Abstract: In one embodiment, an endpoint in a network sends a Session Initiation Protocol (SIP) registration request to a device. The device generates a first key using information included in the SIP registration request. The device also writes the first key to a storage location accessible by a Traversal Using Relays around Network address translators (TURN) server. The endpoint generates a second key based on the information included in the SIP registration request. The endpoint sends an allocate request to the TURN server that includes the second key. The TURN server authenticates the endpoint based in part by comparing the second key to the first key. The endpoint receives an allocate response from the TURN server, after the TURN server authenticates the endpoint.

Abstract: A method includes determining whether the first version is an alias with respect to the second version, the alias being defined as an equivalent version of the YANG module. Based at least in part on a determination that the first version is the alias with respect to the second version, a version alias extension is inserted into a revision label of the first and/or second version. Based on a determination that the second version is backwards compatible with respect to the first version, a version backwards compatible extension is inserted into the revision label of the second version. Based at least in part on a determination that the second version is not backwards compatible with respect to the first version, a version non-backwards compatible extension is inserted into the revision label of the second version.

Abstract: Systems, methods, and computer-readable media for interconnecting SDWANs through segment routing. A first SDWAN and a second SDWAN of a SDWAN fabric can be identified. A segment routing domain that interconnects the first SDWAN and the second SDWAN can be formed across a WAN underlay of the SDWAN fabric. Data transmission between the first SDWAN and the second SDWAN can be controlled by performing segment routing through the segment routing domain formed between the first SDWAN and the second SDWAN.

Abstract: A method that includes determining a first clock gap for a first block of an integrated circuit based on a performance factor of the first block or an external factor and adjusting a clock signal to the first block based on the first clock gap. The method also includes determining a second clock gap for a second block of the integrated circuit based on (i) the first clock gap and (ii) a performance factor of the second block or the external factor. The second clock gap is different from the first clock gap. The method further includes adjusting the clock signal to the second block based on the second clock gap.

Abstract: In one embodiment, a device obtains a predictive model that predicts a behavior of a path in a network. The device computes, based in part on the predictive model, a route in the network that includes the path, in accordance with a routing policy that instructs the device to use the predictive model as an attribute of the path during computation of the route. The device validates that the path exhibited the behavior predicted by the predictive model. The device initiates retraining of the predictive model, when the behavior predicted by the predictive model does not match the behavior of the path.

Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pods in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.

Abstract: Regulation of a voltage gradient may be provided. A plurality of test voltage values associated with a corresponding plurality of locations associated with an electronic device may be received. Then, based on the plurality of test voltage values, a target setpoint may be determined for a power supply that supplies power to the electronic device. The target setpoint may be configured to cause a maximum of voltage values at the plurality of locations to be below a maximum voltage level defined by a specification for the electronic device. The target setpoint may also be configured to cause a minimum of the voltage values at the plurality of locations to be above a minimum voltage level defined by the specification for the electronic device. The power supply may then be driven at the target setpoint.

Abstract: Networked sleep mode management is provided by measuring network conditions for a first Access Point (AP) serving a plurality of Client Devices (CDs) configured to operate in one of a sleep mode and an active mode; in response to detecting, based on the measured network conditions, an amount of network usage devoted to transitioning members of the plurality of CDs from the sleep mode to the active mode satisfies a threshold: identifying a first subset of CDs from the plurality of CDs that are deprioritized for access to the sleep mode; receiving a sleep request from a given CD that is a member of the first subset of CDs; and denying the sleep request to force the given CD to maintain the active mode for at least a predefined amount of time.

Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

Abstract: In one embodiment, a labeling service receives telemetry data for a cluster of endpoint devices in a first network environment. The endpoint devices in the cluster are clustered by a device classification service based on their telemetry data and labeled by a device type classifier of the device classification service as being of an unknown device type. The labeling service obtains a first device type label for the cluster of endpoint devices via a first user interface. The labeling service identifies one or more other network environments in which endpoint devices are located that have similar telemetry data as that of the cluster of endpoint devices. The labeling service obtains device type labels for the cluster of endpoint devices via a selected set of user interfaces from the identified one or more other network environments.

