Patents by Inventor Srihari Raghavan
Srihari Raghavan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250112921
Abstract: Techniques and architecture are described for providing a configurable security posture for a network device using an extended ownership artifact, e.g., an ownership voucher, an ownership certificate, etc., and a security profile mechanism that scales to user needs and desires for security profiles on network devices, i.e., easily and securely customizable on thousands of nodes of a network. The configurable security posture may be achieved using the manufacturer authorized signing authority (MASA) to issue an ownership voucher with a security bit extension to support security profile additions. Using the MASA service, a user may explicitly decide on various security postures of a given network device and may apply that profile across the fixed or modular chassis of a network of network devices.
Type: Application
Filed: December 12, 2024
Publication date: April 3, 2025
Inventors: Jabir Hamediya Mohammed, Reda Haddad, Srihari Raghavan, Sandesh K. Rao
-
Patent number: 12206664
Abstract: Techniques and architecture are described for providing a configurable security posture for a network device using an extended ownership artifact, e.g., an ownership voucher, an ownership certificate, etc., and a security profile mechanism that scales to user needs and desires for security profiles on network devices, i.e., easily and securely customizable on thousands of nodes of a network. The configurable security posture may be achieved using the manufacturer authorized signing authority (MASA) to issue an ownership voucher with a security bit extension to support security profile additions. Using the MASA service, a user may explicitly decide on various security postures of a given network device and may apply that profile across the fixed or modular chassis of a network of network devices.
Type: Grant
Filed: May 16, 2022
Date of Patent: January 21, 2025
Assignee: Cisco Technology, Inc.
Inventors: Jabir Hamediya Mohammed, Reda Haddad, Srihari Raghavan, Sandesh K. Rao
-
Patent number: 12067402
Abstract: Techniques and architecture are described for validating and verifying iPXE scripts prior to execution during a booting process. During the booting process of a network device, right after the UEFI/BIOS stage of the booting process, a trusted iPXE script may make a request to a network server for the ownership voucher and owner certificate of the network device. The ownership voucher and owner certificate may then be stored in a trusted platform module (TPM) on the network device. In configurations, the retrieved owner certificate may be validated by the ownership voucher. The owner certificate may be used to validate iPXE scripts. Once validated, the iPXE scripts may be executed and the booting process may be continued to the kernel loading step and the application loading step. During a subsequent booting process of the network device, the ownership voucher and owner certificate may be retrieved from the TPM.
Type: Grant
Filed: September 13, 2022
Date of Patent: August 20, 2024
Assignee: Cisco Technology, Inc.
Inventors: Reda Haddad, Martin Edward Ramsdale, Srihari Raghavan, Jabir Hamediya Mohammed, Sandesh K. Rao
-
Publication number: 20240086205
Abstract: Techniques and architecture are described for validating and verifying iPXE scripts prior to execution during a booting process. During the booting process of a network device, right after the UEFI/BIOS stage of the booting process, a trusted iPXE script may make a request to a network server for the ownership voucher and owner certificate of the network device. The ownership voucher and owner certificate may then be stored in a trusted platform module (TPM) on the network device. In configurations, the retrieved owner certificate may be validated by the ownership voucher. The owner certificate may be used to validate iPXE scripts. Once validated, the iPXE scripts may be executed and the booting process may be continued to the kernel loading step and the application loading step. During a subsequent booting process of the network device, the ownership voucher and owner certificate may be retrieved from the TPM.
Type: Application
Filed: September 13, 2022
Publication date: March 14, 2024
Inventors: Reda Haddad, Martin Edward Ramsdale, Srihari Raghavan, Jabir Hamediya Mohammed, Sandesh K. Rao
-
Patent number: 11862832
Abstract: A modular fuel cell subsystem includes multiple rows of modules, where each row comprises a plurality of fuel cell power modules and a power conditioning module containing a DC to AC inverter electrically connected the power modules. In some embodiments, a single gas and water distribution module is fluidly connected to multiple rows of power modules, and a single mini power distribution module is electrically connected to each of the power conditioning module in each row of modules. In some embodiments, each row of modules further includes a fuel processing module located on an opposite side of the plurality of fuel cell power modules from the power conditioning module. Fuel and water connections may enter each row from the side of the row containing the fuel processing module, and electrical connections may enter each row from the side of the row containing the power conditioning module.
Type: Grant
Filed: July 28, 2022
Date of Patent: January 2, 2024
Assignee: BLOOM ENERGY CORPORATION
Inventors: Srihari Raghavan, David Trevisan, Richard Leitch, Armando Gomez, Aaron Ells, Jessica Mahler
-
Publication number: 20230394493
Abstract: In one embodiment, methods for mediated transfer of ownership are described. The method may include receiving a request for an ownership voucher from a device, validating an identifier of the device, determining whether to issue the ownership voucher, generating a signed ownership voucher, and sending the signed ownership voucher to the device. In another embodiment, methods for unmediated transfer of ownership are described, including receiving, an ownership voucher associated with a first ownership certificate, determining whether the ownership voucher comprises a signature associated with a manufacturer, based at least in part on determining that the signature of the manufacturer is absent, determining that a second ownership certificate is stored in memory, determining that the second ownership certificate comprises a signature associated with a user, validating the ownership voucher; and based at least in part on the validating, enrolling the first ownership certificate on the network device.
