Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. The security appliance may be implemented on-prem or in cloud data center environments. A security appliance is set as the default gateway for intra-LAN communication. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined.

Abstract: Systems and methods are provided herein for implementing multi-table OpenFlow flows that have combinations of packet edits. This may be accomplished by a network device receiving a first flow entry with a first set of actions to be installed into a flow table. The network device may determine that the first set of actions includes edits to a plurality of fields of a matched data packet. In response, the network device may change the first set of actions of the first flow entry to edit a first field of the data packet and create a second flow entry with a second set of actions to edit a second field of the data packet. The network device may install the first and second flow entries into one or more flow tables of the network device.

Abstract: Provided are a method and an apparatus for isolating transverse communication between terminal devices in an intranet. The method includes: when receiving an ARP (Address Resolution Protocol) packet, an access device in the intranet determines whether to perform a first transverse isolation operation for the ARP packet based on a pre-stored first transverse isolation policy; and when receiving a packet, a gateway device in the intranet determines whether to perform a second transverse isolation operation for the packet according to a pre-stored second transverse isolation policy.

Abstract: The present invention relates to an apparatus and a method for performing communication in a wireless power transmission system. The present specification discloses a wireless power transmission apparatus comprising: a communication/control unit configured to perform negotiation on a first available power index with a wireless power reception apparatus; and a power conversion unit configured to create magnetic coupling of a primary coil according to the first available power index, and transmit power wirelessly to the wireless power reception apparatus. The wireless power transmission apparatus can properly adjust an available power index in a dynamic manner at a time point desired by itself according to a surrounding environment/situation, and leadingly initiate communication and authentication.

Abstract: A network device communication system can configure network devices (e.g., a primary and secondary database) to send and receive sequences messages, such as replication data, over a channel comprising a plurality of private network nodes. The messages can be generated and encrypted using one or more key pairs and changing wrapping replication keys to send and receive the messages between different types of database deployments.

Abstract: An example operation may include one or more of generating a data frame storing content of a simulation, compressing the simulation content within the data frame based on previous simulation content stored in another data frame to generate a compressed data frame, and transmitting the compressed data frame via a blockchain request to one or more endorsing peer nodes of a blockchain network for inclusion of the compressed data frame within a hash-linked chain of blocks of the blockchain network.

Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined.

Abstract: Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.

Abstract: A method for switching data between virtual machines is provided, the method includes acquiring data that is inside a physical host and needs to be sent to a destination node; determining, according to the data, whether the destination node is a node inside the physical host or a node outside the physical host; and when the destination node is a node inside the physical host, determining a destination virtual network interface card (NIC) port, and sending the data to a corresponding destination virtual machine using a virtual NIC corresponding to the destination virtual NIC port; or when the destination node is a node outside the physical host, determining a physical NIC port, and sending the data outside the physical host using a physical NIC corresponding to the physical NIC port. A corresponding apparatus and system are also provided.

Abstract: An apparatus, methods and systems for monitoring data collection in an industrial environment are disclosed. The system may include a data collector communicatively coupled to a plurality of input channels and to a network infrastructure, wherein the data collector collects data based on a selected data collection routine, a data storage structured to store a plurality of collector routes and collected data, a data acquisition circuit structured to interpret a plurality of detection values from the collected data, each of the plurality of detection values corresponding to at least one of the plurality of input channels, and a data analysis circuit structured to analyze the collected data and determine an aggregate rate of data being collected, wherein if the aggregate rate exceeds a current bandwidth allocation rate associated with the network infrastructure, then the data analysis circuit requests an increase to the current bandwidth allocation rate from the network infrastructure.

