Patents by Inventor Prashanth Patil

Prashanth Patil has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230118375
    Abstract: A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.
    Type: Application
    Filed: December 19, 2022
    Publication date: April 20, 2023
    Inventors: K Tirumaleswar Reddy, Prashanth Patil, Carlos M. Pignataro
  • Patent number: 11589226
    Abstract: In one example, a home network associated with a user equipment obtains an authentication request to authenticate the user equipment to a serving network. The home network generates an authentication vector of a mobile security protocol. The authentication vector includes an indication that the user equipment is to be authenticated using a multi-factor authentication process. The home network provides the authentication vector to the serving network to prompt a response from the user equipment that is in accordance with the multi-factor authentication process. The home network authenticates the user equipment to the serving network based on the response.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: February 21, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Prashanth Patil, Ram Mohan Ravindranath, Rajesh Indira Viswambharan
  • Patent number: 11539747
    Abstract: A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: December 27, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: K Tirumaleswar Reddy, Prashanth Patil, Carlos M. Pignataro
  • Patent number: 11483292
    Abstract: Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: October 25, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Jianxin Wang, Prashanth Patil, Flemming Andreasen, Nancy Cam-Winget, Hari Shankar
  • Patent number: 11343178
    Abstract: A network node in a service function chain system receives a peer detection packet from a service function device in a service function path. The peer detection packet includes an inner packet with a header, such as a network service header. The network node detects a status indicator in the header that indicates a degradation in performing a service function at the service function device. The network node adjusts the service function path to compensate for the degradation in performing the service function at the service function device.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: May 24, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Prashanth Patil, K Tirumaleswar Reddy, Steven Richard Stites, James N. Guichard
  • Publication number: 20220078209
    Abstract: A trusted application manager (TAM) includes a processor, and a non-transitory computer-readable medium storing instructions that, when executed by the processor, cause the processor to perform operations comprising obtaining, from a secure access service edge (SASE) device executing a security service, a data set defining intelligence provided by the security service, defining a policy based at least in part on the intelligence provided by the security service, and managing a trusted application (TA) based on the policy.
    Type: Application
    Filed: September 8, 2020
    Publication date: March 10, 2022
    Inventors: Rajesh I V, Rammohan Ravindranath, Prashanth Patil, Vinay Saini
  • Patent number: 11108814
    Abstract: A web conferencing operator can enable participants to share multimedia content in real-time despite one or more of the participants operating from behind a middlebox via network address translation (NAT) traversal protocols and tools, such as STUN, TURN, and/or ICE. In NAT traversal, participants share transport addresses that the participants can use to establish a joint media session. However, connectivity checks during NAT traversal can expose a media distribution device hosted by the web conferencing operator to various vulnerabilities, such as distributed denial of service (DDoS) attacks. The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks at scale and without significant performance degradation by configuring the middlebox to validate incoming requests for the connectivity checks without persistent signaling between the web conference operator and the middlebox.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: August 31, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: K Tirumaleswar Reddy, Ram Mohan Ravindranath, Prashanth Patil, Carlos M. Pignataro
  • Patent number: 11070575
    Abstract: Systems, methods, computer-readable media, and devices are disclosed for verifying traffic classification. At a first node, a classification to a received packet is designated according to a local model. The classification of the packet by the first node is verified by sending packet information describing the packet to a distributed network comprising multiple nodes, where the packet information includes attributes of the packet. The classification of the packet is verified from receiving results from a second node that, based on the attributes, independently classifies the packet. Based on the verified classification, decentralized information for classifying packets is updated.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: July 20, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Ram Mohan Ravindranath, Prashanth Patil, Rajesh Indira Viswambharan
  • Publication number: 20210185529
    Abstract: In one example, a home network associated with a user equipment obtains an authentication request to authenticate the user equipment to a serving network. The home network generates an authentication vector of a mobile security protocol. The authentication vector includes an indication that the user equipment is to be authenticated using a multi-factor authentication process. The home network provides the authentication vector to the serving network to prompt a response from the user equipment that is in accordance with the multi-factor authentication process. The home network authenticates the user equipment to the serving network based on the response.
    Type: Application
    Filed: December 17, 2019
    Publication date: June 17, 2021
    Inventors: Prashanth Patil, Ram Mohan Ravindranath, Rajesh Indira Viswambharan
  • Patent number: 10999312
    Abstract: Systems and methods for handling software vulnerabilities in service meshes can include receiving information on software vulnerabilities from external feeds. From a services catalog which maintains data associated with service instances supported by a service mesh, one or more vulnerable service instances supported by the service mesh are identified. Notifications are provided to sidecar proxies associated with vulnerable service instances. The notifications include criteria such as criticality levels and categories associated with the software vulnerabilities. Based on destination policies for the vulnerable service instances, instructions are provided to the sidecar proxies to trip circuit breakers associated with the vulnerable service instances and thus prevent further access and cascading impact of the software vulnerabilities.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: May 4, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Rajesh Indira Viswambharan, Prashanth Patil, Ram Mohan Ravindranath
  • Publication number: 20210119974
    Abstract: Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.
