Abstract: In one embodiment, a method comprises: first determining, by a controller, a target load for each of at least first and second wireless data networks rooted by respective first and second root network devices; second determining, by the controller, that at least a prescribed minimum number of network devices attached within the first wireless data network need to migrate from the first wireless data network to the second wireless data network based on the respective target loads; and causing, by the controller, the prescribed minimum number of network devices to migrate from the first wireless data network to the second wireless data network, based on the controller sending to the first and second root network devices enrollment priorities to be advertised by the first and second root network devices, respectively.

Abstract: A container includes a user program and data generated by the user program within a regulatory jurisdiction. Before the container leaves the regulatory jurisdiction, the data is validated by the jurisdiction to ensure the data complies with privacy laws of the jurisdiction. Upon ingress to a second regulatory jurisdiction, the data is signed locally to provide for confirmation that the data can leave the second regulatory jurisdiction, since it was not generated within the second jurisdiction. By allowing the user program to move from the first regulatory jurisdiction to a second regulatory jurisdiction, the disclosed embodiments overcome limitations in current solutions that restrict access to local data based on what a public application programming interface (API) can provide. By operating within the regulatory jurisdiction, albeit subject to access controls imposed by that jurisdiction, flexibility in the processing of sensitive data is improved.

Abstract: Presented herein are techniques to address a lack of path maximum transmission unit discovery in the context of, e.g., the control and provisioning of wireless access point (CAPWAP) protocol for multicast communications. In one embodiment, IPv4-IPv6-IPv4 network address translation is used to avoid a conservative maximum transmission unit size. In another embodiment, unicast and multicast path maximum transmission unit discovery techniques are executed to set the maximum transmission unit size for multicast communications.

Abstract: In one embodiment, a method comprises: joining, by a network device, a network topology rooted by a root network device in a data network, and in response transmitting an advertisement indicating a position of the network device in the network topology; suppressing a second transmission based on initiating a deferred transmission operation in response to transmitting the advertisement; maintaining the deferred transmission operation to enable a prescribed minimum number of other network devices to join the network topology at respective identified lower positions than the position of the network device; and changing, by the network device, from the deferred transmission operation to an accelerated operation in response to expiration of a prescribed deferral interval or detecting the prescribed minimum number of other network devices having the respective identified lower positions, the accelerated operation enabling the network device to initiate transmission of a data packet before the other network devices.

Abstract: A node of a network configured to forward packets based on network programming instructions encoded in the packets, performs a method. The method includes generating a probe packet encoded with a replication network programming instruction. The replication network programming instruction is configured to validate equal-cost multi-path (ECMP) routing in the network from the node to a destination by remotely triggering transit nodes of the network, that are traversed by the probe packet, to each perform replicate-and-forward actions. The replicate-and-forward actions include: identifying ECMP paths toward the destination; generating, for the ECMP paths, replicated probe packets that each include the replication network programming instruction; and forwarding the replicated probe packets along the ECMP paths. The method further includes forwarding the probe packet toward the destination.

Abstract: In one embodiment, a method comprises causing, by a network controller device, a first access point (AP) device to initiate a reverse sounding operation comprising wirelessly requesting a mobile constrained network device to transmit a null data packet (NDP) at a first transmission interval, wirelessly receiving the NDP at the first transmission interval, and generating a reception report describing reception of the NDP and including beamforming information; causing, by the network controller device, a second AP device to generate a corresponding reception report describing a corresponding wireless detection of the NDP at the first transmission interval; and causing, by the network controller device, the mobile constrained network device to connect to a selected one of the first AP device or the second AP device for an identified data flow based on the respective reception reports from the first and second AP devices.

Abstract: Connectors for a networking device may be provided. A networking device may comprise a first plurality of switch bars each comprising a first switch type arranged parallel to one another, a second plurality of switch bars each comprising a second switch type arranged parallel to one another, and a third plurality of switch bars each comprising a third switch type arranged parallel to one another. The first plurality of switch bars, the second plurality of switch bars, and the third plurality of switch bars may be arranged orthogonally. A first one of the first plurality of switch bars may be connected to a first one of the second plurality of switch bars via a retractable mechanical connector mechanism.

Abstract: In one embodiment, a method comprises: receiving, by a parent network device providing at least a portion of a directed acyclic graph (DAG) according to a prescribed routing protocol in a low power and lossy network, a destination advertisement object (DAO) message, the DAO message specifying a target Internet Protocol (IP) address claimed by an advertising network device in the DAG and the DAO message further specifying a secure token associated with the target IP address; and selectively issuing a cryptographic challenge to the DAO message to validate whether the advertising network device generated the secure token.

Abstract: A method includes receiving, at a home controller of a home domain and from a first device in the home domain, a first message concerning a user device that is anchored to the home domain and that has roamed from the home domain to a visitor domain. The method also includes, in response to determining that the first device is a router, opening a tunnel between the home controller and a visitor controller of the visitor domain and communicating the first message to the user device through the tunnel. The method further includes receiving, at the home controller and from a second device in the home domain, a second message concerning the user device and in response to determining that the second device is not a router, communicating, to the second device, a proxy response to the second message.

Abstract: In one embodiment, a server instructs one or more networking devices in a local area network (LAN) to form a virtual network overlay in the LAN that redirects traffic associated with a particular node in the LAN to the server. The server receives the redirected traffic associated with the particular node. The server trains a machine learning-based behavioral model for the particular node based on the redirected traffic. The server controls whether a particular redirected traffic flow associated with the node in the LAN is sent to a destination of the traffic flow using the trained behavioral model.

