Patents Assigned to Juniper Networks, Inc.
  • Patent number: 9019814
    Abstract: In general, techniques are provided for receiving a first control plane message that indicates the reachability of the second PE network device as a designated forwarder in an Ethernet segment. The techniques include receiving a second control plane message comprising information that indicates, in the event of a network failure at the second PE router, that the third PE network device of the plurality of PE network devices is the designated forwarder in the layer two segment. The techniques also include forwarding layer two frames to the second PE network device identified as the designated forwarder in the layer two segment; and responsive to determining a network failure at the second PE network device, configuring, based at least in part on the second control plane message, a forwarding plane of the first PE network device to forward layer two frames to the third PE network device as the designated forwarder.
    Type: Grant
    Filed: August 5, 2013
    Date of Patent: April 28, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Satya Ranjan Mohanty, Wen Lin, John E. Drake
  • Patent number: 9019962
    Abstract: Selection of proper virtual routing and forwarding (VRF) tables is based on a logical interface that is not associated with a physical interface. The selected VRF table is used to perform an output interface lookup for outgoing packets. In one example, a router includes a plurality of network interfaces, and a processing unit configured to select a logical interface not associated with any of the plurality of network interfaces based on an association with a received packet of a virtual private network, select one of a plurality of VRF tables in which to perform an output interface lookup for the packet that corresponds to the selected logical interface, and determine one of the plurality of network interfaces from the one of the plurality of VRF tables based on a destination of the packet, wherein the determined one of the plurality of network interfaces is configured to forward the packet.
    Type: Grant
    Filed: December 3, 2009
    Date of Patent: April 28, 2015
    Assignee: Juniper Networks, Inc.
    Inventor: Kaushik Ghosh
  • Patent number: 9021547
    Abstract: This disclosure is directed toward an integrated switching and routing security device that provides zone-based security directly between layer two (L2) interfaces of L2 bridge domains and/or layer three (L3) interfaces of L3 routing instances within the security device. The integrated switching and routing security device supports both switching and routing functionalities for packets on L2 and L3 interfaces, and supports security within and between L2 bridge domains and L3 routing instances. The integrated switching and routing security device configures L2 security zones for one or more L2 interfaces and configures L3 security zones for one or more L3 interfaces. The integrated switching and routing security device then applies security policies to incoming packets according to the L2 security zones and/or the L3 security zones associated with the incoming interface and an outgoing interface for the packets to provide end-to-end security within the security device.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: April 28, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Tsai-Zong Lin, Chih-Wei Chao, Jin Shang, Dongyi Jiang, Anchung Chung
  • Patent number: 9021098
    Abstract: In general, techniques are described for allocating global identifiers to forwarding units of a network device. A network device having one or more hardware-based microprocessors and an allocation module executable by the microprocessors may implement the techniques. The allocation module may maintain a first map that indicates global identifiers that are allocable to a plurality of forwarding units of the network device, and a second map that indicates local identifiers that are allocated to one of the plurality of forwarding units. The local identifiers may be based at least in part on the global identifiers. The allocation module may allocate to the forwarding unit a global identifier indicated by the first map that is not allocated to any one of the plurality of forwarding units by comparing the second map to one or more portions of the first map to identify the unallocated global identifier of the first map.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: April 28, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Michael H. Nagle, Vijay Paul, Pawankumar Harode
  • Patent number: 9015931
    Abstract: A retention-extraction device is provided for a removable card in a chassis. The device includes an actuation rod having a cam slot, the actuation rod configured to provide linear movement along the length of the actuation rod, and an extraction lever operatively connected to a proximal end of the actuation rod and pivotally secured to the chassis. The device also includes a bell crank with a cam follower that is configured to ride in the cam slot and a latch hook that pivots between an open and closed position based on the motion of the bell crank. The linear movement of the actuation rod causes the extraction lever to apply a force to a portion of the card and causes the latch hook to pivot to an open position to allow removal of the card.
    Type: Grant
    Filed: December 30, 2011
    Date of Patent: April 28, 2015
    Assignee: Juniper Networks, Inc.
