Abstract: Techniques for orchestrating a workflow for configuring a computer networking environment or other complex workflows are described. A Directed Acyclic Graph (DAG) that defines a plurality of tasks to be executed to complete the workflow and a plurality of orders between the tasks is received. Embodiments generate a State-Machine Neural Network (SNN) based on the received DAG, by generating a plurality of SNN neurons for the SNN, based on the plurality of tasks within the received DAG and generating a plurality of SNN connections for the SNN, connecting pairs of SNN neurons within the plurality of SNN neurons, based on the plurality of connections within the received DAG. The SNN is executed to orchestrate the workflow by sending and receiving signals to and from the SNN neurons.

Abstract: According to one or more embodiments of the disclosure, an asset inventory service executed by one or more devices receives telemetry data collected passively by a sensor application regarding a node in a network. The asset inventory service requests, after receiving the telemetry data, that the sensor application perform active discovery of nodes in the network. The asset inventory service receives active discovery data collected by the sensor application via active discovery of nodes in the network. The asset inventory service generates, based on the telemetry data and the active discovery data, an identity profile for the node.

Abstract: Symmetric networking techniques disclosed herein can be applied by gateway routers in cloud networks. The techniques can ensure that both outbound traffic received at a cloud from a branch device and return traffic directed from the cloud back to the branch device are processed by a same gateway router. The gateway router can use network address translation to insert IP addresses from an inside pool and an outside pool assigned to the router.

Abstract: A method comprises, at a wireless network controller of wireless access points through which wireless client devices that are wireless communicate with the controller: upon receiving, from a wireless client device, a dynamic host configuration protocol (DHCP) request having a media access control (MAC) address, determining whether the wireless client device rotated its MAC address from a previous MAC address to the MAC address; when the wireless client device rotated its MAC address, forwarding, to a DHCP service, the DHCP request with a notification of a MAC address rotation to cause the DHCP service to reassign a previously assigned Internet Protocol (IP) address to the wireless client device; and upon receiving, from the DHCP service, a DHCP offer asserting the previously assigned IP address, forwarding the DHCP offer to the wireless client device.

Abstract: Supporting Multipath Transmission Control Protocol (MPTCP) subflows using multipath links, and more specifically supporting MPTCP subflows using Wi-Fi Multi-Link Operation (MLO) or cellular multi-link support may be provided. A multipath link may be established between an Access Point (AP) and a station (STA). The STA may mark the multipath link as Multipath Transmission Control Protocol (MPTCP) capable. Next, a request for an addition of a MPTCP subflow may be received. In response to receiving the request, the MPTCP subflow may be bound to the multipath link, and data from the MPTCP subflow may be sent over the multipath link.

Abstract: In one embodiment, webpage data for a webpage is downloaded by a web browser executed by a client device. The client device inserts instrumentation into the webpage data to collect event metrics for events associated with the webpage. The client device selects, based on a user-defined policy, a set of event metrics from among the collected event metrics to be shared with a proxy service. The client device sends the selected set of event metrics to the proxy service. The proxy service provides access to the set of event metrics to one or more collectors registered with the proxy service.

Abstract: A system and a method to dynamically reprovision network devices may include a first network device configured to reprovision a second network device in accordance with a specific location of the second network device in a predefined area. The first network device may be configured to sense the second device at the specific location in the predefined area, identify reprovisioning parameters associated with the specific location, and provide the reprovisioning parameters to the second network device. In turn, the second network device may be configured to perform one or more roles associated with the specific location in the predefined area based at least in part upon information in the reprovisioning parameters.

Abstract: In one embodiment, an illustrative method herein may comprise: determining, by a network controller, physical network topology of a data center network; collecting, by the network controller, virtual machine related network topology of the data center network from a virtual machine manager for the data center network; collecting, by the network controller, virtual ethernet flow mapping information of the data center network from a blade system management software for the data center network; collecting, by the network controller, container workload information of the data center network from a container orchestrator for the data center network; and generating, by the network controller, an integrated correlated visualization mapping of containers and associated network attachment points in the data center network based on the physical network topology, the virtual machine related network topology, the virtual ethernet flow mapping information, and the container workload information.

Abstract: Techniques and apparatus for managing a message relaying system are described. One technique includes an access point (AP) detecting a first signal and a second signal from a computing device. A validation of the first signal is performed based on parameters of the first signal and the second signal. After the validation, information associated with the first signal is transmitted to a computing system. In another technique, the computing system may designate one of multiple APs reporting information regarding first signals as a primary reporting AP and designate the remaining APs as secondary reporting APs. The computing system may instruct the secondary reporting APs to refrain from reporting information regarding first signals to the computing system.

