Abstract: In one embodiment, an agent process associated with a particular application on a computing device intercepts outbound connection calls made by the particular application for a remote target host within a computer network, and determines an application context for the outbound connection call based on the particular application and one or more features of the outbound connection call. The agent process may then compare the application context against a set of application-context-aware firewall policies configured on the agent process, and determines whether to allow or not allow (block) the outbound connection call based on the comparing of the application context to the set of application-context-aware firewall policies.

Abstract: Consumption-based licensing of network features based on blockchained transactions includes receiving, at a server having connectivity to a network including a plurality of network devices, a request from a particular network device of the plurality of network devices for a feature that is licensed in the network on a per-use basis. Feature-specific key blockchain elements and a feature-specific template are generated for the feature and at least one message that includes the feature-specific key blockchain elements and the feature-specific template is sent to the particular network device. The message enables the plurality of network devices to generate one or more blockchain transactions related to consumption of the feature when a usage interval associated with the feature expires.

Abstract: In one embodiment, a device in a network identifies one or more traffic classes used by one or more nodes in the network. The device determines routing requirements for a particular traffic class of the one or more traffic classes. The device generates a channel assignment that assigns the particular traffic class to a particular channel based on the routing requirements for the particular traffic class. The device provides the channel assignment to the one or more nodes. The one or more nodes use the channel assignment to route traffic of the particular traffic class within the network.

Abstract: The present disclosure provides a fine-grained link adaptation mechanism that allows for link adaptation at a resource block granularity. To this end, the fine-grained link adaptation mechanism can determine the effective signal-to-interference-plus-noise ratio for individual user equipment in a particular cell at the resource block granularity. This way, the transmitter can use the effective signal-to-interference-plus-noise ratio to adapt the modulation and coding scheme at the resource block granularity. The fine-grained link adaptation mechanism can be introduced to a long term evolution (LTE) network without substantial redesign of the LTE network.

Abstract: In an embodiment, a computer implemented method comprises receiving, at a first computing device associated with a managing entity, a request to perform an operation of a managed service; publishing to a first block of a distributed ledger system, by the first computing device associated with the managing entity, identification information of the managing entity; identifying, by a second computing device associated with the managed service, the identification information published to the first block of the distributed ledger system; publishing to a second block of the distributed ledger system, by the second computing device associated with the managed service, acknowledgement information comprising an indication that the identification information of the managing entity published to the first block was received and verified; publishing to a third block of the distributed ledger system, by the second computing device associated with the managed service, management request information comprising an operation r

Abstract: One embodiment provides a system that facilitates efficient and transparent encryption of packets between a client computing device and a content producing device. During operation, the system receives, by a content producing device, an interest packet that includes a masked name which corresponds to an original name, wherein the original name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level. The system obtains the original name based on the masked name. The system computes a symmetric key based on the original name and a generated nonce. The system generates a content object packet that corresponds to the original name and includes the masked name, the nonce, and a payload encrypted based on the symmetric key, wherein the content object packet is received by a client computing device.

Abstract: Techniques are presented herein for computing angle-of-arrival estimates while switching antenna states during a packet unit for the general Orthogonal Frequency Division Multiple Access (OFMDA) case (including a single user). A wireless device computes channel estimates throughout the entire frame and not only during the training symbols. Consequently, the wireless device computes channel estimates for all antennas in its array within a single frame instead of having to wait for multiple frames.

Abstract: Previously known network management methods are incapable of concertedly managing respective levels of perceptual playback quality of media content data for a number client devices. In particular, previously known methods fail to regulate ABR-enabled client devices and the like that are each operating to individually consume as much of one or more shared network resources as possible without regard to the degree performance improvements. By contrast, various implementations disclosed herein provide network-centric concerted management of respective levels of perceptual playback quality of media content data on each of a number of client devices. The respective levels perceptual playback quality are concertedly managed by adjusting one or more shared network resources (e.g., bandwidth, processor time, memory, etc.).

Abstract: An apparatus comprises an Ethernet port including high-side transformers and low-side transformers. High-side current paths supply high-side currents form a high voltage rail to high-side center taps of the high-side transformers. Low-side current paths supply or do not supply low-side currents from a low voltage rail to low-side center taps of the low-side transformers, and convert the low-side currents to sense voltages. A controller configures the low-side current paths to either supply or not supply the low-side currents to the low-side center taps when none of the sense voltages exceed a voltage threshold representative of an overcurrent threshold or when at least one of the sense voltages exceeds the voltage threshold, respectively. A current monitor injects additional current into the low-side current paths only when at least one of the high-side currents exceeds the overcurrent threshold.

