Patents by Inventor Xueqiang Ma

Xueqiang Ma has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11711299
    Abstract: This disclosure describes various methods, systems, and devices related to mirrored traffic forwarding in a hybrid network. An example method includes receiving, from a source forwarder in a source network, a mirrored data packet. A session of the mirrored data packet may be identified based on a header of the mirrored data packet. A destination forwarder in a destination network may be identified based on the session. The destination network may be different than the source network. The mirrored data packet may be forwarded to the destination forwarder.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: July 25, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Xueqiang Ma, Dave Persaud, Kalyan Ghosh
  • Patent number: 11343234
    Abstract: Presented herein are methodologies for implementing multi-domain cloud security and ways to partition end-points in data center/cloud network topologies into hierarchical domains to increase security and key negotiation efficiency. The methodology includes receiving, from a first endpoint, at a cloud security protocol stack, a packet encrypted in accordance with a cloud security key negotiated between the first endpoint and a second endpoint; extracting a cloud security globally unique domain-id from the packet; querying a cloud security domain repository using the cloud security globally unique domain-id as an index to identify a first cloud security domain, among a plurality of cloud security domains, to which the first endpoint and the second endpoint belong; and selecting the first cloud security domain to process the packet.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: May 24, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Xueqiang Ma, Dave Persaud, Kalyan Ghosh
  • Patent number: 11290436
    Abstract: Techniques for key distribution are provided. A first symmetric key is generated for a first downstream site, and a second symmetric key is generated for a second downstream site. The first symmetric key is transmitted to the first downstream site, and the second symmetric key is transmitted to the second downstream site. Upon receiving an indication that the first symmetric key was successfully deployed at the first downstream site, the first symmetric key is deployed on a first network node of an upstream site. Finally, upon determining that the second symmetric key was not successfully deployed at the second downstream site, techniques include refraining from deploying the second symmetric key to a second network node of the upstream site, where the second network node continues to communicate with the second downstream site using an original symmetric key.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: March 29, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Dave Persaud, Xueqiang Ma, Kalyan K. Ghosh, Kondal R. Boreddy
  • Patent number: 11212077
    Abstract: The disclosure provides an approach for authenticating the contents of a control message sent between data centers. The data centers are located in a computing system comprising multiple data centers. The computing system has a controller, and each data center has a local controller. The message contents comprise a tree of data objects. The tree is converted to a hash tree, and the root hash of the hash tree is stored on a distributed blockchain. Storage on the distributed blockchain ensures that the root hash is not tampered with by an attacker. The receiver of the message then authenticates that the hash tree has not been modified by comparing various hash values, as described herein.
    Type: Grant
    Filed: October 23, 2018
    Date of Patent: December 28, 2021
    Assignee: Cisco Technology, Inc.
    Inventor: Xueqiang Ma
  • Publication number: 20210218673
    Abstract: This disclosure describes various methods, systems, and devices related to mirrored traffic forwarding in a hybrid network. An example method includes receiving, from a source forwarder in a source network, a mirrored data packet. A session of the mirrored data packet may be identified based on a header of the mirrored data packet. A destination forwarder in a destination network may be identified based on the session. The destination network may be different than the source network. The mirrored data packet may be forwarded to the destination forwarder.
    Type: Application
    Filed: April 30, 2020
    Publication date: July 15, 2021
    Inventors: Xueqiang Ma, Dave Persaud, Kalyan Ghosh
  • Publication number: 20210176224
    Abstract: Presented herein are methodologies for implementing multi-domain cloud security and ways to partition end-points in data center/cloud network topologies into hierarchical domains to increase security and key negotiation efficiency. The methodology includes receiving, from a first endpoint, at a cloud security protocol stack, a packet encrypted in accordance with a cloud security key negotiated between the first endpoint and a second endpoint; extracting a cloud security globally unique domain-id from the packet; querying a cloud security domain repository using the cloud security globally unique domain-id as an index to identify a first cloud security domain, among a plurality of cloud security domains, to which the first endpoint and the second endpoint belong; and selecting the first cloud security domain to process the packet.
    Type: Application
    Filed: December 10, 2019
    Publication date: June 10, 2021
    Inventors: Xueqiang Ma, Dave Persaud, Kalyan Ghosh
  • Publication number: 20200127814
    Abstract: The disclosure provides an approach for authenticating the contents of a control message sent between data centers. The data centers are located in a computing system comprising multiple data centers. The computing system has a controller, and each data center has a local controller. The message contents comprise a tree of data objects. The tree is converted to a hash tree, and the root hash of the hash tree is stored on a distributed blockchain. Storage on the distributed blockchain ensures that the root hash is not tampered with by an attacker. The receiver of the message then authenticates that the hash tree has not been modified by comparing various hash values, as described herein.
    Type: Application
    Filed: October 23, 2018
    Publication date: April 23, 2020
    Inventor: Xueqiang Ma
  • Publication number: 20200112605
    Abstract: For each node in a plurality of nodes corresponding to a particular computer network element, the performance metric data regarding the node based on a first time interval is received. The plurality of nodes is organized in a tree structure which comprises a plurality of spine nodes, a plurality of leaf nodes, a plurality of host nodes, and a plurality of container nodes. The metric data is applied for a recursive partitioning algorithm on the plurality of nodes to generate an allocation strategy for the plurality of container nodes. The allocation strategy defines a topology of the tree structure that maximizes usage of computing resources on each node based on the first time interval.
    Type: Application
    Filed: October 4, 2018
    Publication date: April 9, 2020
    Inventors: Manoj Ragupathy, Xueqiang Ma
  • Publication number: 20200099672
    Abstract: Techniques for key distribution are provided. A first symmetric key is generated for a first downstream site, and a second symmetric key is generated for a second downstream site. The first symmetric key is transmitted to the first downstream site, and the second symmetric key is transmitted to the second downstream site. Upon receiving an indication that the first symmetric key was successfully deployed at the first downstream site, the first symmetric key is deployed on a first network node of an upstream site. Finally, upon determining that the second symmetric key was not successfully deployed at the second downstream site, techniques include refraining from deploying the second symmetric key to a second network node of the upstream site, where the second network node continues to communicate with the second downstream site using an original symmetric key.
    Type: Application
    Filed: January 16, 2019
    Publication date: March 26, 2020
    Inventors: Dave Persaud, Xueqiang Ma, Kalyan K. Ghosh, Kondal R. Boreddy
  • Patent number: 10601908
    Abstract: For each node in a plurality of nodes corresponding to a particular computer network element, the performance metric data regarding the node based on a first time interval is received. The plurality of nodes is organized in a tree structure which comprises a plurality of spine nodes, a plurality of leaf nodes, a plurality of host nodes, and a plurality of container nodes. The metric data is applied for a recursive partitioning algorithm on the plurality of nodes to generate an allocation strategy for the plurality of container nodes. The allocation strategy defines a topology of the tree structure that maximizes usage of computing resources on each node based on the first time interval.
    Type: Grant
    Filed: October 4, 2018
    Date of Patent: March 24, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Manoj Ragupathy, Xueqiang Ma