Abstract: In one embodiment, a controller for an overhead mesh of access points in an area receives an indication from one or more access points of the overhead mesh that a client device is present in the area. The controller determines movements of the client device within the area. The controller selects a set of access points of the overhead mesh to support communications between the client device and the overhead mesh, based on the movements of the client device determined by the controller. The controller causes the controller, the set of access points to form communication schedules to support communications with the client device that do not require a prior association exchange with the client device.

Abstract: In one embodiment, an access point of an overhead mesh of access points in an area selects a range of client identifiers. The access point sends, via a beam cone transmitted in a substantially downward direction towards a floor of the area, a trigger signal that includes the range of client identifiers and prompts client devices having identifiers in that range to send best effort transmissions towards the overhead mesh. The access point detects a collision between the best effort transmissions of the client devices. The access point adjusts the range of client identifiers so as to avoid future collisions between the best effort transmissions of the client devices.

Abstract: In one embodiment, a device registers with a controller for a mesh of overhead access points. The device receives, from the controller, a communication schedule for the device. The device generates a message to be sent to the mesh of overhead access points. The device transmits, according to the communication schedule, the message as a beam cone directed substantially upward relative to the device towards the mesh of overhead access points. The message is received and relayed by one or more particular access points in the mesh without the device previously performing a wireless association exchange with those one or more particular access points.

Abstract: Methods are provided to determine validity of a MAC address. The methods involve obtaining a media access control (MAC) address validity message that indicates a plurality of valid MAC addresses in the wireless network using a fully-exploded format or a probabilistic data structure and determining whether a MAC address is valid based on the MAC address validity message. Other methods involve obtaining a query regarding a validity of a media access control (MAC) address, determining whether the MAC address is a value included in a data set of expected values of a probabilistic data structure. The data set represents a list of MAC addresses. The other methods involve determining whether the MAC address is valid in the wireless network based on determining whether the MAC address is the value included in the data set and providing a response indicating whether the MAC address is valid.

Abstract: A method is performed at a mesh access point (MAP) of a mesh network in which MAPs are configured to communicate with each other over wireless backhaul links. The method includes: receiving, from a first wireless client having a first client address, client traffic destined for a second wireless client having a second client address, the client traffic including a first source address that represents the first client address, and a first destination address that represents the second client address; generating a first obfuscated source address that differs from the first client address; replacing the first source address in the client traffic with the first obfuscated source address; and transmitting the client traffic with the first obfuscated source address in place of the first source address to a next MAP of the MAPs over a wireless backhaul link for subsequent forwarding to the second wireless client.

Abstract: A user device connected to a wireless network maintains session persistence through a MAC address change of a user device. The user device establishes a multi-path communication session including a first subflow associated with a first MAC address for the user device. When the user device changes from the first MAC address to a second MAC address. the user device establishes a second subflow of the multi-path communication session. The second subflow is associated with the second MAC address. After establishing the second subflow associated with the second MAC address, the user device ends the first subflow associated with the first MAC address.

Abstract: In one embodiment, a controller identifies access points forming an overhead mesh of access points in an area, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The controller determines coverage areas on the floor of the area for the one or more directional transmitters of the access points in the overhead mesh. The controller generates, based on the coverage areas, alternating communication schedules for the access points such that a client device at any given location on the floor of the area is within range of a plurality of receiving access points in the overhead mesh and at least one transmitting access point in the overhead mesh at a certain point in time. The controller sends the communication schedules to the access points.

Abstract: In one embodiment, a client device enters an area having an overhead mesh of access points, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The client device obtains an area-dependent communication schedule for the overhead mesh that is exclusive or partially-exclusive to the client device for the area. The client device sends, during an arbitrary timeslot of the area-dependent communication schedule, a pull request. The client device receives, from a particular access point in the overhead mesh, a packet in response to the pull request.

Abstract: In one embodiment, a controller identifies access points forming an overhead mesh of access points in an area, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The controller assigns the access points to access point groups. The controller generates communication schedules for the access points such that each access point in an access point group is on a common channel and only one of neighboring directional transmitters of access points in that group is able to transmit at any given time. The controller sends the communication schedules to the access points forming the overhead mesh of access points in the area.

Abstract: This disclosure describes techniques for performing a remote front-drop of data for recovery after a pipeline stall. The techniques include using a receiver-side dropping strategy that is driven from the sender-side. Components of a pipeline determine whether a pipeline is operating within specified latency constraints (e.g., experiencing a pipeline stall). Upon detecting a pipeline stall, the sending device is notified of the stall. Once the sending device is notified of the pipeline stall, the sending device can determine what action(s) to perform to address the pipeline stall. For example, the sending device may instruct one or more components of the pipeline to discard already sent data that has not been processed. This allows the older data to be dropped on the stalled pipeline while keeping the more recently sent data.

