Abstract: An apparatus comprising a printed circuit board with at least one heat source, an enclosure around the printed circuit board, wherein the enclosure includes a first surface and a second surface opposite the first surface, and a heatsink comprising a body portion and a plurality of fins extending from the body portion, wherein the heatsink is attached to the first surface, and wherein the at least one heat source conducts heat to the heatsink, wherein a plurality of channels are provided between the first surface and the second surface, each of the plurality of channel passing through the enclosure, the heatsink, and the printed circuit board.

Abstract: Systems, methods, and computer-readable storage media are provided for provisioning a common subnet across a number of subscribers and their respective virtual networks using dynamically generated network policies that provide isolation between the subscribers. The dynamic generation of the network policies is performed when a host (e.g. client) is detected (via a switch) as the host joins the computing network via virtual networks. This ability to configure a common subnet for all the subscriber virtual networks allows these subscribers to more easily access external shared services coming from a headquarter site while keeping the separation and segmentation of multiple subscriber virtual networks within a single subnet. This allows the Enterprise fabric to be more simple and convenient to deploy without making security compromises.

Abstract: A method for calibrating a magnetometer of a device is provided. The method includes collecting, with a portable calibration device having a magnetometer, magnetic field measurements in a spatial region about a mounting location where the device is to be installed for operation, estimating magnetometer compensation parameters to correct for magnetic field distortion at the mounting location based on the magnetic field measurements collected by the portable calibration device, and configuring the device installed at the mounting location based on the magnetometer compensation parameters.

Abstract: Techniques for creating consent contracts for devices that indicate whether the devices consent to receiving network-based communications from other devices. Further, the techniques include enforcing the consent contracts such that network-based communications are either allowed or disallowed in the network-communications layer prior to the network communications reaching the devices. Rather than simply allowing a device to communicate with any other device over a network, the techniques described herein include building in consent for network-based communications where the consent is consulted at one or more points in a communication process to make informed decisions about network-based traffic.

Abstract: According to one or more embodiments of this disclosure, a network controller in a data center network establishes a translation table for in-band traffic in a data center network, the translation table resolves ambiguous network addresses based on one or more of a virtual network identifier (VNID), a routable tenant address, or a unique loopback address. The network controller device receives packets originating from applications and/or an endpoints operating in a network segment associated with a VNID. The network controller device translates, using the translation table, unique loopback addresses and/or routable tenant addresses associated with the packets into routable tenant addresses and/or unique loopback addresses, respectively.

Abstract: Systems and methods are provided for providing differential treatment to user traffic involving optimized reporting of start and stop traffic. The systems and method can include detecting, at a user plane function, an initiation of a type of traffic being performed at the user plane function, providing, by the user plane function, a start event trigger of the type of traffic detected by the user plane function to a session management function, and receiving, at the user plane function, a policy associated with the type of traffic from the session management function, the policy including instructions preventing submissions of subsequent event triggers to the session management function until an end of the type of traffic, the subsequent event triggers being associated with the type of traffic detected by the user plane function.

Abstract: Techniques for using more-specific routing to perform scalable Layer-2 (L2) stretching of subnets across hybrid-cloud environments. Routing tables in a public cloud may allow for routes that are more specific than the default local route, and the more-specific routes may be used to send all traffic to a dedicated, cloud router. The more-specific routes are set up for a VPC where a subnet resides such that the more specific-routes cover at least a portion of subnet range. The next hop for the more-specific routes point to the cloud router which is capable of doing host routing and segmentation extension. Thus, traffic originating from endpoints in a VPC is routed to the cloud router, and the cloud router determines whether the traffic is to be re-routed back to a destination endpoint in the VPC (or another cloud location), or sent to a destination endpoint residing in the on-premises site.

Abstract: A method of updating map server entries may include generating a map server database (DB) at a map server. The map server DB may include a plurality of relational fields for a plurality of entries. The method may further include, based at least in part on a first entry of the plurality of entries being updated including a change to a first network location of the first entry, updating a second network location of a second entry of the plurality of entries that has a relation with the first entry based on the relational fields.

Abstract: Systems, methods, and computer-readable media are provided for dynamic allocation of network security resources and measures to network traffic between end terminals on a network and a network destination, based in part on an independently sourced reputation score of the network destination. In one aspect, a method includes receiving, at a cloud network controller, a request from an end terminal for information on a network destination; determining, at the cloud network controller, a reputation score for the network destination; determining, at the cloud network controller, one or more security measures to be applied when accessing the network destination, based on the reputation score; and communicating, by the cloud network controller, the one or more security measures to the end terminal, wherein the end terminal communicates the one or more security measures to a third-party security service provider for applying to communications between the end terminal and the network destination.

Abstract: In one embodiment, a method by a site router agent at an edge site comprises determining that a first application instance becomes running on the edge site, where the first application instance is associated with a first unique identifying information, sending a report to a control plane of an edge backend indicating that the first application instance becomes available at the edge site, retrieving a first message from a message router at the edge backend, determining that the first message is destined to the first application instance based on a destination field of the first message, storing the first message into a storage communicatively connected to the site router agent, establishing a network connection with the first application instance, and sending the first message to the first application instance upon establishing the network connection.

