Abstract: A network is programmed to, based on a service function policy, determine a first service function chain of services to apply to outbound packets of a first type that arrive at a serving gateway; upon classifying a first outbound packet arriving at the serving gateway as the first type based on an identifier of the first outbound packet, route the first outbound packet to the services of the first service function chain; map the identifier to the first type such that the mapping is accessible by the packet gateway; determine a second service function chain of the same services to apply to inbound packets of the first type that arrive at a packet gateway; and upon classifying a first inbound packet arriving at the packet gateway as the first type based on the mapped identifier, route the first inbound packet to the services of the second service function chain.

Abstract: This technology enables directed broadcasts in network fabrics. A control plane node is configured to resolve directed broadcast addresses by mapping the directed broadcast address to a subnet address. A fabric border node receives a directed broadcast, extracts a destination address, and transmits a request to the control plane node to resolve the destination address. The control plane node retrieves the stored mapping and generates a map reply with a multicast destination. The fabric border node encapsulates and forwards the directed broadcast to fabric edge nodes, which decapsulate the directed broadcast and deliver a data set from the directed broadcast to appropriate end point devices. Each fabric edge node may be enabled to determine if the fabric edge node may be connected to a silent host and, based on that determination, request the fabric border node to be added to the multicast destination to receive the directed broadcast.

Abstract: Systems and methods for implementing two-way tire pressure monitoring system (TPMS) learning and authenticated pairing. A random value may be used to determine a test value and a pairing PIN by use of a HMAC (Hash-based Message Authentication Code) function and a pre-shared key that is accessible to a TPMS sensor and a vehicle (e.g., controller system thereof). The random value and test value may be broadcasted by the TPMS sensor and received by the vehicle. The vehicle may calculate the pairing PIN using the random value and the pre-shared key.

Abstract: In some examples, a computing device comprises a first service function instance to apply a service function and a service function forwarder to: receive a first layer 3 routing protocol route advertisement that includes service function instance data for a second service function instance, the service function instance data indicating a service function type and a service identifier for the service function instance; receive a second layer 3 routing protocol route advertisement that includes service function chain data for a service function chain, the service function chain data indicating a service path identifier and one or more service function items; and send, to the second service function instance and based at least on determining a service function item of the one or more service function items indicates the second service function instance, a packet classified to the service function chain.

Abstract: This disclosure describes techniques are described for proactively computing configuration information for policy-driven on-demand tunnel creation and deletion between sites in a software-defined networking in wide area network (SD-WAN) environment. In some examples, a controller device is configured to precompute configuration data for an overlay tunnel through the wide area network to connect a first site and a second site of a plurality of sites in the SD-WAN environment. The controller device is further configured to obtain, after precomputing the configuration data, an indication to configure the overlay tunnel. The controller device is also configured to send, in response to receiving the indication to configure the overlay tunnel, at least some of the configuration data to the first site to configure the first site with the overlay tunnel.

Abstract: A framework for joint computation, caching, and request forwarding in data-centric computing-based networks comprises a virtual control plane, which operates on request counters for computations and data, and an actual plane, which handles computation requests, data requests, data objects and computation results in the physical network. A throughput optimal policy, implemented in the virtual plane, provides a basis for adaptive and distributed computation, caching, and request forwarding in the actual plane. The framework provides superior performance in terms of request satisfaction delay as compared with several baseline policies over multiple network topologies.

Abstract: Systems and methods for a virtual network routing gateway that supports address translation for data plane as well as dynamic routing protocols are disclosed herein. The method can include coupling a gateway with a plurality of ports to a network having a plurality of first IP addresses in a private address space, generating a Network Address Translation (“NAT”) function in the gateway, inputting translation information into the NAT function, advertising routes based on the translation information, populating a unified routing table in the gateway based on the plurality of first IP addresses in the private address space and on translated route advertisements, receive an inbound network packet at the gateway, translating an inbound address of the inbound network packet with the NAT function, and delivering the network packet according to the routing table and based on the translated inbound address.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may receive, from a network, a procedure rejection message for non-cellular access at a non-access stratum (NAS) layer, and provide a first congestion indication from the NAS layer to lower layers for non-cellular access based at least in part on the receiving the procedure rejection message. The UE may refrain, at the lower layers, from initiating establishment of a signaling connection based at least in part on the first congestion indication. Numerous other aspects are provided.