    Type: Application
    Filed: December 9, 2020
    Publication date: April 22, 2021
    Inventors: Jianxin Wang, Prashanth Patil, Flemming Andreasen, Nancy Cam-Winget, Hari Shankar
  • Patent number: 10949557
    Abstract: Disclosed herein is a distributed ledger method for a fifth-generation (5G) network. A network slice is created in the 5G network and a root block is generated in response, containing parameters of the network slice and contracts between participants in the network slice. A blockID of the root block is transmitted to identified participants in the network slice, who sequentially commit a plurality of new blocks to a blockchain beginning from the root block. The plurality of new blocks comprises auditing information of the network slice, wherein the information is collected by the participants in the network slice. The blockchain is stored in a blockchain network of a plurality of disparate blockchains. Desired auditing information for the network slice is retrieved by using the blockID of the root block to traverse the blockchain beginning at the root block until all blocks with the desired auditing information have been read.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: March 16, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Prashanth Patil, Ram Mohan Ravindranath, Nagendra Kumar Nainar, Carlos M. Pignataro
  • Publication number: 20210044678
    Abstract: In one embodiment, a domain name system (DNS) service receives a DNS request sent by a client for a particular destination. The DNS service determines that a connection between the client and the particular destination will not support use of the Quick User Datagram Protocol (UDP) Internet Connections (QUIC) protocol. The DNS service generates a DNS response to the DNS request that includes an indication that the connection between the client and the particular destination will not support use of the QUIC protocol within an Extension Mechanisms for DNS (EDNS) field of the DNS response. The DNS service sends the DNS response, to cause an intermediary between the client and the particular destination to explicitly reject a QUIC protocol connection attempted by the client with the particular destination.
    Type: Application
    Filed: August 9, 2019
    Publication date: February 11, 2021
    Inventors: Prashanth Patil, Rajesh Indira Viswambharan, Ram Mohan Ravindranath
  • Patent number: 10911409
    Abstract: Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.
    Type: Grant
    Filed: May 21, 2018
    Date of Patent: February 2, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Jianxin Wang, Prashanth Patil, Flemming Andreasen, Nancy Cam-Winget, Hari Shankar
  • Patent number: 10873480
    Abstract: A network node in a service function chaining system receives multiple media streams of a media session between endpoints. Each media stream is encapsulated with a service header indicating a service function path and a session identifier. The network node determines that multiple service functions connected to the network node perform a particular service function in the service function path. The network node provides all of the media streams of the media session to a single service function instance to ensure that the media session is processed by the single service function.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: December 22, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Gonzalo Salgueiro, Prashanth Patil, K. Tirumaleswar Reddy, Carlos M. Pignataro
  • Patent number: 10863333
    Abstract: Systems, methods, and computer-readable mediums for federating an enterprise and a SaaS provider across one or more network slices of a network service provider. A SaaS provided by a SaaS provider for provisioning to an enterprise can be recognized. One or more network slices within a network of a network service provider between the enterprise and the SaaS provider can be identified. The one or more network slices can be used to provision the SaaS to the enterprise. As follows, the SaaS provider can be federated with the enterprise across one or more network service providers, including the network service provider. Specifically, the SaaS provider can be federated with the enterprise by uniquely associating the one or more network slices provided by the network service provider with the SaaS provisioned by the SaaS provider to the enterprise.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: December 8, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Prashanth Patil, Ram Mohan Ravindranath
  • Publication number: 20200358802
    Abstract: Systems and methods for handling software vulnerabilities in service meshes can include receiving information on software vulnerabilities from external feeds. From a services catalog which maintains data associated with service instances supported by a service mesh, one or more vulnerable service instances supported by the service mesh are identified. Notifications are provided to sidecar proxies associated with vulnerable service instances. The notifications include criteria such as criticality levels and categories associated with the software vulnerabilities. Based on destination policies for the vulnerable service instances, instructions are provided to the sidecar proxies to trip circuit breakers associated with the vulnerable service instances and thus prevent further access and cascading impact of the software vulnerabilities.
    Type: Application
    Filed: May 8, 2019
    Publication date: November 12, 2020
    Inventors: Rajesh Indira Viswambharan, Prashanth Patil, Ram Mohan Ravindranath
  • Patent number: 10798067
    Abstract: In one implementation, a media stream is recorded using one or more keys. The one or more keys are also encrypted. The one or more encrypted keys may be stored with the encrypted media session at a cloud storage service. A network device receives a request to record a media stream and accesses at least one stream key for the media stream. The stream key is for encrypting the media stream. The network device encrypts the stream key with a master key. The encrypted stream key is stored in association with the encrypted media stream.
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: October 6, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Tirumaleswar Reddy, Daniel G. Wing, Prashanth Patil, Ram Mohan R.
  • Patent number: 10791485
    Abstract: A disclosed method is performed at a server (e.g., a content delivery network (CDN) server). The server receives from a QUIC client a first token, where the first token includes a first connection identifier that identifies a first path connecting the QUIC client to the server. The server validates the first token, including validating path properties associated with the first path extracted from the first token. The server further generates a second token associated with a second connection identifier that identifies a second path connecting the QUIC client to the server in accordance with a successful validation of the first token. Additionally, the server transmits the second token to the QUIC client.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: September 29, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Prashanth Patil, Ram Mohan Ravindranath
  • Patent number: 10785652
    Abstract: In one illustrative example, a network node may receive, from a user equipment (UE), a message indicating a token authorization request for access to a custom, enterprise private network slice of a 5G network. The message may include a token provided to the UE by an enterprise server of an enterprise private network of the enterprise. The network node may perform a token validation procedure and, based on a successful token validation, send a message for causing a provisioning of one or more rules in a forwarding entity of the 5G network, for causing enterprise user plane (UP) traffic of the UE to be forwarded to an anchor UPF of the private network slice. The enterprise UP traffic communication may be used for the remote control and/or monitoring of elements in a private 5G network of the enterprise.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: September 22, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Rammohan Ravindranath, Rajesh Indira Viswambharan, Prashanth Patil