Abstract: This disclosure describes techniques for performing application-based tagging. An example method is performed by a virtual socket of a device. The method includes receiving non-packetized data from an application, generating a label based on the application, and providing the non-packetized data and the label to a kernel of the device.

Abstract: In one embodiment, a service chain data packet is instrumented as it is communicated among network nodes in a network providing service-level and/or networking operations visibility. The service chain data packet includes a particular header identifying a service group defining one or more service functions, and is a data packet and not a probe packet. A network node adds networking and/or service-layer operations data to the particular service chain data packet, such as, but not limited to, in the particular header. Such networking operations data includes a performance metric or attribute related to the transport of the particular service chain packet in the network. Such service-layer operations data includes a performance metric or attribute related to the service-level processing of the particular service chain data packet in the network.

Abstract: The present disclosure includes methods, systems, and non-transitory computer-readable media for validating data in a data structure used for forwarding packets by a network device comprising sending a data packet probe identifying a destination and including a segment ID, wherein the segment ID maps to a first interpretation by a receiving router to perform an action on the data packet probe to rewrite a portion of a destination address in a header of the data packet probe, and to redirect the data packet probe to the network device that initiated the data packet probe.

Abstract: In one embodiment, a method herein comprises: establishing, by a process, a virtual private network connection (VPN connection) with a particular VPN gateway; requesting, by the process, observability monitoring through the particular VPN gateway, wherein requesting results in a controller being informed about the particular VPN gateway and a domain of the particular VPN gateway; receiving, by the process, test specifics from the controller based on the particular VPN gateway and the domain of the particular VPN gateway; and executing, by the process, one or more tests to the particular VPN gateway based on the test specifics.

Abstract: Techniques for identifying nodes in a data center fabric that are affected by a failure in the fabric, and selectively sending disaggregation advertisements to the nodes affected by the failure. The techniques include a process where a component monitors the network fabric to identify communication paths between leaf nodes, and determines what leaf nodes would be affected by a failure in those communication paths. The component may detect a failure in the network and determine which communication paths, and thus which leaf nodes, are affected by the failure and send disaggregation advertisements to the affected leaf nodes. In some examples, ingress leaf nodes send data through the fabric that indicate egress nodes for the communication paths. Intermediate nodes along may receive the data from the leaf nodes to identify communication paths, and the notify only affected nodes upon detecting a failure in the network.

Abstract: In one embodiment, an access policy enforcement service receives a user authentication request from an end-user device. The access policy enforcement service identifies a telemetry collection intent from the user authentication request. The access policy enforcement service determines a monitoring policy based on the telemetry collection intent identified from the user authentication request. The access policy enforcement service configures, according to the monitoring policy, one or more telemetry collection agents to collect telemetry for traffic associated with the end-user device.

Abstract: Techniques and apparatus for determining quality of experience (QoE) for wireless communications are described. One technique involves transmitting a QoE support message to an access point (AP) within an access network. The QoE support message queries whether the AP supports providing key performance indicators (KPI(s)) indicative of QoE provided by the access network. An indication of whether the AP supports providing the KPI(s) is received in response to the QoE support message. The KPI(s) are received when the AP supports providing the KPI(s). A determination is made whether to communicate with the AP based at least in part on the KPI(s). Communications are then performed in accordance with the determination.

Abstract: Techniques for policy-based failure handling of data that is received for processing by failed edge services are described herein. The techniques may include receiving, at an edge node of a network, a data handling policy for a service hosted on the edge node. The service may be configured to process traffic on behalf of an application hosted by a cloud-based platform. In some examples, the data handling policy may be stored in a memory that is accessible to the edge node. The techniques may also include receiving traffic at the edge node that is to be processed at least partially by the service. At least partially responsive to detecting an error associated with the service, the edge node may cause the traffic to be handled according to the data handling policy while the service is experiencing the error.

Abstract: A method, computer system, and computer program product are provided for controlling data access and visibility using a context-based security policy. A request from an endpoint device to receive data is received at a server, wherein the request includes one or more contextual attributes of the endpoint device including an identity of a user of the endpoint device. The one or more contextual attributes are processed to determine that the endpoint device is authorized to receive the data. A security policy is determined for the data based on the one or more contextual attributes. The data is transmitted, including the security policy, to the endpoint device, wherein the endpoint devices enforces the security policy to selectively permit access to the data by preventing the endpoint device from displaying the data to an unauthorized individual.

Abstract: A method, computer system, and computer program product are provided for decentralized machine learning. A plurality of computing networks are identified by determining that each computing network of the plurality of computing networks satisfies a predetermined number of criteria. A decentralized learning agent is provided to each computing network, wherein the decentralized learning agent is provided with input parameters for training and is trained using training data associated with a computing network to which the decentralized learning agent is provided. A plurality of learned parameters are obtained from the plurality of computing networks, wherein each learned parameter of the plurality of learned parameters is obtained by training the decentralized learning agent provided to each respective computing network. A global model is generated based on the plurality of learned parameters.

Abstract: In one example, a controller obtains a request to store an object-based storage object and identifies a data sovereignty policy identifier associated with the object-based storage object. The controller queries a data sovereignty policy manager for a data sovereignty policy associated with the data sovereignty policy identifier and obtains, from the data sovereignty policy manager, an indication of the data sovereignty policy. The controller stores the object-based storage object in compliance with the data sovereignty policy.

