Abstract: Provided is an infrastructure for enforcing target service level parameters in a network. In one example, a network service level agreement (SLA) registry obtains one or more input service level parameters for at least one service offered by an application. Based on the one or more input service level parameters, the network SLA registry provides one or more target service level parameters to a plurality of network controllers. Each network controller of the plurality of network controllers is configured to enforce the one or more target service level parameters in a respective network domain configured to carry network traffic associated with the application.

Abstract: Systems, methods, and computer-readable storage media are provided for provisioning a common subnet across a number of subscribers and their respective virtual networks using dynamically generated network policies that provide isolation between the subscribers. The dynamic generation of the network policies is performed when a host (e.g. client) is detected (via a switch) as the host joins the computing network via virtual networks. This ability to configure a common subnet for all the subscriber virtual networks allows these subscribers to more easily access external shared services coming from a headquarter site while keeping the separation and segmentation of multiple subscriber virtual networks within a single subnet. This allows the Enterprise fabric to be more simple and convenient to deploy without making security compromises.

Abstract: In one embodiment, dynamic user private networks are virtually segmented within a shared virtual network. A network control system maintains the dynamic logical segmentation of the shared virtual network. User entities (e.g., user devices and/or services) are communicatively coupled to respective personal virtual networks via endpoints of access devices. Each of these endpoints is associated with a corresponding user private network. Responsive in real-time to automated processing of a received electronic particular user request, the network control system automatically modifies the dynamic logical segmentation of the shared virtual network to move a particular user entity on the shared virtual network to newly being on the first dynamic user private network without being disconnected from the shared virtual network. One embodiment uses different user private network identifiers (UPN-IDs) associated with endpoints and received packets to identify their respective user private network.

Abstract: In accordance with one example embodiment, a system configured for programming a network layer multicast address entry in a routing table of an ingress line card module is disclosed. The network layer multicast address entry includes a network layer address associated with at least one egress line card. The system is further configured for programming a data link layer multicast routing address entry in a routing table of a fabric card module in which the data link layer multicast routing address entry corresponds to the network layer multicast address entry.

Abstract: Techniques for operationalizing workloads at edge network nodes, while maintaining centralized intent and policy controls. The techniques may include storing, in a cloud-computing network, a workload image that includes a function capability. The techniques may also include receiving, at the cloud-computing network, a networking policy associated with an enterprise network. Based at least in part on the networking policy, a determination may be made at the cloud-computing network that the function capability is to be operationalized on an edge device of the enterprise network. The techniques may also include sending the workload image to the edge device to be installed on the edge device to operationalize the function capability. In some examples, the function capability may be a security function capability (e.g., proxy, firewall, etc.), a routing function capability (e.g., network address translation, load balancing, etc.), or any other function capability.

Abstract: A method, computer system, and computer program product are provided for automatically analyzing software packages to identify the degree of differences between compared software packages and to apply security policies. A first software bill of materials for a software package is processed to extract a plurality of components of the software package, wherein the first software bill of materials indicates a first hierarchy of components based on relationships between components. The first hierarchy is compared to a second hierarchy, the second hierarchy corresponding to a second software bill of materials, to determine a degree of difference between the first hierarchy and the second hierarchy. The degree of difference is compared to one or more threshold values. A security policy is applied with respect to the software package according to a comparison of the degree of difference to the one or more threshold values.

Abstract: The subject disclosure relates to a computer-implemented method for reducing access contention in a wireless medium. In some aspects, a method of the technology includes steps for exchanging data packets with multiple client devices in a wireless network, and based on the data exchange, identifying a first device from among the multiple client devices for which one or more higher-layer (e.g., Layer 3 and/or Layer 4) packets are likely to be received. In some aspects, a method of the technology can further include steps for broadcasting a lower-layer (e.g., Layer 2) packet to the plurality of client devices, wherein the lower-layer packet includes an extended duration field to suppress transmission by one or more listening client devices until at least one subsequent higher-layer packet is received from the first device. Systems and machine-readable media are also provided.

Abstract: Disclosed herein are systems, methods, and computer-readable media for increasing security of devices that leverages an integration of an authentication system with at least one corporate service. In one aspect, a request is received from a user device to authenticate a person as a particular user by the authentication system. A photo of the person attempting to be authenticated as the particular user is captured. Nodal points are mapped to the captured photo of the person attempting to be authenticated, and the nodal points from the photo are compared against a reference model for facial recognition of the particular user. It is then determined whether the nodal points match the reference model for the particular user. The present technology also includes sending a command to the user device to send data to identify the person, and/or a location of the user device.

Abstract: In an example, a network switch is configured to natively act as a high-speed load balancer. Numerous load-balancing techniques may be used, including one that bases the traffic “bucket” on a source IP address of an incoming packet. This particular technique provides a network administrator a powerful tool for shaping network traffic. For example, by assigning certain classes of computers on the network particular IP addresses, the network administrator can ensure that the traffic is load balanced in a desirable fashion. To further increase flexibility, the network administrator may apply a bit mask to the IP address, and expose only a portion, selected from a desired octet of the address.

Abstract: According to one or more embodiments of the disclosure, an edge node of a virtual overlay for a Layer-2 mesh receives a new flow notification that indicates a destination address for a new flow in the Layer-2 mesh. The virtual overlay is configured to flood replicated frames of the new flow throughout the virtual overlay. The edge node makes a local match between the destination address indicated by the new flow notification and a local address table of the edge node. The edge node sends, based on the local match, a match notification that causes other nodes in the virtual overlay to stop flooding replicated frames of the new flow.

