Abstract: A router architecture that facilitates cloud exchange point routing is disclosed. The architecture relies upon B-nodes to connect branch network to cloud, S-nodes to connect services, and V-nodes to connect cloud to cloud. The nodes can be essentially stateless with node configuration stored outside a router, which facilitates ripping and replacement of nodes. Multiple virtual private clouds can be implemented with respective pluralities of Kubernetes pods and a master Kubernetes cluster. Consumer premises equipment is coupled to a first virtual private cloud that forms a virtual extensible local area network with a second private cloud.

Abstract: Systems and methods for providing identity services are provided. A method, according to one implementation, includes a step of assuming unified and centralized responsibility for performing identity-related services for a plurality of network security products. In response to an end user device attempting to initiate a session with a selected network security product of the plurality of network security products, the method may perform the identity-related services to manage or authenticate an identity of the end user device or a user of the end user device. Then, the method includes a step of enabling the end user device to establish the session with or receive a service from the selected network security product after performing the identity-related services.

Abstract: Systems and methods for a hierarchical step-up authentication mechanism include monitoring access to one or more private applications; responsive to a request to access the one or more private applications, determining an Authentication Level (AL) of a user associated with the request, wherein determining the AL of the user comprises referencing one or more AL trees; and responsive to determining an AL of the user, performing one or more actions based thereon, wherein the one or more actions comprises one of allowing access to the one or more private applications and denying access to the one or more private applications.

Abstract: A router architecture that facilitates cloud exchange point routing is disclosed. The architecture relies upon B-nodes to connect branch network to cloud, S-nodes to connect services, and V-nodes to connect cloud to cloud. The nodes can be essentially stateless with node configuration stored outside a router, which facilitates ripping and replacement of nodes. Multiple virtual private clouds can be implemented with respective pluralities of Kubernetes pods and a master Kubernetes cluster. Consumer premises equipment is coupled to a first virtual private cloud that forms a virtual extensible local area network with a second private cloud.

Abstract: A router architecture that facilitates cloud exchange point routing is disclosed. The architecture relies upon B-nodes to connect branch network to cloud, S-nodes to connect services, and V-nodes to connect cloud to cloud. The nodes can be essentially stateless with node configuration stored outside a router, which facilitates ripping and replacement of nodes. Multiple virtual private clouds can be implemented with respective pluralities of Kubernetes pods and a master Kubernetes cluster. Consumer premises equipment is coupled to a first virtual private cloud that forms a virtual extensible local area network with a second private cloud.

Abstract: A method may include identifying an address within a packet of a traffic flow associated with a network device. The method may also include comparing the address within the packet with a stored address, the stored address associated with a route for an alternative traffic path, where the alternative traffic path may be different from a default route of traffic passing through the network device. The method may additionally include, based on the address within the packet matching the stored address, routing the packet along the alternative traffic path instead of the default route of traffic.

Abstract: A router architecture that facilitates cloud exchange point routing is disclosed. The architecture relies upon B-nodes to connect branch network to cloud, S-nodes to connect services, and V-nodes to connect cloud to cloud. The nodes can be essentially stateless with node configuration stored outside a router, which facilitates ripping and replacement of nodes. Multiple virtual private clouds can be implemented with respective pluralities of Kubernetes pods and a master Kubernetes cluster. Consumer premises equipment is coupled to a first virtual private cloud that forms a virtual extensible local area network with a second private cloud.

Abstract: In some examples, an example method to provide a virtualized Carrier-grade Network Address Translation (CGN) at a first customer edge router may include establishing a tunnel between the first customer edge router and each aggregation router among one or more aggregation routers, performing a Network Address Translation (NAT) on a first data packet to create a NAT'ed first data packet, selecting a first aggregation router from amongst the one or more aggregation routers to send the NAT'ed first data packet to, encapsulating the NAT'ed first data packet with overlay information corresponding to a tunnel established between the first customer edge router and a first aggregation router, and sending the encapsulated NAT'ed first data packet through the tunnel to the first aggregation router.

