Abstract: A method includes receiving, at a first edge node, an Internet Protocol (IP) multicast address of a first silent host node. The method further includes receiving, at a second edge node, an IP multicast address of a second silent host node. The IP multicast address of the first silent host node is equal to the IP multicast address of the second silent host node. The method further includes storing the IP multicast address of the first and second silent host node in a shared entry of a routing table. The method further includes receiving, at a third edge node, a packet from a third host node and determining that a destination address of the packet corresponds to the IP multicast address stored in the shared entry of the routing table. The method further includes sending the packet to both the first host node and the second host node.

Abstract: In one embodiment, an access point is configured with a plurality of resource units (RUs). Each RU is configured to use a frequency range that differs from frequency ranges used by the other RUs. The access point determines a pattern of recurring signal performance over time. For each RU of the plurality of RUs, the pattern indicates the recurring signal performance with respect to a station when the station is located in a given physical location. The access point allocates one or more of the RUs for communicating with the station. The pattern is used for avoiding allocation of any of the RUs for which the station is predicted to experience strong multipath fading or other destructive interference.

Abstract: A first address resolution request may be received by a first access switch from a first device and the address resolution request may be resolved by the first access switch with a central database of a network. Then a second address resolution request may be sent to a sensor by the first access switch in response to resolving the first address resolution request. An address resolution response may then be sent by the sensor to the first device in response to the sensor determining that the first device is a bad endpoint. A session may then be established between the sensor and the first device in response to the sensor sending the address resolution response. The first device may then be prompted by the sensor via the established session to resolve issues that lead the sensor to determine that the first device is a bad endpoint.

Abstract: In one embodiment, a method is disclosed comprising monitoring dynamic locations of a plurality of mobile communication devices within a physical area covered by a wireless communication network, wherein keys are distributed to the mobile communication devices at association time; determining that a particular mobile communication device should have a relay for communication with the network based on a first location of the particular mobile communication device and inadequate wireless communication characteristics at the first location; selecting an opportunistic relay device from the mobile communication devices based on a second location of the opportunistic relay device and adequate wireless communication characteristics of the opportunistic relay device within the network and to the first location from the second location; and directing the opportunistic relay device to relay communications for the particular mobile communication device at the first location, wherein the communications are encrypted base

Abstract: This disclosure describes techniques for device to device authentication. For instance, a first device may detect a second device, such as when a user physically attaches the second device to the first device or when the second device wireless communicates with the first device. A component of the first device and/or an authentication entity may then determine to authenticate the second device. In some instances, the component determines to authenticate the second device using information associated with an environment of the second device. To authenticate the second device, the authentication entity may send a request to a user, receive a response from the user, and then verify the response. After the authentication, the first device may determine that the second device includes a trusted device and establish a connection with the second device.

Abstract: Described herein are devices, systems, methods, and processes for optimizing network traffic distribution across multiple paths in a manner that is energy-efficient and environmental sustainability-aware. This may be achieved by leveraging time-series analytics and capacity planning based on seasonalities. Data associated with the Layer 3 topology of the network can be collected. Bandwidth can be pre-reserved on an energy-aware traffic engineering tunnel. The time-series data can be used to build a capacity plan based on the seasonalities. Nodes may be clustered based on usage patterns and network utilization seasonality. The data can be used to make decisions about when and where to combine or shut down paths for energy efficiency, while maintaining optimal network performance. A hysteresis mechanism may be incorporated to avoid oscillation when changing active links. Power savings can be achieved by fully turning off or depowering certain network components when they are not needed.

Abstract: In one embodiment, a process determines wireless station (STA) load and schedule of two or more access point (AP) radios. The process then develops a coordination between the two or more access point radios to limit downtime for one or more multi-link wireless devices capable of multi-link operation (MLO) on two or more channels. The process further causes the one or more multi-link wireless devices to move between access point radios based on the wireless station load and schedule and according to the coordination.

Abstract: Techniques for detecting and/or confirming a Man-in-The-Middle (MiTM) attack using Fine Timing Measurement (FTM) are provided. In one aspect, a FTM exchange is initiated between a second station and a first station to detect or confirm a MiTM attack in a network in which a MiTM is positioned between the first station and a third station. The MiTM attack is detected or confirmed, or both, based at least in part on FTM information determined during the FTM exchange.

Abstract: Techniques for using Prefix Address Translation (PAT), Mobile Internet Protocol (MIP), and/or other techniques to anonymize server-side addresses in data communications. Rather than allowing a server and/or endpoint have visibility of a client IP address of a client device accessing the server and/or endpoint, a virtual network service instead returns a PAT IP address that is mapped to the client device and/or the endpoint device. In this way, IP addresses of clients devices are obfuscated by the virtual network. The client device may then communicate data packets to the server and/or endpoint using the PAT IP address as the source address, and the virtual network service that works in conjunction with the server and/or endpoints can convert the PAT IP address to the actual IP address of the client for return packets using PAT and forward the return packet onto the client device.

