Patents by Inventor Andrew Sergeev
Andrew Sergeev has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12184407
Abstract: There is provided a technique of securing clock synchronization between master clock node (MCN) and client clock node (CCN). During a cycle of exchanging PTP messages between MCN and CCN, MCN generates an associated paired message for each PTP message generated thereby and informative of t1 or t4 timestamps provided by MCN and sends each paired message to a validation entity (VE) via a secured channel between MCN and VE. When PTP messages traverse transparent clock nodes (TCN) between MCN and CCN, each TCN generates a paired message for each version of PTP message updated thereby and sends each generated paired message to VE via a secured channel between respective TCN and VE. VE uses the received paired messages to provide a validation of the cycle, wherein synchronization-related task(s) (e.g. clock correction by the client clock node, etc.) are provided only subject to successful validation of the cycle by VE.
Type: Grant
Filed: November 21, 2022
Date of Patent: December 31, 2024
Assignee: ADTRAN Networks SE
Inventors: Michael Rabinovich, Andrew Sergeev, Joo Yeon Cho, Shihuan Zou
-
Publication number: 20230171015
Abstract: There is provided a technique of securing clock synchronization between master clock node (MCN) and client clock node (CCN). During a cycle of exchanging PTP messages between MCN and CCN, MCN generates an associated paired message for each PTP message generated thereby and informative of t1 or t4 timestamps provided by MCN and sends each paired message to a validation entity (VE) via a secured channel between MCN and VE. When PTP messages traverse transparent clock nodes (TCN) between MCN and CCN, each TCN generates a paired message for each version of PTP message updated thereby and sends each generated paired message to VE via a secured channel between respective TCN and VE. VE uses the received paired messages to provide a validation of the cycle, wherein synchronization-related task(s) (e.g. clock correction by the client clock node, etc.) are provided only subject to successful validation of the cycle by VE.
Type: Application
Filed: November 21, 2022
Publication date: June 1, 2023
Applicant: ADVA Optical Networking SE
Inventors: Michael RABINOVICH, Andrew SERGEEV, Joo Yeon CHO, Shihuan ZOU
-
Patent number: 11637699
Abstract: There is provided a technique of establishing encryption keys for communication between 1st peer and 2nd peer via a data path. The technique comprises: by each peer, using input keying material to independently generate equivalent pairs of peer encryption keys (PEKs), verifying equivalence of the generated PEK pairs, and using by 1st peer and 2nd peer the verified PEK pairs to become in possession of equivalent pairs of session encryption keys (SEKs). Verifying comprises: generating by 1st peer a first handshake (HS) message encrypted by PEK Tx1 and sending the first HS message to the 2nd peer via the data path; decrypting by the 2nd peer the first HS message using the PEK Rx2, generating a second HS message encrypted by PEK Tx2, and sending the second HS message to the 1st peer via the data path; and decrypting the second HS message by the 1st peer using PEK Rx1.
Type: Grant
Filed: July 20, 2021
Date of Patent: April 25, 2023
Assignee: ADVA Optical Networking SE
Inventors: Andrew Sergeev, Joo Yeon Cho
-
Publication number: 20220407742
Abstract: There is provided a technique of time-sensitive transmission of Ethernet traffic in IET-blind network. A source endpoint network node receives expedited and non-expedited Ethernet frames; for each non-expedited Ethernet frame: detects a pre-provisioned designated non-expedited tunnel with a destination endpoint network node corresponding to a destination address specified in the Ethernet frame, segments non-expedited Ethernet frame into a plurality of segments, encapsulates each segment in accordance with the designated non-expedited tunnel; and sends the encapsulated segments to the destination endpoint network node via the designated non-expedited tunnel. When the designated non-expedited tunnel is constituted by a plurality of successive sub-tunnels (e.g.
