Abstract: The identity of a user of a computerized system is maintained by operating a virtual machine used only by the user, such that logged actions made by the virtual machine can be associated with the user, wherein the user is not otherwise directly identified by the virtual machine. Information requests made from the virtual machine to a specific resource may be logged to enable tracking and auditing of resource access by the user. The virtual machine is managed by an access device to a data center for the enterprise system, a server, or other device within the data center.

Abstract: In some embodiments, an apparatus includes a flow control module configured to receive a first data packet from an output queue of a stage of a multi-stage switch at a first rate when an available capacity of the output queue crosses a first threshold. The flow control module is configured to receive a second data packet from the output queue of the stage of the multi-stage switch at a second rate when the available capacity of the output queue crosses a second threshold. The flow control module configured to send a flow control signal to an edge device of the multi-stage switch from which the first data packet or the second data packet entered the multi-stage switch.

Abstract: Mechanisms are described by which link state “path” information can be collected from networks and shared with external components, such as routers or centralized controllers or path computation elements, using an exterior gateway protocol, such as the Border Gateway Protocol. That is, the link state information for multiple interior gateway protocol (IGP) routing domains is shared between external components using the exterior gateway protocol, such as BGP. As such, the techniques described herein allow link state information to be shared across different routing domains, such as routing and reachability information shared between different autonomous systems. The extensions described herein allow an exterior gateway protocol to be used to signal explicit path segments within IPG routing domains so as to set up an overall path that spans the multiple IPG routing domains.

Abstract: In general, techniques are described for a path computation delay timer for multi-protocol label switched networks. As an example, an ingress network device configured to act as an ingress for a label switched path (LSP) may perform the techniques. The ingress network device comprises an interface and a processor. The interface may receive a message indicating an error along the LSP. The processor may delay an operation performed to configure a replacement LSP to be used in place of the LSP in order to provide time during which a cause of the error along the LSP is able to be determined. When the cause of the error is determined to be a failure of a network device supporting operation of the LSP, the processor may further perform the operation to configure the replacement LSP with the ingress network device such that the replacement LSP avoids the failed network device.

Abstract: Techniques are described for generating a No-Acknowledgement (NACK) message if the installation of a route for a label-switched path at a router has failed or is likely to fail. In some examples, a network device includes at least one processor and at least one module operable by the at least one processor to: receive a request to forward network packets for an LSP; responsive to receiving the request, initiate configuration of at least one forwarding unit of the network device to forward network packets for the LSP; generate a NACK message that indicates the at least one forwarding unit is not configured to forward the network packets for the LSP; and terminate based at least in part on the NACK message, the configuration of the at least one forwarding unit for the LSP.

Abstract: In one example, a method includes exchanging, by a first routing device and with a second routing device, targeted hello messages using a Protocol Independent Multicast (PIM) protocol to establish a targeted neighbor connection between the first routing device and the second routing device, wherein the first routing device exchanges the targeted hello messages with the second routing device via at least one intermediate routing device, and wherein at least one of the first or second routing device comprises a rendezvous point (RP). The example method further includes processing, by the first routing device using the targeted neighbor connection, a register message that includes multicast stream data elements, wherein each multicast stream data element identifies a source address and a group address that are collectively associated with a respective multicast stream, and wherein each multicast stream data element further indicates whether the respective multicast stream is active or withdrawn.

Abstract: An apparatus may include a processor and a control plane that directs the processor to (1) detect that at least a portion of an initial branch path of a point-to-multipoint label-switched path has failed over to a failover route that rejoins the initial branch path at a network node and (2) establish an alternate branch path that merges with the initial branch path at the network node. The apparatus may also include a network interface and a data plane that uses the network interface to transmit data via the alternate branch path, where after the data plane begins transmitting data via the alternate branch path, the control plane instructs the network node to forward data from the alternate branch path rather than from the failover route. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A device may detect a suspicious activity. The device may automatically obtain a suspect object from a client device that is associated with the suspicious activity and based on detecting the suspicious activity. The suspect object may be an object that is possibly associated with the suspicious activity. The device may determine that the suspect object is malicious. The device may perform an action based on determining that the suspect object is malicious.

Abstract: A network device is configured to receive information regarding a group of content streams and determine a buffer size for each of the content streams. The network device is further configured to receive the content streams from one or more encoding devices. The network device is further configured to buffer an amount of each of the content streams based on the respective buffer size. The network device is further configured to send a first content stream to a user device. The network device is further configured to determine that the first content stream has a quality of experience issue and send the second content stream to the user device.

