Abstract: In some embodiments, a printed circuit board, configured to be coupled to electronic components, includes a first material portion and any number of second material portions. Each second material portion is sized and spaced apart from an adjacent second material portion such that electromagnetic waves associated with the operation of the electronic components are substantially not reflected. The first material portion defines a first dielectric constant and the second material portion defines a second dielectric constant that is different than the value of the first dielectric constant.

Abstract: In general, techniques of this disclosure relate to measuring scheduling performance of monitored threads in an operating system with improved precision. In one example, a method includes inserting, by an operating system kernel, a monitored thread into a queue comprising one or more threads and recording an insertion time that the monitored thread is inserted into the run queue; receiving, by the kernel, an event to remove the monitored thread from the run queue; responsive to receiving the event, determining, by the kernel, an amount of time that the monitored thread is stored on the run queue based on the insertion time and a removal time at which the monitored thread was removed from the run queue; and when the amount of time the monitored thread is stored on the run queue is greater than or equal to a specified threshold, sending a notification to a notification listener.

Abstract: A device creates a pool of available licenses for secure network resources, and receives an unused license from a network device. The device also provides the unused license in the pool of available licenses, and receives a request for a license from another network device. The device further provides, to the other network device, the unused license from the pool of available licenses.

Abstract: This disclosure describes techniques for supporting an and Multi-Protocol Label Switching (MPLS)-based Virutal Private Network (VPN) service that provides layer two (L2) connectivity between the customer edge device. In particular, the techniques support a Border Gateway (BGP) MPLS-based MAC VPNs (“MAC-VPN” or “MAC VPN”). The techniques provide a MAC VPN in which L2 MAC address learning occurs in the control plane via inter-device BGP signaling in the control plane rather than the data plane, in response to VPN traffic, as may be typical with other VPN technologies.

Abstract: In one example, a platform device includes a control unit configured to receive a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy associated with the first software development entity, execute the first software package only after determining that a root of the first certificate hierarchy corresponds to a certificate authority of a developer of the platform device, receive a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy associated with the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, and execute the second software package only after determining that a root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device.

Abstract: A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.

Abstract: Techniques are described for establishing a point-to-multipoint (P2MP) label switched path (LSP) using a branch node-initiated signaling model in which branch node to leaf (B2L) sub-LSPs are signaled and utilized to form a P2MP LSP. The techniques described herein provides a scalable solution in which the number of sub-LSPs for which the source node or any given branch node need maintain state is equal to the number of physical data flows output from that node to downstream nodes, i.e., the number of output interfaces used for the P2MP LSP by that node to output data flows to downstream nodes. As such, unlike the conventional source node-initiated model in which each node maintains state for sub-LSPs that service each of the leaf nodes downstream from the device, the size and scalability of a P2MP LSP is no longer bound to the number of leaves that are downstream from that node.

Abstract: In one example, a network device includes a virtual network agent, and a network interface to send network packets to the virtual network controller using a default route for a physical network prior to establishing a communication session between a virtual network controller and the virtual network agent, wherein, after establishing the communication session between the virtual network controller device and the virtual network agent, the virtual network agent receives from the virtual network controller a command to install a new route at the network device, wherein the new route specifies encapsulation information to use for encapsulating network packets for sending the network packets to the virtual network controller over an overlay network, and wherein, responsive to detecting a failed link in the physical network, the virtual network agent sends packets to the virtual network controller on an alternate route in the overlay network.

Abstract: In general, techniques of the present disclosure relate to synchronizing concurrent access to multiple portions of a data structure. In one example, a method includes, sequentially selecting a plurality of requests from a request queue, wherein at least one of the requests specifies a plurality of requested synchronization objects for corresponding candidate portions of a data structure to which to apply an operation associated with a data element. The method also includes querying one or more sets of identifiers to determine whether one or more of the requested synchronizations objects specified by the selected request are acquirable. The method also includes acquiring each of the requested synchronization objects that are acquirable. The method includes, responsive to acquiring all of the one or more requested synchronization objects, selecting a subset of the candidate portions of the data structure and applying the operation only to the selected subset of the candidate portions.

Abstract: An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer's traffic.

Abstract: A method of sending data to a switch fabric includes assigning a destination port of an output module to a data packet based on at least one field in a first header of the data packet. A module associated with a first stage of the switch fabric is selected based on at least one field in the first header. A second header is appended to the data packet. The second header includes an identifier associated with the destination port of the output module. The data packet is sent to the module associated with the first stage. The module associated with the first stage is configured to send the data packet to a module associated with a second stage of the switch fabric based on the second header.

