The Fat Pipe - All of the Packet Pushers Podcasts

Summary: The Packet Pushers Podcast Network offers continuous professional development for IT professionals. Keep up with networking, security, cloud, career, and more. We bring the IT community together--engineers, architects, vendors, developers, educators, etc. In this feed, listen to every conversation we record!

  • Artist: Greg Ferro, Ethan Banks, Drew Conry-Murray, Chris Wahl, Scott Lowe
  • Copyright: © 2021 Packet Pushers Interactive LLC

Podcasts:

 Weekly Show 407: Delivering Applications In Multi-Cloud Environments With Avi Networks (Sponsored) | File Type: audio/mpeg | Duration: 48:00

More enterprises are moving applications to or developing applications in the cloud, whether on premises or in public clouds such as AWS, Azure, and Google. One problem is that each cloud has its own approach to networking, so trying to build a consistent networking strategy across multiple clouds becomes very difficult. Today’s sponsor, Avi Networks, offers a next-generation ADC, load balancer, and Web application firewall, entirely delivered in software, that can run in a multi-cloud environment. The software has two key components: a controller for global configuration and management, and service engines that are deployed in private and public cloud instances. Avi Networks can work across clouds while being managed from a central console. On today’s show we talk about why enterprises are adopting a multi-cloud strategy, and how Avi Networks can help customers ensure application delivery, provide security, and enable automation at scale across multiple cloud environments. Our guest is Steve Allie, Director of Systems Engineering for North America at Avi Networks.

Show Links:
  • Avi Networks
  • Multi-Cloud Load Balancing: Separating Fact from Fiction – Avi Networks Blog

 BiB 055: Meta Networks Brings SD-Perimeter To Talari’s SD-WAN | File Type: audio/mpeg | Duration: 3:44

The following text is a transcript of the audio you can listen to in your podcatcher or the web player.

Welcome to Briefings In Brief, an audio digest of IT news and information from the Packet Pushers, including vendor briefings, industry research, and commentary. I’m Ethan Banks, it’s September 13, 2018, and here’s what’s happening. I had a briefing with Amy Ariel, CMO and Etay Bogner, CEO of Meta Networks today.

Who’s Meta Networks? Meta Networks is a remote access network provider. If you currently manage your own VPN concentrators or firewalls so that your remote workers can access the network, Meta Networks is a Network-as-a-Service alternative to that traditional VPN architecture familiar to many of us. In this briefing, Meta Networks discussed their…

New Partnership With Talari

Talari is an SD-WAN provider for enterprises. Meta is providing remote access. Therefore, what you’ve got with the Talari/Meta partnership is a full-featured WAN solution. Talari provides the SD-WAN part, and Meta provides the software defined perimeter part. (That’s right, folks…software defined perimeter is a category now.)

How Does All Of This Work?

First, I’m going to assume you have a sense of what SD-WAN is all about. Your wide area network, multiple circuits terminated on a forwarding device at each of your sites, optimizing traffic in accordance with a policy you’ve defined. That includes forwarding traffic between branch offices and headquarters, as well as traffic to and from the cloud and cloud-based services. SD-WAN, such as what Talari has, doesn’t usually give you remote access capability. You still need a VPN service for that. Enter Meta Networks.

Meta’s got a Network-as-a-Service. As a Meta Networks customer, you get a virtual network that assumes zero-trust. That is, a Meta network isn’t just about access. It’s also about strict policy control. That means that endpoints don’t get access to something on the network just because they connected and authenticated successfully. Rather, a network administrator sets a policy defining exactly what resources endpoints have access to. Meta tracks user identity of each remote endpoint based on the IPSEC overlay tunnel connecting it to your virtual Meta network.

Meta describes their network as a “sun” architecture. Think of that big bright thing in the sky that you sometimes see when leaving a data center to get coffee or go out for lunch. Meta imagines the sun as a ring connecting all of their global POPs together. Endpoints connect to the sun, like rays of light. Endpoints could be laptops or a device at your headquarters office. Or a Talari SD-WAN box.

