Abstract: In accordance with various implementations, a method is performed at a multicast gateway node within an operator network, where the multicast gateway node includes one or more processors, non-transitory memory, an ingress interface, and one or more egress interfaces. The method includes determining a multicast identifier for a user device in response to obtaining a registration request associated with the user device. The method also includes generating a header for a multicast data stream based at least in part on the multicast identifier in response to obtaining a multicast flow join request. The method further includes populating a packet associated with the multicast data stream with the header. The method further includes forwarding the packet to the user device via a portion of the one or more egress interfaces, where the portion of the one or more egress interfaces is associated with the user device.

Abstract: In one embodiment, a first optical network device includes a controller, and a first network interface, wherein the first network interface is configured to exchange data with a first layer 3 network device, and the controller is configured to obtain at least one optical circuit attribute including an optical circuit distance and/or an optical circuit latency of a first optical circuit in an optical network, and provide the at least one optical circuit attribute to the first layer 3 network device. Related apparatus and methods are also described.

Abstract: In one embodiment, a device in a network receives in-situ operations administration and management (iOAM) data regarding a plurality of traffic flows in the network. The iOAM data comprises entropy values for the plurality of traffic flows. The device receives network topology information indicative of network paths available in the network. The device generates a machine learning-based entropy topology model for the network based on the received iOAM data and the received network topology information. The entropy topology model maps path selection predictions for the network paths with entropy values. The device uses the entropy topology model to cause a particular traffic flow to use a particular network path.

Abstract: An interface mapping method includes obtaining, at a network controller, device information of network devices configured to be in communication with each other through an optical network. The network devices include a plurality of colored interfaces that support a range of wavelengths for communication in the optical network. Interface information of the colored interfaces of the network devices is obtained, and optical power information associated with each of the colored interfaces is obtained. Optical power margins for a transmitter interface of the colored interfaces. The transmitter interface is controlled to transmit a power sequence based on the optical power margins, and power readings are obtained from a receiver interface of the colored interfaces. A topology between the colored interfaces is discovered based on the power sequence and the power readings.

Abstract: In some aspects, a method of the technology can include steps for sending a packet along a service function chain (SFC) to an egress node, the SFC comprising a plurality of service function forwarders (SFFs), wherein each SFF is associated with at least one service function (SF), and receiving the packet at a first SFF in the SFC, wherein the first SFF is associated with a first SF. In some aspects, the first SFF can also be configured to perform operations including: reading an option flag of the packet, and determining whether to forward the packet to the first based on the option flag. Systems and machine-readable media are also provided.

Abstract: Systems, methods, and computer-readable media for improving the reliability of service function (SF) application in a service function chain (SFC) are provided. In some aspects, the subject technology facilitates automatic service function type validation by a service function forwarder (SFF), for example, by using a probe configured to query a function type of a SF module associated with the validating SFF.

Abstract: A method is provided in one example embodiment and may include receiving a packet by a forwarder in an Information-Centric Networking (ICN) network; determining Bit Index Explicit Replication (BIER) information associated with the packet; and forwarding the packet based, at least in part, on the BIER information associated with the packet. The packet can be an interest packet or a data packet received by the forwarder in the ICN network.

Abstract: In an embodiment, a computer implemented method comprises at an internetworking device that is logically located in an edge position with respect to an internet protocol network and a plurality of industrial devices, receiving packet and frame data from a first computing device that is associated with an industrial system and communicates using a device-level Ethernet data communication protocol that does not define a management layer; at the internetworking device, generating an Operations, Administration, Management (OAM) header using, at least in part, the packet and frame data, wherein the OAM header comprises a device identifier, a data type, and a variable; encapsulating the packet and frame data with the OAM header to generate encapsulated packet and frame data; storing the encapsulated packet and frame data in a database; sending the encapsulated packet and frame data to a second internetworking device that is associated with the industrial system and communicates using the device-level Ethernet data

Abstract: In one embodiment, a system includes a first host computer including a host interface configured to receive traffic from a domain ingress node of a first domain, and processing machinery configured to instantiate worker nodes, instantiate a master node and a security gateway agent on the master node, instantiate a plurality of security clients on the worker nodes, wherein each worker node includes at least one security client, wherein each security client is configured to monitor at least part of the traffic being forwarded in the one worker node for malicious traffic, and report a first data item about the malicious traffic to the security gateway agent, and wherein the security gateway agent is configured to forward a second data item about the malicious traffic to a security server to determine at least one security policy to mitigate the malicious traffic, and to be enforced by a node.

Abstract: In some aspects, a method of the technology can include steps for sending a packet along a service function chain (SFC) to an egress node, the SFC comprising a plurality of service function forwarders (SFFs), wherein each SFF is associated with at least one service function (SF), and receiving the packet at a first SFF in the SFC, wherein the first SFF is associated with a first SF. In some aspects, the first SFF can also be configured to perform operations including: reading an option flag of the packet, and determining whether to forward the packet to the first based on the option flag. Systems and machine-readable media are also provided.

