Abstract: Presented herein are techniques to facilitate infrastructure and policy orchestration in a shared workspace network environment. In one example, a method may include obtaining, by a service broker, a reservation request from a consumer network for a consumer, wherein the reservation request seeks a reservation to reserve, at least in part, at least one workspace device for the consumer for a workspace for a particular day and a particular time period; based on determining that the at least one workspace device is available, providing a response to the consumer network that includes a first indicator for identifying the reservation of the workspace and at least one second indicator identifying the at least one workspace device; and upon receiving a session request from the consumer network that includes the second indicator, establishing a management tunnel to interconnect the consumer network and the at least one workspace device via the service broker.

Abstract: In one embodiment, a method herein comprises: receiving, at a device, a registration request from a telemetry exporter that transmits telemetry data; generating, by the device, a telemetry configuration file for the telemetry exporter, the telemetry configuration file defining a policy for transmission of telemetry data from the telemetry exporter and an authentication token for the telemetry exporter; sharing, by the device, the policy with a security enforcer; and sending, by the device, the telemetry configuration file to the telemetry exporter, wherein the telemetry exporter is caused to connect with the security enforcer using the authentication token, send the telemetry configuration file to the security enforcer, and transmit collected telemetry data to the security enforcer, and wherein the security enforcer is caused to create a dynamic publish-subscribe stream for publishing the collected telemetry data received from the telemetry exporter based on the telemetry configuration file and the policy.

Abstract: Runtime security threats are detected and analyzed for serverless functions developed for hybrid clouds or other cloud-based deployment environments. One or more serverless functions may be received and executed within a container instance executing in a controlled and monitored environment. The execution of the serverless functions is monitored, using a monitoring layer in the controlled environment to capture runtime data including container application context statistics, serverless function input and output data, and runtime parameter snapshots of the serverless functions. Execution data associated with the serverless functions may be analyzed and provided to various supervised and/or unsupervised machine-learning models configured to detect and analyze runtime security threats.

Abstract: Techniques for distributed sub-controller permission for control of data-traffic flow within software-defined networking (SDN) mesh networks to limit control plane traffic of the network are described herein. A technique described herein includes a network node of a data-traffic path of an SDN mesh network obtaining SDN sub-controller permission from a border controller of the SDN mesh network. Further, the technique includes suppression of data traffic from sibling and children nodes of data-traffic path allied nodes to the data-traffic path allied nodes. The data-traffic path allied nodes include network nodes that are part of the data-traffic path of the SDN mesh network. Further still, the technique includes the transmission of data across the data-traffic path.

Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.

Abstract: Techniques and mechanisms for providing continuous integrity validation-based control plane communication in a container-orchestration system, e.g., the Kubernetes platform. A worker node generates a nonce and forwards the nonce to a master node while requesting an attestation token. Using the nonce, the master node generates the attestation token and replies back to the worker node with the attestation token. The worker node validates the attestation token with a CA server to ensure that the master node is not compromised. The worker node sends its authentication credentials to the master node. The master node generates a nonce and forwards the nonce to the worker node while requesting an attestation token. Using the nonce, the worker node generates the attestation token and replies back to the master node with the attestation token. The master node validates the attestation token with the CA server to ensure that the worker node is not compromised.

Abstract: Presented herein are techniques to facilitate infrastructure and policy orchestration in a shared workspace network environment. In one example, a method may include obtaining, by a service broker, a reservation request from a consumer network for a consumer, wherein the reservation request seeks a reservation to reserve, at least in part, at least one workspace device for the consumer for a workspace for a particular day and a particular time period; based on determining that the at least one workspace device is available, providing a response to the consumer network that includes a first indicator for identifying the reservation of the workspace and at least one second indicator identifying the at least one workspace device; and upon receiving a session request from the consumer network that includes the second indicator, establishing a management tunnel to interconnect the consumer network and the at least one workspace device via the service broker.

Abstract: In one embodiment, a method comprises: receiving, by a process, an executed function flow of a daisy chained serverless function-as-a-service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generating, by the process, a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; performing, by the process, a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detecting, by the process, one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigating, by the process, the one or more anomalies in the serverless flow graph.

