Abstract: In one embodiment, a device in an access network receives network condition data regarding the access network and requested flow characteristic data. The requested flow characteristic data is indicative of one or more flow characteristics requested by one or more subscribers for different periods of time. The device trains a machine learning-based classifier using the network condition data and the request flow characteristic data and receives a particular flow characteristic request from a particular subscriber node. The particular request indicates one or more requested flow characteristics for a specified time period. The device determines a probability of the access network being able to accommodate the particular flow characteristic request by classifying the particular flow characteristic request using the trained classifier. The device sends a flow characteristic response to the node of the particular subscriber node based on the determined probability.

Abstract: In one embodiment, a service function classifier device determines a classification of a packet using one or more packet classification rules. The device selects a service function path based on the classification of the packet. The device determines one or more traffic flow characteristics based on the classification of the packet. The device generates a service function chaining (SFC) header that identifies the selected service function path and the determined one or more traffic flow characteristics. The SFC header is configured to cause a device along the service function path to forward the encapsulated packet based on the identified service function path and the determined one or more traffic flow characteristics. The device sends the packet along the selected service function path as an encapsulated packet that includes the generated SFC header.

Abstract: Presented herein are techniques for remediating a distributed denial of service attack. A methodology includes, at a network device, such as a constrained resource Internet of Things (IoT) device, receiving from an authorization server cryptographic material sufficient to validate and decrypt tokens carried in packets, detecting a denial of service attack that employs packets containing invalid tokens, and in response to detecting the denial of service attack, signaling a remediation server for assistance to remediate the denial of service attack, and sending to the remediation server the cryptographic material over a secure communication channel such that the remediation server enables validation and decryption of tokens carried in packets, subsequent to detection of the denial of service attack, that are destined for the network device.

Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.

Abstract: In one embodiment, a device in an access network receives network condition data regarding the access network and requested flow characteristic data. The requested flow characteristic data is indicative of one or more flow characteristics requested by one or more subscribers for different periods of time. The device trains a machine learning-based classifier using the network condition data and the request flow characteristic data and receives a particular flow characteristic request from a particular subscriber node. The particular request indicates one or more requested flow characteristics for a specified time period. The device determines a probability of the access network being able to accommodate the particular flow characteristic request by classifying the particular flow characteristic request using the trained classifier. The device sends a flow characteristic response to the node of the particular subscriber node based on the determined probability.

Abstract: Aspects of the embodiments are directed to a service classifier configured for steering cloned traffic through a service function chain. The service classifier is configured to create a cloned data packet by creating a copy of a data packet; activate a mirror bit in a network service header (NSH) of the cloned data packet, the mirror bit identifying the cloned packet to a service function forwarder network element as a cloned packet; and transmit the cloned packet to the service function forwarder network element.

Abstract: A media distribution network device connects to an online collaborative session between a first participant network device, a second participant network device, and a security participant network device. The security participant network device is configured to decrypt packets of the online collaborative session to apply security polices to the packets. An encrypted packet is received at the media distribution network device. The encrypted packet is received from the first participant network device containing data to be distributed as part of the online collaborative session. The encrypted packet is distributed to the security participant network device prior to distributing the encrypted packet to the second participant network device.

Abstract: A network node in a service function chaining system receives a media stream from an endpoint device. The media stream is associated with a media session between the endpoint and at least one other endpoint. The network node determines a path for the media stream. The path includes an ordered list of functions to process the media stream. The network node determines a session identifier for the media stream and encapsulates the media stream with a header. The header includes an indication of the path and the session identifier.

Abstract: In one embodiment, a device in a network establishes a trust relationship between the device and a key management service. The device receives keying information from the key management service based on the established trust relationship. The device applies a digital signature to media data for a conference using the keying information, whereby the device is designated as a speaker of the conference. The device provides the signed media data to one or more conference participant devices. The one or more conference participant devices use the signed media data to validate that the media data was signed by the designated speaker of the conference.

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Abstract: In one embodiment, a device in a network receives traffic data regarding one or more traffic flows in the network. The device applies a machine learning classifier to the traffic data. The device determines a priority for the traffic data based in part on an output of the machine learning classifier. The output of the machine learning classifier comprises a probability of the traffic data belonging to a particular class. The device stores the traffic data for a period of time that is a function of the determined priority for the traffic data.

