Abstract: This disclosure describes systems, methods, and apparatus for network slicing with programmable data-plane pipelines, comprising creating slice contexts, where creating the slice contexts comprises creating control-plane and data-plane data for each of a plurality of network slices, and storing the control-plane and the data-plane data to produce slice contexts, mapping resources of network switch hardware to the slice contexts to create a resource mapping, instantiating the plurality of network slices on the network switch hardware using the resource mapping, receiving frames from one or more external sources, identifying a network slice corresponding to each frame, and enriching a header of each of the frames, based upon the identification of the network slice for each frame, to direct each frame to a data-plane pipeline.

Abstract: In general, this disclosure describes an IoT access control exchange for IoT devices. Verifiable credentials can be generated and used to grant access to IoT devices definitively identified using a Decentralized Identifier (DID). DIDs for IoT devices are registered by the IoT exchange hub acting as an Identity Hub. An organization interested in obtaining data from a collection of devices, the IoT Access Customer, contacts the IoT device owner agent via their mutual agents and obtains a verifiable credential with a request for access. The access request is submitted to the IoT exchange hub. The IoT exchange hub either enforces the access request itself if the devices do not have enough resources or submits the verifiable credential with the access request to the devices for them to enforce access. The IoT access customer agent, IoT device owner agent, and IoT exchange hub similarly identify themselves and prove authentication using DIDs.

Abstract: Techniques are described for a network providing application workload routing and application workload interworking. For example, a controller may move or replicate an application workload hosted on an original edge compute to a different edge compute in a different edge data center that is locally accessible by the device and route the network traffic to the new edge compute using paths mapped to respective traffic classes.

Abstract: Techniques are described for a network providing application workload routing and application workload interworking. For example, a controller may move or replicate an application workload hosted on an original edge compute to a different edge compute in a different edge data center that is locally accessible by the device and route the network traffic to the new edge compute using paths mapped to respective traffic classes.

Abstract: Techniques for a secure device registration and software update using Decentralized Identifiers (DIDs). For example, a method includes sending, by a device and to a data store, a request for a software update published by a software publisher, wherein the request includes a verifiable credential for the device including a DID of the device; receiving, by the device and from the data store, a verifiable credential for the software update, wherein the verifiable credential includes a DID of the software publisher; determining, by the device, whether the software update is newer than software on the device; obtaining, by the device, the software update from the software publisher from a location specified by the verifiable credential; verifying, by the device, the software update based on the verifiable credential; and in response to verifying the software update based on the verifiable credential, installing, by the device, the software update.

Abstract: Techniques are described for a network providing network defined edge routing for an application workload. For example, a controller receives element registration information for each module hosted on a set of interconnected edge data centers and for one or more network devices that interconnect the modules in the network; obtain one or more routing metrics of the network; compute, based on the element registration information and the one or more routing metrics, one or more paths mapped to respective traffic classes to route traffic via the set of interconnected edge data centers; receive a request to route traffic according to a traffic class; and in response, send, to the set of interconnected edge data centers, a response specifying a path of the one or more paths that is mapped to the traffic class to cause the set of interconnected edge data centers to route traffic according to the traffic class.

Abstract: Techniques are described for a network providing network defined edge routing for an application workload. For example, a controller receives element registration information for each module hosted on a set of interconnected edge data centers and for one or more network devices that interconnect the modules in the network; obtain one or more routing metrics of the network; compute, based on the element registration information and the one or more routing metrics, one or more paths mapped to respective traffic classes to route traffic via the set of interconnected edge data centers; receive a request to route traffic according to a traffic class; and in response, send, to the set of interconnected edge data centers, a response specifying a path of the one or more paths that is mapped to the traffic class to cause the set of interconnected edge data centers to route traffic according to the traffic class.

Abstract: Techniques are described for a network providing application workload routing and application workload interworking. For example, a controller may move or replicate an application workload hosted on an original edge compute to a different edge compute in a different edge data center that is locally accessible by the device and route the network traffic to the new edge compute using paths mapped to respective traffic classes.

Abstract: Techniques are described for a centralized, neutral system for Internet of Things (IoT) device activation and automatic onboarding on an end-to-end basis, and for establishing secure communication between IoT devices and the IoT platforms. For example, a method includes receiving an activation request message from an IoT device to activate the IoT device on an IoT core network of a plurality of IoT core networks, wherein the plurality of IoT core networks and a plurality of IoT edge devices are co-located within the co-location facilities, and wherein the plurality of IoT edge devices are connected to one or more IoT platforms; authenticating the IoT device for connection to the IoT core network; and in response to authenticating the IoT device, provisioning a connection between the IoT core network and the plurality of IoT edge devices to provide the IoT device access to the one or more IoT platforms.

Abstract: An exemplary security key bootstrapping system determines an application layer session security keyset uniquely associated with a client device and based on a subscriber identity master security credential. The subscriber identity master security credential is permanently stored within a component of the client device and is also stored on a subscriber identity management server associated with a provider network by which the client device is communicatively coupled with an application server system. The security key bootstrapping system uses the application layer session security keyset as a credential to provide end-to-end security for an application layer session between the client device and the application server system over the provider network. Neither the component of the client device nor the subscriber identity management server obtains the subscriber identity master security credential from an exchange of the subscriber identity master security credential over the provider network.