Abstract: Address Resolution Protocol (ARP)-proxy update for roaming client devices may be provided. A client device may query for a list of active Internet Protocol (IP) addresses used by the client device. Next, the client device may determine that an Access Point (AP) supports a collaborative IP exchange function. Then the client device may send, in response to determining that the AP supports the collaborative IP exchange function, the list of active Internet Protocol (IP) addresses to the AP.

Abstract: Techniques for varying locations of virtual networks associated with endpoints using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS). Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. The VIP address may be selected based on a number of factors (e.g., power usage, privacy requirements, virtual distances, etc.). In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses that can be periodically rotated and/or load balanced. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications and verify an authenticity of a client device attempting to use a virtual IP (VIP) address. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a VIP address that is mapped to the client device and the endpoint device. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can verify an authenticity of the client device and convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

Abstract: Techniques for using Home Addresses, Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to obfuscate server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a Home Address that is mapped to the client device and at least one server IP address of the endpoint device. In this way, IP addresses of servers are obfuscated by a network mapping of the Home Addresses and the server IP addresses. The client device may then communicate data packets to the server using the Home Addresses as the destination address, and a virtual network service that works in conjunction with DNS can encapsulate the data packet with the server IP addresses and forward the data packet onto the server.

Abstract: Described herein are devices, systems, methods, and processes for improving retransmissions in wireless communication networks by distinguishing between temporal interference and longer-term radio frequency (RF) condition issues. The fact that the access point (AP) does not usually move may be leveraged, and a machine learning process can be utilized to learn and adapt to the RF conditions in the cell. The AP records various parameters for each frame received from client devices and uses this data to build a pairwise temporal matrix. Machine learning models are trained using these parameters, enabling the AP to compute the likely efficient set of modulation and coding schemes (MCSs) at each static position and along moving positions. The AP can then adapt its MCS accordingly for the downlink traffic and provide the client device with recommended MCSs for upcoming uplink transmissions. Accordingly, the retry count at the client devices can be reduced.

Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration the user can be required to re-authenticate.

Abstract: Systems, methods, and computer-readable media are provided for securely advertising autoconfigured prefixes in a cloud environment. In some examples, a method can include, receiving, by a first router, an indication of an available network address prefix. In some aspects, the method can also include selecting, by the first router, a first network address prefix that is within the available network address prefix, wherein the first network address prefix provides at least one route to one or more network elements associated with the first router. In some cases, the method may further include sending, to a second router, a message including a stub registration option that indicates the first network address prefix.

Abstract: Systems and techniques for dynamically optimizing a wireless network topology to minimize energy consumption while preserving user quality of experience (QoE) are described. An example technique includes determining a set of applications that have a target service level agreement (SLA). Network traffic is monitored from the set of applications being executed by one or more client STAs within a network. A topology of the network is dynamically adapted to reduce an amount of energy consumption in the network while maintaining a threshold amount of the network traffic that satisfies the target SLA, based on monitoring the network traffic.

Abstract: Described herein are devices, systems, methods, and processes for managing power congestion in multi-path routing systems. Indications may be similar to the ECN, and may be used in network headers, including headers for IPV6, SRv6, NSH, or other tunneling protocols. The indications, namely EOPN, PTE, and ECMP-exclude, can provide a mechanism for managing network power consumption and controlling ECMP routing based on flow priority and characteristics. The power budget can be dynamically adjusted based on the current power source mix, which may help to achieve sustainability goals. Hashing optimizations and signaling can be utilized to manage network power congestion and bandwidth-normalized power efficiency availability. A process may be implemented to ensure there is sufficient capacity to serve the expected traffic for different next-hop paths.

Abstract: In one embodiment, a method includes receiving a request from an access point to transmit to a TSN data payload to a wireless TSN station, identifying resource units (RUs) in a downlink channel, each RU comprising a set of RU tones, identifying access category (AC) queues, multiplexing the RUs and AC queues to generate RU and AC queue pairs, generating timing boundaries of the pairs, wherein each timing boundary represents a combination of an average airtime of each RU and an average wait time of each AC queue for transmitting a size of the TSN data payload, iteratively validating the timing boundaries with a TSN lookahead time, and determining a first RU tone from a first RU associated with a first timing boundary less than the TSN lookahead time to transmit the TSN data payload in a first AC queue to the wireless TSN station.

Abstract: In one embodiment, a device determines a physical location of a mobile client of wireless network. The device performs a frequency lookup for the mobile client from an AFC service using the physical location of the mobile client. The device selects a frequency to be used by the mobile client based on the frequency lookup. The device causes the mobile client to use the frequency to communicate with the wireless network.