    Inventor: Kenneth D. Boetzer
  • Patent number: 9019973
    Abstract: A first network device receives a control message at an interface from a second network device, wherein the first network device and the second network device use a multipoint service that provides layer two (L2) connectivity between L2 networks. The control message specifies one or more L2 addresses of customer network devices that are provided connectivity to an autonomous system by the second network device, wherein the control message identifies the L2 addresses as static L2 addresses that are to be persistently maintained at the first network device as reachable by the interface. In response to receiving the control message and by the first network device, the first network device stores the L2 addresses as persistently maintained static L2 addresses being reachable by the interface at which the control message was received.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: April 28, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Pankaj Shukla, Wen Lin
  • Patent number: 9021134
    Abstract: Techniques allow an intermediate (IM) device to transparently intercept and dynamically modify signaling messages being exchanged by a client and a server when negotiating setup and delivery of a multimedia stream from a streaming server. The techniques also allow an IM device to dynamically convert the real-time multimedia stream from a first transport layer protocol to a second transport layer protocol, and the reverse, based on the particular topology of the network including the presence and location of any security devices that may block the multimedia stream. The IM device may be configured to dynamically modify messages intercepted between the client and the server to change a transport layer protocol indicated by the messages from the Transmission Control Protocol (TCP) to the User Datagram Protocol (UDP), and the reverse, and convert a UDP data stream to TCP packets and inject the TCP packets into an established TCP session.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: April 28, 2015
    Assignee: Juniper Networks, Inc.
    Inventor: Piyush Patel
  • Patent number: 9015839
    Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: April 21, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Oskar Ibatullin, Kyle Adams, Daniel J. Quinlan
  • Patent number: 9007922
    Abstract: A computer-implemented method may include identifying a controller-based network. The controller-based network may include a controller that enables centralized management of a flow of packets among devices by providing a centralized control plane for the controller-based network. The method may further include receiving a test scenario that includes at least one trigger capable of causing a fault in the controller-based network. The method may also include receiving an automation template having at least one test parameter for utilizing the centralized control plane to execute the test scenario in the controller-based network. The method may additionally include using the centralized control plane to automatically execute the test scenario on the controller-based network in accordance with the test parameter. Various other apparatuses, systems, methods, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: April 14, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Anuj Anand Mittal, Animesh Patcha, Raj Sahu
  • Patent number: 9007956
    Abstract: Path determination constraints may be encoded in the form of a program having one or more instructions. Each of the instructions may include an operation code, and operands (or pointers to locations where operands are stored). In this way, an extensible, interoperable way for nodes (e.g., label-switching routers) to communicate constraints within a network is provided. Such constraints may be inserted (e.g., as one or more CONSTRAINT objects) into signaling messages (e.g., a PATH RSVP message). By enabling the signaling of constraints, the determination of constraint-based (label-switched) paths can be distributed among a number of (label-switching) routers or other nodes. Upon receiving a message with constraints (e.g.
    Type: Grant
    Filed: April 26, 2011
    Date of Patent: April 14, 2015
    Assignee: Juniper Networks, Inc.
    Inventor: Kireeti Kompella
  • Publication number: 20150095643
    Abstract: A device may identify an image to be encrypted, and may convert the image to a first string in a first format. The first string may represent the image. The device may receive information that identifies a key for encrypting the first string, and may generate a first encrypted string by encrypting the first string using the key. The device may convert the first encrypted string, in the first format, to a second encrypted string in a second format. The device may provide the second encrypted string to a storage device without providing the key or the image to the storage device. The storage device may be unable to recover the image using the second encrypted string.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Juniper Networks, Inc.
    Inventor: Kyle ADAMS
  • Publication number: 20150095981
    Abstract: A security device may receive a request from an attacker device and intended for a server device. The security device may identify the request as being associated with a malicious activity. The malicious activity may include one or more undesirable tasks directed to the server device. The security device may generate an unsolvable challenge-response test based on identifying the request as being associated with the malicious activity. The unsolvable challenge-response test may be generated using at least one construction technique and may be configured in an attempt to block the attacker device without making the attacker device aware that the attacker device is being blocked. The security device may provide the unsolvable challenge-response test to the attacker device, and may receive a solution associated with the unsolvable challenge-response test. The security device may notify the attacker device that the solution is incorrect regardless of whether the solution is actually correct.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Juniper Networks, Inc.
    Inventor: Kyle Adams
  • Publication number: 20150092605
    Abstract: In one embodiment, a method includes sending a configuration signal to a virtual network switch module within a control plane of a communications network. The configuration signal is configured to define a first network rule at the virtual network switch module. The method also includes configuring a packet forwarding module such that the packet forwarding module implements a second network rule, and receiving status information from the virtual network switch module and status information from the packet forwarding module. The status information is received via the control plane.
