Patents by Inventor David Sinn
David Sinn has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11671451
Abstract: A secure communication channel is established between network devices separated by an unsecured physical space by dynamically performing server/client resolution based on comparison of unique identifiers of the devices. After a link between a first network device and a second network device is established, the devices exchange start frames in accordance with a network security protocol such as the Media Access Control Security (MACsec) protocol. Comparison logic at the first network device compares a value of a unique identifier of the first network device to a value of a unique identifier of the second network device obtained from the start frame transmitted by the second network device, and vice versa. Based on the comparison, one of the devices assumes a server/authenticator role, and the other device assumes a client/supplicant role. The devices operate in their determined roles to perform an authentication process and thereby establish a secure communication channel.
Type: Grant
Filed: August 5, 2019
Date of Patent: June 6, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Sanjeev Gupta, Frederick David Sinn, Venkata Satish Kumar Vangala, John Mark Glotzer
-
Patent number: 11265301
Abstract: Technology is described for using a first key to secure communications over a network link between a server and a client. A second key may be identified. A first message may indicate the server may receive data from the client using the second key but not to transmit data to the client using the second key, and that the first key is valid for sending and receiving data between the server and the client. A second message may indicate that the client may send and receive data with the server using the second key, and that the client may receive data from the server using the first key but not transmit data to the server using the first key. A third message may indicate that the server may send and receive data with the client using the second key, and that the first key is invalid for sending and receiving data between the server and the client.
Type: Grant
Filed: December 9, 2019
Date of Patent: March 1, 2022
Assignee: AMAZON TECHNOLOGIES, INC.
Inventors: Sanjeev Gupta, Frederick David Sinn
-
Patent number: 10826876
Abstract: The following description is directed to encrypting the characteristics of network traffic. In one example, a method can include receiving an unencrypted link layer packet including a first payload of a first size. The method can include encrypting the first payload of the unencrypted link layer packet. The method can include generating an encrypted link layer packet including a second payload. The second payload can include the encrypted payload and a variable length padding field so that the second payload of the encrypted link layer packet is a different size than the first size of the first payload. The encrypted link layer packet can then be transmitted.
Type: Grant
Filed: December 22, 2016
Date of Patent: November 3, 2020
Assignee: Amazon Technologies, Inc.
Inventors: Frederick David Sinn, Colm Gearöid MacCárthaigh, Thomas Bradley Scholl
-
Patent number: 10666580
Abstract: A network switch and system for detecting the capacity of available paths in a network and for modifying traffic distribution at each stage of the network, such that traffic is proportionally balanced across the unequal capacity paths. A centralized controller manipulates path weights on each switch such that a load is distributed proportionately to the capacity available to ensure that all available capacity is evenly utilized. A central view of the network is used to determine capacity information, calculate a minimal change set to optimize the traffic flows, and modify the existing multipath group objects. A centralized application can use the capacity information of each switch to build a capacity model of the network. Once the full model has been built up by the application, programming of the specific decisions is done via the controller through an API in communication with each network device's local agent.
Type: Grant
Filed: May 1, 2018
Date of Patent: May 26, 2020
Assignee: Amazon Technologies, Inc.
Inventors: Stephen Callaghan, Amit Sahoo, Frederick David Sinn, Ashi Ramachandran Sudhakumari, Arti Bhatt, Matthew Dean Rehder
-
Patent number: 10505809
Abstract: A protocol can be used to share routing information with neighbor network devices in the form of related objects of attributes and prefixes. The attribute object includes a set of unique attributes that are known for a given prefix or prefixes, but without including the prefixes within the attribute object. The attribute object includes an identifier of the attribute object for future reference by other messages. The prefix object includes one or more prefixes and the associated attribute identifier common to the prefixes. In the case where a subset of prefix or prefixes change so as to have new attributes associated with them, then a re-advertisement of the prefixes with the new attribute identifier is generated. In this way, routing updates become more efficient resulting in peers only needing to update the attribute object or the prefix object.
Type: Grant
Filed: September 26, 2017
Date of Patent: December 10, 2019
Assignee: Amazon Technologies, Inc.
Inventor: Frederick David Sinn
-
Patent number: 10448127
Abstract: Communication systems include network nodes that distribute an electrical or optical base signal to remote nodes for modulation at the remote nodes. A first waveguide is coupled to transmit data to a corresponding remote node, a second waveguide is coupled to receive remotely modulated data from the remote node, and a third waveguide is coupled to deliver the base signal to the remote node. Typically, the base signal is an optical signal from a laser diode, and optical fibers communicate modulated data signals and the base signal. A portion of the base signal can also be modulated for communication with remote nodes.
Type: Grant
Filed: March 22, 2018
Date of Patent: October 15, 2019
Assignee: Amazon Technologies, Inc.
