Abstract: In one embodiment, a device in a network receives traffic sent via a service function chain (SFC). The device models one or more behavioral characteristics of the traffic using a machine learning-based service function in the SFC. The device causes a change to the SFC based on the modeled one or more behavioral characteristics of the traffic.

Abstract: In one embodiment, a router located at an exit edge of an autonomous system (AS) receives a data packet in a data plane, and determines a destination of the data packet and an associated AS-path information to the destination. The router may then insert the AS-path information into the data packet, and forwards the data packet with the AS-path information toward the destination, such that a receiving device in a destination AS can validate whether the data packet was routed through a path that was secure from a control plane perspective based on a collection of one or more insertions of AS-path information.

Abstract: In one embodiment, a validation server in a computer network determines that an edge router of the computer network has blocked access to a desired server address based on the edge router not having authentication information for the desired server address. In response, the server creates a white-listing policy to temporarily allow access to the desired server address at the edge router, and sends the white-listing policy to the edge router. The validation server may then proceed with performing server fetching operations to the desired server address from the validation server while the white-listing policy is in effect, and instructs the edge device to remove the white-listing policy once the server fetching operations are completed.

Abstract: In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.

Abstract: In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.

Abstract: In one embodiment, a validation server in a computer network determines that an edge router of the computer network has blocked access to a desired server address based on the edge router not having authentication information for the desired server address. In response, the server creates a white-listing policy to temporarily allow access to the desired server address at the edge router, and sends the white-listing policy to the edge router. The validation server may then proceed with performing server fetching operations to the desired server address from the validation server while the white-listing policy is in effect, and instructs the edge device to remove the white-listing policy once the server fetching operations are completed.

Abstract: In one embodiment, a router located at an exit edge of an autonomous system (AS) receives a data packet in a data plane, and determines a destination of the data packet and an associated AS-path information to the destination. The router may then insert the AS-path information into the data packet, and forwards the data packet with the AS-path information toward the destination, such that a receiving device in a destination AS can validate whether the data packet was routed through a path that was secure from a control plane perspective based on a collection of one or more insertions of AS-path information.

Abstract: A response to a Domain Name System (DNS) query can be protected with authentication information to be used by a host that originated the query. In one example, a DNS server is not among servers that can be authenticated by the Domain Name System Security Extensions (DNSSEC). The DNS server generates a public-private key pair and uses the private key for signing DNS resolutions. The corresponding public key can be distributed to hosts that will communicate with the DNS server. In various implementations, the public key is distributed by the DNS server and/or routers or as part of a neighbor discovery interaction. In one example, the public key is distributed in certificate path advertisements of the IPv6 Secure Neighbor Discovery Protocol (SEND) protocol.

Abstract: A response to a Domain Name System (DNS) query can be protected with authentication information to be used by a host that originated the query. In one example, a DNS server is not among servers that can be authenticated by the Domain Name System Security Extensions (DNSSEC). The DNS server generates a public-private key pair and uses the private key for signing DNS resolutions. The corresponding public key can be distributed to hosts that will communicate with the DNS server. In various implementations, the public key is distributed by the DNS server and/or routers or as part of a neighbor discovery interaction. In one example, the public key is distributed in certificate path advertisements of the IPv6 Secure Neighbor Discovery Protocol (SEND) protocol.