Abstract: Embodiments of a computing device for traffic shaping are disclosed. In an embodiment, the computing device includes one or more processor(s) coupled to a memory. The memory includes a set of instructions which when executed causes the one or more processor(s) to divide a burst period associated with a shaper queue into a plurality of microbursts based at least on a count of worker threads corresponding to a plurality of queues and a shaper bandwidth. The plurality of queues constitutes the shaper queue.

Abstract: Embodiments for bounded broadcast encryption key management in a peer-to-peer network are described. To realize bounded broadcast encryption key management, a second peer of the peer-to-peer network receives a first broadcast message from a first peer. The first broadcast message includes at least a public key associated with the first peer. The second peer then generates a key seed in response to receiving the first broadcast message, and creates a second message that includes the key seed encapsulated with the public key. The second peer then transmits the second message to the first peer, and in response to the transmission of the second message, receives a packet from the first peer. The packet includes data encrypted using a secret key derivable from the key seed and one or more portions of the second message.

Abstract: Embodiments of a secure communication network are disclosed. To implement the embodiments, an ingress core node that includes a processor and a memory storing computer-executable instructions, is presented. The instructions, when executed, cause the processor to receive a data packet. The instructions further cause the processor to compare a slice identifier (ID) associated with the received data packet with one or more slice IDs in an access control list (ACL). The instructions further cause the processor to filter the received data packet based on the comparison indicating an occurrence of a match between the slice ID associated with the data packet and one of the one or more slice IDs in the ACL. The instructions further cause the processor to transmit the filtered data packet to an egress core node of the core network via one or more intermediate core nodes of the core network.

Abstract: Methods for establishing a stateless extranet in a secure communication network include transmitting a consumer NHOP to a provider CPE from a consumer CPE in a control plane. The consumer NHOP is associated with at least one attribute of an NHOP, including an encryption key available with the consumer CPE, to establish a secure communication tunnel in a data plane. The consumer CPE receives a service definition over the control plane associated with a service available with the provider CPE. A service anchor point is created based on an identifier of the service definition. A network address translation (NAT) IP request is transmitted to the provider CPE. The consumer CPE receives a NAT IP from the provider CPE in response to the NAT IP request. The NAT IP is associated with the service anchor point of the consumer CPE. A stateless service is thereby instantiated on the consumer CPE.

Abstract: Embodiments of a secure communication network are disclosed. For secure communication of data packets, a method implemented in a core node, is presented. The method includes receiving a double encapsulated data packet associated with a first layer and a second layer of encapsulation/encryption. The method further includes decapsulating/decrypting a second layer of encapsulation/encryption to access a portion of the data packet and re-encapsulating/re-encrypting at least the accessed portion with another second layer of encapsulation/encryption. The method further includes transmitting the re-encapsulated/re-encrypted data packet to a subsequent node based on the accessed portion.

Abstract: Embodiments of a method of communicating a packet by a network address translation (NAT) enabled router, are described. In an embodiment, the method includes receiving a return packet to be communicated to a destination. The destination is associated with a first source address in the context of a forward packet. The method further includes determining a return path to transmit the return packet to the destination based on security association data. The security association data is pre-recorded in a routing table of the NAT enabled router when the forward packet is received, prior to receiving the return packet, over a forward path established between the NAT enabled router and an enterprise node. The security association data uniquely identifies the forward path as the return path.