Abstract: Techniques are described for blocking unidentified encrypted communication sessions. In one embodiment, a device includes an interface to receive a packet, an application identification module to attempt to identify an application associated with the packet, an encryption detection module to determine whether the packet is encrypted when the application identification module is unable to identify an application associated with the packet, and an attack detection module to determine whether the packet is associated with a network attack, to forward the packet when the packet is not associated with a network attack, and to take a response when the packet is associated with a network attack, wherein the encryption detection module sends a message to the attack detection module that indicates whether the packet is encrypted, wherein when the message indicates that the packet is encrypted, the attack detection module determines that the packet is associated with a network attack.
Abstract: In one embodiment, a method can include receiving at an egress schedule module a request to schedule transmission of a group of cells from an ingress queue through a switch fabric of a multi-stage switch. The ingress queue can be associated with an ingress stage of the multi-stage switch. The egress schedule module can be associated with an egress stage of the multi-stage switch. The method can also include determining, in response to the request, that an egress port at the egress stage of the multi-stage switch is available to transmit the group of cells from the multi-stage switch.
Type: Grant
Filed: December 3, 2012
Date of Patent: July 7, 2015
Assignee: Juniper Networks, Inc.
Inventors: Sarin Thomas, Srihari Vegesna, Pradeep Sindhu, Chi-Chung Kenny Chen, Jean-Marc Frailong, David J. Ofelt, Philip A. Thomas, Chang-Hong Wu
Abstract: Multicast traffic received by a subnet that uses IGMP/PIM snooping may be efficiently processed so that only required multicast router interfaces are used. A router may, for example, receive a source-specific PIM join/prune message indicating that a multicast receiver of the multicast traffic is to join/leave a multicast group to receive/stop traffic from a multicast source; determine whether the router is a first hop router relative to a subnet of the multicast source; and forward, when the router is a first hop router relative to the subnet of the multicast source and is a non-designated router, the source-specific PIM join/prune message towards the subnet.
Abstract: In one example, a network device includes a plurality of interface cards to send and receive packets over a network, a primary control unit of the network device, and a secondary control unit of the network device configured to detect a failover event that causes the network device to failover from the primary control unit to the secondary control unit. An operating system of the secondary control unit may be configured to send, in response to detecting the failover event, a session maintenance message on each of a plurality of application-level communication sessions in accordance with a prioritized data structure having a plurality of hierarchically arranged nodes, each of the nodes associated with a different subset of the communication sessions having a common session timeout value.
Type: Grant
Filed: December 21, 2012
Date of Patent: July 7, 2015
Assignee: Juniper Networks, Inc.
Inventors: Sameer Seth, Pravin Bhandarkar, Hannes Gredler
Abstract: A network management system monitors malware within a mobile network. The system comprises a receiver component that obtains data regarding malware in the mobile network. The data is obtained from a first source and a second source, where the first source is of a different type than the second source. The monitoring system also includes an analysis component that generates a malware analysis of the mobile network as a function of the data.
Abstract: An egress network device of a point-to-point (P2P) tunnel can receive an LSP Ping message via the P2P tunnel from an ingress network device of the P2P LSP, wherein the LSP Ping message specifies a label that the egress network device associates with a service provided to the egress network device via the P2P tunnel. In response to receiving the LSP Ping message, the egress network device can store an association between the label and the P2P tunnel. The egress network device also uses a fault detection network protocol session over the P2P tunnel to monitor a state of the P2P tunnel. In response to detecting based on the fault detection network protocol session that the state of the P2P tunnel is down, the egress network device determines the service is unavailable from the ingress network device via the P2P tunnel, and selects a new source to provide the service.
Abstract: Routers balance network traffic among multiple paths through a network according to an amount of bandwidth that can be sent on an outgoing interface computed for each of the paths. For example, a router receives a link bandwidth for network links that are positioned between the first router and a second router of the network, and selects a plurality of forwarding paths from the first router to the second router. Upon determining that one of the network links is shared by multiple of the plurality of forwarding paths, the router computes a path bandwidth for each of the plurality of forwarding paths so as to account for splitting of link bandwidth of the shared network link across the multiple forwarding paths that share the network link. The router assigns packet flows to the forwarding paths based at least on the computed amount of bandwidth for each of the forwarding paths.
Type: Grant
Filed: June 28, 2012
Date of Patent: June 30, 2015
Assignee: Juniper Networks, Inc.
Inventors: Alia Karin Atlas, John E. Drake, David Ward, Ross W. Callon
Abstract: In some embodiments, an apparatus includes an optical detector that can sample asynchronously an optical signal from an optical component that can be either an optical transmitter or an optical receiver. In such embodiments, the apparatus also includes a processor operatively coupled to the optical detector, where the processor can calculate a metric value of the optical signal without an extinction ratio of the optical signal being measured. The metric value is proportional to the extinction ratio of the optical signal. In such embodiments, the processor can define an error signal based on the metric value of the optical signal and the processor can send the error signal to the optical transmitter such that the optical transmitter modifies an output optical signal.
Type: Application
Filed: January 8, 2014
Publication date: June 25, 2015
Applicant: JUNIPER NETWORKS, INC.
Inventors: Christian Malouin, Roberto Marcoccia, George R. Sosnowski, Theodore J. Schmidt
Abstract: In one aspect, a computer-implemented method includes generating a workload using at least one schema defined by combinations of ranges of each of at least two attributes. The computer-implemented method also includes receiving a request to provide content. The computer-implemented method further includes provisioning the content based upon the workload.
