Abstract: Systems, methods, and computer-readable mediums for federating an enterprise and a SaaS provider across one or more network slices of a network service provider. A SaaS provided by a SaaS provider for provisioning to an enterprise can be recognized. One or more network slices within a network of a network service provider between the enterprise and the SaaS provider can be identified. The one or more network slices can be used to provision the SaaS to the enterprise. As follows, the SaaS provider can be federated with the enterprise across one or more network service providers, including the network service provider. Specifically, the SaaS provider can be federated with the enterprise by uniquely associating the one or more network slices provided by the network service provider with the SaaS provisioned by the SaaS provider to the enterprise.

Abstract: Systems and method handling software vulnerabilities in service meshes can include receiving information on software vulnerabilities from external feeds. From a services catalog which maintains data associated with service instances supported by a service mesh, one or more vulnerable service instances supported by the service mesh are identified. Notifications are provided to sidecar proxies associated with vulnerable service instances. The notifications include criteria such as criticality levels and categories associated with the software vulnerabilities. Based on destination policies for the vulnerable service instances, instructions are provided to the sidecar proxies to trip circuit breakers associated with the vulnerable service instances and thus prevent further access and cascading impact of the software vulnerabilities.

Abstract: A disclosed method is performed at a server (e.g., a content delivery network (CDN) server). The server receives from a QUIC client a first token, where the first token includes a first connection identifier that identifies a first path connecting the QUIC client to the server. The server validates the first token, including validating path properties associated with the first path extracted from the first token. The server further generates a second token associated with a second connection identifier that identifies a second path connecting the QUIC client to the server in accordance with a successful validation of the first token. Additionally, the server transmits the second token to the QUIC client.

Abstract: Systems and methods provide for validating a canary release of containers in a containerized production environment. A first container of the containerized production environment can receive network traffic. The first container can transmit the network traffic to a first version of a second container of the containerized production environment and to a traffic analysis engine. First metrics relating to processing by the first version of the second container can be captured. The traffic analysis engine can determine one or more traffic patterns included in the network traffic. The traffic analysis engine can cause simulated network traffic corresponding to the one or more traffic patterns to be transmitted to a second version (e.g., a canary release) of the containerized production environment. Second metrics relating to processing by the second version of the second container can be captured. A comparison between the first metrics and the second metrics can be presented.

Abstract: Systems, methods, computer-readable media, and devices are disclosed for verifying traffic classification. At a first node, a classification to a received packet is designated according to a local model. The classification of the packet by the first node is verified by sending packet information describing the packet to a distributed network comprising multiple nodes, where the packet information includes attributes of the packet. The classification of the packet is verified from receiving results from a second node that, based on the attributes, independently classifies the packet. Based on the verified classification, decentralized information for classifying packets is updated.

Abstract: Systems, methods, and computer-readable mediums for federating an enterprise and a SaaS provider across one or more network slices of a network service provider. A SaaS provided by a SaaS provider for provisioning to an enterprise can be recognized. One or more network slices within a network of a network service provider between the enterprise and the SaaS provider can be identified. The one or more network slices can be used to provision the SaaS to the enterprise. As follows, the SaaS provider can be federated with the enterprise across one or more network service providers, including the network service provider. Specifically, the SaaS provider can be federated with the enterprise by uniquely associating the one or more network slices provided by the network service provider with the SaaS provisioned by the SaaS provider to the enterprise.

Abstract: A disclosed method is performed at a server (e.g., a content delivery network (CDN) server). The server receives from a QUIC client a first token, where the first token includes a first connection identifier that identifies a first path connecting the QUIC client to the server. The server validates the first token, including validating path properties associated with the first path extracted from the first token. The server further generates a second token associated with a second connection identifier that identifies a second path connecting the QUIC client to the server in accordance with a successful validation of the first token. Additionally, the server transmits the second token to the QUIC client.

Abstract: Systems and methods provide for validating a canary release of containers in a containerized production environment. A first container of the containerized production environment can receive network traffic. The first container can transmit the network traffic to a first version of a second container of the containerized production environment and to a traffic analysis engine. First metrics relating to processing by the first version of the second container can be captured. The traffic analysis engine can determine one or more traffic patterns included in the network traffic. The traffic analysis engine can cause simulated network traffic corresponding to the one or more traffic patterns to be transmitted to a second version (e.g., a canary release) of the containerized production environment. Second metrics relating to processing by the second version of the second container can be captured. A comparison between the first metrics and the second metrics can be presented.

Abstract: Disclosed herein is a distributed ledger method for a fifth-generation (5G) network. A network slice is created in the 5G network and a root block is generated in response, containing parameters of the network slice and contracts between participants in the network slice. A blockID of the root block is transmitted to identified participants in the network slice, who sequentially commit a plurality of new blocks to a blockchain beginning from the root block. The plurality of new blocks comprises auditing information of the network slice, wherein the information is collected by the participants in the network slice. The blockchain is stored in a blockchain network of a plurality of disparate blockchains. Desired auditing information for the network slice is retrieved by using the blockID of the root block to traverse the blockchain beginning at the root block until all blocks with the desired auditing information have been read.

Abstract: A web conferencing operator can enable participants to share multimedia content in real-time despite one or more of the participants operating from behind a middlebox via network address translation (NAT) traversal protocols and tools, such as STUN, TURN, and/or ICE. In NAT traversal, participants share a transport addresses that the participants can use to establish a joint media session. However, connectivity checks during NAT traversal can expose a media distribution device hosted by the web conferencing operator to various vulnerabilities, such as distributed denial of service (DDoS) attacks. The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks at scale and without significant performance degradation by configuring the middlebox to validate incoming requests for the connectivity checks without persistent signaling between the web conference operator and the middlebox.