Abstract: A router architecture that facilitates cloud exchange point routing is disclosed. The architecture relies upon B-nodes to connect branch network to cloud, S-nodes to connect services, and V-nodes to connect cloud to cloud. The nodes can be essentially stateless with node configuration stored outside a router, which facilitates ripping and replacement of nodes. Multiple virtual private clouds can be implemented with respective pluralities of Kubernetes pods and a master Kubernetes cluster. Consumer premises equipment is coupled to a first virtual private cloud that forms a virtual extensible local area network with a second private cloud.

Abstract: In some examples, an example method to provide a virtualized Carrier-grade Network Address Translation (CGN) at a first customer edge router may include establishing a tunnel between the first customer edge router and each aggregation router among one or more aggregation routers, performing a Network Address Translation (NAT) on a first data packet to create a NAT'ed first data packet, selecting a first aggregation router from amongst the one or more aggregation routers to send the NAT'ed first data packet to, encapsulating the NAT'ed first data packet with overlay information corresponding to a tunnel established between the first customer edge router and a first aggregation router, and sending the encapsulated NAT'ed first data packet through the tunnel to the first aggregation router.

Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Abstract: A router architecture that facilitates cloud exchange point routing is disclosed. The architecture relies upon B-nodes to connect branch network to cloud, S-nodes to connect services, and V-nodes to connect cloud to cloud. The nodes can be essentially stateless with node configuration stored outside a router, which facilitates ripping and replacement of nodes. Multiple virtual private clouds can be implemented with respective pluralities of Kubernetes pods and a master Kubernetes cluster. Consumer premises equipment is coupled to a first virtual private cloud that forms a virtual extensible local area network with a second private cloud.

Abstract: A method may include an instruction to route the data to a destination. The method may additionally include inspecting the data to identify metadata associated with the data. The method may further include identifying, based on the metadata, a first routing path and a second routing path that both lead to the destination. The first routing path may include a first communication link associated with a first link classification, and the second routing path may include a second communication link associated with a second link classification. The method may also include selecting the first routing path based on a configuration preference and based on the first routing path including the first communication link associated with the first link classification. The method may additionally include transmitting the data along the first routing path via the first communication link.

Abstract: A method may include receiving a domain name system (DNS) query at a network device, where the DNS query may be associated with a traffic flow identified for rerouting through an alternative path utilizing an alternative network device instead of a default path. The method may also include rewriting the DNS query such that the DNS query is routed through the alternative network device along the alternative path and to a DNS server associated with the alternative path. The method may additionally include receiving a DNS response from the DNS server, where a resource identified in the DNS response may be based on the DNS query coming through the alternative network device.

Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Abstract: A method may include identifying an address within a packet of a traffic flow associated with a network device. The method may also include comparing the address within the packet with a stored address, the stored address associated with a route for an alternative traffic path, where the alternative traffic path may be different from a default route of traffic passing through the network device. The method may additionally include, based on the address within the packet matching the stored address, routing the packet along the alternative traffic path instead of the default route of traffic.

Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Abstract: A method may include identifying an address within a packet of a traffic flow associated with a network device. The method may also include comparing the address within the packet with a stored address, the stored address associated with a route for an alternative traffic path, where the alternative traffic path may be different from a default route of traffic passing through the network device. The method may additionally include, based on the address within the packet matching the stored address, routing the packet along the alternative traffic path instead of the default route of traffic.

Abstract: A method of routing network traffic may include routing traffic from a local network device, through a remote network location, to a third party network resource along a first path. The method may also include determining a first ranking for the first path, and determining a second ranking for a second path from the local network device to the third party network resource along a second path, the second path excluding the remote network location. The method may additionally include, based on the second ranking exceeding the first ranking by a threshold amount, rerouting the traffic along the second path.

Abstract: A method of routing network traffic may include routing traffic from a local network device, through a remote network location, to a third party network resource along a first path. The method may also include determining a first ranking for the first path, and determining a second ranking for a second path from the local network device to the third party network resource along a second path, the second path excluding the remote network location. The method may additionally include, based on the second ranking exceeding the first ranking by a threshold amount, rerouting the traffic along the second path.