Patents by Inventor Jérôme Tollet

Jérôme Tollet has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11943078
    Abstract: Techniques for a hub node, provisioned in a site of a hub and spoke overlay network, to receive, store, and/or forward network routing information associated with a spoke, and send packets directly to spoke(s) that are remote from the hub node. A first hub node may receive a network advertisement including a border gateway protocol (BGP) large community string from a first spoke local to the first hub node. The first hub node may send the BGP large community string to a second hub node remote from the first hub node. The second hub node may decode network routing information from the BGP large community string and store the network routing information locally. The second hub node may send a packet from a second spoke local to the second hub node directly to the first spoke without the data packet being routed via the first hub node.
    Type: Grant
    Filed: July 8, 2022
    Date of Patent: March 26, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Hari Shankar, Rashmi Garg, Benoit Ganne, Jerome Tollet, Nathan Skrzypczak
  • Publication number: 20240015050
    Abstract: Techniques for a hub node, provisioned in a site of a hub and spoke overlay network, to receive, store, and/or forward network routing information associated with a spoke, and send packets directly to spoke(s) that are remote from the hub node. A first hub node may receive a network advertisement including a border gateway protocol (BGP) large community string from a first spoke local to the first hub node. The first hub node may send the BGP large community string to a second hub node remote from the first hub node. The second hub node may decode network routing information from the BGP large community string and store the network routing information locally. The second hub node may send a packet from a second spoke local to the second hub node directly to the first spoke without the data packet being routed via the first hub node.
    Type: Application
    Filed: July 8, 2022
    Publication date: January 11, 2024
    Inventors: Hari Shankar, Rashmi Garg, Benoit Ganne, Jerome Tollet, Nathan Skrzypczak
  • Patent number: 11870751
    Abstract: An approach to establish connections between clusters having overlapping IP address ranges. A method includes receiving, at a service discovery server, from a first node in a first cluster, a service discovery request including a unique name, determining, at the service discovery server, that the unique name resolves to a destination IP address of a second node in a second cluster, determining that the destination IP address overlaps with an IP address range associated with the first cluster, in response to determining that the destination IP address overlaps with the IP address range belonging to the first cluster, configuring a gateway to expect a network connection request from the first node that includes an IP address of the gateway, and sending a service discovery response to the first node, the service discovery response including the IP address of the gateway, but not the destination IP address.
    Type: Grant
    Filed: October 11, 2021
    Date of Patent: January 9, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Aloys Christophe Augustin, Mohammed Hawari, Nathan Roland Maryan Skrzypczak, Jérôme Tollet
  • Publication number: 20230269223
    Abstract: Systems, methods, and computer-readable media are provided for securely advertising autoconfigured prefixes in a cloud environment. In some examples, a method can include receiving, by a first router, an indication of an available network address prefix. In some aspects, the method can also include selecting, by the first router, a first network address prefix that is within the available network address prefix, wherein the first network address prefix provides at least one route to one or more network elements associated with the first router. In some cases, the method may further include sending, to a second router, a message including a stub registration option that indicates the first network address prefix.
    Type: Application
    Filed: February 22, 2022
    Publication date: August 24, 2023
    Inventors: Pascal Thubert, Jerome Tollet, Ali Sajassi, Aloÿs Christophe Augustin, Nathan Roland Maryan Skrzypczak, Stephane Litkowski
  • Publication number: 20230111266
    Abstract: An approach to establish connections between clusters having overlapping IP address ranges. A method includes receiving, at a service discovery server, from a first node in a first cluster, a service discovery request including a unique name, determining, at the service discovery server, that the unique name resolves to a destination IP address of a second node in a second cluster, determining that the destination IP address overlaps with an IP address range associated with the first cluster, in response to determining that the destination IP address overlaps with the IP address range belonging to the first cluster, configuring a gateway to expect a network connection request from the first node that includes an IP address of the gateway, and sending a service discovery response to the first node, the service discovery response including the IP address of the gateway, but not the destination IP address.
    Type: Application
    Filed: October 11, 2021
    Publication date: April 13, 2023
    Inventors: Aloys Christophe Augustin, Mohammed Hawari, Nathan Roland Maryan Skrzypczak, Jérôme Tollet
  • Patent number: 11558345
    Abstract: Systems, methods, and computer-readable storage media are provided to populate databases with routing data for containers to eliminate the need for continuously accessing a global discovery service. An example method includes initiating, from a source container operating on a first machine in a first rack, a communication with a destination container operating on a second machine on a second rack, wherein a local database on the first machine does not know an address of the destination container. The method includes accessing a global discovery service to provide the address of the destination container, populating the local database on the first machine with the address of the destination container and routing a packet from the source container to the destination container according to the address of the destination container.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: January 17, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Yoann Desmouceaux, Marcel Paul Sosthène Enguehard, Jacques Olivier Samain, Jerome Tollet
  • Patent number: 11265372
    Abstract: The invention concerns a method for identifying a protocol of a data stream exchanged between two entities of a telecommunication network, the processing method comprising the following steps: on receiving data of the data stream, grammatical parsing of said data stream in order to identify a protocol of the data stream; in the event of failure to identify the protocol of the data stream by grammatical parsing, consulting a signature engine mapping protocols with corresponding signatures, and sequentially applying signatures to the data flow in order to identify a data stream protocol.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: March 1, 2022
    Assignee: QOSMOS TECH
    Inventor: Jérôme Tollet
  • Publication number: 20210105319
    Abstract: The invention concerns a method for identifying a protocol of a data stream exchanged between two entities of a telecommunication network, the processing method comprising the following steps: on receiving data of the data stream, grammatical parsing of said data stream in order to identify a protocol of the data stream; in the event of failure to identify the protocol of the data stream by grammatical parsing, consulting a signature engine mapping protocols with corresponding signatures, and sequentially applying signatures to the data flow in order to identify a data stream protocol.
