Skip to content
Morning Briefing · Wednesday, June 24, 2026

Post-Quantum Deadline Set, EVPN Breaks at Anycast, and China Tops the Supercomputer List

networkingautomationai-mldatacentersecurityscience
Listen to the episode
Post-Quantum Deadline Set, EVPN Breaks at Anycast, and China Tops the Supercomputer List
13 min · 73 turns
Plate Ileaf · spine
Schematic leaf-spine fabric — explicit-path traffic flows across the spine plane, pods at the edges.
Top Highlights
№ 01·Top Highlights

Top 3 Highlights

1. Post-Quantum Cryptography EO Sets 2030 Hard Deadline for Federal Contractors

TL;DR: President Trump signed Executive Order 14409 on June 22, setting December 31, 2030, as the hard deadline for federal agencies and their contractors to transition to post-quantum encryption — and Cloudflare's technical response makes clear that network engineers need to start procurement rewrites now, not in 2028.

Key Points:

  • EO 14409 requires federal agencies to complete post-quantum encryption (ML-KEM) by December 31, 2030, and post-quantum authentication (ML-DSA/SLH-DSA) by December 31, 2031
  • Federal contractors must comply with post-quantum FIPS standards by end of 2030 — this creates a supply-chain mandate that flows down through every vendor relationship
  • CISA and sector risk management agencies must help critical infrastructure operators develop PQC adoption plans
  • Cloudflare's implementation guidance flags the hardest problem: any system that supports ML-KEM but still allows a classical-only TLS handshake is vulnerable to downgrade attacks — hybrid mode is not a finish line, it is a waypoint
  • Larger signature sizes in ML-DSA mean short-lived connections and constrained protocols (think BGP session negotiation, device authentication in embedded management planes) may degrade — these need early testing, not late discovery
  • Cloudflare's specific advice: update procurement policies to mandate PQC at no additional cost, and build a quantum impact inventory of publicly exposed systems before doing comprehensive cryptographic audits (which delay action)

Deep Dive: The EO compresses a timeline that most enterprise and operator shops had assumed was a 2032-or-later problem. For network engineers specifically, the exposure is not just TLS on web servers — it is the management plane. BGPsec, SSH device authentication, IPsec tunnel endpoints, and TLS-based NETCONF/RESTCONF sessions all run on classical cryptography. The EO's contractor scope means if you supply networking services to any federal agency or contractor, you are now on a four-year clock. The Cloudflare post is the most practically useful piece published in response to the EO: it explicitly tells you to skip the comprehensive audit phase and instead prioritize internet-facing systems and start rewriting RFPs today. The downgrade attack risk is the key technical point most coverage missed — deploying ML-KEM alongside classical negotiation without forcing ML-KEM means a man-in-the-middle can strip the PQC handshake and both sides silently fall back to classical. Enforcement at the policy layer, not just the capability layer.

So What? Stop treating PQC as a future planning item — audit your vendor contracts today, add "post-quantum FIPS compliance by 2030" to every active RFP, and identify which management-plane protocols in your network would fail a PQC migration before the deadline.

Sourceshttps://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/, https://blog.cloudflare.com/post-quantum-eo-2026/, https://www.cybersecuritydive.com/news/quantum-cryptography-white-house-executive-order/823530/


2. ipSpace.net: Anycast-Only EVPN Gateways Create Silent ARP Failure and Attack Surface

TL;DR: Ivan Pepelnjak's latest in the EVPN ARP series shows that running anycast-only gateways (no unicast fallback) in EVPN asymmetric IRB creates a specific failure mode that breaks silent host reachability across PEs — and Arista EOS has a creative workaround that no other vendor implements, making this a multi-vendor interop landmine.

Key Points:

  • When PE devices share only an anycast MAC/IP address (no unicast), ARP requests between PEs use the anycast address as source — the remote host's ARP reply goes back to the anycast address, and the intercepting PE pockets it, leaving the originating PE without an ARP cache entry
  • Arista EOS resolves this by accepting unsolicited ARP replies and generating an EVPN type-2 MAC/IP route for the silent host — other vendors lack this mechanism, making multi-vendor anycast-only deployments unreliable
  • Pepelnjak explicitly flags the security exposure: an attacker who can send unsolicited ARP replies into this environment can impersonate any IP address (SQL servers were the example), and the anycast design gives them structural cover
  • The lab is reproducible on netlab, GitHub Codespaces, or Apple Silicon Macs — hands-on validation is accessible before you hit this in production

