Abstract: A method includes receiving, at a home controller of a home domain and from a first device in the home domain, a first message concerning a user device that is anchored to the home domain and that has roamed from the home domain to a visitor domain. The method also includes, in response to determining that the first device is a router, opening a tunnel between the home controller and a visitor controller of the visitor domain and communicating the first message to the user device through the tunnel. The method further includes receiving, at the home controller and from a second device in the home domain, a second message concerning the user device and in response to determining that the second device is not a router, communicating, to the second device, a proxy response to the second message.

Abstract: A method includes receiving, at a first edge node, an Internet Protocol (IP) multicast address of a first silent host node. The method further includes receiving, at a second edge node, an IP multicast address of a second silent host node. The IP multicast address of the first silent host node is equal to the IP multicast address of the second silent host node. The method further includes storing the IP multicast address of the first and second silent host node in a shared entry of a routing table. The method further includes receiving, at a third edge node, a packet from a third host node and determining that a destination address of the packet corresponds to the IP multicast address stored in the shared entry of the routing table. The method further includes sending the packet to both the first host node and the second host node.

Abstract: The present disclosure is directed to systems and methods for first hop security in a multi-site and multi-vendor cloud. The method may include receiving, at a first hop security (FHS) device located within a defined security perimeter, a message from a first host; validating a security of the message; signing the message with a signature to prove validation of the message, the signature comprising at least a Crypto-ID Parameters Option (CIPO) and a Neighbor Discovery Protocol Signature Option (NDPSO); and transmitting the signed message to one or more network FHS devices within the security perimeter.

Abstract: A method includes receiving, at a first edge node, an Internet Protocol (IP) multicast address of a first silent host node. The method further includes receiving, at a second edge node, an IP multicast address of a second silent host node. The IP multicast address of the first silent host node is equal to the IP multicast address of the second silent host node. The method further includes storing the IP multicast address of the first and second silent host node in a shared entry of a routing table. The method further includes receiving, at a third edge node, a packet from a third host node and determining that a destination address of the packet corresponds to the IP multicast address stored in the shared entry of the routing table. The method further includes sending the packet to both the first host node and the second host node.

Abstract: A method includes receiving, at a first edge node, an Internet Protocol (IP) multicast address of a first silent host node. The method further includes receiving, at a second edge node, an IP multicast address of a second silent host node. The IP multicast address of the first silent host node is equal to the IP multicast address of the second silent host node. The method further includes storing the IP multicast address of the first and second silent host node in a shared entry of a routing table. The method further includes receiving, at a third edge node, a packet from a third host node and determining that a destination address of the packet corresponds to the IP multicast address stored in the shared entry of the routing table. The method further includes sending the packet to both the first host node and the second host node.

Abstract: A method includes receiving, at a home controller of a home domain and from a first device in the home domain, a first message concerning a user device that is anchored to the home domain and that has roamed from the home domain to a visitor domain. The method also includes, in response to determining that the first device is a router, opening a tunnel between the home controller and a visitor controller of the visitor domain and communicating the first message to the user device through the tunnel. The method further includes receiving, at the home controller and from a second device in the home domain, a second message concerning the user device and in response to determining that the second device is not a router, communicating, to the second device, a proxy response to the second message.

Abstract: The present disclosure is directed to systems and methods for first hop security in a multi-site and multi-vendor cloud. The method may include receiving, at a first hop security (FHS) device located within a defined security perimeter, a message from a first host; validating a security of the message; signing the message with a signature to prove validation of the message, the signature comprising at least a Crypto-ID Parameters Option (CIPO) and a Neighbor Discovery Protocol Signature Option (NDPSO); and transmitting the signed message to one or more network FHS devices within the security perimeter.

Abstract: Techniques for providing a non-blocking fabric in a network are described. A network controller determines the network requirement for various network traffic types on the network and determines the allocation of resources across the network needed to establish a midlay, including midlay components on the network. The network controller then establishes the midlay on the network according to the determined allocation. At least one of the midlay components is a virtually non-blocking fabric for high-priority traffic or fully non-blocking fabric for deterministic traffic.

Abstract: Protocol independent signal slotting and scheduling is provided by receiving a frame including a header and a payload for transmission; in response to determining that the frame matches a rule identifying the frame as part of a control loop, compressing the header according to the rule to produce a compressed packet of a predefined size that includes the compressed header and the payload; scheduling transmission of the compressed packet; and transmitting the compressed packet to a receiving device. In some embodiments, before compressing the frame, in response to determining that a size of the payload does not match a predefined size threshold: the payload is fragmented into a plurality of portions, wherein each portion satisfies the predefined size threshold, or the compressed packet is padded to the predefined size threshold via forward error correction padding information.

Abstract: A source access network device multicasts copies of a packet to multiple core switches, for switching to a same target access network device. The core switches are selected for the multicast based on a load balancing algorithm managed by a central controller. The target access network device receives at least one of the copies of the packet and generates at least metric indicative of a level of traffic congestion at the core switches and feeds back information regarding the recorded at least one metric to the controller. The controller adjusts the load balancing algorithm based on the fed back information for selection of core switches for a subsequent data flow.

Abstract: Protocol independent signal slotting and scheduling is provided by receiving a frame including a header and a payload for transmission; in response to determining that the frame matches a rule identifying the frame as part of a control loop, compressing the header according to the rule to produce a compressed packet of a predefined size that includes the compressed header and the payload; scheduling transmission of the compressed packet; and transmitting the compressed packet to a receiving device. In some embodiments, before compressing the frame, in response to determining that a size of the payload does not match a predefined size threshold: the payload is fragmented into a plurality of portions, wherein each portion satisfies the predefined size threshold, or the compressed packet is padded to the predefined size threshold via forward error correction padding information.

