Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: A particular fat tree network node stores default routing information indicating that the particular fat tree network node can reach a plurality of parent fat tree network nodes of the particular fat tree network node. The particular fat tree network node obtains, from a first parent fat tree network node of the plurality of parent fat tree network nodes, a negative disaggregation advertisement indicating that the first parent fat tree network node cannot reach a specific destination. The particular fat tree network node determines whether the first parent fat tree network node is the only parent fat tree network node of the plurality of parent fat tree network nodes that cannot reach the specific destination. If so, the particular fat tree network node installs supplemental routing information indicating that every parent fat tree network node except the first parent fat tree network node can reach the specific destination.

Abstract: This disclosure describes techniques for authenticating a user device for a session. For instance, an authentication entity may authenticate a user device using single sign-on authentication and/or multi-factor authentication. The authentication entity may then determine a duration for which the user device is authenticated for the session. For example, the authentication entity may receive information representing a state of an environment of the user device. The authentication entity may then use the information to identify one or more transitions associated with the environment between the session and a previous session. Using the one or more transitions, the authentication entity may determine the duration for the session by increasing or decreasing a previous duration associated with the previous session.

Abstract: In one embodiment, a device in a mesh network joins a source-destination oriented partial directed acyclic graph (SDO-PDAG) between a source node and a destination node in the network. The device receives operations, administration and maintenance (OAM) packets flooded along reverse paths of the SDO-PDAG. The device determines, based on the received OAM packets, packet drop rate (PDR) capacities of different paths between the device and the destination node. The device replicates a data packet sent from the source node to the destination node along two or more of the paths between the device and the destination node, based on the determined PDR capacities of those paths.

Abstract: This disclosure describes techniques for device to device authentication. For instance, a first device may detect a second device, such as when a user physically attaches the second device to the first device or when the second device wireless communicates with the first device. A component of the first device and/or an authentication entity may then determine to authenticate the second device. In some instances, the component determines to authenticate the second device using information associated with an environment of the second device. To authenticate the second device, the authentication entity may send a request to a user, receive a response from the user, and then verify the response. After the authentication, the first device may determine that the second device includes a trusted device and establish a connection with the second device.

Abstract: Various embodiments disclosed herein enable performing energy detection on a subset of a channel. In various embodiments, a method of performing energy detection is performed by a computing device. In various embodiments, the computing device includes a wireless transceiver, one or more processors, and a non-transitory memory. In various embodiments, the method includes performing energy detection on one or more overlapping portions of a first channel and a second channel. In some embodiments, the method includes determining whether a detected energy level from the energy detection satisfies a threshold. In some embodiments, the method includes transmitting a signal into the first channel based on the threshold being satisfied.

Abstract: Presented herein are techniques that aggregate messages using a subroot node. A plurality of messages is received from a corresponding plurality of nodes by a subroot node acting as a proxy in a wireless mesh sub-network. The plurality of messages is aggregated into a single message according to a template. The single message is wireless transmitted to a root node, wherein the root node has a wired connection to a network.

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PM) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

Abstract: In one embodiment, a device in a network receives a query walker agent configured to query information from a distributed set of devices in the network based on a query. The device executes the query walker agent to identify the query. The device updates state information of the executing query walker agent using local information from the device and based on the query. The device unloads the executing query walker agent after updating the state information. The device propagates the query walker agent with the updated state information to one or more of the distributed set of devices in the network, when the updated state information does not fully answer the query.

Abstract: In one embodiment, a device in a network sends Bidirectional Forwarding Detection (BFD) probes along a network tunnel associated with the device, to collect telemetry regarding the network tunnel. The device monitors an overhead associated with sending the BFD probes along the network tunnel. The device makes a determination that the overhead associated with sending the BFD probes along the network tunnel is unacceptable. The device switches, based on the determination, from sending BFD probes along the network tunnel to modifying data traffic sent via the network tunnel, to collect telemetry regarding the network tunnel.

Abstract: In one embodiment, a device in a network sends Bidirectional Forwarding Detection (BFD) probes along a network tunnel associated with the device, to collect telemetry regarding the network tunnel. The device monitors an overhead associated with sending the BFD probes along the network tunnel. The device makes a determination that the overhead associated with sending the BFD probes along the network tunnel is unacceptable. The device switches, based on the determination, from sending BFD probes along the network tunnel to modifying data traffic sent via the network tunnel, to collect telemetry regarding the network tunnel.

