Abstract: This disclosure describes techniques for provisioning a CMTS to re-direct customer traffic into virtualized network functions (NFVs) service chains. This disclosure describes, in one example, techniques for providing linkage between DOCSIS service flows and NFV service chains in the DOCSIS provisioning system by embedding information within cable modem boot files used to configured cable modems within the broadband system. In one example, the techniques facilitate the definition of an NFV service-chain in the DOCSIS cable modem boot file provisioning system. A supported CMTS, CCAP or Edge Router intercepts and interprets the configuration to install packet classifiers that steer specific subscriber flows, as detailed in the DOCSIS cable modem boot file, through the service-chain.

Abstract: A layer 2 tunneling protocol access concentrator (LAC) may receive an indication to set up a layer 2 tunneling protocol (L2TP) tunnel. The LAC may determine, based on the indication, a multicast address associated with initiating setup of the L2TP tunnel. The LAC may provide, to the multicast address, a request associated with initiating the L2TP tunnel. The request may be provided such that a plurality of L2TP network servers (LNSs) receives the request. The LAC may receive a set of responses to the request. The set of responses may be provided by a respective set of LNSs. The plurality of LNSs may include the respective set of LNSs. The LAC may select, based on the set of responses, a particular LNS, of the respective set of LNSs, with which to set up the L2TP tunnel.

Abstract: In general, techniques are generally described for reducing or preventing transient black-holing of network traffic in an overlay network. A first customer edge (CE) network device positioned in a first customer network may be configured to perform the techniques. The first CE network device may comprise a control unit configured to execute an instance of a network protocol to detect faults between the first CE network device and a second CE network device positioned in a second customer network. The first CE network device may also comprise an interface configured to transmit a message to the second CE network device via the instance of the network protocol signaling that a provider edge (PE) network device is going to become nonoperational. The PE network device may be positioned in an intermediate network providing interconnectivity between the first customer network and the second customer network.

Abstract: A device includes a security process unit (SPU) associated with a logical ring of SPUs. The SPU receives a packet with an address associated with a malicious source, and creates, based on the packet, an entry in a data structure associated with the SPU. The entry includes information associated with the packet. The SPU provides an install message to a next SPU in the logical ring. The install message instructs the next SPU to create the entry in another data structure, and forward the install message to another SPU. The SPU receives the install message from a last SPU, and sets a state of the entry to active in the data structure based on receiving the install message from the last SPU. The SPU performs a particular action on another packet, associated with the malicious source, based on the setting the state of the entry to active.

Abstract: The disclosed apparatus may include (1) a storage device that maintains information about mobile devices roaming within a wireless network, (2) an AP-prediction unit that (A) determines, based at least in part on the information maintained in the storage device, a number of times that a mobile device has visited a specific AP within the wireless network, (C) generates, based at least in part on the number of times, a score that represents a probability that the specific AP is the next AP visited by the mobile device, and then (D) determines that the score is above a certain threshold, and (3) a profile-distribution unit that provides, in response to the determination that the score is above the certain threshold, the specific AP with a roaming-session profile that facilitates transferring a roaming session of the mobile device to the specific AP. Various other apparatuses, systems, and methods are also disclosed.

Abstract: Techniques include providing ingress protection for multipoint label switched paths (LSPs). According to the techniques, a primary ingress node and a backup ingress node of a network are both configured to advertise a virtual node identifier of a virtual node as a next hop for a multicast source. Two or more egress nodes of the network then use the virtual node as a root node reachable through the primary ingress node to establish a multipoint LSP. After the multipoint LSP is established, the primary ingress node forwards traffic of the multicast source on the multipoint LSP. When failure occurs at the primary ingress node, the backup ingress node forwards the traffic of the multicast source along a backup path and onto the same multipoint LSP with the virtual node as the root node reachable through the backup ingress node. The techniques enable ingress protection without tearing down the multipoint LSP.

Abstract: A device may detect or emulate a sequence of keystrokes to be used to detect a keystroke logger application. The device may determine a sequence of characters associated with the sequence of keystrokes. The sequence of characters may correspond to the sequence of keystrokes or a portion of the sequence of keystrokes. The device may search a memory for the sequence of characters. The device may determine that the sequence of characters is stored in the memory based on searching the memory for the sequence of characters. The device may perform an action to counteract the keystroke logger application based on determining that the sequence of characters is stored in the memory.

Abstract: A device may receive network traffic. The device may identify candidate text included in a protocol field associated with the network traffic. The device may identify a set of candidate strings included in the candidate text. The device may identify a set of characters that precedes or follows a candidate string, of the set of candidate strings, in the candidate text. The device may determine, using a data structure, a frequency with which the set of characters precedes or follows the candidate string. The device may determine whether the candidate text includes random text based on the frequency. The device may perform an action on the network traffic based on determining whether the candidate text includes random text.

Abstract: An apparatus includes an aggregation module that is associated with a first network core and that is operatively coupled to a second network core and a third network core. The aggregation module is configured to receive a first copy of an access point license that authorizes access to a network via an access point and the second network core. The aggregation module receives the first copy of the access point license from the second network core in response to an installation and validation of the access point license on the second network core. The aggregation module is configured to send a second copy of the access point license to the third network core that authorizes a device to access the network via the access point and via the third network core in accordance with the access point license and in response to a failure of the second network core.

Abstract: In some embodiments, an apparatus comprises of a control module implemented in at least one of a memory or a processing device that is configured to receive, via a network and from a wireless access point or an access network node, a control packet defined based on a control protocol. The control packet is associated with at least one control function of the wireless access point or access network node. The control module is configured to determine a status of an access network node based on the control packet from the access network node. The control module is configured to send via the network, a response to the access network node based on the status of the access network node.

