Abstract: Federation policy exchange is provided in response to receiving a sharing query from an Access Point (AP) indicating that an associated wireless network supports federated identities with data sharing, determining whether the sharing query is within sharing preferences; and in response to determining that the sharing query is within the sharing preferences, transmitting, to the AP, a positive response for identity sharing that authorizes collection and sharing of identity data with at least one entity identified in a sharing policy for the associated wireless network. In various embodiments, federation policy exchange includes transmitting a support notification, via an AP, indicating support for federated identities with data sharing within a wireless network associated with the AP; and in response to receiving a first identify sharing preference from a User Equipment (UE) that indicates that negotiation is preferred, transmitting a sharing policy for the wireless network to the UE.

Abstract: In one embodiment, a device trains, using feedback from a reference cohort of users of an online application, a prediction model to predict a quality of experience metric for the online application based on network telemetry. The device uses the prediction model to predict quality of experience metrics for different cohorts of users of the online application. The device makes one or more comparisons between performance metrics for the prediction model for the different cohorts of users, based on the quality of experience metrics predicted for the different cohorts of users. The device retrains, based on the one or more comparisons, the prediction model using feedback from the reference cohort and a particular cohort from among the different cohorts of users.

Abstract: Techniques for access point (AP) based location computation are disclosed. A target wireless AP, communicatively coupled to a wireless station (STA), is identified. One or more location buddy APs, relating to the target AP, are identified based on the physical locations of the location buddy APs and the target AP. It is determined that a first location buddy AP, of the one or more location buddy APs, is communicatively coupled to the STA, and in response a location of the STA is determined using the target AP.

Abstract: This disclosure describes using a dynamic proxy for securing communications between a source within a cloud environment and an application container. The techniques include intercepting traffic directed to an application container, analyzing the traffic and traffic patterns, and allowing or preventing the traffic from being delivered to the application container based on the analysis. A traffic analysis engine may determine whether the traffic is considered safe and is to be allowed to be delivered to the application container, or whether the traffic is considered unsafe and is to be prevented from being delivered to the application container, According to some configurations, the address(es) to the network interfaces (e.g., WIFI or Eth0) are abstracted to help ensure security of the application containers.

Abstract: Techniques to facilitate verification of in-situ network telemetry data of data packet of data traffic of packet-switched networks are described herein. A technique described herein includes a network node obtaining a data packet of data traffic of a packet-switched network. The data packet includes an in-situ network telemetry block. The network node obtains telemetry data and cryptographic key. The cryptographic key confidentially identifies the network node. The node encrypts at least a portion of the telemetry data based on the cryptographic key to produce signed telemetry data and updates telemetry-data entry of the in-situ network telemetry block. The telemetry data and signed telemetry data is inserted into the telemetry-data entry. The node forwards the data packet with the updated telemetry-data entry to another network node of the packet-switched network.

Abstract: Techniques are provided for signal translation in a hybrid network environment. In one example, a first provider edge node obtains a connection status indication from a first one of a second provider edge node via a packet switched network or a third provider edge node via a time-division multiplexing transport network. The first provider edge node translates the connection status indication between a packet switched network format and a time-division multiplexing transport network format. The first provider edge node provides the connection status indication to a second one of the second provider edge node via the packet switched network or the third provider edge node via the time-division multiplexing transport network.

Abstract: Systems, methods, and computer-readable media are provided for an efficient roaming management method using a single association identifier token for associating with different access points. In one aspect of the present disclosure, a network controller includes memory having computer-readable instructions stored therein and one or more processors. The one or more processors are configured to execute the computer-readable instructions to receive a request from an endpoint to connect to a first access point; generate association identification token (e.g., PMK and PMKID) for the endpoint to connect to the first access point; and distribute the association identification token to a second access point prior to the endpoint attempting to connect to the second access point, the association identification token being used by the second access point to validate a subsequent request by the endpoint to connect to the second access point.

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

Abstract: In one embodiment, a device receives, via a user interface, an indication of what is considered noise within a time series of a path performance metric. The device selects, based on the indication, a particular denoising filter to be applied to telemetry data obtained from one or more network paths regarding the path performance metric. The device forms model training data by applying the particular denoising filter to telemetry data obtained from one or more network paths regarding the path performance metric. The device trains, using the model training data, a prediction model to predict when a given network path will experience a failure condition.

Abstract: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.

Abstract: Techniques for a context-aware secure access service edge (SASE) engine for generating security profile(s) associated with endpoint device(s) accessing the network and using the security profile(s) to evaluate a traffic flow from the endpoint device(s). The SASE engine may execute on an edge device of a computing resource network and may be configured to maintain a security profile database including an endpoint security profile mapping. Endpoint device(s) accessing the network may share endpoint, application, and/or user specific information with the SASE engine so that the SASE engine may generate a security profile specific to the endpoint, application, and/or user. Additionally, an enterprise network, associated with endpoint device(s) accessing the network, may provide default SASE security profile templates to the SASE engine.

