Abstract: A computing device can receive a request from a requesting device for one or more data elements associated with a digital credential. The computing device can store the digital credential which includes a set of data elements and a security object. The computing device can determine a subset of the data elements based at least in part on the request. The computing device can generate the response, wherein the response includes the subset of the data elements and the security object. The computing device can transmit the response to the requesting device.

Abstract: A computing device can generate a set of transaction keys, the computing device configured to present a digital credential to a requesting device. The computing device can generate a request bundle. The request bundle can include the set of transaction keys. The computing device can transmit, to a first server, the request bundle. The first server can be configured to verify the request bundle. The first server can be configured to send the request bundle to a second server with a request for a set of credentials. Each credential of the set of credentials can correspond to a transaction key of the set of transaction keys. Each credential can include data elements and a security object. The data elements for each credential can be the same. The security object for each credential can be different. The computing device can receive, from the first server, the set of credentials. The computing device can store the set of credentials.

Abstract: Techniques are described for generating a verified data package. An example method includes receiving data including biographical information and an associated portrait. The method further includes causing a prompt for a user to capture a self-portrait photograph to be displayed based at least in part on receiving the data. The method further includes receiving the self-portrait photograph based at least in part on the displayed prompt. The method further includes causing data and the self-portrait photograph to be transmitted to a server. The method further includes receiving, from the server, a verified data package comprising the biographical information, the portrait, and an attestation that the self-portrait photograph and the portrait are the user.

Abstract: A device implementing a system for using a verified claim of identity includes at least one processor configured to receive a verified claim including information to identify a user of a device, the verified claim being signed by a server based on verification of the information by an identity verification provider separate from the server, the verified claim being specific to the device. The at least one processor is further configured to send, to a service provider, a request for a service provided by the service provider, and receive, from the service provider and in response to the sending, a request for the verified claim. The at least one processor is further configured to send, in response to the receiving, the verified claim to the service provider.

Abstract: The techniques describe detecting connectivity failure of an aggregated interface. To monitor connectivity of the aggregated interface, a packet processor of a plurality of packet processors is set as a session master responsible for managing an active forwarding plane connectivity detection session with a peer session master node. The other local packet processors of the virtual network node are selected as session standby nodes that each have a passive forwarding plane connectivity detection session running to the peer session master node. If a session master node goes down (i.e., by link or node failure), one of the local session standby nodes may detect the failure and is set as a new session master node by activating its passive session having the same session parameters.

Abstract: Techniques are described for providing targeted selection of cascade ports of an aggregation device. In one example, the disclosed techniques enable dynamic assignment of active and backup cascade ports of an aggregation device for each extended port of satellite devices. In this example, rather than allocating resources for each of the extended ports of the satellite devices on all of the cascade ports of the aggregation device, the aggregation device instead allocates resources for each of the extended port only on the assigned active and backup cascade ports for the respective one of the extended ports of the satellite devices. The techniques are also described for providing traffic steering to a backup cascade port in the event the assigned active cascade port is unreachable, and, if the cascade port remains unreachable for a specified duration, the aggregation device may assign new active and backup cascade ports for the extended port.

Abstract: The techniques describe adaptive load-balancing based on traffic feedback from packet processors. In one example, a source virtual network node of the network device may determine whether a particular destination packet processor is or may become oversubscribed. For example, source packet processors of the source virtual network node may exchange feedback messages including traffic flow rate information. The source virtual network node may compute a total traffic flow rate and compare the total traffic flow rate with a bandwidth of the particular destination packet processor. In response to determining that the bandwidth of the destination packet processor is oversubscribed, the source virtual network node may update a forwarding plane data structure to reduce a likelihood of selecting the destination packet processor to which to forward packet flows.

Abstract: A device implementing the subject system may include a processor configured to send, to a service provider, a request for a service provided by the service provider. The processor may be further configured to receive, in response to sending the request for the service, a request for a verified claim, the verified claim comprising first information to identify a user of a device and being a digital certificate signed by a server, the verified claim being associated with the device. The processor may be further configured to send, in response to receiving the request for the verified claim, the verified claim to the service provider, and receive a request for second information to identify the user, the second information being different than the first information, the request for the second information being based on a determination that the first information is not sufficient to identify the user.

Abstract: A device implementing a system for using a verified claim of identity includes at least one processor configured to receive a first request to revoke a verified claim, the verified claim comprising information to identify a user of a device, wherein the verified claim includes a hardware reference key of the device, and wherein the hardware reference key is a public key of a public-private key pair, a corresponding private key of which is securely stored on the device. The at least one processor may be further configured to in response to receiving the request, send, to the device, a second request to revoke the verified claim on the device, and add the verified claim to a revocation list.

Abstract: A device implementing a system for using a verified claim of identity may include at least one processor configured to receive a response vector corresponding to a verified claim of a user of a device, the verified claim comprising plural data fields to identify the user and being a digital certificate signed by a server, the verified claim being associated with the device, the response vector comprising, for each field of the plural data fields, a confidence score indicating a likelihood that the field is accurate. The at least one processor may be further configured to receive, from the device, a request for a service, determine, in response to receiving the request, that service is to be provided to the device based on the response vector and the verified claim, and provide the service to the device based on the determining.