Abstract: Methods are provided in which a domain name system (DNS) service obtains a lookup request for information about a source of a traffic flow being transmitted to a network resource external of a service cluster and performs, based on the lookup request, a lookup operation for a microservice that is the source of the traffic flow, among a plurality of microservices of the service cluster registered with the DNS service. The methods further include providing information about the microservice based on the lookup operation. The information includes at least a name of the microservice for visibility of the microservice external of the service cluster.

Abstract: Methods are provided in which a domain name system (DNS) service obtains a lookup request for information about a source of a traffic flow being transmitted to a network resource external of a service cluster and performs, based on the lookup request, a lookup operation for a microservice that is the source of the traffic flow, among a plurality of microservices of the service cluster registered with the DNS service. The methods further include providing information about the microservice based on the lookup operation. The information includes at least a name of the microservice for visibility of the microservice external of the service cluster.

Abstract: In one embodiment, a supervisory service for a wireless network obtains frequency-time Doppler profile information for an endpoint node attached to a first access point in the wireless network. The supervisory service uses the frequency-time Doppler profile information for the endpoint node as input to a machine learning model. The machine learning model is trained to output an action for the endpoint node with respect to the wireless network. The supervisory service causes the action for the endpoint node with respect to the wireless network to be performed.

Abstract: In one embodiment, a method comprises: receiving, by a parent network device providing at least a portion of a directed acyclic graph (DAG) according to a prescribed routing protocol in a low power and lossy network, a destination advertisement object (DAO) message, the DAO message specifying a target Internet Protocol (IP) address claimed by an advertising network device in the DAG and the DAO message further specifying a secure token associated with the target IP address; and selectively issuing a cryptographic challenge to the DAO message to validate whether the advertising network device generated the secure token.

Abstract: In one embodiment, a device in a wireless network receives telemetry data from a plurality of autonomous vehicles. The telemetry data is indicative of radio signal quality metrics experienced by the vehicles at a particular location over time. The device forms an array of wireless roaming thresholds by applying regression to the telemetry data. The device computes an optimum roaming threshold from the array of wireless roaming thresholds to be used by the vehicles when approaching the location. The device triggers, based on the computed optimum threshold, one or more of the autonomous vehicles to initiate access point roaming when approaching the particular location.

Abstract: Techniques for distributed sub-controller permission for control of data-traffic flow within software-defined networking (SDN) mesh networks to limit control plane traffic of the network are described herein. A technique described herein includes a network node of a data-traffic path of an SDN mesh network obtaining SDN sub-controller permission from a border controller of the SDN mesh network. Further, the technique includes suppression of data traffic from sibling and children nodes of data-traffic path allied nodes to the data-traffic path allied nodes. The data-traffic path allied nodes include network nodes that are part of the data-traffic path of the SDN mesh network. Further still, the technique includes the transmission of data across the data-traffic path.

Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.

Abstract: This disclosure describes techniques for identifying and reporting a space or individual that has been exposed to an infectious disease. An example method includes identifying sensor data related to one or more individuals in a space; determining, based on the sensor data, that a particular individual among the one or more individuals is infected with an infectious disease; generating a report requesting that the space be disinfected; and outputting the report to a computing device.

Abstract: In one embodiment, a method comprises: identifying, by a root network device of a directed acyclic graph (DAG) in a low power and lossy network, a child network device in the DAG, including identifying a first rank associated with the child network device; allocating, by the root network device, an allocated rank for the child network device, the allocated rank different from the first rank; and outputting, by the root network device, a message to the child network device specifying the allocated rank, the message causing the child network device to implement the allocated rank in the DAG, including causing the child network device to generate and output a Destination Oriented Directed Acyclic Graph (DODAG) information object (DIO) message specifying the child network device is using the allocated rank.

Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.

Abstract: Runtime security threats are detected and analyzed for serverless functions developed for hybrid clouds or other cloud-based deployment environments. One or more serverless functions may be received and executed within a container instance executing in a controlled and monitored environment. The execution of the serverless functions is monitored, using a monitoring layer in the controlled environment to capture runtime data including container application context statistics, serverless function input and output data, and runtime parameter snapshots of the serverless functions. Execution data associated with the serverless functions may be analyzed and provided to various supervised and/or unsupervised machine-learning models configured to detect and analyze runtime security threats.

Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.