Patents by Inventor Sean D. Everson

Sean D. Everson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240422139
    Abstract: The invention may be a method of establishing one or more secure data channels between network devices, comprising, by a management system, configuring a first network device and a second network device to enable generation of a base key pair and exchanging the base key pair between the first network device and the second network device, generating a nonce corresponding to each of a plurality of policies, and distributing policies and corresponding nonces to the first and second network devices. The method may further comprise generating, by the management system, a unique key per policy of the plurality of policies, and distributing, by the management system, the unique key per policy of the plurality of policies to the first network device and the second network device. The method may further comprise configuring the first network device and the second network device to enable Internet Key Exchange, version 2 (IKEv2) protocol.
    Type: Application
    Filed: August 27, 2024
    Publication date: December 19, 2024
    Inventors: Sean D. Everson, Ganesh Murugesan
  • Patent number: 12113779
    Abstract: A method of establishing one or more secure channels between network devices comprises exchanging a base key pair between a first network device and a second network device, and for each of a plurality of policies, providing a nonce corresponding to that policy to the first and second devices. The method further comprises generating, for each of the plurality of policies, a session key that is a function of the base key pair and the policy nonce. The method comprises determining, at the first device, that a data packet matches a rule associated with a policy, encrypting the data with a session key that corresponds to the policy to produce an encrypted packet, and conveying the encrypted packet to the second device. The method further comprises, at the second device, determining that the encrypted packet matches the rule associated with the policy, and decrypting the encrypted packet with the session key.
    Type: Grant
    Filed: March 30, 2022
    Date of Patent: October 8, 2024
    Assignee: Certes Networks, Inc.
    Inventors: Sean D. Everson, Ganesh Murugesan
  • Publication number: 20240205144
    Abstract: A method of managing and deploying network resources, comprising employing a container management tool in a network that implements resources through one or more containers, and engaging a policy extension with the container management tool. The policy extension may be configured to define and enforce user intent in a forwarding plane of the network. The method may comprise using a declarative programming language to convey the intent of the user to the policy extension. The container management tool may be Kubernetes, and the policy extension may define policy as a Custom Resource Definition. The container may comprise a microservice packaged along with associated dependencies and configurations. The method may further comprise defining, by the user, (i) at least one network resource, (ii) at least one service, (iii) at least one policy, and (iv) delivering network data traffic to the at least one service according to the at least one policy.
    Type: Application
    Filed: December 12, 2023
    Publication date: June 20, 2024
    Inventors: Sean D. Everson, Benn Linger, Suryanathan Padmanabhan, Ganesh Murugesan
  • Publication number: 20220321545
    Abstract: A method of establishing one or more secure channels between network devices comprises exchanging a base key pair between a first network device and a second network device, and for each of a plurality of policies, providing a nonce corresponding to that policy to the first and second devices. The method further comprises generating, for each of the plurality of policies, a session key that is a function of the base key pair and the policy nonce. The method comprises determining, at the first device, that a data packet matches a rule associated with a policy, encrypting the data with a session key that corresponds to the policy to produce an encrypted packet, and conveying the encrypted packet to the second device. The method further comprises, at the second device, determining that the encrypted packet matches the rule associated with the policy, and decrypting the encrypted packet with the session key.
    Type: Application
    Filed: March 30, 2022
    Publication date: October 6, 2022
    Inventors: Sean D. Everson, Ganesh Murugesan