Scaling Akvorado BMP RIB with sharding

To associate routing information—like AS paths or BGP communities—to flows, Akvorado can import routes through the BGP Monitoring Protocol (BMP). As the Internet routing table contains more than 1 million routes, Akvorado needs to scale to tens of millions of routes.¹ This has been a long-standing challenge,² but I expect this issue is now fixed by using RIB sharding, a method that splits the routing database into several parts to enable concurrent updates.

Previous implementation

Akvorado connects 2 elements to build its RIB:

a prefix tree, and
a list of routes attached to each prefix.

Akvorado BMP RIB implementation before sharding with the memory layout of each
structure and a single lock. — Akvorado BMP RIB implementation without sharding. One single read/write lock.

In the diagram above, the RIB stores five IPv4 prefixes and two IPv6 prefixes. One of them, 2001:db8:1::/48, contains three routes:

from peer 3, next hop 2001:db8::3:1, AS 65402, AS path 65402, community 65402:31,
from peer 4, next hop 2001:db8::4:1, same ASN, AS path, and community,
from peer 5, next hop 2001:db8::5:1, AS 65402, AS path 65401 65402 Continue reading

The Five Pillars of AI Agent Accountability: A Diagnostic Framework for Engineering Leaders

You’re in a board meeting. The CISO is presenting on AI risk. The CFO asks a simple question:

“When that finance agent we deployed last quarter accessed a customer payment record, can we tell who authorized it, what policy permitted it, and produce the full audit trail?”

The CISO looks at the head of the platform. The head of the platform looks at security. Nobody answers.

If you can picture that meeting happening at your company, you’re not alone. McKinsey found that only one-third of organizations have AI agent governance maturity at level 3 or higher. The other two-thirds are exactly the silence in that boardroom.

This post is the diagnostic framework that closes that gap. It’s part 2 of a five-part series on AI agent accountability, and if you only have time to read one post in the series, read this one. By the end you’ll have a five-question assessment to run with your team this week, and a maturity model to score where you stand today.

Not all governance equals AI agent accountability. Many enterprises believe they’re covered because they have network policies or an API gateway, but governance without accountability is a security theater: it Continue reading

Hedge 306: RPKI Transport

Synchronizing information across the Internet, at an initial glance, looks like a fairly simple problem to solve. Just copy a file to a host and create a magic protocol, right? Not really. Each kind of data has a fairly unique set of requirements–and RPKI data, used to provide security information for BGP, is no different. Job Snijders joins Tom and Russ to talk about ERIK, a protocol developed to synchronize RPKI records.

For more information, check out Job’s web site and the IETF draft.

download

Technology Short Take 196

Welcome to Technology Short Take 196! Just in time for the US Memorial Day holiday, I am back with another list of articles related to various data center technologies like networking, security, operating systems, and applications. You will find articles on VPNs, Linux local privilege escalation (LPE) vulnerabilities, browser quirks and workarounds, the death of Terraform (again), and so much more. Enjoy your weekend reading!

Networking

Andrew Ward shares an Ansible role to block abusive subnets using IPSet.
From this article on switching to WireGuard from Tailscale, I learned about Headscale (an open source implementation of the Tailscale control plane).

Servers/Hardware

Doug Dawson looks at some innovations that continue to improve computing power. Doug’s article includes a few items I hadn’t yet heard of.

Security

Bitwarden confirmed a compromise of its CLI package on NPM.
First, we had CopyFail. Now we have Dirty Frag and Fragnesia.
Daniel Stenberg talks about how Mythos found a single vulnerability—yes, just one—in curl.
I don’t really have words for this…security incident? That doesn’t seem like the correct way to describe such a massive oversight, especially when you realize it happened to a cybersecurity agency. “Oops” doesn’t even begin to describe it.

Continue reading

Public Videos: OpenFlow Deep Dive

Remember OpenFlow, the One Protocol to Bind Them All¹? I haven’t heard anyone even mention it in ages, and I never bothered to ask whether anyone is still using it after the dismal results of the 2022 poll.

