Patents Assigned to Cisco Technology
  • Publication number: 20240303336
    Abstract: A method of protecting networks may include detecting a compromised computing device associated with a security event generated by a unified security policy from a plurality of sites within a network. A context of the compromised computing device may be extracted. The context may be propagated to a controller. The method may further include fetching from an identity services engine (ISE), user identity associated with the compromised computing device, and provisioning the controller with a dynamic list and a data policy matching the dynamic list. The method may also include advertising the dynamic list and the data policy to at least one of the plurality of sites.
    Type: Application
    Filed: March 8, 2023
    Publication date: September 12, 2024
    Applicant: Cisco Technology, Inc.
    Inventors: Deepthi Tammireddy, Shilpa Avinash Sodani, Vishnuprasad Raghavan, Hongqing Li
  • Patent number: 12088552
    Abstract: Systems and techniques are provided for synchronizing DHCP snoop information. In some examples, a method can include, performing, by a first PE device from a plurality of PE devices, DHCP snooping of a first plurality of DHCP messages between a DHCP client and a DHCP server, wherein the plurality of PE devices is part of an ethernet segment for multihoming the DHCP client. In some aspects, the method includes determining, based on snooping the first plurality of DHCP messages, an association between an IP address corresponding to the DHCP client and a MAC address corresponding to the DHCP client. In some examples, the method includes sending, by the first PE device to at least one other PE device from the plurality of PE devices, a first route advertisement that includes the association between the IP address corresponding to the DHCP client and the MAC address corresponding to the DHCP client.
    Type: Grant
    Filed: February 21, 2023
    Date of Patent: September 10, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Ali Sajassi, Samir Thoria, Lukas Krattiger, Manoj Kumar Pandey
  • Patent number: 12088426
    Abstract: The present disclosure is directed to managing industrial internet of things end points and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more switches to perform operations comprising: identifying a first end point using a protocol associated with the first end point, determining a classification for the identified first end point based on one or more attributes of the first end point, identifying one or more related end points having the classification in common with the first end point, segmenting the first end point with the identified one or more related end points, and applying one or more policies to the segmented first end point and the one or more related end points.
    Type: Grant
    Filed: August 8, 2022
    Date of Patent: September 10, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Balaji Sundararajan, Vivek Agarwal, Anand Oswal, Chethan Channappa, Subhash Kodnad, Jeevan Sharma
  • Patent number: 12088484
    Abstract: Techniques for optimizing technologies related to network path tracing and network delay measurements are described herein. Some of the techniques may include using an IPv6 header option and/or segment identifier field of a segment list or a TLV of a segment routing header as a telemetry data carrier. The techniques may also include using an SRv6 micro-segment (uSID) instruction to indicate to a node of a network that the node is to perform one or more path tracing actions and encapsulating the packet and forward. Additionally, the techniques may include using short interface identifiers corresponding to node interfaces to trace a packet path through a network. Further, the techniques may include using short timestamps to determine delay measurements associated with sending a packet through a network. In various examples, the techniques described above and herein may be used with each other to optimize network path tracing and delay measurement techniques.
    Type: Grant
    Filed: August 15, 2023
    Date of Patent: September 10, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Clarence Filsfils, Ahmed Mohamed Ahmed Abdelsalam, Rakesh Gandhi, Pablo Camarillo Garvia, Francois Clad
  • Patent number: 12088483
    Abstract: Techniques for optimizing technologies related to network path tracing and network delay measurements are described herein. Some of the techniques may include using an IPv6 header option and/or segment identifier field of a segment list or a TLV of a segment routing header as a telemetry data carrier. The techniques may also include using an SRv6 micro-segment (uSID) instruction to indicate to a node of a network that the node is to perform one or more path tracing actions and encapsulating the packet and forward. Additionally, the techniques may include using short interface identifiers corresponding to node interfaces to trace a packet path through a network. Further, the techniques may include using short timestamps to determine delay measurements associated with sending a packet through a network. In various examples, the techniques described above and herein may be used with each other to optimize network path tracing and delay measurement techniques.
    Type: Grant
    Filed: June 8, 2023
    Date of Patent: September 10, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Clarence Filsfils, Ahmed Mohamed Ahmed Abdelsalam, Rakesh Gandhi, Pablo Camarillo Garvia, Francois Clad
  • Patent number: 12089089
    Abstract: In one embodiment, a controller identifies access points forming an overhead mesh of access points in an area, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The controller assigns the access points to access point groups. The controller generates communication schedules for the access points such that each access point in an access point group is on a common channel and only one of neighboring directional transmitters of access points in that group is able to transmit at any given time. The controller sends the communication schedules to the access points forming the overhead mesh of access points in the area.
    Type: Grant
    Filed: January 21, 2022
    Date of Patent: September 10, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Pascal Thubert, Domenico Ficara, Patrick Wetterwald, Alessandro Erta, Amine Choukir
  • Patent number: 12088607
    Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.
