Abstract: In an embodiment, a secure boot method comprises writing a wrapped data encryption key (DEK) and a wrapped key encryption key (KEK) onto a label of a wrapped operating system image prior to uploading the wrapped operating system image to a virtual data center using one or more computing devices.

Abstract: A method performed by a network device may include assembling a multiprotocol label switching (MPLS) echo request, the echo request including an instruction for a transit node to forward the echo request via a bypass path associated with the transit node, and an instruction for an egress node to send an echo reply indicating that the echo request was received on the bypass path. The method may also include sending the MPLS echo request over a functioning label switched path (LSP).

Abstract: In an embodiment, a secure boot method comprises writing a wrapped data encryption key (DEK) and a wrapped key encryption key (KEK) onto a label of a wrapped operating system image prior to uploading the wrapped operating system image to a virtual data center using one or more computing devices.

Abstract: In an approach, a secure boot process includes two phases. In the first phase an on premises device generates a data encryption key (DEK) with which to encrypt an operating system image and a key encryption key (KEK) with which to wrap the DEK. The on-premises device then utilizes a key management service to wrap the KEK with an account root key and writes the wrapped DEK and wrapped KEK onto a label of the encrypted operating system image. The encrypted operating system image is then uploaded to a virtual data center and merged with an intermediary guest manager image. When the encrypted machine image is used to generate a virtual machine instance, the intermediary guest manager utilizes the key management service to unwrap the KEK. The unwrapped KEK is then used to unwrap the wrapped DEK which is then used to launch the encrypted guest operating system.

Abstract: Techniques are describe for establishing an overall label switched path (LSP) for dynamic load balancing of network traffic being sent across a network using the a resource reservation protocol such as Resource Reservation Protocol with Traffic Engineering (RSVP-TE). The tunnel may be a single RSVP-TE Label Switched Path (LSP) that is configured to automatically and dynamically load balance network traffic across different sub-paths of the RSVP-TE LSP over the network. The ingress device of the overall multi-path LSP can analyze traffic statistics to determine when a network traffic demand differs from a currently reserved bandwidth of the overall multi-path LSP by at least a threshold amount, and can automatically add or remove a sub-path from the overall multi-path LSP to adjust capacity of the overall multi-path LSP to correspond to the currently reserved bandwidth.

Abstract: An extensible software defined network (SDN) controller is described that provides an application-aware framework that enable a variety of different user applications to communicate with the controller and that allows the controller to automatically configure devices in a network based on the needs of the applications. For example, the controller includes a plurality of different northbound interfaces that enable a variety of different user applications to communicate with the controller. The controller also includes multiple southbound protocols for configuring and enabling functionality in network devices based on the communications with the user applications.

Abstract: A method performed by a network device may include assembling a multiprotocol label switching (MPLS) echo request, the echo request including an instruction for a transit node to forward the echo request via a bypass path associated with the transit node, and an instruction for an egress node to send an echo reply indicating that the echo request was received on the bypass path. The method may also include sending the MPLS echo request over a functioning label switched path (LSP).

Abstract: A method performed by a network device may include assembling a multiprotocol label switching (MPLS) echo request, the echo request including an instruction for a transit node to forward the echo request via a bypass path associated with the transit node, and an instruction for an egress node to send an echo reply indicating that the echo request was received on the bypass path. The method may also include sending the MPLS echo request over a functioning label switched path (LSP).

Abstract: In general, techniques are described for providing current bandwidth usage information for one or more label switched paths (LSPs) to a path computation element (PCE) to trigger the PCE to dynamically modify a path computation domain of the PCE to manage network traffic within the domain. In some examples, a network router signals an LSP in a packet-switched network according to an allocated bandwidth for the LSP. The network router receives and maps the network packets to the LSP for transport along the LSP in accordance with forwarding information. The network router determines bandwidth usage information for the LSP that indicates a volume of the network packets mapped to the LSP and sends, in a notification message, the bandwidth usage information for the LSP to a path computation element that computes label switched paths for a path computation domain to trigger reoptimization of the path computation domain.

Abstract: A network device is described that receives information from separate database systems including a physical network inventory system that stores first topology data specifying resources and links within a network and a traffic engineering system that stores second topology data specifying the resources and links that are deployed within the network and data specifying traffic engineered paths configured to forward network traffic through the network. The network device aggregates the received information into a topology resource management system that stores third topology data specifying at least a current role of each of the resources and links. The network device determines a modification to at least one of the traffic engineered paths based on the third topology data, including an adjustment to the current role of at least one of the resources to change the forwarding of the network traffic. The network device outputs provisioning information based on the modification.

Abstract: An extensible software defined network (SDN) controller is described that provides an application-aware framework that enable a variety of different user applications to communicate with the controller and that allows the controller to automatically configure devices in a network based on the needs of the applications. For example, the controller includes a plurality of different northbound interfaces that enable a variety of different user applications to communicate with the controller. The controller also includes multiple southbound protocols for configuring and enabling functionality in network devices based on the communications with the user applications.