Abstract: Presented herein are techniques to facilitate delivering standalone non-public network (SNPN) credentials from an enterprise authentication server to a user equipment (UE) using an Extensible Authentication Protocol (EAP) process. In one example, a method may include determining, by an authentication server of an enterprise, that a UE for the enterprise is to receive credentials to enable the UE to connect to a SNPN of the enterprise in which the determining is performed based, at least in part, on connection of the UE to an access network that is different than the SNPN for the enterprise; and performing an authentication process with the UE by the authentication server in which the authentication process includes providing the credentials to the UE via a first authentication message and obtaining confirmation from the UE via a second authentication message that indicates successful provisioning of the credentials for the UE.

Abstract: A method, computer system, and computer program product are provided for network risk analysis. A plurality of risk reports relating to a network device in a network are obtained, wherein each risk report is associated with a particular dimension of a plurality of dimensions of risk for the network device in the network. A count of the plurality of risk reports is determined for each dimension of the plurality of dimensions of risk. A regression model is applied to determine a risk value for the network device in the network based on the count of the plurality of risk reports for each dimension and based a role of the network device in the network.

Abstract: Dynamic Open Radio Access Network Radio Unit (O-RU) sharing between multiple tenant Open RAN Distributed Units (O-DU) may be provided. A Near Real Time RAN Intelligent Controller (nRT-RIC) may receive tenant policies for a first tenant and a second tenant. The nRT-RIC may then determine initial sharing templates for the first tenant and the second tenant based on the tenant policies. The nRT-RIC may send the initial sharing templates to a first tenant Distributed Unit (DU) and a second tenant DU. The nRT-RIC may receive operating metrics from the first tenant DU and the second tenant DU. The nRT-RIC may then determine operational factors based on the operating metrics. The nRT-RIC may alter an allocation of resources between the first tenant and the second tenant based on the operational factors. Finally, the nRT-RIC may send the altered allocation of resources to the first tenant DU and the second tenant DU.

Abstract: In one embodiment, a device identifies a timeseries motif present in a plurality of timeseries of performance metrics for a plurality of paths in a network. The device retrieves, based on the timeseries motif, device-level telemetry data from networking devices along the plurality of paths. The device determines a root cause of the timeseries motif by correlating the timeseries motif with the device-level telemetry data. The device provides an indication of the timeseries motif and its root cause for display by a user interface.

Abstract: Disclosed herein are systems, methods, and computer-readable media for managing Layer 2 (L2) and Layer 3 (L3) policies. Traffic is routed from a first VM to a first CGW within a Service Node, where the Service Node can include a centralized policy for both L2 functions and L3 functions, and the first CGW can integrate both L2 gateways and L3 gateways. Based on a floating IP address of the packet, the traffic is routed within the Service Node, the traffic being routed by an access BD from an ingress BD-VIF to an egress BD-VIF. The traffic is then routed from a second CGW that integrates both L2 gateways and L3 gateways to the destination VM.

Abstract: This disclosure describes techniques for exchanging keys associated with encrypted media sessions using blockchains. In an example method, one or more encrypted frames are generated by encrypting one or more media frames based on an encryption key. Data indicating a ledger in a blockchain is transmitted to one or more computing devices. The ledger includes a decryption key configured to decrypt the one or more encrypted frames. Data packets are generated by packetizing the one or more encrypted frames. The data packets are transmitted to the one or more computing devices.

Abstract: Various embodiments herein disclose coordinating neighbor discovery between access points (APs) with auxiliary radios and APs without auxiliary radios. A corresponding wireless controller comprises a processor and a memory storing instructions that, when executed, cause the controller to perform operations. The operations comprise grouping APs into a first group of more flexible APs and a second group of less flexible APs and querying the second group of APs for a corresponding broadcast interval. The operations further comprise identifying when the second group of APs is scheduled to broadcast parameters, and a broadcast interval for each AP of the second group of APs and generating a schedule based on the scheduled broadcast and the broadcast interval for each AP of the second group of APs. The operations additionally comprise providing the generated schedule to the first group of APs and the second group of APs.

Abstract: Techniques for an Application Programming Interface (API) gateway to workload placement and load balancing in a distributed system. The API gateway may route API requests, responses, and so forth, via a plurality of paths between the API gateway, API endpoint devices and API client devices. The API gateway may collect the path properties for the plurality of paths between itself, and the client devices and API endpoints. Additionally, or alternatively, the API gateway may collect process properties indicating the statistics of specific processes. Using this data, the API gateway may determine that a particular path, a particular process, etc., has experienced performance degradation. The API gateway may further determine, and perform, a remedial action to take to remedy the performance degradation of the path or processes.

Abstract: Techniques for dynamically negotiating a service legal agreement (SLA) between a roaming device and a visited network (VN) in an identity federation. An identity profile provided to a user device by an identity provider (IDP) is accessed by the user device. The identity profile includes a first SLA criteria. An advertisement from the VN indicating one or more SLAs supported by the VN is received at the user device. The advertisement is received before the user device has associated with the VN. The IDP and the VN are part of a same identity federation. It is determined that the SLA supported by the VN satisfies the first SLA criteria. Upon that determination, an acceptance is transmitted by the user device to the VN, and the user device is associated with the VN.

Abstract: Systems and methods are provided that include: accessing implicit authentication data from a possession factor associated with an authorized user; at the possession factor or at an authentication platform: generating a possession confidence level using the implicit authentication data, the possession confidence level being one of a plurality of possession confidence levels, the possession confidence level indicating a likelihood that the possession factor is possessed by the authorized user; identifying, among a plurality of varying authentication requirements, an authentication requirement for the transaction based on the possession confidence level, the authentication requirement defines a process or action to prove authority to perform the transaction or a process or action to prove an identity of a user attempting to perform the transaction; and implementing the authentication requirement for the transaction.