Abstract: Techniques for virtualizing tenant transport interfaces configured to implement per-tenant network routing attribute differentiation in each tenant overlay of a multisite wide area network (WAN) and share the virtual transport interfaces between multi-tenant edge (MTE) devices providing transport services to tenant devices based on a defined tenant tier model. A Software-Defined Networking (SDN) controller may receive a physical transport interface and/or a device type associated with a tenant device. The SDN controller may determine a virtual transport interface for the tenant device based on a tier associated with the tenant. MTE device(s) may utilize the physical transport interface to establish sessions with other MTE device(s) in the WAN. The virtual transport interface may be utilized by MTE devices to implement and/or enforce network routing attributes when forwarding network traffic associated with the tenant via the sessions established between the MTE devices through the WAN.

Abstract: Techniques for virtualizing tenant transport interfaces configured to implement per-tenant network routing attribute differentiation in each tenant overlay of a multisite wide area network (WAN) and share the virtual transport interfaces between multi-tenant edge (MTE) devices providing transport services to tenant devices based on a defined tenant tier model. A Software-Defined Networking (SDN) controller may receive a physical transport interface and/or a device type associated with a tenant device. The SDN controller may determine a virtual transport interface for the tenant device based on a tier associated with the tenant. MTE device(s) may utilize the physical transport interface to establish sessions with other MTE device(s) in the WAN. The virtual transport interface may be utilized by MTE devices to implement and/or enforce network routing attributes when forwarding network traffic associated with the tenant via the sessions established between the MTE devices through the WAN.

Abstract: In one embodiment, a method includes onboarding, by an edge router, a first tenant from a network management system and determining, by the edge router, a mapping of a tenant identifier associated with the first tenant to a controller identifier associated with a controller. The method also includes reserving, by the edge router, a port number in a kernel for the first tenant and inserting, by the edge router, the tenant identifier into a first control packet. The method further includes communicating, by the edge router, the first control packet to the controller via an encrypted control connection during a first peering session. The first peering session shares the encrypted control connection with a second peering session.

Abstract: According to certain embodiments, a method by a network device includes receiving a handshake message for a traffic flow from a Software-Defined Wide-Area Network (SDWAN) and determining, from a traffic policy, whether the traffic flow should be symmetrical. In response to determining from the traffic policy that the traffic flow should be symmetrical, the method further includes performing a flow lookup on the traffic flow to determine if the network device originated the traffic flow. In response to determining that the network device did not originate the traffic flow, the method further includes determining a second network device that originated the traffic flow and sending the handshake message for the traffic flow to the second network device in order to maintain symmetry for the traffic flow.

Abstract: In one embodiment, a method includes onboarding, by an edge router, a first tenant from a network management system and determining, by the edge router, a mapping of a tenant identifier associated with the first tenant to a controller identifier associated with a controller. The method also includes reserving, by the edge router, a port number in a kernel for the first tenant and inserting, by the edge router, the tenant identifier into a first control packet. The method further includes communicating, by the edge router, the first control packet to the controller via an encrypted control connection during a first peering session. The first peering session shares the encrypted control connection with a second peering session.

Abstract: In one embodiment, a method includes receiving one or more 5G software-defined wide area network (SD-WAN) policies, identifying one or more identity-based policies from the one or more 5G SD-WAN policies, communicating the identified one or more identity-based policies to one or more WAN routers, communicating one or more 5G bindings to the one or more WAN routers, and applying the identified one or more identity-based policies to one or more flows between the one or more WAN routers.

Abstract: In one embodiment, a method includes onboarding, by an edge router, a first tenant from a network management system and determining, by the edge router, a mapping of a tenant identifier associated with the first tenant to a controller identifier associated with a controller. The method also includes reserving, by the edge router, a port number in a kernel for the first tenant and inserting, by the edge router, the tenant identifier into a first control packet. The method further includes communicating, by the edge router, the first control packet to the controller via an encrypted control connection during a first peering session. The first peering session shares the encrypted control connection with a second peering session.

Abstract: In one embodiment, a method includes identifying, by a router, a first tenant. The first tenant is associated with a first tenant virtual private network (VPN). The method also includes determining, by the router, a mapping of the first tenant VPN to a first device VPN and generating, by the router, a first label representing the first device VPN. The method further includes adding, by the router, the first label to a first network packet and communicating, by the router, the first network packet with the first label to a controller.

