Abstract: A network device decrypts a record, received from a client device, that is associated with an encrypted session between the client device and an application platform. The network device incorporates decrypted record data, from the decrypted record, into a payload field of a transmission control protocol (TCP) packet to be transmitted to another device, identifies a record header in the record, and determines, based on the record header, a record type associated with the decrypted record. Based on the record type, the network device marks the one or more TCP packets as including urgent data by setting a TCP urgent control bit in a header of the one or more TCP packets, and sets a second field, in the header of the TCP packet, to a second value that identifies an end of the urgent data, which corresponds to an end of the decrypted record data in the payload field.

Abstract: Methods and apparatus relating to the detection of one or more devices in zones, e.g., non-overlapping areas, are described. Individual device locations are made based on RSSI information. Whether a user is determined to be in a zone or not is determined based on location determinations corresponding to the device. Thresholds used to determine whether a device is to be considered as being within a zone differs depending on whether the device is newly detected in the zone or is already determined to be in the zone. In some embodiments it is easier to be determined to be in a zone than to be determined to have left a zone. A device may be determined to be in two non-overlapping zones at the same time thereby increasing the chance that devices in edge areas will be counted with regard to the number of devices for which resources should be provided.

Abstract: A device receives network data associated with a network that includes network devices interconnected by links at an Internet protocol (IP) layer and an optical layer of the network. The device receives constraints associated with determining a network plan for the network, where the constraints include a constraint indicating a particular time period associated with determining potential network plans for the network. The device identifies variables and values of the variables for the network plan based on the network data, and determines, within the particular time period, the potential network plans for the network based on the constraints and the values of the variables. The device identifies a potential network plan, of the potential network plans, that minimizes costs associated with operating the network, and causes the identified potential network plan to be implemented in the network by the network devices.

Abstract: Methods, systems, and devices map an arbitrary number of Virtual Routing and Forwarding (VRF) instances to an Ethernet Virtual Private Network (EVPN) instance (EVI) of a leaf and spine network. For example, a spine network device executes a primary EVI to provide an EVPN to a plurality of leaf network devices, each leaf network device executing a secondary EVI to provide a plurality of network virtualization overlays to tenants of the network. The primary EVI is associated with a primary VRF instance, and each secondary EVI of the plurality of secondary EVIs is associated with a secondary VRF instance of a plurality of secondary VRF instances. The spine network device defines mappings between routes within the primary VRF instance and routes within each secondary VRF instance. The spine network device translates, based on the one or more mappings, network traffic between the primary EVI and the plurality of secondary EVIs.

Abstract: A device may receive, from a first network device, an authentication request that requests authentication of the device, and may provide, to the first network device, an authentication response that includes the authentication of the device. The device may provide, to the first network device and based on the authentication response, a PDU session establishment request that requests establishment of a PDU session for customer premises equipment, and may receive, from the first network device and based on the PDU session establishment request, a PDU session resource setup request that requests a resource to be established for the PDU session. The device may provide, to the first network device and based on the PDU session resource setup request, a PDU session resource setup response indicating that the resource is a GTP tunnel, and may establish the GTP tunnel with a second network device.

Abstract: Methods and apparatus for obtaining status from an isolated AP that cannot connect to a remote management server are described. The status information is obtained from a second device and then provided, via the second device, to the remote management server. At least some of the disclosed embodiments are utilized in a system including a plurality of access points, which can provide alternate pathways to the remote management server. The remote management server determines a remedial action based on the status information.

Abstract: A first plurality of network configuration controllers of a controller may distribute, using a consistent hashing algorithm, a plurality of connection sessions with a plurality of network devices among the plurality of network configuration controllers. The controller may monitor a number of connection sessions maintained by each of the first plurality of network configuration controllers. The controller may add, based on monitoring the number of connection sessions maintained by each of the first plurality of network configuration controllers, an additional network configuration controller to the first plurality of network configuration controllers to form a second plurality of network configuration controllers.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A network monitoring system may receive a configuration request to generate a configuration file associated with collecting feature or debug data associated with a feature, hardware, or software associated with a network device. The network monitoring system may determine a command profile associated with the feature, hardware, or software that identifies a set of commands associated with obtaining the feature or debug data from the network device. The network monitoring system may determine respective parameters of one or more commands of the set of commands. The network monitoring system may determine, based on the respective parameters, respective arguments of the one or more commands. The network monitoring system may generate the configuration file based on the respective arguments and may perform an action associated with the configuration file to permit the configuration file to be used to collect the feature or debug data from the network device.

Abstract: A provider edge (PE) device may receive traffic associated with one or more services, wherein the traffic includes a plurality of packets, and may determine, based on the plurality of packets, one or more packets respectively associated with each service of the one or more services. The PE device may determine, based on the one or more packets respectively associated with each service of the one or more services, a respective status of each of the one or more services. The PE device may generate type-length-value (TLV) data that indicates the respective status of each of the one or more services and may cause the TLV data to be added to a link layer discovery protocol (LLDP) packet. The PE device may send the LLDP packet that includes the added TLV data to a customer edge (CE) device.

