Abstract: A device may identify an image to be encrypted, and may convert the image to a first string in a first format. The first string may represent the image. The device may receive information that identifies a key for encrypting the first string, and may generate a first encrypted string by encrypting the first string using the key. The device may convert the first encrypted string, in the first format, to a second encrypted string in a second format. The device may provide the second encrypted string to a storage device without providing the key or the image to the storage device. The storage device may be unable to recover the image using the second encrypted string.

Abstract: A device may receive data from a first endpoint device. The device may identify a network protocol. The network protocol may be associated with receiving the data. The device may identify a format. The format may be associated with encoding textual information in the data. The device may determine, based on the format and the network protocol, text in the data. The device may determine whether the text includes a reference from a plurality of references. The plurality of references may identify addresses associated with malicious devices. The device may selectively forward the data to a second endpoint device based on determining whether the text includes the reference.

Abstract: In general, techniques are described for providing Hot-Root Standby in Global Table Multicast (GTM) environments. For example, in such GTM environments, normally a single unicast route to the customer multicast source (“C-Source”) will be available to egress provider edge (PE) routers. As described herein, ingress PE routers may advertise multiple routes to a C-Source, including unicast routes that include Route Import Extended Communities, which are imported by egress PE routers. This enables an egress PE router to have multiple paths to the C-Source, and the egress PE router may generate multiple C-multicast source tree joins for respective ingress PE routers in order to receive respective multicast streams sourced by the C-Source from the ingress PE routers.

Abstract: A device may receive an indication to perform a reboot associated with a network service provided via a first virtual machine (VM) of the device and a first container of the device. The device may create a second VM with a boot mode enabled and a second container with the boot mode enabled. The boot mode, while enabled on the second VM, may prevent the second VM from communicating with the first container. The boot mode, while enabled on the second container, may prevent the second container from communicating with the first VM. The device may shut down the first container. The device may disable, after shutting down the first container, the boot mode on the second VM. The device may disable the boot mode on the second container. The device may cause the network service to be provided by the second container and the second VM.

Abstract: In general, techniques are described to dynamically adjust a session detection time defined by a timer in accordance with a bidirectional forwarding detection (BFD) protocol. The techniques utilize existing hardware and BFD software infrastructure. An example network device includes a memory, programmable processor(s), and a control unit configured to execute a timer, receive one or more packets provided by the BFD protocol, detect, based on the received one or more packets, a congestion condition associated with a link via which the network device is coupled to a network, adjust, based on the detected congestion condition, a session detection time defined by the timer, and in response to a failure to receive a packet provided by the BFD protocol within the session detection time defined by the timer, detect a failure associated with the link.

Abstract: In general, techniques are described for dynamically determining a logical network topology for more efficiently transporting network traffic over a physical topology based on end-to-end network traffic demands and optical transport network (OTN) characteristics of the network. The techniques may be applicable to meeting network traffic demands placed upon a multi-layer network having a base transport layer and a logical or overlay Internet Protocol (IP) layer routed on the transport layer.

Abstract: The disclosed apparatus may include a secure storage device that securely stores an initial geographic location of a network device that facilitates network traffic within a network. This apparatus may also include a processing unit communicatively coupled to the secure storage device. The processing unit may determine a current geographic location of the network device. The policy-enforcement unit may then detect evidence of theft of the network device by (1) comparing the current geographic location of the network device with the initial geographic location of the network device and (2) determining, based at least in part on the comparison, that the current geographic location of the network device does not match the initial geographic location of the network device. Finally, the processing unit may perform at least one security action in response to detecting the evidence of theft of the network device.

Abstract: In general, techniques are described for configuring a provider edge (PE) network device of an Ethernet virtual private network (EVPN) to use a common traffic engineering label (e.g., MPLS label) for different EVPN route types associated with the same EVPN. In some examples, the techniques include sending a first layer three (L3) control plane message that indicates a label-switched network protocol label that corresponds to a first EVPN route type, wherein the first L3 control plane message indicates that a first PE network device is reachable in the L2 segment. The techniques may include performing L2 address learning to determine at least one L2 address associated with the layer two segment of the EVPN. The techniques may include sending a second L3 control plane message that indicates the same label included in the first L3 control plane message corresponds to a second EVPN route type.

Abstract: Techniques are described for providing fast re-route (FRR) node and/or link protection along a primary label switched path (LSP) using generic routing encapsulation (GRE) over multi-protocol label switching (MPLS). An ingress edge router of a primary LSP is configured to encapsulate incoming packets into GRE with a destination address of an egress edge router of the primary LSP, and push a primary label onto the encapsulated packet for forwarding along the primary LSP. Upon a failover to a bypass LSP, a point of local repair (PLR) router swaps the primary label on the encapsulated packet with a bypass label. A merge point (MP) router then receives the encapsulated packet via the bypass LSP, and performs a lookup using the destination address of the egress edge router included on the encapsulated packet in order to determine a primary label for forwarding the encapsulated packet along the primary LSP.

