Abstract: Embodiments are directed to a virtual mobility anchor network element to receive, from a packet gateway (PGW) node, a request for an internet protocol (IP) address for a mobile device, establish an IP address for the mobile device; and provide the IP address to the PGW node in response to the request for the IP address for the mobile device. The virtual mobility anchor network element is configured to receive IP traffic from a network location; determine a target destination for the IP traffic based on a destination IP address, the destination IP address comprising the second IP address; and forward the IP traffic to the PGW node associated with the destination IP address. The virtual mobility anchor network element is also configured to receive IP traffic from the PGW node; determine a target destination for the IP traffic; and route the IP traffic to the target destination.

Abstract: A method is provided in one example embodiment and includes receiving at a network element a packet including a Network Services Header (“NSH”), in which the NSH includes an Infrastructure (“I”) flag and a service path header comprising a Service Index (“SI”), and a Service Path ID (“SPI”) and determining whether the I flag is set to a first value. The method further includes, if the I flag is set to the first value, setting the I flag to a second value and forwarding the packet to the service function that corresponds to the SI for processing. The method still further includes, if the I flag is not set to the first value, decrementing the SI and making a forwarding decision based on a new value of the SI and the SPI.

Abstract: A method is provided and may include receiving a request for a network content delivery service from an access device; directing the access device to a network service provider for authentication for the network content delivery service; receiving a network authorization token from the access device, where the network authorization token is associated with the access device; obtaining a network access token from the network service provider; and binding the network access token to a content access token.

Abstract: In one embodiment, an apparatus receives an advertisement from each of one or more Home Agents, the advertisement including a first set of information associated with a corresponding one of the Home Agents, each advertisement being in a first protocol. The apparatus obtains the first set of information associated with a corresponding one of the Home Agents from each advertisement. The apparatus composes a router advertisement including a second set of information associated with at least one of the Home Agents, the router advertisement being in a second protocol. The apparatus then sends the router advertisement.

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

Abstract: A method is provided and may include receiving a request for a network content delivery service from an access device; directing the access device to a network service provider for authentication for the network content delivery service; receiving a network authorization token from the access device, where the network authorization token is associated with the access device; obtaining a network access token from the network service provider; and binding the network access token to a content access token.

Abstract: An example method is provided and includes receiving a packet associated with a flow, determining a tunnel identifier for the flow, and determining a flow identifier for the flow. The method includes associating the flow identifier and the tunnel identifier to an Internet protocol (IP) address to generate a binding to be used for a network address and port translation (NAPT). In other embodiments, a routing decision is executed based on the binding between the identifiers and the IP address. The flow identifier can be a context identifier (CID), and the tunnel identifier can be a softwire tunnel ID. In yet other embodiments, the packet can be tagged as part of an encapsulation operation, which includes providing information about a network location at which the network address and port translation is to be executed.

Abstract: In one embodiment, a method includes identifying unusual behavior with respect to a handshake between a first endpoint and a second endpoint that are included in a network, and determining whether the unusual behavior with respect to the handshake indicates presence of malicious software. The method also includes identifying at least one of the first endpoint and the second endpoint as potentially being infected by the malicious software if it is determined that the unusual behavior with respect to the handshake indicates the presence of malicious software.

Abstract: Multi-operator networking techniques are provided for allowing two or more operators to share a wireless local area network (WLAN). In particular, mobile access gateway functionality is integrated in a wireless network controller of a WLAN that is accessible to first and second operators. Operator-specific tunnels are created through the network for each of the first and second operators that link a core network of each of the first and second operators with an associated client device. Packets are then forwarded between the core networks of the first and second operators and their associated client devices via the operator-specific tunnels.

Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.

Abstract: A method is provided in one example embodiment and includes communicating a message from a network element to a remote data plane element in order to request a data plane resource for hosting a session for a particular subscriber. The remote data plane element is designated to host a data plane function for a particular mobile network subscriber and the data plane resource comprises at least one of memory space and processor allocation. The method further includes discovering nodes capable of supporting the control plane functions; discovering nodes capable of supporting the data plane functions for the session; and performing a system-specific internal configuration to support separation of the data plane functions and the control plane functions.

