Abstract: Techniques for identifying nodes in a data center fabric that are affected by a failure in the fabric, and selectively sending disaggregation advertisements to the nodes affected by the failure. The techniques include a process where a component monitors the network fabric to identify communication paths between leaf nodes, and determines what leaf nodes would be affected by a failure in those communication paths. The component may detect a failure in the network and determine which communication paths, and thus which leaf nodes, are affected by the failure and send disaggregation advertisements to the affected leaf nodes. In some examples, ingress leaf nodes send data through the fabric that indicate egress nodes for the communication paths. Intermediate nodes along may receive the data from the leaf nodes to identify communication paths, and the notify only affected nodes upon detecting a failure in the network.

Abstract: In one embodiment, an access policy enforcement service receives a user authentication request from an end-user device. The access policy enforcement service identifies a telemetry collection intent from the user authentication request. The access policy enforcement service determines a monitoring policy based on the telemetry collection intent identified from the user authentication request. The access policy enforcement service configures, according to the monitoring policy, one or more telemetry collection agents to collect telemetry for traffic associated with the end-user device.

Abstract: Techniques and apparatus for determining quality of experience (QoE) for wireless communications are described. One technique involves transmitting a QoE support message to an access point (AP) within an access network. The QoE support message queries whether the AP supports providing key performance indicators (KPI(s)) indicative of QoE provided by the access network. An indication of whether the AP supports providing the KPI(s) is received in response to the QoE support message. The KPI(s) are received when the AP supports providing the KPI(s). A determination is made whether to communicate with the AP based at least in part on the KPI(s). Communications are then performed in accordance with the determination.

Abstract: Techniques for policy-based failure handling of data that is received for processing by failed edge services are described herein. The techniques may include receiving, at an edge node of a network, a data handling policy for a service hosted on the edge node. The service may be configured to process traffic on behalf of an application hosted by a cloud-based platform. In some examples, the data handling policy may be stored in a memory that is accessible to the edge node. The techniques may also include receiving traffic at the edge node that is to be processed at least partially by the service. At least partially responsive to detecting an error associated with the service, the edge node may cause the traffic to be handled according to the data handling policy while the service is experiencing the error.

Abstract: A method, computer system, and computer program product are provided for controlling data access and visibility using a context-based security policy. A request from an endpoint device to receive data is received at a server, wherein the request includes one or more contextual attributes of the endpoint device including an identity of a user of the endpoint device. The one or more contextual attributes are processed to determine that the endpoint device is authorized to receive the data. A security policy is determined for the data based on the one or more contextual attributes. The data is transmitted, including the security policy, to the endpoint device, wherein the endpoint devices enforces the security policy to selectively permit access to the data by preventing the endpoint device from displaying the data to an unauthorized individual.

Abstract: Methods are provided in which a cloud portal, serving as an orchestrator device, obtains a request for diagnostics data to monitor performance of a cloud-based service executing in a provider cloud network and accessed by a client device in an enterprise network and obtains service information about a plurality of assets involved in providing the cloud-based service. The plurality of assets are managed by at least a first cloud-based management entity and a second cloud-based management entity. The methods further include collecting the diagnostics data about the plurality of assets based on the service information, aggregating the diagnostics data to form a multi-cloud diagnostics data, and determining the performance of the cloud-based service based on the multi-cloud diagnostics data.

Abstract: A method, computer system, and computer program product are provided for decentralized machine learning. A plurality of computing networks are identified by determining that each computing network of the plurality of computing networks satisfies a predetermined number of criteria. A decentralized learning agent is provided to each computing network, wherein the decentralized learning agent is provided with input parameters for training and is trained using training data associated with a computing network to which the decentralized learning agent is provided. A plurality of learned parameters are obtained from the plurality of computing networks, wherein each learned parameter of the plurality of learned parameters is obtained by training the decentralized learning agent provided to each respective computing network. A global model is generated based on the plurality of learned parameters.

Abstract: A method, computer system, and computer program product are provided for detecting drift in predictive models for network devices and traffic. A plurality of streams of time-series telemetry data are obtained, the time-series telemetry data generated by network devices of a data network. The plurality of streams are analyzed to identify a subset of streams, wherein each stream of the subset of streams includes telemetry data that is substantially empirically distributed. The subset of streams of time-series data are analyzed to identify a change point. In response to identifying the change point, additional time-series data is obtained from one or more streams of the plurality of streams of time-series telemetry data. A predictive model is trained using the additional time-series data to update the predictive model and provide a trained predictive model.

Abstract: In one example, a controller obtains a request to store an object-based storage object and identifies a data sovereignty policy identifier associated with the object-based storage object. The controller queries a data sovereignty policy manager for a data sovereignty policy associated with the data sovereignty policy identifier and obtains, from the data sovereignty policy manager, an indication of the data sovereignty policy. The controller stores the object-based storage object in compliance with the data sovereignty policy.

Abstract: This disclosure describes techniques for enabling selective connections between user devices and trusted network devices. An example method includes receiving a beacon from a network device. The beacon includes a trust level of the network device. The method further includes determining that the trust level of the network device satisfies a predetermined trust criterion. Based on determining that the trust level of the network device satisfies the predetermined trust criterion, the method includes transmitting a connection request to the network device. Further, user data is received from the network device.

Abstract: Techniques are presented for evaluating Equal Cost Multi-Path (ECMP) performance in a network that includes a plurality of nodes. According to an example embodiment, a method is provided that includes obtaining information indicating equal cost multi-path (ECMP) paths in the network and a branch node in the network. For the branch node in the network, the method includes instantiating a virtual network function that simulates an ECMP hashing algorithm employed by the branch node to select one of multiple egress interface of the branch node; providing to the virtual network function for the branch node, a query containing entropy information as input to the ECMP hashing algorithm that returns interface selection results; and obtaining from the virtual network function a reply that includes the interface selection results. The method further includes evaluating ECMP performance in the network based on the interface selection results obtained for the branch node.

