Abstract: Presented herein are techniques to automatically provision cross-domain end-to-end services. A method includes receiving, at a cross-domain orchestrator, a request for a service, decomposing the request for the service into a first provisioning command and into a second provisioning command, sending the first and second provisioning commands to the first and second domains, respectively, receiving, from the first domain, in response to the first provisioning command, a first constraint associated with the first resource of the first domain, receiving, from the second domain, in response to the second provisioning command, a second constraint associated with the second resource of the second domain, distributing the first constraint to the second domain, and the second constraint to the first domain; and initiating, based on the first and second constraints, the service using the first resource of the first domain and the second resource of the second domain.

Abstract: The present technology is directed to visualizing a Wi-Fi access point (AP) signal propagation pattern through multiple floors. The present technology can execute a Wi-Fi signal propagation model corresponding to a first AP on a first floor of a building plan and a second AP on a second floor of the building plan. The Wi-Fi signal propagation model calculates a Wi-Fi signal propagation pattern for a plurality of APs including the first AP and the second AP. The present technology can further present a visualization of the Wi-Fi signal propagation pattern for the plurality of APs, wherein the Wi-Fi signal propagation pattern for the first AP on the first floor of the building plan projects onto the second floor of the building plan.

Abstract: Techniques for using more-specific routing to perform scalable Layer-2 (L2) stretching of subnets across hybrid-cloud environments. Routing tables in a public cloud may allow for routes that are more specific than the default local route, and the more-specific routes may be used to send all traffic to a dedicated, cloud router. The more-specific routes are set up for a VPC where a subnet resides such that the more specific-routes cover at least a portion of subnet range. The next hop for the more-specific routes point to the cloud router which is capable of doing host routing and segmentation extension. Thus, traffic originating from endpoints in a VPC is routed to the cloud router, and the cloud router determines whether the traffic is to be re-routed back to a destination endpoint in the VPC (or another cloud location), or sent to a destination endpoint residing in the on-premises site.

Abstract: Aspects of the disclosure include a method and associated network device. The method includes authenticating an identity of a user of a client device after the client device is associated with an access network provider. Authenticating the identity of the user comprises receiving, from an identity provider, a credential associated with the identity, and receiving, from the identity provider, information identifying a network-based service to be applied to network traffic with the client device. The method further includes establishing, using the credential and the received information, a secure connection between the access network provider and a service provider that is capable of providing the network-based service. The method further includes receiving network traffic from the service provider. Packets of the network traffic include an assurance value that enables the client device to determine that the network-based service is being provided by the service provider.

Abstract: Techniques for group-based classification and policy enforcement at a network fabric edge for traffic that is being sent to external network destinations are disclosed herein. The techniques may include receiving, at a control plane of a network and from an edge node of the network, a request to provide mapping data associated with sending a packet to a destination. Based at least in part on an address prefix value associated with the destination, the control plane may determine that the destination is located in an external network. Additionally, a group identifier that is associated with the destination may be determined. In this way, an indication of the group identifier may be sent to the edge node such that the edge node may determine, based at least in part on the group identifier, a policy decision for routing the packet to the external network.

Abstract: A first address resolution request may be received by a first access switch from a first device and the address resolution request may be resolved by the first access switch with a central database of a network. Then a second address resolution request may be sent to a sensor by the first access switch in response to resolving the first address resolution request. An address resolution response may then be sent by the sensor to the first device in response to the sensor determining that the first device is a bad endpoint. A session may then be established between the sensor and the first device in response to the sensor sending the address resolution response. The first device may then be prompted by the sensor via the established session to resolve issues that lead the sensor to determine that the first device is a bad endpoint.

Abstract: Methods and systems enable internal and external verification of computations performed by a code signing server according to hash-based signature techniques using unique state, and further for a code signing server to expose parts of a hash-based signature log without negating the security of the one-time signature key pairs generated by the code signing server. A signing module of a code signing server receives a signing request from a client computing system. The signing module configures the code signing server to generate a one-time signature key pair based on a Merkle tree state. The signing module configures the code signing server to issue a hash-based signature to the client computing system. The code signing server is configured to record the Merkle tree state and the issued HBS in an immutably ordered log at a logging server.

Abstract: Enhanced network level information for power control is described. The enhanced network level information enables network connected electronic devices to enter and exit standby modes based on system level information. The network level information also enables the use of a respective network connected device in a seamless manner from the perspective of the user, while decreasing the amount of energy consumed by the device when not in active operation. In some examples, a Network Monitoring Application (NMA) classifies electronic devices into power control categories, monitors a physical environment associated with the plurality of connected electronic devices, and provides a power control signal to the various electronic devices upon detection of a change in the physical environment.

Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media to encode network functions in a packet header. A method includes receiving a first packet from a source device that is to be delivered to a destination address through a network; determining a route to the destination address; identifying at least one network function for the first packet; encapsulating the first packet in a second packet, wherein a header of the second packet includes the route to the destination address in a destination address field and local processing metadata associated with the at least one network function in a source address field; and forwarding the second packet to a next network node of the network identified in the destination address.