Abstract: A device implementing a system for using a verified claim of identity includes at least one processor configured to receive a verified claim including information to identify a user of a device, the verified claim being signed by a server based on verification of the information by an identity verification provider separate from the server, the verified claim being specific to the device. The at least one processor is further configured to send, to a service provider, a request for a service provided by the service provider, and receive, from the service provider and in response to the sending, a request for the verified claim. The at least one processor is further configured to send, in response to the receiving, the verified claim to the service provider.

Abstract: A device implementing a system for using a verified claim of identity includes at least one processor configured to send, to a service provider, a request for a service provided by the service provider. The at least one processor may be further configured to receive, from the service provider and in response to the sending, a request for a verified claim, the verified claim comprising plural data fields to identify a user of a device and being a digital certificate signed by a server, the verified claim being associated with to the device. The at least one processor may be further configured to, in response to the receiving, determine a confidence assessment for the verified claim based on a comparison between the plural data fields in the verified claim and corresponding data locally-stored on a device, and send the confidence assessment and the verified claim to the service provider.

Abstract: The techniques describe packet reordering for packets flowing on a new path in response to a change in internal forwarding paths in a network device. For example, a network device may dynamically change the selection of an internal forwarding path to achieve fabric path optimization (“OFP”) or to ensure optimized load balancing. Packets forwarded on the new path are buffered such that the transmission of packets forwarded on the new path are delayed for a buffering time period of at least the time in which a packet is being sent from the source packet processor to the initial destination packet processor.

Abstract: The techniques describe directly forwarding a packet from an ingress packet forwarding engine to a particular destination packet forwarding engine (PFE) when internal packet load balancing may otherwise result in an increased number of fabric hops. For example, a source PFE may receive incoming packets destined for a router reachable only by a particular destination PFE (e.g., egress PFE). Rather than load balancing the incoming packets to a destination PFE that is likely to be a non-egress PFE, a source PFE obtains fabric path information associated with the egress PFE from a destination PFE such that source PFE may forward incoming packets directly to the egress PFE.

Abstract: The techniques describe detecting connectivity failure of an aggregated interface. To monitor connectivity of the aggregated interface, a packet processor of a plurality of packet processors is set as a session master responsible for managing an active forwarding plane connectivity detection session with a peer session master node. The other local packet processors of the virtual network node are selected as session standby nodes that each have a passive forwarding plane connectivity detection session running to the peer session master node. If a session master node goes down (i.e., by link or node failure), one of the local session standby nodes may detect the failure and is set as a new session master node by activating its passive session having the same session parameters.

Abstract: Techniques are described for providing targeted selection of cascade ports of an aggregation device. In one example, the disclosed techniques enable dynamic assignment of active and backup cascade ports of an aggregation device for each extended port of satellite devices. In this example, rather than allocating resources for each of the extended ports of the satellite devices on all of the cascade ports of the aggregation device, the aggregation device instead allocates resources for each of the extended port only on the assigned active and backup cascade ports for the respective one of the extended ports of the satellite devices. The techniques are also described for providing traffic steering to a backup cascade port in the event the assigned active cascade port is unreachable, and, if the cascade port remains unreachable for a specified duration, the aggregation device may assign new active and backup cascade ports for the extended port.

Abstract: The techniques describe adaptive load-balancing based on traffic feedback from packet processors. In one example, a source virtual network node of the network device may determine whether a particular destination packet processor is or may become oversubscribed. For example, source packet processors of the source virtual network node may exchange feedback messages including traffic flow rate information. The source virtual network node may compute a total traffic flow rate and compare the total traffic flow rate with a bandwidth of the particular destination packet processor. In response to determining that the bandwidth of the destination packet processor is oversubscribed, the source virtual network node may update a forwarding plane data structure to reduce a likelihood of selecting the destination packet processor to which to forward packet flows.

Abstract: The techniques describe packet reordering for packets flowing on a new path in response to a change in internal forwarding paths in a network device. For example, a network device may dynamically change the selection of an internal forwarding path to achieve fabric path optimization (“OFP”) or to ensure optimized load balancing. Packets forwarded on the new path are buffered such that the transmission of packets forwarded on the new path are delayed for a buffering time period of at least the time in which a packet is being sent from the source packet processor to the initial destination packet processor.

Abstract: The techniques describe directly forwarding a packet from an ingress packet forwarding engine to a particular destination packet forwarding engine (PFE) when internal packet load balancing may otherwise result in an increased number of fabric hops. For example, a source PFE may receive incoming packets destined for a router reachable only by a particular destination PFE (e.g., egress PFE). Rather than load balancing the incoming packets to a destination PFE that is likely to be a non-egress PFE, a source PFE obtains fabric path information associated with the egress PFE from a destination PFE such that source PFE may forward incoming packets directly to the egress PFE.