Deep Dive: This is the fourth or fifth post in a series that has systematically dismantled the "EVPN handles ARP for you" assumption that a lot of leaf-spine designs rely on. The anycast-only variant is particularly interesting because it is often chosen for simplicity — fewer IP addresses, cleaner design. Turns out the simpler design has a more obscure failure mode that is extremely hard to troubleshoot because the data plane appears to be working (you can ping from some hosts) while specific traffic paths silently black-hole. The Arista workaround is clever but it is also precisely the kind of vendor-specific silent behavior that makes multi-vendor fabrics painful. If you are running a Juniper or Cisco EVPN fabric alongside Arista in the same layer-2 domain, this is a live problem you may have right now.

So What? If you have anycast gateways deployed without unicast fallback in a multi-vendor EVPN fabric, run Pepelnjak's netlab scenario against your specific platform combination before you call it production-ready — and while you're at it, check whether your ARP snooping configuration prevents the unsolicited-reply attack vector.

Sourceshttps://blog.ipspace.net/2026/06/arp-issues-evpn-anycast-only/


3. NVIDIA DFlash Speculative Decoding Delivers up to 15x Throughput on Blackwell

TL;DR: NVIDIA published a blog on June 23 detailing DFlash, an open-source block diffusion speculative decoder that hits up to fifteen times the token throughput on Blackwell at the same interactivity level — and it integrates into vLLM, SGLang, and TensorRT-LLM without code changes, meaning inference operators can deploy it today.

Key Points:

  • DFlash uses a block-parallel drafting approach: instead of drafting tokens one at a time, a lightweight diffusion model generates an entire block of candidate tokens in a single forward pass, which the target model verifies in parallel — much better utilization of Blackwell's fifteen PFLOPS of dense NVFP4 compute
  • Benchmark results: up to fifteen times throughput for gpt-oss-120b at same interactivity; nearly double interactivity for Llama 3.1 8B at same concurrency vs EAGLE-3; five point eight times for Gemma 4 31B; five point one times for Qwen3 8B
  • Drop-in integration with vLLM, SGLang, and TensorRT-LLM via model checkpoints on Hugging Face — no code refactoring required
  • LMSYS published a companion post covering DFlash alongside Spec V2, confirming the result is not just an NVIDIA benchmark
  • Implication for inference cluster design: at fifteen times throughput, DFlash changes the economics of Blackwell cluster sizing — you may need significantly fewer nodes than your original inference capacity plan assumed

So What? If you are sizing or operating Blackwell-based inference clusters, benchmark DFlash against your current serving stack before finalizing procurement numbers — a fifteen times throughput improvement changes every ROI calculation you have done.

Sourceshttps://developer.nvidia.com/blog/boost-inference-performance-up-to-15x-on-nvidia-blackwell-using-dflash-speculative-decoding, https://www.lmsys.org/blog/2026-06-15-next-generation-speculative-decoding-dflash-v2/


Networking
№ 02·Networking

Networking

Plate IInetworking
Schematic leaf-spine fabric — explicit-path traffic flows across the spine plane, pods at the edges.

ipSpace.net EVPN Anycast-Only Gateway Failure (covered in Top 3 above)

Post-Quantum EO: Management Plane Impact (covered in Top 3 above)

PP115: Machine Identities Now Outnumber Humans 109 to 1

Packet Pushers ran a sponsored episode with CyberArk/Palo Alto Networks covering the machine identity governance gap. The headline number — one hundred nine non-human identities for every human in the enterprise — is striking, but the more interesting architecture point is the "secret zero" bootstrapping problem: agents need credentials to get credentials, and most enterprise IAM systems have no answer for this at agentic scale. The episode covers kill-switch design for rogue agents and governance onboarding patterns that treat an AI agent like a new employee (capability scoping, access review, offboarding). This is the operational security architecture work that needs to happen before the forty percent enterprise app agent adoption figure Gartner is projecting for year-end arrives.

Sourceshttps://packetpushers.net/podcasts/packet-protector/pp115-palo-alto-networks-reality-of-109-to-1-securing-machine-identities-and-ai-agents-sponsored/


Automation
№ 03·Automation

Automation

Plate IIIautomation
Source-of-truth pipeline — intent → diff → apply → verify, idempotent on every revolution.

