Abstract: A system and method for providing network and port address translation is provided. A global IP address and a block (chunk) of ports are allocated for each mobile subscriber (MS) on first data connection. Subsequent data connections from the same MS are assigned the same IP address and a new port from this block. The mapping information is communicated, processed, and stored once for the complete block, instead of for every new data connection. This process reduces processing, communication, and storage requirements.

Abstract: A secure shared memory interface for computer application processes is described. In one embodiment, a method includes initiating a shared memory interface between a master application process instance and a slave application process instance running on a computer. The method also includes allocating one or more regions within a memory allocation of the slave application process instance to the shared memory interface. The method further includes generating a first descriptor ring and a second descriptor ring in each region of the one or more regions of the shared memory interface. The master application process instance and the slave application process instance exchange information by adding one or more packets to at least one region of the one or more regions of the shared memory interface.

Abstract: A control plane of a network, including radios of a radio access network controlled by the control plane and user plane functions controlled by the control plane, establishes first and second protocol data unit (PDU) connections each to handle the same flows of traffic for ultra-reliable low latency communications (URLLC) from user equipment to a data network through first and second source radios, respectively. Due to mobility of the user equipment, the control plane relocates the flows from the first and second source radios to first and second target radios, respectively. To relocate the flows, the control plane receives from the first target radio a notification that identifies flows that cannot be activated on the first target radio. In response to the notification, the control plane commands the first target radio to prioritize the flows that cannot be activated above remaining ones of the flows.

Abstract: Dynamic power in cable access networks may be reduced. First, a peak data rate associated with a network may be determined. Then, a modulation order and an associated Radio Frequency (RF) level that will support the determined peak data rate may be determined. Next, a power value to be transmitted by a node in the network based on the determined modulation order and the associated RF level may be determined. A bias value may then be determined for the node to support the determined power value.

Abstract: In one embodiment, a service chain data packet is instrumented as it is communicated among network nodes in a network providing service-level and/or networking operations visibility. The service chain data packet includes a particular header identifying a service group defining one or more service functions, and is a data packet and not a probe packet. A network node adds networking and/or service-layer operations data to the particular service chain data packet, such as, but not limited to, in the particular header. Such networking operations data includes a performance metric or attribute related to the transport of the particular service chain packet in the network. Such service-layer operations data includes a performance metric or attribute related to the service-level processing of the particular service chain data packet in the network.

Abstract: In one embodiment, a networking device in a local area network (LAN) receives an instruction from a server to form a virtual network overlay in the LAN that redirects traffic associated with a particular node in the LAN to the server for analysis. The networking device establishes the virtual network overlay in the LAN to redirect traffic associated with the particular node to the server. The networking device determines that at least a portion of the traffic associated with the particular node should be processed locally within the LAN and not via redirection to the server and adjusts the virtual network overlay to process the at least a portion of the traffic associated with the particular node locally within the LAN and not via redirection to the server.

Abstract: In one embodiment, an apparatus comprising at least one memory, and processing circuitry, the processing circuitry adapted to obtain combined data, the combined data including policy data, or a pointer to the policy data, the policy data relating to general access for an Internet of Things (IoT) device, and update metadata, or a pointer to the update metadata, the update metadata relating to at least one update that is relevant to the IoT device in accordance with at least one criterion, and cause access of the IoT device to the at least one update to be in accordance with an update specific policy that is based on the combined data.

Abstract: In one embodiment, a primary networking device in a branch network receives a notification of an anomaly detected by a secondary networking device in the branch network. The primary networking device is located at an edge of the network. The primary networking device aggregates the anomaly detected by the secondary networking device and a second anomaly detected in the network into an aggregated anomaly. The primary networking device associates the aggregated anomaly with a location of the secondary networking device in the branch network. The primary networking device reports the aggregated anomaly and the associated location of the secondary networking device to a supervisory device.

Abstract: A network function (NF) profile repository function (NPRF) is provided to receive, for each one of a plurality of NF instances of a plurality of different NF types, information associated with the NF instance and store the information in memory. The NPRF may then also receive, from an NF repository function (NRF), a message which indicates a request for information associated with one or more NF instances of an indicated NF type. In response, the NPRF may retrieve, from the memory based on the indicated NF type, information associated with the one or more NF instances. The NPRF may send, to the NRF, a message which indicates a response to the request, where the response includes retrieved information associated with the one or more NF instances.

Abstract: Presented herein are traffic pruning techniques that define the pruning at the group level. A software defined network (SDN) controller determines first and second endpoint groups (EPGs) of an SDN associated with the SDN controller. The SDN runs on a plurality of networking devices that interconnect a plurality of endpoints that are each attached to one or more host devices. The SDN controller determines a host-EPG mapping for the SDN, as well as a networking device-host mapping for the SDN. The SDN controller then uses the host-EPG mapping, the networking device-host mapping, and one or more group-based policies associated with traffic sent from the first EPG to the second EPG to compute hardware pruning policies defining how to prune multi-destination traffic sent from the first EPG to the second EPG. The hardware pruning policies are then installed in one or more of the networking devices or the host devices.