Type: Grant
Filed: January 21, 2010
Date of Patent: June 23, 2015
Assignee: Juniper Networks, Inc.
Inventors: Allen Hamedany, Michael Warres, Muriel Medard, Louis M. Colon, Jr., Chris Losso, Jim Hurley
Abstract: A laser system includes an array of lasers that emit light at a number of different, fixed wavelengths. A group of optical transport systems connect to the laser system. Each of the optical transport systems is configured to modulate data signals onto the light from the laser system to create optical signals and transmit the optical signals on one or more optical fibers.
Abstract: In general, techniques are described for automatically identifying likely faulty components in massively distributed complex systems. In some examples, snapshots of component parameters are automatically repeatedly fed to a pre-trained classifier and the classifier indicates whether each received snapshot is likely to belong to a fault and failure class or to a non-fault/failure class. Components whose snapshots indicate a high likelihood of fault or failure are investigated, restarted or taken off line as a pre-emptive measure. The techniques may be applied in a massively distributed complex system such as a data center.
Abstract: A device may include a flow table to store, in flow table records, statistics associated with a number of data flows, and a flow type table to store, in flow type table records, information that indicates whether to store statistics in the flow table for each of a number of types of data flows, information that indicates a manner for sampling data units associated with the data flows, and/or information that indicates when to delete flow table records from the flow table.
Type: Grant
Filed: September 14, 2012
Date of Patent: June 23, 2015
Assignee: Juniper Networks, Inc.
Inventors: Jack Kohn, David Rowell, Fuguang Shi, Gunes Aybay
Abstract: A system includes a module associated with a first stage of a switch fabric directly coupled to a module associated with a second stage of the switch fabric via a single physical hop having multiple virtual channels. The module associated with the first stage is configured to assign a virtual channel identifier associated with a virtual channel with a data packet using a hash function and to send the data packet through the virtual channel based on the virtual channel identifier. The module associated with the second stage is configured to send a flow control signal to the module associated with the first stage when an available capacity of a queue is less than a predetermined threshold. The module associated with the first stage is configured to suspend sending data packets via the virtual channel in response to the flow control signal.
Abstract: In one embodiment, a method includes sending a first flow control signal to a first stage of transmit queues when a receive queue is in a congestion state. The method also includes sending a second flow control signal to a second stage of transmit queues different from the first stage of transmit queues when the receive queue is in the congestion state.
Abstract: An apparatus includes an access switch having a set of ports and configured to be operatively coupled to a multicast router via a first port from the set of ports. The access switch is configured to be associated with a network associated with the multicast router, and designate the first port as a multicast-router interface during a time period. The access switch is configured to send a message to the multicast router via each port from the set of ports in response to an indication of a change in a topology of the network after the time period. The access switch is configured to designate a second port from the set of ports as the multicast-router interface and dedesignate the first port as the multicast-router interface in response to receiving, via the second port and in response to the message, a signal from the multicast router.
Abstract: In one embodiment, edge devices can be configured to be coupled to a multi-stage switch fabric and peripheral processing devices. The edge devices and the multi-stage switch fabric can collectively define a single logical entity. A first edge device from the edge devices can be configured to be coupled to a first peripheral processing device from the peripheral processing devices. The second edge device from the edge devices can be configured to be coupled to a second peripheral processing device from the peripheral processing devices. The first edge device can be configured such that virtual resources including a first virtual resource can be defined at the first peripheral processing device. A network management module coupled to the edge devices and configured to provision the virtual resources such that the first virtual resource can be migrated from the first peripheral processing device to the second peripheral processing device.
Abstract: In general, techniques are described for programming a set of one or more pre-defined rules within the forwarding plane of a packet gateway of a mobile service provider network and caching, within control plane, a group identifier that identifies the set of programmed, pre-defined rules. The control plane may match quality of service (QoS) information of incoming subscriber service requests with the group identifier and respective subsets of the set of programmed, pre-defined rules to rapidly associate service requests with already-programmed PCC rules and thereafter install, to the forwarding plane, subscriber service-specific actions for the PCC rules.
Abstract: A system may include receiving a packet, of a packet stream, including control tags in a header portion of the packet and classifying each of the control tags into a category selected from a set of possible categories. The set of possible categories may include an unambiguous interposable (UI) category that is assigned to a control tag that corresponds to an unambiguous parsing interpretation and that is interposable within a sequence of the control tags, and an ambiguous interposable (AI) category that is assigned to a control tag in which the control tag has an ambiguous parsing interpretation and in which the control tag is interposable within the sequence of the control tags. The method may further include determining parsing operations to perform for the packet based on the classified categories of the control tags and based on the packet stream of the packet.
Type: Grant
Filed: December 22, 2011
Date of Patent: June 9, 2015
Assignee: Juniper Networks, Inc.
Inventors: David Talaski, Avanindra Godbole, Jean Marc Frailong, Fanyun Kong
Abstract: In some embodiments, an apparatus includes a printed circuit board and a thermal interface member. The printed circuit board is configured to be coupled to an electronic device, such as, for example, a removable (or “pluggable”) optical transceiver. A first surface of the printed circuit board includes a thermally-conductive portion, and a second surface of the printed circuit board includes a thermally-conductive portion that is coupled to the thermally-conductive portion of the first surface by a thermally-conductive via between the first surface and the second surface. The thermal interface member is coupled to the first surface of the printed circuit board such that a portion of the thermal interface member is in contact with the thermally-conductive portion of the first surface. The portion of the thermal interface member is deformable and thermally-conductive.