Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.

Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.

Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.

Abstract: A method and apparatus for providing tenant specific encryption is described herein. According to an embodiment, a transmission site receives a data packet for transmission or forwarding. The transmission site determines, based on information in a header of the data packet, that the data packet is to be encrypted before transmission or forwarding. Using the information in the header, the transmission site identifies an encryption key for the data packet. The transmission site generates, for the data packet, an additional header and populates the additional header with a destination port number based on a destination port header value of the data packet. The transmission site overwrites the destination port header value of the packet with data indicating that the data packet is encrypted and then encrypts an encapsulated packet within the data packet using the encryption key prior to transmitting or forwarding the data packet.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: A method and apparatus for providing tenant specific encryption is described herein. According to an embodiment, a transmission site receives a data packet for transmission or forwarding. The transmission site determines, based on information in a header of the data packet, that the data packet is to be encrypted before transmission or forwarding. Using the information in the header, the transmission site identifies an encryption key for the data packet. The transmission site generates, for the data packet, an additional header and populates the additional header with a destination port number based on a destination port header value of the data packet. The transmission site overwrites the destination port header value of the packet with data indicating that the data packet is encrypted and then encrypts an encapsulated packet within the data packet using the encryption key prior to transmitting or forwarding the data packet.

Abstract: In one embodiment, a method at a network device includes receiving a link layer advertisement, comparing information in the link layer advertisement with connectivity information stored at the network device, and based on the comparison, determining if there is a cabling error between the network device and a link peer transmitting the link layer advertisement. An apparatus and logic are also disclosed herein.

Abstract: Network security and tracking techniques are provided for intercepting at a first hop switch a neighbor discovery protocol (NDP) message sent from an end node of an Internet Protocol Version 6 (IPV6) network. Address information contained in the NDP message are compared to values stored in a local device tracking cache. As a result of the comparing, end node discovery and learning are performed.

Abstract: Network topology independent service deployment techniques, referred to as overlay-based packet steering techniques, are provided. In one example, a server destined packet is intercepted by an in-path network device enabled as a service classifier. The service classifier encapsulates the packet and inserts the packet into a service path to a service virtualization endpoint front ending one or more service nodes. In other words, the service virtualization endpoint receives the service-directed packet on an overlay-based service path. The service-directed packet includes a service header and a service overlay tunnel encapsulation. The service virtualization endpoint inspects the service header in the service-directed packet to identify a first service node to which the service-directed packet should be forwarded and, based on the inspection, forwards the service-directed packet, on the overlay-based service path, to the first service node.

Abstract: In one embodiment, a method at a network device includes receiving a link layer advertisement, comparing information in the link layer advertisement with connectivity information stored at the network device, and based on the comparison, determining if there is a cabling error between the network device and a link peer transmitting the link layer advertisement. An apparatus and logic are also disclosed herein.

Abstract: Network topology independent service deployment techniques, referred to as overlay-based packet steering techniques, are provided. In one example, a server destined packet is intercepted by an in-path network device enabled as a service classifier. The service classifier encapsulates the packet and inserts the packet into a service path to a service virtualization endpoint front ending one or more service nodes. In other words, the service virtualization endpoint receives the service-directed packet on an overlay-based service path. The service-directed packet includes a service header and a service overlay tunnel encapsulation. The service virtualization endpoint inspects the service header in the service-directed packet to identify a first service node to which the service-directed packet should be forwarded and, based on the inspection, forwards the service-directed packet, on the overlay-based service path, to the first service node.

Abstract: Systems, methods, and other embodiments associated with interworking a VPN and an SIA are described. One example apparatus includes a mapping data store to store a mapping between two logical groups of network devices having separate forwarding planes that are at least partially incompatible. The apparatus includes an instantiation logic to establish the mapping based on unique identifiers associated with the logical groups. The apparatus also includes an encoding logic to implicitly encode information to identify the first logical group in a packet received from the first logical group, provided to the second logical group, and then provided back to the first logical group. The implicitly encoded information is configured to be used without modification by the forwarding plane associated with the second logical group and is configured to facilitate a member of the second logical group resolving the mapping.