    Type: Grant
    Filed: February 29, 2024
    Date of Patent: September 10, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Martin Rehak, David McGrew, Blake Harrell Anderson, Scott William Dunlop
  • Patent number: 12087276
    Abstract: A plurality of audio datasets associated with captured audio are provided to a plurality of automatic speech recognition engines, wherein each of the automatic speech recognition engines is configured to recognize speech of a first language. Word error rate estimates that comprise at least one word error rate estimate for each of the plurality of audio datasets are determined from outputs of the plurality of automatic speech recognition engines. From the word error rate estimates, audio in the plurality of audio datasets is determined to include speech in a second language.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: September 10, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mohamed Hariri Nokob, Mohamed Gamal Mohamed Mahmoud, Ahmad Abdulkader
  • Patent number: 12088628
    Abstract: In one embodiment, an access policy enforcement service receives a user authentication request from an end-user device. The access policy enforcement service identifies a telemetry collection intent from the user authentication request. The access policy enforcement service determines a monitoring policy based on the telemetry collection intent identified from the user authentication request. The access policy enforcement service configures, according to the monitoring policy, one or more telemetry collection agents to collect telemetry for traffic associated with the end-user device.
    Type: Grant
    Filed: October 8, 2021
    Date of Patent: September 10, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Rahul Rammanohar, Kondaveeti Lakshmi Ganesh, David John Zacks
  • Patent number: 12086114
    Abstract: In one embodiment, systems and methods for performing asynchronous local migration of metadata between data stores and asynchronous remote replication of metadata between sites are described. The methods may use various configurations, including 1-to-1, 1-to-N, N-to-1, M-to-N, etc. The method for performing asynchronous local migration at a first site may include pausing critical operation(s) at an old data store, copying metadata from the old data store to a new data store, flagging table(s) in the old data store as complete, and deleting the metadata from the old data store. The method for asynchronous remote replication may include determining that local migration is complete, identifying second metadata from the new data store for which the first site is a primary authority, sending, to the second site, the second metadata, receiving, from the second site, third metadata for which the second site is the primary authority and storing the third metadata.
    Type: Grant
    Filed: July 14, 2022
    Date of Patent: September 10, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Vishwas Muthur Srinivasan, Rajesh Rajashekar, Junxu Li
  • Patent number: 12089090
    Abstract: In one illustrative example, a user plane function (UPF) node may receive, from a controller node, a configuration of an allocated bandwidth for a predefined service classification associated with different predefined types of a communication resource at the UPF node, for each one of a plurality of different predefined service classifications associated with different predefined types of the communication resource. The UPF node may monitor a total bandwidth usage for each predefined service classification. Based on identifying that the total bandwidth usage exceeds a threshold limit, the UPF node may send, to the controller node, a message which indicates a request for readjusting the allocated bandwidth for the predefined service classification, and indicating the total bandwidth usage. The different predefined types of the communication resource may be different network slices at the UPF node, or different Quality of Service (QoS) Flow resource types at the UPF node, as examples.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: September 10, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Abhishek Dhammawat, Srinath Gundavelli
  • Publication number: 20240298178
    Abstract: Fine Time Measurement (FTM) Location Configuration Information (LCI) protection and, specifically, FTM LCI protection with authentication and selective client enablement may be provided. To perform FTM LCI protection, a controller may first obtain a key-pair including a public key and a private key from a Certificate Authority (CA). The controller may determine a venue location where an Access Point (AP) is located. The controller may send a Certificate Signing Request (CSR) with the venue location to the CA. In response to sending the CSR, the controller may receive a public key certificate from the CA, wherein the public key certificate includes the venue location. The AP may receive a request for Location Configuration Information (LCI) from a Station (STA), wherein the LCI includes an AP location. The AP creates a hash of LCI of the AP using the private key and sends the LCI and the hash to the STA.
    Type: Application
    Filed: October 26, 2023
    Publication date: September 5, 2024
    Applicant: Cisco Technology, Inc.
    Inventors: Jerome Henry, Brian D. Hart, Peiman Amini, Stephen M. Orr, Sudhir K. Jain
  • Patent number: 12081430
    Abstract: Techniques for a hub node, provisioned in a network site of a hub and spoke overlay network, to receive a network advertisement from the spoke, decode network routing requirements from a border gateway protocol (BGP) large community associated with the network advertisement, and store the network routing requirements in association with a route associated with the spoke. The routing requirements may indicate one or more service(s) to be applied to the packet, a trust level associated with the spoke, and/or a trust zone associated with the spoke. The hub node may receive a packet from the spoke to be transmitted to a destination spoke. The hub node may then route the packet to the destination spoke, drop the packet, or send the packet to a service node configured to apply the one or more services to the packet based on the routing requirements.
    Type: Grant
    Filed: July 8, 2022
    Date of Patent: September 3, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Hari Shankar, Eui Sun Ahn, Jeffery Rodd Daviss, Rashmi Garg, Jon Langemak, William Mark Townsley
  • Patent number: 12081417
    Abstract: Methods, systems, and non-transitory computer-readable media are provided for deploying intent-driving cloud branches. An example method can include obtaining, by one or more controllers in a software-defined network (SDN), a branch network design template for deploying a remote branch in the SDN, wherein the branch network design template defines networking settings for a plurality of services to be provisioned at the remote branch; obtaining, by the one or more controllers, a plurality of software packages for the plurality of services to be provisioned at the remote branch; and based on the branch network design template and the plurality of software packages, provisioning, by the one or more controllers, the plurality of services at the remote branch and a network connectivity of the plurality of services.