Abstract: A method is provided to generate a network risk heatmap. The method includes obtaining first data related to technical support and operations issues of a network that includes a plurality of network elements and second data related to updates and configurations of the network. The method involves analyzing the first data and the second to generate a device risk heatmap rule that determines a level of predictive failure risk as a function of network telemetry data indicative of real-time operations of the network. The method further includes applying the device risk heatmap rule to network telemetry data collected from the network to create a network heatmap representing a level of predictive failure risk for the plurality of network elements in the network. The method then includes instantiating a path or tunnel in the network based on the network heatmap.

Abstract: A system and method predict risks of failure or performance issues in a network to predictively position traffic flows in the network. For a traffic flow through a network, first data accumulated in a header of packets for the traffic flow is obtained, which header is populated by network elements along a path of the traffic flow through the network. Second data is obtained about the network in general including other network elements not along the path of the traffic flow. Machine learning analysis is performed to derive rules that characterize failure or performance risk issues in the network. The rules and topology data describing a topology of the network are applied to a model to create a topological graphical representation indicating failure or performance issues in the network that affect the traffic flow. A path for the traffic flow is modified based on the topological graphical representation.

Abstract: In one embodiment, a device in a network monitors Ethernet virtual private network (EVPN) traffic in the network for a plurality of media access control (MAC) addresses. The device generates a machine learning-based traffic model for the MAC addresses based on the monitored EVPN traffic. The device determines a timeout for a particular one of the MAC addresses based on traffic predicted by the machine learning-based traffic model for the particular MAC address. The device causes the particular MAC address to be timed out from one or more forwarding tables in the network based on the determined timeout.

Abstract: Systems, methods, and computer-readable media are disclosed for use of an overlay network termination endpoint as a proxy to collect telemetry data for micro-services or specific applications provided by containers in overlay data centers. In one aspect of the present disclosure, a method includes receiving, at a controller, a probe for flow statistics associated with a service path, the probe including corresponding flow identification information, extracting the corresponding flow identification information from the probe, obtaining the flow statistics from an agent based on the flow identification information, the agent being configured to manage a plurality of containers, generating a response packet including the flow statistics obtained from the agent and sending the response packet to an initiator from which the query is received.

Abstract: In accordance with various implementations, a method is performed at a multicast gateway node within an operator network, where the multicast gateway node includes one or more processors, non-transitory memory, an ingress interface, and one or more egress interfaces. The method includes determining a multicast identifier for a user device in response to obtaining a registration request associated with the user device. The method also includes generating a header for a multicast data stream based at least in part on the multicast identifier in response to obtaining a multicast flow join request. The method further includes populating a packet associated with the multicast data stream with the header. The method further includes forwarding the packet to the user device via a portion of the one or more egress interfaces, where the portion of the one or more egress interfaces is associated with the user device.

Abstract: Systems, methods, and computer-readable media are disclosed for using real time network traffic for validating policy configuration(s) of containers, virtual machines, bare-metals, etc. In one aspect of the present disclosure a method includes receiving, at a controller, an incoming data packet destined for one or more containers; replicating, at the controller, the incoming data packet for validating at least one non-production container to yield a replicated data packet; sending the replicated data packet to the at least one non-production container; and dropping any data packet received from the at least one non-production container at a corresponding incoming port of the controller.

Abstract: Systems, methods, and computer-readable media for improving the reliability of service function (SF) application in a service function chain (SFC) are provided. In some aspects, the subject technology facilitates automatic service function type validation by a service function forwarder (SFF), for example, by using a probe configured query a function type of a SF module associated with the validating SFF.

Abstract: A process executing on a network connected device provides distinct Internet Protocol addresses to a plurality of workload applications. The process determines that a first of the plurality of workload applications will not be providing in-situ Operations, Administration and Management (iOAM) data in packets processed by the first of the plurality of workload applications. The process receives a packet processed by the first of the plurality of workload applications. The process inserts iOAM data for the first of the plurality of workload applications into the packet.

Abstract: In one embodiment, a device in a network receives a packet that includes one or more forwarding labels and a service function chaining (SFC) header. The device removes the one or more forwarding labels from the packet. The device inserts an indication of the one or more forwarding labels into metadata of the SFC header. The device forwards the packet with the inserted indication of the one or more forwarding labels to a service function.

Abstract: Techniques for use in generating a dynamically-changing IoT device identity with robust blockchain validation are provided. When entering a communication network, an IoT device performs a procedure for registration. The procedure includes communicating, in a transaction, data associated with the IoT device to a network device (e.g. a fog router). The data includes, amongst other data items, an identity for addressing communications to and from the IoT device. A transaction number associated with the transaction is received based on a blockchain registration of the transaction. An updated identity of the IoT device is then derived based on the transaction number. In one example, the updated identity of the IoT device may be derived by combining a static address of the IoT device and the transaction number. The steps may be repeated by the device for each one of a plurality of network registrations.