site: blog.cloudflare.com
The day my ping took countermeasures
https://blog.cloudflare.com/the-day-my-ping-took-countermeasures/ [blog.cloudflare.com]
2023-07-12 00:08
tags:
development
investigation
linux
networking
swtools
While this doesn’t happen too often, a computer clock can be freely adjusted either forward or backward. However, it’s pretty rare for a regular network utility, like ping, to try to manage a situation like this. It’s even less common to call it “taking countermeasures”. I would totally expect ping to just print a nonsensical time value and move on without hesitation.
Ping developers clearly put some thought into that. I wondered how far they went. Did they handle clock changes in both directions? Are the bad measurements excluded from the final statistics? How do they test the software?
source: L
KEMTLS: Post-quantum TLS without signatures
https://blog.cloudflare.com/kemtls-post-quantum-tls-without-signatures/ [blog.cloudflare.com]
2021-01-16 02:37
tags:
beta
crypto
networking
quantum
security
web
KEMTLS, therefore, achieves the same goals as TLS 1.3 (authentication, confidentiality and integrity) in the face of quantum computers. But there’s one small difference compared to the TLS 1.3 handshake. KEMTLS allows the client to send encrypted application data in the second client-to-server TLS message flow when client authentication is not required, and in the third client-to-server TLS message flow when mutual authentication is required. Note that with TLS 1.3, the server is able to send encrypted and authenticated application data in its first response message (although, in most uses of TLS 1.3, this feature is not actually used). With KEMTLS, when client authentication is not required, the client is able to send its first encrypted application data after the same number of handshake round trips as in TLS 1.3.
Intuitively, the handshake signature in TLS 1.3 proves possession of the private key corresponding to the public key certified in the TLS 1.3 server certificate. For these signature schemes, this is the straightforward way to prove possession; another way to prove possession is through key exchanges. By carefully considering the key derivation sequence, a server can decrypt any messages sent by the client only if it holds the private key corresponding to the certified public key. Therefore, implicit authentication is fulfilled. It is worth noting that KEMTLS still relies on signatures by certificate authorities to authenticate the long-term KEM keys.
Speeding up Linux disk encryption
https://blog.cloudflare.com/speeding-up-linux-disk-encryption/ [blog.cloudflare.com]
2020-03-25 18:16
tags:
linux
perf
programming
storage
At one point we noticed that our disks were not as fast as we would like them to be. Some profiling as well as a quick A/B test pointed to Linux disk encryption. Because not encrypting the data (even if it is supposed-to-be a public Internet cache) is not a sustainable option, we decided to take a closer look into Linux disk encryption performance.
To be fair, the request does not always traverse all these queues, but the important part here is that write requests may be queued up to 4 times in dm-crypt and read requests up to 3 times. At this point we were wondering if all this extra queueing can cause any performance issues. For example, there is a nice presentation from Google about the relationship between queueing and tail latency. One key takeaway from the presentation is: “A significant amount of tail latency is due to queueing effects.”
source: HN
The History of the URL
https://blog.cloudflare.com/the-history-of-the-url/ [blog.cloudflare.com]
2020-03-08 03:24
tags:
article
networking
retro
web
On the 11th of January 1982 twenty-two computer scientists met to discuss an issue with ‘computer mail’ (now known as email). Attendees included the guy who would create Sun Microsystems, the guy who made Zork, the NTP guy, and the guy who convinced the government to pay for Unix. The problem was simple: there were 455 hosts on the ARPANET and the situation was getting out of control.