    Type: Application
    Filed: December 10, 2014
    Publication date: April 2, 2015
    Applicant: JUNIPER NETWORKS, INC.
    Inventors: Gunes Aybay, Pradeep Sindhu, Anjan Venkatramani
  • Publication number: 20150092551
    Abstract: Techniques are described for providing session-aware, stateful network services to subscriber packet flows. Devices within a service provider network direct subscriber packets along service chains. Each tunnel is established to direct traffic according to a particular ordered set of network services for the corresponding service chain. An ingress device for the tunnels encapsulates the subscriber packets and embeds opaque session cookies that each uniquely identifies a collection of packet flows of a subscriber session amongst other packet flows transported by a given service tunnel. Each service node need only identify the tunnel on which a tunnel packet was received and the session cookie embedded within the tunnel packet to uniquely associate the encapsulated subscriber packet with a subscriber session, without needing to further inspect the encapsulated subscriber packet, and to index or otherwise retrieve state and statistics required to enforce the network service the service node is programmed to deliver.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Juniper Networks, Inc.
    Inventors: Jerome P. Moisand, Julius W. Francis
  • Publication number: 20150096020
    Abstract: A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Juniper Networks, Inc.
    Inventors: Kyle ADAMS, Daniel J. QUINLAN
  • Publication number: 20150096035
    Abstract: A security device may receive, from a server device, a response to a request. The request may be provided by an attacker device and may include a plurality of input values. The security device may determine the plurality of input values, included in the request, based on receiving the response. The security device may modify the response to form a modified response. The response may be modified to include information associated with the plurality of input values. The response may be modified in an attempt to prevent the attacker device from identifying a vulnerability, associated with the server device, based on the plurality of input values being included in the response. The security device may provide the modified response to the attacker device.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Juniper Networks, Inc.
    Inventor: Kyle ADAMS
  • Publication number: 20150095507
    Abstract: A security device may receive a request, from a client device and intended for a server device, to provide a resource. The resource may be associated with information stored by the server device. The security device may identify the request as being associated with a malicious script. The malicious script may execute on the client device and may include a script that performs one or more undesirable tasks directed to the server device. The security device may receive, from the server device, a response to the request. The response may include information associated with the requested resource. The security device may modify the response to form a modified response. The response may be modified in an attempt to cause the malicious script to experience an error. The security device may provide the modified response to the client device.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Juniper Networks, Inc.
    Inventor: Kyle ADAMS
  • Publication number: 20150092785
    Abstract: In general, techniques are described for dynamically filtering, at area border routers (ABRs) of a multi-area autonomous system, routes to destinations external to an area by advertising to routers of the area only those routes associated with a destination address requested by at least one router of the area. In one example, a method includes receiving, by an ABR that borders a backbone area and a non-backbone area of a multi-area autonomous system that employs a hierarchical link state routing protocol to administratively group routers of the autonomous system into areas, a request message from the non-backbone area that requests the ABR to provide routing information associated with a service endpoint identifier (SEI) to the non-backbone area. The request message specifies the SEI. The method also includes sending, in response to receiving the request and by the ABR, the routing information associated with the SEI to the non-backbone area.
    Type: Application
    Filed: October 1, 2013
    Publication date: April 2, 2015
    Applicant: Juniper Networks, Inc.
    Inventor: Raveendra Torvi
  • Publication number: 20150092594
    Abstract: Techniques are described for utilizing two-part metrics with link state routing protocols of computer networks. For example, link state advertisements communicated by a router convey outbound cost metrics representative of outbound costs for the router to send network traffic to a network, and inbound cost metrics representative of inbound costs to receive network traffic from the network. The techniques may be particularly useful with respect to shared access networks, including broadcast or non-broadcast multi-access networks.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Juniper Networks, Inc.
    Inventors: Zhaohui Zhang, Lili Wang
  • Patent number: 8996724
    Abstract: A key engine that performs route lookups for a plurality of keys may include a data processing portion configured to process one data item at a time and to request data when needed. A buffer may be configured to store a partial result from the data processing portion. A controller may be configured to load the partial result from the data processing portion into the buffer. The controller also may be configured to input another data item into the data processing portion for processing while requested data is obtained for a prior data item. A number of these key engines may be used by a routing unit to perform a large number of route lookups at the same time.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: March 31, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Pankaj Patel, Viswesh Anathakrishnan