Abstract: Techniques for leveraging a distributed Domain Name System (DNS) infrastructure for preserving Personally Identifiable Information (PII) data for distributed resolvers using a hash to policy pair (HPP) database are described. A DNS security service receives metadata including PII associated with a client. A cryptographic hash function is applied to the metadata including PII associated with the client to generate a client hash value. A client HPP is created by mapping the client hash value to a set of DNS policy instructions associated with the client. The client HPP is stored in a HPP database. A distributed resolver is authorized to provide DNS services to the client. Finally, the HPP database is published to the distributed resolver.

Abstract: Techniques for sending Compute Express Link (CXL) packets over Ethernet (CXL-E) in a composable data center that may include disaggregated, composable servers. The techniques may include receiving, from a first server device, a request to bind the first server device with a multiple logical device (MLD) appliance. Based at least in part on the request, a first CXL-E connection may be established for the first server device to export a computing resource to the MLD appliance. The techniques may also include receiving, from the MLD appliance, an indication that the computing resource is available, and receiving, from a second server device, a second request for the computing resource. Based at least in part on the second request, a second CXL-E connection may be established for the second server device to consume or otherwise utilize the computing resource of the first server device via the MLD appliance.

Abstract: A method is provided that is performed using an application performance management agent running on an application and/or application microservices. The method comprises detecting a request to the application and/or application microservices for data, and inserting data compliance metadata into packet headers of packets that are to be sent in response to the request by the application and/or application microservices. The data compliance metadata comprises data-compliance markings associated with the data based on user/operator-defined data compliance requirements. The method further includes causing the packets to be sent into a network so that one or more network devices or services in the network can read the data compliance metadata and apply packet handling policies.

Abstract: An integrated circuit includes a transimpedance amplifier and an injection circuit. The injection circuit generates a first electrical test signal and injects the first electrical test signal into the transimpedance amplifier. The first electrical test signal or an output of the transimpedance amplifier generated based on the first electrical test signal is used to determine whether the integrated circuit is faulty.

Abstract: Methods are provided in which a user device connects a participant to a collaboration session in which the participant communicates with at least one other participant using audio and/or video, which is distributed in a media stream to the at least one other participant via a respective user device. In these methods, the user device detects at least one of an object within a space that is included in the video and an audio signal and selectively filters the media stream to exclude the object or a portion of the audio signal based on at least one of participant list information, learned background information, or learned voices of participants of the collaboration session.

Abstract: This disclosure describes techniques for allowing an organization to manage user identities. In some examples, the management of user identities may be serverless. In some examples, serverless identity management may be enabled through a distributed application on user devices of the organization. The application may generate and/or store information related to the user identities on the user devices. Serverless identity management may further include storing at least some of the information at a location that is easily accessible to the user devices, such as a cloud computing location, while maintaining security for private data. Serverless identity management may therefore provide an organization with greater operational flexibility.

Abstract: In one embodiment, an apparatus includes a connecting member configured for positioning on an upper surface of an integrated circuit package and a cable comprising a first end attached to the connecting member and a second end configured for electrically coupling with a power supply component. The connecting member is operable to position the cable for connection to the upper surface of the integrated circuit package to deliver power from the power supply component to the integrated circuit package with the power supply component and the integrated circuit package mounted on an upper surface of a printed circuit board. A method is also disclosed herein.

Abstract: A method includes providing a sacrificial wafer, contacting the sacrificial wafer to a photonic device wafer, and bonding the sacrificial wafer to the photonic device wafer. The sacrificial wafer includes a substrate and an electro-optical material strip disposed within a dielectric matrix. The photonic device wafer includes a photonic device die, and the electro-optical material strip is disposed proximate to the photonic device die. A photonic device structure includes a photonic device wafer and a sacrificial wafer. The photonic device structure includes a device wafer substrate and a photonic device die fabricated in a device wafer dielectric layer. The sacrificial wafer includes a sacrificial wafer substrate and an electro-optical material strip embedded in a sacrificial wafer dielectric matrix. The sacrificial wafer dielectric matrix is bonded to the device wafer dielectric layer, and the electro-optical material strip is disposed proximate to the photonic device die.

Abstract: Fine Time Measurement (FTM) improvement and, specifically, trigger based FTM improvements via efficiently grouping initiators may be provided. A plurality of probe requests transmitted by a plurality of initiators is received. For each probe request, a Received Signal Strength Indication (RSSI) and Channel State Information (CSI) is determined, and a distance between an initiator and an associated responder associated with the probe request is determined based on the RSSI and the CSI. Line of Sight (LOS) or Non Line of Sight (NLOS) relationships between the plurality of initiators and one or more responders is determined based on the CSI. One or more groups of initiators is determined from the plurality of initiators based on the LOS or NLOS relationships and the distances determined for each probe request, wherein the responders and the initiators perform FTM based on the one or more groups of initiators.

Abstract: Techniques for trusted roaming between identity federation based networks. A first wireless access point (AP) receives a roaming request from a wireless station (STA), to roam from the first AP to a second AP. The first AP is associated with a first access network provider (ANP), the second AP is associated with a second ANP, and the first ANP is different from the second ANP. Authentication information relating to the STA is transmitted from the first ANP to the second ANP using a trusted connection. The trusted connection was previously established between the first ANP and the second ANP based on a query to an identity federation to which both the first and second ANP belong. The STA is de-associated from the first AP. The STA is re-associated at the second AP using the transmitted authentication information.