Type: Application
Filed: June 16, 2022
Publication date: December 22, 2022
Inventors: Andrew SERGEEV, Robert DITTMAR, Silviu Adrian SASU, Edna GANON
-
Publication number: 20220029800
Abstract: There is provided a technique of establishing encryption keys for communication between 1st peer and 2nd peer via a data path. The technique comprises: by each peer, using input keying material to independently generate equivalent pairs of peer encryption keys (PEKs), verifying equivalence of the generated PEK pairs, and using by 1st peer and 2nd peer the verified PEK pairs to become in possession of equivalent pairs of session encryption keys (SEKs). Verifying comprises: generating by 1st peer a first handshake (HS) message encrypted by PEK Tx1 and sending the first HS message to the 2nd peer via the data path; decrypting by the 2nd peer the first HS message using the PEK Rx2, generating a second HS message encrypted by PEK Tx2, and sending the second HS message to the 1st peer via the data path; and decrypting the second HS message by the 1st peer using PEK Rx1.
Type: Application
Filed: July 20, 2021
Publication date: January 27, 2022
Inventors: Andrew SERGEEV, Joo Yeon CHO
-
Patent number: 11095430
Abstract: There are provided a method and system for assessing latency of ciphering end point of secure communication channel. The method comprises: generating a test traffic comprising a series of original data packets, wherein, for each original data packet, size of a given packet is uniquely indicative of the packet's place in a sequence of data packets in the series and enables unique correspondence with a size of the given packet upon its encryption; successively transmitting the original packets to the ciphering end point, whilst associating with respective departure time stamps; receiving encrypted packets from the ciphering end point and associating them with respective arrival time stamps; using a size of a given encrypted packet with a timestamp TSa to identify a size of a matching original packet, its place in the sequence of original packets and, thereby, its departure timestamp TSd, thus giving rise to a plurality of timestamp pairs (TSd; TSa).
Type: Grant
Filed: October 3, 2019
Date of Patent: August 17, 2021
Assignee: ADVA Optical Networking SE
Inventor: Andrew Sergeev
-
Patent number: 10979367
Abstract: A method, device, and computer-program product of forwarding data packets in a virtual switch is provided. The virtual switch comprises: first, second and third virtual ports for respectively receiving/transmitting: LAN traffic from/to a physical LAN port; secured traffic from/to a physical secured traffic port; and Internet traffic from/to a physical Internet port.
Type: Grant
Filed: February 7, 2019
Date of Patent: April 13, 2021
Assignee: ADVA OPTICAL NETWORKING SE
Inventors: Andrew Sergeev, Eli Angel
-
Publication number: 20200252201
Abstract: There are provided a method and system for assessing latency of ciphering end point of secure communication channel. The method comprises: generating a test traffic comprising a series of original data packets, wherein, for each original data packet, size of a given packet is uniquely indicative of the packet's place in a sequence of data packets in the series and enables unique correspondence with a size of the given packet upon its encryption; successively transmitting the original packets to the ciphering end point, whilst associating with respective departure time stamps; receiving encrypted packets from the ciphering end point and associating them with respective arrival time stamps; using a size of a given encrypted packet with a timestamp TSa to identify a size of a matching original packet, its place in the sequence of original packets and, thereby, its departure timestamp TSd, thus giving rise to a plurality of timestamp pairs (TSd; TSa).
Type: Application
Filed: October 3, 2019
Publication date: August 6, 2020
Inventor: Andrew Sergeev
-
Publication number: 20200044986
Abstract: A method, device, and computer-program product of forwarding data packets in a virtual switch is provided. The virtual switch comprises: first, second and third virtual ports for respectively receiving/transmitting: LAN traffic from/to a physical LAN port; secured traffic from/to a physical secured traffic port; and Internet traffic from/to a physical Internet port.
Type: Application
Filed: February 7, 2019
Publication date: February 6, 2020
Inventors: Andrew SERGEEV, Eli ANGEL
-
Patent number: 10379896
Abstract: There is provided a method of resilient operation of a virtual network function (VNF) and a host platform configured to host VNF. The host platform comprises: first PMB configured to host first virtual platform (VP) with the help of first hypervisor, the first VP is configured, when the first hypervisor is in operational mode, to execute the VNF under primary VNF configuration; second PMB configured to host second VP with the help of second hypervisor with substantially less processing power than processing power of the first hypervisor, the second VP is configured, when the first hypervisor has failed, to execute the VNF under emergency VNF configuration. Second PMB is further configured to execute system controller operatively connected to first hypervisor, second hypervisor and I/O switch, the system controller configured to monitor status of first hypervisor and, responsive to a failure of first hypervisor, enable executing the VNF on second VP.
