Patents Assigned to Juniper Networks
  • Patent number: 11895116
    Abstract: A network device obtains information, associated with blacklisted domains, that includes blacklisted domain identifiers, and sinkhole server identifiers associated with the blacklisted domain identifiers. The network device obtains a set of rules that specify match criteria, associated with the blacklisted domains, that include source network addresses and/or destination network addresses for comparison to packet source network addresses and/or packet destination network addresses associated with incoming packets. The set of rules specify actions to perform based on a result of comparing the match criteria and the packet source network addresses and/or the packet destination network addresses for the incoming packets.
    Type: Grant
    Filed: January 13, 2021
    Date of Patent: February 6, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Dilip H. Sanghavi, Rishi K. Mutnuru
  • Patent number: 11895228
    Abstract: A network device may establish a media access control security (MACsec) key agreement (MKA) session with another network device via a MACsec communication link; establish a fast heartbeat session via the MACsec communication link, between a first packet processing engine of the network device and a second packet processing engine of the other network device, where the fast heartbeat session is to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link; place an MKA protocol of the MKA session in a pause state until the first packet processing engine detects a rekey event; determine that a key for the MKA session is to be regenerated based on detection of the rekey event; and perform an action based on the rekey event for the MKA session.
    Type: Grant
    Filed: November 22, 2022
    Date of Patent: February 6, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Baba Syed Mazaz Hussain, Sachin Mutalik Desai
  • Patent number: 11895002
    Abstract: An example method includes receiving, by a computing system, a declarative testing descriptor for active testing of a virtualized service; obtaining, from an orchestration layer, metadata associated with the virtualized service, wherein the metadata specifies a unique name for a virtualized service within the namespace of a cluster managed by the orchestration layer; determining, by the computing system using the declarative testing descriptor and the metadata, an active testing configuration for an instance of the virtualized service; and starting an active test according to the active testing configuration and determining service level violations for the instance of the virtualized service based on a result of the active test.
    Type: Grant
    Filed: November 16, 2021
    Date of Patent: February 6, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: William Wennerström, Jorma Ikäheimo
  • Patent number: 11888738
    Abstract: This disclosure describes techniques that include collecting underlay flow data within a network and associating underlay flow data with a source and a destination virtual network to enable insights into network operation and performance. In one example, this disclosure describes a method that includes identifying, for each underlay data flow, a source overlay network and a destination overlay network associated with the underlay data flow, wherein identifying includes retrieving, from one or more Ethernet Virtual Private Network (EVPN) databases, information identifying the source and destination overlay networks.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Harshit Naresh Chitalia, Biswajit Mandal, Anita Kar
  • Patent number: 11888680
    Abstract: A computing device may receive, from a collector device, a request to subscribe, in a target-defined mode, to network telemetry data regarding a network element associated with the computing device. The computing device may, in response to receiving the request, provision a network telemetry sensor to operate in a working mode to collect the network telemetry data regarding the network element. The collector device may send, to the collector device, the network telemetry data collected by the network telemetry sensor, wherein the network telemetry data indicates the working mode of the network telemetry sensor.
    Type: Grant
    Filed: April 29, 2022
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventor: Yanqing Liu
  • Patent number: 11888733
    Abstract: A flexible-algorithm routing method comprises: receiving, by a first router, a route advertisement including a base node label, for a second router, associated with a segment routing path without flexible-algorithm, wherein the second router participates in a flexible-algorithm; deducing, by the first router and from the base node label, a node label, for the second router, associated with a segment routing path with the flexible-algorithm; and constructing, by the first router, a label stack including the node label for the second router to steer a packet to the second router via the segment routing path with the flexible-algorithm.
