Abstract: At a networking device, a method includes obtaining, according to a predefined protocol, a first plurality of attestation vectors from a corresponding plurality of candidate next-hop nodes. Each of the plurality of candidate next-hop nodes is included within a respective route between a particular node and a destination node. The method further includes determining at plurality of confidence scores. Each of the plurality of confidence scores is based on at comparison between a corresponding one of the first plurality of attestation vectors and a trusted image vector. The method further includes selecting, from the plurality of confidence scores, a particular confidence score that satisfies one or more selection criteria. Each of the particular confidence score is associated with a particular candidate next-hop node of the plurality of candidate next-hop nodes. The method further includes directing, to the particular candidate next-hop node, a data packet destined for the destination node.

Abstract: An example method for facilitating conflict avoidant traffic routing in a network environment is provided and includes detecting, at a network element, an intent conflict at a peer network element in a network, and changing a forwarding decision at the network element to steer traffic around the conflicted peer network element. The intent conflict refers to an incompatibility between an asserted intent associated with the traffic and an implemented intent associated with the traffic. In specific embodiments, the detecting includes mounting rules from the peer network element into the network element, and analyzing the mounted rules to determine intent conflict. In some embodiments, a central controller in the network deploys one or more intentlets on a plurality of network elements in the network according to corresponding intent deployment parameters.

Abstract: A method comprising obtaining from a first service-providing device, a plurality of service capability indicators for a set of interconnected devices. The plurality of service capability indicators are indicative of a corresponding plurality of service capabilities according to which the first service-providing device is providing services to one or more nodes. The method further comprises mapping the plurality of service capability indicators to a service capability label according to satisfaction of a continuity criterion. The service capability label corresponds to a representation of the plurality of service capabilities associated with a connection to the first service-providing device. The method further comprises providing the service capability label to the one or more nodes in order to provide the representation of the plurality of service capabilities associated with the connection to the first service-providing device.

Abstract: In one illustrative example, a network node configured for packet flow verification may receive a packet from a host (e.g. a wireless mobile device operating in a wireless network) and obtain, from a header of the packet, data indicative of one or more traversed network node or service function identities. The identities may correspond to one or more traversed network nodes or service functions through which the packet has traversed in a non-steered communication having an unspecified path. Each received data indicative of a traversed network node or service function identity may be network node-added data, provided as part of in-situ Operations, Administration, and Maintenance (iOAM) data.

Abstract: Computer systems and methods for allocating bandwidth so that server computers can send data to a client computer without exceeding the available bandwidth between the server computers and the client computer, or the processing bandwidth or capacity of the client computer, are discussed herein.

Abstract: An aspect of the present disclosure aims to reduce problems associated with data acquisition of a rule set. Systems and methods enabling a semantic reasoner to stage acquisition of data objects necessary to bring each of the rules stored in the knowledge base to a conclusion are disclosed. To that end, a dependency chain is constructed, identifying whether and how each rule depends on other rules. Based on the dependency chain, the rules are assigned to difference epochs and reasoning engine is configured to perform machine reasoning over rules of each epoch sequentially. Moreover, when processing rules of each epoch, data objects referenced by the rules assigned to a currently processed epoch are acquired according to a certain order established based on criteria such as e.g. cost of acquisition of data objects. Such an approach provides automatic determination and just-in-time acquisition of data objects required for semantic reasoning.

Abstract: A method and apparatus for network resource allocation is provided. In some embodiments, the method comprises determining a subscriber limit rate at which a subscriber computer can process updates received from a plurality of publisher computers, wherein each of the updates comprises an electronic digital message received over a computer network; determining, for each publisher computer of the plurality of publisher computers, a not-to-exceed rate of updates sent to the subscriber computer and storing a plurality of the offered rates; determining by the subscriber computer, for each publisher computer of the plurality of publisher computer, a utility of updates sent by the publisher computer and storing a plurality of the utilities; assigning to each publisher computer of the plurality of publisher computers a publisher limit rate at which the respective publisher computer sends updates to the subscriber computer using the offered rate and the utility of updates of the respective publisher computer.

Abstract: An example method executed by a semantic reasoner is disclosed. The method includes identifying, from a plurality of rules, one or more pairs of chained rules, and, from the one or more pairs of chained rules, assigning rules chained together to a respective rule-set of P rule-sets. The method also includes assigning individuals, from a plurality of individuals referenced by the plurality of rules, referenced by each rule-set of the P rule-sets to an individual-set associated with the each rule-set and mapping the rules from the each rule-set and the individuals from the individual-set associated with the each rule-set into a respective knowledge base instance associated with the each rule-set. Such a method ensures knowledge completeness and sound inference while allowing parallel semantic reasoning within a given stream window.

Abstract: A method is provided in one example and includes allocating a first queue, allocating at least two default queues, where the at least two default queues depend from the first queue, allocating a plurality of local queues that each depend from one of the at least two defaults queues, receiving data in a data stream, determining a quality of service (QoS) associated with the data, and assigning the data to one of the plurality of local queues based on the determined QoS. In an example, the QoS is a differentiated services code point.

Abstract: Techniques are provided by which devices in a network may subscribe to a rapidly changing rules in central threat repository. The policies associated with threats are filtered so that just current attack vectors from within subnets learned via routing and/or forwarding information (at the network level of the network) are installed in the local access control list/policy database of the network devices. As routing changes occur, the list of applied policies are continually refined/revisited and pulled from a central security application. Publish/subscribe mechanisms ensure “zombie” policies are not left over in the device after reboot or routing changes occur.

