Patents by Inventor Prashanth Patil

Prashanth Patil has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10050870
    Abstract: A service classifier network device receives a subflow and identifies that the subflow is one of at least two subflows in a multipath data flow. Related data packets are sent from a source node to a destination node in the multipath data flow. The service classifier generates a multipath flow identifier and encapsulates the subflow with a header to produce an encapsulated first subflow. The header identifies a service function path and includes metadata with the multipath flow identifier.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: August 14, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing, James Neil Guichard
  • Publication number: 20180205643
    Abstract: In one embodiment, a service function classifier device determines a classification of a packet using one or more packet classification rules. The device selects a service function path based on the classification of the packet. The device determines one or more traffic flow characteristics based on the classification of the packet. The device generates a service function chaining (SFC) header that identifies the selected service function path and the determined one or more traffic flow characteristics. The SFC header is configured to cause a device along the service function path to forward the encapsulated packet based on the identified service function path and the determined one or more traffic flow characteristics. The device sends the packet along the selected service function path as an encapsulated packet that includes the generated SFC header.
    Type: Application
    Filed: March 15, 2018
    Publication date: July 19, 2018
    Inventors: Prashanth Patil, K. Tirumaleswar Reddy, Gonzalo Salgueiro, James N. Guichard, Carlos M. Pignataro
  • Publication number: 20180205734
    Abstract: In one embodiment, a browser operating on a host device receives, from a user, a request to access a web server that includes a Uniform Resource Locator (URL) associated with the web server. In response, the browser sends, to a Domain Name System (DNS) server, a request for an Internet Protocol (IP) address correlated with the domain hosting the URL, and receives, from the DNS server, a response that comprises a block policy IP address and an appropriate error code. Based on this IP address and the error code indicated in the response, the browser renders an access denied page indicating that access to the web server associated with the URL is not permitted, wherein at least a portion of the access denied page is stored in memory accessible to the browser prior to sending the request for the IP address correlated with the domain that is hosting the URL.
    Type: Application
    Filed: January 18, 2017
    Publication date: July 19, 2018
    Inventors: Daniel G. Wing, K. Tirumaleswar Reddy, Prashanth Patil
  • Patent number: 10015208
    Abstract: A first service node receives a message configured to set up a secure communication session between a client and a server, in which the first service node acts as a proxy. Data packets in the secure communication session are subject to multiple service functions that require decryption of the data packets. A service function chain assigns a service node to each of the service functions. A service header is generated including metadata instructing the service nodes other than the first service node not to act as proxies in the secure communication session. The message and the service header are transmitted to a second service node in the service function chain.
    Type: Grant
    Filed: June 9, 2015
    Date of Patent: July 3, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Prashanth Patil, Tirumaleswar Reddy, Daniel G. Wing, James Guichard
  • Patent number: 10009336
    Abstract: In one embodiment, a Domain Name Service (DNS) server pre-fetches domain information regarding a domain that includes certificate information for the domain. The DNS server receives a DNS request that includes a security request for the domain in metadata of a Network Service Header (NSH) of the DNS request. The DNS server retrieves the certificate information for the domain from the pre-fetched information regarding the domain, in response to receiving the security request. The DNS server sends, to a Transport Layer Security (TLS) proxy, a DNS response for the domain that includes the certificate information in metadata of an NSH of the DNS response.
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: June 26, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Publication number: 20180159894
    Abstract: Presented herein are techniques for mitigating a distributed denial of service attack. A method includes, at a network security device, such as a firewall, monitoring network traffic, flowing through the firewall, destined for a network device, determining whether the network traffic is below a predetermined amount, while the network traffic is below the predetermined amount, sending to the network device a plurality of probes, receiving responses from the network device in response to the probes, and setting one or more thresholds for subsequent traffic destined for the network device based on the responses received from the network device.
    Type: Application
    Filed: December 1, 2016
    Publication date: June 7, 2018
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Patent number: 9985906
    Abstract: In one embodiment, a device in an access network receives network condition data regarding the access network and requested flow characteristic data. The requested flow characteristic data is indicative of one or more flow characteristics requested by one or more subscribers for different periods of time. The device trains a machine learning-based classifier using the network condition data and the request flow characteristic data and receives a particular flow characteristic request from a particular subscriber node. The particular request indicates one or more requested flow characteristics for a specified time period. The device determines a probability of the access network being able to accommodate the particular flow characteristic request by classifying the particular flow characteristic request using the trained classifier. The device sends a flow characteristic response to the node of the particular subscriber node based on the determined probability.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: May 29, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Patent number: 9954774
    Abstract: In one embodiment, a service function classifier device determines a classification of a packet using one or more packet classification rules. The device selects a service function path based on the classification of the packet. The device determines one or more traffic flow characteristics based on the classification of the packet. The device generates a service function chaining (SFC) header that identifies the selected service function path and the determined one or more traffic flow characteristics. The SFC header is configured to cause a device along the service function path to forward the encapsulated packet based on the identified service function path and the determined one or more traffic flow characteristics. The device sends the packet along the selected service function path as an encapsulated packet that includes the generated SFC header.
