A deep dive into BPF LPM trie performance and optimization
2025-10-21
This post explores the performance of BPF LPM tries, a critical data structure used for IP matching. ...
Continue reading »
Simplify allowlist management and lock down origin access with Cloudflare Aegis
2025-03-20
Cloudflare Aegis provides dedicated egress IPs for Zero Trust origin access strategies, now supporting BYOIP and customer-facing configurability, with observability of Aegis IP utilization soon....
connect() - why are you so slow?
2024-02-08
This is our story of what we learned about the connect() implementation for TCP in Linux. Both its strong and weak points. How connect() latency changes under pressure, and how to open connection so that the syscall latency is deterministic and time-bound...
Using DNS to estimate the worldwide state of IPv6 adoption
2023-12-14
In the last decade, IPv6 adoption on the client side went from under 1% to somewhere in the high 30 to low 40 percent, depending on who’s reporting, but there’s also the other end of the equation: the server side...
Amazon’s $2bn IPv4 tax — and how you can avoid paying it
2023-09-26
In this blog, we’ll explain a little bit more about the technology involved, but most importantly, give you a step-by-step walkthrough of how Cloudflare can help you eliminate the need to pay Amazon for something that they shouldn’t be charging you for in the first place...
MORE POSTS
February 02, 2023 1:32 PM
Cloudflare's handling of a bug in interpreting IPv4-mapped IPv6 addresses
Recently, a vulnerability was reported to our bug bounty about a bug in the way some of our code interprets IPv4 addresses mapped into IPv6 addresses. ...
- By
March 04, 2019 4:00 PM
Building fast interpreters in Rust
In the previous post we described the Firewall Rules architecture and how the different components are integrated together. We created a configurable Rust library for writing and executing Wireshark®-like filters in different parts of our stack written in Go, Lua, C, C++ and Java...
- By
September 10, 2018 9:21 AM
Fixing an old hack - why we are bumping the IPv6 MTU
Back in 2015 we deployed ECMP routing - Equal Cost Multi Path - within our datacenters. This technology allowed us to spread traffic heading to a single IP address across multiple physical servers....
- By
August 16, 2018 3:01 PM
Enable Private DNS with 1.1.1.1 on Android 9 Pie
Android 9 Pie includes a slew of new features around digital well-being and privacy. Here's how to use the new Private DNS feature with 1.1.1.1....
- By
July 19, 2018 12:03 AM
IPv6 in China
At the end of 2017, Xinhua reported that there will be 200 Million IPv6 users inside Mainland China by the end of this year.. Halfway into the year, we’re seeing a rapid growth in IPv6 users and traffic originating from Mainland China....
- By
March 29, 2018 10:43 AM
eBPF, Sockets, Hop Distance and manually writing eBPF assembly
A friend gave me an interesting task: extract IP TTL values from TCP connections established by a userspace program. This seemingly simple task quickly exploded into an epic Linux system programming hack. ...
- By
December 21, 2017 2:01 PM
2018 and the Internet: our predictions
At the end of 2016, I wrote a blog post with seven predictions for 2017. Let’s start by reviewing how I did. I’ll score myself with two points for being correct, one point for mostly right and zero for wrong. That’ll give me a maximum possible score of fourteen. Here goes......
- By
May 25, 2017 5:30 PM
Less Is More - Why The IPv6 Switch Is Missing
At Cloudflare we believe in being good to the Internet and good to our customers. By moving on from the legacy world of IPv4-only to the modern-day world where IPv4 and IPv6 are treated equally, we believe we are doing exactly that....
- By
November 21, 2016 2:14 PM
98.01% of sites on Cloudflare now use IPv6
It's 2016 and almost every site using Cloudflare (more than 4 million of them) is using IPv6. Cloudflare sees significant IPv6 traffic globally where networks have enabled IPv6 to the consumer....
- By
June 07, 2016 6:55 PM
Supporting the transition to IPv6-only networking services for iOS
Early last month Apple announced that all apps submitted to the Apple Store June 1 forward would need to support IPv6-only networking as they transition to IPv6-only network services in iOS 9. ...
- By
September 28, 2015 2:00 AM
Happy 5th Birthday, CloudFlare!
Today is September 27, 2015. It's a rare Super Blood Moon. And it's also CloudFlare's birthday. CloudFlare launched 5 years ago today. It was a Monday. While Michelle, Lee, and I had high expectations, we would never have imagined what's happened since then....
- By
September 02, 2015 10:15 AM
Test all the things: IPv6, HTTP/2, SHA-2
CloudFlare constantly tries to stay on the leading edge of Internet technologies so that our customers' web sites use the latest, fastest, most secure protocols. For example, in the past we've enabled IPv6 and SPDY/3.1....
- By
June 11, 2015 10:31 AM
iOS Developers — Migrate to iOS 9 with CloudFlare
Thousands of developers use CloudFlare to accelerate and secure the backend of their mobile applications and websites. This week is WWDC, where thousands of Apple developers come to San Francisco to talk, learn and share best practices for developing software for Apple platforms....
- By
June 05, 2015 6:42 PM
Four years later and CloudFlare is still doing IPv6 automatically
Over the past four years CloudFlare has helped well over two million websites join the modern web, making us one of the fastest growing providers of IPv6 web connectivity on the Internet. ...
- By
February 04, 2015 2:16 PM
Path MTU discovery in practice
Last week, a very small number of our users who are using IP tunnels (primarily tunneling IPv6 over IPv4) were unable to access our services because a networking change broke "path MTU discovery" on our servers. ...
- By