Patents Assigned to Juniper Networks
-
Patent number: 11165701
Abstract: A network device may receive, from a first network, a network packet of a first network packet type that encapsulates a fragment of a second network packet of a second network packet type, where the network packet is part of a flow of a plurality of network packets of the first network packet type that encapsulates fragments of the second network packet, and where the network packet includes a flow label that indicates a source port for the second network packet. The network device may perform an anti-spoof check on the fragment of the second network packet based at least in part on the source port for the second network packet that is indicated by the flow label of the network packet. The network device may, based on the fragment passing the anti-spoof check, forward the fragment of the second network packet to a second network.
Type: Grant
Filed: March 31, 2020
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Ashish Suresh Ghule, Jagadish Narasimha Grandhi
-
Patent number: 11165681
Abstract: A network device may receive a message. The network device may determine that the message includes return information indicating a path to an initial device that generated the message. The network device may modify the message by adding an upstream device identifier, wherein the upstream device identifier identifies a device from which the message is received. The network device may modify the message by adding an indication of whether the initial device is reachable by the network device using a segment identifier. The network device may provide the modified message to a downstream device.
Type: Grant
Filed: September 27, 2019
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Reji Thomas, Ronald Bonica
-
Patent number: 11165750
Abstract: In general, techniques are described for creating a flexible services-based pipeline for firewall filter processing. A network device may be configured to perform the techniques. In one example, a method includes receiving, by a network device, data defining a plurality of firewall filter processing services, the data defining an order in which to apply services of the plurality of firewall filter processing services to firewall filters; configuring, by the network device and based on the received data, an execution engine pipeline to include the plurality of firewall filter processing services in the defined order; prior to programming a received firewall filter to hardware of the network device for filtering network traffic, processing the firewall filter by the execution engine pipeline to produce a processed firewall filter; and programming, by the network device, the processed firewall filter to the hardware for filtering the network traffic.
Type: Grant
Filed: March 29, 2019
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Sandeep H R, Rajat Rastogi, Vinod B C
-
Patent number: 11165695
Abstract: A label switch router (LSR) in a label-switched path (LSP) may receive, from an ingress edge LSR, a Multi-Protocol Label Switching (MPLS) echo request, where the LSP includes a tunnel having details that are hidden by a Nil Forward Equivalency Class (FEC). The LSR may determine whether the LSR is an egress node for the tunnel in the LSP based at least in part on one or more labels in the MPLS echo request. The LSR may, in response to determining that the LSR is the egress node for the tunnel in the LSP, send an MPLS echo reply that indicates the LSR as being the egress node for the tunnel in the LSP.
Type: Grant
Filed: April 16, 2020
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Arunkumar P, Deepti Nirmalkumarji Rathi
-
Patent number: 11165691
Abstract: This disclosure describes techniques relating to assigning unique segment identifiers (SIDs) in a segment routing network. In one example, this disclosure describes a method that includes receiving, by a computing system and from a node on a network, a request to allocate a segment identifier for use in a segment routing network; allocating, by the computing system and from a block of addresses, an assigned segment identifier; responding to the request by outputting, by the computing system and over the network to the node, information about the assigned segment identifier; and maintaining the assigned segment identifier.
Type: Grant
Filed: May 19, 2020
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Kireeti Kompella, Ronald P. Bonica
-
Patent number: 11165648
Abstract: A device may obtain information concerning a potential network and may process the information concerning the potential network to determine a plurality of configuration parameters associated with the potential network. The device may determine, based on the plurality of configuration parameters, at least one network configuration profile. The device may generate, based on the at least one network configuration profile, a network configuration test plan and may cause one or more network devices to be tested according to the network configuration test plan.
Type: Grant
Filed: September 26, 2019
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Anil Kumar Bollineni, Ruiyan Shi, Rui Ma, Juguang Huang, Lei Wang, Yinghong Tong, Wei Zhao, Ming Lei
-
Patent number: 11165647
Abstract: A controller device manages a plurality of network devices. The controller device includes one or more processing units implemented in circuitry and configured to maintain a graph data structure representing device level configuration schemas for the plurality of network devices, the graph data structure including trie nodes for every first device level configuration schema element for a first model of a version of network device of the plurality of network devices; obtain corresponding second device level configuration schema elements based on a path for a second model of the version of the network device; determine a deviation between the second device level configuration schema element and the first device level configuration schema; and update the trie node to add a branch to a node representing the second device level configuration schema element.
Type: Grant
Filed: June 28, 2019
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Chandrasekhar A, Rahamath Sharif
-
Patent number: 11163879
Abstract: A device may identify a plurality of files for a multi-file malware analysis. The device may execute the plurality of files in a malware testing environment. The device may monitor the malware testing environment for behavior indicative of malware. The device may detect the behavior indicative of malware. The device may perform a first multi-file malware analysis or a second multi-file malware analysis based on detecting the behavior indicative of malware. The first multi-file malware analysis may include a partitioning technique that partitions the plurality of files into two or more segments of files to identify a file, included in the plurality of files, that includes malware. The second multi-file malware analysis may include a scoring technique that modifies a plurality of malware scores, corresponding to the plurality of files, to identify the file, included in the plurality of files, that includes malware.