Abstract: A method is provided in one example and includes allocating a first queue, allocating at least two default queues, where the at least two default queues depend from the first queue, allocating a plurality of local queues that each depend from one of the at least two defaults queues, receiving data in a data stream, determining a quality of service (QoS) associated with the data, and assigning the data to one of the plurality of local queues based on the determined QoS. In an example, the QoS is a differentiated services code point.

Abstract: Techniques related to efficient transport of data encoded using multiple templates are disclosed. A sending computing device sends an internet message including internet message segments toward a receiving computing device. The internet message stores information about a data object that includes property types corresponding to property values. A portion of the data object includes multiple instances of a particular property type, and each instance corresponds to a property value. The internet message segments store the property values according to multiple templates, and each internet message segment corresponds to a template. Among the multiple templates is a particular template for the portion of the data object that includes the multiple instances of the particular property type. The multiple templates include fields that correspond to field identifiers.

Abstract: An example method for facilitating network control and management using semantic reasoners in a network environment is provided and includes generating a fully populated semantics model of the network from network data according to a base network ontology of the network, mapping the fully populated semantics model to a network knowledge base, feeding contents of the network knowledge base to a semantic reasoner, and controlling and managing the network using the semantic reasoner. In specific embodiments, generating the model includes receiving the network data from the network, parsing the network data, loading the parsed network data into in-memory data structures, accessing a manifest specifying binding between a network data definition format and ontology components of the base network ontology, identifying ontology components associated with the network data based on the manifest, and populating the identified ontology components with individuals and properties from the corresponding data structures.

Abstract: Techniques are provided by which devices in a network may subscribe to a rapidly changing rules in central threat repository. The policies associated with threats are filtered so that just current attack vectors from within subnets learned via routing and/or forwarding information (at the network level of the network) are installed in the local access control list/policy database of the network devices. As routing changes occur, the list of applied policies are continually refined/revisited and pulled from a central security application. Publish/subscribe mechanisms ensure “zombie” policies are not left over in the device after reboot or routing changes occur.

Abstract: An example method for facilitating conflict avoidant traffic routing in a network environment is provided and includes detecting, at a network element, an intent conflict at a peer network element in a network, and changing a forwarding decision at the network element to steer traffic around the conflicted peer network element. The intent conflict refers to an incompatibility between an asserted intent associated with the traffic and an implemented intent associated with the traffic. In specific embodiments, the detecting includes mounting rules from the peer network element into the network element, and analyzing the mounted rules to determine intent conflict. In some embodiments, a central controller in the network deploys one or more intentlets on a plurality of network elements in the network according to corresponding intent deployment parameters.

Abstract: Techniques related to efficient transport of data encoded using multiple templates are disclosed. A sending computing device sends an internet message including internet message segments toward a receiving computing device. The internet message stores information about a data object that includes property types corresponding to property values. A portion of the data object includes multiple instances of a particular property type, and each instance corresponds to a property value. The internet message segments store the property values according to multiple templates, and each internet message segment corresponds to a template. Among the multiple templates is a particular template for the portion of the data object that includes the multiple instances of the particular property type. The multiple templates include fields that correspond to field identifiers.

Abstract: An example method for facilitating conflict avoidant traffic routing in a network environment is provided and includes detecting, at a network element, an intent conflict at a peer network element in a network, and changing a forwarding decision at the network element to steer traffic around the conflicted peer network element. The intent conflict refers to an incompatibility between an asserted intent associated with the traffic and an implemented intent associated with the traffic. In specific embodiments, the detecting includes mounting rules from the peer network element into the network element, and analyzing the mounted rules to determine intent conflict. In some embodiments, a central controller in the network deploys one or more intentlets on a plurality of network elements in the network according to corresponding intent deployment parameters.

Abstract: Computer systems and methods for allocating bandwidth so that server computers can send data to a client computer without exceeding the available bandwidth between the server computers and the client computer, or the processing bandwidth or capacity of the client computer, are discussed herein.

Abstract: Techniques are provided for, at an administrative device in a network domain, monitoring a network traffic flow parameter to determine whether a presently applied domain wide policy configured to control a network traffic flow should be removed. In response to determining that the domain wide policy should be removed, a command is generated which causes removal of the domain wide policy at each one of the plurality of network devices, and the command is sent to each one of the plurality of network devices to cause the domain wide policy to be removed at substantially the same time at each network device. Alternatively, the domain wide policy can be automatically removed by the expiry of a timer or in accordance with a timestamp so that the policy is revoked across the network domain without a need for an explicit network wide control message instructing removal of the policy.

Abstract: A method and apparatus for network resource allocation is provided. In some embodiments, the method comprises determining a subscriber limit rate at which a subscriber computer can process updates received from a plurality of publisher computers, wherein each of the updates comprises an electronic digital message received over a computer network; determining, for each publisher computer of the plurality of publisher computers, a not-to-exceed rate of updates sent to the subscriber computer and storing a plurality of the offered rates; determining by the subscriber computer, for each publisher computer of the plurality of publisher computer, a utility of updates sent by the publisher computer and storing a plurality of the utilities; assigning to each publisher computer of the plurality of publisher computers a publisher limit rate at which the respective publisher computer sends updates to the subscriber computer using the offered rate and the utility of updates of the respective publisher computer.