Abstract: In one embodiment, a method includes receiving content in a first format at a first interface at an adaptive bit rate client, playing the content received at the first interface at the adaptive bit rate client, monitoring network conditions at the first interface, receiving the content in a second format at a second interface at the adaptive bit rate client, and upon identifying a change in the network conditions at the first interface, switching from playing the content received on the first interface to playing the content received at the second interface at the adaptive bit rate client. An apparatus and logic are also disclosed herein.

Abstract: Modern day user applications leverages new communication technologies such as WebRTC, WebEx, and Jabber allow devices to connect and exchange media content including audio streams, video streams, and data stream/channels. The present disclosure describes mechanisms for a Port Control Protocol (PCP) server to provide feedback to PCP clients to enforce certain policies on the transport of such media content for a network. A policy may include a traffic handling policy for enforcing differentiated quality of service characteristics for different types of media streams. Another policy may include a security policy ensuring a data files being transmitted over a data channel from one endpoint travels to a security application via a relay element before the packets reaches another endpoint. The mechanisms are transparent to the endpoints, and advantageously preserve the user experience for these user applications.

Abstract: The disclosed technology addresses the need in the art for a detecting an unauthorized participant in a multiparty conferencing session. A system is configured to join a conferencing session, obtain a roster for the conferencing session via a Session Initiation Protocol (SIP) channel, and generate a roster hash value based on the roster. The system may further receive a reference hash value from a key management server and compare the reference hash value with the roster hash value. The system may determine that the roster is invalid when the reference hash value does not match the roster hash value.

Abstract: An example method is provided and includes receiving a relay address allocation request from an endpoint, the relay address allocation request comprises a unique session identifier that identifies a conference session joined by the endpoint for media streaming; determining a relay candidate comprising a relay transport address for allocating to each endpoint of the conference session having the unique session identifier. Further, the method includes mapping the relay candidate with the unique session identifier and sending a relay address allocation response that comprises at least the relay candidate mapped with the unique session identifier. The method further includes receiving a single copy of one or more media stream packets from the conference controller and relaying the one or more media stream packets via the relay transport address identified by the unique session identifier to each of the one or more endpoints in the session having the unique session identifier.

Abstract: A web conferencing operator can enable participants to share multimedia content in real-time despite one or more of the participants operating from behind a middlebox via network address translation (NAT) traversal protocols and tools, such as STUN, TURN, and/or ICE. In NAT traversal, participants share a transport addresses that the participants can use to establish a joint media session. However, connectivity checks during NAT traversal can expose a media distribution device hosted by the web conferencing operator to various vulnerabilities, such as distributed denial of service (DDoS) attacks. The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks at scale and without significant performance degradation by configuring the middlebox to validate incoming requests for the connectivity checks without persistent signaling between the web conference operator and the middlebox.

Abstract: An example method includes establishing a communication session between a first participant and a second participant, programming, via a control plane, a stream classifier which is to process packets associated with the communication session with classification logic. The method includes receiving a first packet at the stream classifier and, when the communication session requires recording, applying the classification logic at the stream classifier to route the first packet into a chosen service function path that includes a recording service function which reports media quality data to the control plane. Based on the media quality data, the classification logic is updated to cause a migration of the communication session to a new chosen service function path.

Abstract: Modern day user applications leverages new communication technologies such as WebRTC, WebEx, and Jabber allow devices to connect and exchange media content including audio streams, video streams, and data stream/channels. The present disclosure describes mechanisms for a Port Control Protocol (PCP) server to provide feedback to PCP clients to enforce certain policies on the transport of such media content for a network. A policy may include a traffic handling policy for enforcing differentiated quality of service characteristics for different types of media streams. Another policy may include a security policy ensuring a data files being transmitted over a data channel from one endpoint travels to a security application via a relay element before the packets reaches another endpoint. The mechanisms are transparent to the endpoints, and advantageously preserve the user experience for these user applications.

Abstract: A communication session is established between at least a first endpoint and a second endpoint, either or both of which is behind at least one network device in a network that performs network address translation. Candidate path information is obtained that indicates candidate paths in the network through which the communication session can traverse, taking into account, network address translation occurring in the network. The candidate path information is analyzed against training data and data about conditions observed on one or more candidate paths for the communication session with a machine learning-based interface selection process to produce path recommendation information indicating whether one or more candidate paths should or should not be used for the communication session between the first endpoint and the second endpoint. The path recommendation information is supplied to an endpoint in the communication session.

Abstract: A media distribution network device connects to an online collaborative session between a first participant network device, a second participant network device, and a security participant network device. The security participant network device is configured to decrypt packets of the online collaborative session to apply security polices to the packets. An encrypted packet is received at the media distribution network device. The encrypted packet is received from the first participant network device containing data to be distributed as part of the online collaborative session. The encrypted packet is distributed to the security participant network device prior to distributing the encrypted packet to the second participant network device.

Abstract: In one embodiment, a device in a network maintains a plurality of network paths for a media session. The device identifies a subset of data for the media session as requiring redundancy. The device sends a packet in the identified subset of data for the media session as redundant packets via two or more of the plurality of network paths for the media session. The device sends a particular packet outside of the identified subset of data for the media session non-redundantly via one of the plurality of network paths for the media session.