Abstract: Embodiments of a multi-tenant network service architecture are disclosed. For example, a method includes determining, based on a data packet to be communicated from a first enterprise node to a second enterprise node in an enterprise network, an encryption key associated with the second enterprise node, a first identifier to identify an egress core node in a core network, and a second identifier to determine a path leading to the second enterprise node. The method further includes encrypting the data packet using the encryption key and adding the first and second identifiers to the encrypted data packet. The method further includes forwarding the encrypted data packet until the encrypted data packet reaches the egress core node based at least on the first identifier, where the egress core node sends the encrypted data packet to the second enterprise node based at least on the second identifier.

Abstract: Embodiments of a stateless message bus in a network service architecture are disclosed. For example, a method includes transmitting, by a core node, a single aggregated discovery message periodically on behalf of a group of enterprise nodes associated with a first multicast group address. The first multicast group address is one of one or more multicast group addresses associated with the core node and the group of enterprise nodes. The method further includes exchanging, by the core node, one or more crates with a set of core nodes in the core network by advertising the one or more crates over a broadcast channel. Each of the one or more crates advertised by the core node comprises information corresponding to the one or more multicast group addresses associated with the core node, and the set of core nodes have an active status indicated by the single aggregated discovery message.

Abstract: Embodiments for header compression, are disclosed, herein. For header compression, an ingress CPE is disclosed herein. The ingress CPE may include a processor and a memory storing computer-executable instructions that when executed, cause the processor to receive a data packet, which includes an inner header, a payload portion, and an outer header. The inner header comprises a utilized portion and the unutilized portion. The computer-executable instructions further cause the processor to compress the inner header by discarding at least the unutilized portion in the inner header to obtain a compressed inner header.

Abstract: Embodiments of a computing device for traffic shaping are disclosed. In an embodiment, the computing device includes one or more processor(s) coupled to a memory. The memory includes a set of instructions which when executed causes the one or more processor(s) to divide a burst period associated with a shaper queue into a plurality of microbursts based at least on a count of worker threads corresponding to a plurality of queues and a shaper bandwidth. The plurality of queues constitutes the shaper queue.

Abstract: Embodiments for bounded broadcast encryption key management in a peer-to-peer network are described. To realize bounded broadcast encryption key management, a second peer of the peer-to-peer network receives a first broadcast message from a first peer. The first broadcast message includes at least a public key associated with the first peer. The second peer then generates a key seed in response to receiving the first broadcast message, and creates a second message that includes the key seed encapsulated with the public key. The second peer then transmits the second message to the first peer, and in response to the transmission of the second message, receives a packet from the first peer. The packet includes data encrypted using a secret key derivable from the key seed and one or more portions of the second message.

Abstract: Embodiments of a secure communication network are disclosed. To implement the embodiments, an ingress core node that includes a processor and a memory storing computer-executable instructions, is presented. The instructions, when executed, cause the processor to receive a data packet. The instructions further cause the processor to compare a slice identifier (ID) associated with the received data packet with one or more slice IDs in an access control list (ACL). The instructions further cause the processor to filter the received data packet based on the comparison indicating an occurrence of a match between the slice ID associated with the data packet and one of the one or more slice IDs in the ACL. The instructions further cause the processor to transmit the filtered data packet to an egress core node of the core network via one or more intermediate core nodes of the core network.

Abstract: Methods for establishing a stateless extranet in a secure communication network include transmitting a consumer NHOP to a provider CPE from a consumer CPE in a control plane. The consumer NHOP is associated with at least one attribute of an NHOP, including an encryption key available with the consumer CPE, to establish a secure communication tunnel in a data plane. The consumer CPE receives a service definition over the control plane associated with a service available with the provider CPE. A service anchor point is created based on an identifier of the service definition. A network address translation (NAT) IP request is transmitted to the provider CPE. The consumer CPE receives a NAT IP from the provider CPE in response to the NAT IP request. The NAT IP is associated with the service anchor point of the consumer CPE. A stateless service is thereby instantiated on the consumer CPE.

Abstract: Embodiments of a secure communication network are disclosed. For secure communication of data packets, a method implemented in a core node, is presented. The method includes receiving a double encapsulated data packet associated with a first layer and a second layer of encapsulation/encryption. The method further includes decapsulating/decrypting a second layer of encapsulation/encryption to access a portion of the data packet and re-encapsulating/re-encrypting at least the accessed portion with another second layer of encapsulation/encryption. The method further includes transmitting the re-encapsulated/re-encrypted data packet to a subsequent node based on the accessed portion.

Abstract: Embodiments of a method of communicating a packet by a network address translation (NAT) enabled router, are described. In an embodiment, the method includes receiving a return packet to be communicated to a destination. The destination is associated with a first source address in the context of a forward packet. The method further includes determining a return path to transmit the return packet to the destination based on security association data. The security association data is pre-recorded in a routing table of the NAT enabled router when the forward packet is received, prior to receiving the return packet, over a forward path established between the NAT enabled router and an enterprise node. The security association data uniquely identifies the forward path as the return path.