Abstract: The present disclosure relates to simultaneous operation of Wi-Fi access points in a super cell mode and a standalone mode and controlling connectivity of end terminals thereto. In one aspect, a method includes receiving a configuration for a group of access points operating within a network, the configuration allowing each access point of the group to operate in a super cell mode over a shared frequency channel and a standalone mode over a non-shared frequency channel. The method further includes determining, for an end terminal, whether the end terminal is to connect to the network over the shared frequency channel or the non-shared frequency channel based on a network policy to yield a determination; and controlling connectivity of the end terminal to at least one access point of the group of access points over the shared frequency channel or the non-shared frequency channel based on the determination.

Abstract: In one embodiment, a method comprises: joining, by a network device, a network topology rooted by a root network device in a data network, and in response transmitting an advertisement indicating a position of the network device in the network topology; suppressing a second transmission based on initiating a deferred transmission operation in response to transmitting the advertisement; maintaining the deferred transmission operation to enable a prescribed minimum number of other network devices to join the network topology at respective identified lower positions than the position of the network device; and changing, by the network device, from the deferred transmission operation to an accelerated operation in response to expiration of a prescribed deferral interval or detecting the prescribed minimum number of other network devices having the respective identified lower positions, the accelerated operation enabling the network device to initiate transmission of a data packet before the other network devices.

Abstract: In one embodiment, a device identifies a path of travel of a mobile system. The device subdivides the path of travel into a plurality of zones. The device generates time-slotted channel hopping schedules for the plurality of zones, each time-slotted channel hopping schedule having an associated zone among the plurality of zones. The device causes the mobile system to communicate wirelessly with networking infrastructure located along the path of travel, in accordance with a particular one of the time-slotted channel hopping schedules while the mobile system is located in its associated zone.

Abstract: The present disclosure is directed to systems and methods for first hop security in a multi-site and multi-vendor cloud. The method may include receiving, at a first hop security (FHS) device located within a defined security perimeter, a message from a first host; validating a security of the message; signing the message with a signature to prove validation of the message, the signature comprising at least a Crypto-ID Parameters Option (CIPO) and a Neighbor Discovery Protocol Signature Option (NDPSO); and transmitting the signed message to one or more network FHS devices within the security perimeter.

Abstract: In one embodiment, a method comprises: creating, by a root network device in a wireless data network, a perimeter topology comprising a first distance vector-protocol path of a first group of perimeter devices and a second distance vector-protocol path of a second group of the perimeter devices, the creating comprising outputting first and second advertisement messages causing the perimeter devices to attach to only one parent of only one of the first or second distance vector-protocol paths and a junction device to attach at respective ends of the first and second distance vector-protocol paths; and causing the junction device to forward, from the first distance vector-protocol path, a data packet toward the root network device via the second distance vector-protocol path.

Abstract: In one embodiment, a method comprises: receiving, by a root network device providing a DAG topology in a low power and lossy network (LLN), one or more multicast registration messages from an LLN device and identifying distinct properties of the LLN device; receiving, by the root network device, one or more multicast address group identifiers of one or more multicast streams to which the LLN device has subscribed, and associating the one or more multicast address group identifiers with the distinct properties; receiving a multicast message specifying one of the multicast address group identifiers; and generating, by the root network device, a directed multicast message having a multi-dimensional addressing data structure comprising a selected one of the distinct properties and the one multicast address group identifier, causing parent network devices in the DAG topology to selectively retransmit based on determining a child network device has the selected one distinct property.

Abstract: In one embodiment, a method comprises: classifying, by a controller device, a first access point device in a WLAN as a leader access point for a wireless client device, and at least a second access point device as a follower access point; and allocating, to the leader access point, a shortened medium access control layer timer (“timer”) that is shorter than a prescribed timer used by the follower access point, the shortened timer causing the leader access point to respond to reception of a wireless data packet from the wireless client device by transmitting an acknowledgment to the wireless client device upon expiration of the shortened timer; the prescribed timer causing the follower access point to defer to the leader access point based on the follower access point waiting for at least expiration of the prescribed timer before selectively transmitting a corresponding acknowledgment in response to receiving the wireless data packet.

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.

Abstract: In one embodiment, a controller for an overhead mesh of access points in an area receives an indication from one or more access points of the overhead mesh that a client device is present in the area. The controller determines movements of the client device within the area. The controller selects a set of access points of the overhead mesh to support communications between the client device and the overhead mesh, based on the movements of the client device determined by the controller. The controller causes the controller, the set of access points to form communication schedules to support communications with the client device that do not require a prior association exchange with the client device.

Abstract: In one embodiment, an access point of an overhead mesh of access points in an area selects a range of client identifiers. The access point sends, via a beam cone transmitted in a substantially downward direction towards a floor of the area, a trigger signal that includes the range of client identifiers and prompts client devices having identifiers in that range to send best effort transmissions towards the overhead mesh. The access point detects a collision between the best effort transmissions of the client devices. The access point adjusts the range of client identifiers so as to avoid future collisions between the best effort transmissions of the client devices.