Abstract: A method for allocating resources of a virtual controller is disclosed. The method comprises: allocating resources of a virtual controller to a first tenant, wherein the first tenant is allocated a first tenant quantity of guaranteed resources of the virtual controller and a second tenant is allocated a second tenant quantity of guaranteed resources of the virtual controller; determining that resources requested by the first tenant are greater than the first tenant quantity of guaranteed resources; determining that the virtual controller has unutilized resources sufficient to at least partially provide additional resources beyond the first tenant quantity of guaranteed resources to the first tenant; and temporarily provisioning the additional resources to the first tenant, wherein the additional resources are greater than the first tenant quantity of guaranteed resources.

Abstract: The present technology addresses a need in the art for an automated and scalable mechanism to authorize a containerized process. An aspect of the present technology deals with authorizing an unprivileged process by a privileged process without embedding credentials or network access at the time of validation. The present technology provides the possibility for the privileged process to continuously (dynamically) validate the authenticity of the unprivileged process by performing a plurality of operations to ensure the unprivileged process has maintained its authenticity while having access to sensitive information.

Abstract: In accordance with various implementations, a method is performed at a data plane node with one or more processors, non-transitory memory, and a control interface between a network function module associated with the data plane node and a switch associated with the data plane node. The method includes determining whether an offload capability is available for a data flow received at an ingress network interface of the data plane node. The method also includes determining whether the data flow satisfies offload criteria in response to determining that the offload capability is available. The method includes bypassing the network function module associated with the data plane node and providing the data flow to at least one of the switch associated with the data plane node or an egress network interface associated with the data plane node in response to determining the offload capability is available and the offload criteria is satisfied.

Abstract: In one embodiment, a method includes assigning a number of threads for user plane functions to a corresponding number of transmit queues for transmission of packets on a network interface, assigning additional threads exceeding the number of transmit queues to software transmission queues associated with the threads assigned to the transmit queues, identifying a load at each of the threads, dynamically updating assignment of the additional threads to the software transmission queues based on the load at the threads, and transmitting packets from the transmit queues for transmission on a network from a physical interface at a network device. An apparatus and logic are also disclosed herein.

Abstract: In accordance with various implementations, a method is performed at a data plane node with one or more processors, non-transitory memory, and a control interface between a network function module associated with the data plane node and a switch associated with the data plane node. The method includes determining whether an offload capability is available for a data flow received at an ingress network interface of the data plane node. The method also includes determining whether the data flow satisfies offload criteria in response to determining that the offload capability is available. The method includes bypassing the network function module associated with the data plane node and providing the data flow to at least one of the switch associated with the data plane node or an egress network interface associated with the data plane node in response to determining the offload capability is available and the offload criteria is satisfied.

Abstract: In accordance with various implementations, a method is performed at a data plane node with one or more processors, non-transitory memory, and a control interface between a network function module associated with the data plane node and a switch associated with the data plane node. The method includes determining whether an offload capability is available for a data flow received at an ingress network interface of the data plane node. The method also includes determining whether the data flow satisfies offload criteria in response to determining that the offload capability is available. The method includes bypassing the network function module associated with the data plane node and providing the data flow to at least one of the switch associated with the data plane node or an egress network interface associated with the data plane node in response to determining the offload capability is available and the offload criteria is satisfied.

Abstract: In accordance with various implementations, a method is performed at a data plane node with one or more processors, non-transitory memory, and a control interface between a network function module associated with the data plane node and a switch associated with the data plane node. The method includes determining whether an offload capability is available for a data flow received at an ingress network interface of the data plane node. The method also includes determining whether the data flow satisfies offload criteria in response to determining that the offload capability is available. The method includes bypassing the network function module associated with the data plane node and providing the data flow to at least one of the switch associated with the data plane node or an egress network interface associated with the data plane node in response to determining the offload capability is available and the offload criteria is satisfied.

Abstract: Disclosed is a method that includes periodically observing packets in a user plane according to at least one key performance indicator in a configuration file to yield an observation, wherein the observation represents a closed-loop demand of resources within the user plane. The method includes adjusting, via a scheduler in the user plane and based on the observation, a binding of cores to work items. The binding between cores and work items is dynamic and changeable to improve performance. The at least one key performance indicator can include one or more of a CPU utilization, latency and packet drops. The workload allocations can include work items that are individually scheduleable functions that operate on a queue of packets within the user plane.

Abstract: In one embodiment, a method includes assigning a number of threads for user plane functions to a corresponding number of transmit queues for transmission of packets on a network interface, assigning additional threads exceeding the number of transmit queues to software transmission queues associated with the threads assigned to the transmit queues, identifying a load at each of the threads, dynamically updating assignment of the additional threads to the software transmission queues based on the load at the threads, and transmitting packets from the transmit queues for transmission on a network from a physical interface at a network device. An apparatus and logic are also disclosed herein.