Patents by Inventor Michael L. Sullenberger

Michael L. Sullenberger has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11870691
    Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.
    Type: Grant
    Filed: March 18, 2022
    Date of Patent: January 9, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Dana L. Blair, Michael L. Sullenberger, Solomon T. Lucas, Steven W. Wood, Anand Oswal
  • Publication number: 20220255859
    Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.
    Type: Application
    Filed: March 18, 2022
    Publication date: August 11, 2022
    Inventors: Dana L. Blair, Michael L. Sullenberger, Solomon T. Lucas, Steven W. Wood, Anand Oswal
  • Patent number: 11290377
    Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: March 29, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Dana L. Blair, Michael L. Sullenberger, Solomon T. Lucas, Steven W. Wood, Anand Oswal
  • Patent number: 10904217
    Abstract: A source virtual private network (VPN) gateway supports a local source subnet and communicates over a wide area network (WAN) with a destination VPN gateway that supports a local destination subnet. The source VPN gateway receives from the local source subnet an Internet Protocol (IP) packet destined for the local destination subnet, determines a security association (SA) based on a source IP address and a destination IP address of the IP packet, and encapsulates the IP packet with tunnel encapsulation including a tunnel protocol header and a tunnel outer IP header, to produce a clear-text tunnel packet. The source VPN gateway encrypts the IP packet and the tunnel protocol header but not the tunnel outer IP header using an encryption key and a security parameter index for the SA, to produce an encrypted tunnel packet, and tunnels it to the destination VPN gateway over the WAN.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: January 26, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Michael L. Sullenberger, Brian Weis, Warren Scott Wainner, Shuxian Lou
  • Publication number: 20200412647
    Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.
    Type: Application
    Filed: September 11, 2020
    Publication date: December 31, 2020
    Inventors: Dana L. Blair, Michael L. Sullenberger, Solomon T. Lucas, Steven W. Wood, Anand Oswal
  • Patent number: 10873455
    Abstract: Techniques are presented for encryption key rollover synchronization in a network. In one embodiment, a method includes generating a new set of public-key encryption keys for a first network element. Based on the new set of public-key encryption keys, a set of new security associations between the first network element and each other network element in the network is generated. The method includes providing a new public key from the new set of public-key encryption keys to a network controller and using security associations associated with a previous set of public-key encryption keys for encrypted communication between the first network element and each other network element. Upon obtaining, from a second network element, traffic protected by a security association from the set of new security associations, the method includes using the new security associations for subsequent encrypted communication between the first network element and the second network element.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: December 22, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Weis, David M. Carrel, Michael L. Sullenberger
  • Patent number: 10797992
    Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.
    Type: Grant
    Filed: July 7, 2015
    Date of Patent: October 6, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Dana L. Blair, Michael L. Sullenberger, Solomon T. Lucas, Steven W. Wood, Anand Oswal
  • Publication number: 20190372936
    Abstract: A source virtual private network (VPN) gateway supports a local source subnet and communicates over a wide area network (WAN) with a destination VPN gateway that supports a local destination subnet. The source VPN gateway receives from the local source subnet an Internet Protocol (IP) packet destined for the local destination subnet, determines a security association (SA) based on a source IP address and a destination IP address of the IP packet, and encapsulates the IP packet with tunnel encapsulation including a tunnel protocol header and a tunnel outer IP header, to produce a clear-text tunnel packet. The source VPN gateway encrypts the IP packet and the tunnel protocol header but not the tunnel outer IP header using an encryption key and a security parameter index for the SA, to produce an encrypted tunnel packet, and tunnels it to the destination VPN gateway over the WAN.