    Type: Application
    Filed: December 17, 2020
    Publication date: April 8, 2021
    Inventor: Jérôme Tollet
  • Publication number: 20210075763
    Abstract: Systems, methods, and computer-readable storage media are provided to populate databases with routing data for containers to eliminate the need for continuously accessing a global discovery service. An example method includes initiating, from a source container operating on a first machine in a first rack, a communication with a destination container operating on a second machine on a second rack, wherein a local database on the first machine does not know an address of the destination container. The method includes accessing a global discovery service to provide the address of the destination container, populating the local database on the first machine with the address of the destination container and routing a packet from the source container to the destination container according to the address of the destination container.
    Type: Application
    Filed: November 16, 2020
    Publication date: March 11, 2021
    Inventors: Yoann Desmouceaux, Marcel Paul Sosthène Enguehard, Jacques Olivier Samain, Jerome Tollet
  • Patent number: 10917351
    Abstract: Systems, methods, and computer-readable media for load balancing using segment routing and application monitoring. A method can involve receiving a packet including a request from a source device to an application associated with a virtual address in a network, mapping the request to a set of candidate servers hosting the application associated with the virtual address, and encoding the set of candidate servers as a list of segments in a segment routing header associated with the packet. The method can further involve determining that a first candidate server from the set of candidate servers is a next segment in the list of segments, encoding the first candidate server in a destination address field on a header of the packet, and forwarding the packet to the first candidate server.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: February 9, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Pierre Pfister, William Mark Townsley, Yoann Desmouceaux, Jerome Tollet, Andre Surcouf
  • Patent number: 10904342
    Abstract: Systems, methods, and computer-readable media for enabling container networking are disclosed. In one aspect, a method includes receiving a request from a first network container on a source server to establish a data session with a second network container on a destination server; determining a destination switch of the destination server based on the request; identifying a communication tunnel between the source server and the destination server; generating a data stream to be embedded in the pre-established communication tunnel, wherein a communication protocol associated with the request is different from a communication protocol used by the data stream; receiving a data packet to be sent to the destination container; mapping the data packet to the data stream; and sending the data packet to the destination server via the data stream over the communication tunnel.
    Type: Grant
    Filed: July 30, 2018
    Date of Patent: January 26, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Jerome Tollet, Giles Douglas Yorke Heron, Keith Burns, Andre Jean-Marie Surcouf
  • Patent number: 10862857
    Abstract: Systems, methods, and computer-readable storage media are provided to populate databases with routing data for containers to eliminate the need for continuously accessing a global discovery service. An example method includes initiating, from a source container operating on a first machine in a first rack, a communication with a destination container operating on a second machine on a second rack, wherein a local database on the first machine does not know an address of the destination container. The method includes accessing a global discovery service to provide the address of the destination container, populating the local database on the first machine with the address of the destination container and routing a packet from the source container to the destination container according to the address of the destination container.
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: December 8, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Yoann Desmouceaux, Marcel Paul Sosthène Enguehard, Jacques Olivier Samain, Jerome Tollet
  • Publication number: 20200314056
    Abstract: Systems, methods, and computer-readable storage media are provided to populate databases with routing data for containers to eliminate the need for continuously accessing a global discovery service. An example method includes initiating, from a source container operating on a first machine in a first rack, a communication with a destination container operating on a second machine on a second rack, wherein a local database on the first machine does not know an address of the destination container. The method includes accessing a global discovery service to provide the address of the destination container, populating the local database on the first machine with the address of the destination container and routing a packet from the source container to the destination container according to the address of the destination container.