Abstract: In embodiments disclosed herein involve receiving a first packet, where the first packet originated from a first device on a first virtual local area network (VLAN) in a first plurality of VLANs, where routing is enabled among each of the first plurality of VLANs. A first temporary value is assigned to a first VLAN identifier associated with the first packet, where the first temporary value corresponds to the first plurality of VLANs. Additionally, the first packet is processed based on a plurality of flow tables. Further, a first destination value is assigned to the first VLAN identifier, where the first destination value corresponds to a second VLAN in the first plurality of VLANs, and the first packet is transmitted to a second device on the second VLAN.

Abstract: One embodiment provides a system that facilitates secure communication between computing entities. During operation, the system generates a first interest that indicates a vote for a value associated with a group prefix and a round number. In response to the first interest, the system receives a first content object that indicates an acknowledgment of the vote and has a payload that includes a nonce validator. In response to a second interest that indicates an acknowledgment of the first content object, the system receives a second content object that indicates a decision for the value and has a payload that includes a nonce which is used as a pre-image of the nonce validator. The system verifies the second content object based on the nonce and the nonce validator.

Abstract: In one embodiment, a technique for Internet of Things gateway-based carrier-operator signage monitoring is provided that illustratively comprises: receiving, by a gateway device and from a first device of a plurality of devices of a mesh network in a monitored site, positioning information associated with a second device of the plurality of devices, wherein each of the plurality of devices is affixed to a respective sign; generating, by the gateway device, site monitoring information by aggregating the positioning information with other positioning information received from the plurality of devices, wherein the site monitoring information indicates a physical change in placement of a sign to which the second device is affixed; and sending, by the gateway device, the site monitoring information to a signage monitoring device configured to perform a mitigation action for the monitored site based on an identification of the physical change in placement of the sign.

Abstract: A computing device running a local enforcement agent is configured to instantiate at least one application container at the computing device, where the at least one application container is part of a containerized application. The computing device is also configured to associate the local enforcement agent with the least one application container so that the local enforcement agent operates as an intra-application communication proxy for the least one application container. The local enforcement agent receives an intra-application Application Programming Interface (API) call that is sent to the at least one application container from a second application container that is part of the containerized application. The local enforcement agent is configured to analyze the intra-application API call for compliance with one or more security policies associated with the at least one container.

Abstract: A method provided that is performed at one or more intermediate nodes in a path in a network. The node receives a packet having a header that includes metadata that has been accumulated as the packet travels along the path in the network. The node detects whether a trigger condition has occurred. In response to detecting that the trigger condition has occurred, the node exports, to a destination entity, at least a portion of the metadata that has been accumulated in the header so that the portion of the metadata is removed from the header after it has been exported.

Abstract: Computer systems and methods for allocating bandwidth so that server computers can send data to a client computer without exceeding the available bandwidth between the server computers and the client computer, or the processing bandwidth or capacity of the client computer, are discussed herein.

Abstract: In one embodiment, a device in a network stores an archive image to a storage location of the device. The archive image comprises a plurality of compressed files. For one or more of the files, the device copies a segment of a particular file in the archive image to a segment copy in the storage location of the device and deletes the segment of particular file from the archive image. The device repeats the copying and deleting steps until the particular file has been fully deleted from the archive image. The device reconstitutes the particular file by merging the segment copy with one or more other segment copies associated with the particular file.

Abstract: Fifth Generation (5G) standards specify use of a Subscription Concealed Identifier (SUCI) (i.e. a concealed identity) for a user equipment (UE) during initial registration, where the SUCI is derived from a Subscription Permanent Identifier (SUPI) of the UE. Given the identity concealment and use of different identities on different interfaces in a 5G network, maintaining subscriber state with a stateless network architecture may be challenging. Accordingly, one or more techniques and mechanisms are provided herein for subscriber management with a stateless network architecture in a 5G network, even without the need to maintain intermediate states of a UE in an external data store. The one or more techniques and mechanisms may be provided in relation to processing of Next Generation (NG) Application Protocol (NGAP) signaling messages at an access and mobility management function (AMF), and in particular, in relation to a registration procedure for the UE.

Abstract: One embodiment provides a system for facilitating efficient communication of an interest group packet indicating a collection of interests. During operation, the system receives, by an intermediate node, a first packet which has a name and indicates a set of member interests, wherein a member interest has a name, wherein a name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level. In response to obtaining a content object which satisfies a member interest, the system removes the indicated member interest from the first packet. The system adds an entry in a pending interest table for the first packet, wherein the entry indicates the name for the first packet, the name for each member interest, and an indicator of whether each member interest is satisfied. The system transmits the first packet to another node.

Abstract: A Session Initiation Protocol enabled network connected device receives a client certificate from a client device. The SIP enabled network connected device validates the client certificate from information received from a certificate authority. The SIP enabled network connected device determines an identifier of the client device from the client certificate. The SIP enabled network connected stores the identifier of the client device. The SIP enabled network connected device receives a SIP message from the client device. The SIP enabled network connected device inserts the identifier of the client device into the SIP message. The SIP enabled network connected device transmits the SIP message to a destination SIP enabled device after inserting the identifier of the client device into the SIP message.