    Type: Grant
    Filed: March 10, 2016
    Date of Patent: April 24, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Prashanth Patil, K. Tirumaleswar Reddy, Gonzalo Salgueiro, James N. Guichard, Carlos M. Pignataro
  • Publication number: 20180097740
    Abstract: In one embodiment, a device in an access network receives network condition data regarding the access network and requested flow characteristic data. The requested flow characteristic data is indicative of one or more flow characteristics requested by one or more subscribers for different periods of time. The device trains a machine learning-based classifier using the network condition data and the request flow characteristic data and receives a particular flow characteristic request from a particular subscriber node. The particular request indicates one or more requested flow characteristics for a specified time period. The device determines a probability of the access network being able to accommodate the particular flow characteristic request by classifying the particular flow characteristic request using the trained classifier. The device sends a flow characteristic response to the node of the particular subscriber node based on the determined probability.
    Type: Application
    Filed: October 3, 2016
    Publication date: April 5, 2018
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Patent number: 9912480
    Abstract: A network service packet (NSP) header security method includes receiving an NSP on a communication interface, analyzing, by a processor, the NSP in order to identify a plurality of service functions and an associated service function path for the plurality of service functions, identifying, by the processor, which security function or functions may be performed by each of the plurality of service functions on an NSP header to be generated for the NSP, requesting, by the processor, at least one key for securing at least part of the NSP header, receiving the at least one key on the communication interface, generating, by the processor, the NSP header for the NSP, securing, by the processor, the NSP header based on the at least one key, and sending, on the communication interface, the NSP with the NSP header to one of the plurality of service functions.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: March 6, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Paul Quinn, Scott Fluhrer, Jim Guichard, Tirumaleswar Reddy, Prashanth Patil, David Ward
  • Publication number: 20180019978
    Abstract: A media distribution network device connects to an online collaborative session between a first participant network device, a second participant network device, and a security participant network device. The security participant network device is configured to decrypt packets of the online collaborative session to apply security policies to the packets. An encrypted packet is received at the media distribution network device. The encrypted packet is received from the first participant network device containing data to be distributed as part of the online collaborative session. The encrypted packet is distributed to the security participant network device prior to distributing the encrypted packet to the second participant network device.
    Type: Application
    Filed: July 15, 2016
    Publication date: January 18, 2018
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing, Ram Mohan Ravindranath
  • Publication number: 20180013585
    Abstract: A network node in a service function chaining system receives a media stream from an endpoint device. The media stream is associated with a media session between the endpoint and at least one other endpoint. The network node determines a path for the media stream. The path includes an ordered list of functions to process the media stream. The network node determines a session identifier for the media stream and encapsulates the media stream with a header. The header includes an indication of the path and the session identifier.
    Type: Application
    Filed: September 22, 2017
    Publication date: January 11, 2018
    Inventors: Gonzalo Salgueiro, Prashanth Patil, K. Tirumaleswar Reddy, Carlos M. Pignataro
  • Publication number: 20170374090
    Abstract: In one embodiment, a device in a network receives traffic data regarding one or more traffic flows in the network. The device applies a machine learning classifier to the traffic data. The device determines a priority for the traffic data based in part on an output of the machine learning classifier. The output of the machine learning classifier comprises a probability of the traffic data belonging to a particular class. The device stores the traffic data for a period of time that is a function of the determined priority for the traffic data.
    Type: Application
    Filed: June 23, 2016
    Publication date: December 28, 2017
    Inventors: David McGrew, Blake Harrell Anderson, K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Patent number: 9843505
    Abstract: A computer-implemented method includes sending a first request message to a first server associated with a first access network indicative of a request for an indication of whether the first server is configured to support prioritization of tunneled traffic, receiving a first response message from the first server indicative of whether the first server is configured to support prioritization of tunneled traffic, establishing one or more first tunnels with a security service when the first response message is indicative that the first server is configured to support prioritization of tunneled traffic, sending first flow characteristics and a first tunnel identifier to the first server; and receiving the first flow characteristics for each first tunnel from the first server at a first network controller. The first network controller is configured to apply a quality of service policy within the first access network for each tunnel in accordance with the flow characteristics.
