Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.

Abstract: Techniques and mechanisms for providing continuous integrity validation-based control plane communication in a container-orchestration system, e.g., the Kubemetes platform. A worker node generates a nonce and forwards the nonce to a master node while requesting an attestation token. Using the nonce, the master node generates the attestation token and replies back to the worker node with the attestation token. The worker node validates the attestation token with a CA server to ensure that the master node is not compromised. The worker node sends its authentication credentials to the master node. The master node generates a nonce and forwards the nonce to the worker node while requesting an attestation token. Using the nonce, the worker node generates the attestation token and replies back to the master node with the attestation token. The master node validates the attestation token with the CA server to ensure that the worker node is not compromised.

Abstract: Techniques for distributed sub-controller permission for control of data-traffic flow within software-defined networking (SDN) mesh networks to limit control plane traffic of the network are described herein. A technique described herein includes a network node of a data-traffic path of an SDN mesh network obtaining SDN sub-controller permission from a border controller of the SDN mesh network. Further, the technique includes suppression of data traffic from sibling and children nodes of data-traffic path allied nodes to the data-traffic path allied nodes. The data-traffic path allied nodes include network nodes that are part of the data-traffic path of the SDN mesh network. Further still, the technique includes the transmission of data across the data-traffic path.

Abstract: In one embodiment, a supervisory service for a wireless network obtains frequency-time Doppler profile information for an endpoint node attached to a first access point in the wireless network. The supervisory service uses the frequency-time Doppler profile information for the endpoint node as input to a machine learning model. The machine learning model is trained to output an action for the endpoint node with respect to the wireless network. The supervisory service causes the action for the endpoint node with respect to the wireless network to be performed.

Abstract: In one embodiment, a method comprises: receiving, by a parent network device providing at least a portion of a directed acyclic graph (DAG) according to a prescribed routing protocol in a low power and lossy network, a destination advertisement object (DAO) message, the DAO message specifying a target Internet Protocol (IP) address claimed by an advertising network device in the DAG and the DAO message further specifying a secure token associated with the target IP address; and selectively issuing a cryptographic challenge to the DAO message to validate whether the advertising network device generated the secure token.

Abstract: In one embodiment, a method comprises: receiving, by a parent network device providing at least a portion of a directed acyclic graph (DAG) according to a prescribed routing protocol in a low power and lossy network, a destination advertisement object (DAO) message, the DAO message specifying a target Internet Protocol (IP) address claimed by an advertising network device in the DAG and the DAO message further specifying a secure token associated with the target IP address; and selectively issuing a cryptographic challenge to the DAO message to validate whether the advertising network device generated the secure token.

Abstract: In one example, a wireless Access Point (AP) is configured to provide network connectivity between a User Equipment (UE) and a private wireless network. The wireless AP obtains, from the private wireless network, an indication that the UE is unregistered with the private wireless network. In response to the indication that the UE is unregistered with the private wireless network, the wireless AP provides, to the private wireless network, an indication to initiate an emergency attach procedure with respect to the UE. In response to the indication to initiate the emergency attach procedure, the wireless AP obtains, from the private wireless network, an indication that the UE is authorized to access the private wireless network. In response to the indication that the UE is authorized to access the private wireless network, the wireless AP provides guest access to the private wireless network on behalf of the UE.

Abstract: Techniques for identification and isolation of Internet-of-Things devices in an enterprise network are described. In one embodiment, a method includes detecting a plurality of devices having a first network interface to connect to a wireless wide area network and a second network interface to connect to an enterprise network. The method also includes identifying a first subset of the plurality of devices as Internet-of-Things (IoT) devices based on at least a detected repetition rate on a physical random access channel of a transmission made by a device of the plurality of devices. The method includes assigning the IoT devices to a separate network segment within the enterprise network.

Abstract: In one embodiment, a device in a wireless network receives telemetry data from a plurality of autonomous vehicles. The telemetry data is indicative of radio signal quality metrics experienced by the vehicles at a particular location over time. The device forms an array of wireless roaming thresholds by applying regression to the telemetry data. The device computes an optimum roaming threshold from the array of wireless roaming thresholds to be used by the vehicles when approaching the location. The device triggers, based on the computed optimum threshold, one or more of the autonomous vehicles to initiate access point roaming when approaching the particular location.