Abstract: A Software Defined Network (SDN) controller receives a detecting packet reported by a first switch and initiated by a first device. The SDN controller sends, for each of switches having an SDN connection with the SDN controller, the detecting packet and information of all downlink ports of the switch to the switch in a way that the switch is capable of sending the detecting packet through the downlink port. The SDN controller receives a response packet which is sent by a second switch and initially generated by a second device in response to receiving the detecting packet from the second switch, wherein an IP address of the second device matches a destination IP address of the detecting packet. The SDN controller sends forwarding configuration information to the second switch in a way that the second switch is capable of configuring a port through which the response packet is received.

Abstract: Some embodiments provide a method for managing control packet usage within a physical network that implements a plurality of logical networks. The method receives a tunnel monitoring configuration for a logical network. The configuration specifies control packet usage for logical datapaths between logical ports of the logical network. The method maps the logical datapaths to tunnels between host computers that host data compute nodes (DCNs) corresponding to the logical ports. Based on the mappings, the method configures control packet modules executing on the host computers to generate control packets for monitoring the tunnels based on the specified control packet usage.

Abstract: A system includes a provider network and a client network connected via a dedicated physical connection. The client network and the provider network exchange routing information using routing protocol messages, such as border gateway protocol (BGP) update messages exchanged during a BGP session. A provider network includes tag field values in outgoing routing protocol messages that indicate a portion of the provider network wherein resources of the provider network associated with a corresponding route are located. The client network may use the tag field value to determine whether to add the route to a routing table of the client network. A client network may also include tag field values in outgoing routing protocol messages to a provider network. The tag field values may indicate what portions of the provider network are to receive the routes from the client network. For example a tag field value may indicate that a route is to be propagated within a limited portion of the provider network.

Abstract: An automatic aggregated networking device backup link configuration system includes a first networking device having first interfaces, and a second networking device having second interfaces. The first networking device receives second networking device information via at least some of the first interfaces coupled via respective Inter-Chassis Links (ICLs) in an aggregated ICL to respective ones of the second interfaces, and uses the second networking device information to determine that each of the at least some of the first interfaces provide the aggregated ICL to the second networking device. The first networking device then identifies one of the first interfaces that is coupled to a respective one of the second interfaces by a link that is not part of the aggregated ICL, and automatically configures the one of the first interfaces to provide the link that is not part of the aggregated ICL as a backup link.

Abstract: A method includes allocating an identifier to each of a plurality of policies each comprising a network-isolation identifier associated with a VXWAN directive and transmitting each of the plurality of policies to one or more devices in a network.

Abstract: A method and system for optimizing internet traffic from a Local Area Network (LAN) to an internet based server utilizes a specific gamer private network (GPN) for the classified latency sensitive internet data. The method includes the steps of creating a gateway computer or a master-slaver computer (device) system within a local area network (LAN), and making this gateway computer control the internet data from any device within the LAN to an outside internet based server. The gateway computer sorts the internet data into various categories, including latency sensitive, bandwidth sensitive and exclusion that is neither latency sensitive nor bandwidth sensitive. Based on these classification results, the internet data within various categories are sent out via the respective routes, so as to achieve a smooth and efficient internet data transmission.

Abstract: An inter-cloud communication method, used to implement communication between two clouds, where virtual machines belonging to a same virtual network are created in the two clouds. A receive end cloud uses a gateway node as an entrance to external communication, and all data packets to be sent to a virtual machine in the receive end cloud are sent to the gateway node, thereby preventing a location change of the virtual machine from affecting a transmit end cloud. In addition, the data packet only needs to pass through the gateway node in the receive end cloud and a computing node on which the virtual machine that receives the data packet is located, that is, the data packet only needs two hops to reach a destination, thereby shortening a communication path, and improving inter-cloud communication efficiency.

Abstract: A cellular communication system comprising a population of cellular communication network nodes comprising a stationary core, a plurality of base stations, and at least one node having mobile station functionality; and a client tunneling functionality co-located with the node having mobile station functionality which is operative to use network topology information obtained via the mobile station functionality to initiate generation of a tunnel having a first end at the node and a second far end at the stationary core.