Abstract: This disclosure describes the Fast Chromatic Dispersion Estimation (FCDE) techniques which corrects for chromatic dispersion in high data rate optical communications systems such as some coherent optical communications systems. FCDE may utilize transform such as fast-Fourier transforms to estimate the chromatic dispersion. From an estimation of the chromatic dispersion, the techniques may determine filter tap coefficients for compensating the chromatic dispersion.

Abstract: In one example, network device includes a control unit having one or more hardware-based microprocessors and an interface. The interface can receive a first time synchronization message from a master device that comprises a first TTL value. The first TTL value can be indicative of a number of hops traversed by the first time synchronization message. The interface can subsequently receive a second time synchronization message from the master device that comprises a second TTL value that is is indicative of a number of hops traversed by the second time synchronization message. The network device can also include a timing module that determines a time adjustment based at least in part on the determination that the first and second TTL values are different, and applies the time adjustment to update the time of the network device.

Abstract: In general, the invention is directed to techniques for identifying memory overruns. For example, as described herein, a device includes a main memory that enables an addressable memory space for the device. A plurality of memory pages each comprises a separate, contiguous block of addressable memory locations within the addressable memory space. The device also includes a memory manager comprising a secure pool allocator that assigns a secure pool size value to a first one of the plurality of memory pages. The secure pool size value defines a plurality of protected memory spaces in the first memory page that partition the first memory page into a plurality of secure objects. The device also includes a memory management unit comprising secure pool logic that determines, based on the secure pool size value, whether a memory address is an address of one of the protected memory spaces in the first memory page.

Abstract: A network service administration system including a plurality of service objects, a plurality of address objects; and a service configuration application for a multifunction appliance running on a client computer coupled to the appliance via a network. The service configuration application includes an interface allowing subscribers to configure at least a subset of application content services provided by the appliance and including a rule set implementing rules in ones of said application content services in said subset based on changes to configurations of any other of said application content services. Each of said service objects may comprise an individual network service definition.

Abstract: An optical network device re-routes traffic from a path to a backup path in response to determining that a downstream segment of the primary path is not operational. The optical network device receives traffic on a slot of an optical fiber. For each data unit in the traffic, the optical network device determines, based on receiving the data unit on the slot and based on a flow identifier specified in the data unit, that a given path is associated with the data unit. If a downstream segment of the given path is not operational, the optical network device routes the data unit onto a backup path instead of routing the data unit along the given path. Bandwidth is not reserved for the backup path.

Abstract: An apparatus for clamping and relieving strain in a set of optical fiber ribbon. The strain relief clamp includes a first attachment portion and second attachment portion configured to secure the strain relief clamp to a system component and a set of optical fiber ribbons to the strain relief clamp. When secured the strain relief clamp is configured to relieve strain in the set of optical fiber ribbons.

Abstract: In general, techniques are described for providing high availability as a service. The techniques may be performed by a device that includes an interface and a control unit. The interface is configured to receive network traffic originating from a subscriber device operated by a subscriber. The control unit is configured to determine whether to provide a high availability service with respect to at least a portion of the network traffic based on a subscriber profile associated with the subscriber. The control unit may further be configured to provide the high availability service for at least the portion of the network traffic based on the determination of whether to provide the high availability service. The control unit may further be configured to process at least the portion of the network traffic with the network device, and forward at least the portion of the network traffic.

Abstract: In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to receive at a tunnel server, a data unit addressed to a communication device, and define, a first instance of the data unit and a second instance of the data unit. The first instance of the data unit is sent to the communication device via a first tunnel defined between at least the tunnel server and a first base station associated with a first network. The second instance of the data unit is sent to the communication device via a second tunnel defined between at least the tunnel server and a second base station associated with a second network. The second instance of the data unit is dropped by the communication device when the first instance of the data unit is received before the second instance of the data unit.

Abstract: Techniques are described for determining the topology of an optical network. A computing device receives a message on a data communication network after a first device in an optical network receives an optical pulse pattern on an optical fiber in the optical network. The computing device generates topology data using the message. The topology data indicates that a second device is physically connected in the optical network to the first device when the received optical pulse pattern matches an optical pulse pattern sent by the second device.