Abstract: In one embodiment, a device configures a plurality of subinterfaces for each of a plurality of physical ports of a software defined network (SDN). The device allocates a fixed amount of bandwidth to each of the subinterfaces. The device forms a plurality of midlays for the SDN by assigning subsets of the plurality of subinterfaces to each of the midlays. The device assigns a network slice to one or more of the midlays, based on a bandwidth requirement of the network slice.

Abstract: In one embodiment, a supervisory device in a network receives a help request from a first node in the network indicative of a problem in the network detected by the first node. The supervisory device identifies a second node in the network that is hosting a repair walker agent able to address the detected problem. The supervisory device determines a network path via which the second node is to send repair walker agent to the first node. The supervisory device instructs the second node to send the repair walker agent to the first node via the determined path.

Abstract: In one embodiment, a service receives a feature availability report indicative of which telemetry variables are available at a device in a network and resource costs associated with data features that the device could compute from the telemetry variables. The service selects at least a subset of the data features for input to a machine learning model, based on their associated resource costs and on their respective impacts on one or more performance metrics for the machine learning model. The service trains the machine learning model to evaluate the selected data features. The service sends the trained machine learning model to the device. The device computes the selected data features from the telemetry variables available at the device and uses the computed data features as input to the machine learning model.

Abstract: In one embodiment, a device in a network receives a path computation agent configured to determine a path in the network that satisfies an objective function. The device executes the path computation agent to update state information regarding the network maintained by the path computation agent. The device selects a neighbor of the device in the network to execute the path computation agent based on the updated state information regarding the network. The device instructs the selected neighbor to execute the path computation agent with the updated state information regarding the network. The device unloads the path computation agent from the device after selecting the neighbor of the device to execute the path computation agent.

Abstract: In one embodiment, a device in a mesh network joins a source-destination oriented partial directed acyclic graph (SDO-PDAG) between a source node and a destination node in the network. The device receives operations, administration and maintenance (OAM) packets flooded along reverse paths of the SDO-PDAG. The device determines, based on the received OAM packets, packet drop rate (PDR) capacities of different paths between the device and the destination node. The device replicates a data packet sent from the source node to the destination node along two or more of the paths between the device and the destination node, based on the determined PDR capacities of those paths.

Abstract: The aspects ensure redundancy by including at least two access points (APs), in an environment, that are capable of serving at least one station (STA). A first AP functions as a primary AP and a second AP functions as a secondary AP. The primary AP can send a layer 2 (L2) control message, for example, a Target Wait Time (TWT) response, to a STA. The primary AP may then wait for an indication (e.g., an Acknowledgement (ACK) signal) of receipt of the L2 control message. The primary AP can also provide the L2 control message to the secondary AP that covers the same room. In at least some configurations, the L2 control message includes metadata about when the secondary AP is to send the copy of the L2 control message over the air. The secondary AP can then relay the L2 control message to the STA.

Abstract: Presented herein are techniques that aggregate messages using a subroot node. A plurality of messages is received from a corresponding plurality of nodes by a subroot node acting as a proxy in a wireless mesh sub-network. The plurality of messages is aggregated into a single message according to a template. The single message is wireless transmitted to a root node, wherein the root node has a wired connection to a network.

Abstract: In one embodiment, a tracking device detects a first device connecting to a computer network, and forces an install of fake routing information on the first device that is unique to the first device. Upon detecting a second device connecting to the computer network, the second device having at least one identifying property in common with the first device and at least one identifying property differing from the first device, the tracking device may then query the second device to determine if the second device knows the fake routing information unique to the first device. As such, the tracking device may then determine that the second device is the first device in response to the second device knowing the fake routing information unique to the first device.

Abstract: Disclosed are systems, methods, and computer-readable media for integrating deterministic packet transmissions scheduling of short range local area networks (e.g., 6TiSCH networks) with deterministic packet transmission scheduling for wireless networks such as LTE/4G/5G networks. In one aspect, a wireless communication network includes a plurality of first nodes configured to communicate using a first communication protocol; and a second node configured to communicate with the plurality of first nodes using the first communication protocol and configured to communicate with a third node using a second communication protocol, the second node being further configured to map corresponding transmission schedule of the first communication protocol to a second transmission schedule for the second communication protocol.