Type: Application
Filed: June 2, 2022
Publication date: December 7, 2023
Inventors: Sandesh K. Rao, Reda Haddad, Srihari Raghavan, Jabir Hamediya Mohammed
-
Publication number: 20230370454
Abstract: Techniques and architecture are described for providing a configurable security posture for a network device using an extended ownership artifact, e.g., an ownership voucher, an ownership certificate, etc., and a security profile mechanism that scales to user needs and desires for security profiles on network devices, i.e., easily and securely customizable on thousands of nodes of a network. The configurable security posture may be achieved using the manufacturer authorized signing authority (MASA) to issue an ownership voucher with a security bit extension to support security profile additions. Using the MASA service, a user may explicitly decide on various security postures of a given network device and may apply that profile across the fixed or modular chassis of a network of network devices.
Type: Application
Filed: May 16, 2022
Publication date: November 16, 2023
Inventors: Jabir Hamediya Mohammed, Reda Haddad, Srihari Raghavan, Sandesh K. Rao
-
Publication number: 20230037162
Abstract: A modular fuel cell subsystem includes multiple rows of modules, where each row comprises a plurality of fuel cell power modules and a power conditioning module containing a DC to AC inverter electrically connected the power modules. In some embodiments, a single gas and water distribution module is fluidly connected to multiple rows of power modules, and a single mini power distribution module is electrically connected to each of the power conditioning module in each row of modules. In some embodiments, each row of modules further includes a fuel processing module located on an opposite side of the plurality of fuel cell power modules from the power conditioning module. Fuel and water connections may enter each row from the side of the row containing the fuel processing module, and electrical connections may enter each row from the side of the row containing the power conditioning module.
Type: Application
Filed: July 28, 2022
Publication date: February 2, 2023
Inventors: Srihari Raghavan, David Trevisan, Richard Leitch, Armando Gomez, Aaron Ells, Jessica Mahler
-
Patent number: 11245484
Abstract: Systems, methods, and computer-readable media for authenticating time sources using attestation-based techniques include receiving, at a destination device, a time reference signal from a source device, the source and destination devices being network devices. The time reference signal can include a time synchronization signal or a time distribution signal. The destination device can obtain attestation information from one or more fields of the time reference signal and determine whether the source device is authentic and trustworthy based on the attestation information. The destination device can also determine reliability or freshness of the time reference signal based on the attestation information. The time reference signal can be based on a Network Time Protocol (NTP), a Precision Time Protocol (NTP), or other protocol.
Type: Grant
Filed: February 14, 2020
Date of Patent: February 8, 2022
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Shwetha Subray Bhandari, Frank Brockners, Srihari Raghavan
-
Publication number: 20200322075
Abstract: Systems, methods, and computer-readable media for authenticating time sources using attestation-based techniques include receiving, at a destination device, a time reference signal from a source device, the source and destination devices being network devices. The time reference signal can include a time synchronization signal or a time distribution signal. The destination device can obtain attestation information from one or more fields of the time reference signal and determine whether the source device is authentic and trustworthy based on the attestation information. The destination device can also determine reliability or freshness of the time reference signal based on the attestation information. The time reference signal can be based on a Network Time Protocol (NTP), a Precision Time Protocol (NTP), or other protocol.
Type: Application
Filed: February 14, 2020
Publication date: October 8, 2020
Inventors: Shwetha Subray Bhandari, Frank Brockners, Srihari Raghavan
-
Patent number: 10069708
Abstract: In one embodiment, a method includes assigning a discriminator to a target in communication with a reflector at a network device, identifying at the reflector, a packet comprising the discriminator, the packet transmitted from an initiator in a seamless bidirectional forwarding detection (S-BFD) session, and transmitting a response packet from the reflector to the initiator. The response packet includes information for the target obtained by the reflector through monitoring of the target. The target may comprise a plurality of entities. An apparatus and logic are also disclosed herein.
Type: Grant
Filed: March 2, 2015
Date of Patent: September 4, 2018
Assignee: Cisco Technology, Inc.
Inventors: Srihari Raghavan, Nobushige Akiya, Carlos M. Pignataro, Mallik Mudigonda, Nagendra Kumar Nainar
-
Publication number: 20160261474
Abstract: In one embodiment, a method includes assigning a discriminator to a target in communication with a reflector at a network device, identifying at the reflector, a packet comprising the discriminator, the packet transmitted from an initiator in a seamless bidirectional forwarding detection (S-BFD) session, and transmitting a response packet from the reflector to the initiator. The response packet includes information for the target obtained by the reflector through monitoring of the target. The target may comprise a plurality of entities. An apparatus and logic are also disclosed herein.
Type: Application
Filed: March 2, 2015
Publication date: September 8, 2016
Applicant: CISCO TECHNOLOGY, INC.
Inventors: Srihari Raghavan, Nobushige Akiya, Carlos M. Pignataro, Mallik Mudigonda, Nagendra Kumar Nainar