Anyway, if you still have to deal with that ancient blunder, six hours of deep dive videos I recorded a decade ago might still be useful. You can watch them without an ipSpace.net account.

Watch the videos

Looking for more binge-watching materials? You’ll find them here.

Announcing Claude Compliance API support with Cloudflare CASB

Today, we are extending Cloudflare’s cloud access security broker (CASB) to support the Claude Compliance API. Security and compliance teams can now monitor Claude usage directly in the Cloudflare dashboard. No endpoint agents required.

Enterprise security teams have long struggled to see how users interact with sanctioned and unsanctioned applications. The rapid adoption of AI applications has made this harder. Employees spend significant time in these new surface areas, and their interactions differ from traditional SaaS: users upload files, share freeform prompts, and providers generate content that may contain sensitive data.

Cloudflare CASB helps solve this problem. One API integration gives you out-of-band visibility and control over the applications your organization uses. This integration builds on our existing support for AI governance, extending coverage over the most common tools security teams now manage.

The fast path to safe AI adoption

AI adoption has outpaced security governance. While IT and security teams raced to enable AI tools for productivity, the controls lagged behind. Most organizations today operate with partial visibility: they may block unauthorized AI tools at the network layer, but they cannot see what happens inside sanctioned ones.

This matters because AI tools are not like traditional SaaS Continue reading

Oak Ridge Starts Weaving Together A Quantum, Classical HPC, And AI System Stack

Worth Reading 052126

The Technocratic State represents a new invisible risk of the 21st century, as it does not present itself as a conventional political authority. It appears as a technical solution that seems inevitable.

Author and journalist Michael Pollan characterizes our era as the “Second Copernican Shock,” a civilizational turning point where the boundary between human empathy and algorithmic calculation is increasingly blurred.

It’s always difficult for ISPs to fully understand how changes in the economy might impact them. Folks in the industry see the usual statistics on unemployment and inflation, but those don’t really tell much about the future as it relates to broadband adoption.

Companies rushing to adopt AI and LLMs without a clear strategy may be creating new risks.

Power failures are to blame for the most impactful data center outages, while network issues are the most frequent culprits for IT service disruptions, according to Uptime Institute’s latest analysis.

Dual-Stack SR-MPLS

After the introduction to SR-MPLS demo I did during the Segment Routing workshop @ ITNOG10, we moved to dual-stack SR-MPLS – can we assign node segment identifiers (SIDs) to IPv4 and IPv6 prefixes? The demo used the same three-router network as the previous one, with IPv4 SIDs starting at one and IPv6 SIDs starting at 101:

Cisco Launches Major Updates to Certifications

Cisco just announced major updates to their certification portfolio. Here’s what’s changing:

CCNA v2.0
CCIE practical exam AI DOO module
CCIE automation v1.2

CCNA v2.0

Effective February 2027, the CCNA is getting a major update. The future networking administrator/engineer will be more of an orchestrator than operator. Meaning that punching commands on the CLI will only be a small part of the future job role. Instead, you must be able to design, secure, and optimize increasingly autonomous networks. To be job-ready, you’ll need to learn how to:

Troubleshoot production issues under pressure
Evaluate what an AI assistant recommends and know when it’s wrong
Secure an environment by design, not an afterthought

The CCNA is about to get a whole lot more practical! Here’s what’s changing:

Troubleshooting gets a front seat. Employers value troubleshooting over reciting commands. Every domain will diagnostics and problem resolution. Think of the old TSHOOT CCNP exam, but instead of a separate exam, this is the format of the CCNA now. I’m really excited about this!

Security everywhere. We can no longer afford to think of security only as a separate domain, it needs to be part of everything we do. The new exam Continue reading

BGP and Multi-Cloud Routing

For years, enterprise cloud networking was built around a simple assumption: pick a primary cloud provider, connect the data center to it, and expand from there.

