Abstract: A control system authorizes access to a networked resource. The control system includes a client agent associated with a client resource running at a user device, and a destination agent associated the networked resource. The client agent transparently injects one or more identity tokens associated with the client resource and one or more access tokens associated with the networked resource into a network request issued by the client resource and directed to the networked resource. The destination agent intercepts the network request and uses the access tokens to selectively route the network request in accordance with one or more security policies associated with the access tokens.

Abstract: Example implementations disclosed herein can be used to generate composite network policy graphs based on multiple network policy graphs input by network users that may have different goals for the network. The resulting composite network policy graph can be used to program a network so that it meets the requirements necessary to achieve the goals of at least some of the network users. In one example implementation, a method can include receiving multiple network policy graphs, generating composite endpoint groups based on relationships between endpoint groups and policy graph sources, generating composite paths based on the relationships between the endpoints and the network policy graphs, generating a composite network policy graph based on the composite endpoint groups and the composite paths, and analyzing the composite network policy graph to determine conflicts or errors.

Abstract: Example embodiments relate to providing efficient routing in software defined networks. In example embodiments, an indirect group table includes a first group entry that is associated with a first route tree in a software defined network, wherein the indirect group table affects a plurality of forwarding table entries associated with the first group entry. A failure is detected in the first route tree during a data transmission, and a notification of the failure is sent to a remote controller device, where the remote controller device identifies a second route tree that does not include the failure. After the remote controller device updates the first group entry to be associated with the second route tree, the data transmission is performed using the second route tree.

Abstract: Disclosed herein are a system, non-transitory computer readable medium, and method for governing communications of a bare metal guest in a cloud network. A network interface handles packets of data in accordance with commands by a control agent.

Abstract: In some examples, input network policies are combined to form a composite network policy, each input network policy of the input network policies specifying at least one characteristic of communications allowed between endpoint groups in a network. Metadata associated with the composite network policy is added, the metadata including information regarding a reason for disallowance of a communication between endpoint groups.

Abstract: A control system authorizes access to a networked resource. The control system includes a client agent associated with a client resource running at a user device, and a destination agent associated the networked resource. The client agent transparently injects one or more identity tokens associated with the client resource and one or more access tokens associated with the networked resource into a network request issued by the client resource and directed to the networked resource. The destination agent intercepts the network request and uses the access tokens to selectively route the network request in accordance with one or more security policies associated with the access tokens.

Abstract: Example implementations disclosed herein can be used to allocate network resources in a software defined network (SDN). In one example implementation, a method can include receiving a plurality of resource allocation proposals from a plurality of controller modules, instructing the controller modules to generate votes for the plurality of resource allocation proposals, and selecting one of the plurality of resource allocation proposals based on the votes to instantiate the selected resource allocation proposal in the SDN.

Abstract: A control system facilitates communication between a plurality of networked services. The control system includes a client agent associated with a first service of the networked services, and a destination agent associated with a second service of the networked services. The client agent includes an injection mechanism that intercepts a network request issued by the first service, transparently injects a token into the network request while the network request is in transit, and automatically transmits the network request to the second service in accordance with one or more security policies associated with the second service. The destination agent includes an interception mechanism that intercepts the network request, extracts the tokens from the network request, and determines whether to forward the network request to the second service.

Abstract: Example embodiments relate to providing efficient routing in software defined networks. In example embodiments, an indirect group table includes a first group entry that is associated with a first route tree in a software defined network, wherein the indirect group table affects a plurality of forwarding table entries associated with the first group entry. A failure is detected in the first route tree during a data transmission, and a notification of the failure is sent to a remote controller device, where the remote controller device identifies a second route tree that does not include the failure. After the remote controller device updates the first group entry to be associated with the second route tree, the data transmission is performed using the second route tree.

Abstract: Example embodiments relate to providing efficient routing in software defined networks. In example embodiments, an indirect group table includes a first group entry that is associated with a first route tree in a software defined network. A failure is detected in the first route tree during a data transmission, and a notification of the failure is sent to a remote controller device, where the remote controller device identifies a second route tree that does not include the failure. After the remote controller device updates the first group entry to be associated with the second route tree, the data transmission is performed using the second route tree.