Type: Grant
Filed: October 6, 2017
Date of Patent: August 13, 2019
Assignee: ADVA Optical Networking Israel Ltd.
Inventor: Andrew Sergeev
-
Publication number: 20190245811
Abstract: A method, device, and computer-program product of forwarding data packets in a virtual switch is provided. The virtual switch comprises: first, second and third virtual ports for respectively receiving/transmitting: LAN traffic from/to a physical LAN port; secured traffic from/to a physical secured traffic port; and Internet traffic from/to a physical Internet port.
Type: Application
Filed: February 7, 2019
Publication date: August 8, 2019
Inventors: Andrew SERGEEV, Eli ANGEL
-
Patent number: 10349291
Abstract: A method for establishing a self-organized emergency mobile core in a cellular communication network, the cellular communication network having a core element. The method includes the step of storing program code for implementing core network functionality on at least one stationary network element of the cellular communication network allowing to host virtual network functionality. The core network functionality remains inactive when the core element is available. The method includes the steps of detecting an emergency event within the cellular communication network resulting in an unavailability of the core element, and starting operating the core network functionality in order to establish a self-organized emergency mobile core in response to the detected emergency event.
Type: Grant
Filed: November 4, 2015
Date of Patent: July 9, 2019
Assignee: Adva Optical Networking SE
Inventors: Andrew Sergeev, Evgeny Zemlerub, Eyal Ben-Sa'adon
-
Patent number: 10313877
Abstract: A method for facilitating participation of an intermediary network device in a security gateway communication including: establishing a secure channel between the intermediary network device and a security gateway; transmitting a virtual machine instantiation command generated by software running in the security gateway to the intermediary network device; instantiating a virtual machine on the intermediary network device; when establishing a secure communication session between the at least one base station and the core network portion via the security gateway for the first time, establishing an Internet Key Exchange communication between the virtual machine and the security gateway and transmitting session keys from the security gateway to the virtual machine during the Internet Key Exchange communication; establishing an IPsec tunnel between the virtual machine and the security gateway.
Type: Grant
Filed: May 12, 2016
Date of Patent: June 4, 2019
Assignee: ADVA Optical Networking SE
Inventors: Andrew Sergeev, Evgeny Zemlerub, Eyal Ben-Sa'adon
-
Patent number: 9960822
Abstract: A method for facilitating coordinated multipoint communication providing a plurality of network interface devices for measuring synchronization accuracy in the backhaul network; creating an actual coverage map for the coordinated multipoint communication analyzing the created actual coverage map to determine whether the backhaul network is sufficient for a selected coordinated multipoint technique; if the backhaul network is not sufficient determining one or more key performance indicators creating a conditional coverage map; comparing the actual coverage map with the conditional coverage map; reconfiguring the wireless communication network if the actual coverage map does not match the conditional coverage map.
Type: Grant
Filed: February 11, 2016
Date of Patent: May 1, 2018
Assignee: Adva Optical Networking SE
Inventors: Eyal Ben-Sa'adon, Andrew Sergeev
-
Patent number: 9954693
Abstract: There are provided a system and method of assessing latency of forwarding data packets in virtual environment. The method comprises: generating packet signatures SGD and SGA respectively for departing and arriving data packets; maintaining a first data structure comprising records related to departing packets associated with a first virtual function (VF), each record informative of SGD and registered departure time TD of a given departing packet; responsive to registering arriving time TA of a given monitored arriving packet SGA associated with a second VF, searching the first data structure for a record matching a matching condition SGD=SGA; modifying the matching record to become informative of latency ΔT=TA−TD and adding the modified record to a second data structure; and using data in the second data structure for assessing latency of forwarding packets from the ingress virtual port to the egress virtual port.
