Patents by Inventor Stephen Michael Orr

Stephen Michael Orr has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220386111
    Abstract: A network controller provides proactive notification of a wireless client device's address rotation to layer 2 (L2) and/or layer 3 (L3) devices. Traditional methods of device address discovery rely on broadcasting of address queries across a plurality of links until a path to a device having the queried address responds. As device address changes become more frequent in an effort to improve user privacy, traditional methods of address discovery impose a large burden on networks, reducing their performance and efficiency. By proactively propagating address changes to upstream devices, the need for broadcast-oriented address discovery techniques is reduced, resulting in improved network performance.
    Type: Application
    Filed: May 25, 2021
    Publication date: December 1, 2022
    Inventors: Robert E. Barton, Jerome Henry, Stephen Michael Orr
  • Publication number: 20220386117
    Abstract: Rotation of a wireless client device address is based on an encryption key and a nonce value. Key information and nonce value information are shared between a wireless client device and a network infrastructure component over a secure communication channel. The wireless client device encrypts the nonce value using the key information and encodes the encrypted value as a device address. The wireless client device then identifies itself via a source address value in a message transmitted over a wireless network. Upon receiving the message, the network infrastructure component decrypts information derived from the source address value and compares the resulting data to the nonce value. If a match is identified, the network infrastructure identifies the wireless client device as a source of the message. In some embodiments, the nonce value is updated with each rotation to provide for improved entropy of generated device addresses.
    Type: Application
    Filed: May 28, 2021
    Publication date: December 1, 2022
    Inventors: Jerome Henry, Stephen Michael Orr, Robert E. Barton
  • Publication number: 20220386110
    Abstract: Embodiments are presented for collaborative device address generation between a wireless client device and a network infrastructure component, such as a wireless access point. The wireless client device and network infrastructure component share information to facilitate collaborative generation of a sequence of device addresses. This shared information includes, in some embodiments, key information and moving factor information. The key information and moving factor information are used to generate a token. A sequence of tokens is generated by updating the moving factor as each token is generated. A corresponding sequence of device addresses is then derived based on the sequence of tokens. Since the wireless client device and the network infrastructure device apply equivalent methods to generate respective sequences of addresses, the network infrastructure is able to efficiently identify a source wireless client device when observing a new device address on a wireless network.
    Type: Application
    Filed: May 25, 2021
    Publication date: December 1, 2022
    Inventors: Srinath Gundavelli, Stephen Michael Orr, Shree N. Murthy
  • Publication number: 20220385623
    Abstract: A method comprises, at a wireless network controller of wireless access points through which wireless client devices that are wireless communicate with the controller: upon receiving, from a wireless client device, a dynamic host configuration protocol (DHCP) request having a media access control (MAC) address, determining whether the wireless client device rotated its MAC address from a previous MAC address to the MAC address; when the wireless client device rotated its MAC address, forwarding, to a DHCP service, the DHCP request with a notification of a MAC address rotation to cause the DHCP service to reassign a previously assigned Internet Protocol (IP) address to the wireless client device; and upon receiving, from the DHCP service, a DHCP offer asserting the previously assigned IP address, forwarding the DHCP offer to the wireless client device.
    Type: Application
    Filed: November 29, 2021
    Publication date: December 1, 2022
    Inventors: Jerome Henry, Robert E. Barton, Stephen Michael Orr
  • Publication number: 20220377554
    Abstract: Techniques are provided for verifying Access Points (APs) using crowd sourcing. In one example, a STA establishes a first non-verified connection, based on security material, with a source AP in a wireless infrastructure. A target AP in a wireless infrastructure obtains an indication that the STA is attempting to establish a second non-verified connection with the target AP. In response, the target AP establishes the second non-verified connection based on the security material.
    Type: Application
    Filed: December 20, 2021
    Publication date: November 24, 2022
    Inventors: Jerome Henry, Robert E. Barton, Stephen Michael Orr
  • Publication number: 20220377042
    Abstract: Techniques herein facilitate a device address rotation management protocol that may be implemented for a wireless local area network (WLAN), which can be used to influence when wireless client devices or stations may rotate their Media Access Control (MAC) addresses, how to perform such rotations, and/or the like. In one example, a method may include providing, by an access point (AP), a first communication indicating that the AP supports a MAC address rotation management protocol; obtaining, by the AP, a second communication from a wireless station (STA) indicating that the STA intends to perform a MAC address rotation; and transmitting, by the AP, a third communication to influence the MAC address rotation of the STA, the third communication comprising a rotation status indicator and timing information.
