Abstract: A network device has an input configured to receive a message relating to a given device attempting to forward one or more packets across a computer network. The message has given device information relating to the given device. In addition, the routing device also has a selector, operatively coupled with the input, configured to select (after receiving the given data) a given group routing policy from a plurality of group routing policies. Preferably, the selector is configured to select the given group routing policy as a function of the given device information. The routing device also has an output operatively coupled with the selector. The output is configured to cause routing of device communication across the network using link-layer routes specified by the given group routing policy.

Abstract: Provided is a wireless communication terminal that wirelessly communicates. The wireless communication terminal includes: a transceiver for transmitting and receiving a wireless signal; and a processor for processing the wireless signal. The processor is configured to perform a transmission based on a transmission opportunity (TXOP) limit which is a maximum value of a TXOP, which is a time interval in which a wireless communication terminal has a right to initiate a frame exchange sequence in a wireless medium.

Abstract: A technique for content proxying is described. The technique includes receiving from a first device a stream of data. The stream of data is formatted in a format that does not indicate content length in a header. A received payload of the stream of data is encoded into a data chunk including a chunk length header and the received payload. The data chunk is forwarded to a second device that does not support the format.

Abstract: The present disclosure includes a memory system, a memory controller, and an operation method thereof. The memory system may cache a subset of all map segments in a mapping table indicating mapping information between logical addresses and physical addresses in a map cache, may select map segments on which locking is to be set from the map segments cached in the map cache so as not to be evicted from the map cache based on information on all commands received from a host during a set period of time, and may set lock flags for the map segments on which locking is to be set. Accordingly, the memory system may reduce the overhead occurring in reloading previously evicted map segments in the process of updating a mapping table, and may optimize update performance for a mapping table within a limit that guarantees caching performance to a predetermined level or higher.

Abstract: An apparatus includes a message receiver circuit that receives, at a port of a network node, a message from a neighboring network node. The message includes a maximum transmission unit (“MTU”) of the neighboring network node. The network nodes communicate using a layer-2 protocol. The apparatus includes a comparison circuit that determines if the received MTU is larger than an MTU for the port, and an approval circuit that, after determining that the received MTU is larger than the port's MTU, determines if the received MTU is supported by the network node. The method includes an increase circuit that, after determining that the received MTU is supported, changes the MTU of the network node's ports to match the received MTU, and a message circuit that, after determining that the received MTU is supported, sends a message with the MTU to network nodes connected to ports of the network node.

Abstract: One method occurs at a network test system implemented using at least one processor. The method includes receiving configuration information for configuring a network testing scenario comprising an emulated switching environment, wherein the configuration information includes topology information defining the emulated switching environment; configuring, using the configuration information, the emulated switching environment including allocating, using a switch application-specific integrated circuit (ASIC) resource allocator, resources of at least one physical ASIC switch to multiple emulated switches; and configuring, using the configuration information, a test session for testing a system under test (SUT) using the emulated switching environment and a network visibility infrastructure for obtaining performance information associated with the test session.

Abstract: Systems and methods for automatically configuring security groups during data protection operations including disaster recovery operations. In preparation for recovering a source site to a target site, security information at the source site is collected and classified. The classified security information is stored as a disaster recovery plan at least for security aspects of the disaster recovery process. The disaster recovery plan can be implemented at the target site such that security risks are minimized and connectivity errors are minimized during the recovery process.

Abstract: In some examples, a network device may determine whether a first egress network device is segment routing (SR) aware. Based on the first egress network device being SR aware, the network device may initiate establishment of an SR tunnel toward the first egress network device. The network device may forward multicast traffic on the SR tunnel. The network device may also determine whether a second egress network device is SR aware. Based on the second egress network device not being segment routing aware, the network device may initiate establishment of a non-SR tunnel toward the second egress network device. The network device may forward multicast traffic on the non-SR tunnel.

