Abstract: In one embodiment, a method by an apparatus of a Border Gateway Protocol (BGP) network includes accessing an attestation token for the apparatus. The method further includes encoding the attestation token in a BGP signaling message. The method further includes sending the BGP signaling message with the encoded attestation token to a second apparatus of the BGP network.

Abstract: In one embodiment, a method includes receiving an ISIS hello message including an attestation token from a second network apparatus, determining that the attestation token is valid for the second network apparatus at a current time, establishing an adjacency to the second network apparatus in response to the determination, computing, based at least on the attestation token, a trust level for a first link from the first network apparatus to the second network apparatus and a trust level for first prefixes associated with the first link, and sending an LSP comprising the trust level for the first link and the trust level for the first prefixes to neighboring network apparatuses, where the trust level for the first link and the trust level for the prefixes are used by the network apparatuses in the network to compute a routing table of the network.

Abstract: In one embodiment, a method includes receiving an OSPF hello message including an attestation token from a second network apparatus, determining that the attestation token is valid for the second network apparatus at a current time, establishing an adjacency to the second network apparatus in response to the determination, computing, based at least on the attestation token, a trust level for a first link from the first network apparatus to the second network apparatus and a trust level for first prefixes associated with the first link, and sending an LSA comprising the trust level for the first link and the trust level for the first prefixes to neighboring network apparatuses, where the trust level for the first link and the trust level for the prefixes are used by the network apparatuses in the network to compute a routing table of the network.

Abstract: In one embodiment, a method includes determining a secure path through a first plurality of network nodes within a network and determining an alternate secure path through a second plurality of network nodes within the network. The method also includes routing network traffic through the first plurality of network nodes of the secure path and detecting a failure in the secure path using single-hop BFD authentication. The method further includes rerouting the network traffic through the second plurality of network nodes of the alternate secure path.

Abstract: In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including receiving a first type-length-value (TLV) associated with a winning flexible algorithm definition (FAD) from a first element of a network. The operations also include determining a security level for the winning FAD based on the TLV. The operations further include determining a data transmission route through a plurality of elements of the network based on the security level for the winning FAD.

Abstract: In one embodiment, an apparatus of a LISP environment includes one or more processors and computer-readable non-transitory storage media coupled to the one or more processors. The computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including receiving an attestation token from a first component of the LISP environment. The operations also include encoding the attestation token using a LISP message format. The operations further include distributing the encoded attestation token with a LISP signaling message to a third component of the LISP environment.

Abstract: In one embodiment, new Segment Routing capabilities are used in the steering of packets through Segment Routing nodes in a network. A Segment List includes a set of one or more Segment List (SL) Groups, each of which identifies one or more Segments contiguously or non-contiguously stored in the Segment List (or stored across multiple Segment Lists) of a Segment Routing packet. Each SL Group typically includes one Segment that is encoded as a Segment Identifier, and may include Segments that are Extended Values. The steering order of SL Groups is not required to be the same order as they are listed in the Segment List, as the value of Segments Left may be increased, remain the same, or decreased (possibly to skip a next SL Group) and possibly based on the result of an evaluation of a conditional expression.

Abstract: In one illustrative example, a router node is configured for use in a network having a plurality of interconnected router nodes for routing packets according to segment routing (SR). Router nodes of a first network slice are configured to establish routes based on first path determination criteria associated with a first identifier, and router nodes of a second network slice are configured to establish routes based on second path determination criteria associated with a second identifier. Each router node in the first network slice may operate as a unit under test (UUT) and validate isolation from network resources in the second network slice. An operator of the network may be alerted when an isolation failure is detected.

Abstract: An apparatus and method is disclosed for segment routing (SR) over label distribution protocol (LDP). In one embodiment, the method includes a node receiving a packet with an attached segment ID. In response, the node may attach a label to the packet. Thereafter, the node may forward the packet with the attached label and segment ID to another node via a label switched path (LSP).

Abstract: In one embodiment, segment routing (SR) network processing of packets is performed on packets having a segment identifier structure providing processing and/or memory efficiencies. Responsive to an identified particular segment routing policy, the particular router retrieves from memory a dynamic segment routing identifier portion of the particular SR policy that includes a SR node value and a SR function value. The SR function value identifies segment routing processing to be performed by a router in the network identified based on the SR node value. A segment routing discriminator is independently identified, possibly being a fixed value for all segment identifiers in the network. Before sending into the network, a complete segment identifier is added to the particular packet by combining the segment routing discriminator with the dynamic segment routing identifier portion. The particular packet including the complete segment identifier is sent into the network.

Abstract: In one embodiment, a third-party client network access device sends Internet Protocol (IP) encapsulating packets with a predetermined destination address of a node of the network client service provider (NCSP), with these IP encapsulating packets encapsulating original data packets. These IP encapsulating packets are communicated through the ISP network being used by the NCSP in providing its network services. The predetermined destination address, which is typically also a segment identifier, causes network service processing (e.g., according to a corresponding segment routing function) of the received packet by the node of the NCSP. This processing typically includes creating a segment routing packet encapsulating the original packet (extracted from the received IP encapsulating packet) with its segment list(s) being populated with segment identifier(s) according to a current NCSP segment routing policy reflective of a sequence of forwarding and service chaining operations of the NCSP service offering.