Abstract: In one embodiment, an IoT server includes: processing circuitry, an I/O module operative to communicate with at least an IoT device and a vendor network server, and an onboarding application and operative to at least: receive an onboarding request from the IoT device via the I/O module, send a confirmation request to the vendor network server via the I/O module, where the confirmation request indicates a request to confirm an identity of the IoT device according to a connection to a network device authenticated by the vendor network server, receive a confirmation response from the vendor network server via the I/O module, where the confirmation response indicates whether the IoT device is connected to the network device, and if the confirmation response is a positive confirmation response that indicates that the IoT device is connected to the network device, onboard the IoT device for participation in an IoT-based system.

Abstract: In accordance with one embodiment, a source leaf device receives a packet. The source leaf device identifies a flowlet associated with the packet and a destination leaf device to which the packet is to be transmitted. The source leaf device may determine whether the flowlet is a new flowlet. The source leaf device may select an uplink of the source leaf device via which to transmit the flowlet to the destination leaf device according to whether the flowlet is a new flowlet. The source leaf device may then transmit the packet to the destination leaf device via the uplink.

Abstract: In one embodiment, a device filters data usage metrics regarding a plurality of network nodes by one or more data characteristics, to form filtered metrics. The device applies an anomaly detector to the filtered metrics. The device distinguishes, based on an output of the anomaly detector, abnormal, unusual, and normal data usage among the filtered metrics. The device provides display data to a user interface indicative of the abnormal, unusual, and normal data usage among the filtered metrics.

Abstract: Systems and methods for network authorization are described herein. An example method can include receiving a user credential from a host device connected to a network, authenticating the user credential, and in response to authenticating the user credential, determining an authorization policy associated with the host device. The method can also include polling a network overlay control plane of the network to obtain a network location information associated with the host device, identifying at least one network device of the network using the network location information, and transmitting the authorization policy to the at least one network device.

Abstract: Techniques are described for automatically generating a consistent configuration state version 2 for a network device with no or minimal help from a user and/or from a provider of the network device when updating from a configuration state version 1 to the configuration state version 2. The techniques and architecture also provide for migration from configuration state version 1 to configuration state version 2 when at least some of a configuration state are located in text files that are applied to the network device at start-up of the network device.

Abstract: In one embodiment, a device identifies a set of probes configured between a first endpoint and a second endpoint serving an online application. Each probe has one or more characteristics and is associated with a different segment between the endpoints. The device selects a subset of the set whose associated segments are along a plurality of paths between the endpoints, based on a match between the online application and the one or more characteristics of probes in the set of probes. The device approximates a performance metric for each of the plurality of paths by aggregating performance metrics measured by probes in the subset of probes that are associated with segments of that path. The device causes traffic to be routed between the endpoints via a particular path in the plurality of paths, based on the performance metric of the particular path.

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.

Abstract: Channel predictive behavior and fault analysis may be provided. A forward time value may be determined comprising a time a forward signal takes to travel from a transmitter over a channel to the receiver. Next, a reflected time value may be determined comprising a time a reflected signal takes to travel to the receiver. The reflected signal may be associated with the forward signal. A discontinuity may then be determined to exist on the channel based on the forward time value and the reflected time value. The reflected signal may be caused by the discontinuity and a high impedance or low impedance at the transmitter present after the forward signal is sent.

Abstract: Dynamic roaming partner prioritization based on service quality feedback may be provided. First, a server associated with an enterprise may receive performance data and location data for each of a plurality of service provider networks from a plurality of end use devices associated with the enterprise. Next, the server may assign a ranking to a plurality of service providers by location based upon information. The information may comprise the received performance data and the location data corresponding to each of the plurality of service provider networks. The server may then push the ranking to a first end use device.

Abstract: Coordinated Frequency Division Multiplexing (FDM) Transmission Opportunity (TXOP) sharing may be provided by determining that at least two Access Points (APs) of a wireless network support coordinated FDM TXOP sharing. In response to the determination that the at least two APs support coordinated FDM TXOP sharing, at least one of: a first bias is applied to a channel assignment algorithm to promote an assignment of overlapping channels of the at least two APs, and a second bias is applied to the channel assignment algorithm to promote an assignment of adjacent channels of the at least two APs. Next, channels are assigned to the at least two APs based on an output of the channel assignment algorithm.