Abstract: A first network device may communicate, in association with a tunnel establishment network protocol, with a second network device to cause a network tunnel between the first network device and the second network device to be established. The first network device may determine, based on communicating with the second network device to cause the network tunnel to be established, that the network tunnel is to support network micro-tunnel functionality within the network tunnel. The first network device may communicate, based on determining that the network tunnel is to support network micro-tunnel functionality, with the second network device to identify a traffic class, of one or more traffic classes, to which network micro-tunnel functionality within the network tunnel is to be applied. The first network device may cause a network micro-tunnel to be established within the network tunnel for traffic associated with the traffic class.

Abstract: A dynamic controller to automatically generate layer 3 network connections between devices and/or networks associated with a virtual computing environment in response to a request for such connections is provided such that communications associated with the computing environment may be transmitted between the endpoints. For example, the dynamic controller may connect one or more cloud service provider networks, one or more customer-controlled data centers, one or more customer networks, and the like, based on information provided in a connection request. A layer 3 communication controller may also be instantiated within a core network that manages the flow of communications between the connected networks, such as by translating messages between the connected networks so that messages intended for a connected network may match the supported communication protocols of that network and/or providing one or more security features to the transmitted communications.

Abstract: Presented herein are techniques to facilitate that enable notifications to be sent to multiple consumers for Third Generation Partnership Project (3GPP) architectures. In one example, a method is provided that may include obtaining, at a first network entity, a notification subscription message from a second network entity, the notification subscription message comprising a plurality of notification identifiers associated with the second network entity for notifications that are to be communicated to the second network entity, wherein the plurality of notification identifiers are indicated, at least in part, in a header of the notification subscription message; and communicating one or more notifications to the second network entity, wherein the one or more notifications are load-shared among the plurality of notification identifiers associated with the second network entity.

Abstract: A method for enabling access to varying route attribute states during routing policy application on network devices. Concerning routing policy configurations, it is currently possible to evaluate network routes based on a singular state of one or more route attributes. In some scenarios, however, access to more than one state of the route attribute(s) is desirable. In addressing these scenarios, the disclosed method introduces state namespaces through which different states of the routing attribute(s) are maintained and accessed.

Abstract: A network device has an input configured to receive a message relating to a given user attempting to forward one or more packets across a computer network. The message has given user information relating to the given user. In addition, the routing device also has a selector, operatively coupled with the input, configured to select (after receiving the message) a given group routing policy from a plurality of group routing policies. Preferably, the selector is configured to select the given group routing policy as a function of the given user information. The routing device also has an output operatively coupled with the selector. The output is configured to cause routing of user communication across the network using link-layer routes specified by the given group routing policy.

Abstract: Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node.

Abstract: Techniques are described for enabling users to establish Secure Shell (SSH) connections with compute instances running in private subnets of virtual private networks of a cloud provider network. A “bastion” compute instance, including an SSH server and specialized SSH client software, is used to enable connections to compute instances in a private subnet of a virtual private network. A bastion instance is a server designed to be a primary point of access from the internet (e.g., by its inclusion in a public subnet of a virtual private network) and acts as a proxy for compute instances running in a private subnet of a virtual private network. The ability for a bastion instance to establish connections to instances in a private subnet is based on a role attached to the bastion instance, where the role may be defined using an identity and access management service of the cloud provider network.

Abstract: A power/data transmission breakout system includes a power/data transmission breakout device coupled to a powering device and each of a plurality of powered devices. The power/data transmission breakout device receives power and data from the powering device via a first power/data cable that is connected to the power/data transmission breakout device, and identifies a first powered device as a destination for the data. The power/data transmission breakout device then transmits a respective subset of the power that was received from the powering device via each of a plurality of second power/data cables that are each connected to the power/data transmission breakout device and a respective one of the plurality of powered devices, and transmits the data along with the respective subset of the power that was received from the powering device via the second power/data cable that is connected to that first powered device.

Abstract: A system, method and apparatus for routing traffic in ad-hoc networks. A routing blockchain network processes routing node information proposals received from manager nodes of network clusters. Performance metrics of one or more nodes in the system are verified using distributed ledger techniques and provided to the manager nodes as updates to each manager node's routing information. The manager nodes further determine routing paths for ad-hoc communication requests based on an authentication event that defines conditions necessary to route traffic streams in association with a particular resource.