Abstract: Techniques for leveraging MLD capabilities at edge nodes of network fabrics to receive SNMAs from silent hosts, and creating unicast addresses from the SNMAs for the silent nodes that are used as secondary matches in a network overlay if primary unicast address lookups fail. The edge nodes described herein may act as snoopers of MLD reports in order to identify the SNMAs of the silent hosts. The edge nodes then forge unicast addresses for the silent hosts that match with the least three bytes of the SNMAs. The forged unicast addresses are presented as unicast MAC/IP mappings in the fabric overlay. In situations where a primary IP address lookup fails, the look-up device performs a secondary lookup for a mapped address that has the last three bytes of the IP address. If a mapping is found, the lookup is sent as a unicast message to the matching MAC address.

Abstract: The present disclosure is directed to systems and methods for first hop security in a multi-site and multi-vendor cloud. The method may include receiving, at a first hop security (FHS) device located within a defined security perimeter, a message from a first host; validating a security of the message; signing the message with a signature to prove validation of the message, the signature comprising at least a Crypto-ID Parameters Option (CIPO) and a Neighbor Discovery Protocol Signature Option (NDPSO); and transmitting the signed message to one or more network FHS devices within the security perimeter.

Abstract: Providing for time sensitive networking (TSN) traffic in high density deployments is described. An access point (AP) is a high density deployment receives a message identifying another AP as a TSN neighbor and also detects a TSN device within an area covered by the APs. This arrangement may cause traffic interruptions for the TSN traffic between the TSN device and the APs. In order to prevent disruption in TSN traffic, a TSN time slot and a resource unit (RU) is determined for each of the APs, and the TSN traffic is communicated between the various devices in network according to the determined TSN time slot and RU.

Abstract: In one embodiment, a method comprises determining, by a controller device in a low power and lossy network (LLN), that a first LLN border device is in a first personal area network (PAN) having a first directed acyclic graph (DAG) topology, and that the first LLN border device is a neighbor of a second LLN border device in a second PAN of the LLN having a second DAG topology; receiving a path request for a third LLN device in the first PAN to reach a fourth LLN device in the second PAN; and generating an inter-PAN path between the third LLN device and the fourth LLN device via the first and second LLN border devices, the inter-PAN path providing a stitching between the first DAG topology and the second DAG topology.

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.

Abstract: In one embodiment, a method comprises: classifying, by a controller device, a first access point device in a WLAN as a leader access point for a wireless client device, and at least a second access point device as a follower access point; and allocating, to the leader access point, a shortened medium access control layer timer (“timer”) that is shorter than a prescribed timer used by the follower access point, the shortened timer causing the leader access point to respond to reception of a wireless data packet from the wireless client device by transmitting an acknowledgment to the wireless client device upon expiration of the shortened timer; the prescribed timer causing the follower access point to defer to the leader access point based on the follower access point waiting for at least expiration of the prescribed timer before selectively transmitting a corresponding acknowledgment in response to receiving the wireless data packet.

Abstract: In one embodiment, a method is performed. A spine node in communication with a network may determine a subtree of a shadow cone of the spine node. The subtree may comprise a plurality of nodes and a plurality of links connecting pairs of the nodes. The spine node may determine a disaggregated route to a first leaf node to which a disaggregated prefix may be attached. The disaggregated route may be propagated to the plurality of the nodes of the subtree.

Abstract: Techniques for leveraging MLD capabilities at edge nodes of network fabrics to receive SNMAs from silent hosts, and creating unicast addresses from the SNMAs for the silent nodes that are used as secondary matches in a network overlay if primary unicast address lookups fail. The edge nodes described herein may act as snoopers of MLD reports in order to identify the SNMAs of the silent hosts. The edge nodes then forge unicast addresses for the silent hosts that match with the least three bytes of the SNMAs. The forged unicast addresses are presented as unicast MAC/IP mappings in the fabric overlay. In situations where a primary IP address lookup fails, the look-up device performs a secondary lookup for a mapped address that has the last three bytes of the IP address. If a mapping is found, the lookup is sent as a unicast message to the matching MAC address.

Abstract: A wireless device can achieve higher predictability for its transmissions by inserting a placeholder frame in a transmission queue before time sensitive data has been received. In addition, a contention countdown associated with the placeholder frame can start before the time sensitive data is ready for transmission. Once the data is available, the device can insert the data into the payload of the placeholder frame, thereby reducing the wait time before the data can be transmitted wirelessly. Additionally, the device can improve reliability by transmitting data using multiple subcarrier RUs in a channel. The data blocks and the duplicative data can be transmitted in parallel using the subcarrier RUs. If a subset of the subcarrier RUs are blocked because of narrowband interference, the receiving device can nonetheless recover the data blocks and reconstruct the packet from the data transported on the RUs that did not have interference.

Abstract: In one illustrative example, a network node connected in a network fabric may identify that it is established as part of a multicast distribution tree for forwarding multicast traffic from a source node to one or more host receiver devices of a multicast group. In response, the network node may propagate in the network fabric a message for advertising the network node as a candidate local source node at which to join the multicast group. The message for advertising may include data such as a reachability metric. The propagation of the message may be part of a flooding of such messages in the network fabric. The network node serving as the candidate local source node may thereafter “locally” join a host receiver device in the multicast group at the network node so that the device may receive the multicast traffic from the source node via the network node.