Abstract: Disclosed are embodiments for determining a location of a wireless terminal. The wireless terminal measures signal strength of a plurality of wireless transmitters. Based on this information, a plurality of location probability surfaces are generated. Each location probability surface indicates a plurality of probabilities that the wireless terminal is in each of a corresponding plurality of geographic regions. These probability surfaces are then averaged to determine a composite location probability surface. A motion probability surface is also determined, which stores a plurality of probabilities indicating variations of motion of the wireless terminal. The composite location probability surface is then updated based on the motion probability surface. A location estimate of the wireless terminal is then determined based on the updated composite location probability surface.

Abstract: In general, techniques are described for leveraging a configuration framework for an orchestration platform to configure software that implements a control plane for a containerized network router in a cloud-native SDN architecture. In an example, a method comprises receiving, by a server executing a containerized routing protocol process, configuration data generated from a Network Resource configuration object managed by a custom resource controller; configuring, by the server, the containerized routing protocol process with the configuration data; and programming, by the containerized routing protocol process, based on the configuration data generated from the Network Resource configuration object, a virtual router data plane to forward network traffic.

Abstract: Techniques are disclosed for scalable virtualization of tenants and subtenants on a virtualized computing infrastructure. In one example, a first controller for the virtualized computing infrastructure configures underlay network segments in the virtualized computing infrastructure by configuring respective Virtual Extensible Local Area Network (VXLAN) segments of a plurality of VXLAN segments of a VXLAN in a switch fabric comprising network switches. Each VXLAN segment provides underlay network connectivity among a different subset of host computing devices of the virtualized computing infrastructure to enable orchestration of multiple tenants in the VXLAN. A second controller for a first subset of the host computing devices has underlay network connectivity through operation of a first VXLAN segment. The second controller configures overlay networks in the first subset of the host computing devices to enable orchestration of multiple subtenants in the first subset of the host computing devices.

Abstract: In some implementations, a first network device may communicate, with a second network device, one or more internet key exchange (IKE) messages to exchange a first identifier associated with the first network device and a second identifier associated with the second network device, and to indicate that a post-quantum preshared key (PPK) is to be used as a shared key for an IKE security association (SA) between the first network device and the second network device. The first network device may obtain, from a key management entity (KME), a quantum key based on providing the second identifier to the KME, wherein the PPK is based on the quantum key. The first network device may communicate, with the second network device, one or more IKE authentication messages to exchange a third identifier associated with the quantum key and to confirm that the second network device successfully obtained the PPK.

Abstract: In general, this disclosure describes techniques for a containerized router operating within a cloud native orchestration framework. In an example, a computing device comprises processing circuitry; a containerized set of workloads; a containerized routing protocol process configured to execute on the processing circuitry and configured to receive routing information; a kernel network stack executing on the processing circuitry and configured to forward packets based on first routing information from the containerized routing protocol process; and a data plane development kit (DPDK)-based virtual router executing on processing circuitry and configured to forward traffic to and from the workloads based on second routing information from the containerized routing protocol process.

Abstract: In some implementations, an egress network device of a multiprotocol label switching (MPLS) network may exchange Internet key exchange (IKE) messages with an ingress network device of the MPLS network to establish a security association between the egress network device and the ingress network device. The egress network device may receive an MPLS packet that includes an MPLS header, a secure MPLS data header, and an MPLS payload. The egress network device may process the MPLS header to determine a label associated with a label-switched path (LSP) and a secure function indicator. The egress network device may decrypt, using a secure function identified based on the secure MPLS data header, the MPLS payload to generate a decrypted packet. The egress network device may transmit the decrypted packet towards a destination device.

Abstract: In some examples, a system includes a router device and a first adapter device in communication with the router device. The first adapter device includes processing circuitry configured to: communicate with the router device, wherein the router device is incapable of communicating in accordance with the MACsec protocol. The processing circuitry is further configured to establish an encrypted connection in accordance with the MACsec protocol between the first adapter device and a remote device, determine that the encrypted connection is offline, and output a message to the router device that the encrypted connection is offline. The router device is configured to communicate with the remote device via a second adapter device configured to communicate in accordance with the MACsec protocol and bypass the first adapter device.

Abstract: An example method includes receiving, by an SD-WAN system, WAN link characterization data for a plurality of WAN links of the SD-WAN system over a time period; and for each site of a plurality of sites of the SD-WAN system, generating, by the SD-WAN system, a local policy for the site, wherein generating the local policy is based on a machine learning model trained with the WAN link characterization data for the plurality of WAN links, and providing the local policy to an SD-WAN edge device of the site.

Abstract: An example network system includes processing circuitry and one or more memories coupled to the processing circuitry. The one or more memories are configured to store instructions which, when executed by the processing circuitry, cause the network system to receive connection data related to an egress connection of an application service of an application. The instructions cause the network system to analyze the connection data to determine that the egress connection is an anomalous connection. The instructions cause the network system to generate a notification indicative of the egress connection being an anomalous connection and send the notification to a computing device.

Abstract: Example systems, methods, and storage media are described. An example network system includes processing circuitry and one or more memories coupled to the processing circuitry. The one or more memories are configured to store instructions which, when executed by the processing circuitry, cause the network system to obtain telemetry data. The instructions cause the network system to determine, based on the telemetry data, that an application running on server processing circuitry does not meet at least one service level agreement (SLA) requirement, the server processing circuitry not including processing circuitry resident on a network interface card (NIC). The instructions cause the network system to, based on the application not meeting the at least one SLA requirement, determine to offload at least one component of the application from the server processing circuitry to the processing circuitry resident on the NIC.

