Patents by Inventor Reda Haddad

Reda Haddad has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11985228
    Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for configuration payload separation policies. According to at least one example, a method is provided for device function. The method includes: during a boot sequence of a network device, generating a unique key for encrypting and decrypting data; identifying a secure location in the network device for storing the unique key; storing the unique key in the secure location; encrypting a configuration payload with the unique key; storing the encrypted configuration payload in an external non-volatile memory; and, in response to a request to access data within the configuration payload, decrypting the encrypted configuration payload using the unique key.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: May 14, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Frédéric René Philippe Detienne, Reda Haddad, Ryan Joseph Jaques
  • Patent number: 11978063
    Abstract: According to certain embodiments, a method performed by a device comprises obtaining, from a plurality of hardware modules of the device, a plurality of serial numbers associated with the plurality of hardware modules. Each hardware module is associated with a respective serial number. The method further comprises obtaining, from a provisioning system, one or more ownership vouchers corresponding to the plurality of serial numbers. The method further comprises verifying, for each hardware module of the plurality of hardware modules, whether to trust said hardware module based at least in part on the one or more ownership vouchers.
    Type: Grant
    Filed: April 12, 2022
    Date of Patent: May 7, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Naren Mudivarthy, Reda Haddad
  • Publication number: 20240086205
    Abstract: Techniques and architecture are described for validating and verifying iPXE scripts prior to execution during a booting process. During the booting process of a network device, right after the UEFI/BIOS stage of the booting process, a trusted iPXE script may make a request to a network server for the ownership voucher and owner certificate of the network device. The ownership voucher and owner certificate may then be stored in a trusted platform module (TPM) on the network device. In configurations, the retrieved owner certificate may be validated by the ownership voucher. The owner certificate may be used to validate iPXE scripts. Once validated, the iPXE scripts may be executed and the booting process may be continued to the kernel loading step and the application loading step. During a subsequent booting process of the network device, the ownership voucher and owner certificate may be retrieved from the TPM.
    Type: Application
    Filed: September 13, 2022
    Publication date: March 14, 2024
    Inventors: Reda Haddad, Martin Edward Ramsdale, Srihari Raghavan, Jabir Hamediya Mohammed, Sandesh K. Rao
  • Publication number: 20230394493
    Abstract: In one embodiment, methods for mediated transfer of ownership are described. The method may include receiving a request for an ownership voucher from a device, validating an identifier of the device, determining whether to issue the ownership voucher, generating a signed ownership voucher, and sending the signed ownership voucher to the device. In another embodiment, methods for unmediated transfer of ownership are described, including receiving an ownership voucher associated with a first ownership certificate, determining whether the ownership voucher comprises a signature associated with a manufacturer, based at least in part on determining that the signature of the manufacturer is absent, determining that a second ownership certificate is stored in memory, determining that the second ownership certificate comprises a signature associated with a user, validating the ownership voucher; and based at least in part on the validating, enrolling the first ownership certificate on the network device.
    Type: Application
    Filed: June 2, 2022
    Publication date: December 7, 2023
    Inventors: Sandesh K. Rao, Reda Haddad, Srihari Raghavan, Jabir Hamediya Mohammed
  • Publication number: 20230370454
    Abstract: Techniques and architecture are described for providing a configurable security posture for a network device using an extended ownership artifact, e.g., an ownership voucher, an ownership certificate, etc., and a security profile mechanism that scales to user needs and desires for security profiles on network devices, i.e., easily and securely customizable on thousands of nodes of a network. The configurable security posture may be achieved using the manufacturer authorized signing authority (MASA) to issue an ownership voucher with a security bit extension to support security profile additions. Using the MASA service, a user may explicitly decide on various security postures of a given network device and may apply that profile across the fixed or modular chassis of a network of network devices.
    Type: Application
    Filed: May 16, 2022
    Publication date: November 16, 2023
    Inventors: Jabir Hamediya Mohammed, Reda Haddad, Srihari Raghavan, Sandesh K. Rao
  • Publication number: 20230325848
    Abstract: According to certain embodiments, a method performed by a device comprises obtaining, from a plurality of hardware modules of the device, a plurality of serial numbers associated with the plurality of hardware modules. Each hardware module is associated with a respective serial number. The method further comprises obtaining, from a provisioning system, one or more ownership vouchers corresponding to the plurality of serial numbers. The method further comprises verifying, for each hardware module of the plurality of hardware modules, whether to trust said hardware module based at least in part on the one or more ownership vouchers.
