Abstract: In one embodiment, a device of a software defined wide area network (SD-WAN) predicts characteristics of a new traffic flow to be admitted to the SD-WAN, based on a set of initial packets of the flow. The device predicts an impact of admitting the flow to the SD-WAN, based in part on extrinsic or exogenous data regarding the SD-WAN. The device admits the flow to the SD-WAN, based on the predicted impact. The supervisory device uses reinforcement learning to adjust one or more call admission control (CAC) parameters of the SD-WAN, based on captured telemetry data regarding the admitted flow.

Abstract: In one embodiment, a method comprises receiving, by a transport layer executed by a processor circuit in an apparatus, an identifiable grouping of data; storing, by the transport layer, the data as transport layer packets in a buffer circuit in the apparatus, the storing including inserting into each transport layer packet a grouping identifier that identifies the transport layer packets as belonging to the identifiable grouping; and causing, by the transport layer, a plurality of transmitting deterministic network interface circuits to deterministically retrieve the transport layer packets from the buffer circuit for deterministic transmission across respective deterministic links, the grouping identifier enabling receiving deterministic network interface circuits to group the received transport layer packets, regardless of deterministic link, into a single processing group for a next receiving transport layer.

Abstract: In one embodiment, a method comprises: identifying, by a root network device of a directed acyclic graph (DAG) in a low power and lossy network, a child network device in the DAG, including identifying a first rank associated with the child network device; allocating, by the root network device, an allocated rank for the child network device, the allocated rank different from the first rank; and outputting, by the root network device, a message to the child network device specifying the allocated rank, the message causing the child network device to implement the allocated rank in the DAG, including causing the child network device to generate and output a Destination Oriented Directed Acyclic Graph (DODAG) information object (DIO) message specifying the child network device is using the allocated rank.

Abstract: Systems and methods may include sending, to a network registrar, a first message including a first nonce generated by a host computing device, and receiving, from the network registrar, a second message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PKI) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

Abstract: A source access network device multicasts copies of a packet to multiple core switches, for switching to a same target access network device. The core switches are selected for the multicast based on a load balancing algorithm managed by a central controller. The target access network device receives at least one of the copies of the packet and generates at least metric indicative of a level of traffic congestion at the core switches and feeds back information regarding the recorded at least one metric to the controller. The controller adjusts the load balancing algorithm based on the fed back information for selection of core switches for a subsequent data flow.

Abstract: In one embodiment, a method comprises causing, by an apparatus, establishment of first and second multicast trees within one or more underlay switching fabrics of one or more fat tree topologies, the first and second multicast trees comprising first and second multicast roots for multicast transmission to leaf network devices in the respective first and second multicast trees; causing, by the apparatus, establishment of an overlay tunnel between the first and second multicast roots, the overlay tunnel independent and distinct from the first and second multicast trees; causing the first multicast root to multicast transmit, via the first multicast tree, a data packet having been transmitted to the first multicast root; and causing the first multicast root to unicast transmit the data packet to the second multicast root via the overlay tunnel, for multicast transmission of the data packet by the second multicast root via the second multicast tree.

Abstract: In one embodiment, a method comprises identifying a fat tree network topology comprising top-of-fabric (ToF) switching devices, an intermediate layer of intermediate switching devices connected to each of the ToF switching devices, and a layer of leaf network devices; and causing a first leaf network device to initiate establishment of first and second redundant multicast trees for multicasting of data packets, including: causing first and second ToF switching devices to operate as roots of the first and second multicast trees according to first and second attribute types, respectively, causing the first leaf network device to select first and second of the intermediate switching devices as first and second flooding relays belonging to the first and second attribute types, respectively, and causing the first and second flooding relays to limit propagation of registration messages generated by the first leaf network device to the first and second ToF switching devices, respectively.

Abstract: This disclosure describes techniques for authenticating a user device for a session. For instance, an authentication entity may authenticate a user device using single sign-on authentication and/or multi-factor authentication. The authentication entity may then determine a duration for which the user device is authenticated for the session. For example, the authentication entity may receive information representing a state of an environment of the user device. The authentication entity may then use the information to identify one or more transitions associated with the environment between the session and a previous session. Using the one or more transitions, the authentication entity may determine the duration for the session by increasing or decreasing a previous duration associated with the previous session.

Abstract: In one embodiment, a device in a mesh network joins a source-destination oriented partial directed acyclic graph (SDO-PDAG) between a source node and a destination node in the network. The device receives operations, administration and maintenance (OAM) packets flooded along reverse paths of the SDO-PDAG. The device determines, based on the received OAM packets, packet drop rate (PDR) capacities of different paths between the device and the destination node. The device replicates a data packet sent from the source node to the destination node along two or more of the paths between the device and the destination node, based on the determined PDR capacities of those paths.

Abstract: In one embodiment, a method comprises causing, by a network controller device, a first access point (AP) device to initiate a reverse sounding operation comprising wirelessly requesting a mobile constrained network device to transmit a null data packet (NDP) at a first transmission interval, wirelessly receiving the NDP at the first transmission interval, and generating a reception report describing reception of the NDP and including beamforming information; causing, by the network controller device, a second AP device to generate a corresponding reception report describing a corresponding wireless detection of the NDP at the first transmission interval; and causing, by the network controller device, the mobile constrained network device to connect to a selected one of the first AP device or the second AP device for an identified data flow based on the respective reception reports from the first and second AP devices.

