Abstract: A buffer memory can be configured to temporarily store data in a number of queues. A processor can be configured to measure a fullness of the buffer memory. The processor can be configured to adjust thresholds and drop profiles based on a measured global resource usage for a weighted random early detection (WRED) technique with less resources than a conventional.

Abstract: A method includes a proxy device receiving from a source device a request to establish a flow to a destination device; generating, based on the request, a meta-packet that indicates that the flow to the destination device is to be proxied; determining whether a pre-established flow connecting the proxy device to another proxy device that leads toward the destination device exists; sending the meta-packet on the pre-established flow, when it is determined that the pre-established flow exists; receiving by the other proxy device, the meta-packet, and establishing the flow to the destination device based on the meta-packet, where the proxy devices assign one or more of a source address, a source port, a destination address, or a destination port, associated with the source device and the destination device, to the pre-established flow.

Abstract: Techniques are described for preventing network attacks. More specifically, the techniques involve classification of routes based on the network protocol from which the routes were learned, and filtering of packets based on the classification. A network device, for example, is described that includes interface cards to receive routing information via one or more routing protocols, wherein the routing information defines network routes. The network device further includes a control unit to classify the routes based the routing protocol by which the routes were received, and selectively forward packets associated with the routes based on the classification of the routes. Edge routers within a service provider network, for example, may classify routes as either “internal” or “external” based on the protocols from which the routes were learned, and automatically filter packets to prevent network attacks using the techniques.

Abstract: Techniques are described for detecting failure or degradation of a service enabling technology function independent from an operational state of a service node hosting the service enabling technology function. For example, a service node may provide one or more service enabling technology functions, and service engineered paths may be traffic-engineered through a network to service node network devices that host a service enabling technology function. A monitor component at the service layer of the service node can detect failure or degradation of one or more service enabling technology functions provided by the service node. The monitor component reports detection of failure or degradation to a fault detection network protocol in a forwarding plane of the service node. The fault detection network protocol communicates with an ingress router of a service engineered path to trigger fast reroute by the ingress of traffic flows to bypass the affected service enabling technology function.

Abstract: A method, non-transitory computer readable medium, and apparatus that proactively secures a web application includes injecting one or more decoys into an executing web application. An attempt to exploit one of the one more injected decoys in the executing application is identified. At least one action to secure the executing application from the attempted exploitation is performed.

Abstract: In general, this disclosure describes techniques for applying, with a network device, subscriber-specific packet processing using an internal processing path that includes service objects that are commonly applied to multiple packet flows associated with multiple subscribers. In one example, a network device control plane creates subscriber records that include, for respective subscribers, one or more variable values that specify service objects as well as an identifier for a packet processing template. A forwarding plane of the network device receives and maps subscriber packets to an associated subscriber record and then processes the packet by executing the packet processing template specified by the subscriber record. When the forwarding plane reaches a variable while executing the specified packet processing template, the forwarding plane reads the associated variable value from the subscriber record to identify and then apply the subscriber-specific service object specified by the variable.

Abstract: In general, techniques are described for selectively applying and reusing filters stored in a router. In one example, a method includes receiving a network access request from a first user. The method also includes selecting a candidate rule group associated with the packet flow, wherein the candidate rule group comprises one or more currently deployed rules of an existing rule group on the computing device that are currently installed within a forwarding plane and are being applied by the forwarding plane to network traffic associated with a second user. The method also includes installing a new rule group comprising the one or more currently deployed rules of the existing rule group and one or more new rules associated with the first user and not currently installed within a forwarding plane. The method also includes applying each rule of the new rule group to network traffic associated with the first user.

Abstract: In general, techniques are described for measuring service-specific packet data unit (PDU) loss for individual pseudowires that interconnect two or more L2 customer networks in a L2 virtual private network (L2VPN), such as a VPLS instance. In one example of the techniques, for every pseudowire of a VPLS instance pseudowire mesh, a pseudowire label policer at each of the pseudowire endpoints maintains respective counters for the number of PDUs transmitted and received at the endpoint. The pseudowire label policer may identify service-specific PDUs transmitted and received over individual pseudowires of the VPLS instance by mapping pseudowire labels for the PDUs to the VPLS instance.

Abstract: This disclosure describes techniques to utilize pluggable photonics module in high data rates optical communications systems such as some coherent optical communications system. The pluggable photonics module plugs into a host board. The host board includes a processor that compensates for distortion caused by data streams traveling across the pluggable interfaces that the pluggable photonics module and host board use to couple to one another.

Abstract: In a system including a first autonomous system (AS) configured to have a first gateway router forward data associated with a set of IP address prefixes, to a second AS via a link to a first eBGP peer device of the second AS, the problem of data packets dropped at an output of the first gateway router while the link is still “up” and an eBGP session between the first gateway router and the first eBGP peer is still up, is solved by (1) receiving information about dropped data packets at an output of the first gateway router, (2) determining whether a data traffic offload condition exists using the received information, (3) changing path attribute(s) of at least some of the IP address prefixes of the set if a data traffic offload condition exists, such that the first gateway router will be less likely to forward data associated with those IP address prefixes, and (4) generating a BGP update message including the changed path attribute(s) for communication to at least one iBGP peer device in the first AS.

Abstract: An apparatus includes a phase delay module that is configured to receive a set of signals from an antenna assembly having a horizontal polarization element and an elliptical polarization element. The horizontal polarization element and the elliptical polarization element are collectively configured to receive the set of signals over a coverage area. The phase delay module is configured to determine (1) a signal strength of a first signal from the set of signals received via the horizontal polarization element and (2) a signal strength of a second signal from the set of signals received via the elliptical polarization element. The phase delay module is configured to send a combined signal including (1) the first signal and (2) the second signal having a phase delay if the signal strength of the first signal is higher than the signal strength of the second signal.

