Abstract: Disclosed are embodiments for automatically resolving faults in a complex network system. Some embodiments monitor one or more of system operational parameter values and message exchanges between network components. A machine learning model detects a fault in the complex network system, and an action is selected based on a cause of the fault. After the action is applied to the complex network system, additional monitoring is performed to either determine the fault has been resolved or additional actions are to be applied to further resolve the fault.

Abstract: This disclosure describes techniques for scaling resources that handle, participate, and/or control routing protocol sessions. In one example, this disclosure describes a method that includes instantiating a plurality of containerized routing protocol modules, each capable of storing routing information about a network having a plurality of routers; performing network address translation to enable each of the containerized routing protocol modules to communicate with each of the plurality of routers using a public address associated with the computing system; configuring each of the containerized routing protocol modules to peer with a different subset of the plurality of routers so that each of the containerized routing protocol modules share routing information with a respective different subset of the plurality of routers; and configuring each of the containerized routing protocol modules to peer with each other to share routing information received from the different subsets of the plurality of routers.

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

Abstract: A key server network device may install, on the key server network device, a new decryption key based on a timer-based key rollover setting and may provide, to peer network devices, messages identifying the new decryption key. The key server network device may utilize an original encryption key, to encrypt traffic, until all of the peer network devices provide acknowledgements of installation of the new decryption key. The key server network device may be configured to utilize the original encryption key based on the timer-based key rollover setting. The key server network device may generate an alarm. The alarm may include information indicating that the key server network device is waiting for the acknowledgements from one or more peer network devices and information identifying the one or more peer network devices.

Abstract: A method may include obtaining a printed circuit board (PCB) that includes a set of vias that include a set of stub regions. The PCB may include a set of layers perpendicular to the set of vias. The set of layers may include a signal layer and a ground layer. The ground layer may be located between the set of stub regions and the signal layer. The method may include drilling to remove at least a portion of a stub region of a via of the set of vias. The method may include performing an electrical test to determine whether a sliver of conductive material is included within the via after drilling to remove the at least a portion of the stub region of the via.

Abstract: This disclosure describes techniques that include determining the health of one or more routing engines included within a router. In one example, this disclosure describes a method that includes performing, by a first routing engine included within a router, routing operations, wherein the router includes a plurality of routing engines, including the first routing engine and a second routing engine; receiving, by a computing system, data including health indicators associated with the first routing engine; applying, by the computing system, a machine learning model to the data to determine, from the health indicators, a health status of the first routing engine, wherein the machine learning model has been trained to identify the health status from the health indicators; and determining, by the computing system and based on the health status of the first routing engine, whether to switch routing operations to the second routing engine from the first routing engine.

Abstract: A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to a memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.

Abstract: In general, the disclosure describes techniques for lockless management of immutable objects by multi-threaded processes. A device comprising a processor may implement the techniques, where the processor execute a multi-threaded process including a producer thread and a consumer thread. The producer thread may instantiate an immutable object, and provide, to the consumer thread, a reference to the immutable object. The producer thread may also increment a reference counter to indicate that the reference has been provided to the consumer thread, where the reference counter is local to the producer thread and inaccessible to the at least two consumer threads. The producer thread may receive, from the consumer thread, a notification that the consumer thread has finished processing the immutable object, and decrement, responsive to receiving the notification, the reference counter. The producer thread may then delete, based on the reference counter, the immutable object.

Abstract: A network device may receive data, may extract primary patterns from a plurality of domain names included in the data, may process the primary patterns, with a hash model, to generate hash keys for the primary patterns, wherein a hash key includes a hash value associated with a wildcard character, and may store the plurality of domain names in a hash table. The network device may extract a particular primary pattern from a particular domain name included in a search request, may determine potential matching patterns based on the particular primary pattern, and may process the potential matching patterns, with the hash model, to generate potential matching hash keys for the potential matching patterns, wherein a hash key includes a hash value associated with a wildcard character. The network device may search, based on the potential matching hash keys, the hash table to identify a matching domain name.

Abstract: A network device may receive, via a single port of the network device, a connection request from a user device and may obtain, based on the connection request, information related to an authentication history of the user device. The network device may determine, based on the information related to the authentication history of the user device, an authentication method to be used by the network device to authenticate the user device and may determine, using the authentication method, that the user device is authenticated. The network device may establish, based on determining that the user device is authenticated, an authenticated communication session with the user device on the single port of the network device. The network device may determine, using an additional authentication method, that an additional user device is authenticated and may establish an additional authenticated communication session with the additional user device on the single port.

Abstract: This disclosure describes techniques are described for proactively computing configuration information for policy-driven on-demand tunnel creation and deletion between sites in a software-defined networking in wide area network (SD-WAN) environment. In some examples, a controller device is configured to precompute configuration data for an overlay tunnel through the wide area network to connect a first site and a second site of a plurality of sites in the SD-WAN environment. The controller device is further configured to obtain, after precomputing the configuration data, an indication to configure the overlay tunnel. The controller device is also configured to send, in response to receiving the indication to configure the overlay tunnel, at least some of the configuration data to the first site to configure the first site with the overlay tunnel.