Abstract: Disclosed is a method of establishing secure communications. The method includes receiving an attestation parameter associated with a first peer in a potential peer-to-peer communication, adding the attestation parameter to an MACsec Key Agreement (MKA) protocol key exchange, transmitting the key exchange from the first peer to a second peer in the potential peer-to-peer communication and upon a validation of the attestation parameter by the second peer, enabling secure communication between the first peer and the second peer.

Abstract: Systems and methods are provided for detecting MAC/IP spoofing attacks on networks. A method may include authenticating a network device for access to a network using a Media Access Control (MAC) address and an Internet Protocol (IP) address of the network device; wherein an attacking device is connected to the network, and to the network device, by a network hub; wherein the attacking device spoofs the MAC address and the IP address of the network device; establishing a Transport Control Protocol (TCP) connection with the network device subsequent to authenticating the network device; sending at least one TCP keepalive message to the IP address of the network device, wherein, responsive to receiving the TCP keepalive message, the attacking device transmits a TCP reset (RST) message; receiving the TCP RST message; and determining the attacking device is present in the network responsive to receiving the TCP RST message.

Abstract: A dynamic SRMS (DSRMS) in a MPLS network generates unique segment identifiers for nodes of the network lacking segment identifiers (SIDs). The DSRMS receives network information from other nodes of the network that may include, for example, Internal Gateway Protocol (IGP) routing information, advertised prefix values for the nodes, and label values used in MPLS routing. The DSRMS analyzes the information and identifies nodes of the network that are not associated with a SID. For each identified node, the DSRMS generates a unique SID and then announces the SID to other nodes within the network. Generating the unique SID may include executing a hashing function using the IP address of the identified node as an input.

Abstract: The invention introduces an apparatus for searching linked lists at least including: a memory arranged to operably store a linked list; a linked-list search engine arranged to operably search content of the linked list until a search success or fail and generate a search result; and a processing unit arranged to operably write the content of the linked list into the memory, drive the linked-list search engine to start a search on the linked list and obtain the search result from the linked-list search engine.

Abstract: In one embodiment, a computer network system, includes a plurality of mesh networks, each mesh network including at least three interconnected respective internal switches with each respective internal switch being connected to each other one of the respective internal switches via a respective internal network connection, and Clos topology network connections connecting the mesh networks in a Clos topology arrangement.

Abstract: A system described herein may provide a technique for intercepting user equipment (“UE”) traffic based on granular characteristics specified by a law enforcement agency (“LEA”) or other authorized requestor. The granular characteristics may indicated a content type, keywords, and/or other characteristics that the requestor may desire to intercept. Traffic attributes, which may be different from the granular characteristics, may be identified based on the granular characteristics. Network components suited to intercepting traffic having the identified attributes may be provisioned to intercept the traffic.

Abstract: In an example, when a network device receives a route advertised by a Border Gateway Protocol (BGP) neighbor, the network device distributes the route to hardware thereof, records the route into a linked list of routes to be advertised, and determines a BGP state of the device. If the BGP state indicates waiting to advertise a route, the network device updates the BGP state to advertising a route after a set time length and advertises a route in the linked list of routes to be advertised. If the BGP state indicates advertising a route, the network device advertises a route in the linked list of routes to be advertised.

Abstract: A disclosed method may include (1) identifying, by a PE router, a conditional advertisement policy that requires installation of at least one address of an active service appliance within a routing table to trigger advertising a route for the active service appliance to one or more additional PE routers, (2) inspecting the routing table for the installation of the address of the active service appliance, (3) determining, based at least in part on the inspection, that the address of the active service appliance is installed in the routing table, (4) determining that the PE router has satisfied the conditional advertisement policy due at least in part to the address of the active service appliance being installed in the routing table, and then in response, (5) directing the PE router to advertise the route to the additional PE routers. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A routing system can provide a Dynamic-Hybrid Forwarding Information Base (DHFIB). A control component of the routing system can build a routing table that includes routing information (e.g., prefixes, addresses, etc.) for use by a first routing component. The routing table can be ordered or ranked based on traffic information from the first routing component. Then, the control component can create the DHFIB from the routing table, wherein the DHFIB is a portion of the routing table and related to the first routing component. As such, the portion of the routing table selected for the DHFIB can be the set of prefixes in the routing table that represent the most frequently routed or most important prefixes in the routing table. Finally, the control component can forward the DHFIB to the first routing component to allow the routing component to route communications.