    Type: Grant
    Filed: May 28, 2015
    Date of Patent: December 12, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing, Ram Mohan Ravindranath, William C. VerSteeg, Charles U. Eckel
  • Publication number: 20170346855
    Abstract: A local network element on an enterprise network caches Domain Name System (DNS) responses in association with user identifiers in accordance with a DNS-based access control policy. The network element receives a DNS request from a first endpoint device. The DNS request includes a domain name to resolve. The network element forwards the DNS request to a domain name server along with a first user identifier associated with the first endpoint device. The network element receives a DNS response from the domain name server. The DNS response includes a network address associated with the domain name, as well as the first user identifier and at least one other user identifier. The network element stores the network address in a DNS cache as a cached DNS response for the domain name. The cached DNS response is stored in association with the first user identifier and the other user identifier(s).
    Type: Application
    Filed: May 26, 2016
    Publication date: November 30, 2017
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Publication number: 20170339130
    Abstract: In one embodiment, a Domain Name Service (DNS) server pre-fetches domain information regarding a domain that includes certificate information for the domain. The DNS server receives a DNS request that includes a security request for the domain in metadata of a Network Service Header (NSH) of the DNS request. The DNS server retrieves the certificate information for the domain from the pre-fetched information regarding the domain, in response to receiving the security request. The DNS server sends, to a Transport Layer Security (TLS) proxy, a DNS response for the domain that includes the certificate information in metadata of an NSH of the DNS response.
    Type: Application
    Filed: May 18, 2016
    Publication date: November 23, 2017
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Publication number: 20170331780
    Abstract: An optimized approach to whitelisting includes, at a domain name service server, determining whether a first domain and a second domain resolve to a same Internet Protocol (IP) address, and in response to a request from a domain name service proxy as to whether the first domain resolves to an IP address shared by another domain, notifying the domain name service proxy that the first domain resolves to an IP address shared by another domain. The method further includes the domain name service proxy receiving from the domain name service server a response that indicates that the first domain resolves to an IP address shared by another domain, and storing, in memory, the IP address and an indication that the IP address is shared by another domain. A data flow associated with a shared IP address is subjected to further scrutiny even if the IP address is on a whitelist.
    Type: Application
    Filed: May 12, 2016
    Publication date: November 16, 2017
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Publication number: 20170331854
    Abstract: In one embodiment, a distributed denial of service attack on a network is identified. In response to the distributed denial of service attack, a script to request a short term certificate is executed. The short term certificate is generated by a certificate server and received either directly or indirectly from the certificate server. An instruction to redirect traffic using the short term certificate and private key is sent to a distributed denial of service attack protection service that is operable to filter or otherwise mitigate malicious traffic involved in the distributed denial of service attack.
    Type: Application
    Filed: May 11, 2016
    Publication date: November 16, 2017
    Inventors: Tirumaleswar Reddy, Daniel Wing, Prashanth Patil
  • Patent number: 9819512
    Abstract: A classifier node in a service function chaining system receives a media stream from an endpoint device. The media stream is associated with a media session between the endpoint and at least one other endpoint. The classifier node determines a service function path for the media stream. The service function path includes an ordered list of service functions to process the media stream. The classifier node determines a session identifier for the media stream and encapsulates the media stream with a Network Service Header. The Network Service Header includes an indication of the service function path and a metadata header with the session identifier.
    Type: Grant
    Filed: January 6, 2016
    Date of Patent: November 14, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Gonzalo Salgueiro, Prashanth Patil, K. Tirumaleswar Reddy, Carlos M. Pignataro
  • Publication number: 20170264537
    Abstract: In one embodiment, a service function classifier device determines a classification of a packet using one or more packet classification rules. The device selects a service function path based on the classification of the packet. The device determines one or more traffic flow characteristics based on the classification of the packet. The device generates a service function chaining (SFC) header that identifies the selected service function path and the determined one or more traffic flow characteristics. The SFC header is configured to cause a device along the service function path to forward the encapsulated packet based on the identified service function path and the determined one or more traffic flow characteristics. The device sends the packet along the selected service function path as an encapsulated packet that includes the generated SFC header.
    Type: Application
    Filed: March 10, 2016
    Publication date: September 14, 2017
    Inventors: Prashanth Patil, K. Tirumaleswar Reddy, Gonzalo Salgueiro, James N. Guichard, Carlos M. Pignataro