Abstract: Presented herein are techniques to analyze network traffic and equipment based on telemetry generated by a plurality of network devices. A method includes generating first telemetry at a first network device, receiving, at the first network device, via an Internet Protocol anycast addressing scheme, at least one of second telemetry generated at a second network device, and third telemetry generated at a third network device, performing, on the first network device using a local processing unit, first analytics on the first telemetry, performing, on the first network device using the local processing unit, second analytics on the at least one of the second telemetry and the third telemetry, and transmitting data resulting from the first analytics and the second analytics to a fourth network device.

Abstract: A system can include a memory and a processing device, operatively coupled to the memory, to perform operations including receiving a header block of an ordered set of blocks. The header block includes a header block payload and a first digest. The operations further include authenticating, based on the header block payload, the header block, and receiving a first data block of the ordered set of blocks. The first data block includes a first data block payload and a second digest. The operations further include authenticating, based on the first digest, the first data block, and processing the first data block payload.

Abstract: A cable assembly includes connectors and protection switching circuitry. A first connector connects the cable assembly to a first switch, which has a first network path to a first host device. A second connector connects the cable assembly to a second switch, which has a second network path to the first host device. A third connector is connected to the first and second connectors via respectively a first cable and a second cable and connects the cable assembly to a second host device. The protection switching circuitry is embedded in the cable assembly and: establishes a communications connection to transfer data between the host devices using a first data path, which includes the first network path, connector, cable, and switch; determines the first data path is degraded; and in responsive, switches the communications connection to a second data path, which includes the second network path, connector, cable, and switch.

Abstract: A memory attachment and routing chip includes a single die having a set of external ports; at least one memory attachment interface comprising a memory controller to attach to external memory, and a fabric core in which routing logic is implemented. The routing logic can (i) receive a first packet of a first type from a first port of the set of ports, the first type of packet being a memory access packet with a memory address which lies in a range of memory addresses associated with the memory attachment and routing chip, detect the memory address and route the packet of the first type to the memory attachment interface. The routing logic can (ii) receive a second packet of a second type, the second type of packet being an inter-processor packet comprising a destination identifier identifying a processing chip external to the memory attachment.

Abstract: Presented herein are techniques to provide an operator-encrypted application specific user equipment (UE) route selection policy (URSP) to a UE via different network elements and/or distribution techniques. In one example, a method may include obtaining, by a network element, a policy object from a policy function of a mobile network operated by a mobile network operator, wherein the policy object comprises an application specific user equipment route selection policy (URSP) for an application in which the application specific URSP is encrypted by the policy function; and providing, by the network element, the policy object to a user equipment that has at least one session established with the mobile network, wherein the user equipment is to decrypt the application specific URSP to facilitate network communications for the application via the user equipment.

Abstract: Various embodiments of a scanning engine are described. In some embodiments, the scanning engine comprises discovery components associated with different Internet providers and/or protocol detection components associated with the different Internet providers. When a first discovery component associated with a first Internet provider does not receive a response from a port at an Internet address, then a second discovery component associated with a second Internet provider sends packets to that port at that Internet address to attempt to elicit a response. When a first protocol inspection component associated with a first Internet provider is not able to communicate with a port at an Internet address, then it provides information that can be obtained by a second protocol inspection component associated with a second Internet provider. That second protocol inspection component attempts to communicate with the port at the Internet address through the second Internet provider using various communication protocols.

Abstract: The present disclosure is directed to BIER forwarding over varying BSL domains, the methods including the steps of receiving, at a border node, a packet comprising a BIER header having a BIER bit string with a first bit string length; reading an incoming label of the packet comprising instructions to split the BIER header into a plurality of smaller headers associated with a plurality of smaller bit strings; generating a set of split bit masks; performing a separate bitwise AND operation on each split bit mask and the BIER bit string to generate the plurality of smaller bit strings, each copied to a corresponding smaller header of the plurality of smaller headers; and performing a lookup for each of the plurality of smaller headers on a respective forwarding table to determine one or more egress routers to which to transmit the packet.

