Abstract: Disclosed herein are methods of forwarding data over an IP network. The methods may include receiving a packet from a source host connected to the IP network, identifying the IP address of a destination host designated in the packet, determining the location on the IP network where the destination host designated by the packet is connected, without reference to the MAC address specified in the packet, by using location-identification information stored on the IP network, and forwarding the packet to the location on the IP network where the destination host is connected without reference to the MAC address specified in the packet. Also disclosed herein are related network devices implementing such techniques and operations, as well as IP networks which include such network devices.

Abstract: This disclosure describes techniques to operate a control plane in a network fabric. The techniques include determining a stateless rule corresponding to communication between a first segment of the network fabric and a second segment of the network fabric. The techniques further include configuring the control plane to enforce the stateless rule.

Abstract: Various implementations disclosed herein enable malleable routing for data packets. For example, in various implementations, a method of routing a type of data packets is performed by a device. In some implementations, the device includes a non-transitory memory and one or more processors coupled with the non-transitory memory. In some implementations, the method includes determining a routing criterion to transmit a set of data packets across a network. In some implementations, the method includes identifying network nodes and communication links in the network that satisfy the routing criterion. In some implementations, the method includes determining a route for the set of data packets through the network nodes and the communication links that satisfy the routing criterion. In some implementations, the method includes configuring the network nodes that are on the route with configuration information that allows the set of data packets to propagate along the route.

Abstract: This disclosure describes techniques for enforcing conditional access to network services. In an example method, a first computing device detects a second device operating in a per-flow authorization mode. The first device receives a first request from a second computing device to communicate with a third computing device using a first network flow and determines that the first flow is authorized (e.g., because of an active past authentication and/or the third device's authentication exemption). Data associated with the first request is transmitted to the third device. The first device then receives a second request to communicate with a fourth computing device using a second network flow and determines that the second flow is not authorized (e.g., because it is not associated with an active past authentication and/or the fourth device is not exempt from authentication). Data associated with the second request is not transmitted to the fourth device.

Abstract: This disclosure describes techniques for enabling distributed path computation and centralized path enforcement in a computer network used to implement a software application. In some cases, the disclosed techniques include using a central controller that initializes and coordinates monitoring agents deployed to network regions. The monitoring agents may collect monitoring data associated with application segments in their respective regions and share this data with each other. Using the aggregated data, the agents can compute optimal paths between application segment pairs spanning multiple regions. The optimal inter-region paths may be sent to the controller, which can program the paths into the routing application programming interfaces (APIs) of the various network environments like public cloud and on-premises networks.

Abstract: A client device identifier for dual-Wi-Fi connections may be provided. First, it may be determined that a client device has associated over a first link having a first Media Access Control (MAC) address. Next, from the client device over the first link, a first management frame may be received that identifies a MAC address of a second link associated with the client device. Then, based on information in the first management frame, it may be determined that the first link and the second link are associated with the client device.

Abstract: Address Resolution Protocol (ARP)-proxy update for roaming client devices may be provided. A client device may query for a list of active Internet Protocol (IP) addresses used by the client device. Next, the client device may determine that an Access Point (AP) supports a collaborative IP exchange function. Then the client device may send, in response to determining that the AP supports the collaborative IP exchange function, the list of active Internet Protocol (IP) addresses to the AP.

Abstract: Profile-based association method for enterprise networks may be provided. A computing device may configure a first profile and a second profile. Next, the client device may be configured with a set of network profiles associated with a plurality of networks. A user of the client device may be queried for a profile choice for one of the plurality of networks. Then the client device may associate with the one of the plurality of networks according to the profile choice provide by the user.

Abstract: A method for file system destinations includes obtaining events for storage on one or more of the storage systems. For each event, the method includes extracting at least one field value from the event, comparing the at least one field value to configurations of the storage systems to identify at least one storage system of the plurality of storage systems having a matching configuration, transmitting the event to an ingest module queue for the at least one storage system, selecting a partition for the event based on the at least one field value to obtain a selected partition, mapping the selected partition to a file using a partition mapping, and appending the event to the file on the at least one storage system.

Abstract: Load balancing for saturated wireless may be provided. A computing device may determine that an Access Point (AP) has reached a saturation point. A first Service Device (SD) having a first SD coverage area that overlaps an AP coverage area associated with the AP may be identified. Then a license to operate within a frequency spectrum segment for the first SD coverage area may be obtained. A plurality of user devices may be moved from the AP to the first SD. The first SD may then service the plurality of user devices using at least a portion of the frequency spectrum segment.