That model no longer reflects how many organizations actually operate.
Today, workloads often live across AWS, Azure, and Google Cloud at the same time. Sometimes this is intentional. Sometimes it is the result of acquisitions, separate engineering teams, SaaS dependencies, regional requirements, or SaaS platforms that depend on a specific cloud provider. Either way, the network has to make these environments behave like one reliable system.
That is where the hard part begins.

Cloud-native routing tools are useful inside each provider, but they do not automatically solve routing between providers, between clouds and colocation hubs, or between multiple cloud environments and an enterprise WAN. Once routing needs to become dynamic, policy-driven, and resilient across administrative boundaries, BGP becomes the common language.

BGP is not new, and it is not always simple. But in multi-cloud networking, it remains one of the few mechanisms that AWS, Azure, Google Cloud, carriers, colocation providers, SD-WAN platforms, and enterprise routers can all understand.

What inter-cloud routing actually means

The term “inter-cloud routing” is often used loosely, so it is Continue reading

TCG076: Packet Pushers Assemble! Bridging the Telemetry Divide

Today our Packet Pushers team assembles to discuss whether the grass is greener on the NetOps or DevOps side of the telemetry fence. William of The Cloud Gambit, Scott of Total Network Operations, and Ned and Kyler of Day Two DevOps discuss the difficulties and differences of getting telemetry and state from devices across different... Read more »

My Network is Talking Back Thanks to SuzieQ MCP and it’s Channeling Sam Kinison

Last Updated: 2025-05-19 Every SuzieQ Enterprise release quietly adds things that end up being genuinely useful in day-to-day network operations. Version 3.3 has had a few updates already. The GUI has seen a lot of attention. The new workbench makes it even easier to get at your data without jumping around, and you can now READ MORE

The post My Network is Talking Back Thanks to SuzieQ MCP and it’s Channeling Sam Kinison appeared first on The Gratuitous Arp.

Worth Reading: Agentic AI Setup: Sandboxes and Worktrees

Most of the hyperventilated AI “success stories” are as useful as the “ANSIBLE!!!” movement was a few years ago. It’s thus always a pleasure to find someone with well-established software development chops who took the time to describe what works for them.

One cannot argue with Mike McQuaid’s credentials (at least if you happen to be using homebrew on MacOS, which you REALLY SHOULD), and his Sandboxes and Worktrees: My secure Agentic AI Setup in 2026 article is full of relevant recommendations in case you’re brave enough to let AI agents loose on your GitHub repository.

Encrypted DNS at OARC 46

Much has been said about the use of the DNS as a means of tracking and controlling the online behaviour of users. The response has been to hide the DNS behind encrypted transport.

phpIPAM installation on Ubuntu Server 26.04 LTS

How to install phpipam on Ubuntu Server 26.04 LTS server.

Dell Bulks Up Hardware As AI Infrastructure Shifts To On-Premises

PP110: News Roundup–Linux Fragged, Edge’s Password Manager Dragged, Android Intrusions Tagged, and More

JJ and Drew unpack an overstuffed suitcase of infosec stories in today’s News Roundup. Microsoft’s Edge password manager stores credentials in plaintext and Microsoft says “Yup”, the Linux kernel takes a one-two punch from Dirty Frag and Fragnesia, and a new industry coalition takes critical infrastructure protection private. A Taiwanese radio enthusiast allegedly brings high-speed... Read more »

HS132: Heart of Glasswing

How can enterprise IT folks prepare for the age of Mythos? Anthropic says its Claude Mythos model is so much better at finding software vulnerabilities that it has delayed public release. Instead Anthropic launched Project Glasswing to give IT infrastructure and software makers early access, so they can have some lead time to address vulnerabilities... Read more »

HW079: Driving AI Efficacy in Wi-Fi (Sponsored)

Every wireless vendor has an AI story. What actually matters now? Efficacy. Recorded live at Mobility Field Day, Keith sits down with HPE’s Bob Friday right off the show floor to discuss how HPE’s announcements are driving toward an autonomous network and what features are the key to truly making a difference in day-to-day life... Read more »

1 2 3 … 3,872 Next »