Abstract: A method is provided that includes obtaining an access request for a device to access a visited access network, the access request including an authentication identifier for the device including an identity for the device and a realm comprising a network identifying portion; determining a re-write rule for the realm by querying a database based on an identity type of the device and the network identifying portion of the realm, the database including a plurality of re-write rules for a plurality of networks and a plurality of identity types; re-writing the realm based on the re-write rule using the identity for the device to generate a re-written realm; obtaining, based on the re-written realm, an address for an authentication server of an identity provider associated with the device; and performing an authentication with the authentication server using the authentication identifier to authenticate the device for the visited access network.

Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.

Abstract: Techniques for determining that a configuration change in configurations for a network device has occurred to result in changed configurations for the network device. The techniques include creating a policy for the network device by a network controller that manages one or more network devices. The network controller may obtain data from the network device, and update the network device policy based on the obtained data. In some examples, the network controller may compare the network device configurations state with the network controller intent to determine if an Out-of-Band (OOB) configuration change has occurred in the configuration of the network device. Finally, the controller may synchronize the network device to the controller based on the updated policy.

Abstract: Disclosed is a method to enable printing on legacy devices. The method includes discovering a legacy device that does not have a universal record that enables the legacy device to provide services to a mobile device through a network, appending the universal record for the legacy device, transmitting the universal record for the legacy device to a controller, receiving, at the controller and from the mobile device, a request for services which can be provided by the legacy device, transmitting, from the controller and based on the universal record for the legacy device, data associated with the legacy device to the mobile device to yield transmitted data and transmitting, based on an acceptance of the transmitted data by the mobile device, a service request from the mobile device to the legacy device for providing a service to the mobile device.

Abstract: System, methods, and computer-readable media for switching a dynamic radio of a single RU between Radio Access Technology (RAT) protocols based on a Software-Defined RAN intelligent controller (SD-RIC). The SD-RIC efficiently assigning RAN resources by converting a radio access point to either 5G or Wi-Fi based on the load conditions and the number of users seen on the network, so that it appropriately servers the customer and end devices. To determine the load conditions may be based on active users on a particular cell, and then the resource utilization cue is a connection latency. A single radio unit includes a primary radio and a secondary radio, each being independently tuned. The primary radio is static while a secondary one can be influenced based on the conditions, turning into N-RU or Wi-Fi.

Abstract: The disclosed technology relates identifying causes of an observed outcome. A system is configured to receive an indication of a user experience problem, wherein the user experience problem is associated with observed operations data including an observed outcome. The system generates, based on the observed operations data, a predicted outcome according to a model, determines that the observed outcome is within range of the predicted outcome, and identifies a set of candidate causes of the user experience problem when the observed outcome is within range of the predicted outcome.

Abstract: Techniques and systems described herein relate to shared storage systems across network devices to use unused storage space and provide backup and additional storage for devices as needed. The techniques and systems include determining availability data describing available storage locations and amounts on network devices, compiling such data at a network controller, and communicating the availability data to the network devices. The network devices then directly communicate with each other to store data remotely as needed.

Abstract: In one embodiment, a method includes determining, by a first network component, a sender shaper drop value based on the following: a maximum sequence number; a minimum sequence number; and a sender sequence counter number associated with the first network component. The method also includes determining, by the first network component, a wide area network (WAN) link drop value based on the sender sequence counter number associated with the first network component and a receiver sequence counter number associated with a second network component. The method further includes determining, by the first network component, whether to adjust a sender shaper rate based on the sender shaper drop value and the WAN link drop value.

Abstract: A method of transmitting an encrypted data packet includes, with a processor, in response to receiving the encrypted data packet, executing an extended Berkeley packet filter (eBPF) application at an express data path (XDP) hook point located within a kernel space, determining whether the encrypted data packet is to be processed via a trusted application (TA) within a trusted execution environment (TEE) based on an analysis by the eBPF application, and identifying application intelligence data defining packet forwarding decisions based on a manner in which the encrypted data packet is processed.

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

Abstract: A system and method for providing network and port address translation is provided. A global IP address and a block (chunk) of ports are allocated for each mobile subscriber (MS) on first data connection. Subsequent data connections from the same MS are assigned the same IP address and a new port from this block. The mapping information is communicated, processed, and stored once for the complete block, instead of for every new data connection. This process reduces processing, communication, and storage requirements.