Patents by Inventor Pascal Menezes

Pascal Menezes has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20140149572
    Abstract: Various techniques of network monitoring and diagnostics in computer networks are disclosed herein. In one embodiment, a method includes configuring a network session between a first client device and a second client device interconnected to each other by the computer network. The configured network session has one or more encrypted attributes. The method also includes transmitting one or more of the encrypted attributes of the configured network session to a network management system for collecting information from one or more network elements connecting the first client device to the second client device during the network session.
    Type: Application
    Filed: November 28, 2012
    Publication date: May 29, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: Pascal Menezes, Anthony Romano, Bill Hanlon, Gunter Leeb, Jon Morrow
  • Publication number: 20140136718
    Abstract: QoS support is detected during discovery of potential media paths between a source and a destination by examining the markings of each available media path and selecting a more suitable media candidate based on a set of QoS prioritization rules. Optionally, each endpoint may update a UC&C monitoring service with the QoS results of the candidate list discovery process so that any automated diagnostic and auditing systems can be alerted to any misconfigured Network Elements.
    Type: Application
    Filed: November 9, 2012
    Publication date: May 15, 2014
    Applicant: Microsoft Corporation
    Inventors: Pascal Menezes, Wajih Yahyaoui, Warren Barkley
  • Patent number: 8706861
    Abstract: A primary call admission controller (CAC) system receives a request from a client to allocate a network resource such as a network bandwidth. The primary CAC system may determine a subordinate CAC to delegate the allocation to, and transfer the request to the subordinate CAC. Subsequently, the subordinate CAC analyzes the communication session attributes to determine an available network resource for the communication session. Upon a positive determination, the subordinate CAC allocates the network resource and signals the allocation up the network chain to the primary CAC and the client.
    Type: Grant
    Filed: September 9, 2011
    Date of Patent: April 22, 2014
    Assignee: Microsoft Corporation
    Inventors: Pascal Menezes, Wajih Yahyaoui, Kapil Sharma, Warren Barkley
  • Publication number: 20130254412
    Abstract: Unified Communication and Collaboration (UC&C) systems are enabled to dynamically enlighten a set of network elements (NEs) and/or network infrastructure with application awareness so that an accurate set of rules or actions can be applied for a given session without needing to look up the payload of every packet or applying somewhat ineffective, expensive heuristic mechanisms. Taking advantage of typically longer communication session durations and separate control and media planes, a UC&C control point programs a set of NEs for a given UC&C media flow in a scalable and timely manner. Quality of Service (QoS), security, monitoring, and similar functionality may also be programmed into the NEs through the UC&C control point.
    Type: Application
    Filed: March 23, 2012
    Publication date: September 26, 2013
    Applicant: Microsoft Corporation
    Inventors: Pascal Menezes, Wajih Yahyaoui, Kapil Sharma, Warren Barkley
  • Publication number: 20130067042
    Abstract: A primary call admission controller (CAC) system receives a request from a client to allocate a network resource such as a network bandwidth. The primary CAC system may determine a subordinate CAC to delegate the allocation to, and transfer the request to the subordinate CAC. Subsequently, the subordinate CAC analyzes the communication session attributes to determine an available network resource for the communication session. Upon a positive determination, the subordinate CAC allocates the network resource and signals the allocation up the network chain to the primary CAC and the client.
    Type: Application
    Filed: September 9, 2011
    Publication date: March 14, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Pascal Menezes, Wajih Yahyaoui, Kapil Sharma, Warren Barkley
  • Patent number: 8352741
    Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
    Type: Grant
    Filed: June 11, 2009
    Date of Patent: January 8, 2013
    Assignee: Microsoft Corporation
    Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
  • Patent number: 8301895
    Abstract: Enhanced network data transmission security and individualized data transmission processing can be implemented by intermediaries in a communication path between two endpoint peers individually having the capability to identify and authenticate one or both of the endpoint peers. Communication session establishment, endpoint peer identity processing and authentication and data traffic encryption protocols are modified to allow intermediaries to track the communications between endpoint peers for a particular communication session and obtain information to authenticate the endpoint peers and identify data traffic transmitted between them. Intermediaries can use the identities of one or both of the endpoint peers to enforce identity-based rules for processing data traffic between the endpoint peers for a communication session.
    Type: Grant
    Filed: December 2, 2009
    Date of Patent: October 30, 2012
    Assignee: Microsoft Corporation
    Inventors: Brian Swander, Daniel R. Simon, Pascal Menezes
  • Publication number: 20120157038
    Abstract: A mobile computing device that supports cost-aware application components for operation over a metered network. A current basis for computing usage charges over one or more networks may be made available to the cost-aware application components through an application programming interface supported by an operating system service. That service may receive a policy for charging for data usage over a network and may also obtain information defining data usage for the mobile computing device. Based on this information, the service may determine a current basis for charging for data usage. With this information, the application component can determine a manner for executing network operations that involve data transmission over the network, such as deferring the operation or selecting an alternative network.
    Type: Application
    Filed: December 17, 2010
    Publication date: June 21, 2012
    Applicant: Microsoft Corporation
    Inventors: Pascal Menezes, Marco Piumatti, Upshur W. Parks, Ravi Rao
  • Publication number: 20110131417
    Abstract: Enhanced network data transmission security and individualized data transmission processing can be implemented by intermediaries in a communication path between two endpoint peers individually having the capability to identify and authenticate one or both of the endpoint peers. Communication session establishment, endpoint peer identity processing and authentication and data traffic encryption protocols are modified to allow intermediaries to track the communications between endpoint peers for a particular communication session and obtain information to authenticate the endpoint peers and identify data traffic transmitted between them. Intermediaries can use the identities of one or both of the endpoint peers to enforce identity-based rules for processing data traffic between the endpoint peers for a communication session.
    Type: Application
    Filed: December 2, 2009
    Publication date: June 2, 2011
    Applicant: Microsoft Corporation
    Inventors: Brian Swander, Daniel R. Simon, Pascal Menezes
  • Publication number: 20100318800
    Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
    Type: Application
    Filed: June 11, 2009
    Publication date: December 16, 2010
    Applicant: Microsoft Corporation
    Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
  • Publication number: 20100318799
    Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
    Type: Application
    Filed: June 11, 2009
    Publication date: December 16, 2010
    Applicant: Microsoft Corporation
    Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
  • Publication number: 20100228962
    Abstract: Some embodiments are directed to processing packet data sent according to a security protocol between a first computer and a second computer via a forwarding device. The forwarding device performs a portion of the processing, and forwards the packet data to a third computer, connected to the forwarding device, for other processing. The third computer may support non-standard extensions to the security protocol, such as extensions used in authorizing and establishing a connection over the secure protocol. The packet data may be subject to policies, such as firewall policies or security policies, that may be detected by the third computer. The third computer sends the results of its processing, such as a cryptographic key, or a detected access control policy, to the forwarding device.
    Type: Application
    Filed: March 9, 2009
    Publication date: September 9, 2010
    Applicant: Microsoft Corporation
    Inventors: Daniel R. Simon, Pascal Menezes, Brian D. Swander