Abstract: A source access network device multicasts copies of a packet to multiple core switches, for switching to a same target access network device. The core switches are selected for the multicast based on a load balancing algorithm managed by a central controller. The target access network device receives at least one of the copies of the packet and generates at least metric indicative of a level of traffic congestion at the core switches and feeds back information regarding the recorded at least one metric to the controller. The controller adjusts the load balancing algorithm based on the fed back information for selection of core switches for a subsequent data flow.

Abstract: In one embodiment, a supervisory device for a software defined networking (SDN) fabric obtains telemetry data regarding congestion levels on a plurality of links in the SDN fabric. The supervisory device predicts seasonal congestion on a particular one of the plurality of links by using the telemetry data as input to a machine learning-based model. The supervisory device identifies a period of time associated with the predicted seasonal congestion on the particular link. The supervisory device initiates, in advance of the identified period of time, re-computation of equal-cost multi-path (ECMP) weights associated with the plurality of links that prevent occurrence of the predicted seasonal congestion on the particular link during the identified period of time.

Abstract: A source access network device multicasts copies of a packet to multiple core switches, for switching to a same target access network device. The core switches are selected for the multicast based on a load balancing algorithm managed by a central controller. The target access network device receives at least one of the copies of the packet and generates at least metric indicative of a level of traffic congestion at the core switches and feeds back information regarding the recorded at least one metric to the controller. The controller adjusts the load balancing algorithm based on the fed back information for selection of core switches for a subsequent data flow.

Abstract: In one embodiment, a supervisory device for a software defined networking (SDN) fabric obtains telemetry data regarding congestion levels on a plurality of links in the SDN fabric. The supervisory device predicts seasonal congestion on a particular one of the plurality of links by using the telemetry data as input to a machine learning-based model. The supervisory device identifies a period of time associated with the predicted seasonal congestion on the particular link. The supervisory device initiates, in advance of the identified period of time, re-computation of equal-cost multi-path (ECMP) weights associated with the plurality of links that prevent occurrence of the predicted seasonal congestion on the particular link during the identified period of time.

Abstract: A source access network device multicasts copies of a packet to multiple core switches, for switching to a same target access network device. The core switches are selected for the multicast based on a load balancing algorithm managed by a central controller. The target access network device receives at least one of the copies of the packet and generates at least metric indicative of a level of traffic congestion at the core switches and feeds back information regarding the recorded at least one metric to the controller. The controller adjusts the load balancing algorithm based on the fed back information for selection of core switches for a subsequent data flow.

Abstract: Techniques for providing a non-blocking fabric in a network are described. A network controller determines the network requirement for various network traffic types on the network and determines the allocation of resources across the network needed to establish a midlay, including midlay components on the network. The network controller then establishes the midlay on the network according to the determined allocation. At least one of the midlay components is a virtually non-blocking fabric for high-priority traffic or fully non-blocking fabric for deterministic traffic.

Abstract: A multihomed site includes in-site network nodes, and first and second gateways configured for providing access outside of the multihomed site. The network nodes and the gateways are configured for utilizing in-site addresses having an in-site address prefix that is not advertised outside of the prescribed site. Each gateway is configured for outputting an advertisement message into the multihomed site that specifies that the gateway is a home agent for a corresponding extra-site address prefix reachable inside and outside the multihomed site. Each in-site network node includes a mobile IP module configured for acquiring extra-site addresses from each of the advertised extra-site address prefixes, and creating mobile IP tunnels with the first and second gateways, enabling the corresponding extra-site address to be reachable via the in-site address. Each node also includes a selection resource for outputting a packet on a selected mobile IP tunnel, based on preference information.

Abstract: A network includes network nodes and a gateway. Each network node has a corresponding unique in-site IPv6 address for communication within a prescribed site, each in-site IPv6 address having a first IPv6 address prefix that is not advertised outside of the prescribed site. Network nodes can obtain from within the prescribed site a unique extra-site IPv6 address for mobile or extra-site communications. The extra-site IPv6 address has a second IPv6 address prefix, distinct from the first IPv6 address prefix, advertised by the gateway to the prescribed site and the wide area network. The gateway establishes a secure connection (e.g., tunnel) with each corresponding IPv6 node using its corresponding extra-site IPv6 address, and creates a corresponding binding cache entry specifying the corresponding extra-site IPv6 address and in-site IPv6 address. Hence, the gateway provides wide area network access while maintaining secrecy of the in-site IPv6 addresses.

Abstract: Each network node having at least one destination-oriented link toward a directed acyclic graph (DAG) destination can receive a corresponding set of path performance metrics via the destination-oriented link. The set of path performance metrics, initiated by the DAG destination outputting initial link metrics on each of its source-connecting links, identifies aggregate link metrics for a corresponding path to the DAG destination via the corresponding destination-oriented link. The network node outputs a corresponding updated set of path performance metrics on each of its source-connecting links based on the received set of path performance metrics and the corresponding link metric for the corresponding source-connecting link. Hence, each network node in the DAG can assess the performance of each connected path to the DAG destination, and forward a data packet via a selected destination-oriented link based on the corresponding path performance metrics and forwarding policies for the forwarded data packet.