Abstract: Provided is a relay device including: a relay unit configured to perform a relay process for a frame transmitted and received between the function units; and a relay management unit. The relay unit receives, from a function unit, a target frame which is transmitted and received according to a predetermined communication protocol and includes information with which a request source of a service is identifiable and information with which a content of the requested service is identifiable, duplicates target data which is at least a part of the received target frame, outputs the duplicated target data to the relay management unit, and relays the received target frame to another function unit. The relay management unit performs determination regarding setting change in the relay process of the relay unit, on the basis of the target data received from the relay unit.

Abstract: Disclosed herein are system, method, and computer program product embodiments for compressing metadata in a Software-as-a-Service (SaaS) system. A metadata compression service operating on a computing device detects one or more global properties in entity metadata of each tenant in a plurality of tenants. The metadata compression service partitions the plurality of tenants into one or more groups and identifies common properties in each group. The metadata compression service compiles the one or more global properties in a global-level list and the one or more common properties for each group in a group-level list. The metadata compression service obtains one or more tenant-specific properties in the entity metadata of each tenant in the plurality of tenants and defines a data structure of an entity object for the tenant using the global-level list, the group-level list for the group that contains the tenant, and the one or more tenant-specific properties.

Abstract: An edge utility management method includes receiving an application to be deployed on an edge device, wherein the application comprises a plurality of separately-deployable application parts; obtaining application profiles for one or more of the applications parts; obtaining hardware profiles for one or more hardware resources of the edge device; deploying the application parts to selected hardware resources based on the application profiles and the hardware profiles; and facilitating communication between the deployed application parts during execution of the application.

Abstract: A session border controller has a processor operable to receive a message from a connected peer node. The processor inputs the message to a Message Manipulation Function, MMF, which identifies the message as a SIP message, and in response obtains external state data associated with the message from a source independent from the message. The external state data is provided to the MMF. The SIP message is modified using the MMF according to one or more conditions or rules associated with the received external state data; and the modified message is output.

Abstract: A packet transmission method includes a first virtual extensible local area network tunnel endpoint (VTEP) receiving a first packet from a first host and sending a second packet to a third VTEP based on a first IP address corresponding to the first host, where the second packet is obtained by the first VTEP by encapsulating the first packet, where the first host is multi-homed to a second VTEP and the first VTEP, where the second VTEP is configured to send a packet from the first host to the third VTEP based on a second Internet Protocol (IP) address corresponding to the first host, and where the first IP address is the same as the second IP address.

Abstract: Address resolution information acquisition (ARIA) for a computing device is described. In some examples, ARIA includes a computing device (e.g., an Internet of things (IoT) node, a gateway, a server) determining, without use of an address resolution protocol (ARP), address resolution information of one or more other computing devices (e.g., a IoT node, a gateway, a server). In one example, the computing device uses data flowing to or from its application layer, transport layer, or network layer to determine address resolution information of another computing device. The address resolution information can comprise one or more of a link layer address (e.g., a media access control (MAC) address) and an Internet layer address (e.g., an Internet protocol (IP) address). Usage of a cache for storing or deleting address resolution information can also be part of ARIA.

Abstract: A transmission pipe configuration method, including receiving a device address of a first network domain, a device address of a second network domain from, generating an identifier of a transmission pipe based on the device address of the first network domain and the device address of the second network domain, where the transmission pipe connects a first border transport device and a second border transport device, and sending to the first border transport device, the identifier of the transmission pipe and the device address that is of the second network domain and that corresponds to the transmission pipe. The identifier of the transmission pipe and the device address are used to generate a forwarding table of the first border transport device, the forwarding table indicating a forwarding relationship where service data is forwarded from the first network domain to the second network domain using the transmission pipe.

Abstract: Methods and apparatus are disclosed herein for coordinating seamless service continuity to Edge Application Server (EAS) at relocation in a cellular communications system. In some embodiments, an Application Function (AF) sends to a Policy Control Function (PCF) a steering request comprising a keepExistingPSA indication that indicates that a current user plane (UP) path to a current Data Network Access Identifier (DNAI) and to an EAS should be maintained while a new path to a new DNAI and EAS is established. The PCF generates Policy and Charging Control (PCC) rules including the keepExistingPSA indication, and provides the PCC rules to a Session Management Function (SMF). The SMF determines, based on the keepExistingPSA indication, that simultaneous connectivity over the source PSA and the target PSA is to be provided, and configures the target PSA while maintaining the UP connectivity over the source PSA to the current DNAI and to the EAS.

