Abstract: In an example, a method includes processing, by an application programming interface (API) server implemented by a configuration node of a network controller for a software-defined networking (SDN) architecture system, requests for operations on native resources of a container orchestration system; processing, by a custom API server implemented by the configuration node, requests for operations on custom resources for SDN architecture configuration, wherein each of the custom resources for SDN architecture configuration corresponds to a type of configuration object in the SDN architecture system; detecting, by a control node of the network controller, an event on an instance of a first custom resource of the custom resources; and by the control node, in response to detecting the event on the instance of the first custom resource, obtaining configuration data for the instance of the first custom resource and configuring a corresponding instance of a configuration object in the SDN architecture.

Abstract: A co-packaged optical-electrical chip can include an application-specific integrated circuit (ASIC) and a plurality of optical modules, such as optical transceivers. The ASIC and each of the optical modules can exchange electrical signaling via integrated electrical paths. The ASIC can include Ethernet switch, error correction, bit-to-symbol mapping/demapping, and digital signal processing circuits to pre-compensate and post-compensate channel impairments (e.g., inter-channel/intra-channel impairments) in electrical and optical domains. The co-packaged inter-chip interface can be scaled to handle different data rates using spectral efficient signaling formats (e.g., QAM-64, PAM-8) without adding additional data lines to a given design and without significantly increasing the power consumption of the design.

Abstract: An example network system includes processing circuitry and one or more memories coupled to the processing circuitry. The one or more memories are configured to store instructions which cause the system to obtain telemetry data, the telemetry data being associated with a plurality of applications running on a plurality of hosts. The instructions cause the system to, based on the telemetry data, determine a subset of applications of the plurality of applications that run on a first host of the plurality of hosts. The instructions cause the system to determine a subset of firewall policies of a plurality of firewall polices, each of the subset of firewall policies applying to at least one respective application of the subset of applications. The instructions cause the system to generate an indication of the subset of firewall policies and send the indication to a management plane of a distributed firewall.

Abstract: In general, a device comprising a processor and a memory may be configured to perform various aspects of the techniques described in this disclosure. The memory may store source configuration data of a source environment descriptor associated with a source operating environment and target configuration data of a target environment descriptor associated with a target operating environment. The processor may compare the source configuration data to the target configuration data, and generate, based on the comparison, update data including software component versions. The processor may generate, based on the update data, a unified release including a new application release version, the new application release version including release propagation data.

Abstract: An example application programming interface (API) server device that distributes configuration data to managed network devices includes one or more processing units implemented in circuitry and configured to receive configuration data to be deployed to at least one of the managed network devices; store the configuration data to a configuration database; and send the configuration data to the at least one of the managed network devices. In this manner, the configuration data can be archived for later retrieval and analysis, e.g., to perform root cause analysis in the event of an error.

Abstract: A system includes computer-readable media configured to store a plurality of objects representing intent graph models of a network, and processing circuitry coupled to the computer-readable media. The processing circuitry is configured to receive a request indicating a requested time, determine one or more first objects of the plurality of objects, the first objects storing an intent graph model associated with a first time, the first time different from the requested time, determine one or more second objects of the plurality of objects, the second objects storing difference information indicating one or more changes to the intent graph model associated with the first time that occurred after the first time, apply the changes to the intent graph model associated with the first time to generate an intent graph model associated with the requested time, and output an indication of the intent graph model associated with the requested time.

Abstract: A device receives network segment information identifying network segments associated with a network, and receives endpoint host session information identifying sessions associated with endpoint hosts communicating with the network. The device generates, based on the network segment information and the endpoint host session information, a data structure that includes information associating the network segments with the sessions associated with the endpoint hosts. The device updates the data structure based on changes in the sessions associated with the endpoint hosts and based on changes in locations of the endpoint hosts within the network segments, and identifies, based on the data structure, a particular endpoint host, of the endpoint hosts, that changed locations within the network segments. The device determines a threat policy action to enforce for the particular endpoint host, and causes the threat policy action to be enforced, by the network, for the particular endpoint host.

Abstract: Network elements are managed with a server to support client data models from heterogeneous data sources. A server receives a first query for configuration data of a network element to be returned in a first model. The server determines a model type for the configuration data of the network element. When the model type is a second model that is not the first model, the server sends a second query to the network element for the configuration data to be returned in the second model and transforms the configuration data received from the network element into the first model. Additionally, the server returns the configuration data in the first model as a response to the first query.

Abstract: An example method includes receiving, by a computing system, a declarative testing descriptor for active testing of a virtualized service; obtaining, from an orchestration layer, metadata associated with the virtualized service, wherein the metadata specifies a unique name for a virtualized service within the namespace of a cluster managed by the orchestration layer; determining, by the computing system using the declarative testing descriptor and the metadata, an active testing configuration for an instance of the virtualized service; and starting an active test according to the active testing configuration and determining service level violations for the instance of the virtualized service based on a result of the active test.

Abstract: An example network device includes a memory configured to store a plurality of counts of packets of a data flow. The network device also includes one or more processors in communication with the memory. The one or more processors are configured to determine the plurality of counts of packets of the data flow, wherein each count of the plurality of counts includes a number of packets occurring in a predetermined time period. The one or more processors are configured to assign a corresponding range to each count of the plurality of counts, so as to assign a plurality of corresponding ranges. The one or more processors are also configured to determine a pattern in the plurality of corresponding ranges and send a number of active probe packets based on the determined pattern.

