Abstract: Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.

Abstract: Various embodiments disclosed herein include apparatuses, systems, devices, and methods for anonymously generating an encrypted session for a client device in a wireless network. The method comprises, in response to providing, to the client device in the wireless network, a request for credentials associated with the client device, obtaining, from the client device, a response including proposed credentials associated with the client device. The method further comprises determining whether or not the format of the response matches a response template. The method further comprises, in response to determining that the format of the response matches the response template, generating an encrypted wireless session for the client device independent of the proposed credentials associated with the client device.

Abstract: In one embodiment, an offload platform is an compute platform, adjunct to a router or other packet switching device, that performs packet processing operations including determining an egress forwarding value corresponding to the next-hop node of the packet switching device to which to send an offload-platform processed packet. The offload platform downloads forwarding information from the router, and augments it, such as, but not limited to, representing interfaces of the router as identifiable virtual interface(s) on the offload platform, and including each of one or more next-hop nodes of the router represented as an identifiable virtual adjacency and identifiable tunnel (e.g., identified by the egress forwarding value). In one embodiment, the egress forwarding value is an Multiprotocol Label Switching (MPLS) label or Segment Routing Identifier. The router identifies packets of certain packet flows to send to the adjunct offload platform, rather than processing per its routing information base.

Abstract: A method comprises obtaining, from a client device, a first set of application authentication credentials formatted in accordance with a first authentication protocol. The first set of application authentication credentials corresponds to a first user profile. The method includes translating the first set of application authentication credentials to a second set of application authentication credentials. The second set of application authentication credentials is formatted in accordance with a second authentication protocol different from the first authentication protocol and corresponds to the first user profile. The method includes providing the second set of application authentication credentials to an application authentication system. The method includes, in response to providing the second set of application authentication credentials to the application authentication system, obtaining, from the application authentication system, an application authentication indicator.

Abstract: Embodiments are provided for providing optimal route reflector (ORR) root address assignment to route reflector clients and fast failover capabilities in an autonomous system, including identifying a first node in an autonomous system as a candidate root node of a first routing group, identifying a client node based on a neighbor address used in a first routing protocol, mapping the neighbor address to routing information received from the client node via a second routing protocol, and associating the neighbor address with the first routing group if the routing information includes an identifier of the first routing group. In more specific embodiments, identifying the first node as a candidate root node includes determining the first node and the first routing group are advertised in a first protocol packet, and determining the first node and the second routing group are advertised in a second protocol packet.

Abstract: In one embodiment, a network quality assessment service that monitors a network obtains multimodal data indicative of a plurality of measurements from the network and subjective perceptions of the network by users of the network. The network quality assessment service uses the obtained multimodal data as input to one or more neural network-based models. The network quality assessment service maps, using a conceptual space, outputs of the one or more neural network-based models to symbols. The network quality assessment service applies a symbolic reasoning engine to the symbols, to generate a conclusion regarding the monitored network. The network quality assessment service provides an indication of the conclusion to a user interface.

Abstract: Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.

Abstract: One embodiment performs longest prefix matching operations in one or more different manners that provides packet processing and/or memory efficiencies in the processing of packets. In one embodiment, a packet switching device determines a set of one or more mask lengths of a particular conforming entry of a multibit trie or other data structure that matches a particular address of a packet via a lookup operation in a mask length data structure. A conforming entry refers to an entry which has less than or equal to a maximum number of different prefix lengths, with this maximum number corresponding to the maximum number of prefix lengths which can be searched in parallel in the address space for a longest matching prefix by the implementing hardware. The packet switching device then performs corresponding hash table lookup operation(s) in parallel in determining an overall longest matching prefix for the particular address.

Abstract: In one embodiment, a network node automatically cycles among packet traffic flows and subjects the currently selected packet flows to varying drop probabilities in a packet network, such as, but not limited to in response to congestion in a device or network. Packets of a currently selected packet traffic flow are subjected to a drop or forward decision with a higher drop probability than packets of a currently non-selected flow. By cycling through all of these packet traffic flows, all of these packet flows are subjected to the drop or forward decision in the long term approximately uniformly, thus providing fairness to all packet traffic flows. In the short term, packets of a currently selected flow are targeted for possible dropping with a higher drop probability providing unfairness to the currently selected flows over the non-selected flows.

Abstract: In one embodiment, a service chain data packet is instrumented as it is communicated among network nodes in a network providing service-level and/or networking operations visibility. The service chain data packet includes a particular header identifying a service group defining one or more service functions, and is a data packet and not a probe packet. A network node adds networking and/or service-layer operations data to the particular service chain data packet, such as, but not limited to, in the particular header. Such networking operations data includes a performance metric or attribute related to the transport of the particular service chain packet in the network. Such service-layer operations data includes a performance metric or attribute related to the service-level processing of the particular service chain data packet in the network.

Abstract: In one embodiment, a service that monitors a network detects a plurality of anomalies in the network. The service uses data regarding the detected anomalies as input to one or more machine learning models. The service maps, using a conceptual space, outputs of the one or more machine learning models to symbols. The service applies a symbolic reasoning engine to the symbols, to rank the anomalies. The service sends an alert for a particular one of the detected anomalies to a user interface, based on its corresponding rank.