Abstract: A network infrastructure component determines a risk measurement associated with a wireless client device's use of a device address, and provides an advisory with respect to an address rotation strategy of the wireless client device based on the risk measurement. In some embodiments, the risk measurement is based on one or more of an exposure, by the wireless client device, of information on the wireless network that identifies the wireless client device and/or a characterization of a security of the wireless network environment in which the wireless client device operates.

Abstract: In one example embodiment, a plurality of objects selected by a user on a user interface for a collaboration tool are identified. The plurality of objects include at least two different types of objects. One or more collaboration actions to perform are determined by a computing device based on the types and contextual information for the plurality of objects. The one or more collaboration actions are presented on the user interface. A presented collaboration action is initiated from the user interface.

Abstract: A method includes determining a number of drops of a plurality of messages sent to a first node of a plurality of nodes within a mesh network. Based at least in part on the number of drops of the plurality of messages exceeding a threshold number of drops for a time period, decrementing a first rating assigned to the first node to a second rating assigned to the first node. Based at least in part on the second rating being below a rating threshold, determining that the first node is a potentially malicious node. Based at least in part on a first distance to the first node being larger than a distance threshold, identifying that the first node is a malicious node. The method may further include ending communications with the first node.

Abstract: Methods are provided in which a network device hosts distinct network access resources that are managed by different entities. The method includes obtaining a request for partitioning one or more network resources of an on-premise network device for connecting one or more endpoints to a first network managed by a first entity. The on-premise network device connects one or more endpoints to a second network managed by a different entity. The method further involves partitioning, based on the request, the one or more network resources and connecting the one or more endpoints to the first network using the one or more network resources. The one or more network resources are managed by the first entity while at least one other network resource of the on-premise network device is managed by the different entity and is associated with connecting the one or more endpoints to the second network.

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. An ARP responder can receive an ARP request from an ARP requestor for performing address resolution between the ARP requestor and the ARP responder in a network environment. The ARP responder can build an ARP response including attestation information of the ARP responder. Further, the ARP responder can provide, to the ARP requestor, the attestation information for verifying the ARP responder using the ARP response and the attestation information of the ARP responder.

Abstract: Interoperable Transmit Power Envelop (TPE) signaling with Automated Frequency Coordination (AFC) frequency response may be provided. First, AFC information may be received. Next a mask may be determined for a punctured channel indicated in the AFC information. Then a first amount may be determined that the mask needs to be altered to reach an AFC response for the punctured channel indicated in the AFC information. A Transmit Power Envelop (TPE) value may then be reported for the punctured channel comprising the first amount plus a second amount.

Abstract: An epoch scheme for Station (STA) privacy and, specifically, a structured Media Access Control (MAC) address rotation schedule for STAs may be provided. Providing an epoch scheme for STA privacy can include determining epoch parameters for a STA, the epoch parameters comprising a minimum epoch period duration and a maximum epoch period duration. The epoch parameters are sent to the STA, wherein the STA is operable to rotate a MAC address each epoch period at a time between the minimum epoch period duration and the maximum epoch period duration. A mapping of the STA and the MAC address can be updated each epoch period.

Abstract: In one embodiment, a method includes receiving, by a network node, a packet associated with a session. The method also includes performing, by the network node, a sequence-based anti-replay check and determining, by the network node, that the sequence-based anti-replay check rejected the packet. The method further includes performing, by the network node, a time-based anti-replay check, performing, by the network node, a selective anti-replay check, and determining, by the network node, whether to dynamically adjust a time-based anti-replay window size.

Abstract: A method is performed by a gateway node that is at a boundary of the first network domain and the second network domain. The method includes receiving an end-to-end delay measurement request sent by the first node to measure end-to-end delay between the first node and the second node. The end-to-end delay measurement request is configured to initiate a first delay measurement process configured for use in the first network domain. The gateway node sends to the second node a delay measurement request configured to initiate a second delay measurement process configured for use in the second network domain. The gateway node determines a delay measurement in the second network domain between the gateway node and the second node using the second delay measurement process. The gateway node sends to the first node an end-to-end delay measurement response that enables the first node to compute the end-to-end delay.

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

Abstract: Methods that provide accelerated data operations by splitting data records into sub-records and by using in-memory storage. In these methods, a computing device obtains a complex data record that includes at least one unique identifier, primary information about the complex data record, and a plurality of data values that change over time. The computing device generates a plurality of data sub-records by splitting, based on a set of rules, the complex data record into a plurality of parts in which at least a portion of the primary information is separated from the plurality of data values and added to a respective data sub-record of the plurality of data sub-records, generating a unique binding identifier, and adding the unique binding identifier to each of the plurality of data sub-records to link the plurality of data sub-records to each other. The data sub-records are stored, using an in-memory database, into a blockchain.