Patents by Inventor Syed Khalid

Syed Khalid has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10992654
    Abstract: A method is performed by an access router of an enterprise network including a first edge router to communicate with a second edge router over a wide area network (WAN). The method includes receiving a packet from a first endpoint, receiving from a mapping service a network location of a second edge router for which the packet is destined and a security association (SA) to encrypt the packet from the access router to the second edge router, and generating for the first edge router one or more path selectors for WAN path selection. The method includes encrypting the packet using the SA, and adding to the encrypted IP packet, in clear text, the path selectors and outer encapsulation including the network location, to produce an encrypted tunnel packet. The method also includes forwarding the encrypted tunnel packet to the second edge router via the first edge router and the WAN.
    Type: Grant
    Filed: August 17, 2018
    Date of Patent: April 27, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Syed Khalid Raza, Mosaddaq Hussain Turabi, Fabio Rodolfo Maino, Vina Ermagan, Atri Indiresan
  • Patent number: 10944733
    Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: March 9, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Syed Khalid Raza, Mosaddaq Hussain Turabi, Lars Olaf Stefan Olofsson, Atif Khan, Praveen Raju Kariyanahalli
  • Patent number: 10904240
    Abstract: Disclosed are concepts for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: January 26, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Hendrikus G. P. Bosch, Alessandro Duminuco, Jeffrey Napper, David Delano Ward, Syed Khalid Raza, Sape Jurrien Mullender
  • Publication number: 20210006546
    Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.
    Type: Application
    Filed: September 21, 2020
    Publication date: January 7, 2021
    Inventors: Syed Khalid Raza, Mosaddaq Hussain Turabi, Lars Olaf Stefan Olofsson, Atif Khan, Praveen Raju Kariyanahalli
  • Publication number: 20200374109
    Abstract: A method for securing communications for a given network topology is provided. The method comprises generating by a node N(i) of the network, security parameters for the node N(i); transmitting by the node N(i), said security parameters to a controller for the network; maintaining by the controller said security parameters for the node N(i); receiving by the controller a request from a node N(j) for the security parameters for the node N(i); retrieving by the controller the security parameters for the node N(i); and transmitting by the controller said security parameters to the node N(j).
    Type: Application
    Filed: August 7, 2020
    Publication date: November 26, 2020
    Inventors: Syed Khalid Raza, Praveen Raju Kariyanahalli, Rameshbabu Prabagaran, Amir Khan
  • Publication number: 20200322262
    Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.
    Type: Application
    Filed: February 6, 2020
    Publication date: October 8, 2020
    Inventors: Fabio Maino, Syed Khalid Raza, Alberto Rodriguez Natal, Marc Portoles Comeras
  • Patent number: 10739305
    Abstract: Systems and methods for sensing analytes using an extended gate field effect transistor (EGFET) are provided. A biosensing system can utilize a biodetection layer on a substrate, which can be coupled to a field effect transistor (FET). The coupling can be such that the gate of the field effect transistor is connected to the substrate having the biodetection layer thereon. The functionalized substrate can include a well-defined area that can hold a specific, pre-determined volume of fluid on top of it. An external electrode can be dipped in the fluid and can then be connected to a power source supplying a gate voltage. The presence or concentration of the target analyte in the fluid can be determined based on the source-drain characteristics of the FET.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: August 11, 2020
    Assignee: The Florida International University Board of Trustees
    Inventors: Shekhar Bhansali, Syed Khalid Pasha, Mubarak Ajmuddin Mujawar
  • Patent number: 10742402
    Abstract: A method for securing communications for a given network topology is provided. The method comprises generating by a node N(i) of the network, security parameters for the node N(i); transmitting by the node N(i), said security parameters to a controller for the network; maintaining by the controller said security parameters for the node N(i); receiving by the controller a request from a node N(j) for the security parameters for the node N(i); retrieving by the controller the security parameters for the node N(i); and transmitting by the controller said security parameters to the node N(j).