Abstract: A network device may receive, from a first network, a network packet of a first network packet type that encapsulates a fragment of a second network packet of a second network packet type, where the network packet includes an extension header that indicates a source port and a destination port for the second network packet. The network device may perform an anti-spoof check on the fragment of the second network packet based at least in part on at least one of: the source port or the destination port for the second network packet that is indicated by the extension header. The network device may, based on the fragment passing the anti-spoof check, forward the fragment of the second network packet to a second network.

Abstract: A device may provide, to a network device, a subscribe request that includes a request for sensor data, and may receive sensor data packets that include the sensor data and header extensions identifying a group identifier for a group of sensor data and final packet information indicating whether the sensor data packet is a final one for the group. The device may store the sensor data packets until the final packet information of one of the sensor data packets indicates that the one of the sensor data packets is a final sensor data packet for the group, and may identify a complete set of the sensor data packets when the final packet information of the one of the sensor data packets indicates that the one of the sensor data packets is the final sensor data packet. The device may perform actions based on the complete set.

Abstract: A device may receive client cipher information, associated with initiating a secure session, identifying at least one key exchange cipher supported by a client device associated with the secure session. The device may determine, based on the client cipher information, that a Diffie-Hellman key exchange is to be used to establish the secure session. The device may determine whether a server device, associated with the secure session, supports use of the Diffie-Hellman key exchange. The device may manage establishment of the secure session using a first decryption technique based on determining that the server device does not support the use of the Diffie-Hellman key exchange, or manage establishment of the secure session using a second decryption technique based on determining that the server device supports the use of the Diffie-Hellman key exchange or being unable to determine whether the server device supports the use of the Diffie-Hellman key exchange.

Abstract: A secondary routing device is configured as a backup routing device for a primary routing device. The primary routing device performs asynchronous socket replication with the secondary routing device. The secondary routing device includes a transmission buffer, in memory, for storing replicated socket data transmitted between the primary routing device and the standby routing device and one or more processors implemented in circuitry and configured to execute a replication driver to: determine a threshold value; determine that an amount of data equaling or exceeding the threshold value has been read from the transmission buffer; in response to determining that the amount of data equaling or exceeding the threshold value has been read from the transmission buffer, schedule a window update for the transmission buffer at a scheduled time; and send the window update at the scheduled time.

Abstract: This disclosure describes techniques for scaling resources that handle, participate, and/or control routing protocol sessions. In one example, this disclosure describes a method that includes instantiating a plurality of containerized routing protocol modules, each capable of storing routing information about a network having a plurality of routers; performing network address translation to enable each of the containerized routing protocol modules to communicate with each of the plurality of routers using a public address associated with the computing system; configuring each of the containerized routing protocol modules to peer with a different subset of the plurality of routers so that each of the containerized routing protocol modules share routing information with a respective different subset of the plurality of routers; and configuring each of the containerized routing protocol modules to peer with each other to share routing information received from the different subsets of the plurality of routers.

Abstract: Techniques are described for providing fast reroute for BUM traffic in EVPN. For example, a first provider edge (PE) device, elected as a designated forwarder (DF) of an Ethernet segment, configures a backup path using a label received from a second PE device of the Ethernet segment (e.g., backup DF) that identifies the second PE device as a “protector” of the Ethernet segment. For example, a routing component of the DF configures within a forwarding component a backup path to the second PE device, e.g., installing the label and operation(s) within the forwarding component to cause the forwarding component to add the label to BUM packets received from a core network. Therefore, when an access link to the local CE device has failed, the DF reroutes BUM packets from the core network via the backup path to the second PE device, which sends the BUM packets to the CE device.

Abstract: A key server network device may install, on the key server network device, a new decryption key based on a timer-based key rollover setting and may provide, to peer network devices, messages identifying the new decryption key. The key server network device may utilize an original encryption key, to encrypt traffic, until all of the peer network devices provide acknowledgements of installation of the new decryption key. The key server network device may be configured to utilize the original encryption key based on the timer-based key rollover setting. The key server network device may generate an alarm. The alarm may include information indicating that the key server network device is waiting for the acknowledgements from one or more peer network devices and information identifying the one or more peer network devices.

Abstract: Disclosed are embodiments for automatically resolving faults in a complex network system. Some embodiments monitor one or more of system operational parameter values and message exchanges between network components. A machine learning model detects a fault in the complex network system, and an action is selected based on a cause of the fault. After the action is applied to the complex network system, additional monitoring is performed to either determine the fault has been resolved or additional actions are to be applied to further resolve the fault.

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

Abstract: A disaggregated broadband network gateway (DBNG) control plane system may receive an association setup request message from a DBNG user plane device, wherein the association setup request message is received via a state control interface between the DBNG control plane system and the DBNG user plane device. The DBNG control plane system may determine, based on the association setup request message, one or more capabilities of the DBNG user plane device and may thereby cause one or more additional state control interfaces to be established between the DBNG control plane system and the DBNG user plane device. The DBNG control plane system and the DBNG control plane system may communicate messages associated with a first message type via the state control interface and may communicate messages associated with a second message type via at least one of the one or more additional state control interfaces.