DNS Delegation

A presentation, by ISC's Ondřej Surý, at RIPE 92 was on the topic of DNS provisioning, looking at how to strike a balance between resilience and efficiency in the provisioning of nameservers of DNS zones and the performance of DNS resolvers. Let's dive into this topic!

HN829: EVPN/VXLAN Vs. TradCore

Drew and Ethan sit down with Tony Bourke to determine whether TradCore or EVPN VXLAN is right for your network. Tony is a seasoned instructor in automation, network design, and more. They explore the key factors for choosing a design, including scale and redundancy, operational complexity, and workload mobility.

Hedge 307: bgproutes.io

If you advertise routes into the default free zone (or global Internet), you might struggle with seeing and understanding what they look like “on the other side.” While there are many manual tools to help operators with this process, bgproutes.io gives you visibility in the global routing table through interfaces like BMP. Listen to this episode of the Hedge to learn more.
 
You can find bgproutes.io here.

130 Years of Wireless Communications

Here’s a short glimpse into the history of telecommunications: in a building at the top of this mountain (barely noticeable blip across the saddle from the radio tower; search for Capo Figari for more details), Guglielmo Marconi conducted experiments in the ~1930s (after inventing the wireless telegraph system in the late 1890s).

The original radio could “transmit” at most 40-60 words per minute (the limit of a skilled Morse Code operator). 130 years later, I’m writing this blog post using a 200 Mbps Internet connection via a low-earth-orbit satellite with response times low enough that I can run an interactive SSH session with no noticeable delay. It’s almost incomprehensible how far we’ve come in such a short time.

IPB201: The Never-Ending Prefix Debate: Revisiting Best Current Practices

Today’s conversation centers around a new Best Current Practices (BCP) RFC draft written by Jordi Martinez. Our hosts explore the document for service providers and enterprises, including prefix sizing for point-to-point links, the pros and cons of numbering choices, and best practices for prefix pool allocation. Episode Links: IPv6 Prefix Assignment to End-Sites – RFC...

N4N056: A Wireless NAC Walkthrough

In the previous episode of N is for Networking, Jennifer “JJ” Jabbusch gave us a thorough overview of Network Access Control (NAC) for wired networks. This week we’re going wireless! JJ walks us through the major differences between wired and wireless NAC, how 802.1X is more seamless in Wi-Fi deployments, the unpredictability of web portals,...

How we built Cloudflare’s data platform and an AI agent on top of it

Cloudflare processes more than a billion events every second. Our network spans 330+ cities in 120+ countries. Behind every HTTP request, every Worker invocation, every R2 read operation, there is data, and a lot of it.

For years, that data was not very easy to access. It lived in dozens of production databases, ClickHouse clusters, Kafka streams, Google Cloud buckets, BigQuery datasets, and a long tail of pipelines. To answer a simple question like "How many domains that signed up today are in the Top 100 by traffic?", an analyst at Cloudflare had to know which system to ask, what credentials to use, what query language to write, and whether the data they were looking at was sampled, fresh, or seven-days stale. As a result, it was difficult to glean informed insights from the data.

To solve this problem, we built two in-house tools: Town Lake, Cloudflare's unified data analytics platform, and Skipper, an AI data agent that runs on top of it. Town Lake is a single SQL interface to everything Cloudflare knows, and Skipper is how anyone at Cloudflare can ask questions in plain English and get correct, auditable answers back in seconds.

This is the story

Worth Reading: Ephemeral BGP Leaks

Doug Madory wrote an interesting article (published on APNIC blog) arguing that we shouldn’t worry about ephemeral BGP leaks that can be observed only during the BGP path hunting process that follows a route withdrawal.

I have to disagree with that. It’s never a good idea to ignore a dead canary in the coal mine.

While the ephemeral leaks do not impact the end result (after all, the route is gone), they are an important indicator of the lack of BGP route policy enforcement in the autonomous systems that propagate them. If an autonomous system is propagating a bogus route when no better routes are available, it’s equally likely to propagate a bogus route when an intruder manages to inject it.

The AI Agent Accountability Gap: Why Network Policies, API Gateways, And RBAC Are Not Enough

In The Five Pillars of AI Agent Accountability: A Diagnostic Framework for Engineering Leaders, we walked through each pillar of AI agent accountability (traceability, authorization provenance, identity and ownership, policy at scale, and human oversight) and argued that most enterprises today sit at Level 0 or Level 1 of the Accountability Maturity Model.

The most common reaction we get when we share that framework is some version of: “We’re already covered. We have network policies. We have an API gateway. We have RBAC.”

This article is for that reaction.

Enterprises aren’t starting from zero. Most have invested in security, networking, and identity infrastructure that works well for traditional workloads. The problem isn’t a lack of tools. It’s that existing tools were designed for model outputs, not autonomous actions; a world where services are deterministic, communication patterns are predictable, and humans make all the decisions.

Agentic AI breaks every one of those assumptions. Here’s where the most common approaches each leave a critical accountability gap.

Network policies: the wrong abstraction level

Kubernetes Network Policies are essential for securing any cluster. They restrict which pods can communicate with which other pods at the network level, and they should absolutely

Iran’s Internet is partially restored, Cloudflare Radar data shows

On Tuesday, May 26, Iran’s vice president announced that Internet access had started to be restored in the country after being cut off almost three months ago, following the launch of U.S. and Israeli attacks on February 28.

Cloudflare Radar data confirms increased activity and indicates a partial restoration of the Internet in Iran. In this blog post, we’ll examine a range of data points that provide a lens into this prolonged shutdown – and the signs that Iran’s citizens are increasingly able to connect once again. As the situation continues to unfold, Radar will have the latest data on Iran’s connectivity.

The first shutdown

Iranian citizens have experienced two national Internet shutdowns this year. The first began on January 8 around 16:30 UTC (20:00 local time), and we explored the impact seen over the first few days in a blog post. Traffic from Iran remained near zero until January 21, when a small amount of traffic returned, only to disappear a little over 24 hours later. A similar brief restoration also occurred on January 25, before traffic recovered more fully beginning on January 27.

The second shutdown

In late February, as military strikes on Iran escalated, a second

Chesterton’s Fence

Imagine yourself walking down a country lane, lush green grass around you, no farm animals anywhere, when suddenly you see a fence right in the middle of the path. You think, now, that’s a bit silly, that fence is blocking the path, somebody should have this fence removed. And by thinking that you’d fall right into the predicament known as Chesterton’s Fence. That is, you see something that you instinctively feel does not belong and you want to remove it. And perhaps that is exactly what needs to be done, but not before you ask a very important question, “why”? Why is the fence here? What function does it serve? Who put it there? What were they trying to achieve?

In any complex system, and most of the systems we work with these days are complex, problems often arise as a result of relationships and interactions between components. Our systems contain many components, some with special optimizations, some acting as local stabilizers, that might appear inefficient and unintuitive. Other components, or parts of the system seem to serve no apparent purpose at all.

Any given component is usually self-contained and can be understood, reasoned about, modified and improved by one