    Type: Application
    Filed: April 12, 2022
    Publication date: October 12, 2023
    Inventors: Naren Mudivarthy, Reda Haddad
  • Patent number: 11611496
    Abstract: A remote server monitors the health of a network of computing devices through hierarchical composite indicators by obtaining performance attributes from computing devices in the network. The server generates a composite indicator associated with one or more of the computing devices based on a combination of at least two performance attributes of the computing device(s). The server monitors the composite indicator and, responsive to a determination that the composite indicator indicates an alert condition, generates an alert associated with the computing device(s). Additionally, if the alert condition is subject to remediation, the server causes at least one of the computing devices to execute a command to provide remediation of the alert condition.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: March 21, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Scott Zhenlong Huang, Reda Haddad, Venkatabalakrishnan Krishnamurthy, Selvakumaran N. Subramanian
  • Publication number: 20230034615
    Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for configuration payload separation policies. According to at least one example, a method is provided for device function. The method includes: during a boot sequence of a network device, generating a unique key for encrypting and decrypting data; identifying a secure location in the network device for storing the unique key; storing the unique key in the secure location; encrypting a configuration payload with the unique key; storing the encrypted configuration payload in an external non-volatile memory; and, in response to a request to access data within the configuration payload, decrypting the encrypted configuration payload using the unique key.
    Type: Application
    Filed: July 30, 2021
    Publication date: February 2, 2023
    Inventors: Frédéric René Philippe Detienne, Reda Haddad, Ryan Joseph Jaques
  • Patent number: 11271835
    Abstract: A remote server monitors a network of computing devices through hierarchical composite indicators by obtaining telemetry data from a computing device in a network of computing devices. The telemetry data includes performance attributes of the computing device. The server generates a composite indicator associated with the computing device based on a combination of at least two performance attributes of the computing device. The server monitors the composite indicator and, responsive to a determination that the composite indicator meets an alert threshold, generates an alert associated with the computing device. Additionally, the server can monitor the health of the network of computing devices based on composite indicators from multiple computing devices in the network.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: March 8, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Scott Zhenlong Huang, Reda Haddad, Venkatabalakrishnan Krishnamurthy, Selvakumaran N. Subramanian
  • Publication number: 20210243097
    Abstract: A remote server monitors the health of a network of computing devices through hierarchical composite indicators by obtaining performance attributes from computing devices in the network. The server generates a composite indicator associated with one or more of the computing devices based on a combination of at least two performance attributes of the computing device(s). The server monitors the composite indicator and, responsive to a determination that the composite indicator indicates an alert condition, generates an alert associated with the computing device(s). Additionally, if the alert condition is subject to remediation, the server causes at least one of the computing devices to execute a command to provide remediation of the alert condition.
    Type: Application
    Filed: April 22, 2021
    Publication date: August 5, 2021
    Inventors: Scott Zhenlong Huang, Reda Haddad, Venkatabalakrishnan Krishnamurthy, Selvakumaran N. Subramanian
  • Publication number: 20200358683
    Abstract: A remote server monitors a network of computing devices through hierarchical composite indicators by obtaining telemetry data from a computing device in a network of computing devices. The telemetry data includes performance attributes of the computing device. The server generates a composite indicator associated with the computing device based on a combination of at least two performance attributes of the computing device. The server monitors the composite indicator and, responsive to a determination that the composite indicator meets an alert threshold, generates an alert associated with the computing device. Additionally, the server can monitor the health of the network of computing devices based on composite indicators from multiple computing devices in the network.
    Type: Application
    Filed: October 29, 2019
    Publication date: November 12, 2020
    Inventors: Scott Zhenlong Huang, Reda Haddad, Venkatabalakrishnan Krishnamurthy, Selvakumaran N. Subramanian
  • Patent number: 9577874
    Abstract: A method is disclosed that is implemented by a router for executing an internet protocol fast reroute process in response to a network event invalidating a current route to a destination node without degrading forwarding plane functionality or performance caused by indirect forwarding information base lookups. The method comprises a set of steps including receiving or generating the network event by the router, the network event associated with a network event identifier and looking up the network event identifier in an event table to determine routes that are affected by the network event. The method further includes determining whether a route with a fast reroute forwarding object is affected by the network event in the routing information base and overwriting a current next hop forwarding object using a backup next hop forwarding object in the forwarding information base.
    Type: Grant
    Filed: May 24, 2013
    Date of Patent: February 21, 2017
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Pramodh D'Souza, Lars Ernström, Reda Haddad, Evgeny Tantsura, Jakob Heitz
  • Publication number: 20140269261
    Abstract: A method is disclosed that is implemented by a router for executing an internet protocol fast reroute process in response to a network event invalidating a current route to a destination node without degrading forwarding plane functionality or performance caused by indirect forwarding information base lookups. The method comprises a set of steps including receiving or generating the network event by the router, the network event associated with a network event identifier and looking up the network event identifier in an event table to determine routes that are affected by the network event. The method further includes determining whether a route with a fast reroute forwarding object is affected by the network event in the routing information base and overwriting a current next hop forwarding object using a backup next hop forwarding object in the forwarding information base.
