Abstract: Theft detection in data center networks may be provided. First, a first leaf switch may create an entry in a first distributed secure cache in response to an endpoint appearing on the first leaf switch. The entry may correspond to the endpoint and may be marked as having a tentative state. Then a request message may be sent to a plurality of leaf switches. The request message may comprise data identifying the endpoint. Next, a reply message may be received in response to the request message from a second leaf switch within the plurality of leaf switches. The tentative state may then be removed from the entry in response to the reply message indicating that the endpoint is valid.

Abstract: Presented herein are techniques for use in a network environment that includes one or more service zones, each service zone including at least one instance of an in-line application service to be applied to network traffic and one or more routers to direct network traffic to the at least one service, and a route target being assigned to a unique service zone to serve as a community value for route import and export between routers of other service zones, destination networks or source networks via a control protocol. An edge router in each service zone or destination network advertises routes by its destination network prefix tagged with its route target. A service chain is created by importing and exporting of destination network prefixes by way of route targets at edge routers of the service zones or source networks.

Abstract: In one embodiment, a device in a network sends a first multicast message to a plurality of destinations in the network. The first multicast message includes a first bitmap that identifies the destinations. The device receives one or more acknowledgements from a subset of the destinations. The device determines a retransmission bitmap that identifies those of the plurality of destinations that did not acknowledge the first multicast message, based on the received one or more acknowledgements. The device sends a retransmission multicast message to those of the plurality of destinations that did not acknowledge the first multicast message. The retransmission multicast message includes the retransmission bitmap.

Abstract: In one embodiment, a system includes an interface to receive a device identifier which uniquely identifies a first device, a processor to determine at least one characteristic of the first device from the device identifier, and select a first network slice based on the at least one characteristic of the first device, the first network slice including a first plurality of security services countering security risks associated with the at least one characteristic of the first device, wherein the interface is operative to send slice identifier information about the first network slice towards the first device. Related apparatus and methods are also described.

Abstract: An apparatus and method is disclosed for segment routing (SR) over label distribution protocol (LDP). In one embodiment, the method includes a node receiving a packet with an attached segment ID. In response, the node may attach a label to the packet. Thereafter, the node may forward the packet with the attached label and segment ID to another node via a label switched path (LSP).

Abstract: An endpoint among a plurality of endpoints, synchronizes a clock across the plurality of endpoints. The endpoint generates a received ultrasonic signal by transducing ultrasonic sound received at a microphone from a spatial region. The ultrasonic sound includes an identical ultrasonic signal transmitted from the plurality of endpoints and echoes from the spatial region. The identical ultrasonic signal is generated with respect to the synchronized clock. The endpoint computes an error signal based on removing the identical ultrasonic signals and the echoes from the received ultrasonic signal. The endpoint detects motion in the spatial region based on a change in the error signal over time.

Abstract: An example method for zero touch configuration and synchronization of a service appliance in a network environment includes receiving, at an appliance port on a service appliance, an indication that a switch port on a switch changed from an inactive status to an active status, the appliance port being connected over a network to the switch port, starting a bootstrap protocol, including by receiving at the service appliance from the switch, a bootstrap message from a service executing in the switch, creating, by the service appliance, an empty port channel at the service appliance, adding, by the service appliance, the appliance port to the port channel, and associating, by the service appliance, the service to the port channel in a cache.

Abstract: In one embodiment, a method including analyzing a plurality of dialed sequences that are associated with unrouted calls in accordance with one or more candidacy rules, based at least partly on the analyzing, defining one or more candidate dial patterns for addition to a set that includes zero or more dial patterns in use for call control, and performing at least one action which promotes addition of the one or more candidate dial patterns to the set.

Abstract: Presented herein are segment-routing methods and systems that facilitate data plane signaling of a packet as a candidate for capture at various network nodes within a segment routing (SR) network. The signaling occurs in-band, via the data plane—that is, a capture or interrogation signal is embedded within the respective packet that carries a user traffic. The signaling is inserted, preferably when the packet is classified, e.g., at the ingress node of the network, to which subsequent network nodes with the SR network are signaled to capture or further inspect the packet for capture.

Abstract: In one embodiment, when an ingress provider edge (PE) device of a computer network domain receives a frame at the ingress PE device destined to a destination media access control (MAC) address, it can determine whether the frame was received on a root or leaf Ethernet ingress segment, and also whether the destination MAC address is located via a root or leaf Ethernet segment. Accordingly, the ingress PE device may either drop or forward the frame based on the ingress Ethernet segment and destination MAC address Ethernet segment being either a root or a leaf, respectively.