More consistent LuaJIT performance
https://blog.cloudflare.com/more-consistent-luajit-performance/ [blog.cloudflare.com]
2018-12-13 02:34
tags:
benchmark
jit
lua
perf
So, did we achieve everything we wanted to in 12 months? Inevitably the answer is yes and no. We did a lot more benchmarking than we expected; we’ve been able to make a lot of programs (particularly large programs) have more consistent performance; and we’ve got a fair way down the road of implementing a new GC. To whoever takes on further LuaJIT work – best of luck, and I look forward to seeing your results!
source: L
Know your SCM_RIGHTS
https://blog.cloudflare.com/know-your-scm_rights/ [blog.cloudflare.com]
2018-11-30 19:44
tags:
c
networking
programming
unix
So how do you make two different processes, written in two different programming languages, share the same TCP socket? Fortunately, Linux (or rather UNIX) provides us with just the tool that we need. You can use UNIX-domain sockets to pass file descriptors between applications, and like everything else in UNIX connections are files.
Every 7.8μs your computer’s memory has a hiccup
https://blog.cloudflare.com/every-7-8us-your-computers-memory-has-a-hiccup/ [blog.cloudflare.com]
2018-11-23 21:10
tags:
hardware
investigation
perf
programming
systems
I was particularly interested in one of the consequences of how dynamic RAM works. You see, each bit of data is stored by the charge (or lack of it) on a tiny capacitor within the RAM chip. But these capacitors gradually lose their charge over time. To avoid losing the stored data, they must regularly get refreshed to restore the charge (if present) to its original level. This refresh process involves reading the value of every bit and then writing it back. During this “refresh” time, the memory is busy and it can’t perform normal operations like loading or storing bits.
This has bothered me for quite some time and I wondered... is it possible to notice the refresh delay in software?
source: L
RPKI - The required cryptographic upgrade to BGP routing
https://blog.cloudflare.com/rpki/ [blog.cloudflare.com]
2018-09-26 14:20
tags:
crypto
networking
security
standard
Today we need to talk about why existing operational practices for BGP routing and filtering have to significantly improve in order to finally stop route leaks and hijacks, which are sadly pervasive in today’s Internet routing world. In fact, the subtle art of running a BGP network and the various tools (both online and within your network’s subsystems) that are vital to making the Internet routing world a safe and reliable place to operate need to improve.
Resource Public Key Infrastructure (RPKI) is a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number. RPKI is defined in RFC6480 (An Infrastructure to Support Secure Internet Routing). Cloudflare commits to RPKI.
A Detailed Look at RFC 8446 (a.k.a. TLS 1.3)
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ [blog.cloudflare.com]
2018-08-13 18:36
tags:
crypto
networking
security
standard
The latest version of TLS, TLS 1.3 (RFC 8446) was published today. It is the first major overhaul of the protocol, bringing significant security and performance improvements. This article provides a deep dive into the changes introduced in TLS 1.3 and its impact on the future of internet security.
Abusing Linux's firewall: the hack that allowed us to build Spectrum
https://blog.cloudflare.com/how-we-built-spectrum/ [blog.cloudflare.com]
2018-04-30 01:39
tags:
linux
networking
Soon after we started building Spectrum, we hit a major technical obstacle: Spectrum requires us to accept connections on any valid TCP port, from 1 to 65535. On our Linux edge servers it’s impossible to “accept inbound connections on any port number”. This is not a Linux-specific limitation: it’s a characteristic of the BSD sockets API, the basis for network applications on most operating systems.
Writing complex macros in Rust: Reverse Polish Notation
https://blog.cloudflare.com/writing-complex-macros-in-rust-reverse-polish-notation/ [blog.cloudflare.com]
2018-02-05 07:53
tags:
functional
programming
rust
So, here is my take on describing the principles behind writing such macros. It assumes you have read the Macros section from The Book and are familiar with basic macro definitions and token types. I’ll take Reverse Polish Notation as an example for this tutorial. It’s interesting because it’s simple enough, you might already be familiar with it from school, and yet to implement it statically at compile time, you already need to use a recursive macro approach.
Why TLS 1.3 isn't in browsers yet
https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/ [blog.cloudflare.com]
2017-12-29 22:01
tags:
browser
development
networking
security
standard
turtles
web
Pretty simple, right? As it turns out, some servers didn’t implement this correctly and this led to a chain of events that exposed web users to a serious security vulnerability.