    Type: Grant
    Filed: September 27, 2020
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventor: Wai Tong Louis Chan
  • Patent number: 11888814
    Abstract: In general, techniques are described for managing address spaces across network elements. A network device including a processor may be configured to perform the techniques. The processor may execute a pool manager that automatically distributes a first block of network addresses to a first network element acting, for a first network, as a first address allocation server to assign the first block of network addresses. The pool manager may further automatically distribute a second block of contiguous network addresses to a second network element acting, for a second network, as a second address allocation server. The pool manager may then dynamically manage a size of the first block of network addresses and a size of the second block of network addresses to address exhaustion of available network addresses within either or both of the first block of network addresses and the second block of network addresses.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Nirmal Antony X, Sunil Madhaorao Gandhewar, Steven P. Onishi
  • Patent number: 11888877
    Abstract: A device receives network segment information identifying network segments associated with a network, and receives endpoint host session information identifying sessions associated with endpoint hosts communicating with the network. The device generates, based on the network segment information and the endpoint host session information, a data structure that includes information associating the network segments with the sessions associated with the endpoint hosts. The device updates the data structure based on changes in the sessions associated with the endpoint hosts and based on changes in locations of the endpoint hosts within the network segments, and identifies, based on the data structure, a particular endpoint host, of the endpoint hosts, that changed locations within the network segments. The device determines a threat policy action to enforce for the particular endpoint host, and causes the threat policy action to be enforced, by the network, for the particular endpoint host.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Prakash T. Seshadri, Binh Phu Le, Srinivas Nimmagadda, Jeffrey S. Marshall, Kartik Krishnan S. Iyyer
  • Patent number: 11888695
    Abstract: A network device receives a first message indicating that the network device is to operate according to a new configuration for a period of time and that the network device is to operate according to a user specified configuration upon expiration of the period of time without confirmation of the new configuration. The network device thereby causes the network device to operate according to the new configuration for the period of time, and then determines whether the network device received, prior to expiration of the period of time, confirmation of the new configuration. The network device selectively: causes the network device to operate according to the user specified configuration after expiration of the period of time, based on determining that confirmation was not received; or causes the network device to operate according to the new configuration after expiration of the period of time, based on determining confirmation was received.
    Type: Grant
    Filed: March 20, 2023
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventor: Polisetty Rama Subbaiah
  • Patent number: 11888679
    Abstract: An example method includes obtaining, by one or more processors, data indicating resource dependencies between a plurality of resources in a network and event dependencies between a plurality of network events and one or more of the plurality of resources; generating a Bayesian model based on resource types of the plurality of resources and event types of the plurality of network events; receiving an indication of a fault in the network; collecting fault data and generating, based on the Bayesian model and the fault data, a plurality of root cause hypotheses for the fault; ordering the plurality of root cause hypotheses based on respective root cause probabilities associated with the plurality of root cause hypotheses; and outputting the ordered plurality of root cause hypotheses.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Gert Grammel, Jayanthi R, Chandrasekhar A
  • Patent number: 11888714
    Abstract: This disclosure describes techniques for monitoring, scheduling, and performance management for virtualization infrastructures within networks. In one example, a computing system includes a plurality of different cloud-based compute clusters (e.g., different cloud projects), each comprising a set of compute nodes. Policy agents execute on the compute nodes to monitor performance and usage metrics relating to resources of the compute nodes. Policy controllers within each cluster deploy policies to the policy agents and evaluate performance and usage metrics from the policy agents by application of one or more rulesets for infrastructure elements of the compute cluster. Each of the policy controllers outputs data to a multi-cluster dashboard software system indicative of a current health status for the infrastructure elements based on the evaluation of the performance and usage metrics for the cluster.
    Type: Grant
    Filed: December 22, 2021
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Harshit Naresh Chitalia, Avi K. Patel, Parantap Roy, Travis Gregory Newhouse, Sumeet Singh, Neeren Shripad Patki
  • Patent number: 11886304
    Abstract: A network device may execute a master application communicating with another network device via a session, and may receive, by a backup application replication layer, a replicated data object. The backup application replication layer may provide the replicated data object to a backup application, and may calculate a time delta between when the replicated data object is received and when the replicated data object arrives at the backup application. The backup application replication layer may determine whether the time delta exceeds a first threshold or a second threshold, and may generate a session flag based on the time delta exceeding the first threshold or the second threshold. The backup application replication layer may provide the session flag to a master application replication layer and to the backup application, and the master application replication layer may provide details of the session to the master application and the backup application.
    Type: Grant
    Filed: June 22, 2022
    Date of Patent: January 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Amit Arora, Erin C. MacNeil, Harmeet Singh, Sairam Neelam
  • Patent number: 11882029
    Abstract: In some implementations, an ingress network device of a multiprotocol label switching (MPLS) network may receive a packet destined for a destination network device. The ingress network device may determine, based on the packet, a secure function to secure the packet and a label associated with a label-switched path (LSP) from the ingress network device to an egress network device of the MPLS network that is associated with the destination network device. The ingress network device may encrypt, using the secure function, the packet to generate an encrypted packet. The ingress network device may generate an MPLS packet comprising: an MPLS header that includes the label and a secure function indicator, a secure MPLS data header that includes information identifying the secure function, and an MPLS payload that includes the encrypted packet. The ingress network device may forward, based on the label, the MPLS packet.
