Abstract: In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including determining a path through a plurality of provider nodes within a provider network and determining that the path through the plurality of provider nodes within the provider network is secure. The operations also include receiving, from a customer node, a Resource Reservation Protocol (RSVP) path message comprising an attribute for a security request. The operations further include routing the RSVP path message along the path of the plurality of provider nodes.

Abstract: In one embodiment, methods, systems, and apparatus are described in which data to be used by a processor is stored in a memory. Network communications with a data center are enabled via a network interface. The processor maintains a reporting policy for reporting anomalous events to the data center, the reporting policy having at least one rule for determining a reporting action to be taken by the processor in response to an anomalous event. The processor further monitors the IoT device for a report of an occurrence of the anomalous event. The processor performs the reporting action according to the at least one rule, in response to the report of the occurrence of the anomalous event. An episodic update to the reporting policy from the data center may be received at the processor, which modifies the reporting policy in accordance with the update. Related methods, systems, and apparatus are also described.

Abstract: Techniques for provisioning multicast chains in a cloud-based environment are described herein. In an embodiment, an orchestration system sends a particular model of a distributed computer program application comprising one or more sources, destinations, and virtualized appliances for initiation by one or more host computers to a software-defined networking (SDN) controller. The SDN controller determines one or more locations for the virtualized appliances and generates a particular updated model of the distributed computer program application, the updated model comprising the one or more locations for the virtualized appliances. The SDN controller sends the updated model of the distributed computer program application to the orchestration system.

Abstract: In one illustrative example, a multicast traceroute facility for a plurality of interconnected router nodes which are configured to communicate IP multicast traffic amongst hosts is described. The multicast traceroute facility may be for use in processing a multicast traceroute batch query packet which indicates a batch of multicast traceroute queries of a batch query, for identifying a plurality of traced paths for a batch of IP multicast traffic flows. Each identified traced path may be associated with one or more links, each of which has a link metric that satisfies a requested link metric (e.g. a link bandwidth). Resources for satisfying the requested link metric may be reserved for a predetermined or specified time period. The batch of IP multicast traffic flows may be established via at least some of the interconnected router nodes according to the plurality of traced paths identified from the query packet processing.

Abstract: Many modern devices and machines (e.g., Internet of Things (IoT) devices and connected vehicles (CV)) include wireless interfaces that permit external devices to communicate with the devices and machines. These wireless interfaces can be attacked by malicious actors who can affect the operation of the devices or machines. Embodiments herein describe a user controlled actuator (e.g., a knob, set of buttons, switches, etc.) for responding to a wireless attack. Using the actuator, the user can set a response level depending on the threat. Each threat level can elicit a predefined action or set of actions from a control system in the device or machine.

Abstract: An IP multicast group may include a plurality of group members corresponding to a plurality of host receivers that are connected to router nodes of a multicast distribution tree and joined in the multicast group. At least some of the router nodes may store a plurality of group member indicator bits associated with the multicast group. Each group member indicator bit may be assigned to a respective one of the group members and indicate whether the respective group member is reachable downstream from the router node. During IP multicast, the router node may receive an IP multicast message having a destination address field, a source address field, and a payload field. The payload field may include one or more data items of a multicast data stream. The destination address field may include a multicast group address for addressing communications to the multicast group.

Abstract: In one example embodiment, a server generates a candidate instantiation of virtual applications among a plurality of hosts in a data center to support a multicast stream. The server provides, to a first set of agents corresponding to a first set of the plurality of hosts, a command to initiate a test multicast stream. The server provides, to a second set of agents corresponding to a second set of the plurality of hosts, a command to join the test multicast stream. The server obtains, from the second set of agents, a message indicating whether the second set of agents received the test multicast stream. If the message indicates that the second set of agents received the test multicast stream, the server causes the virtual applications to be instantiated in accordance with the candidate instantiation of the virtual applications.

Abstract: In one illustrative example, a multicast traceroute facility for a plurality of interconnected router nodes which are configured to communicate IP multicast traffic amongst hosts is described. The multicast traceroute facility may be for use in processing a multicast traceroute batch query packet which indicates a batch of multicast traceroute queries of a batch query, for identifying a plurality of traced paths for a batch of IP multicast traffic flows. Each identified traced path may be associated with one or more links, each of which has a link metric that satisfies a requested link metric (e.g. a link bandwidth). Resources for satisfying the requested link metric may be reserved for a predetermined or specified time period. The batch of IP multicast traffic flows may be established via at least some of the interconnected router nodes according to the plurality of traced paths identified from the query packet processing.

Abstract: In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including determining a path through a plurality of provider nodes within a provider network and determining that the path through the plurality of provider nodes within the provider network is secure. The operations also include receiving, from a customer node, a Resource Reservation Protocol (RSVP) path message comprising an attribute for a security request. The operations further include routing the RSVP path message along the path of the plurality of provider nodes.

Abstract: Described in an example embodiment is an end-to-end admission control system that allows any rich media application to secure admission control in an environment where there are mixed wireless and wired segments in the network. In particular embodiments, the system includes the integration of Add Traffic Stream (ADDTS) and Resource Reservation Protocol (RSVP) admission control mechanisms, the mapping of parameters between these two mechanisms, the admission control policies, and failure handling for the end-to-end resource control.

