Source Specific Multicast (SSM) VII

Source Specific Multicast (SSM) VII

In this post, we will look at Source Specific Multicast, or SSM. This is a different approach to multicast that simplifies the overall architecture by removing the need for an RP entirely.

In the previous posts, we covered PIM Sparse Mode, where receivers join a shared tree rooted at the RP and then optionally switch to the shortest path tree toward the source. We also looked at Auto-RP and BSR, which solve the problem of dynamically distributing RP information to all routers. SSM takes a different approach by eliminating the shared tree concept altogether.

Multicast PIM Sparse Mode
Sparse Mode only sends traffic to parts of the network that explicitly request it. Routers with interested receivers send Join messages toward

Any Source Multicast (ASM)

Before we look at SSM, let's briefly talk about Any Source Multicast, or ASM. This is the traditional multicast model we have been using throughout this series.

With ASM, receivers join a multicast group without specifying a source. They simply say 'I want traffic for group 239.1.1.1' and the network figures out how to deliver traffic from any source sending to that group. This is why it is called Any Source Multicast.

Continue reading

NB582: Infoblox Adds Network Observability with Kentik Buy; Satellite Data Centers vs. the Environment

Take a Network Break! We start with a critical vulnerability in Adobe Coldfusion. On the news front, Infoblox acquires Kentik to add network observability to its portfolio, data center electricity consumption jumps worldwide, and Exabeam rolls out AI-agent focused detection in its Agent Behavior Analytics platform. DriveNets and WhiteFiber connect two AI data centers over... Read more »

Introducing Precursor: detecting agentic behavior with continuous client-side signals

Bot mitigation is an adversarial game: attackers adapt, defenders respond, and the cycle continues. At Cloudflare, we stay ahead by combining visibility across our global network with signals from the client-side environment. At the network level, we analyze over 1 trillion requests per day to understand reputation, patterns, and anomalies across more than 20% of the web. On the client side, we’ve pushed detection deeper with Cloudflare Turnstile, which has evolved from a CAPTCHA replacement to a risk-based managed challenge that adapts the amount of friction needed to verify the user is authentic.

Today, Turnstile runs nearly 3 billion times per day on some of the most sensitive endpoints on the Internet, helping verify users at key moments like login, signup, and checkout. This improves protection on the most important areas of customer applications, but still leaves limited visibility into the rest of the application — how humans and bots actually interact across the full user journey.

This is the visibility gap we’re closing today with our launch of Precursor.

Introducing Precursor

Precursor is a client-side, session-based verification system, built with privacy in mind, that uses dynamically injected JavaScript to continuously collect behavioral signals as visitors interact with your Continue reading

SONiC: Populating CONFIG_DB

Introduction

Before a switch can forward data traffic, its ASIC must first be programmed with the device's port configuration. This includes information such as the number of front-panel ports, their supported speeds, the number of lanes assigned to each port, the speed of each lane, and the administrative and operational state of every port.

SONiC relies heavily on a Redis-based database model. During startup, the configuration stored in config_db.json is loaded into CONFIG_DB. The *mgrd daemons running inside the SWSS container then receive the changes relevant to them through Redis Pub/Sub notifications. After a daemon has processed its part of the configuration, it publishes the corresponding application-level state to APPL_DB.

The orchagent process in the SWSS container monitors changes in APPL_DB, translates the application-level state into hardware objects suitable for ASIC programming, and publishes the resulting hardware objects to ASIC_DB. The actual ASIC programming takes place in the next stage: the syncd container monitors ASIC_DB changes and passes them through the SAI interface to the vendor-specific SDK, which interacts with the ASIC driver stack to program the physical switch ASIC.

This chapter focuses on port programming because it clearly illustrates the complete programming pipeline. Other configuration objects follow the Continue reading

Prescribed Enterprise AI Architectures for Small, Mid-Size, and Large Organizations

The first article in this series, Enterprise AI Adoption: Requirements for Security, Governance, and Scale, defined the problem: enterprises consume AI through coding tools, standalone hosted applications, custom agents, and enterprise knowledge systems, but need consistent controls across identity, credentials, data, cost, providers, and operations. The second article, A Reference Architecture for Governed Enterprise AI, … Continue reading Prescribed Enterprise AI Architectures for Small, Mid-Size, and Large Organizations