    Type: Application
    Filed: March 27, 2019
    Publication date: October 1, 2020
    Inventors: Yoann Desmouceaux, Marcel Paul Sosthène Enguehard, Jacques Olivier Samain, Jerome Tollet
  • Patent number: 10764244
    Abstract: A method includes, in a constellation of clients including a first client and a second client, receiving, at the first client, a connection request from the second client, retrieving endpoint reachability data associated with the second client and transmitting, to a server, a connection request based on the endpoint reachability data. The first client receives, from the server and based on the connection request, endpoint reachability information associated with the second client and starts a bidirectional connection with the second client. A direct or indirect tunnel is established between the first client and the second client. The tunnel is set up based on a table which maps a first connectivity option associated with the first client to a second connectivity option associated with the second client to determine whether to establish the direct tunnel or the indirect tunnel between the first client and the second client.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: September 1, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Kyle Andrew Donald Mestery, Jerome Tollet, Ian Wells, Aloÿs Christophe Augustin
  • Patent number: 10616071
    Abstract: The invention relates to a method for processing a data stream exchanged between a client and an entity via a telecommunications network, the data stream including a set of data packets, the processing method including the following steps: upon intercepting (201) a data packet belonging to a data stream—the data stream including a source and a recipient, the client being the source or the recipient of the data stream—copying (204) the data packet and transferring (205) the data packet to the recipient; transmitting said copy to a stream analyser capable of analyzing the data stream; receiving (206) a data stream analysis result from the stream analyser; and processing (207; 208) the data stream in accordance with the received analysis result.
    Type: Grant
    Filed: November 4, 2016
    Date of Patent: April 7, 2020
    Assignee: QOSMOS TECH
    Inventor: Jérôme Tollet
  • Patent number: 10581873
    Abstract: A computing device running a local enforcement agent is configured to instantiate at least one application container at the computing device, where the at least one application container is part of a containerized application. The computing device is also configured to associate the local enforcement agent with the at least one application container so that the local enforcement agent operates as an intra-application communication proxy for the at least one application container. The local enforcement agent receives an intra-application Application Programming Interface (API) call that is sent to the at least one application container from a second application container that is part of the containerized application. The local enforcement agent is configured to analyze the intra-application API call for compliance with one or more security policies associated with the at least one container.
    Type: Grant
    Filed: July 11, 2017
    Date of Patent: March 3, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Andre Surcouf, Jérôme Tollet
  • Publication number: 20200036796
    Abstract: Systems, methods, and computer-readable media for enabling container networking are disclosed. In one aspect, a method includes receiving a request from a first network container on a source server to establish a data session with a second network container on a destination server; determining a destination switch of the destination server based on the request; identifying a communication tunnel between the source server and the destination server; generating a data stream to be embedded in the pre-established communication tunnel, wherein a communication protocol associated with the request is different from a communication protocol used by the data stream; receiving a data packet to be sent to the destination container; mapping the data packet to the data stream; and sending the data packet to the destination server via the data stream over the communication tunnel.
    Type: Application
    Filed: July 30, 2018
    Publication date: January 30, 2020
    Inventors: Jerome Tollet, Giles Douglas Yorke Heron, Keith Burns, Andre Jean-Marie Surcouf
  • Publication number: 20200028758
    Abstract: Systems, methods, and computer-readable media for providing multi-cloud connectivity. A method can involve adding a new virtual private cloud (VPC) to a multi-cloud environment including a private network and VPCs connected to the private network via a segment routing (SR) domain and respective virtual routers on the VPCs and the private network. The method can involve deploying a new virtual router on the new VPC, registering the new virtual router at a BGP controller in the multi-cloud environment, and receiving, at the BGP controller, topology information from the new virtual router. The method can further involve identifying routes in the multi-cloud environment based on paths computed based on the topology information, sending, to the new virtual router, routing information including the routes, SR identifiers and SR policies, and based on the routing information, providing interconnectivity between the private network, the VPCs, and the new VPC.
    Type: Application
    Filed: July 17, 2018
    Publication date: January 23, 2020
    Inventors: Jerome Tollet, Alain Fiocco, Andre Jean-Marie Surcouf, Pablo Camarillo Garvia, Clarence Filsfils
  • Patent number: 10484410
    Abstract: Presented herein are techniques for detecting anomalies in micro-service communications that are indicative of security issues/problems for the application. More specifically, a computing device receives a plurality of micro-service communication records each associated with traffic sent between pairs of executables (nodes) that are related to a micro-services application. Each of the micro-service communication records includes a time series entry and an associated trace sequence identifier and each of the micro-service communication records are generated during a time period. The computing device analyzes the plurality of micro-service communications to detect possible anomalous communication patterns associated with the micro-services application during the time period.
    Type: Grant
    Filed: July 19, 2017
    Date of Patent: November 19, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Enzo Fenoglio, Jérôme Tollet, Syed Muhammad Mohsin Kazmi, Hugo M. Latapie
  • Publication number: 20190288949
    Abstract: Systems, methods, and computer-readable media for load balancing using segment routing and application monitoring. A method can involve receiving a packet including a request from a source device to an application associated with a virtual address in a network, mapping the request to a set of candidate servers hosting the application associated with the virtual address, and encoding the set of candidate servers as a list of segments in a segment routing header associated with the packet. The method can further involve determining that a first candidate server from the set of candidate servers is a next segment in the list of segments, encoding the first candidate server in a destination address field on a header of the packet, and forwarding the packet to the first candidate server.
    Type: Application
    Filed: June 4, 2019
    Publication date: September 19, 2019
    Inventors: Pierre Pfister, William Mark Townsley, Yoann Desmouceaux, Jerome Tollet, Andre Surcouf