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: August 11, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Syed Khalid Raza, Praveen Raju Kariyanahalli, Rameshbabu Prabagaran, Amir Khan
  • Publication number: 20200169390
    Abstract: A method for securing communications for a given network is provided. The method comprises by at least one node(i) of the network configured to utilize pairwise keys: generating a set of encryption keys; and transmitting the set of encryption keys to a controller for the network; by the controller, executing a key selection process wherein for each node(j) in the network an encryption key J is selected from the set of encryption keys; assigning the encryption key J to the node(j); and transmitting the selected encryption key J to the node(j); by each node(j), generating an encryption key I to the node(i); and sending the encryption key I to the node(i) via the controller.
    Type: Application
    Filed: September 13, 2019
    Publication date: May 28, 2020
    Inventors: Syed Khalid Raza, Praveen Raju Kariyanahalli, Venugopal Hemige
  • Publication number: 20200145405
    Abstract: Disclosed are concepts for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.
    Type: Application
    Filed: December 6, 2019
    Publication date: May 7, 2020
    Inventors: Hendrikus G. P. Bosch, Alessandro Duminuco, Jeffrey Napper, David Delano Ward, Syed Khalid Raza, Sape Jurrien Mullender
  • Publication number: 20200059457
    Abstract: A method is performed by an access router of an enterprise network including a first edge router to communicate with a second edge router over a wide area network (WAN). The method includes receiving a packet from a first endpoint, receiving from a mapping service a network location of a second edge router for which the packet is destined and a security association (SA) to encrypt the packet from the access router to the second edge router, and generating for the first edge router one or more path selectors for WAN path selection. The method includes encrypting the packet using the SA, and adding to the encrypted IP packet, in clear text, the path selectors and outer encapsulation including the network location, to produce an encrypted tunnel packet. The method also includes forwarding the encrypted tunnel packet to the second edge router via the first edge router and the WAN.
    Type: Application
    Filed: August 17, 2018
    Publication date: February 20, 2020
    Inventors: Syed Khalid Raza, Mosaddaq Hussain Turabi, Fabio Rodolfo Maino, Vina Ermagan, Atri Indiresan
  • Publication number: 20200036686
    Abstract: A method for operating a network is provided. The method comprises segmenting the network into a plurality of virtual private networks, wherein each virtual private network runs on an underlying physical network; and wherein each virtual private network represents a particular context; and configuring at least some nodes within the network to send and receive traffic based on context.
    Type: Application
    Filed: August 9, 2019
    Publication date: January 30, 2020
    Inventors: Lars Olof Stefan Olofsson, Atif Khan, Syed Khalid Raza, Himanshu H. Shah, Amir Khan, Nehal Bhau
  • Patent number: 10511590
    Abstract: Disclosed are concepts for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.
    Type: Grant
    Filed: May 15, 2019
    Date of Patent: December 17, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Hendrikus G. P. Bosch, Alessandro Duminuco, Jeffrey Napper, David Delano Ward, Syed Khalid Raza, Sape Jurrien Mullender
  • Patent number: 10419211
    Abstract: A method for securing communications for a given network is provided. The method comprises by at least one node(i) of the network configured to utilize pairwise keys: generating a set of encryption keys; and transmitting the set of encryption keys to a controller for the network; by the controller, executing a key selection process wherein for each node(j) in the network an encryption key J is selected from the set of encryption keys; assigning the encryption key J to the node(j); and transmitting the selected encryption key J to the node(j); by each node(j), generating an encryption key I for the node(i); and sending the encryption key I to the node(i) via the controller.
    Type: Grant
    Filed: November 30, 2015
    Date of Patent: September 17, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Syed Khalid Raza, Praveen Raju Kariyanahalli, Venugopal Hemige
  • Patent number: 10412122
    Abstract: A method for establishing communication sessions based on a Network Address Translation (NAT) device is provided. The method comprises configuring the NAT device with a policy to control the creation of NAT translation entries to support communications between devices residing behind the NAT device, and devices residing outside the NAT device; wherein said policy allows the NAT device to establish multiple communications sessions, each with a dynamic NAT traversal behavior; and configuring the NAT device to maintain a control plane session with an orchestrator device whereby the NAT device learns parameters required to establish a translation entry for each communications session.