Abstract: This disclosure describes techniques and mechanisms for using a domain-specific language (DSL) to express and compile serverless network functions, and optimizing the deployment location for the serverless network functions on network devices. In some examples, the serverless network functions may be expressed entirely in the DSL (e.g., via a text-based editor, a graphics-based editor, etc.), where the DSL is a computer language specialized to a particular domain, such as a network function domain. In additional examples, the serverless network functions may be expressed and compiled using a DSL in combination with a general-purpose language (GSL). Once the serverless network function have been expressed and/or compiled, the techniques of this disclosure further include determining an optimized network component on which the serverless network function is to execute, and deploying the serverless function to the optimized network component.

Abstract: Systems and methods are provided for re-balancing and healing of an SD-WAN in an unbalanced state and/or experiencing one or more failure states. In response to a request to connect to a new controller resulting from OMP load shedding from a first controller, the system can identify other controllers capable of handling the load requirements of the edge router. The system can incorporate the controller group preference of the edge router and select a second controller based on the identified other controllers and within the preferred controller group. If not possible, the system can temporarily assign the edge router to non-preferred controller groups and move them back to controllers in the preferred controller group once it becomes viable. The system further enhances OMP graceful restart (GR) logic to incorporate the load shedding effect and avoid unnecessary route retention that GR entails.

Abstract: Techniques and mechanisms for identifying unmanaged cloud resources with endpoint and network logs and attributing the identified cloud resources to an entity of an enterprise that owns the cloud resources. The process collects data from sources, e.g., endpoint and network logs, with respect to traffic in a computer network and based at least in part on the data, extracts relationships related to the traffic. The process applies rules to the relationships to extract destinations in the computer network that provide cloud resources in a cloud environment, wherein the cloud resources are owned by an enterprise. One or more users or business entities of the enterprise are identified as accessing the cloud resources.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: Heatsinking in laser devices may be improved via a device, including: a header disk having a first face with a circumference; a header post that is thermally conductive, and having: a second face connected to the first face coterminously with the circumference; a third face opposite to the second face; and a fourth face perpendicular to the second face and the third face; a lens holder, having a fifth face connected to the third face; and an optical subassembly connected to the fourth face and optically aligned with the lens holder. The device may also be understood to comprise: a header disk having a circumference; a header post that is thermally conductive, the header post having: an arc coterminous to a portion of the circumference; a mounting face, perpendicular to a plane in which the arc and the circumference are defined; and a bonding face perpendicular to the mounting face.

Abstract: Embodiments for handling multidestination traffic in a network are described. It is determined that a destination of a packet, received at a network device, is a multihomed destination. In response to determining that the destination of the packet is a multihomed destination, a hash value is determined from a selection of header values of the packet using a hash function. The packet is forwarded to the destination using a shadow hash forwarding table based at least in part on determining, based on the hash value and a hash forwarding table, that the network device is a designated forwarder for the packet.

Abstract: Techniques for an email-security system to detect multi-stage email scam attacks, and engage an attacker to obtain additional information. The system may analyze emails for users and identify scam emails by analyzing metadata of the emails. The system may then classify the scam emails into particular classes from among a group of scam-email classes. The system may then engage the attacker that sent the scam email. In some instances, the scam emails may be multi-stage attacks, and the system may automatically engage the attacker to move to the next stage of the scam attack. For instance, the system may send a lure email that is responsive to the particular scam class to prompt or provoke the attacker to send more sensitive information, such as a phone number, a bank account, etc. The system may then harvest this sensitive information of the attacker, and use that information for various remedial actions.

Abstract: Real-time radio self-calibration may be provided. The self-calibration may begin by sampling a Transmission (TX) signal. An achievable Error Vector Magnitude (EVM) for one or more frames may be determined based on the TX signal. Link budgets for clients may be determined using a TX power and a supported Modulation and Coding Scheme (MCS). A per packet TX power is adjusted based on the achievable EVM and a TX retry rate. The PA linearity of the radio may also be adjusted based on the achievable EVM and the link budget. The client may be regrouped into a new MCS based on the link budget.

Abstract: Techniques are described for providing service level agreement performance in a link aggregation group computer networking environment. A performance measurement data packet such as a bi-directional forwarding detection (BFD) packet is received. The performance measuring data packet can be considered a parent performance measurement data packet is split into multiple child performance measurement data packets which are each different constituent links of a link aggregation database. The performance of each constituent is tested to determine which constituents satisfy service level agreement parameters. Data packets can then be sent to constituents that meet the data packet's service level agreement performance parameters while still allowing link aggregation grouping.

Abstract: This disclosure generally relate to a method and system for mapping application dependency information. The present technology relates techniques that enable user-adjustable application dependency mapping of a network system. By collecting internal network data using various sensors in conjunction with external user inputs, the present technology can provide optimized application dependency mapping using user inputs.