Patents Assigned to Cisco Technology
  • Patent number: 10673901
    Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Matthew Scott Robertson, David McGrew, Timothy David Keanini, Sunil Amin, Ellie Marie Daw
  • Patent number: 10673728
    Abstract: In one embodiment, a local service of a network reports configuration information regarding the network to a cloud-based network assurance service. The local service receives a classifier selected by the cloud-based network assurance service based on the configuration information regarding the network. The local service classifies, using the received classifier, telemetry data collected from the network, to select a modeling strategy for the network. The local service installs, based on the modeling strategy for the network, a machine learning-based model to the local service for monitoring the network.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota, Grégory Mermoud
  • Patent number: 10671590
    Abstract: Aspects of the embodiments are directed to synchronizing at least a portion of a link-state database. A network element can lose an adjacency. The network element can transmit a request to a neighboring network element for synchronization of a link-state database. The request can include a version number of a last synchronized link-state database from the neighboring network element. The neighboring network element can determine whether the version of the link-state database is greater than or less than a copy of the link-state database stored by the neighboring network element. If the requested version number is less than the neighboring network element's link-state database version number, then the neighboring network element can send changes to the link-state database since the requested link-state database version number.
    Type: Grant
    Filed: September 1, 2016
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Alfred C. Lindem, III, Keyur Patel, Abhay Roy, Derek Man-Kit Yeung
  • Patent number: 10674167
    Abstract: In one method embodiment a method of processing of a bitstream is disclosed.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Arturo A. Rodriguez, Anil Kumar Katti, Hsiang-Yeh Hwang
  • Patent number: 10673649
    Abstract: In accordance with various implementations, a method is performed at a gateway with one or more processors, non-transitory memory, and a data interface. The method includes: obtaining a request to instantiate a tunnel for data from a guest service provider (GSP) to a user device that traverses an operator network; determining whether the request satisfies tunneling criteria, where the tunneling criteria at least includes a first criterion associated with intrinsic information associated with the operator network and a second criterion associated with extrinsic information that characterizes network resources of the network operator based on a relationship between the operator network and the GSP; instantiating the tunnel in response to determining that the request satisfies the tunneling criteria, where instantiating the tunnel includes the gateway transmitting tunnel instructions to other nodes of the operator network; and routing the data through the tunnel to transmit the data to the user device.
    Type: Grant
    Filed: October 24, 2017
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Humberto Jose La Roche, Desmond Joseph O'Connor
  • Patent number: 10673736
    Abstract: A first network node of a computer network discovers a host route by leveraging a temporary host route on the control plane of the computer network. The first network node receives, from a source host, a request for a host route associated with a destination host. The first network node determines that it has not previously stored the host route associated with the destination host, and generates a temporary host route associated with the destination host. The first network node propagates the temporary host route across the control plane of the computer network, causing each respective network node to discover if the destination host is connected to the respective network node.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Sathish Srinivasan, Shyam Kapadia, Deepak Kumar, Indrajanti Pallikala, Rohit Mendiratta, Lukas Krattiger
  • Patent number: 10673883
    Abstract: In one embodiment, a device receives data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network. The device compares the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path. The device detects, using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals. The device causes performance of a mitigation action in the network based on the detected time synchronization anomaly.
    Type: Grant
    Filed: May 14, 2018
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Patrick Wetterwald, Pascal Thubert, Eric Levy-Abegnoli, Jean-Philippe Vasseur
  • Patent number: 10673737
    Abstract: Multi-VRF universal device Internet Protocol (IP) address for fabric edge devices may be provided. This address may be used to send and receive packets in a connectivity message for all VRFs on a fabric edge device. First, a request packet may be created by a first network device in response to receiving a connectivity message. The request packet may have a source address corresponding to an address of the first network device and a destination address corresponding to an address of a first client device. Next, the first network device may encapsulate the request packet. The first network device may then forward the encapsulated request packet to a second network device associated with the first client device.