Abstract: In one example embodiment, a server generates a candidate instantiation of virtual applications among a plurality of hosts in a data center to support a multicast stream. The server provides, to a first set of agents corresponding to a first set of the plurality of hosts, a command to initiate a test multicast stream. The server provides, to a second set of agents corresponding to a second set of the plurality of hosts, a command to join the test multicast stream. The server obtains, from the second set of agents, a message indicating whether the second set of agents received the test multicast stream. If the message indicates that the second set of agents received the test multicast stream, the server causes the virtual applications to be instantiated in accordance with the candidate instantiation of the virtual applications.

Abstract: In one embodiment, a method includes determining a first node as a current termination node of a first multicast flow; determining whether a link between the first node and a downstream next-hop node has available bandwidth to accommodate the first multicast flow, where the downstream next-hop node is not currently associated with the first multicast flow; and transmitting the first multicast flow to the downstream next-hop node according to a determination that the link between the first node and a downstream next-hop node has available bandwidth to accommodate the first multicast flow. According to some implementations, the method is performed by a controller with one or more processors and non-transitory memory, where the controller is communicatively coupled to a plurality of network nodes in a network.

Abstract: Many modern devices and machines (e.g., Internet of Things (IoT) devices and connected vehicles (CV)) include wireless interfaces that permit external devices to communicate with the devices and machines. These wireless interfaces can be attacked by malicious actors who can affect the operation of the devices or machines. Embodiments herein describe a user controlled actuator (e.g., a knob, set of buttons, switches, etc.) for responding to a wireless attack. Using the actuator, the user can set a response level depending on the threat. Each threat level can elicit a predefined action or set of actions from a control system in the device or machine.

Abstract: Techniques for provisioning multicast chains in a cloud-based environment are described herein. In an embodiment, an orchestration system sends a particular model of a distributed computer program application comprising one or more sources, destinations, and virtualized appliances for initiation by one or more host computers to a software-defined networking (SDN) controller. The SDN controller determines one or more locations for the virtualized appliances and generates a particular updated model of the distributed computer program application, the updated model comprising the one or more locations for the virtualized appliances. The SDN controller sends the updated model of the distributed computer program application to the orchestration system.

Abstract: In one embodiment, a method includes discovering at a network controller, a topology and link capacities for a network, the network controller in communication with a plurality of spine nodes and leaf nodes, the link capacities comprising capacities for links between the spine nodes and the leaf nodes, identifying at the network controller, a flow received from a source at one of the leaf nodes, selecting at the network controller, one of the spine nodes to receive the flow from the leaf node based, at least in part, on the link capacities, and programming the network to transmit the flow from the spine node to one of the leaf nodes in communication with a receiver requesting the flow. An apparatus and logic are also disclosed herein.

Abstract: In one embodiment, methods, systems, and apparatus are described in which data to be used by a processor is stored in a memory. Network communications with a data center are enabled via a network interface. The processor maintains a reporting policy for reporting anomalous events to the data center, the reporting policy having at least one rule for determining a reporting action to be taken by the processor in response to an anomalous event. The processor further monitors the IoT device for a report of an occurrence of the anomalous event. The processor performs the reporting action according to the at least one rule, in response to the report of the occurrence of the anomalous event. An episodic update to the reporting policy from the data center may be received at the processor, which modifies the reporting policy in accordance with the update. Related methods, systems, and apparatus are also described.

Abstract: In one embodiment, a device between a Controller Area Network (CAN)-based network and an Internet Protocol (IP)-based network receives a CAN message from a node in the CAN-based network. The CAN message comprises a CAN message identifier and a data field. The device determines an IP header based on the CAN message identifier and the CAN message. The device converts the data field of the CAN message into an IP message that includes the determined IP header. The device sends the IP message via the IP network to one or more eligible destinations for the IP message.

Abstract: In one embodiment, a method includes determining a first node as a current termination node of a first multicast flow; determining whether a link between the first node and a downstream next-hop node has available bandwidth to accommodate the first multicast flow, where the downstream next-hop node is not currently associated with the first multicast flow; and transmitting the first multicast flow to the downstream next-hop node according to a determination that the link between the first node and a downstream next-hop node has available bandwidth to accommodate the first multicast flow. According to some implementations, the method is performed by a controller with one or more processors and non-transitory memory, where the controller is communicatively coupled to a plurality of network nodes in a network.

Abstract: Described in an example embodiment is an end-to-end admission control system that allows any rich media application to secure admission control in an environment where there are mixed wireless and wired segments in the network. In particular embodiments, the system includes the integration of Add Traffic Stream (ADDTS) and Resource Reservation Protocol (RSVP) admission control mechanisms, the mapping of parameters between these two mechanisms, the admission control policies, and failure handling for the end-to-end resource control.

Abstract: In one embodiment, a method includes discovering at a network controller, a topology and link capacities for a network, the network controller in communication with a plurality of spine nodes and leaf nodes, the link capacities comprising capacities for links between the spine nodes and the leaf nodes, identifying at the network controller, a flow received from a source at one of the leaf nodes, selecting at the network controller, one of the spine nodes to receive the flow from the leaf node based, at least in part, on the link capacities, and programming the network to transmit the flow from the spine node to one of the leaf nodes in communication with a receiver requesting the flow. An apparatus and logic are also disclosed herein.