Abstract: A circuit used in a network device, which includes a memory and an analyzer. The memory stores an ACL look-up table, wherein the ACL look-up table includes multiple ACL rules, and each ACL rule contains at least a comparison field, a control field, and a logical operation field. The comparison field includes comparison information of a communication protocol, the control field indicates whether said each ACL rule needs to be combined with a next ACL rule, and the logic operation field indicates a logical operation used when said each ACL rule needs to be combined with the next ACL rule. The analyzer is configured to sequentially compare the packet according to multiple ACL rules recorded in the ACL look-up table, so as to generate at least one comparison result for determining the processing method of the packet.

Abstract: Provided are a method and a device for determining and sending a priority of a packet, and a routing system. The method comprises: receiving an ARP packet; determining the white list protection entry of the ARP packet according to the dynamic routing protocol subscription information. By means of the present disclosure, the technical problem in the related art that the ARP packet cannot be interacted normally due to an ARP attack is solved.

Abstract: A reverse network tracing mechanism is described. In an embodiment, a network information request is received that is addressed to a predetermined destination. It is determined that the network information request has an expired timer and a message is returned indicating that a return network path routing procedure has been initiated. After determining that the network information request has an unexpired timer, contents of the network information request are modified to enable identification of at least a portion of the return path from the predetermined destination to a source address of the network information request.

Abstract: Techniques are described for distributing, to a distributed network of central stations, alarm events detected in monitoring system data collected by sensors included in monitoring systems located at monitored properties. A system receives monitoring system data collected by sensors included in monitoring systems located at monitored properties, tracks alarm events detected within the monitoring system data, and generates, for central station servers in a distributed network of central stations, load profiles that reflect a volume of alarm events being handled at each of the central station servers at a particular period of time. The system determines capacities to handle additional alarm events for the central station servers, determines relative priorities for the central station remote servers based on the determined capacities, and directs subsequent alarm events to the central station servers based on the relative priorities.

Abstract: Example methods are provided for a host to perform packet handling based on a microprocessor architecture configuration that includes a first node and a second node. One example method may comprise detecting, from a virtualized computing instance supported by the host, an egress packet for transmission to a destination via one of multiple physical network interface controllers (PNICs) of the host. The method may also comprise: identifying the first node assigned to the virtualized computing instance and selecting a first PNIC associated with the first node assigned to the virtualized computing instance. The multiple PNICs may include the first PNIC, and a second PNIC associated with the second node. The method may further comprise sending the egress packet to the destination via the first PNIC associated with the first node.

Abstract: Some embodiments provide a method for an edge computing device in a first datacenter that implements a logical network gateway for processing data traffic for a particular LFE between the first datacenter and multiple other datacenters. For each particular other datacenter, the method stores a record that maps logical network addresses for DCNs connected to the particular LFE and operating in the particular datacenter to a group of TEP addresses corresponding to logical network gateways that handle data traffic for the particular LFE between the particular datacenter and the other datacenters, including the first datacenter. Upon receiving a data message for the particular LFE from a host computer in the first datacenter, the method uses a destination address of the data message to identify one of the groups of TEP addresses. The method encapsulates the data message with one of the TEP addresses from the identified group of TEP addresses.

Abstract: Embodiments of the present disclosure relate to a method, a device, and a computer program product for data processing. The method comprises determining information associated with an attribute of a data packet from a source device; determining, based on the information, a target operation to be performed on the data packet; performing the target operation on the data packet; and causing the data packet on which the target operation has been performed to be sent to a target device of the data packet. In this manner, by using advantages of programmable switches, encapsulation and decapsulation operations are introduced for communications between edge Internet of Things network devices and data center applications, which can significantly increase the throughput.