    Type: Application
    Filed: December 20, 2021
    Publication date: November 24, 2022
    Inventors: Jerome Henry, Robert E. Barton, Stephen Michael Orr
  • Patent number: 11411915
    Abstract: A network device configured to communicate with a network executes a security protocol. The security protocol establishes a secure session with a security peer network device, exchanges security protected traffic with the security peer network device over a secure link, detects whether there is a security failure in the secure session, and upon detecting a security failure, signals there is a security failure. The network device also executes a routing protocol. The routing protocol maintains a routing table that includes a route to the security peer over the secure link, routes the security protected traffic along the route, and, upon receiving from the security protocol the signal that there is a security failure, removes the route from the routing table to stop the routing.
    Type: Grant
    Filed: January 9, 2019
    Date of Patent: August 9, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Craig Thomas Hill, Stephen Michael Orr
  • Patent number: 11128663
    Abstract: A first network element, such as a router, in a computer network may have established a communication link with a second network element in the computer network. A secure session associated with the communication link between the first and second network elements may then be established. The secure session may use a secure communication function on each of the first network element and the second network element. The first network element may then detect that the first network element cannot communicate with the second network element over the communication link. When the first network element cannot communicate with the second network element, the first network element may terminate the communication link and the secure session associated with the communication link.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: September 21, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Craig Thomas Hill, Stephen Michael Orr
  • Publication number: 20200220843
    Abstract: A network device configured to communicate with a network executes a security protocol. The security protocol establishes a secure session with a security peer network device, exchanges security protected traffic with the security peer network device over a secure link, detects whether there is a security failure in the secure session, and upon detecting a security failure, signals there is a security failure. The network device also executes a routing protocol. The routing protocol maintains a routing table that includes a route to the security peer over the secure link, routes the security protected traffic along the route, and, upon receiving from the security protocol the signal that there is a security failure, removes the route from the routing table to stop the routing.
    Type: Application
    Filed: January 9, 2019
    Publication date: July 9, 2020
    Inventors: Craig Thomas Hill, Stephen Michael Orr
  • Publication number: 20200120134
    Abstract: A first network element, such as a router, in a computer network may have established a communication link with a second network element in the computer network. A secure session associated with the communication link between the first and second network elements may then be established. The secure session may use a secure communication function on each of the first network element and the second network element. The first network element may then detect that the first network element cannot communicate with the second network element over the communication link. When the first network element cannot communicate with the second network element, the first network element may terminate the communication link and the secure session associated with the communication link.
    Type: Application
    Filed: October 16, 2018
    Publication date: April 16, 2020
    Inventors: Craig Thomas Hill, Stephen Michael Orr
  • Patent number: 10405204
    Abstract: Presented herein are techniques for optimizing spectral efficiency in a network. One or more metrics of one or more wireless access points that enable one or more wireless client devices to connect to a wireless network are monitored. The one or more metrics reflect a level of client device activity. Based on the one or more metrics, the level of client device activity is determined to require a change in a number of the one or more wireless access points that are active to serve the one or more wireless client devices. The one or more wireless access points are activated or deactivated to improve a spectral efficiency of the wireless network.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: September 3, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Michael Alan Kowal, Stephen Michael Orr, Robert Edgar Barton, Jerome Henry, Malcolm Muir Smith
  • Publication number: 20180242169
    Abstract: Presented herein are techniques for optimizing spectral efficiency in a network. One or more metrics of one or more wireless access points that enable one or more wireless client devices to connect to a wireless network are monitored. The one or more metrics reflect a level of client device activity. Based on the one or more metrics, the level of client device activity is determined to require a change in a number of the one or more wireless access points that are active to serve the one or more wireless client devices. The one or more wireless access points are activated or deactivated to improve a spectral efficiency of the wireless network.
    Type: Application
    Filed: April 28, 2017
    Publication date: August 23, 2018
    Inventors: Michael Alan Kowal, Stephen Michael Orr, Robert Edgar Barton, Jerome Henry, Malcolm Muir Smith