Abstract: An apparatus includes a destination edge device configured to receive a first validation packet according to a switch fabric validation protocol. The destination edge device is configured to validate multiple data paths through a distributed switch fabric from a source edge device to the destination edge device based on the first validation packet. The destination edge device is configured to send, in response to receiving the first validation packet, a second validation packet to a peripheral processing device. The destination edge device is also configured to send the second validation packet according to a validation protocol different from the first validation protocol.

Abstract: In some embodiments, an apparatus includes a network node operatively coupled within a network. The network node is configured to send a first authentication message upon boot up, and receive, in response to the first authentication message, a second authentication message configured to be used to authenticate the network node. The network node is configured to send a first discovery message, and receive, based on the first discovery message, a second discovery message configured to be used by the network node to identify an address of the network node and an address of a core network node within the network. The network node is configured to set up a control-plane tunnel to the core network node based on the address of the network node and the address for the core network node and receive configuration information from the core network node through the control-plane tunnel.

Abstract: In some embodiments, an apparatus includes a first network control entity configured to be implemented at a first edge device. The first network control entity is configured to receive a control packet from a peripheral processing device via a tunnel that is between the peripheral processing device and the first network control entity and that includes at least a portion within a second edge device. The first network control entity is configured to determine routing information associated with the peripheral processing device based on the control packet. The first network control entity is configured to send the routing information to a second network control entity such that the second network control entity routes a data unit addressed to the peripheral processing device to the second edge device without sending the data unit to the first edge device.

Abstract: An intermediate network device performs service aware path selection. For example, the intermediate network device comprises a network interface that receives network traffic and a control unit that couples to the network interface. The control unit comprises a storage medium that stores a first set of cost factors for a first path from the intermediate network device to another intermediate network device. The first set of cost factors includes at least one optimization cost factor corresponding to intermediate optimization capabilities available to the intermediate network device that offset other cost factors of the first set. The storage medium also stores a second set of cost factors for a second path between the devices. The control unit selects either the first path or the second path over which to forward the network traffic based on the first and second sets of cost factors.

Abstract: A network device is configured to receive network traffic associated with an application executing on a user device; identify, based on the network traffic, an application identifier associated with the application; determine whether the application identifier matches one of a set of application identifiers stored by the network device; identify a policy based on the application identifier when the application identifier matches one of the set of application identifiers; and apply the policy to the network traffic associated with the application. The policy may be obtained from another network device, in communication with the network device, when the application identifier does not match one of the set of application identifiers.

Abstract: In some embodiments, an apparatus comprises of a control module implemented in at least one of a memory or a processing device that is configured to receive, via a network and from a wireless access point or an access network node, a control packet defined based on a control protocol. The control packet is associated with at least one control function of the wireless access point or access network node. The control module is configured to determine a status of an access network node based on the control packet from the access network node. The control module is configured to send via the network, a response to the access network node based on the status of the access network node.

Abstract: In some embodiments, an apparatus comprises a processing module, disposed within a first switch fabric element, configured to detect a second switch fabric element having a routing module when the second switch fabric element is operatively coupled to the first switch fabric element. The processing module is configured to define a virtual processing module configured to be operatively coupled to the second switch fabric element. The virtual processing module is configured to receive a request from the second switch fabric element for forwarding information and the virtual processing module is configured to send the forwarding information to the routing module.

Abstract: A system may determine to perform an external malware detection operation to detect malware executing on a client device. The system may perform the external malware detection operation. The external malware detection operation may be performed by a particular device by communicating with another device. The system may perform a communication based on performing the external malware detection operation. The system may monitor a result of performing the communication for a particular behavior indicative of a malware infection. The system may detect that the particular behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.

Abstract: A housing includes a mount projection defining a first notch, a second notch, and a recessed wall. At least a portion of the recessed wall defines a substantially conical cross-sectional shape between a maximum width and a length from a leading portion to a line associated with the maximum width. The mount projection is configured to complimentarily mate to a bracket defining a recessed wall with a maximum width, corresponding to the maximum width of the mount projection, and a length, corresponding to the length of the mount projection, from a leading portion to a line associated with the maximum width. The mount projection is releasably retained within an opening of the bracket when a first projection and a second projection of the bracket are disposed within the first notch and the second notch, respectively, of the mount projection.

Abstract: A card ejector comprising a pair of tapered lever arms coupled at a proximal end of the card ejector and coupled at a distal end of the card ejector, a cam block coupling the pair of tapered lever arms at the proximal end of the card ejector, the cam block operable to be rotatably coupled to a card and to engage a card cage, the cam block operable to urge the card into or out of the card cage when a rotational force is applied to the card ejector, and a latching mechanism coupling the pair of tapered lever arms at the distal end of the card ejector, the latching mechanism operable to automatically and releasably secure the distal end of the card ejector in a position near a face portion of the card by engaging an opening in the face portion.

Abstract: A system may determine to perform an internal and an external malware detection operation to detect a malware infection associated with a client device. The system may perform the internal operation by modifying an environment, executing on a particular device, to form a modified environment. The system may perform the external operation by performing a communication from the particular device. The system may monitor the modified environment for a first behavior indicative of the malware infection, and may monitor a result of performing the communication for a second behavior indicative of the malware infection. The system may detect that the first or second behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the first or second behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.