Abstract: Described in example embodiments herein are methods and systems for implementing sending packets from a first network node to a second network node. Packets belonging to the same session may be sent through the same or different tunnels. The second network node processes packets belonging to the same session using the same core. In accordance with an example embodiment, the first network node informs the second network code the core to process the packets. Optionally, selection of core at the second network node is assisted by a core identity created by the first network based on the session. The core identity may be stored in the header or payload of the packets. In an example embodiment, the second network determines the core for processing packet belonging to the same session.

Abstract: Aspects of the subject disclosure may include, for example, obtaining traffic that is conveyed at least in part within a private cloud network, based on the obtaining, identifying characteristics of the traffic, and based on the identifying of the characteristics of the traffic, causing at least one action to be performed within the private cloud network. Other embodiments are disclosed.

Abstract: Some embodiments provide a method for configuring an edge computing device to implement a logical router belonging to a logical network. The method configures a datapath executing on the edge computing device to use a first routing table associated with the logical router for processing data messages routed to the logical router. The method configures a routing protocol application executing on the edge computing device to (i) use the first routing table for exchanging routes with a network external to the logical network and (ii) use a second routing table for exchanging routes with other edge computing devices that implement the logical router.

Abstract: A packet-filtering system described herein may be configured to filter packets with encrypted hostnames in accordance with one or packet-filtering rules. The packet-filtering system may resolve a plaintext hostname from ciphertext comprising an encrypted Server Name Indication (eSNI) value. The packet-filtering system may resolve the plaintext hostname using a plurality of techniques. Once the plaintext hostname is resolved, the packet-filtering system may then use the plaintext hostname to determine whether the packets are associated with one or more threat indicators. If the packet-filtering system determines that the packets are associated with one or more threat indicators, the packet-filtering system may apply a packet filtering operation associated with the packet-filtering rules to the packets.

Abstract: Methods and systems for flexible nodal layer 3 overlay of layer 2 traffic is described. A network includes an access device for receiving layer 2 traffic from user devices, a packet inspection device for inspecting the layer 2 traffic, and a layer 3 tunnel instantiation device for encapsulating the layer 2 traffic into layer 3 traffic. The layer 3 tunnel instantiation device provides a first tunnel endpoint for a layer 3 tunnel, which is connected to a second tunnel endpoint instantiated at a network gateway. The layer 3 tunnel instantiation device establishes a moveable demarcation between a layer 2 domain and a layer 3 domain with respect to the packet inspection device, where the access device and the packet inspection device operate in the layer 2 domain. The layer 3 traffic is transmitted over the layer 3 tunnel.

Abstract: A method for communicating between a first network and a second network is described. The method includes receiving, by a network device via a persistent control channel established between the network device and a server device connected to a first network, a first message that includes: (1) information indicating a tunneling protocol, and (2) information associated with a first tunneling payload. The persistent control channel is for communicating: (1) messages including control information, and (2) messages including tunneling payloads. The method also includes transmitting, by the network device to an endpoint device connected to a second network, a second message including the information associated with the first tunneling payload.

Abstract: A system and method are provided in which a first MTU (maximum transmission unit) size is determined messages traveling in a first direction along a path. A second MTU size is determined for messages traveling in a second direction along the same path. Messages are sent in the first and second directions based on the first and second MTU size, respectively. In some embodiments, different sizes are chosen for the DL MTU and the UL MTU. In some embodiments, triggers are used to proactively change the MTU size with network conditions. In some embodiments, packet segmentation may be performed at the eNB/gNB. In some embodiments, mobility support is provided with packet segmentation. In some embodiments, dedicated bearers are pre-established that support specific MTU sizes. In some embodiments, the SDAP (service data adaptation protocol) may announce the MTU size to use for a given flow on the UL.

Abstract: A server fabric adapter (SFA) communication system is disclosed. In some embodiments, the SFA communication system comprises an SFA communicatively coupled to a plurality of controlling hosts, a plurality of endpoints, and a plurality of network ports. The SFA is configured to receive a network packet from a network port of the plurality of network ports; separate the network packet into different portions, each portion including a header or a payload; map each portion of the network packet to: (i) a controlling host of the plurality controlling hosts, the controlling host being designated as a destination controlling host, or (ii) an endpoint of the plurality of endpoints, the endpoint being designated as a destination endpoint; and forward a respective portion of the network packet to the destination controlling host or the destination endpoint.