Abstract: A method is performed at a switch fabric that communicates with a storage array target port. The method includes sending frames to the target port responsive to receiving buffer-to-buffer (B2B) credits that indicate a receive buffer at the target port is available for the frames. The method further includes, in response to detecting a credit stall at the target port, operating in a virtual lane mode. The operating in the virtual lane mode includes: determining whether a frame destined for the target port is a command frame or a data frame; based on the determining, marking the frame to indicate that the frame is destined for a particular virtual lane among virtual lanes of the receive buffer; and receiving from the target port a per-virtual lane B2B credit that indicates the particular virtual lane is available and, in responsive, sending the frame to that virtual lane on the target port.

Abstract: In one embodiment, a device classification service forms a device cluster by applying clustering to telemetry data associated with a plurality of devices. The service obtains device type labels for the device cluster. The service generates a device type classification rule using the device type labels and the telemetry data. The service determines whether the device type classification rule should be revalidated by applying a revalidation policy to the device type classification rule. The service revalidates the device type classification rule, based on a determination that the device type classification rule should be revalidated.

Abstract: The embodiments herein relate to a method in a mobility management node (108) for handling overload in a communications network (100). When overload in the communications network (100) has been detected, the mobility management node (108) receives information indicating at least one blocked IP address to which access should be blocked. The mobility management node (108) receives a communication request message from a UE (101) via a RAN node (105). The communication request message is a request for communication by the UE (101). The mobility management node (108) determines that the UE's (101) request for communication should be rejected when the UE (101) is associated with a blocked IP address.

Abstract: This application provides a communication method and a communications apparatus. The communication method may includes receiving, by a first forwarding device in a mobile network, a first data packet, where the first data packet carries first data from a first terminal device, the first data packet includes a target field, information carried in the target field is used to determine target information. The target information may include information about at least one second terminal device or information about a first area, the second terminal device is a terminal device to which the first data needs to be sent, and the first area is an area to which the first data needs to be broadcast.

Abstract: This technology enables normalized lookup and forwarding for diverse virtual private networks in multi-site network fabric deployments. A source device on a first Layer 2 site transmits a frame to a destination device on the same subnet, but on a second Layer 2 site. The frame is encapsulated and routed to a fabric border node. The fabric border node matches the source subnet to the destination subnet and transmits an address request protocol (“ARP”). In response to not receiving a reply to the ARP, the fabric border node transmits a map request to a Layer 3 transit fabric control plane node. The control plane node extracts a destination identifier from the map request and determines that the destination identifier is a Layer 2 identifier. The control plane node transmits a map reply to the fabric border node, where the frame is re-encapsulated and forwarded to the destination device.

Abstract: Systems and methods are provided herein for an efficient method of tunneling that enables a network to transition from one address family to another address family with a reduction in traffic loss. This may be accomplished by updating network devices to support a second address family in addition to a first address family. Once the second address family is supported by the network devices, tunnel endpoints using those network devices can establish a second tunnel based on the second address family. As the second tunnel is established, the network continues to use a first tunnel to route network traffic while the first tunnel uses the first address family.

Abstract: A programmable network switch includes at least one pipeline including a packet parser configured to parse packets received by the programmable network switch. The programmable network switch further includes a plurality of ports for communication with a plurality of Data Storage Devices (DSDs). Packets comprising commands are received by the programmable network switch to perform at least one of retrieving data from and storing data in the plurality of DSDs. The commands are sent by the programmable network switch to the plurality of DSDs via the plurality of ports, and the use of each port for sending the commands is monitored. According to one aspect, it is determined which port to use to send a command based on the monitored use of at least one port of the plurality of ports.

Abstract: Indications of packet processing operations to be performed for packets of a resource group, as well as configuration settings of the group, are obtained. A packet that satisfies a requirement of the configuration settings and meets a fast path criterion is processed at a fast path node configured for the group. In response to determining that another packet does not satisfy a criterion for fast path processing, the other packet is transmitted to an exception path target.

Abstract: Anomaly detection for one or more streams of time-series data can use an encoder/decoder pair, such as in a variational autoencoder (VAE) in combination with an aggregator or classifier, such as a random isolation forest (RIF). A particular application relates to detecting anomalies in network updates in a large number of network devices that can transmit the updates to a collector for analysis. The encoder/decoder pair can include a neural network with long short-term memory cells or similar type cells. Using the combination, a single anomaly score can be produced from multiple streams of the time-series data.

