checker - NAT Type Detection Tool
https://natchecker.com/

Hit the button and NAT Checker will tell you what sort of network address translation you’re behind. For example, I’m in a hotel, and got the following report.

There’s more information NAT Checker provides along with some technical explanations of what’s going on and how to work around functionality problems you might be experiencing. - Ethan

MORE RESOURCES

  1. Sniffnet 1.4.2 Release Notes

  2. OpenWISP 25.10 Release Notes

  3. Forward to Hell? On the Potentials of Misusing Transparent DNS Forwarders in Reflective Amplification Attacks (research PDF) - arXiv

  4. open.space - An open-source communications hardware & software initiative empowering the public to connect across the world by bouncing signals off the Moon.

INDUSTRY BLOGS & VENDOR ANNOUNCEMENTS 💬 

A BGP zombie is a route present in the global BGP routing table that was withdrawn by the originating ASN. Somebody didn’t act on the withdrawal, and thus there’s a route present in the routing table that shouldn’t be there as the withdrawal propagation failed. That’s bad, because now there’s a route we can’t actually get to…but we think we can.

To detect ASNs that aren’t handling withdrawals consistently, ThousandEyes has launched the BGP Stuck Route Observatory. TL;DR. They’re announcing test prefixes and withdrawing them at predefined times. If they see one of their withdrawn routes still being propagated by a particular ASN, they’ll list it as suspect.

If you find one of your ASNs on the list, you can reach out to ThousandEyes to get more detail on what they’re seeing and hopefully track down the root cause. - Ethan
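The observatory approach described above, worked through as an added Python example that is not ThousandEyes’ code: a constructed route-collector feed shows several peers learning a test prefix, the origin withdraws it at a scheduled time, and after a propagation grace period any peer still carrying the prefix is examined. ASNs that appear only on the stale paths are listed as suspect, while an ASN that also sits on a path whose peer withdrew correctly is taken to have forwarded the withdrawal. The prefix, ASNs, timings, grace period and feed format are all assumed.

```python
from collections import defaultdict

TEST_PREFIX = "192.0.2.0/24"   # constructed: documentation prefix used as the test prefix
ORIGIN_AS = 64496              # constructed: private-use ASN playing the announcing origin
WITHDRAWN_AT = 1000            # seconds into the run at which the origin withdraws
GRACE = 300                    # assumed propagation allowance before a route counts as stuck

# Constructed route-collector feed: (time, peer_as, "A"nnounce/"W"ithdraw, prefix, as_path)
UPDATES = [
    (0,    64501, "A", TEST_PREFIX, (64501, 64500, ORIGIN_AS)),
    (0,    64502, "A", TEST_PREFIX, (64502, 64500, ORIGIN_AS)),
    (5,    64503, "A", TEST_PREFIX, (64503, 64510, 64500, ORIGIN_AS)),
    (1010, 64501, "W", TEST_PREFIX, None),
    (1020, 64502, "W", TEST_PREFIX, None),
    # peer 64503 never sends a withdrawal and even re-announces the stale path
    (1250, 64503, "A", TEST_PREFIX, (64503, 64510, 64500, ORIGIN_AS)),
]


def replay(updates, until):
    """Rebuild each collector peer's view of the table from updates up to `until`."""
    rib = defaultdict(dict)          # peer_as -> {prefix: as_path}
    for t, peer, kind, prefix, path in sorted(updates, key=lambda u: u[0]):
        if t > until:
            break
        if kind == "A":
            rib[peer][prefix] = path
        elif kind == "W":
            rib[peer].pop(prefix, None)
    return rib


def classify_peers(updates, prefix, withdrawn_at, grace):
    """Split peers that had the prefix before the withdrawal into those that dropped
    it within the grace period and those still carrying it: (clean_paths, stuck_paths)."""
    before = replay(updates, withdrawn_at)
    after = replay(updates, withdrawn_at + grace)
    clean, stuck = [], []
    for peer, table in before.items():
        if prefix not in table:
            continue                 # peer never saw the route; nothing to judge
        if prefix in after.get(peer, {}):
            stuck.append(after[peer][prefix])
        else:
            clean.append(table[prefix])
    return clean, stuck


def suspect_asns(updates, prefix, origin, withdrawn_at, grace):
    """ASNs that appear only on stale paths. An AS that also lies on a path whose
    peer withdrew correctly evidently forwarded the withdrawal, so it is exonerated;
    the origin is excluded because it is the one that sent the withdrawal."""
    clean, stuck = classify_peers(updates, prefix, withdrawn_at, grace)
    exonerated = {asn for path in clean for asn in path}
    candidates = {asn for path in stuck for asn in path}
    return sorted(candidates - exonerated - {origin})


if __name__ == "__main__":
    clean, stuck = classify_peers(UPDATES, TEST_PREFIX, WITHDRAWN_AT, GRACE)
    print("peers that withdrew cleanly:", len(clean), "peers still carrying it:", len(stuck))
    print("suspect ASNs:", suspect_asns(UPDATES, TEST_PREFIX, ORIGIN_AS, WITHDRAWN_AT, GRACE))
```

In the constructed feed, 64500 sits on every path but is cleared because peers 64501 and 64502 both dropped the route on time, which leaves 64503 and 64510 as the ASNs that might have failed to pass the withdrawal along; a single run cannot tell which of the two is at fault, which is why the real observatory lists ASNs as suspect rather than guilty.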

This is a monster blog post from the Cloudflare team, leading with the following jubilation (much to my surprise). “This week, the last week of October 2025, we reached a major milestone for Internet security: the majority of human-initiated traffic with Cloudflare is using post-quantum encryption mitigating the threat of harvest-now/decrypt-later.”

Lots of detailed data follows covering the state of quantum hardware, software, and more, so if this topic is interesting, dig in. - Ethan

If you’re building an AI data center on top of a Cisco network, this announcement likely interests you. TL;DR. There’s a new switch—the Cisco N9100 with 51.2 Tbps based on NVIDIA Spectrum-X Ethernet silicon. It’ll run NX-OS or SONiC. There’s a Cisco Cloud Reference Architecture that’s NVIDIA Cloud Partner compliant so you can build your DC in a Cisco & NVIDIA validated way.

There’s a bit more to the announcement related to how Silicon One fits in along with Cisco Cloud ASICs, the Nexus Dashboard, and licensing, some of which is referenced in this related post from Cisco here. - Ethan

Observe offers an observability platform targeted at DevOps and site reliability engineers. It’s just announced new AI agents: AI SRE to speed up incident investigations by providing “a contextual understanding of logs, metrics, and traces in real time”; and o11y.ai Agent, which “lets developers generate code instrumentation, debug, and ask questions about their application.” The announcement reflects a broader trend across all IT infrastructure stacks in which operators will interact with tools using natural language. - Drew 

MORE INDUSTRY NEWS

DYSTOPIA IRL 🐙

TOO MANY LINKS WOULD NEVER BE ENOUGH 🐳

LAST LAUGH 😆

It’s a little late in the season for this one, but I won’t remember it for next Halloween. (And it should include more than bearded white guys as engineers.) Shared on LinkedIn by the US Networking User Association.