Abstract: A container includes a user program and data generated by the user program within a regulatory jurisdiction. Before the container leaves the regulatory jurisdiction, the data is validated by the jurisdiction to ensure the data complies with privacy laws of the jurisdiction. Upon ingress to a second regulatory jurisdiction, the data is signed locally to provide for confirmation that the data can leave the second regulatory jurisdiction, since it was not generated within the second jurisdiction. By allowing the user program to move from the first regulatory jurisdiction to a second regulatory jurisdiction, the disclosed embodiments overcome limitations in current solutions that restrict access to local data based on what a public application programming interface (API) can provide. By operating within the regulatory jurisdiction, albeit subject to access controls imposed by that jurisdiction, flexibility in the processing of sensitive data is improved.

Abstract: In one embodiment, a method includes identifying, using a Static Context Header Compression (SCHC) rules engine, one or more packets matching a rule, selecting a firewall decision based on the identified one or more packets and the rule, and applying the firewall decision to the one or more identified packets.

Abstract: In one embodiment, an access point of an overhead mesh of access points in an area selects a range of client identifiers. The access point sends, via a beam cone transmitted in a substantially downward direction towards a floor of the area, a trigger signal that includes the range of client identifiers and prompts client devices having identifiers in that range to send best effort transmissions towards the overhead mesh. The access point detects a collision between the best effort transmissions of the client devices. The access point adjusts the range of client identifiers so as to avoid future collisions between the best effort transmissions of the client devices.

Abstract: Techniques are provided that validate a participant in a video conference. As a video conferencing system is remote from a video conference participant, and user devices are not trusted, traditional methods such as client side facial recognition are ineffective at validating a participant from a video conferencing system. Thus, the embodiments encode modulated data for projection onto a face of the participant. A video of the participant is then captured. The conferencing system then confirms that the modulated data is present in the captured video.

Abstract: In one embodiment, an illustrative method herein may comprise: receiving, at a first edge device, a direct indication from a second edge device that a mobile device has moved from the first to the second edge device; determining, based on the direct indication, a first time at which the mobile device attached to the second edge device; receiving a network routing update message indicative of a routing update for the mobile device having moved to the second edge device; determining, based on the network routing update message, a second time at which convergence completed at the first edge device; and calculating a convergence time for the mobile device to be detected as having moved to the second edge device based on a difference between the first time and the second time.

Abstract: In one embodiment, a method comprises identifying, by a path computation element, essential parent devices from a nonstoring destination oriented directed acyclic graph (DODAG) topology as dominating set members belonging to a dominating set; receiving, by the path computation element, an advertisement message specifying a first dominating set member having reachability to a second dominating set member, the reachability distinct from the nonstoring DODAG topology; and generating, by the path computation element based on the advertisement message, an optimized path for reaching a destination network device in the nonstoring DODAG topology via a selected sequence of dominating set members, the optimized path providing cut-through optimization across the nonstoring DODAG topology.

Abstract: In one embodiment, an illustrative method herein may comprise: receiving, at an access device for a network, a packet having a set of packet features; making, by the access device, a determination that the set of packet features of the packet match a forwarding ruleset that defines differentiated services for different types of packets based on their packet features; formulating, by the access device and based on the determination, a compressed header for the packet that has one or more differentiated service indicators based on the forwarding ruleset; and forwarding, from the access device, the packet with the compressed header, to cause forwarding decisions to be made within the network for the packet based on the one or more differentiated service indicators in its compressed header.

Abstract: In one embodiment, a method comprises: classifying, by a controller device, a first access point device in a WLAN as a leader access point for a wireless client device, and at least a second access point device as a follower access point; and allocating, to the leader access point, a shortened medium access control layer timer (“timer”) that is shorter than a prescribed timer used by the follower access point, the shortened timer causing the leader access point to respond to reception of a wireless data packet from the wireless client device by transmitting an acknowledgment to the wireless client device upon expiration of the shortened timer; the prescribed timer causing the follower access point to defer to the leader access point based on the follower access point waiting for at least expiration of the prescribed timer before selectively transmitting a corresponding acknowledgment in response to receiving the wireless data packet.

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.

Abstract: In one embodiment, an access point of an overhead mesh of access points in an area selects a range of client identifiers. The access point sends, via a beam cone transmitted in a substantially downward direction towards a floor of the area, a trigger signal that includes the range of client identifiers and prompts client devices having identifiers in that range to send best effort transmissions towards the overhead mesh. The access point detects a collision between the best effort transmissions of the client devices. The access point adjusts the range of client identifiers so as to avoid future collisions between the best effort transmissions of the client devices.