Abstract: In one embodiment, a method comprises: determining, by a constrained network device in a low power and lossy network (LLN), a self-estimated density value of neighboring LLN devices based on wirelessly receiving an identified number of beacon message transmissions within an identified time interval from neighboring transmitting LLN devices in the LLN; setting, by the constrained network device, a first wireless transmit power value based on the self-estimated density value; and transmitting a beacon message at the first wireless transmit power value, the beacon message specifying the self-estimated density value, a corresponding trust metric for the self-estimated density value, and the first wireless transmit power value used by the constrained network device for transmitting the beacon message.

Abstract: In one embodiment, a method comprises: receiving, by a constrained wireless network device comprising a local clock, a plurality of messages from respective neighboring wireless network devices advertising as available parent devices in a directed acyclic graph of a time-synchronized network that is synchronized to a master clock device; determining, by the constrained wireless network device, a corresponding timing error of the local clock relative to each message output by the corresponding available parent device; and executing, by the constrained wireless network device, a distributed time synchronization of the local clock with the master clock device based on correlating the respective timing errors relative to the local clock.

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

Abstract: A method includes receiving, at a first edge node, an Internet Protocol (IP) multicast address of a first silent host node. The method further includes receiving, at a second edge node, an IP multicast address of a second silent host node. The IP multicast address of the first silent host node is equal to the IP multicast address of the second silent host node. The method further includes storing the IP multicast address of the first and second silent host node in a shared entry of a routing table. The method further includes receiving, at a third edge node, a packet from a third host node and determining that a destination address of the packet corresponds to the IP multicast address stored in the shared entry of the routing table. The method further includes sending the packet to both the first host node and the second host node.

Abstract: In one embodiment, a particular device in a deterministic network performs classification of one or more packets of a traffic flow between a source and a destination in the deterministic network. The particular device determines, based on the classification of the one or more packets, a requirement of the traffic flow. The particular device performs, based on the requirement, a packet operation on at least one packet of the traffic flow. The particular device sends packets of the traffic flow towards the destination via two or more paths in the deterministic network.

Abstract: Optimal determination of wireless network pathway configurations may be provided. A computing device may receive an error profile and a response instruction associated with the error profile, as generated by a network controller. The computing device may then monitor, for an error, on a communication Track, in a network, between an ingress node and an egress node. Then, the computing device, upon detecting the error, can determine that the error is similar to the error profile, and based on the determination that the error is similar to the error profile, enact the response instruction. The response instruction can direct the computing device to switch from the communication Track to a communication subTrack between the ingress node and the egress node.

Abstract: Systems, methods, and computer-readable media are provided for securely advertising autoconfigured prefixes in a cloud environment. In some examples, a method can include, receiving, by a first router, an indication of an available network address prefix. In some aspects, the method can also include selecting, by the first router, a first network address prefix that is within the available network address prefix, wherein the first network address prefix provides at least one route to one or more network elements associated with the first router. In some cases, the method may further include sending, to a second router, a message including a stub registration option that indicates the first network address prefix.

Abstract: In one embodiment, a device registers with a controller for a mesh of overhead access points. The device receives, from the controller, a communication schedule for the device. The device generates a message to be sent to the mesh of overhead access points. The device transmits, according to the communication schedule, the message as a beam cone directed substantially upward relative to the device towards the mesh of overhead access points. The message is received and relayed by one or more particular access points in the mesh without the device previously performing a wireless association exchange with those one or more particular access points.

Abstract: Techniques for leveraging MLD capabilities at edge nodes of network fabrics to receive SNMAs from silent hosts, and creating unicast addresses from the SNMAs for the silent nodes that are used as secondary matches in a network overlay if primary unicast address lookups fail. The edge nodes described herein may act as snoopers of MLD reports in order to identify the SNMAs of the silent hosts. The edge nodes then forge unicast addresses for the silent hosts that match with the least three bytes of the SNMAs. The forged unicast addresses are presented as unicast MAC/IP mappings in the fabric overlay. In situations where a primary IP address lookup fails, the look-up device performs a secondary lookup for a mapped address that has the last three bytes of the IP address. If a mapping is found, the lookup is sent as a unicast message to the matching MAC address.

Abstract: This disclosure describes techniques for monitoring expected behavior of devices in a computing network. Behavior of network devices may include performing various functions associated with transferring data packets through the computing network. Monitoring expected behavior may include sending a probe packet into the computing network, and determining whether network devices behave as expected with respect to the probe packet. In some examples, behaviors such as replicating, forwarding, eliminating, ordering, and/or other functions regarding data packets may be validated using the present techniques. As computing networks and/or operations become more complex, assuring the expected behavior of network devices may become more important for the continued efficient, smooth, successful, and/or timely flow of data traffic.