Abstract: A system facilitates communication between branches of an SD-WAN and a service chain element. A hub node receives a data packet of a flow from a source branch over a VPN segment to be transmitted to a destination branch, extracts flow information from the data packet including VPN segment information to be stored in a flow table before transmitting the data packet to the service chain element over a service chain VPN. Upon return of the data packet from the service chain element, the hub node uses packet tuple information to retrieve the flow information with VPN segment information from the flow table. The hub node can then forward the data packet to the destination branch over the VPN segment. The hub node can generate and store an Auto Service Chaining Key that connects bidirectional flows so that the hub node can apply service-chaining to bidirectional traffic.

Abstract: Disclosed are systems, apparatuses, methods, computer readable medium, and circuits for ordering services in a service chain comprising: receiving, at an edge router, one or more data packets; determining, at the edge router, a sequence order of service chain elements for the one or more data packets based upon an established sequence, the sequence order modifies the established sequence to performing an altering service that alters a payload of the one or more packets prior to one or more remaining services that inspect the one or more packets; transmitting and receiving, by the edge router in the sequence order, the one or more data packets to and from the service chain elements; transmitting, by the edge router, the one more data packets to a destination after a last of the service chain elements has been performed.

Abstract: A system facilitates communication between branches of an SD-WAN and a service chain element. A hub node receives a data packet of a flow from a source branch over a VPN segment to be transmitted to a destination branch, extracts flow information from the data packet including VPN segment information to be stored in a flow table before transmitting the data packet to the service chain element over a service chain VPN. Upon return of the data packet from the service chain element, the hub node uses packet tuple information to retrieve the flow information with VPN segment information from the flow table. The hub node can then forward the data packet to the destination branch over the VPN segment. The hub node can generate and store an Auto Service Chaining Key that connects bidirectional flows so that the hub node can apply service-chaining to bidirectional traffic.

Abstract: The present disclosure is directed to making service-chains routable and intent-based within an enterprise network. In one aspect, a method for simplifying steering of network traffic includes receiving an intent-based description of one or more services to be applied to the network traffic; defining a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implementing the service chain at one or more network hubs; and implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.

Abstract: One or more aspects of the present disclosure are directed to providing a single hierarchical construct for defining requirements (connectivity parameters) of a service in a service chain. In one aspect, a single construct for identifying a service in a service chain includes a first object identifying at least one path for accessing an instance of the service within a communication network, a second object identifying a respective communication protocol for the at least one path; and a third object identifying at least a transmission specification for the respective communication protocol in the second object, wherein the second object and the third object are embedded within the first object.

Abstract: A method of implementing controller-based distributed remote access may include connecting a plurality of edge devices to a controller via a network. The plurality of edge devices may perform hole punching to traverse a network address translation (NAT) gateway to create a NAT hole. The method may also include connecting a client device to the controller. The client device may be directly connected to one of the plurality of edge devices via the NAT hole in the network. The method may further include directly connecting the client device to one of the plurality of edge devices by receiving a query from the client device and returning public IP/ports of a most relevant edge device to the client device, the most relevant edge device being based on attributes of the client device, attributes of the plurality of edge devices, or combinations thereof.

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK_ID from the peer to complete authentication of the peer. The PPK_ID is received from the peer, and the encrypted COMMON-SEED and PPK_ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK ID from the peer to complete authentication of the peer. The PPK ID is received from the peer, and the encrypted COMMON-SEED and PPK ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK_ID from the peer to complete authentication of the peer. The PPK_ID is received from the peer, and the encrypted COMMON-SEED and PPK_ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

Abstract: A method is provided for quantum-resistant secure key distribution between a peer and an extendible authentication protocol (EAP) authenticator by using an authentication server. The method may include receiving requests for a COMMON-SEED and a McEliece public key from a peer and an EAP authenticator by an authentication server using an EAP method, encrypting the COMMON-SEED using the McEliece public key of the peer and the McEliece public key of the EAP authenticator by the authentication server, and sending the encrypted COMMON-SEED from the authentication server to the peer along with a request for a PPK_ID from the peer using the EAP method to complete authentication of the peer. The method may also include receiving the PPK_ID from the peer using the EAP method, where the PPK_ID is from a key pair consisting of PPK_ID and PPK obtained from a first SKS server in electrical communication with the peer based upon the encrypted COMMON-SEED.

Abstract: Presented herein are methodologies for establishing secure communications in a post-quantum computer context. The methodology includes receiving, from a first communications device, at a second communications device, a secret seed value, or otherwise obtaining the secret seed value; initializing a session key service with the secret seed value; receiving, from the first communications device, at the second communications device, a pre-shared key identifier; querying the session key service for a pre-shared key corresponding the pre-shared key identifier; receiving, from the session key service, the pre-shared key; deriving a session key based, at least in part, on the pre-shared key; receiving from the first communications device, at the second communications device, data encrypted with the session key; and decrypting the data at the second communications device using the session key.

Abstract: A method is described and in one embodiment includes identifying at an initiator element a list of Internet protocol (“IP”) prefixes corresponding to routes designated as interesting routes, wherein the IP prefixes are included in a Routing Information Base (“RIB”) of the initiator; monitoring the RIB for a change in the list of IP prefixes; and, responsive to detection of a change in the list of IP prefixes, injecting at least a portion of the changed list of IP prefixes into a payload of an IKEv2 NOTIFY message and sending the IKEv2 NOTIFY message to a responder element peered with the initiator element, wherein the responder element updates an RIB of the responder element using the IP prefixes included in the received IKEv2 NOTIFY message.

Abstract: Presented herein are methodologies for establishing secure communications in a post-quantum computer context. The methodology includes receiving, from a first communications device, at a second communications device, a secret seed value, or otherwise obtaining the secret seed value; initializing a session key service with the secret seed value; receiving, from the first communications device, at the second communications device, a pre-shared key identifier; querying the session key service for a pre-shared key corresponding the pre-shared key identifier; receiving, from the session key service, the pre-shared key; deriving a session key based, at least in part, on the pre-shared key; receiving from the first communications device, at the second communications device, data encrypted with the session key; and decrypting the data at the second communications device using the session key.

Abstract: A method is described and in one embodiment includes identifying at an initiator element a list of Internet protocol (“IP”) prefixes corresponding to routes designated as interesting routes, wherein the IP prefixes are included in a Routing Information Base (“RIB”) of the initiator; monitoring the RIB for a change in the list of IP prefixes; and, responsive to detection of a change in the list of IP prefixes, injecting at least a portion of the changed list of IP prefixes into a payload of an IKEv2 NOTIFY message and sending the IKEv2 NOTIFY message to a responder element peered with the initiator element, wherein the responder element updates an RIB of the responder element using the IP prefixes included in the received IKEv2 NOTIFY message.