Abstract: In one embodiment, a network assurance service that monitors one or more networks receives data indicative of networking device configuration changes in the one or more networks. The service also receives one or more performance indicators for the one or more networks. The service trains a machine learning model based on the received data indicative of the networking device configuration changes and on the received one or more performance indicators for the one or more networks. The service predicts, using the machine learning model, a change in the one or more performance indicators that would result from a particular networking device configuration change. The service causes the particular networking device configuration change to be made in the network based on the predicted one or more performance indicators.

Abstract: Stateless and reliable load balancing using segment routing and an available side-channel may be provided. First, a non-SYN packet associated with a connection may be received. The non-SYN packet may have first data contained in an available side-channel. Next an associated bucket may be retrieved based on a hash of second data in the non-SYN packet. The associated bucket may identify a plurality of servers. Then a one of the plurality of servers may be selected based on the first data contained in the available side-channel.

Abstract: A method is performed by a first provider edge (PE) of a redundancy group including provider edges configured with an Ethernet virtual private network (EVPN) segment identifier (EVI) and an Ethernet segment identifier (ESI) and that are multi-homed to a customer edge (CE). The method includes, upon receiving from the CE a join request including a group address for a multicast stream, electing a designated forwarder (DF) for the multicast stream. The electing includes: computing for each PE a respective affinity for the DF as a function of a respective address of the PE, the EVI, and the group address; and determining which PE has a largest affinity. The method further includes, if the first PE has the largest affinity or does not have the largest affinity, configuring the first PE as the designated forwarder or not configuring the first PE as the designated forwarder for the multicast stream, respectively.

Abstract: An ingress node inserts into a header of a packet service level agreement information and forwards the packet. At an egress node of the network, the packet is received and the service level agreement information is obtained from the header of the packet. The egress node verifies whether there is conformance to a service level agreement based on at least one parameter associated with reception of one or more packets at the egress node and the service level agreement information.

Abstract: In accordance with various implementations, a method is performed at a gateway with one or more processors, non-transitory memory, and a data interface. The method includes: obtaining a request to instantiate a tunnel for data from a guest service provider (GSP) to a user device that traverses an operator network; determining whether the request satisfies tunneling criteria, where the tunneling criteria at least includes a first criterion associated with intrinsic information associated with the operator network and a second criterion associated with extrinsic information that characterizes network resources of the network operator based on a relationship between the operator network and the GSP; instantiating the tunnel in response to determining that the request satisfies the tunneling criteria, where instantiating the tunnel includes the gateway transmitting tunnel instructions to other nodes of the operator network; and routing the data through the tunnel to transmit the data to the user device.

Abstract: A method is described and in one embodiment includes receiving at a first node in a communications network a message associated with a first flow, wherein the message comprises a flow treatment attribute including metadata indicative of how the first flow should be treated in the network; analyzing the flow treatment attribute at the first node; setting policy for treatment of the flow in the network based on the analyzing; and forwarding the message to a next network node.

Abstract: Systems and methods for network authorization are described herein. An example method can include receiving a user credential from a host device connected to a network, authenticating the user credential, and in response to authenticating the user credential, determining an authorization policy associated with the host device. The method can also include polling a network overlay control plane of the network to obtain a network location information associated with the host device, identifying at least one network device of the network using the network location information, and transmitting the authorization policy to the at least one network device.

Abstract: In one embodiment, data for use by a processor is stored in a memory. A network interface communicates over a network with a second device. At a processor, a Somewhat Homomorphic Encryption (SHE) of a plurality of secret shares is generated. The SHE of the plurality of secret shares is sent to the second device. The following is performed in a loop: a first result of a homomorphic exclusive-or operation performed by the second device on the SHE is received, a SHE of the first result is performed, yielding a second result, a SHE of the second result is performed yielding a third result, the third result is transmitted to the second device, and a final SHE result is received from the second device. The received final SHE result is decrypted in order to produce a final Somewhat Homomorphically Decrypted (SHD) output. The final SHD output is then output. Related methods, systems, and apparatus are also described.

Abstract: A meeting server facilitates an online conference session among a presenter device and a plurality of attendee devices, including a display of shared image data from the presenter device. The meeting server transmits a message representing combined user interest in areas of the shared image data. Based on the message from the meeting server, the presenter device and the attendee devices display a representation of the combined user interest.

Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.

Abstract: Techniques for generating a multi-layer network topology on a managed network are described herein. In an embodiment, data that was collected from a plurality of network devices within a managed network is received and analyzed within a multi-layered plurality of decision trees. The plurality of decision trees include a plurality of nodes, one overlay decision tree, and at least one underlay decision tree. The plurality of nodes include a set of logic nodes that communicatively couples the at least one underlay tree to one of the logic nodes on the overlay tree. The received data is then classified by the plurality of multi-layered decision trees.