Meta Described The Partnership As At Stage One

The integration is not very tight as yet. You’ll be managing a security policy for remote access users on the Meta side, and a network policy for your wide area network on the Talari side. The magic here is the connection between your Talari appliances and your Meta Networks virtual network, giving you some traffic optimization to cloud for your remote access users, as well as secure access everywhere. A good way to think about what you end up with is an interconnected, remote access, wide area network that caters to security-conscious shops spread out over a large geographic area. You’ll work with channel partners to bring the combined solution to life.

For More Information

…about these solutions, go to metanetworks.com and talari.com. You can also do a search on packetpushers.net for Meta Networks as well as Talari, where you can find more podcasts and articles we’ve created about these companies.

 PQ 155: Forecasting Network Evolution At VMworld’s Future:Net 2018 | File Type: audio/mpeg | Duration: 36:14

Today’s Priority Queue was recorded live in August 2018 at the Future:Net conference at VMworld 2018. Greg Ferro and Ethan Banks interview Bruce Davie, VMware’s VP & CTO, VMware Asia Pacific & Japan; and Guido Appenzeller, VMware’s CTO, Cloud and Networking. The Packet Pushers and their guests discuss:
  • Whether blockchain has legitimate enterprise uses
  • Key differences between multi-cloud and hybrid cloud deployments
  • The difficulty of day-2 operations in cloud deployments
  • The bifurcation of networking into the underlay and overlay
  • What needs to happen to bring intent-based networking from vision to reality
  • VMware’s notion of the self-driving data center
  • Why security needs to be a feature, not a product

This episode peeks at the promises of new and emerging ideas in networking, but with a practical eye for the realities of real-world operations, and a bit of push-back on grand visions.

 Network Break 201: Azure Wounded By Power Surge; NIST Tackles BGP Security | File Type: audio/mpeg | Duration: 55:54

Today's fully caffeinated Network Break episode examines an Azure outage, a NIST specification for BGP security, eBay's open-source server design, and more tech news. Then stay tuned for a sponsored Coffee Talk with 128 Technology on session-oriented routing.

 BiB 054: Create & Deploy Unikernels With NanoVMs | File Type: audio/mpeg | Duration: 4:59

The following is a transcript of the audio you can listen to in your podcatcher or the player above.

I had a briefing with Ian Eyberg, CEO of NanoVMs today. Who is NanoVMs? NanoVMs makes software to help you create and deploy unikernels. In this briefing, Ian discussed with me the state of the unikernel ecosystem and how NanoVMs fits into things.

Quick context for you if you don’t know what a unikernel is. Quoting from unikernel.org, “Unikernels are specialised, single-address-space machine images constructed by using library operating systems. They are built by compiling high-level languages directly into specialised machine images that run directly on a hypervisor, such as Xen, or on bare metal.” A big point with unikernels is that of security. Since unikernels are single process with a minimal attack surface, they aren’t interesting targets for hackers. A hacker can’t do anything with a unikernel, even if they were to find a vulnerability. If that context didn’t help, search for datanauts + unikernels for several podcasts we’ve recorded on the subject.

Let’s jump back to the conversation I had with Ian. One point Ian made was that unikernels, even though you haven’t been hearing much about them lately, are seeing a lot of interest and adoption. Unikernels are in production in shops both large and small, and there are several startups in the space. That said, there are some barriers to unikernel adoption, the main one being that they are a challenge to work with if you come from a typical operations background. You gotta create the unikernel before you can deploy it, and making a unikernel isn’t like firing up apt-get and installing all the stuff you need into a base operating system until you get to a golden image. Instead, unikernel creation requires working with source code and binaries, compiling everything required for the machine image to run. That’s a knowledge gap for many operators, as most of us aren’t really systems-level people. We work above that layer. This is at the core of what NanoVMs helps with–handling that system level work that’s required to make a unikernel so that anyone could do it using their GUI.

