Abstract: An enterprise controller of an enterprise network sends to a service gateway of a service provider network a request for network slice information about network slices provisioned on a data plane of the service provider network. Responsive to the sending, the enterprise controller receives from the service gateway the network slice information including identifiers of and properties associated with the network slices. Responsive to receiving a request for the network slice information from a network device at a border of a forwarding plane of the enterprise network, the enterprise controller sends the network slice information to the network device to cause the network device to perform configuring network traffic in the forwarding plane with identifiers of ones of the network slices that match the network traffic, and to perform forwarding the network traffic configured with the identifiers to the data plane of the service provider network.

Abstract: The present disclosure is directed to managing industrial internet of things end points and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more switches to perform operations comprising: identifying a first end point using a protocol associated with the first end point, determining a classification for the identified first end point based on one or more attributes of the first end point, identifying one or more related end points having the classification in common with the first end point, segmenting the first end point with the identified one or more related end points, and applying one or more policies to the segmented first end point and the one or more related end points.

Abstract: In one embodiment, a method by a first network apparatus includes receiving a request to access a resource from a client device associated with a user, determining that the request does not comprise a session cookie, sending an authorization request to a second network apparatus, receiving an authorization response including a resource authorization token from the second network apparatus, determining that the user is authorized to access the resource using the client device based on the received resource authorization token, establishing a first communication session with the client device by sending a message to the client device, and establishing a second communication session with a resource server that provides the resource, where the first network apparatus relays traffic between the client device and the resource server.

Abstract: Systems, methods, and computer-readable media for interconnecting SDWANs through segment routing. A first SDWAN and a second SDWAN of a SDWAN fabric can be identified. A segment routing domain that interconnects the first SDWAN and the second SDWAN can be formed across a WAN underlay of the SDWAN fabric. Data transmission between the first SDWAN and the second SDWAN can be controlled by performing segment routing through the segment routing domain formed between the first SDWAN and the second SDWAN.

Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.

Abstract: In one example, a server obtains, from a device having an embedded Subscriber Identification Module (eSIM), a unique identifier of the eSIM. The server validates the device based on the unique identifier of the eSIM. The server provides, to the device, a unique credential for a profile of the eSIM. The profile of the eSIM corresponds to a network of an enterprise. The server provides, to a credential database, the unique credential for the profile of the eSIM. The credential database including the unique credential for the profile of the eSIM indicates that the device is permitted to access the network of the enterprise.

Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.

Abstract: Techniques are described to provide open access in a neutral host environment. In one example, a method includes obtaining, by a mobility management node of a neutral host network, a network connectivity request from a user equipment, wherein the network connectivity request comprises an indication of a preferred service provider to which the user equipment is to be connected; determining, by the mobility management node, that the preferred service provider provides non-subscription-based network connectivity for the neutral host network; based on determining that the preferred service provider provides non-subscription-based network connectivity for the neutral host network, establishing secure communications for the user equipment, wherein the secure communications are established for the user equipment without authenticating an identity of user equipment; and providing network connectivity between the user equipment and the preferred service provider upon establishing the secure communications.

Abstract: Systems and methods provide for end-to-end identity-aware routing across multiple administrative domains. A first ingress edge device of a second overlay network can receive a first encapsulated packet from a first egress edge device of a first overlay network. The first ingress edge device can de-encapsulate the first encapsulated packet to obtain an original packet and a user or group identifier. The first ingress edge device can apply a user or group policy matching the user or group identifier to determine a next hop for the original packet. The first ingress edge device can encapsulate the original packet and the user or group identifier to generate a second encapsulated packet. The first ingress edge device can forward the second encapsulated packet to the next hop.

Abstract: Techniques for providing network traffic security in a virtualized environment are described. A threat aware controller uses a threat feed provided by a threat intelligence service to establish a threat detection engine on virtual switches. The threat aware controller and threat detection engine work together to detect any anomalous or malicious behavior of network traffic on the virtual switch and established virtual network functions to quickly detect, verify, and isolate network threats.

Abstract: Systems and methods are provided for receiving service instructions from a client regarding a network function at a network element, the service instructions including a table of network policies and rules, receiving data from a first edge node of a network fabric, processing the data received from the first edge node according to the service instructions regarding the network function, and providing the processed data to a second edge node of the network fabric based on the service instructions.

Abstract: Systems and methods are provided for receiving, at a network device, a first set of rules from a security controller of an enterprise network, the first set of rules being different from a second set of rules provided to a firewall by the security controller, implementing, at the network device, the first set of rules received from the security controller, generating, at the network device, a first log including metadata based on the first set of rules, the first log being generated on a per flow basis, notifying, at the network device, a NetFlow of the first log including the metadata of the first set of rules, and providing, from the network device, the first log to a cloud-log store by the NetFlow of the network device, the cloud-log store receiving the first log from the network device and a second log from the firewall.

