Abstract: A system and method are provided for implementing a network component and verifying an update of the network component. The network component can be, e.g., a software-defined wide area network, a firewall, a router, or a load balancer. The network component can be an embedded network edge device that is implemented, e.g., in software, in circuitry, or using hardware acceleration (e.g., a data processing unit (DPU), a smart network interface card (SmartNIC), etc.). The updated version of the network component is verified by implementing it on a shadow dataplane concurrently with the current version operating on a primary dataplane, and comparing the performances of these two versions. Based on this comparison satisfying various verification criteria, the updated version passes a verification test and can be promoted to the primary dataplane.

Abstract: A system and method are provided for dynamically placing security controls in a network infrastructure. Input values representing the workload are ingested. A network component is placed in front of the workload to process/filter ingress traffic into the workload. The input values are analyzed to determine the asset criticality of the workload and to determine which vulnerabilities to which the workload is susceptible. Based on this analysis of the input values, compensating controls are selected to protect the workload from the determined vulnerabilities, and the network component is dynamically programed to perform these compensating controls on the ingress traffic. The network component is located directly in front of the workload, and it can be a data processing unit (DPU), a Berkley packet filter (BPF), and/or an extended BPF (eBPF) capability.

Abstract: A system and method are provided that use metadata encoded in a data flow to determine security actions to perform at a policy-enforcement point based on the security-chain context for the data flow that is provided by metadata (e.g., the security-chain context can include which security operations have been performed upstream on which data packets). The policy-enforcement point receives the data flow and the metadata, including attestations of the security operations that have previously (e.g., upstream) been applied to the data flow. Based on the attested to security operations, the policy-enforcement point selects what security actions to apply next to the data flow, e.g., additional security operations to apply, allow the data flow into a workload or trust zone, drop the workload, perform dynamic load balancing.

Abstract: A system and method are provided for implementing a network component, such as a software-defined wide area network, a firewall, a router, or a load balancer. The network component can be an embedded network edge device that is implemented, e.g., in software, in circuitry, or using hardware acceleration (e.g., a data processing unit (DPU), a smart network interface card (SmartNIC), etc.). The system can include multiple dataplanes, including a primary dataplane and a shadow dataplane. A packet dispatcher relays received data packets to a primary dataplane and the shadow dataplane. The primary dataplane applies a current version of the network component to data packets, and the secondary dataplane applies a new version of the network component to identical replicas of the data packets. A control plane agent compares performance data gathered from the respective dataplanes to perform verification testing on the new version of the network component.