Abstract: In some embodiments, a switch fabric system includes multiple access switches configured to be operatively coupled to a switch fabric. The multiple access switches include multiple ports each to be operatively coupled to a peripheral processing device. A first set of ports from the multiple ports and a second set of ports from the multiple ports are managed by a first network control entity when the switch fabric system is in a first configuration. The first set of ports is managed by the first network control entity and the second set of ports is managed by a second network control entity when the switch fabric system is in a second configuration. The second network control entity is automatically initiated when the system is changed from the first configuration to the second configuration.

Abstract: In general, techniques are described for aggregating, within a network device, internal forwarding routes for multiple control protocols and allocating next hops for the routes among individual service units of a decentralized control plane for the network device. The techniques may also include aggregating internal forwarding routes for data protocols and allocating next hops for the routes among individual forwarding units of a decentralized data plane for the network device. In one example, a mobile gateway includes a plurality of subscriber management service units that present a uniform interface to nodes within a mobile service provider network. An allocation manager apportions a control protocol session identifier namespace into a plurality of contiguous, non-overlapping protocol session identifier ranges and allocates the ranges among the service units.

Abstract: In general, techniques are described for enhancing operations of virtual networks. In some examples, a network system includes a network interface card of a server configured to receive a tunnel packet associated with a virtual network. The tunnel packet comprises an outer header associated with the physical network, the outer header encapsulating an inner packet comprising an inner header associated with the virtual network and a payload. A first processing core of the server is configured to perform, based at least on one of the outer header and inner header of the tunnel packet, a first packet steering operation to identify the second processing core. The second processing core is configured to forward the inner packet to a virtual machine of the virtual machines.

Abstract: Techniques are described for enhancements to Protocol Independent Multicast (PIM) in an Any Source Multicast (ASM) mode in order to effectively implement Multicast only Fast Re-Route (MoFRR). According to the PIM ASM mode, a router operating as a last hop router connected to a receiver may initiate establishment of both a shared tree and a shortest path tree over which to receive multicast traffic for a given multicast group. According to the disclosed techniques, the router may use the shortest path tree as a primary path on which to receive the multicast traffic, and may use the shared tree as a secondary or backup path for MoFRR in case a failure occurs on the primary path. The techniques enable the router to perform MoFRR for PIM ASM mode without pruning the multicast traffic from the shared tree, and without building additional trees as secondary paths for MoFRR.

Abstract: The disclosed apparatus may include a lock that has a locking mechanism that secures an electronic module to a telecommunication system. The lock may also have an ejection handle coupled to the locking mechanism such that application of physical force to the ejection handle ejects the electronic module from the telecommunication system by undoing the locking mechanism. The disclosed apparatus may also include a cross-bar coupled to the lock and movable in conjunction with the ejection handle. The cross-bar may facilitate access to a row of power connectors arranged along a surface of the electronic module when the ejection handle is positioned in a first position. Additionally or alternatively, the cross-bar may block access to the row of power connectors arranged along the surface of the electronic module when the ejection handle is positioned in a second position. Various other apparatuses, systems, and methods are also disclosed.

Abstract: In some embodiments, an apparatus includes a network node operatively coupled within a network. The network node is configured to send a first authentication message upon boot up, and receive, in response to the first authentication message, a second authentication message configured to be used to authenticate the network node. The network node is configured to send a first discovery message, and receive, based on the first discovery message, a second discovery message configured to be used by the network node to identify an address of the network node and an address of a core network node within the network. The network node is configured to set up a control-plane tunnel to the core network node based on the address of the network node and the address for the core network node and receive configuration information from the core network node through the control-plane tunnel.

Abstract: In some embodiments, an apparatus comprises a processing module, disposed within a first switch fabric element, configured to detect a second switch fabric element having a routing module when the second switch fabric element is operatively coupled to the first switch fabric element. The processing module is configured to define a virtual processing module configured to be operatively coupled to the second switch fabric element. The virtual processing module is configured to receive a request from the second switch fabric element for forwarding information and the virtual processing module is configured to send the forwarding information to the routing module.

Abstract: In general, techniques are described for distributing traffic engineering (TE) link information across network routing protocol domain boundaries using a routing protocol. In one example, a network device logically located within a first routing protocol domain includes a routing protocol module executing on a control unit to execute an exterior gateway routing protocol. The routing protocol module of the network device receives an exterior gateway routing protocol advertisement from a router logically located within a second routing protocol domain and decodes traffic engineering information for a traffic engineering link from the exterior gateway routing protocol advertisement. A path computation module of the network device computes a traffic engineered path by selecting the traffic engineering link for inclusion in the traffic engineered path based on the traffic engineering information.

Abstract: The disclosed apparatus may include (1) a power distribution unit that distributes electric power to a network device, the power distribution unit including (A) a first set of power inputs that are compatible with a first type of power source and (B) a second set of power inputs that are compatible with a second type of power source that is different from the first type of power source, and (2) a set of power supply modules electrically coupled to the power distribution unit, each power supply module within the set of power supply modules being capable of outputting electric power to the network device upon receiving current via either the first set of power inputs or the second set of power inputs. Various other apparatuses, systems, and methods are also disclosed.

Abstract: In some embodiments, an apparatus includes a management module configured to assign a unique set of identifiers to each network control entity from a set of network control entities. As a result, a network control entity from the set of network control entities can assign an identifier from its unique set of identifiers to a port in response to that network control entity receiving a login request from the port. The set of network control entities is associated with a distributed multi-stage switch. The management module is also configured to store a zone set database associated with the distributed multi-stage switch. The management module is configured to send an instance of an active zone set stored within the zone set database to each network control entity from the set of network control entities such that each network control entity can enforce the active zone set.