Abstract: A network device may receive a border gateway protocol (BGP) flow specification route associated with creation of an overlay network slice in a network, and may create a new routing instance based on the BGP flow specification route. The network device may associate interfaces defined by the BGP flow specification route with virtual private network (VPN) members, and may determine VPN parameters based on the BGP flow specification route. The network device may advertise the VPN parameters within the network to cause the network to generate the overlay network slice.

Abstract: In some implementations, a network device may identify a triggering event associated with a logical port. The logical port may be associated with a subscriber group that is associated with a user plane subscriber access device. The network device may assign, based at least in part on the triggering event, a logical port administrative state to the logical port.

Abstract: A plurality of access point (AP) devices configured to provide a wireless network at a site within a geographic region and a management system (NMS) configured to manage the plurality of APs are described. An AP device sends, to the NMS, a message including version information of hardware compliance data currently stored at the AP device. The NMS determines, based on the version information, whether the first version of the hardware compliance data stored at the AP device is in compliance with applicable regulations of the geographic region. When the first version is not in compliance, the AP device receives, from the NMS, a second version of the hardware compliance data that is in compliance with the applicable regulations of the geographic region. The AP device enables operation of one or more hardware components of the AP device in accordance with the second version of the hardware compliance data.

Abstract: Systems, devices and techniques for an adaptive application-specific probing scheme are disclosed. An example network device includes memory configured to store a network address and probe protocol usable for probing a first network device associated with a source of an application, and one or more processors configured to determine a network address and probe protocol usable for probing the first network device, wherein the first network device comprises a server that is responsive to the probing, the server executing the application for the data flow, or a closest network device, to the server, that is responsive to the probing. The one or more processors are also configured to send to a second network device at a location serviced by the application, a message specifying the network address and probe protocol usable for probing the first network device.

Abstract: A device comprises processing circuitry configured to configure an edge device to collect telemetry flow data output by a plurality of network devices and to generate processed telemetry flow data based on the collected telemetry flow data. The processing circuitry is further configured to receive the processed telemetry flow data from the edge device and store an indication of the processed telemetry flow data.

Abstract: A mounting bracket for mounting an electronic device to the T-bar of a drop ceiling provides for self-locking snap-action securing of the mounting bracket to a flange of the T-bar, suspending the mounting bracket from the T-bar. The mounting bracket also provides for self-locking snap-action attachment of the mounted device to the bracket, suspending the device from the suspended mounting bracket. A split adapter allows vertical offsetting of the device from the ceiling, reducing vertical displacement of ceiling tiles resting on the T-bar. The split adapter has two halves the are laterally slid on to the T-bar flange and are then longitudinally slid together to be joined against lateral separation. The composite adapter thus formed presents an adapter flange to which the mounting bracket snap-secures, the mounting bracket locking the adapter halves against longitudinal separation.

Abstract: In some implementations, a first access gateway function (AGF) may receive, from a second AGF, a communication indicating at least one of a subscriber identity, session information, subscriber context, or session transport information associated with an active session between the second AGF and a client device. The first AGF device may detect that the second AGF device is associated with a failure. The first AGF device may transmit, to a first core network device, a request to switch a first path associated with the active session from the second AGF device to the first AGF device, wherein the request indicates at least one of the subscriber identity, the session information, the subscriber context, or the session transport information. The first AGF device may forward one or more data communications between a second core network device and the DHCP client device associated with the active session via a second path.

Abstract: An example network system includes In one example, a network system includes a service orchestrator for managing a mobile network. The service orchestrator is configured to: receive, from a centralized network controller (CNC) for a time sensitive networking (TSN) application, TSN configuration data for a TSN flow between two end station devices for the TSN application; generate, based on the TSN configuration data, an intent to create a network slice in the mobile network to transport packets for the TSN flow; provision the network with the network slice based on the intent, wherein the network slice is associated with slice identification data; and output the slice identification data to cause a user equipment (UE) device attached to the mobile network to map packets for the TSN flow, received from one of the two end station devices, to the network slice.

Abstract: A network management system includes a memory storing a set of access point (AP) data, wherein the set of AP data corresponds to a communication between a client device and an AP device. Additionally, the network management system includes processing circuitry configured to: receive the set of AP data corresponding to the client device; and receive a set of remote server data, wherein the set of remote server data comprises information corresponding to a communication between the client device and a remote server separate from the network management system. Additionally, the processing circuitry is configured to: determine an association between the set of AP data and the set of remote server data based one or more matching criteria; store data indicative of the association between the set of AP data and the set of remote server data; and perform an action based on the association.

Abstract: A method includes receiving a plurality of configurations comprising a first configuration for provisioning a first set of network services at a first resource of an edge device and a second configuration for provisioning a second set of network services at the first resource, a first configuration group identifier identifying a configuration group for the first configuration, and a first network performance parameter for the configuration group. The method further includes determining a performance factor for the first resource providing the first set of network services to one or more client devices. The method further includes, in response to determining that the performance factor does not satisfy the first network performance parameter for the configuration group and that the first configuration group identifier identifies the configuration group for the first configuration, moving the first configuration from the first resource to a second resource of the edge device.