Abstract: A system and method are provided for continuous integration, continuous deployment of a network component, such as a software-defined wide area network, a firewall, a router, or a load balancer. The software development lifecycle is achieved without interrupting the data flow of the network by using a multi-dataplane architecture, including a primary dataplane and a shadow dataplane. A packet dispatcher relays ingress data packets to the primary dataplane executing a current version of the network component and the shadow dataplane executing an upgrade to the network component. A control plane agent analyzes/compares the performances of the respective dataplanes for verification testing, and the control plane agent upgrades the network component to the new version upon passing the verification testing. The upgrades is achieved without interruption to the data flow of the network component by gradually transitioning to outputting egress data packets generated using the upgraded version.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks without having costly hardware upgrades or replacement of existing network equipment. An adaptive communication controller provides WAN performance and utilization measurements to another network node over multiple parallel communication paths across disparate asymmetric networks which vary in behavior frequently over time. An egress processor module receives communication path quality reports and tagged path packet data and generates accurate arrival times, send times, sequence numbers and unutilized byte counts for the tagged packets. A control module generates path quality reports describing performance of the multiple parallel communication paths based on the received information and generates heartbeat packets for transmission on the multiple parallel communication paths if no other tagged data has been received in a predetermined period of time to ensure performance is continually monitored.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks without having costly hardware upgrades or replacement of existing network equipment. An adaptive communication controller provides WAN performance and utilization measurements to another network node over multiple parallel communication paths across disparate asymmetric networks which vary in behavior frequently over time. An egress processor module receives communication path quality reports and tagged path packet data and generates accurate arrival times, send times, sequence numbers and unutilized byte counts for the tagged packets. A control module generates path quality reports describing performance of the multiple parallel communication paths based on the received information and generates heartbeat packets for transmission on the multiple parallel communication paths if no other tagged data has been received in a predetermined period of time to ensure performance is continually monitored.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks. Geographically diverse network control nodes (NCNs) are provided in an adaptive private network (APN) to provide backup NCN operations in the event of a failure. A primary NCN node in a first geographic location is operated according to a primary state machine at an NCN active state. A client node is operated according to a client state machine. A secondary NCN node in a second geographic location that is geographically remote from the first geographic location is operated according to a secondary state machine at a standby state. The three state machines operating parallel and upon detecting a change in APN state information, the secondary state machine transitions from the standby state to a secondary active NCN state and the secondary NCN node provides APN timing calibration and control to the client node.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks without having costly hardware upgrades or replacement of existing network equipment. An adaptive communication controller provides WAN performance and utilization measurements to another network node over multiple parallel communication paths across disparate asymmetric networks which vary in behavior frequently over time. An egress processor module receives communication path quality reports and tagged path packet data and generates accurate arrival times, send times, sequence numbers and unutilized byte counts for the tagged packets. A control module generates path quality reports describing performance of the multiple parallel communication paths based on the received information and generates heartbeat packets for transmission on the multiple parallel communication paths if no other tagged data has been received in a predetermined period of time to ensure performance is continually monitored.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks without having costly hardware upgrades or replacement of existing network equipment. An adaptive communication controller provides WAN performance and utilization measurements to another network node over multiple parallel communication paths across disparate asymmetric networks which vary in behavior frequently over time. An egress processor module receives communication path quality reports and tagged path packet data and generates accurate arrival times, send times, sequence numbers and unutilized byte counts for the tagged packets. A control module generates path quality reports describing performance of the multiple parallel communication paths based on the received information and generates heartbeat packets for transmission on the multiple parallel communication paths if no other tagged data has been received in a predetermined period of time to ensure performance is continually monitored.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks. Geographically diverse network control nodes (NCNs) are provided in an adaptive private network (APN) to provide backup NCN operations in the event of a failure. A primary NCN node in a first geographic location is operated according to a primary state machine at an NCN active state. A client node is operated according to a client state machine. A secondary NCN node in a second geographic location that is geographically remote from the first geographic location is operated according to a secondary state machine at a standby state. The three state machines operating parallel and upon detecting a change in APN state information, the secondary state machine transitions from the standby state to a secondary active NCN state and the secondary NCN node provides APN timing calibration and control to the client node.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks without having costly hardware upgrades or replacement of existing network equipment. An adaptive communication controller provides WAN performance and utilization measurements to another network node over multiple parallel communication paths across disparate asymmetric networks which vary in behavior frequently over time. An egress processor module receives communication path quality reports and tagged path packet data and generates accurate arrival times, send times, sequence numbers and unutilized byte counts for the tagged packets. A control module generates path quality reports describing performance of the multiple parallel communication paths based on the received information and generates heartbeat packets for transmission on the multiple parallel communication paths if no other tagged data has been received in a predetermined period of time to ensure performance is continually monitored.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks. Geographically diverse network control nodes (NCNs) are provided in an adaptive private network (APN) to provide backup NCN operations in the event of a failure. A primary NCN node in a first geographic location is operated according to a primary state machine at an NCN active state. A client node is operated according to a client state machine. A secondary NCN node in a second geographic location that is geographically remote from the first geographic location is operated according to a secondary state machine at a standby state. The three state machines operating parallel and upon detecting a change in APN state information, the secondary state machine transitions from the standby state to a secondary active NCN state and the secondary NCN node provides APN timing calibration and control to the client node.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks without having costly hardware upgrades or replacement of existing network equipment. An adaptive communication controller provides WAN performance and utilization measurements to another network node over multiple parallel communication paths across disparate asymmetric networks which vary in behavior frequently over time. An egress processor module receives communication path quality reports and tagged path packet data and generates accurate arrival times, send times, sequence numbers and unutilized byte counts for the tagged packets. A control module generates path quality reports describing performance of the multiple parallel communication paths based on the received information and generates heartbeat packets for transmission on the multiple parallel communication paths if no other tagged data has been received in a predetermined period of time to ensure performance is continually monitored.

Abstract: Systems and techniques are described which improve performance, reliability, and predictability of networks. Geographically diverse network control nodes (NCNs) are provided in an adaptive private network (APN) to provide backup NCN operations in the event of a failure. A primary NCN node in a first geographic location is operated according to a primary state machine at an NCN active state. A client node is operated according to a client state machine. A secondary NCN node in a second geographic location that is geographically remote from the first geographic location is operated according to a secondary state machine at a standby state. The three state machines operating parallel and upon detecting a change in APN state information, the secondary state machine transitions from the standby state to a secondary active NCN state and the secondary NCN node provides APN timing calibration and control to the client node.