Inventors: Frederick David Sinn, Michael Bruce Lane, David John O'Meara, Alaa Adel Mahdi Hayder
-
Patent number: 10404598
Abstract: Technologies are provided for organizing network routes using network topology information. A router in a computer network can be configured to group network address prefixes in a routing table based on origin device clusters. The router can be configured to receive a routing protocol message comprising one or more prefixes and associated next hops. The router can identify an origin device cluster based on information contained in the message. The router can create a next hop group and associate it with the origin device cluster. The router can add the prefixes and next hops in the message to the next hop group. When an updated next hop list for a prefix is received at the router, the router can identify an origin device cluster for the prefix, identify a next hop group associated with the origin device cluster, and update the next hop group using the updated next hop list.
Type: Grant
Filed: May 8, 2017
Date of Patent: September 3, 2019
Assignee: Amazon Technologies, Inc.
Inventor: Frederick David Sinn
-
Patent number: 10243790
Abstract: A dynamic configuration system can manage and configure switches or other network devices that come online in a network. When the dynamic configuration system determines that a network device has come online, the dynamic configuration system can identify the network device (e.g., based on its network location, neighbors, fingerprint, identifier, address or the like), select the appropriate configuration data for the network based on the desired network topology, and transmit the configuration data to the network device. The network device can then load the configuration data and function as a component of the desired network topology.
Type: Grant
Filed: August 12, 2016
Date of Patent: March 26, 2019
Assignee: Amazon Technologies, Inc.
Inventors: Richard H. Galliher, III, Justin O. Pietsch, Frederick David Sinn, Mark N. Kelly, Colin J. Whittaker, Rachit Chawla, Richendra Khanna
-
Patent number: 10200340
Abstract: Disclosed are various embodiments for performing network traffic redirection at the client side. Sending of data to a service at a network address is initiated. Whether the network address is in a predetermined network address range is determined. The network address is translated, when the network address is in the predetermined network address range, to one of multiple other network addresses based at least in part on an availability of the service at the other network address. The data is routed to the other network address.
Type: Grant
Filed: May 8, 2015
Date of Patent: February 5, 2019
Assignee: AMAZON TECHNOLOGIES, INC.
Inventors: Frederick David Sinn, Justin Pietsch
-
Patent number: 10116593
Abstract: Methods, systems, and devices are described for transmitting and storing routing path information and routing topology information using a single protocol. In particular embodiments, routing path information for an exterior gateway protocol (“EGP”) network such as a border gateway protocol (“BGP”) network is transmitted throughout an interior gateway protocol (“IGP”) network using IGP messages such as open-shortest-path-first (“OSPF”) or intermediate state to intermediates state (“IS-IS”) messages. The IGP networks may transmit and store the BGP information using type length values (TLVs). As a result, network areas running an IGP may maintain BGP information throughout the network area without the overhead of an iBGP mesh and related message-passing.
Type: Grant
Filed: September 23, 2016
Date of Patent: October 30, 2018
Assignee: Amazon Technologies, Inc.
Inventors: Frederick David Sinn, Leonard Thomas Tracy, Stephen Callaghan, Colin John Whittaker
-
Patent number: 10075418
Abstract: A modular encryption device includes a chassis configured to mount in a rack with a networking device and sets of ports mounted on the chassis. Encryption cards are mounted in the chassis of the modular encryption device between ports of the sets of ports such that network traffic flowing through a set of ports flows through one of the encryption cards. The encryption cards of the modular encryption device are configured to encrypt and decrypt network traffic flowing between the networking device and a remote device. In some embodiments, a modular encryption device may encrypt and decrypt network traffic flowing between multiple networking devices and multiple remote devices. Also, in some embodiments, components of a modular encryption device are removable and replaceable such that the modular encryption device can be reconfigured by exchanging the components.
Type: Grant
Filed: March 24, 2017
Date of Patent: September 11, 2018
Assignee: Amazon Technologies, Inc.
Inventors: Paul A. Stancik, Frederick David Sinn
-
Patent number: 9979605
Abstract: Systems and methods for the management of virtual machine instances are provided. The hosted virtual machine networks are configured in a manner such that communications within the hosted virtual machine network are facilitated through a communication protocol. Illustrative embodiments of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network. Through the utilization of one or more virtual network mapping components in communication with the hosted virtual network components, communications to and from the hosted virtual networks can be processed by mapping relationships between the virtual network communication protocol and the router communication protocol. The mapping information can be provided in advance or as requested to the router components and hosted virtual network components to facilitate bi-lateral communications between the components.
Type: Grant
Filed: June 30, 2016
Date of Patent: May 22, 2018
Assignee: Amazon Technologies, Inc.
Inventor: Frederick David Sinn
-
Patent number: 9929951
Abstract: Systems and methods manage network traffic of a first protocol by use of a second protocol. Network traffic directed toward a network destination address of a first protocol is received. A mapping of addresses is utilized to determine a corresponding other network address of the second protocol. The network traffic is reconfigured to be forwarded to the intended network destination using the second protocol and the determined corresponding other network address.
Type: Grant
Filed: May 24, 2011
Date of Patent: March 27, 2018
Assignee: Amazon Technologies, Inc.
