Abstract: A network device may receive a first data packet. The network device may determine that a level of available computing resources satisfies a threshold level. The network device may perform a secure socket layer (SSL) proxy function based on the level of available computing resources satisfying the threshold level. The network device may receive a second data packet. The network device may determine that the level of available computing resources fails to satisfy the threshold level. The network device may determine a security characteristic associated with the second data packet. The network device may determine a security rating associated with the second data packet based on the security characteristic. The network device may selectively perform the SSL proxy function based on the security rating.

Abstract: Techniques are disclosed for management of communication sessions of network traffic between client devices and the use of an up-to-date session state to enable seamless failovers between routers. One example technique may prepare each backup router to resume sessions of the active router in event of a failover and cause a redirection of the network traffic to complete the failover to a backup router. In a hot-switchover example, a network device known as a session controller synchronizes the session state information to backup router prior to failure and then, causes the network traffic to be redirected to backup router in response to the active router failure. In a warm-switchover example, the same session controller selects a backup router dynamically after detecting failure to active router, synchronizes session state information to backup router, and trigger routing updates, causing the network traffic to be redirected to the backup router.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A network device may receive a first data packet. The network device may determine that a level of available computing resources satisfies a threshold level. The network device may perform a secure socket layer (SSL) proxy function based on the level of available computing resources satisfying the threshold level. The network device may receive a second data packet. The network device may determine that the level of available computing resources fails to satisfy the threshold level. The network device may determine a security characteristic associated with the second data packet. The network device may determine a security rating associated with the second data packet based on the security characteristic. The network device may selectively perform the SSL proxy function based on the security rating.

Abstract: A network device may receive a first data packet. The network device may determine that a level of available computing resources satisfies a threshold level. The network device may perform a secure socket layer (SSL) proxy function based on the level of available computing resources satisfying the threshold level. The network device may receive a second data packet. The network device may determine that the level of available computing resources fails to satisfy the threshold level. The network device may determine a security characteristic associated with the second data packet. The network device may determine a security rating associated with the second data packet based on the security characteristic. The network device may selectively perform the SSL proxy function based on the security rating.

Abstract: A network device may receive, from a transmitting network device, a packet, wherein the packet includes a first outer internet protocol (IP) header, a Generic Routing Encapsulation (GRE) header, a second outer IP header, an Encapsulating Security Payload (ESP) header, and an inner packet, wherein the inner packet is encapsulated by the ESP header, the ESP header is encapsulated by the second outer IP header, the second outer IP header is encapsulated by the GRE header, and the GRE header is encapsulated by the first outer IP header. The network device may decapsulate the packet to remove the first outer IP header and the GRE header from the packet. The network device may decrypt, after decapsulating the packet, the packet to identify the inner packet. The network device may cause one or more actions associated with the inner packet to be performed.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A network device may receive a first data packet. The network device may determine that a level of available computing resources satisfies a threshold level. The network device may perform a secure socket layer (SSL) proxy function based on the level of available computing resources satisfying the threshold level. The network device may receive a second data packet. The network device may determine that the level of available computing resources fails to satisfy the threshold level. The network device may determine a security characteristic associated with the second data packet. The network device may determine a security rating associated with the second data packet based on the security characteristic. The network device may selectively perform the SSL proxy function based on the security rating.

Abstract: A network device may receive, from a transmitting network device, a packet, wherein the packet includes a first outer internet protocol (IP) header, a Generic Routing Encapsulation (GRE) header, a second outer IP header, an Encapsulating Security Payload (ESP) header, and an inner packet, wherein the inner packet is encapsulated by the ESP header, the ESP header is encapsulated by the second outer IP header, the second outer IP header is encapsulated by the GRE header, and the GRE header is encapsulated by the first outer IP header. The network device may decapsulate the packet to remove the first outer IP header and the GRE header from the packet. The network device may decrypt, after decapsulating the packet, the packet to identify the inner packet. The network device may cause one or more actions associated with the inner packet to be performed.

Abstract: An example gateway device determines that a first policy, applicable to a subscriber device when the subscriber device is coupled to a first access network, indicates that packets from the subscriber device are to be sent to a service device, and forwards a first set of packets from the subscriber device to the service device while the subscriber device is coupled to the first access network. After determining that the subscriber device has become coupled to a second access network of the plurality of access networks, the gateway device determines that a second policy, for the subscriber device when the subscriber device is coupled to the second access network, does not indicate that packets should be sent to the service device, but nevertheless forwards a second set of packets from the subscriber device to the service device while the subscriber device is coupled to the second access network.

Abstract: In some examples, techniques are directed to applying one or more corrective actions that cause the network device to bypass the failed service node of the service chain. In some examples, method includes determining that a failure has occurred at a service node included in a plurality of service nodes, the plurality of service nodes configured to apply one or more stateful services of a primary service chain to packet flows from a plurality of subscriber devices; in response to determining that the failure has occurred, configuring forwarding state of the network device to process the packet flows from the plurality of subscriber devices based on a corrective action that bypasses the service node of the primary service chain; and in response to receiving a subscriber packet in the packet flows, processing the packet flows from the plurality of subscriber devices based on the corrective action.

Abstract: In general, techniques are described for managing group policies in a network. In some examples, a policy enforcement device comprising a plurality of service planes, each having one or more processors operably coupled to a memory, receives a policy enforcement request that includes data identifying a subscriber from a policy control server for a network. The plurality of service planes are further configured to assign, in response to determining that the subscriber is a member of a subscriber group that includes a plurality of subscribers, the subscriber to a selected service plane of the plurality of service planes. The selected service plane applies a group policy for the subscriber group to subscriber data traffic associated with the subscriber.

Abstract: An example gateway device determines that a first policy, applicable to a subscriber device when the subscriber device is coupled to a first access network, indicates that packets from the subscriber device are to be sent to a service device, and forwards a first set of packets from the subscriber device to the service device while the subscriber device is coupled to the first access network. After determining that the subscriber device has become coupled to a second access network of the plurality of access networks, the gateway device determines that a second policy, for the subscriber device when the subscriber device is coupled to the second access network, does not indicate that packets should be sent to the service device, but nevertheless forwards a second set of packets from the subscriber device to the service device while the subscriber device is coupled to the second access network.