Abstract: Systems and methods are provided for receiving, at an enterprise network, first authentication data of a citizens broadband radio service (CBRS)-enabled device, receiving, at the enterprise network, second authentication data of the CBRS-enabled device, the first authentication data of the CBRS-enabled device being a different type of authentication data than the second authentication data of the CBRS-enabled device, determining a class of the CBRS-enabled device based on the first authentication data and the second authentication data of the CBRS-enabled device, determining a network segment for the CBRS-enabled device based on the class of the CBRS-enabled device, and providing access to the CBRS-enabled device based on the determining of the network segment for the CBRS-enabled device.

Abstract: Systems and methods are provided for providing, by a user equipment, a short message service (SMS) message to initiate Wi-Fi onboarding to a mobile network, receiving, by the user equipment, a binary SMS message including a request for a certificate signing request by a server, generating, by the user equipment, the certificate signing request based on the request for the certificate signing request of the binary SMS message, providing, by the user equipment, the certificate signing request to the mobile network, and receiving, by the user equipment, a binary SMS message including Wi-Fi login data based on the certificate signing request provided to the mobile network.

Abstract: The present disclosure is directed to mapping indoor user movement using a combination of Wi-Fi and 60 GHz sensing. The methods include detecting, via a Wi-Fi access point, a wireless device associated with a first user, wherein the Wi-Fi access point is configured to determine location information and a device signature associated with the wireless device; transmitting the location information of the wireless device to a 11ay sensor; detecting the first user, via the 11ay sensor, based on the location information of the wireless device; creating a user signature associated with the first user, wherein the user signature is based on one or more physical characteristics of the first user detected by the 11ay sensor; and using the device signature associated with the wireless device and the user signature associated with the first user to subsequently identify the first user.

Abstract: Certain embodiments disclose systems and methods for creating a user private network (UPN) based on 11ay technology. Methods of the present disclosure include creating a personal basic service set (PBSS) having a service device and one or more 11ay devices, the service device configured to wirelessly communicate with the one or more 11ay devices in the PBSS, creating a UPN having an access point located in communicative proximity with the service device, and associating at least one 11ay device of the one or more 11ay devices with the UPN, wherein the at least one 11ay device is configured to establish a wireless connection with the one or more 11ay devices using the service device when within a coverage area of the PBSS, and to establish a wireless connection with the one or more 11ay devices using the access point when outside the coverage area of the PBSS.

Abstract: Technologies for systems, methods and computer-readable storage media for reducing the time to complete authentication during inter-technology handovers by reusing security context between 5G and Wi-Fi. Assuming, that the administrative domain for Wi-Fi and 5G match (and belongs to an enterprise for instance), using an already established security context in one technology to do fast authentication in the other technology during handover. Specifically, if UE is on Wi-Fi and handing over to 5G, use its Wi-Fi security context to do fast security setup in 5G, which includes a corresponding method for use when the UE goes from 5G to Wi-Fi.

Abstract: Systems, methods, and computer-readable media for an integrated Wi-Fi Access Point and cellular network Radio Unit (RU) include a communication system interfacing with a wired network for communicating Wi-Fi traffic and cellular network traffic, the communication system integrating a Wi-Fi Access Point (AP) with a cellular network Radio Unit (RU). The Wi-Fi traffic and cellular network traffic can be processed in the communication system. The communication system can interface with at least one programmable Radio Frequency (RF) front end configured for wireless communication over one or more frequency bands for Wi-Fi traffic and one or more frequency bands for cellular network traffic (e.g., 5G, LTE, Wi-Fi).

Abstract: Technologies for attestation techniques, systems, and methods to that reduces handover delay between LTE/5G eNBs by leveraging Wi-Fi for determining UE location. The systems, methods and computer-readable storage media disclosed here in may operate in the following deployments: the User Equipment (UE) is connected to enterprise Wi-Fi system in addition to being connected to private LTE/5G; enterprise Wi-Fi system having indoor location enabled; and the location system provides an API to give indoor location of the UE; and wherein Wi-Fi AP and LTE eNBs can communicate with each other, which can be accomplished in one instance wherein the two are co-located.

Abstract: Systems and methods are provided for user equipment (UE) multi-factor authentication enrollment. An example method can include receiving, by a first mobile network, an authentication request from a UE; performing a first authentication of the UE at the first mobile network; based on a determination that the UE has not been onboarded at a second mobile network, initiating, by the first mobile network, enrollment of the UE with the second mobile network for additional authentication of the UE with the second mobile network, wherein the first mobile network is separate from the second mobile network; and after the enrollment of the UE with the second mobile network, coordinating, by the first mobile network, a second authentication of the UE with the second mobile network.