Inventors: Andrew B. Dickinson, Frederick David Sinn, Bradley D. Roberts
-
Publication number: 20170034002
Abstract: Systems and methods for the management of virtual machine instances are provided. The hosted virtual machine networks are configured in a manner such that communications within the hosted virtual machine network are facilitated through a communication protocol. Illustrative embodiments of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network. Through the utilization of one or more virtual network mapping components in communication with the hosted virtual network components, communications to and from the hosted virtual networks can be processed by mapping relationships between the virtual network communication protocol and the router communication protocol. The mapping information can be provided in advance or as requested to the router components and hosted virtual network components to facilitate bi-lateral communications between the components.
Type: Application
Filed: June 30, 2016
Publication date: February 2, 2017
Inventor: Frederick David Sinn
-
Publication number: 20160352569
Abstract: A dynamic configuration system can manage and configure switches or other network devices that come online in a network. When the dynamic configuration system determines that a network device has come online, the dynamic configuration system can identify the network device (e.g., based on its network location, neighbors, fingerprint, identifier, address or the like), select the appropriate configuration data for the network based on the desired network topology, and transmit the configuration data to the network device. The network device can then load the configuration data and function as a component of the desired network topology.
Type: Application
Filed: August 12, 2016
Publication date: December 1, 2016
Inventors: Richard H. Galliher, III, Justin O. Pietsch, Frederick David Sinn, Mark N. Kelly, Colin J. Whittaker, Rachit Chawla, Richendra Khanna
-
Patent number: 9491098
Abstract: Methods and apparatus for transparent multipath utilization through encapsulation are disclosed. Respective encapsulation packets are generated for at least two different baseline packets transmitted between a source and destination linked by multiple network paths. Each encapsulation packet comprises contents of a corresponding baseline packet, and one or more data values selected in accordance with a path balancing policy. The data values added to one encapsulation packet may differ from those added to another. Different network paths to the destination may be selected for different encapsulation packets of a given transmission based at least in part on the added data values.
Type: Grant
Filed: November 18, 2013
Date of Patent: November 8, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Matthew Shawn Wilson, Andrew Bruce Dickinson, Justin Oliver Pietsch, Aaron C. Thompson, Frederick David Sinn, Alan Michael Judge, Jagwinder Singh Brar
-
Patent number: 9419842
Abstract: A dynamic configuration system can manage and configure switches or other network devices that come online in a network. When the dynamic configuration system determines that a network device has come online, the dynamic configuration system can identify the network device (e.g., based on its network location, neighbors, fingerprint, identifier, address or the like), select the appropriate configuration data for the network based on the desired network topology, and transmit the configuration data to the network device. The network device can then load the configuration data and function as a component of the desired network topology.
Type: Grant
Filed: October 4, 2011
Date of Patent: August 16, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Richard H. Galliher, III, Justin O. Pietsch, Frederick David Sinn, Mark N. Kelly, Colin J. Whittaker, Rachit Chawla, Richendra Khanna
-
Patent number: 9385887
Abstract: Systems and methods for the management of virtual machine instances are provided. The hosted virtual machine networks are configured in a manner such that communications within the hosted virtual machine network are facilitated through a communication protocol. Illustrative embodiments of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network. Through the utilization of one or more virtual network mapping components in communication with the hosted virtual network components, communications to and from the hosted virtual networks can be processed by mapping relationships between the virtual network communication protocol and the router communication protocol. The mapping information can be provided in advance or as requested to the router components and hosted virtual network components to facilitate bi-lateral communications between the components.
Type: Grant
Filed: August 11, 2014
Date of Patent: July 5, 2016
Assignee: Amazon Technologies, Inc.
Inventor: Frederick David Sinn
-
Patent number: 9338077
Abstract: Address resolution in an unnumbered, pseudo-point-to-point network utilizes address transmissions, such as an address advertisement or an address response, in order to obtain address information for use in frame addressing. In one embodiment, routers communicate using a multi-access data link layer protocol, such as Ethernet, but in a physical configuration which restricts data link layer communications to going between only two nodes, thereby negating the multi-access application of the protocol. With only one possible terminal node, address space is conserved by use of unnumbered network interfaces.
Type: Grant
Filed: September 13, 2011
Date of Patent: May 10, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Colin J. Whittaker, Frederick David Sinn, Justin O. Pietsch
-
Patent number: 9137121
Abstract: Systems and methods are disclosed which facilitate the management of changes to a hosted network. In one aspect, a resource optimization manager obtains an identification of one or more changes to be implemented on a hosted network. The network validation manager component simulates the implementation of the identified changes and records state information associated with the monitored simulation. The network validation manager component generates a network change template that includes the information recorded from the simulation of the change to the hosted network. In another aspect, the network validation manager component can utilize network change templates to monitor the implementation of changes to the hosted network. The network change templates can then be utilized to determine whether to proceed with implementation of the change to the hosted network or whether to revert the hosted network to a condition prior to the implementation of the identified change.
Type: Grant
Filed: December 20, 2011
Date of Patent: September 15, 2015
Assignee: Amazon Technologies, Inc.
Inventors: Frederick David Sinn, Justin O. Pietsch