Abstract: A method is provided in one example embodiment and includes communicating an in-band message packet from a first network element; receiving a response to the in-band message from a second network element, the response contains tunnel identification binding data that identifies a tunnel on a backhaul link on which traffic from a user equipment can flow; and receiving instructions from the second network element to offload a received data packet from the backhaul link. In particular instances, the in-band message is set to loopback when the in-band message is sent from the first network element. In other embodiments, the tunnel identification binding data is provided in the payload of the in-band message when the in-band message is sent from the first network element. In other examples, the method can include receiving an assigned Internet protocol (IP) address of the user equipment in the response to the in-band message.

Abstract: A method is provided in one example embodiment and includes receiving a data packet over a first link at a first network element; establishing an out-of-band channel over a second link between the first network element and a second network element; and receiving instructions at the first network element to offload the data packet from the first link. In more particular embodiments, the first network element is a mobile enabled router, and the second network element is a gateway general packet radio service support node or a packet data network gateway. The method can also include receiving a discovery message from the second network element, the discovery message triggering the establishment of the out-of-band channel. In certain cases, the data packet is offloaded based on a type of data in the data packet.

Abstract: A method is provided in one example embodiment and includes receiving a downstream data packet transported on a backhaul link at a first network element, the downstream data packet is associated with a user equipment; identifying whether a downstream tunnel used to communicate the data packet to the user equipment has become dormant; and communicating an in-band message to a second network element that the downstream tunnel is dormant. In other examples, the method can include dropping the data packet when a network address port translation binding has expired or does not exist. In certain implementations, the method can include identifying the downstream tunnel as dormant when an activity timer has expired, or identifying the downstream tunnel as dormant based on a stale state setting.

Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.

Abstract: A method is provided in one example embodiment and includes communicating a message to a remote data plane element in order to request a data plane resource for hosting a session. The method also includes receiving a response at a network element acknowledging the message. Data plane traffic is managed at the remote data plane element based on enforcement rules. The enforcement rules are provisioned in a table element at the remote data plane element, and the table element reflects a portion of a master table element included in the network element.

Abstract: A method is provided in one example embodiment and includes receiving a discover message over a network; determining that the discover message is associated with an unauthenticated client (e.g., identifying a media access control (MAC) address); communicating a proxy binding update (PBU) having a binding type value set to a temporary status; and establishing a bidirectional tunnel for transporting traffic for the client.

Abstract: In one embodiment, a mobile access gateway (MAG) includes a processor, a communications interface, and logic. The communications interface is configured to communicate with at least one mobile network and at least one local mobility anchor. The logic includes a mobile node logical instance module and an selection module. The mobile node logical instance module is configured to cooperate with the processor to create a first logical instance of a first mobile node on the MAG, and the address selection module is configured to cooperate with the processor to configure an egress roaming interface for the MAG.

Abstract: In one embodiment, an apparatus receives an advertisement from each of one or more Home Agents, the advertisement including a first set of information associated with a corresponding one of the Home Agents, each advertisement being in a first protocol. The apparatus obtains the first set of information associated with a corresponding one of the Home Agents from each advertisement. The apparatus composes a router advertisement including a second set of information associated with at least one of the Home Agents, the router advertisement being in a second protocol. The apparatus then sends the router advertisement.

Abstract: Systems and methods for providing identity management and mobility management are disclosed. The management scheme provides mobility in multi-device and multi-homed deployments. A collection of three identities, a device identity, a link layer identity, and a user identity, can be used to provide mobility for a number of devices under different use scenarios. In one embodiment, a method is disclosed for receiving messages from a mobile device at a mobility gateway, the messages including identifiers such as a user identifier, a link layer identifier, and a device identifier where identifiers are stored or retained at the mobility gateway. When a subsequent network attach request is received including one or more identifiers, a reconnection can occur, based on a result of comparing the stored identifiers with the received one or more identifiers.