Speaking of their GUI, I did get a passing glance at it at VMworld in late August. Ian was there at the NanoVMs booth, and I did an on-the-spot interview with him for our YouTube channel, so Google Ian Eyberg and Packet Pushers if you want a distant look at the GUI through the lens of our camera.

In addition to helping you create unikernels, NanoVMs helps you deploy them. Maybe you’re equating unikernels with just a different sort of container, and thinking that you’d rather use Kubernetes for unikernel deployment than NanoVMs tooling. Ian pointed out to me that while unikernels have many parallels with containers, they are different beasts. Kubernetes is very good at container orchestration, but not optimized for unikernel orchestration. You’d actually be incurring a needless performance penalty using K8s to deploy unikernels. So, sure…you COULD integrate NanoVMs with a Kubernetes environment, but Ian is pretty sure you don’t actually want to do that.

Furthermore, the unikernel orchestration process will vary depending on the unikernel use case. Unikernels are finding uses in IoT, embedded systems, NFV, edge computing, and cloud infrastructure. Those use cases differ dramatically, meaning a different sort of orchestrator might be appropriate in each. Kubernetes isn’t a fit everywhere. Another issue I raised with Ian about the barriers to unikernel adoption ...

 Weekly Show 406: Updates And Introspection | File Type: audio/mpeg | Duration: 1:12:51

Today’s show is just Ethan, Greg and Drew having a chat. We spend a little time discussing some behind-the-scenes Website activities, including migrating to a new hosting platform, making the transition to SSL, and rolling out Ignition. We also preview some upcoming content on Ignition, and welcome the IPv6 Buzz podcast to its official channel. The Packet Pushers crew went onsite at VMworld so we share what we were up to, including experimenting with video and attending VMware’s Future:Net sessions. We also riff on service meshes as the next holy grail in IT. Last but not least, we talk about our struggles to stay physically and mentally healthy.

 IPv6 Buzz 008: Our IPv6-Only Future | File Type: audio/mpeg | Duration: 38:40

In this episode of IPv6 Buzz, we examine how and why to make the transition from a dual-stack to an all-v6 world. Topics discussed include:
  • Why individual advocacy and evangelism of IPv6 inside large companies is so important
  • How IoT is devouring IP addresses
  • The challenges of IPv6-only in the enterprise today
  • Why buying and using IPv4 addresses from resellers can be problematic
  • Why you should dual-stack your VPN servers
  • What strategies have helped Microsoft deploy IPv6 internally

Our guest is Veronika McKillop, network architect at Microsoft and president/chair of the UK IPv6 Council (as well as Cisco alum and IPv6 presenter at many CiscoLive events).

Your Hosts:
  • Ed Horley @ehorley
  • Tom Coffeen @ipv6tom
  • Scott Hogg @scotthogg

 PQ 154: Design Challenges In Military Networks | File Type: audio/mpeg | Duration: 1:27:06

Imagine you’ve got to build a network that delivers data no matter what, because the mission is critical. And not just “mission critical” in the business sense–sometimes actual lives are at stake. However, the constraints are enormous. All you’ve got to work with are satellite links with high latency and low throughput, no terrestrial infrastructure unless you provide it yourself, the very highest imaginable security requirements, and a limited budget. This scenario is normal for the military.

Here to chat with us about networking in this highly specialized environment is PC Drew. We discuss issues such as working with bandwidth constraints, hostile environments, training and skills development, and more. Drew is a major in the Marine Corps Reserve and was on active duty for ten years. He’s currently CTO at SchoolBlocks, and has a background in network and software engineering. There’s a lot of interesting points in this show, so we’ve pasted the entirety of our show notes below.