A Reference Architecture for Governed Enterprise AI

In the first article in this series, Enterprise AI Adoption: Requirements for Security, Governance, and Scale, we identified four ways enterprises consume AI and seven requirements that apply across them. Those requirements cover identity, non-human credentials, cost governance, security and data controls, model flexibility, optimization, and observability. This article translates those requirements into a reference … Continue reading A Reference Architecture for Governed Enterprise AI

Enterprise AI Adoption: Requirements for Security, Governance, and Scale

AI adoption inside enterprises rarely begins with a coordinated platform strategy. It usually starts with individuals and teams selecting tools that solve immediate problems. A developer subscribes to an AI coding assistant. Another team builds an application using a foundation-model API. Employees begin using standalone cloud applications such as ChatGPT, Claude, Gemini, or Codex. A … Continue reading Enterprise AI Adoption: Requirements for Security, Governance, and Scale

Tiered Network Policy: Scaling Kubernetes Security

As Kubernetes clusters scale from a few development sandboxes to massive, multi-tenant production environments, platform teams often find themselves facing a configuration management crisis. A small number of microservices suddenly demand hundreds of individual Kubernetes NetworkPolicy objects. Managing them becomes operationally expensive, auditing them is difficult, and a single developer misconfiguration can easily drop critical production traffic or open a massive security hole.

To scale cluster security without slowing down engineering velocity, we must abandon the flat, uncoordinated rule planes of the past. The solution lies in establishing a clear, multi-layered framework: a hierarchy of trust powered by tiered network policies.

The Core Problem with Standard Kubernetes NetworkPolicy

Standard Kubernetes NetworkPolicy resources are genuinely useful for basic application microsegmentation, but they have major architectural and organizational bottlenecks when scaled across an enterprise:

  1. Namespace-Scoped by Design: Standard network policies are inherently scoped to a namespace. If your security team mandates a cluster-wide rule, such as blocking all internal pods from querying the cloud provider’s metadata API (169.254.169.254), you have to copy-paste that policy into every single namespace. If a developer creates a new namespace, that guardrail doesn’t exist until someone manually applies it.
  2. Organizational Friction: Because anyone with Continue reading

Improving Smart Tiered Cache for Public Cloud Regions

In 2021, we shipped Smart Tiered Cache. The idea: for each origin behind your site, Cloudflare picks the single best upper-tier data center to route through, based on real-time latency. Flip one switch, and we find the fastest path from our network to your origin.

That works as long as an origin IP lives in one fixed place. Public cloud origins usually don't. They sit behind anycast or regional unicast front ends, so one origin IP can look equally close to a dozen Cloudflare data centers at once — and the latency probes have nothing to lock onto. Smart Tiered Cache handles this the safe way: when there's no clear winner, it falls back to several upper tiers. Nothing breaks. You just lose the thing that made a single closest tier worth it, which is cache efficiency.

Smart Tiered Cache for Public Cloud Regions fixes this by letting you provide a cloud region hint. With that hint, Cloudflare can map public cloud origins to the right region and select better primary and fallback upper tiers, even when the origin IP itself looks anycast or ambiguous.

We made our most popular tiered cache topology smarter

Since it was launched, Smart Tiered Continue reading

Why we cannot wait for better post-quantum signature algorithms

RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack. They were standardized in 2024 by the U.S. National Institute of Standards and Technology (NIST) after an eight-year open international competition.

The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access. We are targeting 2029 for Cloudflare to be fully post-quantum secure.

ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be Continue reading

Save the Address, Save the Cloud: A Hands-on KubeVirt Live Migration Workshop

In the previous post in this series, we covered why Virtual Machine (VM) Live Migration in Kubernetes is difficult: a VM’s IP is its identity, and the “new” VM on the destination node has to come up with the same IP, this something that Kubernetes is not known for, and on top of that, traffic has to switch over only after network security policies are in place. Calico v3.32.0 delivers all the above and allows you to Live Migrate a VM without any network disruptions and this post is a short, do-it-yourself workshop to achieve it.

In about 5 minutes you’ll bring up a 3-node cluster, install Calico + KubeVirt, run a VM, and migrate it live.

Requirements

Note: In many Linux distros the default for most kernel parameters are too low, for a kind cluster running KubeVirt. Use the following command to temporarily increase these limits.

sudo sysctl -w fs.inotify.max_user_instances=2048
sudo sysctl -w fs.inotify.max_user_watches=1048576

If you face any Continue reading

Hedge 311: The Dangers of AI

We are often told that if engineers who don’t go “all in” on AI will be left behind. While there are a few voices who argue that AI can be a dangerous tool, impacting not only the quality of our work, but the very quality of our thinking skills. Doug Smith, a critic of using AI for engineering, joins this episode of the Hedge to argue the contrary view of AI.