    Type: Grant
    Filed: April 17, 2018
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Atri Indiresan, Roberto Kobo, Sanjay Kumar Hooda, Akshay Sunil Dorwat
  • Patent number: 10664481
    Abstract: A data processing method includes receiving a stream of digital data with a plurality of objects and, in response to receiving an object, tokenizing the object to create a tokenized object, and storing the tokenized object in a token database. The method further includes comparing the tokenized object to a plurality of other tokenized objects stored in the token database, computing a pattern associated with the tokenized object, storing the pattern in a pattern database, and managing a size of the pattern database by identifying a subset of patterns that are eligible for deletion from the pattern database based on an age of each pattern, ranking each pattern of the subset based on a quality and a popularity metric, identifying, based on the ranking and from the subset, a second pattern and deleting the second pattern from the pattern database to produce an updated database.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Roberto Attias, Alberto Gonzalez Prieto
  • Patent number: 10666766
    Abstract: In one embodiment, a device in a network determines performance characteristics of a plurality of physical interfaces of the device. The device receives an application descriptive language-based description of performance requirements of a virtualized application for execution by the device. The device selects a particular one of the plurality of physical interfaces for use by the virtualized application during execution, based on the performance requirements of the virtualized application and on the performance characteristics of the plurality of physical interfaces. The device causes the virtualized application to use the selected physical interface during execution by the device.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Sujay Gopinathan, Jeslin Antony Puthenparambil, Vivek Datar, Binod Roay
  • Patent number: 10667256
    Abstract: An example method is provided in one example embodiment and includes intercepting a setup request for a session via a small cell network portion associated with a wide area network (WAN) instance, wherein the WAN instance comprises the small cell network portion and an enterprise network portion and wherein the small cell network portion and the enterprise network portion are interconnected to a service provider network; classifying the session to a particular WAN priority queue, wherein a plurality of WAN priority queues are configured for the WAN instance; determining whether the particular WAN priority queue has available bandwidth for the session; allocating bandwidth for the particular WAN priority queue if the particular WAN priority queue has available bandwidth; and permitting the session to be established if the particular WAN priority queue has available bandwidth.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: David Lake, Mark Grayson, Santosh Ramrao Patil
  • Patent number: 10666671
    Abstract: In one embodiment, a device in a serial network determines that a suspicious event has occurred in the network. The suspicious event is identified based on timing information for one or more frames in the serial network. The device assesses whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event. The device causes a mitigation action to be performed in the network when the suspicious event is deemed malicious.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: David A. Maluf, Raghuram S. Sudhaakar, Sanjiv Doshi
  • Patent number: 10666608
    Abstract: A DNS nameserver processes requests for domain name information based on subscriber identifiers, and optionally subscriber information. Based on a subscriber identifier, requests for a target domain name may generate a DNS response with domain name information for a proxy service. Techniques are provided to seamlessly and transparently authenticate a subscriber at the proxy service. The proxy service generates a redirect with a unique domain name including a tracking identifier in response to requests for a target domain name. The nameserver receives a request associated with the unique domain name. The nameserver responds with domain name information of the proxy service and generates a message to the proxy service mapping the tracking identifier to the subscriber identifier. The client then generates a request to the proxy service that includes the tracking identifier. The proxy service uses the mapping from the nameserver to authenticate the corresponding subscriber identifier.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Geoff Townsend, Michael Ellery, Lucas Siba, Brian Somers
  • Patent number: 10666640
    Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Blake Harrell Anderson, Subharthi Paul, William Michael Hudson, Jr., Philip Ryan Perricone
  • Patent number: 10666626
    Abstract: A computing device receives one or more messages in a secure communication session with a peer device. Security information for the secure communication session includes a first network address associated with the peer device. The computing device detects that a new message in the secure communication session includes a second network address different from the first network address. The computing device validates the new message as part of the secure communication session and sends an informational request to the peer device. The informational request is sent to the peer device at a destination address of the second network address. The computing device receives an update message from the peer device.