Type: Grant
Filed: April 24, 2017
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Jacob Asher Langton, Daniel J. Quinlan, Kyle Adams, Declan Conlon
-
Patent number: 11165527
Abstract: In general, various aspects of the techniques described in this disclosure provide time synchronization for encrypted traffic in a computer network. In one example, the disclosure describes an apparatus, such as a network device, having a control unit for a network device in a computerized network having a topology of network devices; and a forwarding unit operative to determine a release time for sending a synchronization packet in accordance with a time synchronization protocol; modify the synchronization packet to include a release timestamp specifying the release time; sending a time value via sideband data associated with the synchronization packet, wherein the time value is based on the release time specified by the release timestamp; and schedule transmission of the synchronization packet for a time corresponding to the time value in the sideband data, the synchronization packet to be transmitted to a destination network device.
Type: Grant
Filed: December 20, 2019
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: John D. Johnson, Arthur T. Leung, Don Mark Royals, Jonathan B. Sadowsky
-
Patent number: 11165598
Abstract: This disclosure describes techniques for improved multicasting of source VLAN multicast traffic. For example, a method includes receiving, by a switch device within a data center of a leaf and spine network, multicast traffic from a multicast source; sending, by the switch device and to a border device within the data center that is communicatively coupled to a multicast rendezvous point external to the data center, a source-active routing message to indicate that the switch device is receiving multicast traffic from the multicast source; receiving, by the switch device and from the border device, a response routing message including an extended community that indicates whether there are any interested multicast receivers; and configuring, by the switch device, a forwarding engine of the switch device based on the extended community.
Type: Grant
Filed: December 20, 2019
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Vikram Nagarajan, Princy T. Elizabeth, Michal Styszynski
-
Patent number: 11165697
Abstract: The disclosure describes examples where a first data center includes a first gateway router, a first set of computing devices, and a second set of computing devices. The first set of computing devices is configured to execute a software defined networking (SDN) controller cluster to facilitate operation of one or more virtual networks within the first data center. The second set of computing devices is configured to execute one or more control nodes to exchange route information, between the first gateway router and a second gateway router of a second data center different than the first data center, for a virtual network between computing devices within the second data center, and to communicate control information for the second data center to the second set of computing devices, wherein the one or more control nodes form a subcluster of the SDN controller cluster.
Type: Grant
Filed: December 28, 2018
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Sreelakshmi Sarva, Nagendra Prasath Maynattamai Prem Chandran, Suresh Kumar Vinapamula Venkata, Richard Roberts
-
Patent number: 11164893
Abstract: In radio-frequency (RF) devices integrated on semiconductor-on-insulator (e.g., silicon-based) substrates, RF losses may be reduced by increasing the resistivity of the semiconductor device layer in the vicinity of (e.g., underneath and/or in whole or in part surrounding) the metallization structures of the RF device, such as, e.g., transmission lines, contacts, or bonding pads. Increased resistivity can be achieved, e.g., by ion-implantation, or by patterning the device layer to create disconnected semiconductor islands.
Type: Grant
Filed: April 30, 2020
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: John Sonkoly, Erik Johan Norberg
-
Patent number: 11163600
Abstract: An orchestrator component, of a host device, may establish a connection to a bridge associated with the host device, where multiple virtual machines are executing on the host device. The orchestrator component may provide, to one or more of the multiple virtual machines, a notification about the bridge associated with the host device, where the notification is to permit the one or more of the multiple virtual machines to connect to the bridge. The orchestrator component may obtain one or more dynamic parameters relating to the host device, and may provide the one or more dynamic parameters for transmission to the one or more of the multiple virtual machines via the bridge to permit the one or more of the multiple virtual machines to receive and process the one or more dynamic parameters.
Type: Grant
Filed: August 28, 2019
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Abhinav Tandon, Kaustubh Shantanu, Siva Krishna Gudivada
-
Patent number: 11165625
Abstract: A network device intercepts, from an application associated with a user space, a request message associated with obtaining information regarding a network state from a kernel. The network device directs the request message to a service daemon of the user space based on intercepting the request message, and determines, using the service daemon, network state information regarding the network state. The network device intercepts, from the service daemon, a response message associated with providing the network state information to the application, and directs an altered response message to the application based on intercepting the response message such that the altered response message identifies the kernel as a source of the response message and not the service daemon as the source of the response message.
