Abstract: This disclosure describes techniques for selectively placing and maintaining sensitive workloads in subsystems that achieve a minimum level of trustworthiness. An example method includes identifying at least one trustworthiness requirement associated with an application and transmitting, to a first subsystem, a request for at least one trustworthiness characteristic of the first subsystem and at least one second subsystem connected to the first subsystem. A response indicating the at least one trustworthiness characteristic is received from the first subsystem. The example method further includes determining that the at least one trustworthiness characteristic satisfies the at least one trustworthiness requirement; and causing the application to operate on a mesh comprising the first subsystem and the at least one second subsystem.

Abstract: A Domain Name System (DNS) device stores data indicative of a user device and data indicative of a policy setting a level of access of the user device to a responding device. The DNS device receives, from the user device, a request for an Internet Protocol address of the responding device. The DNS device determines, based upon the request and the data indicative of the user device, that the policy applies to the request. The DNS device applies the policy in response to the determining.

Abstract: At an authentication server, a request for at least a first dynamic host configuration protocol (DHCP) option is received from a client device, and it is determined if the authentication server implements DHCP. Based at least in part on a determination that the authentication server does not implement a DHCP, the operations further include transmitting an application program interface (API) call to a DHCP server associated with the authentication server acting as a DHCP gateway, receiving a response from the DHCP server, and transmitting the response to the client device.

Abstract: Embodiments identify a station that rotates an over the air station address. As address rotation was not originally designed into wireless networks, the rotation can introduce communication challenges for the station. The embodiments derive that traffic referencing two different over the air station addresses are associated with a single common station. This is accomplished by determining a similarity between properties of two sets of traffic. A first set of traffic references the first over the air station address and a second set of traffic references the second over the air station address. If the properties common across the two sets of traffic indicate sufficient similarity, the embodiments determine that both sets of traffic are associated with a single device. Network configuration of the device is then adjusted based on the determination.

Abstract: Embodiments identify a station that rotates an over the air station address. As address rotation was not originally designed into wireless networks, the rotation can introduce communication challenges for the station. The embodiments derive that traffic referencing two different over the air station addresses are associated with a single common station. This is accomplished by determining a similarity between properties of two sets of traffic. A first set of traffic references the first over the air station address and a second set of traffic references the second over the air station address. If the properties common across the two sets of traffic indicate sufficient similarity, the embodiments determine that both sets of traffic are associated with a single device. Network configuration of the device is then adjusted based on the determination.

Abstract: Techniques for authenticating and enforcing differentiated policies for a virtual machine (VM) executing in bridge mode on a wireless host device in a media access control (MAC)-based authentication network are described. In an example method a wireless host device is authorized to join a fabric enabled wireless network. A VM executes in bridge mode on the wireless host device. At the fabric edge, a source MAC address of the VM is determined. A session is created between the VM and an authentication server. The VM is authenticated. A policy for the VM is determined. A source internet protocol (IP) address is assigned to the VM to create a MAC-IP binding. A data-plane device in the fabric enabled wireless network is programmed to apply the policy to traffic communicated with the VM. Finally, the data-plane device applies the policy for the VM based at least in part on the MAC-IP binding.

Abstract: In one embodiment, a method includes receiving one or more 5G software-defined wide area network (SD-WAN) policies, identifying one or more identity-based policies from the one or more 5G SD-WAN policies, communicating the identified one or more identity-based policies to one or more WAN routers, communicating one or more 5G bindings to the one or more WAN routers, and applying the identified one or more identity-based policies to one or more flows between the one or more WAN routers.

Abstract: This disclosure describes techniques for selectively placing and maintaining sensitive workloads in subsystems that achieve a minimum level of trustworthiness. An example method includes identifying at least one trustworthiness requirement associated with an application and transmitting, to a first subsystem, a request for at least one trustworthiness characteristic of the first subsystem and at least one second subsystem connected to the first subsystem. A response indicating the at least one trustworthiness characteristic is received from the first subsystem. The example method further includes determining that the at least one trustworthiness characteristic satisfies the at least one trustworthiness requirement; and causing the application to operate on a mesh comprising the first subsystem and the at least one second subsystem.