What are the dangers of relying on AI?

download

You can find Doug’s blog here.

Save the Address, Save the Cloud (KubeVirt VM Migration Story)

Kubernetes is built for containers, and it’s been doing that since it used to run docker as an engine for its containers. But what if you want to add VMs to the mix? After all, containers are ephemeral and don’t require fixed IPs as they shift the identity toward labels, but VMs on the other hand are tied to IP addresses and in some cases MAC addresses.

This brings us to this blog about VM migration and IP preservation. Unlike a pod that can be part of a deployment and run in a swarm of stateless endpoints, a VM is a stateful machine run by hypervisor like QEMU and extended to Kubernetes via KubeVirt Custom Resource Definitions (CRDs).

There Is Something About KubeVirt

KubeVirt is an abstraction layer between the underlying hypervisor (QEMU) on your machine and Kubernetes. Its job is to manage a VM’s lifecycle and provide the necessary requirements for a VM to be a native resident in Kubernetes. These requirements are CPU, Memory, Networking, etc.

KubeVirt does this by wrapping each VM in an ordinary Kubernetes pod called virt-launcher. Inside that pod, KubeVirt runs libvirt and QEMU, and the “VM” is really just a process scheduled, networked, Continue reading

Introducing Meerkat: an experiment in global consensus

Many internal services at Cloudflare need to read and modify the same control-plane state from across our 330+ global data centers. They need guarantees that different readers never see inconsistent state, and that the system remains available for writes even when some data centers or links fail.

But Cloudflare’s network runs across the entire Internet, and the Internet is an unpredictable place. Servers and data centers go down. Queues fill up. Links and cables get cut. These conditions make it difficult to run a globally available data system that guarantees strong consistency (e.g., that all readers are guaranteed to read all prior writes) because hostile conditions hinder distributed system replicas’ ability to reliably synchronize data with one another.

One way to synchronize data safely despite adverse network conditions is via a consensus algorithm, which allows a set of machines to agree on the same sequence of values, such as key-value store put and get operations, as long as a majority remains alive and able to communicate. 

Unfortunately, commonly deployed consensus algorithms like Raft suffer in wide-area networks like Cloudflare’s because they rely on leaders and timeouts. The leader is the only replica allowed to make writes, and Continue reading

Mengenal Mantis Shrimp: Pukulan Tercepat di Dunia Hewan

Ikan mantis shrimp menjadi salah satu makhluk laut yang paling menarik untuk dipelajari saat ini, terutama karena kemampuannya yang luar biasa dalam dunia hewan. Dengan pukulan tercepat di antara semua spesies hewan, mantis shrimp menarik perhatian para ilmuwan dan penggemar biologi di seluruh dunia. Fenomena ini tidak hanya unik dalam hal kekuatan, tetapi juga dalam mekanisme biologis dan perilakunya yang kompleks. Artikel ini akan membahas secara mendalam tentang mantis shrimp, mulai dari biologi, keunikan pukulannya, hingga relevansinya dalam penelitian dan aplikasi teknologi terbaru.

Apa Itu Mantis Shrimp?

Mantis shrimp adalah hewan laut yang termasuk dalam ordo Stomatopoda. Meskipun namanya mengandung kata “shrimp” (udang), ikan mantis shrimp sebenarnya jauh berbeda dari udang biasa karena memiliki bentuk tubuh dan perilaku yang unik. Hewan ini dikenal dengan warnanya yang cerah dan cakar yang sangat kuat, yang digunakannya untuk berburu dan mempertahankan diri di habitat alaminya, yaitu perairan hangat di sepanjang terumbu karang tropis dan perairan dangkal pantai.

Keistimewaan utama dari mantis shrimp ini adalah kemampuan pukulannya yang sangat cepat dan kuat, yang menjadi fokus utama banyak studi terkini. Mereka mampu menghasilkan pukulan dengan kecepatan dan tenaga yang melebihi banyak predator lain di lautan.

Mantis Shrimp dan Pukulan Tercepat di Dunia Hewan

Fenomena paling Continue reading

1 2 3 3,886