Show Notes:
  • We did a show with Peter Wohlers on the future of networking, which was also a bit of a look back at some evolution…QoS, SDN, etc. Some of that conversation had you both agreeing and disagreeing with us. Explain.
  • Snowflake networks
  • Unique configurations vs unique requirements/constraints vs unique networks
  • Often, a “snowflake network” is a sign that it is misconfigured (not always…there are some actual unique requirements!)
  • “QoS is the devil’s work” and “just get a bigger pipe”.
  • It is the devil’s work–it’s hard, but necessary
  • Many people can’t “just get a bigger pipe”–need to understand how to maximize what you have
  • Overlaying networks adds significant complexity to an already complex environment (avoid tunnels!)
  • Although we need tunnels, they make our lives harder. Sometimes they’re required and other times they’re an indicator of an architecture that was not designed appropriately.
  • Path MTU issues that Peter described also happen on overlay networks, where <1500 byte frames are common.
  • MSS and TCP Windowing also play a role here
  • Commoditization of network skills. Deep technical experience is hard to come by in public AND private sectors. How do you run global operations with less experienced people?
  • Military networks are rather specialized. Can you describe some of the common constraints?
  • Running military communications is often like someone walking into a field in the middle of nowhere and telling you: “I want all the capabilities that I have in my office….right here…in a few hours.”
  • We’re often given very little requirements and asked to just “build it.” Sometimes with very little notice.
  • In practice, everything is limited by survivability, logistics, and bandwidth.
  • Survivability
  • Elements such as sand, water, heat/cold, unstable power, etc
  • Mobility challenges (a force on the move)
  • A thinking enemy (kinetic and cyber attacks)
  • Physical security (concertina wire, barriers, being able to inspect cables for tampering, etc)
  • Cyber security (evaluating your own posture, understanding the enemy’s capabilities and limitations, having tools that detect and potentially respond to network anomalies)
  • Logistics
  • In many cases, you have to pack up everything you need and take it with you.

 BiB 053: Mode.net’s Cloud Private Network For Your SD-WAN | File Type: audio/mpeg | Duration: 5:34

Mode briefed Ethan Banks about their cloud private network. Whoa! Thought Mode was an SD-WAN company? Not quite. Mode partners with several SD-WAN platforms so that it’s easy to stand up a tunnel from your SD-WAN forwarders to Mode’s private network. That makes Mode a network alternative to private MPLS that integrates with your SD-WAN fabric. As a Mode customer, you can spin up and spin down virtual networks on the fly, optimizing each virtual network for whatever characteristics you find most important–jitter, latency, loss, etc. How does Mode enforce the SLA required to meet your goals? Math! Math that was sorted out at Cornell University and is brought to life as HALO, a link-state algorithm that reacts to changes in traffic flows across the network, flooding link state changes in 150ms. The result is a dynamic, routed network that is optimized for your specific needs. Listen in the audio player above for Ethan’s impressions.

For More Information
  • https://www.mode.net
  • HALO: Hop-by-Hop Adaptive Link-State Optimal Routing (PDF, academic research paper)

 Datanauts 146: A VDI Design Guide | File Type: audio/mpeg | Duration: 45:52

Today on the Datanauts we tackle Virtual Desktop Infrastructure, or VDI. Our guest is Johan van Amersfoort, Technical Marketing Architect and EUC specialist at ITQ Consultancy. He’s author of the new book VDI Design Guide. Johan and the Datanauts explore the business requirements for undertaking a VDI project, including reducing OpEx, improving security, and addressing the challenges of a mobile workforce and BYOD. They review potential gotchas in a VDI design, and then drill into the elements your design must account for, including the network, CPU and RAM, host sizing, and failover. In part three, Johan discusses how to handle remote users, whether to run AV, and identity and access control issues.

Sponsor: ITProTV
Join ITProTV to learn the skills to pass the most in-demand IT certs. It’s binge-worthy learning! ITProTV’s extensive course library includes CEH v9, CISA, CompTIA A+, Mac Certified Support Professional, and more! Visit itpro.tv/data and use code DATANAUTS to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.

Show Links:
  • VDI Design Guide: A comprehensive guide to help you design VMware Horizon, based on 2018 standards – Amazon
  • Johan on Twitter
  • VDI Design Guide on Twitter

 Network Break 200: VMware Navigates Multicloud Perils And Opportunities | File Type: audio/mpeg | Duration: 29:32

Today's Network Break analyzes key product announcements and news from VMware's VMworld 2018 conference, including vSphere Platinum, Amazon RDS on premises, and VMware's strategy to win in a multicloud world.