Abstract: Group identity assignment and policy enforcement may be provided. A User Defined Network Identifier (UDN ID) defining a group of client devices may be received. Next, a client identifier (ID) associated with a source client device that is associated with the group of client devices may be received. The UDN ID and the client ID may be encoded in an Extended Local Identifier (ELI) Media Access Control (MAC) address associated with the source client device. A source MAC address of a packet received from the source client device may then be substituted with the ELI MAC address. Then the packet may be forwarded.

Abstract: In one embodiment, a supervisory device in a network notifies, via an access point of the network, a node as to an ability of the network to support virtual access points. The supervisory device receives, in response to notifying the node, information from the node regarding characteristics of the node. The supervisory device selects, based on the characteristics of the node, a plurality of access points in the network to form a virtual access point with which the node may communicate. The supervisory device configures the plurality of access points to function as the virtual access point, wherein the node communicates with the network via the virtual access point.

Abstract: A method for providing multicast frames in a Multi-Dwelling Unit (MDU) is provided herein. An Access Point (AP) can receive a join request from a first client device. The AP can generate a Group Master Key (GMK) from the Pre-Shared Key (PSK) associated with a Basic Service Set (BSS) that includes the first client device. The AP can then derive a Group Transient Key (GTK) from the GMK. The AP may then send the GTK to the first client device. Thereinafter, the AP can send multicast frames to the first client device encrypted by the GTK. The first client device can decrypt the multicast frames with the GTK. However, a second client device, that does not share the PSK, may receive the multicast frame but cannot decrypt the multicast frames.

Abstract: Presented herein are techniques to manage a wireless local area network. A method includes defining a plurality of geographical zones corresponding to a geographical area that is serviced by a common service set identifier for a wireless local area network, assigning a pre-shared key to a mobile station based on the plurality of geographical zones, wherein the pre-shared key is associated with predetermined policies for a user of the mobile station, associating a media access control address of the mobile station with the pre-shared key, and controlling access of the mobile station to the wireless local area network based on the predetermined policies.

Abstract: Presented herein are techniques to address a lack of path maximum transmission unit discovery in the context of, e.g., the control and provisioning of wireless access point (CAPWAP) protocol for multicast communications. In one embodiment, IPv4-IPv6-IPv4 network address translation is used to avoid a conservative maximum transmission unit size. In another embodiment, unicast and multicast path maximum transmission unit discovery techniques are executed to set the maximum transmission unit size for multicast communications.

Abstract: Aspects described herein include a method of automated grouping of client devices for a user-defined network (UDN). The method includes receiving, from a client device an authentication request to join an access provider network. The authentication request includes a unique identifier of the client device for a federation-based network. The method further includes transmitting the unique identifier to a UDN cloud, transmitting the authentication request to an identity provider, and receiving, responsive to the identity provider authenticating the authentication request, a list of one or more UDNs from the UDN cloud that are associated with the unique identifier. The method further includes joining the client device with one or more other client devices present on the access provider network listing a same UDN.

Abstract: A method includes receiving, at a home controller of a home domain and from a first device in the home domain, a first message concerning a user device that is anchored to the home domain and that has roamed from the home domain to a visitor domain. The method also includes, in response to determining that the first device is a router, opening a tunnel between the home controller and a visitor controller of the visitor domain and communicating the first message to the user device through the tunnel. The method further includes receiving, at the home controller and from a second device in the home domain, a second message concerning the user device and in response to determining that the second device is not a router, communicating, to the second device, a proxy response to the second message.

Abstract: Techniques are provided that rotate a device address used to identify a wireless client device on a wireless network. The wireless client device and at least one network infrastructure component identify a plurality of device addresses associated with the wireless client device. In some embodiments, the plurality of device addresses are generated via a corresponding plurality of invocations of a stateful random number generator, such as a cryptographically secure pseudorandom number generator.

Abstract: A wireless client device communicates, to an access point over a secure channel, a mapping of a dynamic device address to a stable device address. By communicating the mapping, the access point is able to determine that packets received from two different device addresses originate from a common device. The access point is then able to maintain an association between the originating device and other network resources assigned or allocated to the originating device, such as IP addresses or infrastructure station address, which is used to identify the originating device to other devices outside the network in some embodiments.

Abstract: A method for establishing a VPN with a client device is provided. In the method, an AP can receive an access request directed to an OpenRoaming (OR) Service Set Identifier (SSID) from the client device. The AP can send the access request to an OR connector. In response to the access request, the AP may receive an access response from the OR connector. The access response can include an attribute indicating an address to connect to a company Virtual Private Network (VPN) headend. The AP may then use the attribute to establish the VPN connection with the company VPN headend.