Abstract: Techniques for a Software-Defined Networking (SDN) controller associated with a multisite network to implement jurisdictional data sovereignty polices in a multisite network, route network traffic flows between user sites and destination services over one or more provider sites, and/or perform a routing operation on the network traffic flow(s) based on the jurisdictional data sovereignty policies. The jurisdictional data sovereignty polices may be implemented using destination group tags (DGTs) and/or source group tags (SGTs). A secure access service edge (SASE) associated with the network controller may generate, store, and distribute the DGTs to provider sites and/or the SGTs to user sites. Based on the SGT and/or DGT associated with a network traffic flow, one or more services may be applied to the network traffic flow, and the network traffic flow may be routed through a particular region of a software-defined access (SDA) transit.

Abstract: Load balancing for saturated wireless may be provided. A computing device may determine that an Access Point (AP) has reached a saturation point. A first Service Device (SD) having a first SD coverage area that overlaps an AP coverage area associated with the AP may be identified. Then a license to operate within a frequency spectrum segment for the first SD coverage area may be obtained. A plurality of user devices may be moved from the AP to the first SD. The first SD may then service the plurality of user devices using at least a portion of the frequency spectrum segment.

Abstract: Techniques are described herein for service chaining in fabric networks such that hardware resources can be preserved without service nodes needing additional capabilities. The techniques may include storing a first configuration associated with a first VRF instance of a service forwarding node that is connected to a first service of a service chain sequence. The first configuration may indicate an identifier and a type associated with a second service of the service chain sequence where traffic is to be sent after the first service. Additionally, the techniques may also include storing a second configuration associated with a second VRF instance of the service forwarding node that is connected to the second service. The second configuration may indicate that the second service is a last service of the service chain sequence. When traffic is received at the service forwarding node, the service forwarding node can determine whether the traffic is pre-service traffic or post-service traffic.

Abstract: With a controller coupled to a first multicast domain and a second multicast domain having incompatible multicast profiles, source and group (S,G) state information may be extracted from a plurality of nodes of the first multicast domain and the second multicast domain, A first interdomain border node may be within the first multicast domain. A second interdomain border node may be defined within the second multicast domain. The (S,G) state information may be transmitted to the first interdomain border node and the second interdomain border node. The multicast traffic may be transmitted between the first multicast domain and the second multicast domain via the first interdomain border node and the second interdomain border node based at least in part on the (S,G) state information.

Abstract: Techniques for a Software-Defined Networking (SDN) controller associated with a multisite network to implement jurisdictional data sovereignty polices in a multisite network, route network traffic flows between user sites and destination services over one or more provider sites, and/or perform a routing operation on the network traffic flow(s) based on the jurisdictional data sovereignty policies. The jurisdictional data sovereignty polices may be implemented using destination group tags (DGTs) and/or source group tags (SGTs). A secure access service edge (SASE) associated with the network controller may generate, store, and distribute the DGTs to provider sites and/or the SGTs to user sites. Based on the SGT and/or DGT associated with a network traffic flow, one or more services may be applied to the network traffic flow, and the network traffic flow may be routed through a particular region of a software-defined access (SDA) transit.

Abstract: Systems and methods are provided for providing transference of a user equipment to a 5G network when a voice call is terminated. The systems and method can include receiving, at a mobility management entity, a voice call termination message from a serving gateway, determining, by the mobility management entity, whether the user equipment includes a 5G subscription and 5G capability based on the voice call termination message, and providing, by the mobility management entity, a handover message to the user equipment to initiate a handover to the 5G network based on the determining of whether the user equipment includes the 5G subscription and 5G capability.

Abstract: Described herein are systems and methods for optimizing energy efficiency in a network utilizing a control plane or other network administration device or software suite. The control plane continuously monitors end-to-end network paths and collects real-time data about network topology, traffic patterns, and connected devices. By analyzing the collected network data, the control plane identifies power needs for network nodes and generates energy saving recommendations or instructions tailored to each node's specific capabilities. Network nodes can subscribe to the energy efficiency service provided by the control plane, receive network usage data, and execute energy saving operations based on the recommendations. The control plane dynamically updates the energy saving recommendations in response to changes in network conditions, enabling network nodes to optimize their energy efficiency without compromising network performance and availability.

Abstract: In one embodiment, a method herein comprises: receiving, at a device, a registration request from a telemetry exporter that transmits telemetry data; generating, by the device, a telemetry configuration file for the telemetry exporter, the telemetry configuration file defining a policy for transmission of telemetry data from the telemetry exporter and an authentication token for the telemetry exporter; sharing, by the device, the policy with a security enforcer; and sending, by the device, the telemetry configuration file to the telemetry exporter, wherein the telemetry exporter is caused to connect with the security enforcer using the authentication token, send the telemetry configuration file to the security enforcer, and transmit collected telemetry data to the security enforcer, and wherein the security enforcer is caused to create a dynamic publish-subscribe stream for publishing the collected telemetry data received from the telemetry exporter based on the telemetry configuration file and the policy.

Abstract: Aspects described herein include a method and related network device and computer program product. The method includes receiving a neighbor report that indicates whether a first network device in an environment is advertising broadcast services and generating, using the neighbor report, a broadcast optimization map that indicates a set of network devices in the environment that will provide a broadest coverage of broadcast services within the environment. The set corresponds to a minimum count of network devices that supports all current broadcast streams by one or more client devices in the environment.