Abstract: This disclosure describes techniques for device to device authentication. For instance, a first device may detect a second device, such as when a user physically attaches the second device to the first device or when the second device wireless communicates with the first device. A component of the first device and/or an authentication entity may then determine to authenticate the second device. In some instances, the component determines to authenticate the second device using information associated with an environment of the second device. To authenticate the second device, the authentication entity may send a request to a user, receive a response from the user, and then verify the response. After the authentication, the first device may determine that the second device includes a trusted device and establish a connection with the second device.

Abstract: Various embodiments disclosed herein enable performing energy detection on a subset of a channel. In various embodiments, a method of performing energy detection is performed by a computing device. In various embodiments, the computing device includes a wireless transceiver, one or more processors, and a non-transitory memory. In various embodiments, the method includes performing energy detection on one or more overlapping portions of a first channel and a second channel. In some embodiments, the method includes determining whether a detected energy level from the energy detection satisfies a threshold. In some embodiments, the method includes transmitting a signal into the first channel based on the threshold being satisfied.

Abstract: In one embodiment, a method comprises determining, by a link layer switch within a distributed link layer switched data network, a trust metric for a media access control (MAC) address used by a network device on a link layer connection provided by the link layer switch; receiving, by the link layer switch, a query originated by a second link layer switch in the distributed link layer switched data network, the query specifying the MAC address and a corresponding specified trust metric; and responding to the query, by the link layer switch, based on determining whether the specified trust metric indicates a higher trust level than the corresponding trust metric for the MAC address used by the network device on the link layer connection.

Abstract: A method includes identifying within a network topology, by an apparatus, a plurality of network devices; and establishing by the apparatus, a multiple tree topology comprising a first multicast tree and a second multicast tree, the first and second multicast trees operable as redundant trees for multicast traffic in the network topology, the establishing including: allocating a first of the network devices as a corresponding root of the first multicast tree, allocating a first group of intermediate devices from the network devices as first forwarding devices in the first multicast tree, allocating a second group of intermediate devices as belonging to first leaf devices in the first multicast tree, and allocating terminal devices of the network devices as belonging to the first leaf devices, and allocating a second of the network devices as the corresponding root of the second multicast tree, allocating the second group of intermediate devices as second forwarding devices in the second multicast tree, alloca

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PM) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

Abstract: In one embodiment, a method comprises: receiving, by a constrained wireless network device comprising a local clock, a plurality of messages from respective neighboring wireless network devices advertising as available parent devices in a directed acyclic graph of a time-synchronized network that is synchronized to a master clock device; determining, by the constrained wireless network device, a corresponding timing error of the local clock relative to each message output by the corresponding available parent device; and executing, by the constrained wireless network device, a distributed time synchronization of the local clock with the master clock device based on correlating the respective timing errors relative to the local clock.

Abstract: In one embodiment, a method comprises: determining, by a network switching device, whether the network switching device is configured as one of multiple leaf network switching devices, one of multiple Top-of-Fabric (ToF) switching devices, or one of multiple intermediate switching devices in a switched data network having a leaf-spine switching architecture; if configured as a leaf switching device, limiting flooding of an advertisement only to a subset of the intermediate switching devices in response to detecting a mobile destination is reachable; if configured as an intermediate switching device, flooding the advertisement, received from any one of the leaf network switching devices, to connected ToF switching devices without installing any routing information specified within the advertisement; if configured as a ToF switching device, installing from the flooded advertisement the routing information and tunneling a data packet, destined for the mobile destination, to the leaf switching device having trans

Abstract: In one embodiment, a device in a network receives a query walker agent configured to query information from a distributed set of devices in the network based on a query. The device executes the query walker agent to identify the query. The device updates state information of the executing query walker agent using local information from the device and based on the query. The device unloads the executing query walker agent after updating the state information. The device propagates the query walker agent with the updated state information to one or more of the distributed set of devices in the network, when the updated state information does not fully answer the query.

Abstract: Protocol independent signal slotting and scheduling is provided by receiving a frame including a header and a payload for transmission; in response to determining that the frame matches a rule identifying the frame as part of a control loop, compressing the header according to the rule to produce a compressed packet of a predefined size that includes the compressed header and the payload; scheduling transmission of the compressed packet; and transmitting the compressed packet to a receiving device. In some embodiments, before compressing the frame, in response to determining that a size of the payload does not match a predefined size threshold: the payload is fragmented into a plurality of portions, wherein each portion satisfies the predefined size threshold, or the compressed packet is padded to the predefined size threshold via forward error correction padding information.

Abstract: In one embodiment, a method comprises: receiving, by a parent network device providing at least a portion of a directed acyclic graph (DAG) according to a prescribed routing protocol in a low power and lossy network, a destination advertisement object (DAO) message, the DAO message specifying a target Internet Protocol (IP) address claimed by an advertising network device in the DAG and the DAO message further specifying a secure token associated with the target IP address; and selectively issuing a cryptographic challenge to the DAO message to validate whether the advertising network device generated the secure token.