Abstract: An epoch scheme for Station (STA) privacy and, specifically, a structured Media Access Control (MAC) address rotation schedule for STAs may be provided. Providing an epoch scheme for STA privacy can include determining epoch parameters for a STA, the epoch parameters comprising a minimum epoch period duration and a maximum epoch period duration. The epoch parameters are sent to the STA, wherein the STA is operable to rotate a MAC address each epoch period at a time between the minimum epoch period duration and the maximum epoch period duration. A mapping of the STA and the MAC address can be updated each epoch period.

Abstract: Sending Quality-of-Experience (QoE) information to clients for selecting an Access Point (AP) may be provided. Sending QoE information can include determining values for a plurality of QoE attributes. Based on the values for the plurality of QoE attributes, a QoE indicator is determined. The QoE indicator is sent to a client, wherein the client is operable to use the QoE indicator to select an Access Point (AP) to connect to.

Abstract: Control of service provider information collection and, particularly, control of Access Point (AP) location crowdsourcing and time zone information may be provided. A time zone to use in a venue can be determined. A time zone field can be set indicating the time zone. A venue mobility field can be set indicating the venue is mobile. One or more elements comprising the time zone field and the venue mobility field can be sent to a Station (STA), wherein the STA is operable to use the time zone according to the time zone field and based on the venue mobility field indicating the venue is mobile.

Abstract: Signaling preference order of links and maximum allowed links for multi-link operation may be provided. First, an Access Point (AP) Multilink Device (MLD) may receive an indication that a non-AP MLD supports preference ordering for requested links (that are indicated in the Per-STA profile sub-elements). Then the AP MLD may indicate that it supports preference ordering for requested links (that are indicated in the Per-STA profile sub-elements). Next, the AP MLD may receive from the non-AP MLD, a desired preference ordering for the requested link. The AP MLD may then consider the desired preference ordering for requested links.

Abstract: Irregular absence signaling may be provided. An Access Point (AP) may receive an irregular absence report from a station. The AP may parse the irregular absence report to determine upcoming absence periods of the station for non-Peer-to-Peer (P2P) traffic. The AP may schedule Transmit Opportunity's (TxOPs) of the non-P2P traffic to the station based on the determined upcoming absence periods.

Abstract: Access network monitoring in a wireless federation may be provided. A plurality of access requests may be received from a probe device. Each of the plurality of access requests may comprise access request information. Next, an availability metric may be determined based on an amount of the plurality of access requests received and the access request information. The availability metric may then be reported.

Abstract: An epoch scheme for Station (STA) privacy and, specifically, a structured Media Access Control (MAC) address rotation schedule for STAs may be provided. Providing an epoch scheme for STA privacy can include determining epoch parameters for a STA, the epoch parameters comprising a minimum epoch period duration and a maximum epoch period duration. The epoch parameters are sent to the STA, wherein the STA is operable to rotate a MAC address each epoch period at a time between the minimum epoch period duration and the maximum epoch period duration. A mapping of the STA and the MAC address can be updated each epoch period.

Abstract: A method of cross-domain policy orchestration may include executing, with a cross-domain automation (CDA) controller, a macro-segmentation of a plurality of domains based at least in part on metadata defining a mapping to a corresponding plurality of domain controllers, and executing, with the CDA controller, a micro-segmentation of policies within a group based at least in part on a merged policy matrix obtained from policies of the domain controllers.

Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at a least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.

Abstract: Techniques for using proxies with overprovisioned IP addresses to demultiplex data flows, which may otherwise look the same at L7, into multiple subflows for L3 policy enforcement without having to modify an underlying L3 network. The techniques may include establishing a subflow through a network between a first proxy and a second proxy, the subflow associated with a specific policy. In some examples, the first proxy node may receive an encrypted packet that is to be sent through the network and determine, based at least in part on accessing an encrypted application layer of the packet, a specific application to which the packet is to be sent. The first proxy node may then alter an IP address included in the packet to cause the packet to be sent through the network via the subflow such that the packet is handled according to the specific policy.

Abstract: The present disclosure describes an optical system that uses a source optical signal to bias a receiver photodiode. The system includes an optical source, a receiver photodiode, a first biasing photodiode, a variable optical attenuator, and a compensation photodiode. The optical source produces a first optical signal. The receiver photodiode converts a second optical signal into an electrical signal. The first biasing photodiode generates a bias voltage for the receiver photodiode based on a first portion of the first optical signal. The variable optical attenuator produces a third optical signal based on (i) a second portion of the first optical signal and (ii) a portion of the electrical signal. The compensation photodiode passes the portion of the electrical signal based on the third optical signal.

Abstract: This technology enables directed broadcasts in network fabrics. A control plane node is configured to resolve directed broadcast addresses by mapping the directed broadcast address to a subnet address. A fabric border node receives a directed broadcast, extracts a destination address, and transmits a request to the control plane node to resolve the destination address. The control plane node retrieves the stored mapping and generates a map reply with a multicast destination. The fabric border node encapsulates and forwards the directed broadcast to fabric edge nodes, which decapsulate the directed broadcast and deliver a data set from the directed broadcast to appropriate end point devices. Each fabric edge node may be enabled to determine if the fabric edge node may be connected to a silent host and, based on that determination, request the fabric border node to be added to the multicast destination to receive the directed broadcast.