    Type: Grant
    Filed: May 13, 2022
    Date of Patent: January 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Tarek Saad, Manish Talwar, Raveendra Torvi, Ajay Kachrani, Kireeti Kompella
  • Patent number: 11881963
    Abstract: Techniques are disclosed for disseminating network service-specific mapping information across administrative domains. In one example, a network device receives an indication of a route target and one or more underlay tunnels configured to support a service route. The service route is configured to transport network traffic associated with a first network service of a plurality of network services. The network device defines, based on the indication, a first transport class of a plurality of transport classes. The network device receives a service route for the first network service and stores a correspondence between the service route and the first transport class. The network device receives network traffic associated with the first network service and forwards, based on the correspondence, the network traffic along the underlay tunnels specified by the first transport class.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: January 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Kaliraj Vairavakkalai, Natrajan Venkataraman, Balaji Rajagopalan, Vasudevan Navaneetha Krishnan
  • Patent number: 11881997
    Abstract: In general, techniques are described for determining reorder commands for remote reordering of policy rules. A device management system comprising a memory, a processor, and an interface may be configured to perform the techniques. A memory may store a currently configured policy for a managed network device and an updated policy for the managed device. The processor may determine a longest increasing subsequence (LIS) between a source list comprising the plurality of policy rules in a first ordering and a destination list of the plurality of policy rules in a second ordering. The processor may generate, based on the LIS, one or more policy configuration commands for the managed network device that direct the managed network device to conform the currently configured policy to the updated policy. The interface may output the one or more policy configuration commands to the managed network device.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: January 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventor: Fnu Nadeem
  • Patent number: 11882006
    Abstract: Techniques are disclosed for a user interface for displaying a topology representation of infrastructure of a 5G Radio Access Network (RAN), such as an Open Radio Access Network (O-RAN) 5G infrastructure. For example, a computing system displays, via a user interface, first icons, each icon of the first icons representing first components providing Level-1 functionality for the O-RAN 5G infrastructure, such as non-real-time RAN Intelligent Controllers (RICs). The computing system receives, via the user interface, a selection of a first icon of the first icons. In response to the selection, the computing system displays, via the user interface, second icons, each icon of the second icons representing second components managed by a component of the first components corresponding to the selected first icon. The second components provide Level-2 functionality for the O-RAN 5G infrastructure, such as near-real-time RICs.
    Type: Grant
    Filed: December 30, 2022
    Date of Patent: January 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Lyubov Nesteroff, Mengjiao Sun, Bret Michael Bailey, Ojas Gupta, Burcu Sahin, Arda Akman, Bengi Mizrahi, Hongbin Xie
  • Patent number: 11880458
    Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.
    Type: Grant
    Filed: September 22, 2021
    Date of Patent: January 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Krishna Sathyanarayana, Anoop Wilbur Saldanha, Abhijit Mohanta
  • Patent number: 11882150
    Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.
    Type: Grant
    Filed: December 22, 2022
    Date of Patent: January 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Ashish Suresh Ghule, Jagadish Narasimha Grandhi
  • Patent number: 11882046
    Abstract: An example method includes receiving, from a network device, data indicating characterizations of network traffic on a plurality of ports of the network device; determining, by processing circuitry, for each port of the plurality of ports, an indicator of a port type for the port based on the data indicating the characterizations of network traffic on the plurality of ports, wherein the port type indicates a link type of network traffic exchanged by the port; and outputting, by the processing circuitry, the indicator of the port type to an output device.
    Type: Grant
    Filed: June 24, 2021
    Date of Patent: January 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Jisheng Wang, Xiaoying Wu, Swapnil Rajkumar Kura
  • Patent number: 11875175
    Abstract: A device may receive, from a virtual machine deployed on the device, a request to register for an event associated with a hardware component of the device, and may create a path to a script associated with providing information about the event when the event occurs. The device may provide the script to an event plugin associated with the event and the hardware component, and may register the event plugin with a kernel associated with the device. The device may receive, from the kernel, information indicating occurrence of the event associated with the hardware component, and may cause, via the event plugin, execution of the script based on the occurrence of the event associated with the hardware component. The device may provide, based on execution of the script, a notification to the virtual machine, where the notification may indicate the occurrence of the event associated with the hardware component.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: January 16, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Abhinav Tandon, Kaustubh Shantanu, Siva Krishna Gudivada