Abstract: In one embodiment, a controller for an overhead mesh of access points in an area receives an indication from one or more access points of the overhead mesh that a client device is present in the area. The controller determines movements of the client device within the area. The controller selects a set of access points of the overhead mesh to support communications between the client device and the overhead mesh, based on the movements of the client device determined by the controller. The controller causes the controller, the set of access points to form communication schedules to support communications with the client device that do not require a prior association exchange with the client device.

Abstract: In one embodiment, a method comprises: receiving, by a constrained wireless network device comprising a local clock, a plurality of messages from respective neighboring wireless network devices advertising as available parent devices in a directed acyclic graph of a time-synchronized network that is synchronized to a master clock device; determining, by the constrained wireless network device, a corresponding timing error of the local clock relative to each message output by the corresponding available parent device; and executing, by the constrained wireless network device, a distributed time synchronization of the local clock with the master clock device based on correlating the respective timing errors relative to the local clock.

Abstract: In one embodiment, a particular device in a deterministic network performs classification of one or more packets of a traffic flow between a source and a destination in the deterministic network. The particular device determines, based on the classification of the one or more packets, a requirement of the traffic flow. The particular device performs, based on the requirement, a packet operation on at least one packet of the traffic flow. The particular device sends packets of the traffic flow towards the destination via two or more paths in the deterministic network.

Abstract: In one embodiment, a device registers with a controller for a mesh of overhead access points. The device receives, from the controller, a communication schedule for the device. The device generates a message to be sent to the mesh of overhead access points. The device transmits, according to the communication schedule, the message as a beam cone directed substantially upward relative to the device towards the mesh of overhead access points. The message is received and relayed by one or more particular access points in the mesh without the device previously performing a wireless association exchange with those one or more particular access points.

Abstract: Techniques for leveraging MLD capabilities at edge nodes of network fabrics to receive SNMAs from silent hosts, and creating unicast addresses from the SNMAs for the silent nodes that are used as secondary matches in a network overlay if primary unicast address lookups fail. The edge nodes described herein may act as snoopers of MLD reports in order to identify the SNMAs of the silent hosts. The edge nodes then forge unicast addresses for the silent hosts that match with the least three bytes of the SNMAs. The forged unicast addresses are presented as unicast MAC/IP mappings in the fabric overlay. In situations where a primary IP address lookup fails, the look-up device performs a secondary lookup for a mapped address that has the last three bytes of the IP address. If a mapping is found, the lookup is sent as a unicast message to the matching MAC address.

Abstract: In one embodiment, a controller identifies access points forming an overhead mesh of access points in an area, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The controller assigns the access points to access point groups. The controller generates communication schedules for the access points such that each access point in an access point group is on a common channel and only one of neighboring directional transmitters of access points in that group is able to transmit at any given time. The controller sends the communication schedules to the access points forming the overhead mesh of access points in the area.

Abstract: In one embodiment, a controller identifies access points forming an overhead mesh of access points in an area, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The controller determines coverage areas on the floor of the area for the one or more directional transmitters of the access points in the overhead mesh. The controller generates, based on the coverage areas, alternating communication schedules for the access points such that a client device at any given location on the floor of the area is within range of a plurality of receiving access points in the overhead mesh and at least one transmitting access point in the overhead mesh at a certain point in time. The controller sends the communication schedules to the access points.

Abstract: In one embodiment, a client device enters an area having an overhead mesh of access points, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The client device obtains an area-dependent communication schedule for the overhead mesh that is exclusive or partially-exclusive to the client device for the area. The client device sends, during an arbitrary timeslot of the area-dependent communication schedule, a pull request. The client device receives, from a particular access point in the overhead mesh, a packet in response to the pull request.

Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration the user can be required to re-authenticate.

Abstract: In one embodiment, a method comprises causing, by a network controller device, a first access point (AP) device to initiate a reverse sounding operation comprising wireles sly requesting a mobile constrained network device to transmit a null data packet (NDP) at a first transmission interval, wirelessly receiving the NDP at the first transmission interval, and generating a reception report describing reception of the NDP and including beamforming information; causing, by the network controller device, a second AP device to generate a corresponding reception report describing a corresponding wireless detection of the NDP at the first transmission interval; and causing, by the network controller device, the mobile constrained network device to connect to a selected one of the first AP device or the second AP device for an identified data flow based on the respective reception reports from the first and second AP devices.