    Type: Grant
    Filed: February 9, 2023
    Date of Patent: September 3, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Balaji Sundararajan, Ankush Verma, Bhavana Malhotra Bodas, Kaushik Pratap Biswas, Chandramouli Balasubramanian, Anirudh Ramnath Ramakrishna, Madhuri Kolli
  • Patent number: 12079660
    Abstract: Various techniques are used to schedule computing jobs for execution by a computing resource. In an example method, a schedule is generated by selecting, for a first slot in the schedule, a first computing job based on a first priority of the first computing job with respect to a first characteristic. A second computing job is selected for a second slot in the schedule based on a second priority of the second computing job with respect to a second characteristic. The second slot occurs after the first slot in the schedule, and the second characteristic is different than the first characteristic. The first characteristic or the second characteristic includes an execution frequency. The computing jobs are executed based on the schedule.
    Type: Grant
    Filed: August 2, 2023
    Date of Patent: September 3, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Rohit Bahl, Stephen Williams, Debashish Ghosh
  • Patent number: 12082307
    Abstract: Techniques are provided for operator specific customization of a network service configuration. In some embodiments, an operator defines a mapping between an application executing on a user equipment (UE) and a network service configuration. In some embodiments, the network service configuration indicates whether the application is to be supported via a UPF instance located within the core network or deployed at a network edge. The mapping is then provided to the UE, and passed back to the core network, for example, when the UE establishes a connection on behalf of the UE application. The core network then supports the UE application consistent with the configuration specified by the mapping.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: September 3, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Srinath Gundavelli, Vimal Srivastava, Ravi Kiran Guntupalli
  • Patent number: 12082294
    Abstract: Techniques and architecture are described for providing connectivity and monitoring the connectivity of a fabric network controller/control plane with external and extended network controllers/control planes. The techniques and architecture provide a method that includes provisioning a control plane of a first network with a control plane of a second network. The method also includes establishing a session between the control planes of the first and second networks. The method further includes registering nodes of the first network with the control plane of the second network and providing, by the control plane of the first network to the control plane of the second network, information related to endpoints within the first network. The method also includes monitoring, reporting, and possibly taking corrective actions, by the control plane of the second network, with respect to connectivity/status between the control plane of the first network and the control plane of the second network.
    Type: Grant
    Filed: December 17, 2021
    Date of Patent: September 3, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Prakash C. Jain, Parthiv Shah, Anton Smirnov
  • Patent number: 12081626
    Abstract: A method for a seamless transfer of a secure multimedia conference session from one endpoint device to another without a need to rekey the session is provided. In this method, a first endpoint device connects a participant to a multimedia conference session to which at least one other participant is connected and based on detecting one or more second endpoint devices within a predetermined location proximity of the first endpoint device, determines whether to transfer the multimedia conference session to a target endpoint device. Based on determining that the session is to be transferred, the first endpoint device establishes a secure pairing connection directly with the target endpoint device and provides, via the secure pairing connection, information about the multimedia conference session based on which the multimedia conference session is transferred to the target endpoint device without rekeying the multimedia conference session.
    Type: Grant
    Filed: March 23, 2023
    Date of Patent: September 3, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Kaustubh Inamdar, Vinay Saini, Ankush Ganpatrai Arora
  • Patent number: 12081530
    Abstract: Techniques and mechanisms to reduce double encryption of packets that are transmitted using encrypted tunnels. The techniques described herein include determining that portions of the packets are already encrypted, identifying portions of the packets that are unencrypted, and selectively encrypting the portions of the packets that are unencrypted prior to transmission through the encrypted tunnel. In this way, potentially private or sensitive data in the packets that is unencrypted, such as information in the packet headers, will be encrypted using the encryption protocol of the encrypted tunnel, but the data of the packets that is already encrypted, such as the payload, may avoid unnecessary double encryption. By reducing (or eliminating) the amount of data in data packets that is double encrypted, the amount of time taken by computing devices, and computing resources consumed, to encrypt traffic for encrypted tunnels may be reduced.
    Type: Grant
    Filed: August 15, 2023
    Date of Patent: September 3, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Kyle Andrew Donald Mestery, Ian James Wells, Grzegorz Boguslaw Duraj
  • Patent number: RE50121
    Abstract: A method for routing is disclosed. The method comprises establishing an overlay network, comprising a plurality of network elements and an overlay controller; wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network; receiving by the overlay controller, information from each service-hosting network element, said information identifying a service hosted at that service-hosting network element, and label associated with the service-hosting network element; identifying by the overlay controller, at least one policy that associates traffic from a site with a service; and causing by said overlay controller, the at least one policy to be executed so that traffic from the site identified in the policy is routed using the underlying transport network to the service-hosting network element associated with the said service.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: September 10, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Lars Olof Stefan Olofsson, Atif Khan, Syed Khalid Raza, Himanshu H. Shah, Amir Khan, Nehal Bhau