Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: This disclosure describes techniques for selectively providing access to a physical space. An example method includes identifying a location of a device associated with an authorized user based on an electromagnetic signal received by at least one sensor from the device. The electromagnetic signal has a frequency that is greater than or equal to 24 gigahertz (GHz). The example method further includes determining that the location of the device is within a threshold distance of a location of a threshold to a secured space and determining that an authentication score indicating that an individual carrying the device is the authorized user is greater than a threshold score. The authentication score is associated with multiple authentication factors identified by the device. Based on determining that the authentication score is greater than the threshold score, the threshold is unlocked and/or opened.

Abstract: A network node in an optical network dynamically generates a routing table based on attributes of the optical network. The network node obtains attributes characterizing the optical network, which includes multiple network nodes connected by optical links. The network node calculates cost values for sending data from the network node to one or more next hop nodes that are connected to the network node. Each particular cost value is associated with a probability of success of sending the data to a particular next hop node based on a particular permutation of the attributes characterizing the optical network. The network node generates a routing table correlating the permutations of the attributes with each next hop node based on the cost values.

Abstract: Techniques are provided that validate a participant in a video conference. As a video conferencing system is remote from a video conference participant, and user devices are not trusted, traditional methods such as client side facial recognition are ineffective at validating a participant from a video conferencing system. Thus, the embodiments encode modulated data for projection onto a face of the participant. A video of the participant is then captured. The conferencing system then confirms that the modulated data is present in the captured video.

Abstract: In one embodiment, a device generates a plurality of smoothed timeseries by applying smoothing envelopes of different durations to a timeseries of a path metric for a path in a network that is used to convey traffic of an online application. The device uses the plurality of smoothed timeseries and the timeseries of the path metric to make predictions as to whether the path will provide an unacceptable user experience in the online application. The device selects a smoothing envelope of a particular duration, by comparing performance metrics for the predictions. The device uses a timeseries of the path metric smoothed using the smoothing envelope of the particular duration to make predictive routing decisions in the network for the traffic of the online application.

Abstract: Embodiments for virtual reality (VR) and augmented reality (AR) scenes updates at VR/AR devices in a network are described. Network traffic for the scene updates is divided into traffic layers such as coarse grain (CG) layer traffic and a fine grain (FG) layer traffic for a give VR/AR scene update. The CG layer traffic is scheduled first in resource units (RUs) of a plurality a transmission opportunity (TXOP) for a VR device and FG layer traffic is scheduled in remaining RUs during the TXOP to provide synchronous viewing experiences to users of the VR/AR devices.

Abstract: The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.

Abstract: A network management center includes a Dynamic Host Configuration Protocol (DHCP) server. The network management center obtains from an identity server, client information indicating authentication of a client device in a wireless network that is connected to a network fabric. The network management center obtains from an edge node in the network fabric an Internet Protocol (IP) address request for the client device. The IP address request including a fabric domain identifier associated with the edge node. The network management center allocates an IP address for the client device based on the client information obtained from the identity server and the fabric domain identifier contained in the IP address request obtained from the edge node. The network management center provides to the edge node an Identifier Locator Addressing (ILA) address based on the IP address.

Abstract: This disclosure describes techniques for implementing network address translation as a distributed service over the nodes of a logical network fabric, such as a software-defined network fabric. A method includes registering, by an edge node of a network, an IP address of a client device. The method further includes forwarding, by the edge node, the registered IP address to a control plane of the network. The method further includes checking, by the control plane, a network address translation policy. The method further includes recording, by the control plane, translations between the registered IP address and an allocated IP address in a translation table, each of the translations being related to the edge node. The method further includes returning, by the control plane, the translations between the registered IP address and the allocated IP address to the edge node.

Abstract: A method of managing security rules may include extracting metadata from a data packet received at a first network device. The metadata including network metadata and network system metadata. The method may further include distributing the metadata to at least one service endpoint registered with the first network device, receiving from the at least one service endpoint, an indication as to how traffic associated with the data packet is to be handled, and enabling the traffic based at least in part on feedback received from the at least one service endpoint and creating a first service flow hash entry of a hash table associated with the data packet at the first network device. The first service flow hash entry identified each of a number of services using a unique number. The method may further include distributing the hash table including the first service flow hash entry across a fabric to at least a second network device.