Abstract: An exemplary security key bootstrapping system determines an application layer session security keyset uniquely associated with a client device and based on a subscriber identity master security credential. The subscriber identity master security credential is permanently stored within a component of the client device and is also stored on a subscriber identity management server associated with a provider network by which the client device is communicatively coupled with an application server system. The security key bootstrapping system uses the application layer session security keyset as a credential to provide end-to-end security for an application layer session between the client device and the application server system over the provider network. Neither the component of the client device nor the subscriber identity management server obtains the subscriber identity master security credential from an exchange of the subscriber identity master security credential over the provider network.

Abstract: A server device may store inter-layer quality of service (“QoS”) information, indicating a set of link layer QoS levels that are associated with a particular device, a set of network layer QoS levels that are associated with the set of link layer QoS levels, and a set of MPLS QoS levels that are associated with the set of link layer QoS levels. A network device may establish a set of bearers, that correspond to the set of link layer QoS levels, with a particular device; output information regarding the set of network layer QoS levels that are associated with the set of link layer QoS levels, to allow the particular device to select a bearer, of the set of bearers, via which to output traffic to the network device; receive, from the particular device, traffic via the bearer; and determine a particular MPLS QoS level associated with the received traffic.

Abstract: A provisioning system may receive requests, such as from third party service providers, to provision dedicated bearers for traffic associated with the service providers. For example, a service provider may request a particular quality of service (“QoS”) level for traffic sent between the service provider and one or more user devices. This QoS level may be higher than a “normal” QoS level that is ordinarily provided. The provisioning system may establish a bearer, such as a dedicated non-guaranteed bitrate (“non-GBR”) bearer between a packet data network (“PDN”) gateway (“PGW”) and the user device, and may transmit traffic, associated with the service provider, via the dedicated non-GBR bearer. A QoS agent, installed at the user device, may ensure that traffic, associated with the service provider, is sent from the user device via the dedicated non-GBR bearer (e.g., as opposed to another bearer with a lower QoS level).

Abstract: A provisioning system may receive requests, such as from third party service providers, to provision dedicated bearers for traffic associated with the service providers. For example, a service provider may request a particular quality of service (“QoS”) level for traffic sent between the service provider and one or more user devices. This QoS level may be higher than a “normal” QoS level that is ordinarily provided. The provisioning system may establish a bearer, such as a dedicated non-guaranteed bitrate (“non-GBR”) bearer between a packet data network (“PDN”) gateway (“PGW”) and the user device, and may transmit traffic, associated with the service provider, via the dedicated non-GBR bearer. A QoS agent, installed at the user device, may ensure that traffic, associated with the service provider, is sent from the user device via the dedicated non-GBR bearer (e.g., as opposed to another bearer with a lower QoS level).

Abstract: A server device may store inter-layer quality of service (“QoS”) information, indicating a set of link layer QoS levels that are associated with a particular device, a set of network layer QoS levels that are associated with the set of link layer QoS levels, and a set of MPLS QoS levels that are associated with the set of link layer QoS levels. A network device may establish a set of bearers, that correspond to the set of link layer QoS levels, with a particular device; output information regarding the set of network layer QoS levels that are associated with the set of link layer QoS levels, to allow the particular device to select a bearer, of the set of bearers, via which to output traffic to the network device; receive, from the particular device, traffic via the bearer; and determine a particular MPLS QoS level associated with the received traffic.

Abstract: A method comprising receiving, from a first node, a first packet at a network application server via a first local area network (LAN); receiving, from a second node, a second packet at the network application server via a second LAN; associating the first packet with a first VPN based on receiving the first packet via the first LAN; and associating the second packet with a second VPN based on reception of the second packet via the second LAN, wherein the first VPN and the second VPN include overlapping network address spaces.

Abstract: An approach is provided for extending private enterprise networking to wireless interconnecting domains. A home agent maintains a first routing table for a first wireless router configured to route according to a first address space. The home agent also maintains a second routing table for a second wireless router configured to route according to a second address space. The first address space and the second address space are overlapping.

Abstract: A system is configured to receive, from an enterprise device, a request to access a network domain, and is configured to determine whether the network domain is associated with a wireless service provider service. Based on determining that the network domain is not associated with the wireless service provider service, the system is configured to route the request to a private network associated with the enterprise device. Based on determining that the network domain is associated with the wireless service provider service, the system is configured to route the request to a domain name system server associated with the wireless service provider, receive a domain name system response to the request, the domain name system response identifying a network address, and route the domain name system response to the enterprise device.

Abstract: A method may include receiving a packet destined to a wireless node, buffering the packet, and scheduling a time at which to transmit the packet to the wireless node. Scheduling the packet may include determining an application-layer protocol associated with the packet. The method may also include wirelessly transmitting the packet to the wireless node at the scheduled time. In one embodiment, the method may also include sending information to a node that originated the packet indicating that the packet is buffered. In another embodiment, sending information to the node that originated the packet indicating that the packet is scheduled to be wirelessly transmitted at the scheduled time.

Abstract: A method comprising receiving, from a first node, a first packet at a network application server via a first local area network (LAN); receiving, from a second node, a second packet at the network application server via a second LAN; associating the first packet with a first VPN based on receiving the first packet via the first LAN; and associating the second packet with a second VPN based on reception of the second packet via the second LAN, wherein the first VPN and the second VPN include overlapping network address spaces.