Abstract: A method for managing a plurality of network devices of a network includes determining, by one or more processors, a causality map for the plurality of network devices according to an intent. The method further includes receiving, by the one or more processors, an indication of a network service impact and determining, by the one or more processors, a relevant portion of the causality map based on the network service impact. The method further includes determining, by the one or more processors, one or more candidate root cause faults based on the relevant portion of the causality map and outputting, by the one or more processors, an indication of the one or more candidate root cause faults.

Abstract: An example data center system includes server devices hosting data of a first tenant and a second tenant of the data center, network devices of an interconnected topology coupling the server devices including respective service virtual routing and forwarding (VRF) tables, and one or more service devices that communicatively couple the network devices, wherein the service devices include respective service VRF tables for the first set of server devices and the second set of server devices, and wherein the service devices apply services to network traffic flowing between the first set of server devices and the second set of server devices using the first service VRF table and the second service VRF table.

Abstract: In general, techniques are described for leveraging a configuration framework for an orchestration platform to configure software that implements a control plane for a containerized network router in a cloud-native SDN architecture. In an example, a method comprises receiving, by a server executing a containerized routing protocol process, configuration data generated from a Network Resource configuration object managed by a custom resource controller; configuring, by the server, the containerized routing protocol process with the configuration data; and programming, by the containerized routing protocol process, based on the configuration data generated from the Network Resource configuration object, a virtual router data plane to forward network traffic.

Abstract: Disclosed are embodiments for determining a location of a wireless terminal. The wireless terminal measures signal strength of a plurality of wireless transmitters. Based on this information, a plurality of location probability surfaces are generated. Each location probability surface indicates a plurality of probabilities that the wireless terminal is in each of a corresponding plurality of geographic regions. These probability surfaces are then averaged to determine a composite location probability surface. A motion probability surface is also determined, which stores a plurality of probabilities indicating variations of motion of the wireless terminal. The composite location probability surface is then updated based on the motion probability surface. A location estimate of the wireless terminal is then determined based on the updated composite location probability surface.

Abstract: In some implementations, a first network device may communicate, with a second network device, one or more internet key exchange (IKE) messages to exchange a first identifier associated with the first network device and a second identifier associated with the second network device, and to indicate that a post-quantum preshared key (PPK) is to be used as a shared key for an IKE security association (SA) between the first network device and the second network device. The first network device may obtain, from a key management entity (KME), a quantum key based on providing the second identifier to the KME, wherein the PPK is based on the quantum key. The first network device may communicate, with the second network device, one or more IKE authentication messages to exchange a third identifier associated with the quantum key and to confirm that the second network device successfully obtained the PPK.

Abstract: Techniques are disclosed for scalable virtualization of tenants and subtenants on a virtualized computing infrastructure. In one example, a first controller for the virtualized computing infrastructure configures underlay network segments in the virtualized computing infrastructure by configuring respective Virtual Extensible Local Area Network (VXLAN) segments of a plurality of VXLAN segments of a VXLAN in a switch fabric comprising network switches. Each VXLAN segment provides underlay network connectivity among a different subset of host computing devices of the virtualized computing infrastructure to enable orchestration of multiple tenants in the VXLAN. A second controller for a first subset of the host computing devices has underlay network connectivity through operation of a first VXLAN segment. The second controller configures overlay networks in the first subset of the host computing devices to enable orchestration of multiple subtenants in the first subset of the host computing devices.

Abstract: In some examples, a system includes a router device and a first adapter device in communication with the router device. The first adapter device includes processing circuitry configured to: communicate with the router device, wherein the router device is incapable of communicating in accordance with the MACsec protocol. The processing circuitry is further configured to establish an encrypted connection in accordance with the MACsec protocol between the first adapter device and a remote device, determine that the encrypted connection is offline, and output a message to the router device that the encrypted connection is offline. The router device is configured to communicate with the remote device via a second adapter device configured to communicate in accordance with the MACsec protocol and bypass the first adapter device.

Abstract: An example method includes receiving, by an SD-WAN system, WAN link characterization data for a plurality of WAN links of the SD-WAN system over a time period; and for each site of a plurality of sites of the SD-WAN system, generating, by the SD-WAN system, a local policy for the site, wherein generating the local policy is based on a machine learning model trained with the WAN link characterization data for the plurality of WAN links, and providing the local policy to an SD-WAN edge device of the site.

Abstract: An example network system includes processing circuitry and one or more memories coupled to the processing circuitry. The one or more memories are configured to store instructions which, when executed by the processing circuitry, cause the network system to receive connection data related to an egress connection of an application service of an application. The instructions cause the network system to analyze the connection data to determine that the egress connection is an anomalous connection. The instructions cause the network system to generate a notification indicative of the egress connection being an anomalous connection and send the notification to a computing device.

Abstract: In some implementations, an egress network device of a multiprotocol label switching (MPLS) network may exchange Internet key exchange (IKE) messages with an ingress network device of the MPLS network to establish a security association between the egress network device and the ingress network device. The egress network device may receive an MPLS packet that includes an MPLS header, a secure MPLS data header, and an MPLS payload. The egress network device may process the MPLS header to determine a label associated with a label-switched path (LSP) and a secure function indicator. The egress network device may decrypt, using a secure function identified based on the secure MPLS data header, the MPLS payload to generate a decrypted packet. The egress network device may transmit the decrypted packet towards a destination device.