Abstract: Techniques for provisioning multicast chains in a cloud-based environment are described herein. In an embodiment, an orchestration system sends a particular model of a distributed computer program application comprising one or more sources, destinations, and virtualized appliances for initiation by one or more host computers to a software-defined networking (SDN) controller. The SDN controller determines one or more locations for the virtualized appliances and generates a particular updated model of the distributed computer program application, the updated model comprising the one or more locations for the virtualized appliances. The SDN controller sends the updated model of the distributed computer program application to the orchestration system.

Abstract: A method is provided in one example embodiment and may include determining at a parent content node that a plurality of recipient content nodes are to receive a same content; generating, based on a determination that the same content is available at the parent content node, a multi-delivery header comprising a plurality of identifiers, wherein each identifier of the plurality of identifiers indicates each recipient content node that is to receive the same content; appending the multi-delivery header to one or more packets of an Internet Protocol (IP) flow associated with the same content; and transmitting packets for the IP flow to each of the plurality of the recipient content nodes.

Abstract: An example method is provided in one example embodiment and may include configuring a measurement indication for a packet; forwarding the packet through a service chain comprising one or more service functions; recording measurement information for the packet as it is forwarded through the service chain; and managing capacity for the service chain based, at least in part, on the measurement information. In some cases, the method can include determining end-to-end measurement information for the service chain using the recorded measurement information. In some cases, managing capacity for the service chain can further include identifying a particular service function as a bottleneck service function for the service chain; and increasing capacity for the bottleneck service. In various instances, increasing capacity for the bottleneck service can include at least one of: instantiating additional instances of the bottleneck service; and instantiating additional instances of the service chain.

Abstract: In one embodiment, a method comprises: receiving, by a requestor device in a data network, authentication request parameters for generating a secured request for a data object, the authentication request parameters comprising a shared encryption key and a prescribed update time interval value; generating, by the requestor device, the secured request based on generating a reduced-resolution time value by dividing a current device timestamp value of the requestor device by the prescribed update time interval value, and encrypting the reduced-resolution time value using the shared encryption key; and outputting, by the requestor device, the secured request specifying an object name identifying the data object and the encrypted reduced-resolution time value, enabling a content supplier device to authenticate the secured request based on determining whether the reduced-resolution time value, multiplied by the prescribed update time interval, substantially matches a corresponding timestamp value of the content supp

Abstract: Aspects of the embodiments are directed to systems, methods, and computer program products embodied at a server managing a resource for providing access to a resource in a distributed network. Embodiments include receiving a request from a client for access to a resource, the request comprising a named capability identifying the resource and identifying a server managing the resource; determining, from the named capability, whether the client is authorized to access the resource identified by the named capability; and granting access to the resource named by the named capability based on the named capability received with the request.

Abstract: In one embodiment, secure service chaining can be implemented efficiently for content delivery systems. An orchestrator can determine a service chain for processing a request from a client for content. The orchestrator can determine a capability identifying nodes of the service chain. The orchestrator can then transmit, to the client, a redirect message having the capability, wherein the redirect message redirects the request to a first node of the service chain. The nodes of the service chain can verify the capability and carry out the service chain. Service functions can be applied to the traffic flow associated with delivering the content to the user.

Abstract: A method is provided in one example embodiment and may include receiving, by a mobility management frontend, an attach request for a user equipment (UE) to attach the UE to a core network slice type for a mobile core Software Defined Network (SDN) infrastructure, wherein a plurality of core network slice types are available for the mobile core SDN infrastructure to receive traffic from a plurality of UEs; determining a particular core network slice type within the mobile core SDN infrastructure to serve the UE based on subscriber information associated with the UE; selecting a particular slice instance of the particular core network slice type to receive traffic for the UE; and forwarding traffic for the UE between a Radio Access Network (RAN) and the particular slice instance by the mobility management frontend.

Abstract: Particular embodiments described herein provide for a communication system that can be configured for receiving, at a network element, a flow offload decision for a first service node. The flow offload decision can include a portion of a service chain for processing a flow and updating next hop flow based routing information for the flow. A next hop in the flow can insert flow specific route information in its routing tables to bypass a packet forwarder serving the service that offloaded the flow in the reverse direction.

Abstract: A method is provided in one example embodiment and may include determining at a parent content node that a plurality of recipient content nodes are to receive a same content; generating, based on a determination that the same content is available at the parent content node, a multi-delivery header comprising a plurality of identifiers, wherein each identifier of the plurality of identifiers indicates each recipient content node that is to receive the same content; appending the multi-delivery header to one or more packets of an Internet Protocol (IP) flow associated with the same content; and transmitting packets for the IP flow to each of the plurality of the recipient content nodes.

