Abstract: Techniques are presented in which a new information element signaling priority of a management entity is included in a setup (e.g., S1-Setup) response or configuration update message sent by a management entity to a base station entity. The base station entity interprets this priority information along with the relative capacity information in an appropriate way to load-distribute the traffic/calls to highly preferable management entity instances (at a local site) when they are available, and switchover/failover to lower preference management entity instances (at a remote site) when there is a local site outage/failure or insufficient capacity in a geo-resilient pooled network.

Abstract: Techniques for initiator-based data-plane validation of segment routed, multiprotocol label switched (MPLS) networks are described herein. In examples, an initiating node may determine to validate data-plane connectivity associated with a network path of the MPLS network. The initiating node may store validation data in a local memory of the initiating node. In examples, the initiating node may send a probe message that includes a request for identification data associated with a terminating node. The terminating node may send a probe reply message that includes the identification data, as well as, in some examples, a code that instructs the initiating node to perform validation. In examples, the initiating node may use the validation data stored in memory to compare to the identification data received from the terminating node to validate data-plane connectivity. In some examples, the initiating node may indicate a positive or negative response after performing the validation.

Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.

Abstract: Presented herein are techniques to analyze network anomaly signals based on both a spatial component and a temporal component. A method includes identifying a plurality of factors that trigger a first anomaly signal by a first network node and a second anomaly signal by a second network node in a network comprising a plurality of network nodes, determining that the first network node is adjacent to the second network node in the plurality of network nodes, calculating an anomaly severity score for the first network node based on a number of co-occurring factors from among the plurality of factors that trigger both the first anomaly signal and the second anomaly signal, and adjusting the anomaly severity score for the first network node based on a value of a prior anomaly severity score for the first network node.

Abstract: Techniques and mechanisms for providing continuous integrity validation-based control plane communication in a container-orchestration system, e.g., the Kubemetes platform. A worker node generates a nonce and forwards the nonce to a master node while requesting an attestation token. Using the nonce, the master node generates the attestation token and replies back to the worker node with the attestation token. The worker node validates the attestation token with a CA server to ensure that the master node is not compromised. The worker node sends its authentication credentials to the master node. The master node generates a nonce and forwards the nonce to the worker node while requesting an attestation token. Using the nonce, the worker node generates the attestation token and replies back to the master node with the attestation token. The master node validates the attestation token with the CA server to ensure that the worker node is not compromised.

Abstract: An ingress node inserts into a header of a packet service level agreement information and forwards the packet. At an egress node of the network, the packet is received and the service level agreement information is obtained from the header of the packet. The egress node verifies whether there is conformance to a service level agreement based on at least one parameter associated with reception of one or more packets at the egress node and the service level agreement information.

Abstract: A method is performed at one or more entities configured to configure and provide assurance for a service enabled on a network. The service is configured as a collection of subservices on network devices of the network. A definition of the service is decomposed into a subservice dependency graph that indicates the subservices and dependencies between the subservices that collectively implement the service. Based on the subservice dependency graph, the subservices are configured to record and report subservice metrics indicative of subservice health states of the subservices. The subservice metrics are obtained from the subservices, and the subservice health states of the subservices are determined based on the subservice metrics. A health state of the service is determined based on the subservice health states. One or more of the subservices are reconfigured based on the health state of the service.

Abstract: Techniques are presented in which a new information element signaling priority of a management entity is included in a setup (e.g., S1-Setup) response or configuration update message sent by a management entity to a base station entity. The base station entity interprets this priority information along with the relative capacity information in an appropriate way to load-distribute the traffic/calls to highly preferable management entity instances (at a local site) when they are available, and switchover/failover to lower preference management entity instances (at a remote site) when there is a local site outage/failure or insufficient capacity in a geo-resilient pooled network.

Abstract: Systems, methods, and computer-readable media are disclosed for use of an overlay network termination endpoint as a proxy to collect telemetry data for micro-services or specific applications provided by containers in overlay data centers. In one aspect of the present disclosure, a method includes receiving, at a controller, a probe for flow statistics associated with a service path, the probe including corresponding flow identification information, extracting the corresponding flow identification information from the probe, obtaining the flow statistics from an agent based on the flow identification information, the agent being configured to manage a plurality of containers, generating a response packet including the flow statistics obtained from the agent and sending the response packet to an initiator from which the query is received.

Abstract: Techniques are described to provide service or network function workload preemption. In one example, a method includes identifying a network location at which a first function can be instantiated; determining whether compute resources are available at the network location to instantiate the first function; based on determining that compute resources are available, instantiating the first function; based on determining that compute resources are not available, determining whether preemption of a second function can be performed at the network location, wherein determining whether preemption of the second function can be performed is based, at least in part, on a comparison between a setup priority of the first function and a holdover priority of the second function; and, based on determining that preemption of the second function at the network location can be performed, performing preemption of the second function and instantiating the first function at the network location.

Abstract: A method comprises configuring a service as a collection of subservices on network devices of a network, and decomposing a definition of the service into a subservice dependency graph that indicates the subservices and dependencies between the subservices that implement the service. The method further comprises, based on the subservice dependency graph, configuring a subservice among the subservices to record and report a subservice metric as an indicator of subservice performance. The method further comprises determining a rate at which to obtain values of the subservice metric from the subservice, determining a confidence interval for the values of the subservice metric, and obtaining the values of the subservice metric from the subservice at the rate, to produce values for monitoring the subservice. The method also includes determining whether at least one of the values for monitoring the subservice is within the confidence interval.