Abstract: Methods and apparatus relating to use of actual and/or virtual beacons are described. Virtual beacons are virtual in that an actual beacon need not be transmitted but a rather a virtual beacon transmitter at a desired location maybe considered to transmit virtual beacons. In some embodiments a set of beacon transmitter information for one or more beacons is supplied to devices in a communications system. The beacon transmitter information indicates transmission power and location of actual and virtual beacon transmitters as well as information to be communicated by virtual beacons. Devices with access to beacon information can determine based on the location of a wireless terminal whether the wireless terminal is within coverage area of a virtual beacon and report reception of the virtual beacon to the wireless terminal or a component of the wireless terminal which acts upon receiving an indication of beacon reception.

Abstract: The disclosure describes examples where a first data center includes a first gateway router, a first set of computing devices, and a second set of computing devices. The first set of computing devices is configured to execute a software defined networking (SDN) controller cluster to facilitate operation of one or more virtual networks within the first data center. The second set of computing devices is configured to execute one or more control nodes to exchange route information, between the first gateway router and a second gateway router of a second data center different than the first data center, for a virtual network between computing devices within the second data center, and to communicate control information for the second data center to the second set of computing devices, wherein the one or more control nodes form a subcluster of the SDN controller cluster.

Abstract: A network device may receive packets and may calculate, during a time interval, an arrival rate and a departure rate, of the packets, at one of multiple virtual output queues. The network device may calculate a current oversubscription factor based on the arrival rate and the departure rate, and may calculate a target oversubscription factor based on an average of previous oversubscription factors associated with the multiple virtual output queues. The network device may determine whether a difference exists between the target oversubscription factor and the current oversubscription factor and may calculate, when the difference exists, a scale factor based on the current oversubscription factor and the target oversubscription factor. The network device may calculate new scheduling weights based on prior scheduling weights and the scale factor, and may process packets received by the multiple virtual output queues based on the new scheduling weights.

Abstract: A first network device in a high-availability cluster may configure a first wireless channel for a wireless control link. The first network device may establish, using the first wireless channel, the wireless control link with a second network device in the high-availability cluster. The first network device may configure a second wireless channel for a wireless fabric link. The first network device may establish, using the second wireless channel, the wireless fabric link with the second network device.

Abstract: In general, techniques are described for supporting bulk delivery of change of authorization data in authentication, authorization, and accounting (AAA) protocols, where delivery is performed as a change of authorization after a subscriber has successfully authenticated and initially authorized. In one example, the techniques are directed to a method including determining, by a RADIUS server for a service provider network, change of authorization data for services to which the subscriber of the service provider network has subscribed. The method further includes generating, by the RADIUS server, RADIUS messages that form a transaction between the RADIUS server and a network access server acting as a RADIUS client. The RADIUS messages provide all of the change of authorization data to the network access server prior to the network access server provisioning the services. The method further includes outputting, by the RADIUS server, the RADIUS messages to the network access server.

Abstract: A disclosed apparatus ay include (1) a wireless receiver that facilitates communicatively coupling to a wireless transmitter of an access point connected to a network switch of a service provider, and (2) at least one processing device of a router communicatively coupled to the wireless receiver, wherein the processing device of the router (A) activates a wireless mode that (I) causes the router to establish a wireless connection with the access point via the wireless transmitter and the wireless receiver and (II) facilitates remote configuration of the router by a remote user who has gained access to the router via the wireless connection, (B) receives, via the wireless connection, at least one command from the remote user, and (C) applies, to an out-of-band management interface of the router, the command received from the remote user via the wireless connection. Various other apparatuses systems, and methods are also disclosed.

Abstract: A method of measuring (100) metrics of a computer network, comprising the steps of: —from a data source collecting (110) sets of data points during a sampling time period, wherein the set of data points constitute a sample, and uploading (120) each sample to a server for further processing (130), wherein from each sample, a tractile information instance is produced (131), wherein the tractile information has a type and each data source is associated (110a) with a fractile information type.

Abstract: As described herein, a router signals a source device to establish a new stateful communication session with a destination device by changing a network path used by traffic associated with the session. In one example, a router forwards traffic of a first stateful routing session established by the source device along a first path. In response to determining that that the first path should not be used, the router forwards a packet of the first session along a second path. The destination device recognizes the change in path, which causes the destination device to reject the packet, which in turn causes the source device to establish a second stateful routing session. The router forwards subsequent traffic of the second stateful routing session along the second path.

Abstract: In this disclosure, in a network comprising a plurality of network devices, a network device includes processing circuitry configured to: receive packet data corresponding to a network flow originating at a first device, the packet data destined to a second device; generate an entropy label to add to a label stack of the packet data, wherein the entropy label is generated from one or more attributes corresponding to the network flow that originated at the first device and is destined to the second device; generate a flow record including the entropy label, wherein the entropy label identifies the network flow amongst a plurality of network flows in the network; and send, to a controller of the network, the flow record, wherein the controller identifies the flow record based on the entropy label corresponding to the network flow originating at the first device and is destined to the second device.