    Type: Grant
    Filed: January 22, 2016
    Date of Patent: September 10, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Lars Olof Stefan Olofsson, Syed Khalid Raza, Murtuza Attarwala
  • Patent number: 10383794
    Abstract: Example embodiments relate to medication compliance alert devices. An example embodiment includes a method. The method includes capturing information about a medication label associated with a medication. The method also includes analyzing, by a first computing device, the information about the medication label to extract medication information. Further, the method includes generating, by the first computing device, a medication schedule for a corresponding patient associated with the medication. The medication schedule includes a dosage strength and dosage frequency. In addition, the method includes prompting, by a second computing device, the corresponding patient to take an amount of the medication corresponding to the dosage strength at a predetermined time according to the medication schedule. Still further, the method includes receiving, by the second computing device, an indication that the corresponding patient has taken the amount of the medication corresponding to the dosage strength.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: August 20, 2019
    Assignee: NexPil, Inc.
    Inventor: Syed Khalid
  • Patent number: 10277558
    Abstract: A method for creating a secure network is provided. The method comprises establishing an overlay domain to control routing between overlay edge routers based on an underlying transport network, wherein said establishing comprises running an overlay management protocol to exchange information within the overlay domain; in accordance with the overlay management protocol defining service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers; wherein said routing is through the underlying transport network in a manner in which said overlay routes are shared with the overlay edge routers but not with the underlying transport network via the overlay management protocol.
    Type: Grant
    Filed: August 14, 2017
    Date of Patent: April 30, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Atif Khan, Syed Khalid Raza, Nehal Bhau, Himanshu H. Shah
  • Patent number: 10225174
    Abstract: In one embodiment, a first router determines whether an interface coupling the first router to one or more second routers is transit-only. When the interface is transit-only, the first router generates an Open Shortest Path First (OSPF) Link State Advertisement (LSA) that includes an address for the interface and a designated network mask. The designated network mask operates as a transit-only identification that indicates the address should not be installed in a Routing Information Base (RIB) upon receipt of the OSPF LSA at the one or more second routers. When the network is not transit-only, the first router generates an OSPF LSA that includes the address for the interface but does not include the designated network mask, to permit installation of the address in a RIB upon receipt of the OSPF LSA at the one or more second routers.
    Type: Grant
    Filed: May 16, 2016
    Date of Patent: March 5, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Yi Yang, Alvaro E. Retana, James L. Ng, Abhay Roy, Alfred C. Lindem, Sina Mirtorabi, Timothy M. Gage, Syed Khalid Raza
  • Publication number: 20190036687
    Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.
    Type: Application
    Filed: June 28, 2018
    Publication date: January 31, 2019
    Inventors: Syed Khalid Raza, Mosaddaq Hussain Turabi, Lars Olaf Stefan Olofsson, Atif Khan, Praveen Raju Kariyanahalli
  • Publication number: 20190036876
    Abstract: In some examples, an example method to provide a virtualized Carrier-grade Network Address Translation (CGN) at a first customer edge router may include establishing a tunnel between the first customer edge router and each aggregation router among one or more aggregation routers, performing a Network Address Translation (NAT) on a first data packet to create a NAT'ed first data packet, selecting a first aggregation router from amongst the one or more aggregation routers to send the NAT'ed first data packet to, encapsulating the NAT'ed first data packet with overlay information corresponding to a tunnel established between the first customer edge router and a first aggregation router, and sending the encapsulated NAT'ed first data packet through the tunnel to the first aggregation router.
    Type: Application
    Filed: July 31, 2017
    Publication date: January 31, 2019
    Applicant: Cisco Technology, Inc.
    Inventors: Syed Khalid Raza, Murtuza Attarwala