    Type: Application
    Filed: May 24, 2013
    Publication date: September 18, 2014
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Pramodh D'Souza, Lars Ernström, Reda Haddad, Evgeny Tantsura, Jakob Heitz
  • Patent number: 8549146
    Abstract: A load balancer dynamically load balances packets for network connections between clients and servers. When receiving a packet from a client that requests a new connection, the load balancer checks the current load of all the servers and selects the server most suitable to handle the new connection. The load balancer then forwards that packet to the selected server. If the server accepts the request for the new connection, then the server responds with an acknowledgement packet. The acknowledgement packet also includes the server's blade identification that the client uses for all subsequent packets on the accepted connection. When the load balancer receives a packet containing the blade identification, the load balancer forwards the packet to the server corresponding to the blade identification. Backup load balancers can therefore continue packet forwarding services in a smooth and efficient manner.
    Type: Grant
    Filed: January 28, 2010
    Date of Patent: October 1, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Vladica Stanisic, James Arthur Davis, Tobias Karlsson, Reda Haddad, Mahmood Hossain
  • Publication number: 20110185065
    Abstract: A load balancer dynamically load balances packets for network connections between clients and servers. When receiving a packet from a client that requests a new connection, the load balancer checks the current load of all the servers and selects the server most suitable to handle the new connection. The load balancer then forwards that packet to the selected server. If the server accepts the request for the new connection, then the server responds with an acknowledgement packet. The acknowledgement packet also includes the server's blade identification that the client uses for all subsequent packets on the accepted connection. When the load balancer receives a packet containing the blade identification, the load balancer forwards the packet to the server corresponding to the blade identification. Backup load balancers can therefore continue packet forwarding services in a smooth and efficient manner.
    Type: Application
    Filed: January 28, 2010
    Publication date: July 28, 2011
    Inventors: Vladica Stanisic, James Arthur Davis, Tobias Karlsson, Reda Haddad, Mahmood Hossain
  • Patent number: 7724663
    Abstract: A packet switched node (router), a queuing system and a method for queuing packets are described herein that use tags and manipulate counters in a manner that eliminates the reordering of the packets after a Quality of Service (QoS) class had been altered in one or more of the packets.
    Type: Grant
    Filed: February 15, 2008
    Date of Patent: May 25, 2010
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Hossein Arefi, Venugopalan Ullanatt, Reda Haddad
  • Patent number: 7697540
    Abstract: The present invention relates to a router (e.g., intermediate router) and a method that queues and services an upgraded/downgraded packet and a plurality of other packets all of which are part of a flow in a manner that eliminates the reordering of the packets. In one embodiment, the router and method queues and services the packets by handing-off a token from an upgraded/downgraded packet to a head-of-line packet which is forwarded to a downstream router. In another embodiment, the router and method queues and services the packets without handing-off a token from an upgraded/downgraded packet to a head-of-line packet which is forwarded to a downstream router.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: April 13, 2010
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Reda Haddad, Venugopalan Ullanatt, Hossein Arefi
  • Patent number: 7512132
    Abstract: A network is described herein which includes a node and a downstream node where the node is capable of altering a Quality of Service (QoS) class of one client (packet) which is associated with a plurality of clients (packets) in a manner such that when the downstream node receives and processes the altered client and the associated clients it will not reorder the altered client and the associated clients.
    Type: Grant
    Filed: September 8, 2004
    Date of Patent: March 31, 2009
    Assignee: Telefonaktiebolaget L M Ericsson (PUBL)
    Inventor: Reda Haddad
  • Publication number: 20080192764
    Abstract: A packet switched node (router), a queuing system and a method for queuing packets are described herein that use tags and manipulate counters in a manner that eliminates the reordering of the packets after a Quality of Service (QoS) class had been altered in one or more of the packets.
    Type: Application
    Filed: February 15, 2008
    Publication date: August 14, 2008
    Inventors: Hossein Arefi, Venugopalan Ullanatt, Reda Haddad
  • Publication number: 20070147237
    Abstract: The present invention relates to a router (e.g., intermediate router) and a method that queues and services an upgraded/downgraded packet and a plurality of other packets all of which are part of a flow in a manner that eliminates the reordering of the packets. In one embodiment, the router and method queues and services the packets by handing-off a token from an upgraded/downgraded packet to a head-of-line packet which is forwarded to a downstream router. In another embodiment, the router and method queues and services the packets without handing-off a token from an upgraded/downgraded packet to a head-of-line packet which is forwarded to a downstream router.
    Type: Application
    Filed: December 20, 2006
    Publication date: June 28, 2007
    Inventors: Reda Haddad, Venugopalan Ullanatt, Hossein Arefi