Abstract: A crowd-sourced cloud environment allows for, and benefits from, modes of interaction between among the service providers (including the “resource providers” and the “cloud provider”) and consumers (also referred to herein as “tenants”) that are not practiced in a DC-centric cloud environment—specifically, the use of Internet-based social networking technology and Internet-based online marketplace technology to facilitate resource pooling and interaction between crowd-sourced cloud resource providers, the cloud provider, and crowd-sourced cloud consumers.

Abstract: One embodiment performs longest prefix matching operations in one or more different manners that provides packet processing and/or memory efficiencies in the processing of packets. In one embodiment, a packet switching device determines a set of one or more mask lengths of a particular conforming entry of a multibit trie or other data structure that matches a particular address of a packet via a lookup operation in a mask length data structure. A conforming entry refers to an entry which has less than or equal to a maximum number of different prefix lengths, with this maximum number corresponding to the maximum number of prefix lengths which can be searched in parallel in the address space for a longest matching prefix by the implementing hardware. The packet switching device then performs corresponding hash table lookup operation(s) in parallel in determining an overall longest matching prefix for the particular address.

Abstract: One embodiment includes multiple distribution nodes sending packets of different ordered sets of packets among multiple packet switching devices arranged in a single stage topology to reach a reordering node. The reordering node receives these packets sent over the different paths and stores them in reordering storage, such as, but not limited to, in queues for each distribution node and packet switching device combination. The reordering node sends packets stored in the reordering storage from the reordering node in original orderings. In response to determining that an aggregation quantum of packets received from the multiple distribution nodes via a particular packet switching device and stored in the reordering storage is outside a range or value, packets being communicated via the particular packet switching device to the reordering node are rate limited.

Abstract: In one embodiment, a network node automatically cycles among packet traffic flows and subjects the currently selected packet flows to varying drop probabilities in a packet network, such as, but not limited to in response to congestion in a device or network. Packets of the currently selected packet traffic flows are subjected to a drop or forward decision, while packets of other packet traffic flows are not. By cycling through all of these packet traffic flows, all of these packet flows are subjected to the drop or forward decision in the long term approximately uniformly providing fairness to all packet traffic flows. In the short term, only packets of a currently selected flow are targeted for possible dropping providing unfairness to the currently selected flows, while possibly providing communication efficiencies by affecting the currently selected, but not all flows.

Abstract: A crowd-sourced cloud environment allows for, and benefits from, modes of interaction between among the service providers (including the “resource providers” and the “cloud provider”) and consumers (also referred to herein as “tenants”) that are not practiced in a DC-centric cloud environment—specifically, the use of Internet-based social networking technology and Internet-based online marketplace technology to facilitate resource pooling and interaction between crowd-sourced cloud resource providers, the cloud provider, and crowd-sourced cloud consumers.

Abstract: In one embodiment, a particular service chain data packet is received by a particular service node, with the service chain data packet including a header identifying service chain information. The particular service node applies a service to the particular service chain data packet. The particular service node adds service-layer operations data to the particular service chain data packet, with the service-layer operations data related to the current service function or the particular service node. Subsequently, the particular service node sends the particular service chain data packet with the service-layer operations data from the particular service node. In one embodiment, networking operations data is also added to the particular service chain data packet. In one embodiment, an egress service node removes the service-layer (and possibly networking) operations data and forwards to another system, possibly after processing this operations data.

Abstract: One embodiment includes a packet switching device load balancing eligible packets in response to a policing drop decision. The packet switching device sends packets of a particular packet flow out of the packet switching device over a first path in the network towards a destination node; and in response to a policer discipline determining to drop a particular packet of the particular packet flow, switching from said sending packets over the first path to sending packets of the particular packet flow out of the packet switching device over a second path in the network towards the destination node (possibly by switching output queues associated with the two different paths), with the second path being different than the first path, and with the particular packet not being dropped but being sent out of the packet switching device towards the destination node.

Abstract: The present disclosure involves systems and methods for compiling abstract application and associated service models into deployable descriptors under control of a series of policies, maintaining and enforcing dependencies between policies and applications/services, and deploying policies as regularly managed policy applications themselves. In particular, an orchestration system includes one or more policy applications that are executed to apply policies to a deployable application or service in a computing environment. In general, the orchestration system operates to create one or more solution models for execution of an application on one or more computing environments (such as one or more cloud computing environments) based on a received request for deployment.

Abstract: A method of routing a packet in a network is described. The network includes a plurality of nodes implementing Information Centric Networking (ICN) routing or content centric networking and routing. The method includes receiving the packet at a node implementing ICN routing, the packet comprising an Internet Protocol (IP) header and a packet payload, wherein the packet comprises a request packet for requesting content from the network. The method further includes extracting from the packet payload a content identifier for the requested content and forwarding the packet to a next hop node in the network based on the content identifier extracted from the packet payload.