Abstract: Federated multi-access edge computing availability notifications may be provided by: transmitting, from a User Equipment (UE) to an Access Point (AP) of a wireless network, an attach request for the wireless network that includes authentication credentials for an identity provider independent from the wireless network to authenticate the UE to the wireless network; receiving, at the UE via the AP, an authentication success message for the wireless network from the independent identity provider; transmitting, from the UE to the AP, a Multi-access Edge Computing (MEC) query; and receiving, at the UE from the AP, a MEC response that identifies MEC resources that are available to the UE based on an identity for the UE confirmed by the identity provider to the wireless network.

Abstract: Aggregation of cross domain service level indications provide an estimate of available end to end error budget within a service chain of a network system. In some embodiments, service level indications are obtained from a plurality of sub-domains, and aggregated to determine an end to end reliability score. The end to end reliability score is then distributed one or more of the sub-domains. The sub-domains then consider whether to implement a change based on local service level indications as well as the end to end reliability score. In other embodiments, a sub-domain requests approval to implement a change from an error manager. The error manager consults the end to end reliability score to determine whether adequate margin exists in the service chain to allow the change to occur, while still meeting service level objectives of the service chain. The error manager conditionally approves the request based on the determination.

Abstract: Techniques are provided for segmentation of data points after a dimension reduction. A proxy model is then trained based on results of the segmentation. The proxy model provides low latency high throughput labeling of additional data points, without the need to reduce dimensions of the additional data points. A second segmentation is performed with results of the second segmentation compared to that of the first segmentation. When results of the comparison meet certain criterion, configuration parameters of the segmentation are modified. For example, in some embodiments, a user interface is provided that displays shapley values indicating a mapping from the high dimension data to the segmented data. Input is then received that modifies the configuration parameters.

Abstract: Methods are provided in which a computing device obtains telemetry data associated with a network technology used in an enterprise network and an enterprise network profile that includes information about the complexity of the enterprise network. The network technology is deployed at one or more devices of the enterprise network. The methods further include the computing device determining, based on the telemetry data, for each deployment of the network technology, a current stage from a plurality of stages of an adoption lifecycle to which the network technology progressed, determining a time estimate for completing the current stage of the adoption lifecycle, based on the enterprise network profile and an adoption benchmark generated from a plurality of activities performed for progressing along the adoption lifecycle, and evaluating an adoption of the network technology, using the time estimate, to progress the network technology along the lifecycle.

Abstract: Aspects of the disclosure include a method and associated network device. The method includes authenticating an identity of a user of a client device after the client device is associated with an access network provider. Authenticating the identity of the user comprises receiving, from an identity provider, a credential associated with the identity, and receiving, from the identity provider, information identifying a network-based service to be applied to network traffic with the client device. The method further includes establishing, using the credential and the received information, a secure connection between the access network provider and a service provider that is capable of providing the network-based service. The method further includes receiving network traffic from the service provider. Packets of the network traffic include an assurance value that enables the client device to determine that the network-based service is being provided by the service provider.

Abstract: Systems, methods, and computer-readable for multi-spatial scale object detection include generating one or more object trackers for tracking at least one object detected from on one or more images. One or more blobs are generated for the at least one object based on tracking motion associated with the at least one object. One or more tracklets are generated for the at least one object based on associating the one or more object trackers and the one or more blobs, the one or more tracklets including one or more scales of object tracking data for the at least one object. One or more uncertainty metrics are generated using the one or more object trackers and an embedding of the one or more tracklets. A training module for detecting and tracking the at least one object using the embedding and the one or more uncertainty metrics is generated using deep learning techniques.

Abstract: A node of a network configured to forward packets based on network programming instructions encoded in the packets, performs a method. The method includes generating a probe packet encoded with a replication network programming instruction. The replication network programming instruction is configured to validate equal-cost multi-path (ECMP) routing in the network from the node to a destination by remotely triggering transit nodes of the network, that are traversed by the probe packet, to each perform replicate-and-forward actions. The replicate-and-forward actions include: identifying ECMP paths toward the destination; generating, for the ECMP paths, replicated probe packets that each include the replication network programming instruction; and forwarding the replicated probe packets along the ECMP paths. The method further includes forwarding the probe packet toward the destination.

Abstract: A method is performed at one or more entities configured to configure and provide assurance for a service enabled on a network. The service is configured as a collection of subservices on network devices of the network. A definition of the service is decomposed into a subservice dependency graph that indicates the subservices and dependencies between the subservices that collectively implement the service. Based on the subservice dependency graph, the subservices are configured to record and report subservice metrics indicative of subservice health states of the subservices. The subservice metrics are obtained from the subservices, and the subservice health states of the subservices are determined based on the subservice metrics. A health state of the service is determined based on the subservice health states. One or more of the subservices are reconfigured based on the health state of the service.

Abstract: This disclosure describes techniques for implementing centralized path computation for routing in hybrid information-centric networking protocols implemented as a virtual network overlay. A method includes receiving an interest packet header from a forwarding router node of a network overlay. The method further includes determining an interest path of the interest packet and one or more destination router nodes of the network overlay. The method further includes computing one or more paths over the network overlay. The method further includes determining an addressing method for the one or more computed paths over the network overlay. The method further includes performing at least one of encoding each computed path in a data packet header, and encoding each computed path as state entries of each router node of the network overlay on each respective path. The method further includes returning the computed path information to the forwarding router node.