Abstract: At an authentication server, a request for at least a first dynamic host configuration protocol (DHCP) option is received from a client device, and it is determined if the authentication server implements DHCP. Based at least in part on a determination that the authentication server does not implement a DHCP, the operations further include transmitting an application program interface (API) call to a DHCP server associated with the authentication server acting as a DHCP gateway, receiving a response from the DHCP server, and transmitting the response to the client device.

Abstract: A Domain Name System (DNS) device stores data indicative of a user device and data indicative of a policy setting a level of access of the user device to a responding device. The DNS device receives, from the user device, a request for an Internet Protocol address of the responding device. The DNS device determines, based upon the request and the data indicative of the user device, that the policy applies to the request. The DNS device applies the policy in response to the determining.

Abstract: Embodiments identify a station that rotates an over the air station address. As address rotation was not originally designed into wireless networks, the rotation can introduce communication challenges for the station. The embodiments derive that traffic referencing two different over the air station addresses are associated with a single common station. This is accomplished by determining a similarity between properties of two sets of traffic. A first set of traffic references the first over the air station address and a second set of traffic references the second over the air station address. If the properties common across the two sets of traffic indicate sufficient similarity, the embodiments determine that both sets of traffic are associated with a single device. Network configuration of the device is then adjusted based on the determination.

Abstract: A data model can be customized by a user and executed in real-time at a network device. The user provides definitions for the customized data model based on a data model locally stored on the network device. The user provided definitions are used to generate a mapping contract which is processed by a mapping package generator to generate a mapping package. The mapping package can then be processed by a translation engine to dynamically execute a customized data model in real-time.

Abstract: A method comprising obtaining from a first service-providing device, a plurality of service capability indicators for a set of interconnected devices. The plurality of service capability indicators are indicative of a corresponding plurality of service capabilities according to which the first service-providing device is providing services to one or more nodes. The method further comprises mapping the plurality of service capability indicators to a service capability label according to satisfaction of a continuity criterion. The service capability label corresponds to a representation of the plurality of service capabilities associated with a connection to the first service-providing device. The method further comprises providing the service capability label to the one or more nodes in order to provide the representation of the plurality of service capabilities associated with the connection to the first service-providing device.

Abstract: A data model can be customized by a user and executed in real-time at a network device. The user provides definitions for the customized data model based on a data model locally stored on the network device. The user provided definitions are used to generate a mapping contract which is processed by a mapping package generator to generate a mapping package. The mapping package can then be processed by a translation engine to dynamically execute a customized data model in real-time.

Abstract: A method comprising obtaining from a first service-providing device, a plurality of service capability indicators for a set of interconnected devices. The plurality of service capability indicators are indicative of a corresponding plurality of service capabilities according to which the first service-providing device is providing services to one or more nodes. The method further comprises mapping the plurality of service capability indicators to a service capability label according to satisfaction of a continuity criterion. The service capability label corresponds to a representation of the plurality of service capabilities associated with a connection to the first service-providing device. The method further comprises providing the service capability label to the one or more nodes in order to provide the representation of the plurality of service capabilities associated with the connection to the first service-providing device.

Abstract: A method is provided in one example and includes allocating a first queue, allocating at least two default queues, where the at least two default queues depend from the first queue, allocating a plurality of local queues that each depend from one of the at least two defaults queues, receiving data in a data stream, determining a quality of service (QoS) associated with the data, and assigning the data to one of the plurality of local queues based on the determined QoS. In an example, the QoS is a differentiated services code point.

Abstract: A method is provided in one example and includes allocating a first queue, allocating at least two default queues, where the at least two default queues depend from the first queue, allocating a plurality of local queues that each depend from one of the at least two defaults queues, receiving data in a data stream, determining a quality of service (QoS) associated with the data, and assigning the data to one of the plurality of local queues based on the determined QoS. In an example, the QoS is a differentiated services code point.

Abstract: Techniques are provided for asserting an identity of a client device with a server. A request is received from a client device to access processes hosted by the server. Network identifier information associated with the client device is obtained from the request. Confirmation of authentication of the client device is requested from an identity authentication server using the network identifier information. Access is provided to the client device for the processes hosted by the server when authentication of the client device is confirmed by the identity authentication server.