Abstract: Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.

Abstract: In one embodiment, a service chain data packet is instrumented as it is communicated among network nodes in a network providing service-level and/or networking operations visibility. The service chain data packet includes a particular header identifying a service group defining one or more service functions, and is a data packet and not a probe packet. A network node adds networking and/or service-layer operations data to the particular service chain data packet, such as, but not limited to, in the particular header. Such networking operations data includes a performance metric or attribute related to the transport of the particular service chain packet in the network. Such service-layer operations data includes a performance metric or attribute related to the service-level processing of the particular service chain data packet in the network.

Abstract: Resource provider specifications, characterizing computing resources of computing resource providers, are received. The reachability of each IP address included in the received specification is determined. An agent is deployed that is operable to determine the value of each of a set of metrics in the environment of the host at which the agent is deployed. The agent determines the value of each metric of the set of metrics in the environment of the relevant host, and communicates the determined values to one or more computing devices that validate whether the resources characterized by the communicated values are sufficient to provide the performance characterized by the received specification and that each ISP router complies with a predetermined policy. For each computing resource provider validated and determined to comprise an ISP router compliant with policy, the specified computing resources are added to a pool of resources for cloud computing.

Abstract: In one embodiment, a network quality assessment service that monitors a network obtains multimodal data indicative of a plurality of measurements from the network and subjective perceptions of the network by users of the network. The network quality assessment service uses the obtained multimodal data as input to one or more neural network-based models. The network quality assessment service maps, using a conceptual space, outputs of the one or more neural network-based models to symbols. The network quality assessment service applies a symbolic reasoning engine to the symbols, to generate a conclusion regarding the monitored network. The network quality assessment service provides an indication of the conclusion to a user interface.

Abstract: In one embodiment, new Segment Routing capabilities are used in the steering of packets through Segment Routing nodes in a network. A Segment List includes a set of one or more Segment List (SL) Groups, each of which identifies one or more Segments contiguously or non-contiguously stored in the Segment List (or stored across multiple Segment Lists) of a Segment Routing packet. Each SL Group typically includes one Segment that is encoded as a Segment Identifier, and may include Segments that are Extended Values. The steering order of SL Groups is not required to be the same order as they are listed in the Segment List, as the value of Segments Left may be increased, remain the same, or decreased (possibly to skip a next SL Group) and possibly based on the result of an evaluation of a conditional expression.

Abstract: Resource provider specifications, characterizing computing resources of computing resource providers, are received. The reachability of each IP address included in the received specification is determined. An agent is deployed that is operable to determine the value of each of a set of metrics in the environment of the host at which the agent is deployed. The agent determines the value of each metric of the set of metrics in the environment of the relevant host, and communicates the determined values to one or more computing devices that validate whether the resources characterized by the communicated values are sufficient to provide the performance characterized by the received specification and that each ISP router complies with a predetermined policy. For each computing resource provider validated and determined to comprise an ISP router compliant with policy, the specified computing resources are added to a pool of resources for cloud computing.

Abstract: Techniques are described to provide a peephole optimization for processing traffic for lightweight protocols at lower layers by executing them inside a virtual switch rather than using the network stack of a host node. In one example, a method includes determining by forwarding logic of a virtual switch that a received packet is associated with a query for one of domain information or address information. Based on such a determination, the virtual switch determines whether the query is contained within a single Ethernet frame and is answerable. Based on a positive determination for both, the virtual switch determines whether a response to the query can be transmitted in a single packet within a single Ethernet frame. Based on a positive determination of a single packet response, a response packet for the query is formed and injected into the forwarding logic for the virtual switch for transmitting to a destination.

Abstract: In one embodiment, a service receives signal characteristic data indicative of characteristics of wireless signals received by one or more antennas located in a particular area. The service uses the received signal characteristic data as input to a Bayesian inference model to predict physical states of an object located in the particular area. A physical state of the object is indicative of at least one of: a mass, a velocity, an acceleration, a surface area, or a location of the object. The service updates the Bayesian inference model based in part on the predicted state of the object and a change in the received signal characteristic data and based in part by enforcing Newtonian motion dynamics on the predicted physical states.

Abstract: In one embodiment, a service receives signal data indicative of phases and gains associated with wireless signals received by one or more antennas located in a particular area. The service determines, from the received signal data, changes in the phases and gains associated with the wireless signals. The service estimates a direction of motion of one or more objects located in the particular area, based on the determined changes in the gains associated with the wireless signals. The service estimates a total mass of the one or more objects located in the particular area based on a ratio of the determined changes in the gains associated with the wireless signals over the determined changes in the phases associated with the wireless signals.

Abstract: In one embodiment, a service receives signal characteristic data indicative of characteristics of wireless signals received by one or more antennas located in a particular area. The service identifies an object in the particular area, based on the received signal characteristic data. The service associates the identified object with an object kinematics model. The service updates the object kinematics model over time by applying Bayesian inference to changes in the signal characteristic data.