Abstract: In one example, a wireless Access Point (AP) is configured to provide network connectivity between a User Equipment (UE) and a private wireless network. The wireless AP obtains, from the private wireless network, an indication that the UE is unregistered with the private wireless network. In response to the indication that the UE is unregistered with the private wireless network, the wireless AP provides, to the private wireless network, an indication to initiate an emergency attach procedure with respect to the UE. In response to the indication to initiate the emergency attach procedure, the wireless AP obtains, from the private wireless network, an indication that the UE is authorized to access the private wireless network. In response to the indication that the UE is authorized to access the private wireless network, the wireless AP provides guest access to the private wireless network on behalf of the UE.

Abstract: Techniques and mechanisms for detecting and deducing of urgent messages in low-power and lossy networks (LLNs) using a correlation analysis of the nodes within a network and machine learning (ML) models. Utilizing these techniques, a field network director (FND) of the network can determine neighboring devices within the network. ML models may be utilized to determine that based upon receipt of a power outage notification (PON) message and/or a power restoration notification (PRN) message from nodes, neighboring nodes of the nodes may also have suffered a power outage and/or a subsequent power restoration, even if the FND did not receive a corresponding PON message and/or a corresponding PRN message from the neighboring nodes of the network. Thus, loss of power and subsequent power restoration may be handled for large numbers of neighboring nodes within the network, even when only a few PON messages and/or subsequent PRN messages are received.

Abstract: In one embodiment, a device in a wireless network receives telemetry data from a plurality of autonomous vehicles. The telemetry data is indicative of radio signal quality metrics experienced by the vehicles at a particular location over time. The device forms an array of wireless roaming thresholds by applying regression to the telemetry data. The device computes an optimum roaming threshold from the array of wireless roaming thresholds to be used by the vehicles when approaching the location. The device triggers, based on the computed optimum threshold, one or more of the autonomous vehicles to initiate access point roaming when approaching the particular location.

Abstract: Techniques for optimizing performance of narrowband Internet-of-Things (NB-IoT) devices in a wireless wide area network (WWAN) are described. In one embodiment, a method includes providing a NB-IoT base station in an in-band deployment mode to operate within a WWAN. The NB-IoT base station is configured to use a physical resource block of the WWAN for communicating with a plurality of NB-IoT devices. The method includes causing a reduction of a power level for a transmission from an initial power level to a first reduced power level. The method includes obtaining parameters associated with performance and throughput for the WWAN and comparing the parameters to a quality threshold. Based on the comparison of the parameters to the threshold, the method includes determining whether or not to reduce the power level for the physical resource block from the first reduced power level to a second reduced power level.

Abstract: Techniques for optimizing performance of narrowband Internet-of-Things (NB-IoT) devices in a wireless wide area network (WWAN) are described. In one embodiment, a method includes providing a NB-IoT base station in an in-band deployment mode to operate within a WWAN. The NB-IoT base station is configured to use a physical resource block of the WWAN for communicating with a plurality of NB-IoT devices. The method includes causing a reduction of a power level for a transmission from an initial power level to a first reduced power level. The method includes obtaining parameters associated with performance and throughput for the WWAN and comparing the parameters to a quality threshold. Based on the comparison of the parameters to the threshold, the method includes determining whether or not to reduce the power level for the physical resource block from the first reduced power level to a second reduced power level.

Abstract: Techniques for identification and isolation of Internet-of-Things devices in an enterprise network are described. In one embodiment, a method includes detecting a plurality of devices having a first network interface to connect to a wireless wide area network and a second network interface to connect to an enterprise network. The method also includes identifying a first subset of the plurality of devices as Internet-of-Things (IoT) devices based on at least a detected repetition rate on a physical random access channel of a transmission made by a device of the plurality of devices. The method includes assigning the IoT devices to a separate network segment within the enterprise network.

Abstract: In one embodiment, a method comprises: receiving, by a parent network device providing at least at portion of a directed acyclic graph (DAG) according to a prescribed routing protocol in a low power and lossy network, a destination advertisement object (DAO) message, the DAO message specifying a target Internet Protocol (IP) address claimed by an advertising network device in the DAG and the DAO message further specifying a secure token associated with the target IP address; and selectively issuing a cryptographic challenge to the DAO message to validate whether the advertising network device generated the secure token.

Abstract: In one embodiment, a method comprises: identifying, by a root network device of a directed acyclic graph (DAG) in a low power and lossy network, a child network device in the DAG, including identifying a first rank associated with the child network device; allocating, by the root network device, an allocated rank for the child network device, the allocated rank different from the first rank; and outputting, by the root network device, a message to the child network device specifying the allocated rank, the message causing the child network device to implement the allocated rank in the DAG, including causing the child network device to generate and output a Destination Oriented Directed Acyclic Graph (DODAG) information object (DIO) message specifying the child network device is using the allocated rank.