    Type: Application
    Filed: May 31, 2018
    Publication date: December 5, 2019
    Inventors: Michael L. Sullenberger, Brian Weis, Warren Scott Wainner, Shuxian Lou
  • Publication number: 20190288842
    Abstract: Techniques are presented for encryption key rollover synchronization in a network. In one embodiment, a method includes generating a new set of public-key encryption keys for a first network element. Based on the new set of public-key encryption keys, a set of new security associations between the first network element and each other network element in the network is generated. The method includes providing a new public key from the new set of public-key encryption keys to a network controller and using security associations associated with a previous set of public-key encryption keys for encrypted communication between the first network element and each other network element. Upon obtaining, from a second network element, traffic protected by a security association from the set of new security associations, the method includes using the new security associations for subsequent encrypted communication between the first network element and the second network element.
    Type: Application
    Filed: June 12, 2018
    Publication date: September 19, 2019
    Inventors: Brian Weis, David M. Carrel, Michael L. Sullenberger
  • Publication number: 20190089747
    Abstract: A process to protect secure communication sessions from a network device that may have been subjected to a malicious network attack or is otherwise the source of malicious network traffic. A cellular-connected network device, such as an IoT gateway, may receive data from one or more IoT devices. The cellular-connected network device may also communicate with a datacenter via a communication tunnel. The network device may include a usage profile reference. The network device, before transmitting data received from the IoT devices, may transmit the usage profile reference to the datacenter for authentication purposes. The datacenter may use the usage profile reference to resolve a usage profile that the usage profile reference references. Using the usage profile, the datacenter may negotiate with the cellular-connected network device to restrict the types of data that are transmitted between the datacenter and the cellular-connected network device.
    Type: Application
    Filed: September 19, 2017
    Publication date: March 21, 2019
    Inventors: Wenyi Wang, Rashmikant B. Shah, Brian Weis, Michael L. Sullenberger, Yuan Cai
  • Patent number: 9998428
    Abstract: In one embodiment, a device in a network maintains first and second routing tables associated with a virtual private network (VPN) tunnel. The first and second routing tables comprise routing information used to route packets external to a particular routing domain. The device routes a first packet in the network via the VPN tunnel and a second tunnel that encapsulates the VPN tunnel, using the routing information in the first routing table. The device receives a second packet via the VPN tunnel that was routed to the device using the routing information in the second routing table and bypasses the second tunnel.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: June 12, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Michael L. Sullenberger, Manish Kumar, Eitan Ben-Nun
  • Patent number: 9729348
    Abstract: In one embodiment, a device in a network identifies a translated source network address for a tunnel source of a tunnel-in-tunnel packet. The device includes the translated source network address within a header of the packet. The header of the packet identifies an inner tunnel that is encapsulated within an outer tunnel during transmission of the packet within the network. The device sends the packet with the translated source network address within the header of the packet.
    Type: Grant
    Filed: June 4, 2015
    Date of Patent: August 8, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Michael L. Sullenberger, Manish Kumar, Eitan Ben-Nun, Anand Oswal
  • Publication number: 20170012870
    Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.
    Type: Application
    Filed: July 7, 2015
    Publication date: January 12, 2017
    Inventors: Dana L. Blair, Michael L. Sullenberger, Solomon T. Lucas, Steven W. Wood, Anand Oswal
  • Publication number: 20160359738
    Abstract: In one embodiment, a device in a network identifies a translated source network address for a tunnel source of a tunnel-in-tunnel packet. The device includes the translated source network address within a header of the packet. The header of the packet identifies an inner tunnel that is encapsulated within an outer tunnel during transmission of the packet within the network. The device sends the packet with the translated source network address within the header of the packet.
    Type: Application
    Filed: June 4, 2015
    Publication date: December 8, 2016
    Inventors: Michael L. Sullenberger, Manish Kumar, Eitan Ben-Nun, Anand Oswal
  • Patent number: 9444735
    Abstract: Techniques are presented herein to distribute the processing of communication to network-connected devices to routing nodes, as opposed to centralizing those operations in one device as in the traditional/classical system. Using a bitmapped Type field, advertisements and queries can be categorized. Also, by using a Subgroup field, the scope of advertisements and queries can be dynamically limited. These techniques reduce the number of matches and make the matches more relevant to the user who sent the query. Routing nodes can be any network element that routes traffic, physical or virtual (cloud-based router or switch). The intelligence to perform these techniques can be embodied as an overlay on top of a physical network.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: September 13, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Michael L. Sullenberger, Andre Karamanian
  • Publication number: 20150244613
    Abstract: Techniques are presented herein to distribute the processing of communication to network-connected devices to routing nodes, as opposed to centralizing those operations in one device as in the traditional/classical system. Using a bitmapped Type field, advertisements and queries can be categorized. Also, by using a Subgroup field, the scope of advertisements and queries can be dynamically limited. These techniques reduce the number of matches and make the matches more relevant to the user who sent the query. Routing nodes can be any network element that routes traffic, physical or virtual (cloud-based router or switch). The intelligence to perform these techniques can be embodied as an overlay on top of a physical network.