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

Abstract: A computer-implemented method includes sending a first request message to a first server associated with a first access network indicative of a request for an indication of whether the first server is configured to support prioritization of tunneled traffic, receiving a first response message from the first server indicative of whether the first server is configured to support prioritization of tunneled traffic, establishing one or more first tunnels with a security service when the first response message is indicative that the first server is configured to support prioritization of tunneled traffic, sending first flow characteristics and a first tunnel identifier to the first server; and receiving the first flow characteristics for each first tunnel from the first server at a first network controller. The first network controller is configured to apply a quality of service policy within the first access network for each tunnel in accordance with the flow characteristics.

Abstract: A local network element on an enterprise network caches Domain Name System (DNS) responses in association with user identifiers in accordance with a DNS-based access control policy. The network element receives a DNS request from a first endpoint device. The DNS request includes a domain name to resolve. The network element forwards the DNS request to a domain name server along with a first user identifier associated with the first endpoint device. The network element receives a DNS response from the domain name server. The DNS response includes a network address associated with the domain name, as well as the first user identifier and at least one other user identifier. The network element stores the network address in a DNS cache as a cached DNS response for the domain name. The cached DNS response is stored in association with the first user identifier and the other user identifier(s).

Abstract: In one embodiment, a Domain Name Service (DNS) server pre-fetches domain information regarding a domain that includes certificate information for the domain. The DNS server receives a DNS request that includes a security request for the domain in metadata of a Network Service Header (NSH) of the DNS request. The DNS server retrieves the certificate information for the domain from the pre-fetched information regarding the domain, in response to receiving the security request. The DNS server sends, to a Transport Layer Security (TLS) proxy, a DNS response for the domain that includes the certificate information in metadata of an NSH of the DNS response.

Abstract: An optimized approach to whitelisting includes, at a domain name service server, determining whether a first domain and a second domain resolve to a same Internet Protocol (IP) address, and in response to a request from a domain name service proxy as to whether the first domain resolves to an IP address shared by another domain, notifying the domain name service proxy that the first domain resolves to an IP address shared by another domain. The method further includes the domain name service proxy receiving from the domain name service server a response that indicates that the first domain resolves to an IP address shared by another domain, and storing, in memory, the IP address and an indication that the IP address is shared by another domain. A data flow associated with a shared IP address is subjected to further scrutiny even if the IP address is on a whitelist.

Abstract: A classifier node in a service function chaining system receives a media stream from an endpoint device. The media stream is associated with a media session between the endpoint and at least one other endpoint. The classifier node determines a service function path for the media stream. The service function path includes an ordered list of service functions to process the media stream. The classifier node determines a session identifier for the media stream and encapsulates the media stream with a Network Service Header. The Network Service Header includes an indication of the service function path and a metadata header with the session identifier.

Abstract: In one embodiment, a service function classifier device determines a classification of a packet using one or more packet classification rules. The device selects a service function path based on the classification of the packet. The device determines one or more traffic flow characteristics based on the classification of the packet. The device generates a service function chaining (SFC) header that identifies the selected service function path and the determined one or more traffic flow characteristics. The SFC header is configured to cause a device along the service function path to forward the encapsulated packet based on the identified service function path and the determined one or more traffic flow characteristics. The device sends the packet along the selected service function path as an encapsulated packet that includes the generated SFC header.

Abstract: At a service function node configured to perform at least one service function on a data flow that follows a service function path, degradation in performing the service function is detected. The service function node generates a status indicator for the degradation in performing the service function and inserts the status indicator into a peer detection packet. The peer detection packet encapsulates an inner packet with a header that indicates the service function path. The service function node forwards the peer detection packet to a neighboring service function node along the service function path.

Abstract: A service classifier network device receives a subflow and identifies that the subflow is one of at least two subflows in a multipath data flow. Related data packets are sent from a source node to a destination node in the multipath data flow. The service classifier generates a multipath flow identifier and encapsulates the subflow with a header to produce an encapsulated first subflow. The header identifies a service function path and includes metadata with the multipath flow identifier.