Abstract: Embodiments herein describe disconnecting, by an access node, a first device having a first media access control (MAC) address due to a network violation and receiving, by the access node, information about a second device having a second MAC address different from the first MAC address. In one embodiment, the information is generated by a certificate server based on a token generated by the second device. Further, when the access node determines, based on the information, that the second device is the first device, the access node denies a connection request from the second device.

Abstract: Systems and techniques are provided for implementing multiprotocol label switching (MPLS) header extensions. In some examples, a method can include, receiving, by a router of a MPLS network, a data packet. In some aspects, the method can include adding, by the router of the MPLS network, at least one entry to an MPLS stack of the data packet, wherein the at least one entry includes an MPLS extension indicator (MEI) that is associated with at least one of an in-stack extension header presence indicator (IPI) and a bottom-of-stack extension header presence indicator (BPI). In some examples, the method can include adding, based on the IPI and the BPI, at least one of an in-stack extension header and a bottom-of-stack extension header to the MPLS stack of the data packet.

Abstract: In one embodiment, an apparatus includes a chassis base, a printed circuit board mounted on the chassis base, a heatsink positioned over the printed circuit board to prevent corrosion of components on the printed circuit board, wherein the heatsink comprises a plurality of upward extending fins and a plurality of downward extending walls, a seal interposed between an edge of the downward extending walls and the chassis base, and a cover extending over the heatsink.

Abstract: Aspects described herein include a method of fabricating an optical component, the optical component, and a method of operating the optical component. A method includes electrically coupling a first laser channel and a second laser channel of a laser die to different electrical leads and testing (i) a first optical coupling of the first laser channel and a second optical coupling of the second laser channel or (ii) a first spectral performance of the first laser channel and a second spectral performance of the second laser channel. The method also includes optically aligning an optical fiber with the first laser channel and designating the second laser channel as a heater element for the first laser channel based at least in part on (i) the first optical coupling being greater than the second optical coupling or (ii) the first spectral performance relative to the second spectral performance.

Abstract: Techniques for identifying one or more wireless access points (APs), from among a plurality of APs including 6 GHz radios, as candidates to operate in standard power indoor (SPI) mode. Identification is based on at least one of: determining that network switches associated with the wireless APs meet a threshold requirement relating to power over ethernet (PoE) for operating in SPI mode, determining, based on at least one of radio frequency (RF) density and channel quality relating to the plurality of APs, that the one or more APs should operate in SPI mode as opposed to lower power indoor (LPI) mode, and determining that operating the one or more APs in SPI mode improves quality of service (QoS) metrics for the plurality of APs as opposed to operating the one or more APs in LPI mode. The one or more wireless APs are configured to operate in SPI mode.

Abstract: According to certain embodiments, a method performed by a device comprises obtaining, from a plurality of hardware modules of the device, a plurality of serial numbers associated with the plurality of hardware modules. Each hardware module is associated with a respective serial number. The method further comprises obtaining, from a provisioning system, one or more ownership vouchers corresponding to the plurality of serial numbers. The method further comprises verifying, for each hardware module of the plurality of hardware modules, whether to trust said hardware module based at least in part on the one or more ownership vouchers.

Abstract: Providing for time sensitive networking (TSN) traffic in high density deployments is described. An access point (AP) is a high density deployment receives a message identifying another AP as a TSN neighbor and also detects a TSN device within an area covered by the APs. This arrangement may cause traffic interruptions for the TSN traffic between the TSN device and the APs. In order to prevent disruption in TSN traffic, a TSN time slot and a resource unit (RU) is determined for each of the APs, and the TSN traffic is communicated between the various devices in network according to the determined TSN time slot and RU.

Abstract: In one embodiment, a method includes receiving, by a route reflector, a subscription request from a first provider edge node in a network and generating a subscription policy for the first provider edge node. The method also includes receiving a first Ethernet Virtual Private Network (EVPN) Type 2 Route from a second provider edge node, assigning a sequence number to the first EVPN Type 2 Route, and communicating the first EVPN Type 2 Route with the sequence number to the first provider edge node. The method further includes receiving a second EVPN Type 2 Route from a third provider edge node, generating an updated sequence number in response to receiving the second EVPN Type 2 Route from the third provider edge node, and communicating the second EVPN Type 2 Route with the updated sequence number to the first provider edge node and the second provider node.

Abstract: Techniques for the transparent rolling of nodes in a cloud-delivered headend service without disrupting client traffic or making users aware of the various nodes in the system being rolled are described herein. The techniques may include receiving an indication that a first node of a network is to be rolled. Based at least in part on the indication, new connection requests may not be sent to the first intermediate node. Additionally, a client device having an existing connection through the first node may be identified. In some examples, a request may be sent to the client device to prompt the client device to establish a new connection. After determining that the new connection has been established such that the new connection flows through a second node of the network, the first node may be rolled.