Type: Grant
Filed: October 5, 2016
Date of Patent: April 24, 2018
Assignee: ADVA Optical Networking SE
Inventors: Andrew Sergeev, Yossi Meir, Shlomo Reches, Samuel Monderer
-
Publication number: 20180101397
Abstract: There is provided a method of resilient operation of a virtual network function (VNF) and a host platform configured to host VNF. The host platform comprises: first PMB configured to host first virtual platform (VP) with the help of first hypervisor, the first VP is configured, when the first hypervisor is in operational mode, to execute the VNF under primary VNF configuration; second PMB configured to host second VP with the help of second hypervisor with substantially less processing power than processing power of the first hypervisor, the second VP is configured, when the first hypervisor has failed, to execute the VNF under emergency VNF configuration. Second PMB is further configured to execute system controller operatively connected to first hypervisor, second hypervisor and I/O switch, the system controller configured to monitor status of first hypervisor and, responsive to a failure of first hypervisor, enable executing the VNF on second VP.
Type: Application
Filed: October 6, 2017
Publication date: April 12, 2018
Applicant: ADVA Optical Networking Israel Ltd.
Inventor: Andrew Sergeev
-
Patent number: 9913304
Abstract: A method for facilitating the establishment of a virtual private network in a cellular communication network comprising the steps of: arranging a network interface device in close proximity to a plurality of antennas; identifying an access request from a client device to establish a virtual private network connection through a core network portion by means of the network interface device; determining application information from the client device by means of the network interface device; and comparing the application information to a network information of the core network portion to determine whether the application information matches the network information by means of the network interface device.
Type: Grant
Filed: August 5, 2015
Date of Patent: March 6, 2018
Assignee: Adva Optical Networking SE
Inventors: Andrew Sergeev, Evgeny Zemlerub, Eyal Ben-Sa'adon
-
Patent number: 9648531
Abstract: A method and apparatus are described for providing communication services to a mobile platform while moving, wherein the mobile platform communicates along two current communication links extending between the mobile platform and two network gateways. The method comprises: setting an H-VPLS service to enable provisioning of L2 services to the moving platform via at least one of the two current communication links; enabling the moving platform to exchange communications along one or both communication links; replacing one of the two current communication links while the mobile platform is moving, with another communication link extending towards a third network gateway, by using Pseudo Wire Redundancy (PWR) to re-route traffic from the communication link being replaced to the other communication link, thereby allowing the moving platform to continue provisioning the L2 services while communicating with two network gateways, being the third network gateway and one of the former two network gateways.
Type: Grant
Filed: January 22, 2014
Date of Patent: May 9, 2017
Assignee: ECI TELECOM LTD.
Inventors: Andrew Sergeev, Asher Besserglick, Oded Mann
-
Publication number: 20170104608
Abstract: There are provided a system and method of assessing latency of forwarding data packets in virtual environment. The method comprises: generating packet signatures SGD and SGA respectively for departing and arriving data packets; maintaining a first data structure comprising records related to departing packets associated with a first virtual function (VF), each record informative of SGD and registered departure time TD of a given departing packet; responsive to registering arriving time TA of a given monitored arriving packet SGA associated with a second VF, searching the first data structure for a record matching a matching condition SGD=SGA; modifying the matching record to become informative of latency ΔT=TA−TD and adding the modified record to a second data structure; and using data in the second data structure for assessing latency of forwarding packets from the ingress virtual port to the egress virtual port.
Type: Application
Filed: October 5, 2016
Publication date: April 13, 2017
Inventors: Andrew Sergeev, Yossi Meir, Shlomo Reches, Samuel Monderer
-
Publication number: 20160337847
Abstract: A method for facilitating participation of an intermediary network device in a security gateway communication including: establishing a secure channel between the intermediary network device and a security gateway; transmitting a virtual machine instantiation command generated by software running in the security gateway to the intermediary network device; instantiating a virtual machine on the intermediary network device; when establishing a secure communication session between the at least one base station and the core network portion via the security gateway for the first time, establishing an Internet Key Exchange communication between the virtual machine and the security gateway and transmitting session keys from the security gateway to the virtual machine during the Internet Key Exchange communication; establishing an IPsec tunnel between the virtual machine and the security gateway.
Type: Application
Filed: May 12, 2016
Publication date: November 17, 2016
Inventors: Andrew Sergeev, Evgeny Zemlerub, Eyal Ben-Sa'adon