Abstract: Federated multi-access edge computing availability notifications may be provided by: transmitting, from a User Equipment (UE) to an Access Point (AP) of a wireless network, an attach request for the wireless network that includes authentication credentials for an identity provider independent from the wireless network to authenticate the UE to the wireless network; receiving, at the UE via the AP, an authentication success message for the wireless network from the independent identity provider; transmitting, from the UE to the AP, a Multi-access Edge Computing (MEC) query; and receiving, at the UE from the AP, a MEC response that identifies MEC resources that are available to the UE based on an identity for the UE confirmed by the identity provider to the wireless network.

Abstract: Techniques are presented for evaluating Equal Cost Multi-Path (ECMP) performance in a network that includes a plurality of nodes. According to an example embodiment, a method is provided that includes obtaining information indicating equal cost multi-path (ECMP) paths in the network and a branch node in the network. For the branch node in the network, the method includes instantiating a virtual network function that simulates an ECMP hashing algorithm employed by the branch node to select one of multiple egress interface of the branch node; providing to the virtual network function for the branch node, a query containing entropy information as input to the ECMP hashing algorithm that returns interface selection results; and obtaining from the virtual network function a reply that includes the interface selection results. The method further includes evaluating ECMP performance in the network based on the interface selection results obtained for the branch node.

Abstract: Functionality for creating a bit routing table for use in a bit-indexed explicit replication (“BIER”) environment in disclosed herein. In one embodiment, this functionality includes receiving information from a host, and determining whether the information comprises a MAC address that is a bit-indexed explicit replication (“BIER”) MAC address. In response to determining that the information comprises a BIER MAC address, this functionality creates an entry corresponding to the MAC address in a bit routing table. This functionality also analyzes the information to determine a bit position that is associated with the host, and also determines a port via which the host is reachable. The functionality updates the bit routing table by storing information identifying the bit position and the port in the entry, such that the bit position and the port both correspond to the MAC address. This functionality can be used to route packets in a BIER environment.

Abstract: Aggregation of cross domain service level indications provide an estimate of available end to end error budget within a service chain of a network system. In some embodiments, service level indications are obtained from a plurality of sub-domains, and aggregated to determine an end to end reliability score. The end to end reliability score is then distributed one or more of the sub-domains. The sub-domains then consider whether to implement a change based on local service level indications as well as the end to end reliability score. In other embodiments, a sub-domain requests approval to implement a change from an error manager. The error manager consults the end to end reliability score to determine whether adequate margin exists in the service chain to allow the change to occur, while still meeting service level objectives of the service chain. The error manager conditionally approves the request based on the determination.

Abstract: Aspects of the disclosure include a method and associated network device. The method includes authenticating an identity of a user of a client device after the client device is associated with an access network provider. Authenticating the identity of the user comprises receiving, from an identity provider, a credential associated with the identity, and receiving, from the identity provider, information identifying a network-based service to be applied to network traffic with the client device. The method further includes establishing, using the credential and the received information, a secure connection between the access network provider and a service provider that is capable of providing the network-based service. The method further includes receiving network traffic from the service provider. Packets of the network traffic include an assurance value that enables the client device to determine that the network-based service is being provided by the service provider.

Abstract: A node of a network configured to forward packets based on network programming instructions encoded in the packets, performs a method. The method includes generating a probe packet encoded with a replication network programming instruction. The replication network programming instruction is configured to validate equal-cost multi-path (ECMP) routing in the network from the node to a destination by remotely triggering transit nodes of the network, that are traversed by the probe packet, to each perform replicate-and-forward actions. The replicate-and-forward actions include: identifying ECMP paths toward the destination; generating, for the ECMP paths, replicated probe packets that each include the replication network programming instruction; and forwarding the replicated probe packets along the ECMP paths. The method further includes forwarding the probe packet toward the destination.

Abstract: A method of orchestrating one or more radio resources among various services executing within a container. The method includes obtaining, by an orchestration engine executing on a network device, a request, from a first service of a plurality of services, for use of a physical/hardware resource that connects a container running on the network device to a network. The request from the first service has a particular priority. The plurality of services execute within the container. The method further includes determining whether to connect the first service to the network via the physical/hardware resource based on the priority and an availability status of the physical/hardware resource and establishing, at a kernel level, a connection between the first service and the physical/hardware resource based on the determining.

Abstract: This disclosure describes techniques for implementing centralized path computation for routing in hybrid information-centric networking protocols implemented as a virtual network overlay. A method includes receiving an interest packet header from a forwarding router node of a network overlay. The method further includes determining an interest path of the interest packet and one or more destination router nodes of the network overlay. The method further includes computing one or more paths over the network overlay. The method further includes determining an addressing method for the one or more computed paths over the network overlay. The method further includes performing at least one of encoding each computed path in a data packet header, and encoding each computed path as state entries of each router node of the network overlay on each respective path. The method further includes returning the computed path information to the forwarding router node.

Abstract: Techniques are presented for evaluating Equal Cost Multi-Path (ECMP) performance in a network that includes a plurality of nodes. According to an example embodiment, a method is provided that includes obtaining information indicating equal cost multi-path (ECMP) paths in the network and a branch node in the network. For the branch node in the network, the method includes instantiating a virtual network function that simulates an ECMP hashing algorithm employed by the branch node to select one of multiple egress interface of the branch node; providing to the virtual network function for the branch node, a query containing entropy information as input to the ECMP hashing algorithm that returns interface selection results; and obtaining from the virtual network function a reply that includes the interface selection results. The method further includes evaluating ECMP performance in the network based on the interface selection results obtained for the branch node.