 Weekly Show 405: Juniper Contrail SD-WAN: Driving Wave Two (Sponsored) | File Type: audio/mpeg | Duration: 1:01:47

Software defined WAN is a more complicated conversation than optimized routing over multiple circuit types. Modern SD-WAN solutions bring in security, high availability, multi-tenancy, and deep application recognition. They even integrate with other tech in addition to the fancy routing. In today’s sponsored episode, Juniper Networks joins us to talk about its Contrail SD-WAN product. We discuss Contrail SD-WAN and how it differs from other vendors’ approaches, and how SD-WAN use cases have evolved. We also dive into three key pillars of Contrail SD-WAN: routing, VPNs, and security. Our guest is Tony Sarathchandra, Director, Product Management – Software Defined Networking Technology and Solutions at Juniper Networks.

Show Links:
  • SD-WAN – Juniper Networks

 PQ 153: DDoS Open Threat Signaling For Coordinated Response | File Type: audio/mpeg | Duration: 30:58

In today’s Priority Queue podcast I chat with Andrew Mortensen about Distributed Denial Of Service Open Threat Signaling, or DOTS, an active IETF working group. DOTS enables disparate DDoS products and services to interact so they can request, coordinate, and terminate mitigation efforts. We discuss the rationale for DOTS, examine use cases, and look at the architecture that enables communication and coordination. We also look at how DOTS relates to, and differs from, BGP Flowspec. Andrew is Principal Architect at Arbor Networks, the security division of NetScout. This episode was recorded live at the 102nd meeting of the Internet Engineering Task Force in Montreal.

Show Links:
  • DDoS Open Threat Signaling (dots) – IETF
  • Distributed Denial of Service (DDoS) Open Threat Signaling Requirements – IETF
  • Distributed Denial of Service (DDoS) Open Threat Signaling Architecture – IETF
  • PQ Show 78: BGP Flowspec For DoS Mitigation – Packet Pushers

 Full Stack Journey 024: Embracing Automation As An IT Pro With Brett Johnson | File Type: audio/mpeg | Duration: 45:50

In this month’s episode of the Full Stack Journey podcast, Brett Johnson joins Scott to revisit the topic of automation and how IT professionals can (and should!) embrace automation as a core part of their skill set. You can follow Brett on Twitter, or visit his blog at https://sdbrett.com. During this episode, Scott and Brett discuss:
  • Challenges Brett encountered in embracing automation as a core part of his skill set (Hint: The challenges aren’t necessarily technical!)
  • Helpful tools and resources
  • The role of books in learning new technologies. Are they useless?
  • Where blogs fit into an IT professional’s “toolset” when it comes to learning new technologies

Sponsor: Linux Academy
Linux Academy offers the most hands-on training content in AWS, Azure, OpenStack, Linux, DevOps, Containers, security, and Google Cloud. Beginners and advanced learners alike will find up-to-date courses in skills development and certification prep. Hands-on labs let you work in actual cloud environments. Find out about the newest courses available online–including free courses–here.

Show Links:
  • Clean Code by Robert C. Martin (via Amazon)
  • “Python Fundamentals” by Austin Bingham and Robert Smallshire on Pluralsight
  • “Continuous Delivery Using Docker and Ansible” by Justin Menga on Pluralsight
  • Safari Books Online
  • Virtual Design Master

 Network Break 199: Arista, VMware Team Up; Microsoft To Share Network Emulator | File Type: audio/mpeg | Duration: 57:03

On today's Network Break, Arista and VMware integrate CloudVision and NSX, Microsoft pledges to open-source a network emulator, TLS 1.3 gets final approval, and more tech news analysis. And stay tuned after the news for a Coffee Talk with Silver Peak customer Blue Shield of California.