Abstract: A computer-implemented method for multipath load balancing may include (1) identifying a plurality of paths from a source switch to a destination switch, (2) determining, for each of the plurality of paths, a limiting bandwidth of the path based at least in part on the lowest link bandwidth of one or more data links in the path, and (3) balancing network traffic that is transmitted from the source switch to the destination switch across the plurality of paths based at least in part on the limiting bandwidth of each of the plurality of paths. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A network device identifies an Open Shortest Path First (OSPF) link between the network device and a layer 2 network as one of a point-to-multipoint over broadcast interface or a point-to-multipoint over non-broadcast multi access (NBMA) interface, and performs database synchronization and neighbor discovery and maintenance using one of a broadcast model or a NBMA model. The network device also generates a link-state advertisement for the network device, where the link-state advertisement includes a separate link description for each point-to-point link within the layer 2 network; and sends the link-state advertisement to each fully adjacent neighbor in the layer 2 network.

Abstract: A device receives, from a client device, a request for a resource, where the request provides an identifier of the client device. The device selects a target device for the resource, connects with the selected target device, and provides a proxy of the request to the selected target device, where the proxy of the request hides the identifier of the client device. The device receives the resource from the selected target device, where the resource provides an identifier of the target device. The device provides a proxy of the resource to the client device, where the proxy of the resource hides the identifier of the target device.

Abstract: A device may identify a plurality of files for a multi-file malware analysis. The device may execute the plurality of files in a malware testing environment. The device may monitor the malware testing environment for behavior indicative of malware. The device may detect the behavior indicative of malware. The device may perform a first multi-file malware analysis or a second multi-file malware analysis based on detecting the behavior indicative of malware. The first multi-file malware analysis may include a partitioning technique that partitions the plurality of files into two or more segments of files to identify a file, included in the plurality of files, that includes malware. The second multi-file malware analysis may include a scoring technique that modifies a plurality of malware scores, corresponding to the plurality of files, to identify the file, included in the plurality of files, that includes malware.

Abstract: The disclosed system may include (1) a detection module, stored in memory, that detects that a user is attempting to operate a network peripheral device configured for connecting into a base network device, at least one of the network peripheral device and the base network device including a trusted platform module that further includes an endorsement key that identifies the trusted platform module, (2) an obtaining module, stored in memory, that obtains a digitally signed indication that the user is authorized by a vendor to operate the network peripheral device, (3) an enablement module, stored in memory, that enables the user to operate the network peripheral device based on obtaining the digitally signed indication that the user is authorized by the vendor to operate the network peripheral device, and (4) at least one physical processor configured to execute these modules. Various other systems and methods are also disclosed.

Abstract: A network device includes an internal policy engine that makes local policy decisions for packet flows and controls policies applied by service modules and forwarding components of the network device. The policy engine interacts with an external policy server to receive policies using software defined networking (SDN) protocol as if the data plane of the network device were directly exposed to the external policy server by the SDN protocol.

Abstract: A first provider edge (PE) device is configured to: receive a Label Distribution Protocol (LDP) MAC Flush message from a PE device via an input port; flush a routing table in response to the LDP MAC Flush message; determine whether the LDP MAC Flush message comprises a PE identifier corresponding to the PE device; generate a Topology Change Notification (TCN) message based on the LDP MAC Flush message when the LDP MAC Flush message comprises the PE identifier corresponding to the PE device; and output the TCN message.

Abstract: A method performed by a network device may include assembling a multiprotocol label switching (MPLS) echo request, the echo request including an instruction for a transit node to forward the echo request via a bypass path associated with the transit node, and an instruction for an egress node to send an echo reply indicating that the echo request was received on the bypass path. The method may also include sending the MPLS echo request over a functioning label switched path (LSP).

Abstract: A method and apparatus for performing a lookup in a switching device of a packet switched network where the lookup includes a plurality of distinct operations each of which returns a result that includes a pointer to a next operation in a sequence of operations for the lookup. The method includes determining a first lookup operation to be executed, executing the first lookup operation including returning a result and determining if the result includes a pointer to another lookup operation in the sequence of operations. If the result includes a pointer to another lookup operation, the lookup operation indicated by the result is executed. Else, the lookup is terminated.

Abstract: In some embodiments, an apparatus includes a layer-2 device operably coupled to a source device and a destination device and disposed within a data path (1) between the source device and the destination device, and (2) includes at least one layer-3 device. The layer-2 device receives a first test data unit from the source device, and defines a quality datum associated with processing the first test data unit. The layer-2 device defines a second test data unit based on the first test data unit that includes the quality datum associated with processing the first test data unit. The layer-2 device sends the second test data unit to the layer-3 device. The layer-3 device defines a quality datum associated with processing the second test data unit at the layer-3 device and defines a third test data unit based on the second test data unit.

Abstract: A mesh network of wired and/or wireless nodes is described in which a centralized controller provides seamless end-to-end service from the edge of the mesh network to mesh nodes located proximate to subscriber devices. The controller operates to provide a central configuration point for configuring forwarding planes of the mesh nodes of the mesh network, so as to set up transport data channels to transport traffic from the edge nodes via the mesh nodes to the subscriber devices.