Abstract: Identifying a component within an application executed in a network includes obtaining a traffic matrix, the traffic matrix defining a rate for which packets of data are exchanged between VMs corresponding to an application, analyzing the traffic matrix to identify VMs within a component, modifying the traffic matrix to create a modified traffic matrix, and defining, for the application, a tenant application graph (TAG) model based on the modified traffic matrix.

Abstract: In some examples, input network policies are combined to form a composite network policy, each input network policy of the input network policies specifying at least one characteristic of communications allowed between endpoint groups in a network. Metadata associated with the composite network policy is added, the metadata including information regarding a reason for disallowance of a communication between endpoint groups.

Abstract: Each network policy of network policies specifies at least one characteristic of communications allowed between endpoint groups, each endpoint group of the endpoint groups including at least one endpoint. The network policies are merged according to composition constraints included in the network policies.

Abstract: A control system facilitates communication between a plurality of networked services. The control system includes a client agent associated with a first service of the networked services, and a destination agent associated with a second service of the networked services. The client agent includes an injection mechanism that intercepts a network request issued by the first service, transparently injects a token into the network request while the network request is in transit, and automatically transmits the network request to the second service in accordance with one or more security policies associated with the second service. The destination agent includes an interception mechanism that intercepts the network request, extracts the tokens from the network request, and determines whether to forward the network request to the second service.

Abstract: According to an example, a method for bandwidth guarantee and work conservation includes determining virtual machine (VM) bandwidth guarantees assigned to VMs in a network including a source VM that communicates with destination VMs. The method further includes assigning minimum bandwidth guarantees to communications between the source VM with the destination VMs by dividing a VM bandwidth guarantee assigned to the source VM between the destination VMs based on active VM-to-VM communications between the source VM and the destination VMs. The method also includes allocating, by a processor, spare bandwidth capacity in the network to a communication between the source VM and a destination VM based on the assigned minimum bandwidth guarantees.

Abstract: Examples relate to fast failover recovery in software defined networks. In some examples, a failure in a first primary tree is detected during data transmission of a data packet, where the primary tree is associated with a first group entry that is configured to direct each of the data packets to one of a first set of destination devices. A notification of the failure is sent to a remote controller device, where the remote controller device identifies backup trees of the route trees that does not include the failure. After the remote controller device updates the first group entry to be associated with a first backup tree that minimizes congestion, each of the data packets are sent to one of a second set of destination devices that are associated with the first backup tree.

Abstract: Examples relate to dynamic allocation of flow table capacity. In some examples, packet-in events of a networking device are monitored and processed to create active flow entries in a flow table. After detecting that the packet-in events at the networking device exceed an overload threshold, the active allocation of the flow table is increased. At this stage, a backup flow is removed from the flow table based on the active allocation.

Abstract: Example implementations disclosed herein can be used to generate composite network policy graphs based on multiple network policy graphs input by network users that may have different goals for the network. The resulting composite network policy graph can be used to program a network so that it meets the requirements necessary to achieve the goals of at least some of the network users. In one example implementation, a method can include receiving multiple network policy graphs, generating composite endpoint groups based on relationships between endpoint groups and policy graph sources, generating composite paths based on the relationships between the endpoints and the network policy graphs, generating a composite network policy graph based on the composite endpoint groups and the composite paths, and analyzing the composite network policy graph to determine conflicts or errors.

Abstract: Example implementations disclosed herein can be used to allocate network resources in a software defined network (SDN). In one example implementation, a method can include receiving a plurality of resource allocation proposals from a plurality of controller modules, instructing the controller modules to generate votes for the plurality of resource allocation proposals, and selecting one of the plurality of resource allocation proposals based on the votes to instantiate the selected resource allocation proposal in the SDN.

Abstract: Placing virtual machines (VMs) on physical hardware to guarantee bandwidth includes obtaining a Tenant Application Graph (TAG) model, the TAG model representing a network abstraction model based on an application communication structure between VMs of components, determining bandwidths for the components based on the TAG model, and placing the VMs of the components on physical hardware based on the bandwidths for the components.