Abstract: Disclosed herein are methods of forwarding data over an IP network. The methods may include receiving a packet from a source host connected to the IP network, identifying the IP address of a destination host designated in the packet, determining the location on the IP network where the destination host designated by the packet is connected, without reference to the MAC address specified in the packet, by using location-identification information stored on the IP network, and forwarding the packet to the location on the IP network where the destination host is connected without reference to the MAC address specified in the packet. Also disclosed herein are related network devices implementing such techniques and operations, as well as IP networks which include such network devices.

Abstract: A border gateway receives a first overlay packet sent by a remote acceleration gateway, where a first service request packet is encapsulated in the first overlay packet, a source Internet Protocol (IP) address of the first service request packet is an IP address of a client, and a destination IP address is a public IP address associated with a virtual machine; the border gateway decapsulates the first overlay packet to obtain the first service request packet, encapsulates the first service request packet to generate a second overlay packet, and sends the second overlay packet to a virtual forwarding device, implementing transparent transmission of a source address of a service request packet.

Abstract: A network device comprises a receive processor configured to generate respective packet descriptors that include i) respective header information extracted from headers of packets received via a plurality of network interfaces, the packets also including trailers, and ii) respective trailer information extracted from the trailers of the packets. A packet processor is configured to process the header information and the trailer information in the packet descriptors to determine actions to be performed on the packets, including determining network interfaces via which at least some packets are to be transmitted by the network device. A transmit processor is configured to transmit the at least some packets via the plurality of network interfaces in accordance with the determining of network interfaces by the packet processor.

Abstract: There is provided a method performed by a session management function (SMF) node of a network for establishing a PFCP session. A plurality of service functions (SFs) are selected (102) to connect in a service function chain for handling the PFCP session. Each of the plurality of SFs is capable of activating a feature of the PFCP session and is supported by a user plane function (UPF) node. The selection is based on a load of each of the plurality of SFs. For each UPF node that supports one or more of the selected plurality of SFs, transmission of a request is initiated (104) to the UPF node to establish the PFCP session with the UPF node. The request comprises an indication of the one or more of the selected plurality of SFs that the UPF node supports.

Abstract: A routing system can provide a Dynamic-Hybrid Forwarding Information Base (DHFIB). A control component of the routing system can build a routing table that includes routing information (e.g., prefixes, addresses, etc.) for use by a first routing component. The routing table can be ordered or ranked based on traffic information from the first routing component. Then, the control component can create the DHFIB from the routing table, wherein the DHFIB is a portion of the routing table and related to the first routing component. As such, the portion of the routing table selected for the DHFIB can be the set of prefixes in the routing table that represent the most frequently routed or most important prefixes in the routing table. Finally, the control component can forward the DHFIB to the first routing component to allow the routing component to route communications.

Abstract: A method for transferring a message in a communications network for communication between a road user and at least one further road user. The road user and the further road user each include an evaluation unit for transferring messages via the communications network. The method includes: receiving a first message in the evaluation unit, the first message including message segments, each including a priority value; determining an instantaneous capacity utilization of the communications network; filtering message segments to be transferred out of the first message, based on the priority values and the instantaneous capacity utilization of the communications network; and generating a second message including the message segments to be transferred, and sending the second message via the communications network.

Abstract: Methods and apparatus are provided for routing Flex Ethernet (FlexE) data in a network. In an example aspect, a method comprises receiving data on a first FlexE physical layer (PHY) group, determining, from first FlexE overhead on the first FlexE PHY group, that data in one or more time slots on the first FlexE PHY group is associated with a predetermined path in the network, determining a second FlexE PHY group for the data in the one or more time slots based on at least a portion of the predetermined path in the network, and sending the data on the second FlexE PHY group.

Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.

Abstract: Systems and methods are described for electronically transmitting adaptively collapsible data across a network, whereby a baseline hierarchy of relationships based on precedence is generated for a set of data fields for data generated at an electrical system, and selecting one or more data fields for inclusion in a transmission package based on the hierarchy of relationships and a configurable condition, the configurable condition serving to potentially collapse (or deprecate) a data field, setting a status subfield to indicate inclusion or exclusion of the data field in a payload region of the transmission package and, when a particular data field is to be omitted, including only the status subfield for that data field and omitting the data corresponding to the data field.