Abstract: Clusters of log lines are identified based on log line templates. The log line templates are based on a punctuality pattern for a log line. Clusters of log lines that match each punctuality pattern can be identified based on comparisons between the log lines. The comparison may determine the similarity of the log lines and ultimately identify whether the log lines are close enough to be clustered. The comparison may be based on generated n-grams for the log lines and performing a hash on the n-grams. The resulting cluster information may be communicated to a user in an interface.

Abstract: A distributed neighbor discovery module is disclosed where all neighbor discovery operations and functionalities may be distributed to a switch device processor. Each neighbor discovery process on a switch device may run as an individual neighbor discovery router node. There may be no coordination between neighbor discovery processes occurring on different switch devices. All other traffic, including both IPv6 control traffic and data traffic destined to the router may be processed by the central controller processor.

Abstract: In one embodiment, a system and method are disclosed for sending a request and receiving a reply. The request contains a network service header including a flow label field and a target index field. The flow label field contains a set of available flow labels. The target index field includes a value indicating a target node. The reply contains information indicating which of the flow labels can be used to route a packet to each of the next hop nodes downstream from the device that sent the reply. This process can be repeated for other nodes on a path, and other paths in a service topology layer. The information determined by this process can be used to perform other necessary functionalities at the service topology layer.

Abstract: In one embodiment, a chip comprising a circuit, the circuit comprising a plurality of components, wherein the circuit is adapted to perform a function that is dependent on timing behavior of the circuit, and wherein a geometry of a layout of the circuit is substantially the same as another geometry of another layout of another circuit adapted to perform another function that is dependent on different timing behavior.

Abstract: A handshake procedure to establish a first connection between a client and a server is monitored at an intermediate network device. A request message sent to the server from the client is received at the intermediate network device. The request message includes parameters defining a manner of receiving information from the server. The parameters defining the manner of receiving information from the server are modified to produce modified parameters. A redirect message is sent from the intermediate network device to the client to induce or cause the client to establish a second connection with the server based upon the modified parameters, wherein the redirect message contains the modified parameters.

Abstract: Presented herein are downstream recovery (error correction) techniques for an aggregated/consolidated media stream. In one example, a consolidated media stream that includes source media packets from one or more sources is sent to one or more downstream receiving devices. Based on the source media packets, one or more self-describing recovery packets for downstream error correction of the source media packets are generated. The self-describing recovery packets include a mapping to the source media packets used to generate the self-describing recovery packets, thereby avoiding the addition of error correction information in the consolidated media stream. The one or more self-describing recovery packets are sent to each of the downstream receiving devices as a separate stream.

Abstract: A method for adding a call from a second client to a videoconference; wherein a call from at least a first client is connected to the videoconference, the call from the first client comprising first call control data and first call media data; wherein the call from the second client comprises second call control data and second call media data; and wherein a first node in a videoconferencing network handles the first call media data; the method comprising: handling the second call control data at a second node of the videoconferencing network; determining whether at least one criterion is satisfied; and in the event that at least one criterion is satisfied, diverting the second call media data to the first node of the videoconferencing network.

Abstract: Various systems and methods for using strict path forwarding. For example, one method involves receiving an advertisement at a node. The advertisement includes a segment identifier (SID). In response to receiving the advertisement, the node determines whether the SID is a strict SID or not. If the SID is a strict SID, the node generates information, such as forwarding information, that indicates how to forward packets along a strict shortest path corresponding to the strict SID.

Abstract: One embodiment provides a system that facilitates selective encryption of bit groups of a message. During operation, the system determines, by a content requesting device or content producing device, a message that includes a plurality of bit groups, each corresponding to a type, a length, and a set of values, wherein one or more bit groups are marked for encryption, and wherein the message indicates a name that is a hierarchically structured variable-length identifier comprising contiguous name components ordered from a most general level to a most specific level. The system computes a plurality of cipher blocks for the message based on an authenticated encryption protocol. The system encrypts the one or more bit groups marked for encryption based on one or more symmetric keys, wherein the marked bit groups include one or more name components. Subsequently, the system indicates the encrypted bit groups as encrypted.

Abstract: One embodiment provides a system that facilitates content closures in a CCN. During operation, the system generates, by a client computing device, an initial interest with a name that is a hierarchically structured variable length identifier which comprises contiguous name components ordered from a most general level to a most specific level, wherein the initial interest indicates a request for a result of a computation. The system receives from a content producing device a content object which indicates a function that outputs the requested result and data to be used as input to the function. The system performs the function based on the indicated data, which outputs the requested result, thereby facilitating a content producing device to offload computation of the function to the client computing device.