Abstract: Systems and methods provide for automatically generating a data model of a data center. Inventory data identifying devices in the data center is obtained by querying the devices and/or extracting the data from existing data sources. In addition, switch-to-switch data regarding the linking relationships among switches is obtained by querying the switches in the data center using a discovery protocol. Further, switch-to-server relationship data regarding the linking relationships between switches and servers is obtained at least in part by querying switches in the data center for MAC table data to identify the MAC addresses of servers connected to the switches. The inventory data, switch-to-switch relationship data, and switch-to-server relationship data is persisted to the data model of the data center, thereby providing information identifying devices within the data center and the dependencies and relationships among the devices.

Abstract: A gateway device and a configuration client for supporting selective forwarding of messages published to a group address or a virtual address in a wireless mesh network of communicatively coupled communication devices, such as a Bluetooth Mesh system. The configuration client maintains a mapping between unicast addresses of communication devices and group and virtual addresses in the network. At receipt of a message including a group or virtual address, the gateway device retrieves, from the configuration client, the unicast addresses of those communication devices collectively identified by the group or virtual address in the received message. If the retrieved unicast addresses are all serviced by the gateway device, the message is transmitted by the gateway device on all interfaces corresponding to the communication devices addressed by the retrieved unicast addresses.

Abstract: An identifier associated with a first tenant and an object for deployment into the first tenant is received. The first tenant forms part of a multitenant database system including the first tenant and a second tenant. The application includes objects in a first name space. The object is for use by an application forming part of the multitenant database system. A second namespace unique to the first tenant is determined using the identifier of the first tenant. An object in the second namespace is generated corresponding to the object in the first namespace. The generating includes mapping the object in the first namespace to the second namespace. The object is deployed in the second namespace to the first tenant. The deploying includes persisting the object in the second namespace to a tenant system forming part of the multitenant database system. Related apparatus, systems, techniques and articles are also described.

Abstract: A system and method for protocol independent receive side scaling (RSS) includes storing a plurality of RSS hash M-tuple definitions, each definition corresponding to one of a set of possible protocol header combinations for routing an incoming packet, the set of possible protocol header combinations being modifiable to include later-developed protocols. Based on initial bytes of the incoming packet, a pattern of protocol headers is detected, and used to select one of the plurality of RSS hash M-tuple definitions. The selected RSS hash M-tuple definition is applied as a protocol-independent arbitrary set of bits to the headers of the incoming packet to form a RSS hash M-tuple vector, which is used to compute a RSS hash. Based on the RSS hash, a particular queue is selected from a set of destination queues identified for the packet, and the packet is delivered to the selected particular queue.

Abstract: A method for data migration includes: receiving by a SMF current location information of a terminal; the SMF is at a core data management center, a first service and a service message are added in the SMF; determining whether it is necessary to switch a path of a business service currently in use for the terminal on the basis of the current location information and original location information of the terminal; and when the determination result is yes, migrating path information of the business service from an original business application to a target business application, the original business application corresponds to the original location information, the target business application corresponds to the current location information; the original business application and the target business application are for providing the business service to the terminal, and have subscribed to the first service.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: Discussed herein is technology for verifiable network configuration repair. A method can include adding a routing adjacency or route redistribution edge to a router of an aETG to generate an enhanced aETG (eaETG), adding, for each dETG of dETGs, static route edges to a destination of the dETG to generate an enhanced dETG (edETG), determining, for each of the edETGs, all simple paths from all sources to the destination of the edETG, determining a set of paths (pathtset) over the determined simple paths that satisfies the policies, and translating the edge additions and/or removals in the eaETG and in the edETGs to an addition and/or removal of one or more of a routing adjacency, routing filter, or static route based on the determined pathset.