Abstract: In some implementations, a first network device may encode Internet Protocol version 4 (IPv4) network layer reachability information (NLRI) using Internet Protocol version 6 (IPv6) next hop encoding to generate encoded IPv4 NLRI. The first network device may include information indicating border gateway protocol (BGP) labeled unicast (BGP-LU) in the encoded IPv4 NLRI. The first network device may advertise the encoded IPv4 NLRI. The first network device may establish a communication session with a second network device, wherein the communication session is established via an IPv6 core network. The first network device may forward, via the communication session, one or more IPv4 packets using the encoded IPv4 NLRI.

Abstract: The technology described herein is directed towards automatic virtual subnet delegation. An automated process scans the subnets of a virtual network and builds a tree of the IP space, including allocated and unused space designations. User-defined parameters and organization policy data are used to determine the number of IP addresses needed for an application or the like. By traversing the tree of existing IP space, the technology described herein finds and places a new subnet, such as to ensure a high utilization of the overall IP space or based on an alternative type-of-fit criterion. When the virtual subnet space is created in the cloud, a public cloud-specific subnet identifier is returned to the user to utilize in deploying the application. Another use of the technology described herein is to track and optimize IP space allocation for existing virtual networks in the public cloud, including to identify underutilized and/or improperly-sized subnets.

Abstract: A method includes receiving, by a network node, a first data packet from a client, wherein the first data packet includes an identifier of a service. The method further includes obtaining, by the network node, flow affinity attribute information of the service based on the identifier of the service, wherein the flow affinity attribute information of the service includes a flow affinity type of the service and a flow affinity timeout time of the service. The method further includes establishing, by the network node, a flow entry based on the flow affinity attribute information of the service in response to the first data packet being a 1st data packet in a data flow, wherein the flow entry is useable to forward a subsequent data packet in the data flow.

Abstract: Provided are a service flow transmission method and apparatus, a device, and a storage medium. The service flow transmission method includes: acquiring service flows; and performing transmission via different FlexE outgoing interfaces according to priorities of the service flows. By means of determining priorities of service flows, and performing transmission via different FlexE outgoing interfaces according to the priorities of the service flows, mutual interference between service flows can be prevented.

Abstract: Some embodiments provide a method of selecting data links for an application in a network. The method receives, from a machine implementing the application, a set of identifiers of required link characteristics. Based on at least one of the identifiers, the method selects a transport group that includes a set of optional links matching the identifiers. From the selected transport group, the method selects a link matching the set of identifiers.

Abstract: A network device includes at least one port and a processor for use in a network for communicating a packet. The processor is configured to obtain a packet header for a packet and perform telemetry using postcard and/or passport approaches. The processor uses a repurposed field in the packet header to indicate telemetry is to be performed on the packet.

Abstract: An information processing apparatus with a plurality of network interfaces is provided. The information processing apparatus comprises at least one memory that stores a set of instructions, and at least one processor that executes the instructions to control to receive a request via one of the plurality of networks, generate a response to a source of the received request, the response indicating the source of the request set as a destination address and a destination address of the request set as a source address, and in a case where the network interface having received the request is different from a network interface determined to be used for communication with a destination identified by the destination address set in the generated response, prevent the response from the different network interface.

Abstract: Techniques are disclosed for session-based load-balancing of network traffic to network service instances. In one example, a network device receives a first packet of a forward packet flow from a network service instance of a plurality of network service instances after application of a network service. The first packet specifies a Media Access Control (MAC) address of the network service instance as a source MAC address. The network device defines a session comprising the forward packet flow and a reverse packet flow and stores an association between the session and the MAC address of the network service instance. The network device determines that a second packet received from a destination device is associated with the reverse packet flow of the session. The network device forwards the second packet to the same network service instance based on the association between the session and the MAC address of the network service instance.

Abstract: In general, this disclosure describes techniques for leveraging a containerized routing protocol process to implement virtual private networks using routing protocols. In an example, a system comprises a container orchestration system for a cluster of computing devices, the cluster of computing devices including a computing device, wherein the container orchestration system is configured to: deploy a containerized application to a compute node; and in response to deploying the containerized application to the compute node, configure in the compute node a virtual routing and forwarding (VRF) instance to implement a virtual private network (VPN) for the containerized application.

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).