Abstract: A central database maintains values for client publishing devices or application processes executing locally with a database server process or remotely on a different device. Updates may be made by receiving, from a publishing application, an update to a statistic value in a database. The update may include: an indication to process the update as an accumulation update to the statistic value, an accumulation value to apply, and an indication of a key value pair to identify the statistic value to update. Upon receipt, a database server process may obtain access control as appropriate, obtain a current value for the update, apply the accumulation value to the current value, and store the result value as the new statistic value. Updates may be made by client publishers without client publishers being aware of a current value of the statistic. The statistic may represent a network wide operational parameter.

Abstract: Network device snapshots may capture the overall device state of a network device. Individual snapshots or groups of related snapshots (e.g., from different network devices obtained at a common time period) may be used to diagnose, troubleshoot, or correct anomalies or errors within a computer network. The “device state” of a network device may change over time and therefore obfuscate information desired for trouble shooting (e.g., diagnoses) of network errors (or degraded performance periods). Device state may include logical and physical device characteristics at a given instant in time. Network device snapshots may be stored locally on a network device or may be transmitted to external storage on-demand or periodically to accommodate possible limitations of resources on the network device. Network device snapshots may be “re-loaded” onto devices, for example in a lab or clean-room type environment, for comprehensive analysis. Different types of interfaces into network device snapshots are disclosed.

Abstract: A technique to manage a configuration database (CDB) for a network device is disclosed. Network devices may receive a configuration change request as a configuration change object. To process that request, a current configuration CLI set representative of the current CDB may be generated. The network device creates a shadow CDB initially corresponding to the current CDB and processes the change request against the shadow CDB. An updated configuration CLI set may then be generated from the updated shadow CDB. A differential CLI set indicating the difference between the first CLI set and the second CLI set may be generated to represent a set of CLI commands to transition from one CDB to the other (e.g., implement the request). Authorization of the user to execute the CLI commands of the differential CLI dataset may be verified. Upon verification, the current CDB may be replaced with the updated shadow CDB.

Abstract: Networks that support business operations may be a complex combination of computers used by end-users, wired connections, wireless connections, and a multitude of infrastructure devices. Some of the infrastructure devices may be critical components in the operation of the network. Disclosed method and system provide for validation, deployment and rollback of configuration changes to network infrastructure components among other things. A computer device may include a network controller, memory storage for instructions and configuration database. A shadow database may be created to execute in parallel with the primary database service process, the shadow database instance comprising a shadow database control process and associated shadow database configuration information independently updatable from the configuration database information. Change validation may be performed using the shadow database without impact to the run-time configuration database.

Abstract: A method of providing data stored in a network device to a subscriber, the method including providing a central database including data stored in a table, maintaining a sorted list for the table in the publisher, and generating a modification and a modification identifier for the table with the publisher. The method further including inserting the modification into the table in the central database based on the modification identifier, receiving a command from the subscribed for the table, and providing the table to the subscriber from the central database.

Abstract: Methods of providing data to a user including receiving a page request from the user for a database to provide a sub-set of data from a dataset. The method further including sending a publish request from the database to a publisher, publishing the dataset from the publisher to the database, preparing the sub-set of data in the page request in the database, and sending the sub-set of data in the page request to the user.

Abstract: Network device configuration information may change over time. Individual configuration versions or groups of related configuration versions (e.g., from different network devices obtained at a common time period) may be used to diagnose, troubleshoot, or coordinate network device configurations within a computer network. Device configuration parameters may affect both logical and physical device characteristics of a network device. Network device configuration versions may be stored locally on a network device (e.g., using a delta versioning method) or may be transmitted to external storage on-demand or periodically to accommodate possible limitations of resources on the network device. Network device configurations may be “pushed” onto devices, for example, from a version control repository. A locally executing version control agent/client may assist a network device to Implement the disclosed versioning control techniques.