Abstract: Systems, methods, and computer-readable for cognitive sensor fusion management include obtaining one or more data streams from one or more sensors. Learning algorithms are used for determining whether a combination of the one or more data streams includes sufficient information for achieving a desired outcome, based on context, business verticals, or other considerations. One or more modifications are determined to at least the one or more data streams or one or more sensors based on whether the combination of the one or more data streams includes sufficient information for achieving the desired outcome. In a closed-loop system, feedback from implementing the one or more modifications can be used to update the desired outcome.

Abstract: The present technology pertains to a system that authenticates the identity of a user trying to access a service. The system comprises an authentication provider configured to communicate authentication requirements to a continuous multifactor authentication device and the continuous multifactor authentication device configured to receive authentication requirements, to fuse multiple identification factors into an identification credential for a user according to the authentication requirements, and to send the authentication credential to the authentication provider. After receiving the identification credential meeting the authentication requirements, the authentication provider is configured to instruct a service provider to initiate a session.

Abstract: In one embodiment, an apparatus of a LISP environment includes one or more processors and computer-readable non-transitory storage media coupled to the one or more processors. The computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including receiving an attestation token from a first component of the LISP environment. The operations also include encoding the attestation token using a LISP message format. The operations further include distributing the encoded attestation token with a LISP signaling message to a third component of the LISP environment.

Abstract: In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including determining a path through a plurality of provider nodes within a provider network and determining that the path through the plurality of provider nodes within the provider network is secure. The operations also include receiving, from a customer node, a Resource Reservation Protocol (RSVP) path message comprising an attribute for a security request. The operations further include routing the RSVP path message along the path of the plurality of provider nodes.

Abstract: In one embodiment, a method includes a method includes receiving, by a headend node, network traffic. The method also includes determining, by the headend node, that the network traffic matches a service route. The method further includes steering, by the headend node, the network traffic into an SR-TE policy. The SR-TE policy is associated with the service route and includes a security level constraint.

Abstract: In one embodiment, new Segment Routing capabilities are used in the steering of packets through Segment Routing nodes in a network. A Segment List includes a set of one or more Segment List (SL) Groups, each of which identifies one or more Segments contiguously or non-contiguously stored in the Segment List (or stored across multiple Segment Lists) of a Segment Routing packet. Each SL Group typically includes one Segment that is encoded as a Segment Identifier, and may include Segments that are Extended Values. The steering order of SL Groups is not required to be the same order as they are listed in the Segment List, as the value of Segments Left may be increased, remain the same, or decreased (possibly to skip a next SL Group) and possibly based on the result of an evaluation of a conditional expression.

Abstract: Systems, methods, and computer-readable storage media are provided for managing application traffic. A routing policy defines the data flow path between the client device (which uses a virtual private network (VPN) client) and the appropriate network-based service. Based on various factors associated with the user, the client device, and the destination (e.g. network-based service), the routing policy will direct the VPN client to communicate with either a public DNS (via the public Internet) or to a private DNS (via the private Intranet). The resulting IP addresses will be used to establish a particular route (either over a public Internet or private Intranet) between the client device and the network-based service in accordance to the routing policy.

Abstract: In one embodiment, for each distribution period of time, each packet flow is assigned to a path through a packet switching device (e.g., switch fabric) with all packets of the packet flow being sent in order over the assigned path. For a next distribution period, different paths are assigned for these packet flows, with all packets being sent in order over the new corresponding selected path. In one embodiment, these paths are switched often enough to prevent congestion, yet infrequent enough so as to minimize resources for reordering. In one embodiment, the reordering is done at the egress and only for predefined high bandwidth flows (e.g., elephant flows). A distribution period indication is typically associated with each packet to identify its corresponding distribution period. In one embodiment, each routing and egress switching stage in a switching fabric performs reordering.

Abstract: One embodiment performs longest prefix matching operations in one or more different manners that provides packet processing and/or memory efficiencies in the processing of packets. In one embodiment, a packet switching device determines a set of one or more mask lengths of a particular conforming entry of a multibit trie or other data structure that matches a particular address of a packet via a lookup operation in a mask length data structure. A conforming entry refers to an entry which has less than or equal to a maximum number of different prefix lengths, with this maximum number corresponding to the maximum number of prefix lengths which can be searched in parallel in the address space for a longest matching prefix by the implementing hardware. The packet switching device then performs corresponding hash table lookup operation(s) in parallel in determining an overall longest matching prefix for the particular address.

Abstract: A method of retrieving content in an Internet Protocol version 6 (IPv6) network is described, including receiving from a network node a lookup request associated with content at a server comprising a mapping database. A response is generated including an IPv6 address, the IPv6 address comprising a content identifier and an indication of a location of the content. The response is transmitted to the network node. A method including receiving at a mapping database a lookup request associated with content and returning a text record comprising an ordered list of addresses for use in segment routing to the content is also described.