Abstract: Collision avoidance in Multi Link Device (MLD) Make Before Break Roaming (MBBR) may be provided. It may be determined that a client device may comprise an MBBR client device. Next, a Request To Send (RTS) may be sent to the client device. In response to sending the RTS to the client device, a Clear To Send (CTS) may be received from the client device. In response to receiving the CTS, data may be sent to the client device.

Abstract: Providing overload protection may include receiving, from a first NRF of two or more NRFs, a load metric and comparing the load metric to a threshold. Additionally, when the load metric is above the threshold, providing NRF overload protection may include sending a Network Function (NF) Discovery (NFD) message to a second NRF instead of the first NRF and sending a heartbeat signal to the first NRF.

Abstract: A trust based continuous Fifth Generation (5G) network service assessment, and more specifically a trust based continuous 5G network service assessment for a user equipment to ensure an authorized user is using the user equipment may be provided. A registration request may be received by an Access and Mobility Management Function (AMF) from a User Equipment (UE). In response to the registration request, a Policy Control Function (PCF) may exchange a policy with the AMF, wherein the policy comprises instructions to perform a continuous service assessment. Next, a registration accept message may be sent to the UE, wherein the registration accept message comprises instructions for the UE to enable the continuous service assessment.

Abstract: Techniques for using application network requirements and/or telemetry information from a first networking technology to enhance operation of a second networking technology and optimize wide area network traffic are described herein. The techniques may include establishing a communication network for use by applications of a scalable application service platform, the communication network including a first networking technology and a second networking technology. In this way, a request to establish a connection for use by an application may be received by the first networking technology. The request may include an indication of a threshold service level of the connection. In response to the request, the first networking technology may determine whether the second networking technology is capable of hosting the connection.

Abstract: Techniques are described herein for service chaining in fabric networks such that hardware resources can be preserved without service nodes needing additional capabilities. The techniques may include storing a first configuration associated with a first VRF instance of a service forwarding node that is connected to a first service of a service chain sequence. The first configuration may indicate an identifier and a type associated with a second service of the service chain sequence where traffic is to be sent after the first service. Additionally, the techniques may also include storing a second configuration associated with a second VRF instance of the service forwarding node that is connected to the second service. The second configuration may indicate that the second service is a last service of the service chain sequence. When traffic is received at the service forwarding node, the service forwarding node can determine whether the traffic is pre-service traffic or post-service traffic.

Abstract: At an authentication server, a request for at least a first dynamic host configuration protocol (DHCP) option is received from a client device, and it is determined if the authentication server implements DHCP. Based at least in part on a determination that the authentication server does not implement a DHCP, the operations further include transmitting an application program interface (API) call to a DHCP server associated with the authentication server acting as a DHCP gateway, receiving a response from the DHCP server, and transmitting the response to the client device.

Abstract: A reverse time synchronization may be performed between a sending device and a receiving device. Then a Time Error (TE) between the sending device and the receiving device may be determined based on the reverse time synchronization. A gate time on the receiving device may be scheduled based on the determined TE.

Abstract: A system includes an optical source, an integrated circuit, an optical fiber, and a polarization controller. The optical source is arranged emit an optical signal. The integrated circuit includes a mirror. The optical fiber carries the optical signal from the optical source to the integrated circuit. The mirror reflects a transverse magnetic component of the optical signal through the optical fiber to the optical source. The polarization controller adjusts, based on the transverse magnetic component, the optical signal emitted from the optical source such that the transverse magnetic component is reduced.

Abstract: An optical apparatus comprises a semiconductor substrate, and a supermode filtering waveguide (SFW) emitter disposed on the semiconductor substrate. The SFW emitter comprises a first optical waveguide, a spacer layer, and a second optical waveguide spaced apart from the first optical waveguide by the spacer layer. The second optical waveguide is evanescently coupled with the first optical waveguide and is configured, in conjunction with the first waveguide, to selectively propagate only a first mode of a plurality of optical modes. The SFW emitter further comprises an optically active region disposed in one of the first optical waveguide and the second optical waveguide.