Abstract: In some implementations, a network device may determine, based on a routing table, a plurality of routing paths from the network device to another network device, wherein the plurality of routing paths are respectively associated with a plurality of security classifications. The network device may receive network traffic that is destined for the other network device and that is associated with a particular security classification of the plurality of security classifications. The network device may forward the network traffic based on a particular routing path, of the plurality of routing paths, that is associated with the other network device and the particular security classification.

Abstract: In some implementations, an egress network device of a multiprotocol label switching (MPLS) network may exchange Internet key exchange (IKE) messages with an ingress network device of the MPLS network to establish a security association between the egress network device and the ingress network device. The egress network device may receive an MPLS packet that includes an MPLS header, a secure MPLS data header, and an MPLS payload. The egress network device may process the MPLS header to determine a label associated with a label-switched path (LSP) and a secure function indicator. The egress network device may decrypt, using a secure function identified based on the secure MPLS data header, the MPLS payload to generate a decrypted packet. The egress network device may transmit the decrypted packet towards a destination device.

Abstract: In some implementations, an ingress network device of a multiprotocol label switching (MPLS) network may receive a packet destined for a destination network device. The ingress network device may determine, based on the packet, a secure function to secure the packet and a label associated with a label-switched path (LSP) from the ingress network device to an egress network device of the MPLS network that is associated with the destination network device. The ingress network device may encrypt, using the secure function, the packet to generate an encrypted packet. The ingress network device may generate an MPLS packet comprising: an MPLS header that includes the label and a secure function indicator, a secure MPLS data header that includes information identifying the secure function, and an MPLS payload that includes the encrypted packet. The ingress network device may forward, based on the label, the MPLS packet.

Abstract: In some implementations, an ingress network device of a multiprotocol label switching (MPLS) network may receive a packet destined for a destination network device. The ingress network device may determine, based on the packet, a secure function to secure the packet and a label associated with a label-switched path (LSP) from the ingress network device to an egress network device of the MPLS network that is associated with the destination network device. The ingress network device may encrypt, using the secure function, the packet to generate an encrypted packet. The ingress network device may generate an MPLS packet comprising: an MPLS header that includes the label and a secure function indicator, a secure MPLS data header that includes information identifying the secure function, and an MPLS payload that includes the encrypted packet. The ingress network device may forward, based on the label, the MPLS packet.

Abstract: In some implementations, a network device may determine, based on a routing table, a plurality of routing paths from the network device to another network device, wherein the plurality of routing paths are respectively associated with a plurality of security classifications. The network device may receive network traffic that is destined for the other network device and that is associated with a particular security classification of the plurality of security classifications. The network device may forward the network traffic based on a particular routing path, of the plurality of routing paths, that is associated with the other network device and the particular security classification.

Abstract: Disclosed embodiments utilize a layer three and/or layer four protocol to collect physical layer properties along a multi-hop network path between a source node and a destination node. The use of a layer three or layer four protocol provides an ability to span multiple links or networks between the source node and destination node, while also collecting the physical layer properties. Once physical layer properties along a network path can be understood, decisions relating to the configuration of the network path and/or whether to communicate via the network path are improved.

Abstract: Disclosed embodiments utilize a layer three and/or layer four protocol to collect physical layer properties along a multi-hop network path between a source node and a destination node. The use of a layer three or layer four protocol provides an ability to span multiple links or networks between the source node and destination node, while also collecting the physical layer properties. Once physical layer properties along a network path can be understood, decisions relating to the configuration of the network path and/or whether to communicate via the network path are improved.

Abstract: Embodiments improve error detection and recovery in media access control security sessions. A MACsec session is torn down after three liveness time intervals elapse without receiving a MACsec key exchange protocol data unit (MKPDU) from a remote peer. This delay between a cessation of effective network communication over the MACsec session and the expiration of the three “liveness” intervals results in increased packet loss and an increased network convergence time as a network continues to route/forward data over the MACsec session for a period of time after the MACsec session has entered secure block mode. To solve this problem, embodiments define a new alarm, called a MACsec link alert, which is raised earlier than a MACsec session timeout generated by traditional embodiments. The MACsec link alert is raised, by at least some embodiments, after a failure to successfully receive an MKPDU from the remote peer after a single MACsec “liveness” timeout interval elapses.