    Type: Grant
    Filed: January 18, 2017
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Mukesh Yadav, Navneet Priya, Siddeshi R
  • Patent number: 10666459
    Abstract: A method is provided in one example embodiment and may include receiving a frame at an Ethernet Virtual Private Network (EVPN) provider edge (PE) node via an attachment circuit link, wherein the frame is to be forwarded to a Virtual Private Local Area Network (LAN) Service (VPLS) PE node; determining whether the EVPN PE node is a designated forwarder for the attachment circuit link; forwarding the frame using at least one primary pseudowire label based on a determination that the EVPN PE node is the designated forwarder for the attachment circuit link; and forwarding the frame using at least one mirrored pseudowire label based on a determination that the EVPN PE node is not the designated forwarder for the attachment circuit link. The EVPN node can be in an all-active multi-homed configuration with at least one other EVPN PE node for a customer edge device.
    Type: Grant
    Filed: July 5, 2017
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventor: Ali Sajassi
  • Patent number: 10666049
    Abstract: In one embodiment, a method, system, and apparatus including a Power Source Equipment (PSE) device configured to provide Power-over-Ethernet (PoE) to a Powered Device (PD) that is configured to receive a request from the PD requesting a quantity of PoE power, the quantity of PoE power including an amount of power to be provided by the PSE as power for redundancy, receiving a message from the PD, the message including a unique identifier, allocating a requested quantity of PoE power, the allocating of the requested quantity of PoE power including allocating to provide the requested quantity of PoE power from one of a plurality of PSEs, and providing the requested quantity of PoE power to the PD. Related methods, systems, and apparatuses are described.
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventor: Krishna Vavilala
  • Publication number: 20200162907
    Abstract: Authentication with security in wireless networks may be provided. A first confirm message comprising a first send-confirm element and a first confirm element may be received. Next, an Authenticator Number Used Once (ANonce) may be generated and a second confirm message may be sent comprising the ANonce, a second send-confirm element, and a second confirm element. Then an association request may be received comprising a Supplicant Number Used Once (SNonce) and a Message Integrity Code (MIC). An association response may be sent comprising an encrypted Group Temporal Key (GTK), an encrypted Integrity Group Temporal Key (IGTK), the ANonce, and the MIC. An acknowledgment may be received comprising the MIC in an Extensible Authentication Protocol (EAP) over LAN (EAPoL) key frame and a controller port may be unblocked in response to receiving the acknowledgment.
    Type: Application
    Filed: November 15, 2018
    Publication date: May 21, 2020
    Applicant: Cisco Technology, Inc.
    Inventors: Abhishek Dhammawat, Mansi Jain
  • Publication number: 20200163013
    Abstract: Roaming Consortium Identifier (RCOI)-based handling of identity requirements may be provided. First, an access device may advertise an identifier. The identifier may identify a roaming federation and an identity type used by a service provider in order to provide service by the access device. Next, a request to associate with the access device may be received from a user device. The request may be compliant with the identity type advertised in the identifier. The user device may then be associated with the access device in response to receiving the request.
    Type: Application
    Filed: July 15, 2019
    Publication date: May 21, 2020
    Applicant: Cisco Technology, Inc.
    Inventors: Mark Grayson, Jerome Henry, Malcolm Muir Smith, Bart A. Brinckman
  • Patent number: 10656339
    Abstract: An apparatus comprises a plurality of optical fibers and a lid member having one or more surfaces with grooves formed therein. The lid member defines a first plurality of grooves that are each dimensioned to partly receive an optical fiber of the plurality of optical fibers. The apparatus further comprises a substrate comprising a plurality of waveguides arranged at a predefined depth relative to a reference surface of the substrate, and a plurality of ribs extending from the reference surface. Each rib of the plurality of ribs is dimensioned to engage with a respective groove of a second plurality of grooves of the lid member. Engaging the plurality of ribs of the substrate with the second plurality of grooves of the lid member provides an optical alignment of the plurality of optical fibers with the plurality of waveguides.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: May 19, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Vipulkumar Patel, Ashley J. Maker, Anthony D. Kopinetz