Abstract: Network device snapshots may capture the overall device state of a network device. Individual snapshots or groups of related snapshots (e.g., from different network devices obtained at a common time period) may be used to diagnose, troubleshoot, or correct anomalies or errors within a computer network. The “device state” of a network device may change over time and therefore obfuscate information desired for trouble shooting (e.g., diagnoses) of network errors (or degraded performance periods). Device state may include logical and physical device characteristics at a given instant in time. Network device snapshots may be stored locally on a network device or may be transmitted to external storage on-demand or periodically to accommodate possible limitations of resources on the network device. Network device snapshots may be “re-loaded” onto devices, for example in a lab or clean-room type environment, for comprehensive analysis. Different types of interfaces into network device snapshots are disclosed.

Abstract: A high-availability network device database synchronization technique for devices configured with multiple network controllers is disclosed. An HA database that contains information regarding a network state may not properly synchronize upon failure of a network component. For example, an HA switch typically has only two controllers, an active and a standby. If there is a loss of the active controller that causes a failover, changes in the network state may occur rapidly while the system is trying to recover (e.g., process the failover action). In part, because of the impact of the failover (e.g., failed communication paths) and rapidity of changes to network state while processing the failover, database changes may not be properly synchronized across all available database instances. Disclosed techniques provide reconciliation of database values using a mark and sweep technique on the “upside” of the failover and alter the “source of truth” for data value discrepancies.

Abstract: Examples disclosed herein relate to a method comprising monitoring a first condition corresponding to a first parameter in a first database. The first database is configured to operate a first switch operating traffic on a network and the first database periodically synching with a second database. The method may also include monitoring a second parameter, corresponding to the first parameter, on the second database. The second database may be configured to operate a second switch on the network and the first switch and the second switch configured to operate traffic on the network. The method may also include determining that there is a deviation between the first and second that exceeds a threshold amount and transmitting an alert containing the deviation.

Abstract: Examples disclosed herein relate to a method comprising generating a first and a second set of unique identifiers for each row in each table of a first and second database, respectively. The first and second database may be configured to operate a first and second switch operating traffic on a network, respectively. The first switch and the second switch may be configured to operate traffic on the network. The method may also include creating a mapping between the first set of unique identifiers and the second set of unique identifiers and determining that a first row of the first database is marked to be synchronized, the first row corresponding to a first unique row ID. The method may also include retrieving, from a second row of the second database corresponding to a second unique row ID mapped to the first unique row ID and updating the second row.

Abstract: An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

Abstract: System and methods for identifying and managing applications over compressed or encrypted traffic in a network are described. The first and second embodiments, which provides a method for managing applications over compressed or encrypted traffic respectively, comprise identifying applications on the traffic, saving the application classification per connection, and propagating the application classification to the network. A method for providing application identification over compressed or encrypted traffic is also disclosed, which includes an application recognition module configured to, among other functions, determine an application classifier for compressed or encrypted traffic without applying an application classification process, and utilize the application classification for previous packets originating from the connection for the current packets from the same connection.

Abstract: System and methods for identifying and managing applications over compressed or encrypted traffic in a network are described. The first and second embodiments, which provides a method for managing applications over compressed or encrypted traffic respectively, comprise identifying applications on the traffic, saving the application classification per connection, and propagating the application classification to the network. A method for providing application identification over compressed or encrypted traffic is also disclosed, which includes an application recognition module configured to, among other functions, determine an application classifier for compressed or encrypted traffic without applying an application classification process, and utilize the application classification for previous packets originating from the connection for the current packets from the same connection.

Abstract: An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

Abstract: A defender operable to support options in a communication session intercepts a connection request packet sent from a client to a server. The defender identifies a client option combination associated with the client from the connection request packet. The defender establishes a client option index corresponding to the client option combination, and encodes the client option index into a cookie of an acknowledgment packet. The defender then sends the acknowledgment packet to the client.

Abstract: A defender operable to support options in a communication session intercepts a connection request packet sent from a client to a server. The defender identifies a client option combination associated with the client from the connection request packet. The defender establishes a client option index corresponding to the client option combination, and encodes the client option index into a cookie of an acknowledgment packet. The defender then sends the acknowledgment packet to the client.