Abstract: A method, computer system, and computer program product are provided for performing admission control tasks. A universal reference for an executing application is obtained, wherein the universal reference identifies one or more components of the executing application by additional universal references assigned to the one or more components. A description of the executing application is determined by enumerating each additional universal reference of the one or more components and additional sub-components, wherein the description exhaustively identifies components and sub-components of the executing application. The identified one or more components and sub-components are assessed to perform an admission control operation between the executing application and a second application.

Abstract: Systems, methods, and devices are disclosed for re-routing network traffic directed to a pod device. Traffic is routed from an ingress device towards a first node in communication with multiple pods. In response to the detection of a failure event associated with the first pod, a network device address of the first pod is removed from a routing table. If a packet is received from the ingress device that is destined for a service, the routing table is used to look up a pod for handling a service request associated with the service. A network device address of a second pod is determined based on not finding the network device address of the first pod in the routing table. The packet is then forwarded to the second pod using the second device address before the ingress device knows that the first pod has failed.

Abstract: A method, computer system, and computer program product are provided for performing logging, securing communications, and performing digital forensics tasks based on universal references for hardware and/or software configurations. A universal reference, obtained by a first entity, is included in a request of a second entity, wherein the universal reference identifies one or more components of the second entity using additional universal references assigned to each of the one or more components. It is determined whether the first entity is authorized to receive data from the second entity based on the universal reference. Based on the determining, data is received from the second entity.

Abstract: In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.

Abstract: In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.

Abstract: A method, computer system, and computer program product are provided for performing policy enforcement, attestation, and network forensics. A universal reference for a computing entity is obtained, wherein the universal reference identifies one or more components of the computing entity by additional universal references assigned to the one or more components. A hierarchical description of the computing entity is determined by enumerating each additional universal reference of the one or more components and additional sub-components, wherein the hierarchical description exhaustively identifies the components and sub-components of the computing entity. The hierarchical description is analyzed by accessing a database to identify mappings of the one or more additional universal references to the one or more components and sub-components.

Abstract: Systems and methods provide for segment routing (SR) with fast reroute in a container network. An SR ingress can receive a packet from a first container destined for a container service. The ingress can generate an SR packet including a segment list comprising a first segment to a first container service host, a second segment to a second service host, and a third segment to the service. The ingress can forward the SR packet to a first SR egress corresponding to the first host using the first segment. The first egress can determine whether the first service and/or host is reachable. If so, the first egress can forward the SR packet to the first host or the packet to the service. If not, the first egress can perform a fast reroute and forward the SR packet to a second SR egress corresponding to the second host using the second segment.

Abstract: Techniques for network validation are provided. A first request is received at a first manager component, from a first client. The first client and the first manager component are on a first node of a plurality of nodes, and the first request specifies a desired network service. A first network service endpoint that is capable of providing the desired network service is identified, where the first network service endpoint is on a second node of the plurality of nodes. A connection is established between a first validation agent on the first node and a second validation agent on the second node. Finally, upon determining that the connection between the first and second validation agents satisfies predefined criteria, a connection is established between the first client and the first network service endpoint.

Abstract: A first node in a service mesh is configured to perform one or more services on network traffic obtained from an upstream network element via a pre-existing Transmission Control Protocol (TCP) session and provide the network traffic obtained from the upstream network element via the pre-existing TCP session to a downstream network element. The first node determines that the first node should no longer obtain the network traffic from the upstream network element via the pre-existing TCP session. In response, the first node provides state information for the pre-existing TCP session to the downstream network element. The downstream network element is configured to establish a new TCP session having the state information for the pre-existing TCP session with the upstream network element and to obtain further network traffic from the upstream network element via the new TCP session. The first node terminates the pre-existing TCP session.

Abstract: In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.

Abstract: Techniques for network validation are provided. A first request is received at a first manager component, from a first client. The first client and the first manager component are on a first node of a plurality of nodes, and the first request specifies a desired network service. A first network service endpoint that is capable of providing the desired network service is identified, where the first network service endpoint is on a second node of the plurality of nodes. A connection is established between a first validation agent on the first node and a second validation agent on the second node. Finally, upon determining that the connection between the first and second validation agents satisfies predefined criteria, a connection is established between the first client and the first network service endpoint.

Abstract: Systems and methods provide for segment routing (SR) with fast reroute in a container network. An SR ingress can receive a packet from a first container destined for a container service. The ingress can generate an SR packet including a segment list comprising a first segment to a first container service host, a second segment to a second service host, and a third segment to the service. The ingress can forward the SR packet to a first SR egress corresponding to the first host using the first segment. The first egress can determine whether the first service and/or host is reachable. If so, the first egress can forward the SR packet to the first host or the packet to the service. If not, the first egress can perform a fast reroute and forward the SR packet to a second SR egress corresponding to the second host using the second segment.

Abstract: Systems and methods provide for segment routing (SR) with fast reroute in a container network. An SR ingress can receive a packet from a first container destined for a container service. The ingress can generate an SR packet including a segment list comprising a first segment to a first container service host, a second segment to a second service host, and a third segment to the service. The ingress can forward the SR packet to a first SR egress corresponding to the first host using the first segment. The first egress can determine whether the first service and/or host is reachable. If so, the first egress can forward the SR packet to the first host or the packet to the service. If not, the first egress can perform a fast reroute and forward the SR packet to a second SR egress corresponding to the second host using the second segment.

Abstract: A first node in a service mesh is configured to perform one or more services on network traffic obtained from an upstream network element via a pre-existing Transmission Control Protocol (TCP) session and provide the network traffic obtained from the upstream network element via the pre-existing TCP session to a downstream network element. The first node determines that the first node should no longer obtain the network traffic from the upstream network element via the pre-existing TCP session. In response, the first node provides state information for the pre-existing TCP session to the downstream network element. The downstream network element is configured to establish a new TCP session having the state information for the pre-existing TCP session with the upstream network element and to obtain further network traffic from the upstream network element via the new TCP session. The first node terminates the pre-existing TCP session.

Abstract: Systems, methods, and devices are disclosed for re-routing network traffic directed to a pod device. Traffic is routed from an ingress device towards a first node in communication with multiple pods. In response to the detection of a failure event associated with the first pod, a network device address of the first pod is removed from a routing table. If a packet is received from the ingress device that is destined for a service, the routing table is used to look up a pod for handling a service request associated with the service. A network device address of a second pod is determined based on not finding the network device address of the first pod in the routing table. The packet is then forwarded to the second pod using the second device address before the ingress device knows that the first pod has failed.

Abstract: Systems and methods provide for segment routing (SR) with fast reroute in a container network. An SR ingress can receive a packet from a first container destined for a container service. The ingress can generate an SR packet including a segment list comprising a first segment to a first container service host, a second segment to a second service host, and a third segment to the service. The ingress can forward the SR packet to a first SR egress corresponding to the first host using the first segment. The first egress can determine whether the first service and/or host is reachable. If so, the first egress can forward the SR packet to the first host or the packet to the service. If not, the first egress can perform a fast reroute and forward the SR packet to a second SR egress corresponding to the second host using the second segment.