Abstract: Various systems and methods for using strict path forwarding. For example, one method involves receiving an advertisement at a node. The advertisement includes a segment identifier (SID). In response to receiving the advertisement, the node determines whether the SID is a strict SID or not. If the SID is a strict SID, the node generates information, such as forwarding information that indicates how to forward packets along a strict shortest path corresponding to the strict SID.

Abstract: In one embodiment, a method includes monitoring traffic in a Segment Routing (SR) network through a collection of a Segment Routing Demand Matrix (SRDM) at a Traffic Engineering (TE) system operating at a network device, receiving topology information for the SR network at the TE system, modeling the SR network based on the topology information and the SRDM at the TE system, identifying a violation of a constraint in the SR network at the TE system, and running an optimization algorithm for SR optimization of constraints in the SR network at the TE system, wherein the optimization comprises limiting a number of Segment Identifiers (SIDs) used in a SR policy implemented to resolve the constraint violation. An apparatus is also disclosed herein.

Abstract: The present technology is directed to a scalable solution for end-to-end performance delay measurement for Segment Routing Policies on both SR-MPLS and SRv6 data planes. The scalability of the solution stems from the use of distributed PM sessions along SR Policy ECMP paths. This is achieved by dividing the SR policy into smaller sections comprised of SPT trees or sub-paths, each of which is associated with a Root-Node. Downstream SID List TLVs may be used in Probe query messages for signaling SPT information to the Root-Nodes Alternatively, this SPT signaling may be accomplished by using a centralized controller. Root-Nodes are responsible for dynamically creating PM sessions and measuring delay metrics for their associated SPT tree section. The root-nodes then send the delay metrics for their local section to an ingress PE node or to a centralized controller using delay metric TLV field of the response message.

Abstract: The present technology is directed to a system and method for implementing network resource partitioning and Quality of Service (QoS) separation through network slicing. Embodiments of the present invention describe scalable network slicing method based on defining Segment Routing Flexible Algorithm to represent a network slice and assigning a distinct QoS policy queue to each of the Flexible Algorithms configured on a network node. Therefore, scalable network slice based queuing is implemented wherein a single packet processing queue is assigned to each Flex-Algorithm based network slice. QoS policy queue may be implemented in a hierarchical fashion by differentiation between flow packets in a single QoS policy queue based on value of experimental bits in the header.

Abstract: In one embodiment, a segment routing and tunnel exchange provides packet forwarding efficiencies in a network, including providing an exchange between a segment routing domain and a packet tunnel domain. One application includes the segment routing and tunnel exchange interfacing segment routing packet forwarding (e.g., in a Evolved Packet Core (EPC) and/or 5-G user plane) and packet tunnel forwarding in access networks (e.g., replacing a portion of a tunnel between an access node and a user plane function for accessing a corresponding data network). In one embodiment, a network provides mobility services using a segment routing data plane that spans segment routing and tunnel exchange(s) and segment routing-enabled user plane functions. One embodiment uses the segment routing data plane without any modification to a (radio) access network (R)AN (e.g., Evolved NodeB, Next Generation NodeB) nor to user equipment (e.g., any end user device).

Abstract: Techniques for implementing bi-directional paths in a segment routing communication network are described. A first segment routing policy, including a first path from a first node in the communication network to a second node in the communication network, is installed. A second segment routing policy, including a second path from the second node to the first node in the communication network, is installed. At the first node, a first identifier associated with the first segment routing policy is bound to a second association identifier associated with the second segment routing policy. At the second node, a second identifier associated with the second segment routing policy is bound to a first association identifier associated with the first segment routing policy.

Abstract: Techniques are provided for determining end-to-end path delay measurements. In one embodiment, a method includes identifying equal-cost multi-path (ECMP) sections comprising at least two different ECMP paths in a network comprising a plurality of nodes. In response to receiving a request to determine a delay measurement for end-to-end paths from an ingress node to an egress node through the network, the method includes determining sets of ECMP sections that are between the ingress node and the egress node and determining a plurality of paths through each set of ECMP sections. The method includes measuring delay for each of the plurality of paths using probe packets and determining delay measurements for all end-to-end paths. The delay measurements for end-to-end paths include a first subset including measured delays from the probe packets and a second subset calculated using combinations of measured delays.

Abstract: In one illustrative example, a network node (e.g. a router or switch) may receive a data packet and timestamp a copy of the data packet. The node may also compute a signature for the copy and insert the signature in a header of the copy. The node may send the copy to a controller for correlation with one or more other timestamped data packet copies of the data packet from one or more other network nodes having the same signature and for the computation of delay. The original data packet may be forwarded to a next network node without any timestamp or other metadata added to it. The processing of the data packets may be performed as part of a function for punting the timestamped data packet copy and forwarding, or as a function for forwarding and punting the timestamped data packet copy.

Abstract: In one embodiment, segment routing (SR) network processing of packets is performed on packets having a segment identifier structure providing processing and/or memory efficiencies. Responsive to an identified particular segment routing policy, the particular router retrieves from memory a dynamic segment routing identifier portion of the particular SR policy that includes a SR node value and a SR function value. The SR function value identifies segment routing processing to be performed by a router in the network identified based on the SR node value. A segment routing discriminator is independently identified, possibly being a fixed value for all segment identifiers in the network. Before sending into the network, a complete segment identifier is added to the particular packet by combining the segment routing discriminator with the dynamic segment routing identifier portion. The particular packet including the complete segment identifier is sent into the network.