Abstract: A multi-thread processor has a canonical thread map register which outputs a sequence of thread_id values indicating a current thread for execution. The thread map register is programmable to provide granularity of number of cycles of the canonical sequence assigned to each thread. In one example of the invention, the thread map register has repeating thread identifiers in a sequential or non-sequential manner to overcome memory latency and avoid thread stalls. In another example of the invention, separate interrupt tasks are placed on each thread to reduce interrupt processing latency.

Abstract: A network device is described that includes one or more processors configured to select a prioritized sub-set of a plurality of routing protocol sessions based on peer priority information. The one or more processors are configured to establish one or more routing protocol sessions of the prioritized sub-set. The one or more processors are configured to, in response to determining that a threshold for establishing the prioritized sub-set of the plurality of routing protocol sessions is satisfied, establish one or more routing protocol sessions of the plurality of routing protocol sessions that are not included in the prioritized sub-set. The one or more processors are configured to forward network traffic using the established one or more routing protocol sessions of the prioritized sub-set and the established one or more routing protocol sessions of the plurality of routing protocol sessions that are not included in the prioritized sub-set.

Abstract: A method and apparatus of a device that starts an address resolution service on a network element after a boot-up of this network element is described. In an exemplary embodiment, the network element sends an indication of the boot-up. The network element further sends a request for an address resolution table and receives a reply with the requested address resolution table. In addition, the network element starts the address resolution service using the requested address resolution table.

Abstract: One embodiment provides a method, including: receiving, at an aggregate server, messages from each of a plurality of entities, each of the plurality of entities formatting a message sent from a given entity in a message structure corresponding to the given entity; analyzing the received messages, wherein the analyzing comprises identifying the message structure of the message, identifying elements of the message based upon the message structure, and extracting at least one actionable portion of the message based upon the identified elements of the message, wherein the at least one actionable portion comprises a portion of the message corresponding to an interest of an entity associated with the aggregate server, wherein the analyzing comprises discarding portions of the message not related to the interest, wherein the analyzing comprises; and performing an action based upon the at least one actionable portion of the message. Other aspects are claimed and described.

Abstract: The present disclosure discloses a flow specification (FlowSpec) message processing method. In the method, a controller forwards device interface information reported by the forwarding device; selects at least one forwarding device interface to which a FlowSpec rule needs to be applied from the received forwarding device interface information; generates an application interface rule based on the at least one forwarding device interface to which the FlowSpec rule needs to be applied; and sends a FlowSpec message to the forwarding device.

Abstract: A software updating method is applied in a device governing an internet of things (IoT). A public key of a server and software updating information of an adjacent device is broadcast as control information by the server, the IoT device encrypts the software updating information according to the public key of the adjacent device, sends the encrypted software updating information to the adjacent device, and downloads software updating information from the adjacent device. When the control information includes address for storing the software in the server and the software updating information of the adjacent device, the IoT device downloads the software corresponding to the software updating information from the adjacent device.

Abstract: Systems, apparatuses, and methods for implementing real-time, low-latency packetization protocols for live compressed video data are disclosed. A wireless transmitter includes at least a codec and a media access control (MAC) layer unit. In order for the codec to communicate with the MAC layer unit, the codec encodes the compression ratio in a header embedded inside the encoded video stream. The MAC layer unit extracts the compression ratio from the header and determines a modulation coding scheme (MCS) for transferring the video stream based on the compression ratio. The MAC layer unit and the codec also implement a feedback loop such that the MAC layer unit can command the codec to adjust the compression ratio. Since the changes to the video might not be implemented immediately, the MAC layer unit relies on the header to determine when the video data is coming in with the requested compression ratio.

Abstract: A memory system is disclosed, which relates to technology for implementing data communication between memory devices. The memory system includes a plurality of memory devices and a memory controller. The memory devices allow a data packet composed of data and header information to be directly communicated between the memory devices. The memory controller transmits the data packet to a source memory device from among the plurality of memory devices, and receives the data packet from a last memory device from among the plurality of memory devices. Each of the memory devices hashes the header information such that the data is accessed, using a result of the hash, in address regions located at different positions.