EVPN ARP Anycast-Only Failure Modes (covered in Top 3 — networking angle)

Post-Quantum PQC: Automation and Toolchain Implications

The EO's contractor scope means automation toolchains that touch federal environments need PQC-capable SSH and TLS. Nornir and Ansible both rely on Paramiko for SSH — Paramiko's PQC support timeline is not yet confirmed. Practitioners should test their automation stack's SSH library against ML-KEM hybrid handshake behavior now, before 2028 when vendors will likely be validating compliance.


AI / ML
№ 04·AI / ML

AI & Machine Learning

Plate IVai / ml
Embedding space — clusters carry related concepts; the highlighted query vector pulls its nearest neighbors.

NVIDIA DFlash 15x Blackwell Throughput (covered in Top 3 above)

IBM CUGA: Open-Source Agentic Harness with Two Dozen Production Examples

IBM Research published CUGA (Configurable Generalist Agent) with two dozen working single-file applications on Hugging Face, framing it as the answer to the "one week of plumbing before the agent does anything useful" problem. The harness handles planning, execution loops, tool calls, and state management — the developer writes a tool list and a prompt. The interesting architecture angle is that CUGA is designed to run the same agent code in both sovereign (on-premises, air-gapped) and governed (enterprise policy-enforced) modes without a rewrite. For network operations specifically, CUGA's tool-list model maps cleanly onto the MCP server pattern we have been tracking — SuzieQ MCP, Ansible MCP, PagerDuty MCP could all be CUGA tool definitions.

Sourceshttps://huggingface.co/blog/ibm-research/cuga-apps


Datacenter
№ 05·Datacenter

Datacenter

Plate Vdatacenter
Datacenter row — per-rack utilization at a glance. Cool colors are slack; warmer fills are pressure.

Virginia Approves First-Ever Datacenter Electricity Consumption Tax

Virginia's General Assembly passed a budget containing a new electricity consumption tax of $0.011 per kilowatt-hour on all power used by datacenters, effective July 1, 2026, projected to generate $600 million annually for two years. The measure covers utility-supplied power, competitive retail power, and self-generated power — specifically including behind-the-meter generation. That last point is significant: the hyperscaler strategy of building dedicated behind-the-fence generation to minimize grid dependency does not exempt you from Virginia's tax. The rate class applies to any datacenter operation in the state, regardless of how the power is sourced.

Sourceshttps://www.datacenterknowledge.com/regulations/virginia-approves-first-ever-data-center-power-tax, https://www.virginiascope.com/general-assembly-budget-proposal-expected-to-generate-600-million-a-year-in-revenue-from-data-centers/

AlpSemi Raises €17M for Wide-Bandgap Power Switches Targeting 800V DC Datacenters

Grenoble-based AlpSemi closed a €17 million round to commercialize wide- and ultra-wide-bandgap semiconductor power switches purpose-built for 800V DC datacenter architectures and solid-state circuit breakers. The technology replaces traditional silicon in high-voltage power protection systems, operating at higher voltages and switching frequencies with better thermal performance. The 800V DC architecture is increasingly relevant for AI datacenter power distribution — it reduces conductor losses at the same power density compared to traditional 48V or 380V DC bus architectures, and the 800V EV powertrain ecosystem (from automotive) is providing supply chain for components that previously had no commercial scale. AlpSemi's AS800 product is the first step toward production-scale datacenter deployment.

Sourceshttps://www.datacenterdynamics.com/en/news/alpsemi-raises-17m-for-development-of-wide-bandgap-power-switches-for-ai-data-centers/, https://www.businesswire.com/news/home/20260623012512/en/AlpSemi-Raises-%E2%82%AC17-Million-to-Scale-Next-Generation-Solid-State-Circuit-Breaker-Power-Switches-for-Buildings-and-AI-Data-Centers

CBRE: Global Datacenter Demand Continues to Outstrip Supply Across All Regions

CBRE's mid-year report confirms that demand exceeds supply in every major market globally, driving rental rates and construction costs upward simultaneously. The structural constraint is not construction speed — it is utility interconnection and transformer procurement, both running 18 to 24 months. The Virginia power tax adds another input cost variable to North America's most saturated market at exactly the moment operators are looking for alternatives.