Abstract: A centralized controller provides dynamic end-to-end network path setup across multiple network layers. In particular, the centralized controller manages end-to-end network path setup that provisions a path at both the transport network layer (e.g., optical) and the service network layer (e.g., IP/MPLS). The centralized controller performs path computation for an optical path at the transport network layer and for a path at the service network layer that transports network traffic on the underlying optical transport path, based on information obtained by the centralized controller from the underlying network components at both layers.

Abstract: In one example, a method includes establishing a plurality of label switched paths (LSPs) having a common transit network device other than an ingress network device or an egress network device of any of the plurality of LSPs, and, by the transit network device along the plurality of LSPs, detecting a congestion condition on a link along the plurality of LSPs and coupled to the transit network device. The method also includes, responsive to detecting the congestion condition, and by the transit network device, selecting a subset of the plurality of LSPs to evict from the link, wherein the subset comprises less than all of the plurality of LSPs, and updating a forwarding plane of the transit network device to reroute network traffic received for the selected subset of the plurality of the LSPs for forwarding to a next hop on a bypass LSP that avoids the link.

Abstract: A label switched path (LSP) is established within a network using an MPLS fast reroute bypass tunnel when a resource along a primary path of the LSP has failed but is protected by the MPLS fast reroute bypass tunnel. While establishing the LSP, a network device identifies a failed resource along a primary path of the LSP. In response to identifying the failed resource, the network device determines whether a bypass tunnel exists from the network device to a node along the primary path, wherein the bypass tunnel avoids the failed resource. Upon determining that the bypass tunnel exists, the network device tunnels a message for establishing the LSP to the node over the bypass tunnel.

Abstract: A centralized controller provides dynamic end-to-end network path setup across multiple network layers. In particular, the centralized controller manages end-to-end network path setup that provisions a path at both the transport network layer (e.g., optical) and the service network layer (e.g., IP/MPLS). The centralized controller performs path computation for an optical path at the transport network layer and for a path at the service network layer that transports network traffic on the underlying optical transport path, based on information obtained by the centralized controller from the underlying network components at both layers.

Abstract: In general, techniques are described for mapping WAN conditions to appropriate back-pressure mechanisms at the WAN edges to improve the performance of delay and/or loss-sensitive applications. In one example, a system includes a wide area network having a provider edge (PE) router to establish a Fiber Channel over Ethernet (FCoE) pseudowire over the wide area network. A Lossless Ethernet network attaches, by an attachment circuit, to the FCoE pseudowire at the PE router. A Fiber Channel Fabric connects to the Lossless Ethernet network and to a storage device that provides data for transmission over the wide area network by the FCoE pseudowire. The PE router detects a defect in the FCoE pseudowire and, in response to detecting the defect in FCoE pseudowire, injects an FCoE flow control extension into the Lossless Ethernet network by the attachment circuit.

Abstract: A method performed by a network device may include assembling a multiprotocol label switching (MPLS) echo request, the echo request including an instruction for a transit node to forward the echo request via a bypass path associated with the transit node, and an instruction for an egress node to send an echo reply indicating that the echo request was received on the bypass path. The method may also include sending the MPLS echo request over a functioning label switched path (LSP).

Abstract: An ingress router of a provider network receives a packet from a customer network, determines that the packet includes a customer network label and that the packet is to be tunneled through the provider network, based on the determination, adds a delimiter label to the packet indicative of a bottom of a provider network label stack and one or more provider network labels to the packet, and forwards the packet to a next routing device along the provider network tunnel. An egress routing device of the provider network receives a packet comprising a provider network label stack, removes the provider network label stack from the packet, determines whether the packet comprises a delimiter label following the provider network label stack, and, when the packet comprises the delimiter label, forwards the packet to a customer network interface device.

Abstract: A method performed by a network device may include assembling a multiprotocol label switching (MPLS) echo request, the echo request including an instruction for a transit node to forward the echo request via a bypass path associated with the transit node, and an instruction for an egress node to send an echo reply indicating that the echo request was received on the bypass path. The method may also include sending the MPLS echo request over a functioning label switched path (LSP).

Abstract: In general, techniques are described for providing extended administrative groups in networks. A network device comprising an interface and a control unit may implement the techniques. The interface receives a routing protocol message that advertises a link. This message includes a field for storing first data associated with the link in accordance with the routing protocol. The field is defined by the routing protocol as a field having a different function from an administrative group field defined by the same routing protocol. The control unit determines that this field has been repurposed to store second data, wherein this second data specifies an extended administrative group for the link different from those that may be specified by the administrative group field. The control unit then updates routing information to associate the advertised link with the extended administrative group and performs path selection to select paths based on the updated routing information.