Abstract: Techniques for network validation are provided. A first request is received at a first manager component, from a first client. The first client and the first manager component are on a first node of a plurality of nodes, and the first request specifies a desired network service. A first network service endpoint that is capable of providing the desired network service is identified, where the first network service endpoint is on a second node of the plurality of nodes. A connection is established between a first validation agent on the first node and a second validation agent on the second node. Finally, upon determining that the connection between the first and second validation agents satisfies predefined criteria, a connection is established between the first client and the first network service endpoint.

Abstract: Techniques and mechanisms to enable a Bidirectional Forwarding Detection (BFD) Echo function to be used for IP multi-hop paths using IP encapsulation. A source device may encapsulate one or more BFD Echo packets as payloads in IP packets. The resulting IP packets may then be sent from a source device to a destination device over a multi-hop path such that one or more intermediary devices forward the IP packets onto the destination device. Upon receiving the IP packets, the destination device may echo back the one or more BFD Echo packets in the forwarding plane to indicate connectivity of the forwarding path between the devices. However, if the BFD Echo packets are not echoed back to the source device, the source device may determine that the multi-hop path has experienced a fault, and that traffic is to be rerouted through other paths.

Abstract: A method is performed at one or more entities configured to configure and provide assurance for a service enabled on a network. The service is configured as a collection of subservices on network devices of the network. A definition of the service is decomposed into a subservice dependency graph that indicates the subservices and dependencies between the subservices that collectively implement the service. Based on the subservice dependency graph, the subservices are configured to record and report subservice metrics indicative of subservice health states of the subservices. The subservice metrics are obtained from the subservices, and the subservice health states of the subservices are determined based on the subservice metrics. A health state of the service is determined based on the subservice health states. One or more of the subservices are reconfigured based on the health state of the service.

Abstract: A method is performed to provide assurance for a service enabled on a network. A definition of the service is received. The definition includes a service type, a service instance, and configuration information used to enable the service. From the service type and the service instance, a service tag that is unique to the service is generated so as to distinguish the service from other services on the network. Based on the definition, the service is decomposed into a subservice dependency graph of subservices and dependencies between the subservices. Based on the subservice dependency graph, the subservices are configured to record and report subservice metrics indicative of health states of the subservices. The subservice metrics are obtained from the subservices. The service tag is applied to the subservice metrics to produce service-tagged subservice metrics. The service-tagged subservice metrics are analyzed to determine a health state of the service.

Abstract: A system and method for creating a context-aware, conversational chat bot or agent in multi-party conversations where participants have different levels of security access to information and the bot operates in one or more modes depending on the business context of the multi-user collaboration virtual workspace. The methods include adding a bot, as a participant, to a virtual workspace that is a multi-user collaboration workspace, obtaining, at a bot application server, context of the virtual workspace, setting, by the bot application server, a skill set for the bot from among a plurality of skill sets. The skill set varies based on the context of the virtual workspace. The methods further include configuring, by the bot application server, the bot to perform at least one task in the virtual workspace based on the skill set.

Abstract: In one embodiment, a reasoning engine executed by a device, identifies one or more structural breaks in a time series for a particular metric regarding a computer network. The reasoning engine associates the one or more structural breaks in the time series data with a network event. The reasoning engine determines, using symbolic reasoning, a root cause for the network event based on a symbolic knowledge base maintained by the reasoning engine. The reasoning engine provides an indication of the determined root cause for the network event to one or more devices.

Abstract: In one illustrative example, a user plane (UP) entity for use in a mobile network may receive a data packet from a user equipment (UE) operative to communicate in one or more sessions via a serving base station (BS) (e.g. eNB or gNB) of the mobile network. The UP entity may detect, in a header (e.g. SRH) of the data packet, an identifier indicating a new serving BS or session of the UE. The identifier may be UE- or BS-added data (e.g. iOAM data) that is inserted in the header by the UE or BS. In response, the UP entity may cause a message to be sent to an analytics function (e.g. a NWDAF) to perform analytics for session or flow migration for the UE.

Abstract: A method includes configuring services as respective collections of subservices on network devices of a network, and decomposing definitions of the services into subservice dependency graphs each indicating the subservices and dependencies between the subservices that collectively implement a respective one of the services. The method further includes traversing the subservice dependency graphs to identify, at one or more intersections of the subservice dependency graphs, one or more shared subservices among the subservices of the services, wherein the one or more shared subservices are shared by the services. The method also includes monitoring subservice health states of the one or more shared subservices, and determining health states of the services based on the subservice health states of the one or more shared subservices.

Abstract: An electronic device of a content producer generates a chunk of data, associates a location-independent name with the chunk of data, generates a signature for the chunk of data, attaches the signature to the chunk of data, and transmits the chunk of data, with the signature attached, to one or more user devices in response to respective requests. The signature is generated based on the data in the chunk, using a private key of the electronic device. The electronic device also stores information, including a specification of a public key associated with the private key, in a first ledger entry of a blockchain, to provide the one or more user devices with access to the public key. A user device may obtain the public key and use it to verify the chunk of data.