Abstract: In one embodiment, a method comprises: receiving, by a requestor device in a data network, authentication request parameters for generating a secured request for a data object, the authentication request parameters comprising a shared encryption key and a prescribed update time interval value; generating, by the requestor device, the secured request based on generating a reduced-resolution time value by dividing a current device timestamp value of the requestor device by the prescribed update time interval value, and encrypting the reduced-resolution time value using the shared encryption key; and outputting, by the requestor device, the secured request specifying an object name identifying the data object and the encrypted reduced-resolution time value, enabling a content supplier device to authenticate the secured request based on determining whether the reduced-resolution time value, multiplied by the prescribed update time interval, substantially matches a corresponding timestamp value of the content supp

Abstract: Aspects of the embodiments are directed to systems, methods, and computer program products embodied at a server managing a resource for providing access to a resource in a distributed network. Embodiments include receiving a request from a client for access to a resource, the request comprising a named capability identifying the resource and identifying a server managing the resource; determining, from the named capability, whether the client is authorized to access the resource identified by the named capability; and granting access to the resource named by the named capability based on the named capability received with the request.

Abstract: An example method is provided in one example embodiment and may include configuring a measurement indication for a packet; forwarding the packet through a service chain comprising one or more service functions; recording measurement information for the packet as it is forwarded through the service chain; and managing capacity for the service chain based, at least in part, on the measurement information. In some cases, the method can include determining end-to-end measurement information for the service chain using the recorded measurement information. In some cases, managing capacity for the service chain can further include identifying a particular service function as a bottleneck service function for the service chain; and increasing capacity for the bottleneck service. In various instances, increasing capacity for the bottleneck service can include at least one of: instantiating additional instances of the bottleneck service; and instantiating additional instances of the service chain.

Abstract: An example method is provided in one example embodiment and may include receiving traffic associated with at least one of a mobile network and a Gi-Local Area Network (Gi-LAN), wherein the traffic comprises one or more packets; determining a classification of the traffic to a service chain, wherein the service chain comprises one or more service functions associated at least one of one or more mobile network services and one or more Gi-LAN services; routing the traffic through the service chain; and routing the traffic to a network using one of a plurality of egress interfaces, wherein each egress interface of the plurality of egress interfaces is associated with at least one of the one or more mobile network services and the one or more Gi-LAN services.

Abstract: Particular embodiments described herein provide for a communication system that can be configured for receiving, at a network element, a flow offload decision for a first service node. The flow offload decision can include a portion of a service chain for processing a flow and updating next hop flow based routing information for the flow. A next hop in the flow can insert flow specific route information in its routing tables to bypass a packet forwarder serving the service that offloaded the flow in the reverse direction.

Abstract: A service-based networking capability is presented. The service-based networking capability replaces traditional networking connections between endpoints with service connections between endpoints. The service-based networking capability supports establishment and use of a service connection between endpoints, where the service connection between endpoints may be provided below the application layer and above the transport layer. The establishment and use of a service connection between endpoints may be provided using a connected services stack, which may include a connected services layer that is configured to operate below the application layer and above the transport layer.

Abstract: A service-based networking capability is presented. The service-based networking capability replaces traditional networking connections between endpoints with service connections between endpoints. The service-based networking capability supports establishment and use of a service connection between endpoints, where the service connection between endpoints may be provided below the application layer and above the transport layer. The establishment and use of a service connection between endpoints may be provided using a connected services stack, which may include a connected services layer that is configured to operate below the application layer and above the transport layer.

Abstract: Techniques are disclosed for in-line storage of message authentication codes with respective encrypted data blocks. In one aspect, a given data block is encrypted and a message authentication code is generated for the encrypted data block. A target address is determined for storage of the encrypted data block in a memory. The target address is then modified to permit in-line storage of the message authentication code with the encrypted data block in the memory, and the encrypted data block and the message authentication code are transferred to the memory for storage at the modified address. Illustrative embodiments of the techniques advantageously facilitate secure off-chip storage of data in a processing system.

Abstract: In a processing system comprising a processor and a plurality of peripherals coupled to the processor, access privileges of a secure operating mode of the processor are delegated to at least a given one of the peripherals. The given peripheral is configured to store, in a secure portion of that peripheral, state information indicative of the processor being in a secure operating mode. The given peripheral is further configured to utilize the stored state information to allow the given peripheral to access at least one resource that is accessible to the processor in the secure operating mode but is not otherwise accessible to the given peripheral. The processing system may comprise, for example, a system on a chip, wherein the processor and peripherals are combined into a single integrated circuit.

Abstract: Techniques are disclosed for in-line storage of message authentication codes with respective encrypted data blocks. In one aspect, a given data block is encrypted and a message authentication code is generated for the encrypted data block. A target address is determined for storage of the encrypted data block in a memory. The target address is then modified to permit in-line storage of the message authentication code with the encrypted data block in the memory, and the encrypted data block and the message authentication code are transferred to the memory for storage at the modified address. Illustrative embodiments of the techniques advantageously facilitate secure off-chip storage of data in a processing system.

Abstract: In a processing system comprising a processor and a plurality of peripherals coupled to the processor, access privileges of a secure operating mode of the processor are delegated to at least a given one of the peripherals. The given peripheral is configured to store, in a secure portion of that peripheral, state information indicative of the processor being in a secure operating mode. The given peripheral is further configured to utilize the stored state information to allow the given peripheral to access at least one resource that is accessible to the processor in the secure operating mode but is not otherwise accessible to the given peripheral. The processing system may comprise, for example, a system on a chip, wherein the processor and peripherals are combined into a single integrated circuit.