Abstract: Techniques are described herein for service chaining in fabric networks such that hardware resources can be preserved without service nodes needing additional capabilities. The techniques may include storing a first configuration associated with a first VRF instance of a service forwarding node that is connected to a first service of a service chain sequence. The first configuration may indicate an identifier and a type associated with a second service of the service chain sequence where traffic is to be sent after the first service. Additionally, the techniques may also include storing a second configuration associated with a second VRF instance of the service forwarding node that is connected to the second service. The second configuration may indicate that the second service is a last service of the service chain sequence. When traffic is received at the service forwarding node, the service forwarding node can determine whether the traffic is pre-service traffic or post-service traffic.

Abstract: Techniques for determining an optimal connection path by a NHNaaS are described. The techniques may include receiving a registration from an IPS that includes service ISP service parameters, and storing the registration in a NaaS database. A request to connect to a remote service from a user device, including user parameters required is received. ISPs having respective service parameters compatible with the user parameters are identified in the NaaS database. Multiple paths offered by the service providers between the user device and the remote service are determined. Network performance data for each path is received from a network monitoring service. Using the network performance data, an optimal path for establishing the connection is identified. A request to instantiate a tunnel between the user device and remote service is transmitted to the service providers along the optimal path and the tunnel information is transmitted to the user device.

Abstract: Systems, methods, and computer-readable media are disclosed for dynamically onboarding a UE between private 5G networks. In one aspect, a private 5G (P5G) federation system can receive a request from a user device for registration with a serving private 5G network, which is part of a P5G federation system. The P5G federation system can further determine that the user device is authenticated with a home private 5G network of the user device, which is also part of the P5G federation system. The P5G federation system can transmit, to the serving private 5G network, a security profile of the user device that is received from the home private 5G network. As follows, the P5G federation system can facilitate onboarding of the user device to the serving private 5G network with the security profile.

Abstract: In one aspect, a method includes associating an MLO device with 2 transmission radios to yield a first communication link between the device and a first MLO access point and a second communication link between the device and a second MLO access point, wherein the device is configured to label the first communication link as a primary link and the second communication link as a secondary link; generating a sequence number to be assigned to a frame to be transmitted on the primary link and to a duplicate copy of the frame to be transmitted on the secondary link; associating a flag with the duplicate copy of the frame on the secondary link; and sending, from the device to the first and the second MLO access points, the frame and the duplicate copy on the primary link and the secondary link, respectively.

Abstract: Quality of Service (QOS) translation may be provided. An identifier of a client device and an indication that the client device supports translation between a Quality of Service (QOS) treatment in a first wireless protocol and a QoS treatment in a second wireless protocol may be received from the first client device. Then a QoS level associated with the client device in the first wireless protocol may be determined. Next, the QoS level associated with the client device in the first wireless protocol may be mapped to a QoS level associated with the client device in the second wireless protocol. The QoS level associated with the client device in the second wireless protocol may then be applied to wireless traffic between the computing device and the client device.

Abstract: Techniques are described for classification-based data security management. The classification-based data security management can include utilizing device and/or data attributes to identify security modes for communication of data stored in a source device. The security modes can be identified based on a hybrid-encryption negotiation. The attributes can include a device resource availability value, an access trust score, a data confidentiality score, a geo-coordinates value, and/or a date/time value. The security modes can include a hybrid-encryption mode. The source device can utilize the hybrid-encryption mode to transmit the data, via one or more network nodes, such as an edge node, to one or more service nodes.

Abstract: Techniques are described for providing secure audio calls between a calling party and a receiving party. Upon receiving a call request from a call initiating party, a notification is sent to the intended call recipient. The call recipient can send a request for a secure call. Upon receiving the request for a secure call, a bi-directional multifactor authentication is performed to authenticate the identity of both the call initiating party and the call receiving party. In response to successfully authenticating both parties, a secure call between the parties is established. One or more secure key tokens or other metadata can be embedded in the call to ensure security of the call.

Abstract: Enhanced Multi-Link Operation (MLO) for client distress operation may be provided. It may be determined that a client device is approaching an edge of a cell. A list of Access Points (APs) that the client device may hear may then be received from the client device. Next, a plurality of APs may be selected from the list. Then a rescue channel to be used by the plurality of APs may be orchestrated. The client device may then be caused to transmit on the rescue channel to the plurality of APs. An original message may be reconstructed from duplicate copies of Uplink (UL) frames received by the plurality of APs on the rescue channel.

Abstract: The present disclosure describes a system and method for secure energy harvesting. An access point includes a memory and a processor communicatively coupled to the memory. The processor receives, from a wireless device, a token and an identifier for a first access point that generated the token and requests the first access point to validate the token. The processor also, in response to the first access point validating the token, wirelessly communicates a first charging frame to the wireless device.

Abstract: The present disclosure describes a combination backscatter device and methods of operation involving the combination backscatter device. An apparatus includes a passive backscatter device, an active backscatter device, and a cover. The passive backscatter device transmits a first message using energy from a wireless signal. The active backscatter device includes a first capacitor that charges using energy from a wireless signal. The cover moves over the passive backscatter device based on an amount of energy stored in the first capacitor.

Abstract: This disclosure describes techniques and mechanisms for providing hybrid cloud services for enterprise fabric. The techniques include enhancing an on-demand protocol (e.g., such as LISP) and allowing simplified security and/or firewall service insertion for datacenter servers providing those services. Accordingly, the techniques described herein provide hybrid cloud services that work in disaggregated, distributed, and consistent way, while avoiding complex datacenter network devices (e.g., such running overlay on TOR), replacing and moving the functionality to on demand protocol enabled servers, which intelligently receive the required mappings as well as registers and publishes the service information to intelligently interact with the network.