    Type: Application
    Filed: February 27, 2014
    Publication date: August 27, 2015
    Applicant: Cisco Technology, Inc.
    Inventors: Michael L. Sullenberger, Andre Karamanian
  • Patent number: 8499095
    Abstract: A system receives a request at a hub. The request is received from a first spoke regarding a packet to be transmitted from the first spoke to a second spoke. The system identifies, at the time of the request, a preferred route from the first spoke to the second spoke. The system sends a redirect message to the first spoke, the redirect message directing the packet along the preferred route. The system transmits, from a first spoke to a hub, a first request associated with a packet. In response, the system receives, at the first spoke, a redirect message from the hub. The redirect message identifies a preferred route by which the first spoke transmits the packet to a second spoke. The system creates, at the first spoke, a second request containing a destination address of the second spoke, and transmits the second request along the preferred route.
    Type: Grant
    Filed: May 25, 2006
    Date of Patent: July 30, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Michael L. Sullenberger, Manikchand R. Bafna, Frederic R. P. Detienne
  • Patent number: 8019889
    Abstract: Disclosed are methods and apparatus for handling data having an embedded address (and port). In general terms, a host of a private network is operable to obtain from its corresponding edge router a global address (GA) and optionally an additional global port range (GPR). When the host then wishes to transmit data out of the private network, the obtained GA (and GPR) may then be used for an embedded address (and port) within data sent by the host to a public network. The obtained GA (and GPR) may also be used by the host to translate its own source address and port in its IP and/or TCP/UDP header if needed.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: September 13, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Kaushik P. Biswas, Siva S. Jayasenan, Michael L. Sullenberger, Mark A. Denny
  • Patent number: 7917948
    Abstract: A method comprises receiving a request for secure network traffic from a device having a private network address at a source node, obtaining the private network address of a requested destination device at a destination node from a route server based on signaling information associated with the request, obtaining the public network address of the destination node associated with the private network address, creating in response to the request a virtual circuit between the source node and the destination node based on the public network address of the destination node, and encrypting network traffic for transporting at least from the source node to the destination node through the virtual circuit. The process is dynamic in that the virtual circuit is created in response to the request. Hence, the process operates as if a fully meshed network exists but requires less provisioning and maintenance than a fully meshed network architecture.
    Type: Grant
    Filed: April 24, 2008
    Date of Patent: March 29, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Ramesh Kalimuthu, Yogesh Kalley, Michael L. Sullenberger, Jan Vilhuber
  • Patent number: 7447901
    Abstract: A process is disclosed in which a security policy is associated with a virtual private network (VPN) interface at a first device, for example, a router. Input is received specifying an association of a VPN endpoint address to a corresponding routable network address of a second device. A message is issued to a security module at the first device, the message including the routable network address of the second device and the security policy. Encryption state information is generated for network traffic from the first device to the second device, based on the message. The process is applicable to a hub-and-spoke network architecture that utilizes a point-to-multipoint GRE tunnel and the IPsec protocol for security. The process is dynamic in that the encryption state is generated for traffic over a VPN link, in response to notification of a virtual address-to-real address mapping, i.e., the association. In an embodiment, the association is an NHRP mapping.
    Type: Grant
    Filed: September 18, 2002
    Date of Patent: November 4, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Michael L. Sullenberger, Jan Vilhuber