However, insecure downgrades are called insecure for a reason.
This unexpected setback caused a crisis of sorts for the people involved in the protocol’s design.
Removing features that have been part of a protocol for 20 years and expecting it to simply “work” was wishful thinking.
The original protocol negotiation mechanism is unrecoverably burnt.
The History of Stock Quotes
https://blog.cloudflare.com/history-of-stock-quotes/ [blog.cloudflare.com]
2017-12-29 21:59
tags:
finance
history
networking
retro
tech
It should be no secret that money motivates. Stock trading presents one of the most obvious uses of fast long-distance communication. If you can find out about a ship sinking or a higher than expected earnings call before other traders, you can buy or sell the right stocks and make a fortune.
Go, don't collect my garbage
https://blog.cloudflare.com/go-dont-collect-my-garbage/ [blog.cloudflare.com]
2017-11-13 21:27
tags:
benchmark
concurrency
garbage-collection
go
perf
programming
I started playing with the GOGC variable. First I set it to 2,400, which made sense since we have 24 cores, perhaps collecting garbage 24 times less frequently will do the trick: ECDSA-P256 Sign,671538.90, op/s, oh my that is getting better.
source: HN
ARM Takes Wing: Qualcomm vs. Intel CPU comparison
https://blog.cloudflare.com/arm-takes-wing/ [blog.cloudflare.com]
2017-11-09 04:33
tags:
benchmark
cpu
hardware
perf
vapor
I tested the Qualcomm Centriq server, and compared it with our newest Intel Skylake based server and previous Broadwell based server.
source: L
Perfect locality and three epic SystemTap scripts
https://blog.cloudflare.com/perfect-locality-and-three-epic-systemtap-scripts/ [blog.cloudflare.com]
2017-11-08 20:28
tags:
concurrency
investigation
linux
networking
perf
In this blog post we’ll explain the REUSEPORT socket option, how it can help with packet locality and its performance implications. We’ll show three advanced SystemTap scripts which we used to help us understand and measure the packet locality.
How to Monkey-Patch the Linux Kernel
https://blog.cloudflare.com/how-to-monkey-patch-the-linux-kernel/ [blog.cloudflare.com]
2017-10-29 16:21
tags:
development
linux
programming
swtools
systems
That was mostly fine, until recently, when my machine, unannounced, updated to Wayland.
It would be nice if that didn’t happen, but given that it does...
SystemTap’s command-line tool, stap, compiles your script into a Linux kernel module and loads it. The module, on load, will find the function you want to probe and will overwrite it with a jump to your probing code. The probe code does what you specify, then jumps back to the original function body to continue as usual.
Helping to make LuaJIT faster
https://blog.cloudflare.com/helping-to-make-luajit-faster/ [blog.cloudflare.com]
2017-10-22 00:48
tags:
jit
lua
perf
update
This project will also naturally help us advance our wider research interests centred around understanding how VM performance can be improved. I’m hopeful that what we learn from LuaJIT will, in the long run, also help other VMs improve. Indeed, we have big ideas for what the next generation of VMs might look like, and we’re bound to learn important lessons from this project.
The Languages Which Almost Became CSS
https://blog.cloudflare.com/the-languages-which-almost-became-css/ [blog.cloudflare.com]
2017-08-03 18:14
tags:
development
html
retro
web
So then I get to tell people, “Well, you get to learn this language to write your document, and then you get to learn that language for actually making your document look like you want it to.” Oh, they’ll love that.
LuaJIT Hacking: Getting next() out of the NYI list
https://blog.cloudflare.com/luajit-hacking-getting-next-out-of-the-nyi-list/ [blog.cloudflare.com]
2017-02-22 17:00
tags:
compiler
jit
lua
perf
programming
One of the first pieces of advice anyone receives when writing Lua code to run quickly using LuaJIT is “avoid the NYIs”: the language or library features that can’t be compiled because they’re NYI (not yet implemented). And that means they run in the interpreter.
A very long post with lots of details.