Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

Abstract: In one embodiment, a master on-boarding agent establishes a virtual private network (VPN) connection with a local on-boarding agent executed by a gateway of a vehicle. The master on-boarding agent receives, via the VPN connection, vehicle data obtained by the local on-boarding agent from a co-pilot system of the vehicle. The master on-boarding agent configures, based on the received vehicle data, the gateway of the vehicle with a network configuration, wherein the network configuration includes an Internet Protocol (IP) address for the gateway. The master on-boarding agent coordinates, based on the network configuration, application of a security policy to the gateway.

Abstract: In one embodiment, a master on-boarding agent establishes a virtual private network (VPN) connection with a local on-boarding agent executed by a gateway of a vehicle. The master on-boarding agent receives, via the VPN connection, vehicle data obtained by the local on-boarding agent from a co-pilot system of the vehicle. The master on-boarding agent configures, based on the received vehicle data, the gateway of the vehicle with a network configuration, wherein the network configuration includes an Internet Protocol (IP) address for the gateway. The master on-boarding agent coordinates, based on the network configuration, application of a security policy to the gateway.

Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

Abstract: In one embodiment, a supervisory device in a network, configured to interact with one or more sensors positioned in a given area and with a conference room scheduling service, obtains an acoustic feature of the area from one or more of the sensors. The supervisory device makes a determination that a conference room should be reserved based on the acoustic feature and selects a particular conference room based on the determination that a conference room should be reserved. The supervisory device instructs a conference room scheduling service to reserve the particular conference room.

Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

Abstract: In one embodiment, a supervisory device in a network, configured to interact with one or more sensors positioned in a given area and with a conference room scheduling service, obtains an acoustic feature of the area from one or more of the sensors. The supervisory device makes a determination that a conference room should be reserved based on the acoustic feature and selects a particular conference room based on the determination that a conference room should be reserved. The supervisory device instructs a conference room scheduling service to reserve the particular conference room.

Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

Abstract: The present disclosure describes methods and systems for providing and enforcing scalable federated policies for network-provided flow-based performance metrics. Due to different security concerns related to different domains, varying group policies can be applied to different domains to ensure proper sharing and receipt of flow-based performance metrics. Some policies can limit the type of performance metric being shared among the nodes in the domain. Some policies allow less information to be exposed by specifying aggregated performance metrics to be shared among the nodes in the domain. A group key management infrastructure can be provided to enforce these group policies in the network in a scalable manner.

Abstract: Techniques are presented herein for enabling performance monitoring of flows within a management and provisioning tunnel used for communicating packets between a wireless controller and wireless access point devices. A wireless controller that is configured to communicate with at least one wireless access point obtains a packet to be sent to the wireless access point for wireless transmission in a wireless network by the wireless access point. The wireless controller identifies, based on the packet, traffic session flow information associated with the packet. The wireless controller encapsulates the packet with a tunneling header that comprises the traffic session flow information and sends the encapsulated packet to the wireless access point. The tunneling header may also comprise an application identifier (ID) associated with the packet.

Abstract: The present disclosure describes methods and systems for providing and enforcing scalable federated policies for network-provided flow-based performance metrics. Due to different security concerns related to different domains, varying group policies can be applied to different domains to ensure proper sharing and receipt of flow-based performance metrics. Some policies can limit the type of performance metric being shared among the nodes in the domain. Some policies allow less information to be exposed by specifying aggregated performance metrics to be shared among the nodes in the domain. A group key management infrastructure can be provided to enforce these group policies in the network in a scalable manner.

Abstract: The present disclosure describes a technique for performing performance monitoring of service chains. Variations on performance monitoring can include: passive monitoring, active monitoring, or hybrid monitoring. To provide performance monitoring, the Network Service Header (NSH) is modified to include telemetry information usable for monitoring the performance of a particular traffic flow being transported over a service path.

Abstract: In an example embodiment, a method for selecting a communication path is provided. The method may comprise receiving data encapsulated in a transport protocol. In addition, a classification type and exit path information associated with the classification type may be received. The data is associated with the classification type and then is encapsulated in Stream Control Transmission Protocol (SCTP) based on the exit path information. This exit path information is associated with the classification type that is associated with the data.

Abstract: A method is provided in one example embodiment and includes generating at a first network device Virtual Private Network (“VPN”) encapsulated packets with anonymized headers; maintaining a table mapping the anonymized headers to original headers of the VPN encapsulated packets; receiving a trace request from an initiator; generating from the received trace request an out-of-tunnel trace request toward a second network device via at least one intermediate network device using the anonymized headers; and forwarding the received trace request as an in-tunnel trace request through a VPN tunnel.

Abstract: Techniques are presented herein for enabling performance monitoring of flows within a management and provisioning tunnel used for communicating packets between a wireless controller and wireless access point devices. A wireless controller that is configured to communicate with at least one wireless access point obtains a packet to be sent to the wireless access point for wireless transmission in a wireless network by the wireless access point. The wireless controller identifies, based on the packet, traffic session flow information associated with the packet. The wireless controller encapsulates the packet with a tunneling header that comprises the traffic session flow information and sends the encapsulated packet to the wireless access point. The tunneling header may also comprise an application identifier (ID) associated with the packet.

Abstract: In an example embodiment, a method for selecting a communication path is provided. The method may comprise receiving data encapsulated in a transport protocol. In addition, a classification type and exit path information associated with the classification type may be received. The data is associated with the classification type and then is encapsulated in Stream Control Transmission Protocol (SCTP) based on the exit path information. This exit path information is associated with the classification type that is associated with the data.

Abstract: A method is provided in one example embodiment and includes generating at a first network device Virtual Private Network (“VPN”) encapsulated packets with anonymized headers; maintaining a table mapping the anonymized headers to original headers of the VPN encapsulated packets; receiving a trace request from an initiator; generating from the received trace request an out-of-tunnel trace request toward a second network device via at least one intermediate network device using the anonymized headers; and forwarding the received trace request as an in-tunnel trace request through a VPN tunnel.

Abstract: In an example embodiment, a method for selecting a communication path is provided. The method may comprise receiving data encapsulated in a transport protocol. In addition, a classification type and exit path information associated with the classification type may be received. The data is associated with the classification type and then is encapsulated in Stream Control Transmission Protocol (SCTP) based on the exit path information. This exit path information is associated with the classification type that is associated with the data.

Abstract: In one embodiment, a Home Agent receives a Mobile IP registration request from a group member, where the group member is a Mobile Node. The Home Agent generates a mobility binding for the group member that associates the group member with a care-of address, wherein the group member is a member of one or more groups. The Home Agent generates a Mobile IP registration reply, where the Mobile IP registration reply identifies one or more key servers. Each of the one or more key servers serves at least one of the one or more groups and is adapted for distributing group cryptography material to members of each group that is served by the corresponding key server. The Home Agent sends the Mobile IP registration reply to the group member, thereby enabling the group member to obtain cryptography material for at least one of the one or more groups from at least one of the one or more key servers to enable the group member to use the cryptography group material to securely communicate with other group members.

Abstract: In an example embodiment, there is disclosed an apparatus comprising a first interface configured to receive a packet from a client, a second interface configured to transmit the packet to a server, a third interface configured to communicate with at least one processing device, redirection module in communication with the first interface, the second interface and the third interface, and flow monitoring and state information module in communication with the first interface, the second interface, the third interface and the redirection module. Responsive to receipt of the packet on the first interface, the redirection module is operable to communicate with the flow monitoring and state information module whether state information exists for the packet, the state information comprising an address for a processing device. The redirection module is operable to route the packet to the processing device responsive to determining state information exists for the packet.