Type: Grant
Filed: August 28, 2018
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Amit Kumar Rao, Erin C. MacNeil, Sairam Neelam
-
Patent number: 11165684
Abstract: In general, this disclosure describes a network device that checks consistency between routing objects in a routing information base (RIB), a forwarding information base (FIB), and packet forwarding engine (PFE) forwarding tables. A method includes generating a marker that causes a routing protocol daemon, a control plane kernel, and PFEs of a network device to calculate zonal checksums for a plurality of zones using consistency values for each routing object within a RIB, a FIB, and corresponding forwarding tables respectively. The method includes performing a consistency check on the RIB, the FIB, and the forwarding tables to determine whether the routing objects in each of the RIB, the FIB, and the forwarding tables are consistent with each other. The method includes, when the RIB, the FIB, and the forwarding tables are not consistent, performing an action related to at least one of RIB, the FIB, or the forwarding tables.
Type: Grant
Filed: March 31, 2020
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Vasudevan Navaneetha Krishnan, Raveendra Torvi, Srikanth Venakta Gandiboyina, Ashish Kumar, Srihari Ramachandra Sangli, Jimmy Jose, Amit Arora, Harmeet Singh
-
Providing convergence prioritization for border gateway protocol services across providers/customers
Patent number: 11165696
Abstract: A network device may receive convergence prioritization data identifying one or more handling configurations for border gateway protocol update messages. The network device may assign a plurality of table priority values to a respective plurality of border gateway protocol tables associated with a respective plurality of entities based on parameters included in the convergence prioritization data. The network device may assign a plurality of queue priority values to a respective plurality of queues of the plurality of border gateway protocol tables based on the convergence prioritization data. The network device may create one or more border gateway protocol update messages based on the plurality of queue priority values and based on traversing the plurality of border gateway protocol tables using the plurality of table priority values. The network device may provide the one or more border gateway protocol update messages to one or more other network devices.
Type: Grant
Filed: November 27, 2019
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventor: Suneesh Babu
-
Patent number: 11166326
Abstract: A device may utilize a point-to-point protocol over Ethernet (PPPoE) and a point-to-point protocol (PPP) to register the device with a core network, and may establish a first packet data unit (PDU) session with the core network based on the PPPoE and the PPP. The device may configure the first PDU session, based on the PPPoE and the PPP, to provide a first service, and may generate first keep alive messages to maintain the first PDU session. The device may establish a second PDU session with the core network based on the PPPoE and the PPP, and may configure the second PDU session based on the PPPoE and the PPP, where the second PDU session is configured to provide a second service that is different than the first service. The device may generate second keep alive messages to maintain the second PDU session.
Type: Grant
Filed: January 21, 2020
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventor: Venkatesh Padebettu
-
Patent number: 11165744
Abstract: An example network device executes a plurality of virtual machines (VMs). The network device is configured to determine to assign a number of Internet protocol (IP) addresses to the plurality of VMs, the number of IP addresses being greater than two, determine a first IP address, determine a range value that is equal to or greater than the number of IP addresses, generate a message according to Duplicate Address Protocol (DAD) including data indicating that the message includes a range of addresses, the data further indicating the first IP address and the range value; and send the message according to DAD via the network interface to one or more network devices to determine whether any IP address in a range starting with the first IP address and through the range value is in use by the one or more network devices.
Type: Grant
Filed: December 27, 2018
Date of Patent: November 2, 2021
Assignee: Juniper Networks, Inc.
Inventors: Manoj Nayak, Rafik Puttur, Beena Krishne Gowda
-
Patent number: 11159366
Abstract: Techniques are described for providing a controller to configure, within a given namespace, a virtual network for a pod and an application service address for an application service to enable access to the pod. For example, the controller may configure in each namespace a virtual network for a logically-related group of one or more containers (“pod”) and application service address for an application service that is an abstraction which defines a logical set of pods and a policy by which to access the pods (e.g., load balancing). Techniques are also described for providing a controller to configure controller configures the service chain by configuring the left interface of a service node with a virtual routing and forwarding instance (VRF) identifying the pod of a first namespace and the right interface of the service node with a VRF identifying the application service of a second namespace.
Type: Grant
Filed: September 28, 2018
Date of Patent: October 26, 2021
Assignee: Juniper Networks, Inc.
Inventors: Aniket J. Gawade, Yuvaraja Mariappan, Sachchidanand Vaidya
-
Patent number: 11159487
Abstract: Techniques are described for configuring a one or more perimeter firewalls positioned on the perimeter of a data center based on security group information associated with an internal virtual firewall operating within one or more software defined networks (SDN) within the data center. For example, a Security Management System (SMS) may access a centralized network controller (CNC) for an SDN within the data center to obtain security group information for a virtual firewall of the SDN, wherein the security group information specifies a cluster of virtual machines of the software defined network that is protected by the virtual firewall; and automatically configuring, with the SMS, a perimeter firewall positioned on the edge of the data center with one or more security policies based on the security group information from the virtual firewall of the SDN.
Type: Grant
Filed: February 26, 2019
Date of Patent: October 26, 2021
Assignee: Juniper Networks, Inc.
Inventors: Tayib Ahmed, Arulraj S, Muthukrishnan Gurusamy, Kavya Naik K