Abstract: In general, techniques are described for extending routing protocol advertisements to include respective attributes of constituent links of an aggregation group. In one example, a network device includes a management interface that receives configuration information that specifies first and second constituent links for a layer two (L2) aggregated interface. The first and second constituent links are physical links connected to respective physical interfaces of forwarding units of the network device. A routing protocol daemon of the control unit generates a link state message that specifies layer three (L3) routing information associated with the aggregated interface and further specifies an attribute of the first constituent link and an attribute of the second constituent link. The routing protocol daemon sends the link state message from the network device to another network device of the network in accordance with a routing protocol.

Abstract: In some embodiments, an apparatus comprises a processing module, disposed within a first switch fabric element, configured to detect a second switch fabric element having a routing module when the second switch fabric element is operatively coupled to the first switch fabric element. The processing module is configured to define a virtual processing module configured to be operatively coupled to the second switch fabric element. The virtual processing module is configured to receive a request from the second switch fabric element for forwarding information and the virtual processing module is configured to send the forwarding information to the routing module.

Abstract: Techniques are described for providing high availability during an in-service software upgrade (ISSU) of an appliance within a network device, e.g., a router, by running a pair of virtual machines on each of a primary appliance and a secondary appliance within the router. Examples of the appliances include a routing engine within a router, and a service physical interface card (PIC) within a forwarding engine of a router. An ISSU of the primary appliance may first upgrade the operating system instance of a secondary virtual machine, switch operation from a primary virtual machine to the secondary virtual machine, and then upgrade the operating system instance on the primary virtual machine. During the ISSU of the primary appliance, primary and secondary virtual machines on the secondary appliance provide high availability to the virtual machine on the primary appliance executing the original operating system.

Abstract: Techniques are described for load-balancing deterministic NAT functions in a mobile gateway or other device in which subscriber sessions are distributed across a plurality of session management cards. Each of the session management cards may host a non-contiguous set of public addresses and a non-contiguous set of private network addresses associated with the subscriber sessions. To facilitate deterministic NAT under such conditions, each of the session management cards locally maps the non-contiguous set of public network addresses to an internal contiguous sequence of identifiers for the public addresses and maps the non-contiguous set of private network addresses to an internal contiguous sequence of identifiers for the private addresses. Each of the session management cards may then perform deterministic NAT on packets based on the contiguous sequence of identifiers for the public addresses and the contiguous sequence of identifiers for the private addresses internal to the session management card.

Abstract: In general, techniques are described for performing a controlled non-stop software upgrade (NSSU) of a network device. In some examples, a method includes receiving, by a first network device included in a virtual network device, a non-stop software upgrade (NSSU) request. The first network device is communicatively coupled to each of a computing device and a second network device. The method includes, in response to receiving the NSSU request, forwarding to the second network device, network packets that are received at the first network device and destined to the computing device. The method also includes sending a message to the computing device that instructs the computing device to stop sending network packets to the first network device. The method includes updating one or more software components within the first network device, after sending the message to the computing device and based at least in part on the NSSU request.

Abstract: In some embodiments, an apparatus comprises of a ground plane control module included in an antenna system having a set of antenna segments that includes a first antenna segment, a second antenna segment, and a third antenna segment, with each antenna segment associated with a separate ground plane. The ground plane control module is configured to selectively activate the ground plane of the first antenna segment and the second antenna segment such that receive signals and transmit signals are communicated with a first and second user, respectively, when the ground planes of the first and second antenna segments, respectively, are in an activate mode. The ground plane control module is configured to selectively activate the ground plane of the third antenna segment such that the third antenna segment cannot communicate receive signals and transmit signals when the ground plane of the third antenna segment is in a deactivate mode.

Abstract: A non-transitory processor-readable medium storing code representing instructions to be executed by a processor includes code to cause the processor to receive from a wireless access point (WAP) device frequency-domain data associated with signals received at the WAP device from a wireless device during a time period. The code includes code to determine multiple frequency-domain magnitudes associated with the frequency-domain data for the time period to define a spectral magnitude signature associated with the frequency-domain data. Each frequency-domain magnitude from the multiple frequency-domain magnitudes is uniquely associated with a frequency bin from multiple mutually-exclusive frequency bins associated with the frequency domain data. The code also includes code to identify a spectral response deviation associated with the spectral magnitude signature and send a location identifier associated with a location of the wireless device based on the spectral response deviation.

Abstract: In one example, a network device includes a network interface that receives a packet, a storage card that stores session data for monitored network sessions, a plurality of service processing cards that process packets of respective subsets of the network sessions, wherein each of the service processing cards comprises a respective memory to store session data for the respective subset of the network sessions processed by the corresponding service processing card, and a switch fabric coupled to the network interface, the storage card, and the plurality of service processing cards. One or more of the plurality of service cards process the received packet based on the session data stored by the storage card. The one or more of the plurality of service cards retrieve the session data for the network session to which the packet corresponds from the storage card and store the retrieved session data in the respective memory.

Abstract: In general, techniques are described for scheduling traffic for delivery over an aggregated bundle of links. A network device comprising an interface and a data plane may implement the techniques. The interface receives packets associated with packet flows. The data plane associates each of the packet flows with a different link of an aggregated bundle of links. The data plane monitors transmission of the packets via the links to determine a representation of an amount of data sent per link. The data plane further determines that bandwidth utilization does not conform to a desired bandwidth utilization based on the determined representation of the amount of data sent per link. The data plane then re-associates the packet flows to different links of the aggregated bundle based on the determination that the bandwidth utilization does not conform to the desired bandwidth utilization.