Abstract: According to one or more embodiments of the disclosure, an example method herein may comprise: managing a particular cell of a multi-celled architecture for an extensibility platform having one or more tenants served by datastores of the particular cell; connecting to a global cell manager for global cell management of all cells of the multi-celled architecture; identifying a consumption limit indicating a maximum amount of system resources that a particular tenant of the one or more tenants is allowed to consume of the particular cell; enforcing the consumption limit on the particular tenant; and ensuring that the particular tenant is provided system resources of the particular cell up to the consumption limit without limitation.

Abstract: Techniques for initiator-based data-plane validation of segment routed, multiprotocol label switched (MPLS) networks are described herein. In examples, an initiating node may determine to validate data-plane connectivity associated with a network path of the MPLS network. The initiating node may store validation data in a local memory of the initiating node. In examples, the initiating node may send a probe message that includes a request for identification data associated with a terminating node. The terminating node may send a probe reply message that includes the identification data, as well as, in some examples, a code that instructs the initiating node to perform validation. In examples, the initiating node may use the validation data stored in memory to compare to the identification data received from the terminating node to validate data-plane connectivity. In some examples, the initiating node may indicate a positive or negative response after performing the validation.

Abstract: A method for allocating resources of a virtual controller is disclosed. The method comprises: allocating resources of a virtual controller to a first tenant, wherein the first tenant is allocated a first tenant quantity of guaranteed resources of the virtual controller and a second tenant is allocated a second tenant quantity of guaranteed resources of the virtual controller; determining that resources requested by the first tenant are greater than the first tenant quantity of guaranteed resources; determining that the virtual controller has unutilized resources sufficient to at least partially provide additional resources beyond the first tenant quantity of guaranteed resources to the first tenant; and temporarily provisioning the additional resources to the first tenant, wherein the additional resources are greater than the first tenant quantity of guaranteed resources.

Abstract: A method of creating a root-of-trust (RoT) within a network fabric may include powering on a network interface card (NIC) baseboard management controller (BMC) (NIC BMC), booting up a NIC via the NIC BMC, obtaining an address for the NIC, verifying an identity of the NIC at a fabric trust identity server using a key obtained from a secure vault communicatively coupled to the NIC BMC, verifying with the fabric trust identity server a number of images of a host device residing in the NIC based at least in part on the identity of the NIC being verified, and instructing a platform BMC to boot up the host device based at least in part on the number of images of the host device being verified.

Abstract: An endpoint group (EPG) can be stretched between the sites so that endpoints at different sites can be assigned to the same stretched EPG. Because the sites can use different bridge domains when establishing the stretched EPGs, the first time a site transmits a packet to an endpoint in a different site, the site learns or discovers a path to the destination endpoint. The site can use BGP to identify the site with the host and use a multicast tunnel to reach the site. A unicast tunnel can be used to transmit future packets to the destination endpoint. Additionally, a stretched EPG can be segmented to form a micro-stretched EPG. Filtering criteria can be used to identify a subset of the endpoints in the stretched EPG that are then assigned to the micro-stretched EPG, which can have different policies than the stretched EPG.

Abstract: In one embodiment, a device receives a set of actions for a low-code workflow specified via a user interface. The device determines authorization scopes for targets of the set of actions. The device compares the authorization scopes for the targets to authorization scopes needed for the set of actions. The device provides, to the user interface, an excessive authorization notification, when the authorization scopes for the targets exceed the authorization scopes needed for the set of actions.

Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for providing security postures for a service provided by a heterogenous system. A method for verifying trust by a service node includes receiving a request for a security information of the service node from a client device, wherein the request includes information identifying a service to receive from the service node, identifying a related node to communicate with the service node based on the service, after identifying the related node, requesting a security information of the related node, generating a composite security information from the security information of the service node and the security information of the related node, and sending the composite security information to the client device. The composite security information provides security claims for a service implemented by a heterogenous devices that have different trusted execution environments.

Abstract: Coordinated Frequency Division Multiple Access (C-FDMA) for the simultaneous transmission of a basic Physical Layer Protocol Data Unit (PPDU) may be provided. C-FDMA may include determining sub-channels of a channel for one or more Access Points (APs). The sub-channels may then be assigned to the one or more APs. Transmit Opportunities (TxOps) may be scheduled for the one or more APs on the sub-channels. It may then be determined that a basic PPDU and an enhanced PPDU will be simultaneously transmitted on adjacent sub-channels. In response to determining the basic PPDU and the enhanced PPDU will be simultaneously transmitted on adjacent sub-channels, one or more Resource Units (RUs) of a sub-channel the enhanced PPDU will be transmitted on may be selected to disable transmission in.