Abstract: Embodiments improve error detection and recovery in media access control security sessions. A MACsec session is torn down after three liveness time intervals elapse without receiving a MACsec key exchange protocol data unit (MKPDU) from a remote peer. This delay between a cessation of effective network communication over the MACsec session and the expiration of the three “liveness” intervals results in increased packet loss and an increased network convergence time as a network continues to route/forward data over the MACsec session for a period of time after the MACsec session has entered secure block mode. To solve this problem, embodiments define a new alarm, called a MACsec link alert, which is raised earlier than a MACsec session timeout generated by traditional embodiments. The MACsec link alert is raised, by at least some embodiments, after a failure to successfully receive an MKPDU from the remote peer after a single MACsec “liveness” timeout interval elapses.

Abstract: Disclosed embodiments utilize a layer three and/or layer four protocol to collect physical layer properties along a multi-hop network path between a source node and a destination node. The use of a layer three or layer four protocol provides an ability to span multiple links or networks between the source node and destination node, while also collecting the physical layer properties. Once physical layer properties along a network path can be understood, decisions relating to the configuration of the network path and/or whether to communicate via the network path are improved.

Abstract: In some embodiments, an apparatus comprises an optical transponder which includes a processor, an electrical interface and an optical interface. The processor is operatively coupled to the electrical interface and the optical interface. The optical interface is configured to be operatively coupled to a plurality of optical links and the electrical interface is configured to be operatively coupled to a router such that the optical transponder is configured to be operatively coupled between the plurality of optical links and the router. The processor is configured to perform pre-forward error correction (FEC) bit error rate (BER) detection to identify a degradation of an optical link from the plurality of optical links. The processor is configured to make modifications to packets designated to be transmitted via the optical link in response to the degradation being identified such that the router is notified of the degradation of the optical link.

Abstract: In some embodiments, an apparatus comprises an optical transponder which includes a processor, an electrical interface and an optical interface. The processor is operatively coupled to the electrical interface and the optical interface. The optical interface is configured to be operatively coupled to a plurality of optical links and the electrical interface is configured to be operatively coupled to a router such that the optical transponder is configured to be operatively coupled between the plurality of optical links and the router. The processor is configured to perform pre-forward error correction (FEC) bit error rate (BER) detection to identify a degradation of an optical link from the plurality of optical links. The processor is configured to make modifications to packets designated to be transmitted via the optical link in response to the degradation being identified such that the router is notified of the degradation of the optical link.

Abstract: In some embodiments, an apparatus comprises an optical transponder which includes a processor, an electrical interface and an optical interface. The processor is operatively coupled to the electrical interface and the optical interface. The optical interface is configured to be operatively coupled to a plurality of optical links and the electrical interface is configured to be operatively coupled to a router such that the optical transponder is configured to be operatively coupled between the plurality of optical links and the router. The processor is configured to perform pre-forward error correction (FEC) bit error rate (BER) detection to identify a degradation of an optical link from the plurality of optical links. The processor is configured to make modifications to packets designated to be transmitted via the optical link in response to the degradation being identified such that the router is notified of the degradation of the optical link.

Abstract: In some embodiments, an apparatus comprises an optical transponder which includes a processor, an electrical interface and an optical interface. The processor is operatively coupled to the electrical interface and the optical interface. The optical interface is configured to be operatively coupled to a plurality of optical links and the electrical interface is configured to be operatively coupled to a router such that the optical transponder is configured to be operatively coupled between the plurality of optical links and the router. The processor is configured to perform pre-forward error correction (FEC) bit error rate (BER) detection to identify a degradation of an optical link from the plurality of optical links. The processor is configured to make modifications to packets designated to be transmitted via the optical link in response to the degradation being identified such that the router is notified of the degradation of the optical link.

Abstract: In some embodiments, an apparatus comprises an optical transponder which includes a processor, an electrical interface and an optical interface. The processor is operatively coupled to the electrical interface and the optical interface. The optical interface is configured to be operatively coupled to a plurality of optical links and the electrical interface is configured to be operatively coupled to a router such that the optical transponder is configured to be operatively coupled between the plurality of optical links and the router. The processor is configured to perform pre-forward error correction (FEC) bit error rate (BER) detection to identify a degradation of an optical link from the plurality of optical links. The processor is configured to make modifications to packets designated to be transmitted via the optical link in response to the degradation being identified such that the router is notified of the degradation of the optical link.