Sourceshttps://www.datacenterdynamics.com/en/news/cbre-global-data-center-demand-continues-to-outstrip-supply-driving-up-rental-rates-and-construction-costs/


Science
№ 06·Science

Science

Plate VIscience
Field schematic — three-body stability under quasi-equal masses, drawn from the day's central result.

China's LineShine Supercomputer Takes Top500 Number One Spot — CPU-Only, ARM-Based

The June 2026 Top500 list, released at ISC26 in Hamburg, has a new leader: China's LineShine system at the National Supercomputing Centre in Shenzhen, achieving 2.198 exaflops on the HPL Linpack benchmark. This is the first Top500 number one since 2017 for China, and the first exascale-class machine to hit that mark using CPUs only — no GPUs, no accelerators. LineShine uses nearly fourteen million ARM cores on semi-custom 304-core LX2 processors (Armv9 ISA, 1.55 GHz) on the "LingKun" platform, with zero components from NVIDIA, Intel, or AMD. The system sustains roughly eighty percent of its 2.736 exaflop theoretical peak — strong utilization for a CPU-only architecture. The geopolitical read is straightforward: China built a system that bypasses the entire Western GPU export control apparatus and took the top spot anyway. The networking and storage fabric details have not been fully disclosed but the sheer scale of the interconnect required to drive fourteen million cores at this efficiency is itself an architecture story.

Sourceshttps://top500.org/news/lineshine-debuts-no-1-top500-enters-new-global-exascale-era/, https://www.servethehome.com/arm-cpus-take-number-1-in-latest-top500-list-with-chinese-lineshine/, https://www.theregister.com/hpc/2026/06/24/chinese-supercomputer-using-local-processors-heads-top500-list/5260532


Quick Takes
№ 07·Quick Takes

Quick Takes

  • Anthropic Claude in Slack becomes always-on Claude Tag: Anthropic is replacing the existing Claude Slack app with Claude Tag, an always-on agentic version that joins as a team member and monitors everything it has access to. The architecture shift from request-response to ambient monitoring is a governance question as much as a product question. [unverified — Register summary only]

Sourceshttps://www.theregister.com/ai-and-ml/2026/06/23/anthropic-reimagines-claude-in-slack-as-nosy-always-on-agentic-ai-coworker/5260422

  • Scattered Spider guilty pleas day one of UK trial: Two Scattered Spider members pled guilty on the first day of their UK trial for the August 2024 Transport for London attack. The architectural lesson is not the guilty plea — it is that social engineering of helpdesk credential resets remains the entry vector for high-profile attacks in 2026. Identity verification at the helpdesk layer is a gap that zero-trust perimeter controls do not close.

Sourceshttps://krebsonsecurity.com/2026/06/scattered-spider-hackers-plead-guilty-on-day-1-of-trial/

  • Waterborne computing gets another look: The Register covers renewed interest in floating and underwater datacenter deployments driven by cooling and power costs. Microsoft's Project Natick data remains the reference point; no new production deployments announced, but the economics are improving as power costs rise onshore.

Sourceshttps://www.theregister.com/systems/2026/06/23/datacenters-dip-a-toe-back-into-waterborne-computing-despite-obvious-challenges/5259331


Watch Today
№ 08·Watch Today

Watch Today

  • PQC procurement: If you have active vendor RFPs or contracts that touch any federal agency or contractor relationship, add PQC FIPS compliance by 2030 as a mandatory requirement today — not next quarter.
  • DFlash benchmarking: Pull the DFlash checkpoint from Hugging Face and run it against your current vLLM or SGLang inference stack. If you see anything close to the reported throughput gains, your cluster sizing assumptions need revision.
  • Virginia cost modeling: If you have Virginia colocation options in active evaluation, add the $0.011/kWh electricity consumption tax to your TCO model — it applies July 1, 2026, less than a week away.

Automation
№ 09·Automation

Pipeline Stats

Plate VIIautomation
Source-of-truth pipeline — intent → diff → apply → verify, idempotent on every revolution.
  • Articles processed: 66 (RSS digest) + 8 targeted web searches
  • Topics researched: 5 domains (networking, automation, AI/ML, datacenter, science)
  • Quality score: 5/5
  • Dedup rejections: 0 (all items cleared 72-hour window)
  • Edition: morning-briefing
Subscribe

Get the briefing in your inbox.

One email per weekday morning. Same writing, same sources — no audio required.