Abstract: Embodiments of the present invention provide an association establishment method and apparatus. The method includes: broadcasting, by an access point AP, a trigger frame, wherein the trigger frame is used to trigger one or more unassociated stations STAs to perform uplink data transmission and indicate one or more available subchannels for random accessing of the unassociated STAs; receiving, by the AP, one or more association request messages sent on available subchannels acquired by the unassociated STAs; broadcasting, by the AP, a multi-block acknowledgement M-BA frame, wherein the M-BA frame includes one or more pieces of association acknowledgement information and the association acknowledgement information is acknowledgement information of the association request message. In this way, the AP is associated with the unassociated stations STA, and communication reliability is ensured.

Abstract: Methods and apparatus for selective histogramming are configured to histogram a total number of virtual bins over a plurality of phases using a total number of counters, wherein the total number of counters is less than the total number of virtual bins.

Abstract: An example data center system includes server devices hosting data of a first tenant and a second tenant of the data center, network devices of an interconnected topology coupling the server devices including respective service virtual routing and forwarding (VRF) tables, and one or more service devices that communicatively couple the network devices, wherein the service devices include respective service VRF tables for the first set of server devices and the second set of server devices, and wherein the service devices apply services to network traffic flowing between the first set of server devices and the second set of server devices using the first service VRF table and the second service VRF table.

Abstract: An apparatus and a method for processing an uplink signal of cable broadcasting network including: modulating uplink data to be transmitted to a broadcasting station which is located at an end of the cable broadcasting network into a plurality of symbols; performing a correlation-coding on the plurality of symbols; and outputting an analog radio frequency (RF) signal corresponding to the plurality of correlation-coded symbols are provided.

Abstract: The techniques discussed herein include an offload controller, a virtual routing controller, and/or virtual routing objects. In some instances the virtual routing controller may be configured and/or positioned to peer client premises equipment (CPE). This may include establishing an external gateway protocol session with CPE and generating a virtual routing object based at least in part on the session. In some examples, this virtual routing object may be used to configure routes between a switch and a virtual private cloud (VPC) and/or virtual machine (VM).

Abstract: Embodiments of this application provide a method and an apparatus for determining virtual machine VM migration. The method includes: after a VM is migrated, sending a gratuitous ARP packet or a RARP packet to an in-migration VTEP device; obtaining, by the VTEP device, a MAC address of the VM, searching an ARP cache table based on the MAC address, and obtaining an IP address of the VM; and constructing an ARP unicast request packet by using the IP address as a destination IP address, and if the VTEP device receives an ARP response packet sent by the VM for the ARP unicast request packet, determining that the VM is migrated.

Abstract: Examples classify a payload field within a domain name system (DNS) packet according to a level of risk associated with the payload field. Based on the classification of the payload field and based on a weight associated with the level of risk, the examples determine a value of the DNS packet. Based on the value, the examples identify whether the DNS packet is malicious.

Abstract: Processing apparatus in the form of a parallel processing configuration having a plurality of processors and at least one shared memory that is shared between the processors. Each processor is operated at a clock speed that is lower than the clock speed of the memory.

Abstract: A hosting system is provided. The hosting system includes a grid of hardware nodes for provisioning virtual servers including a first virtual server for a first user and a second virtual server for a second user. The hosting system further includes dedicated servers including a first dedicated server for the first user and a second dedicated server for the second user. A switch, in response to the first virtual server and the second virtual server having overlapping virtual local area network (VLAN) identifications (IDs), defines a first broadcast domain for the first user and a second broadcast domain for the second user, places the first virtual server and the first dedicated server in the first broadcast domain, and places the second virtual server and the second dedicated server in the second broadcast domain.

Abstract: A receiving node receives a virtual LDP initialization (vInit) message from a first node, where the vInit message comprises a request to establish a vLDP session between a requesting node and a target node. If the receiving node does not own a destination address of the vInit message, the receiving node is determined to be a relay node. The relay node inserts a relay label into the vInit message, where the relay label is an outgoing label that the relay node uses to reach the first node, and forwards the vInit message toward the destination address. If the receiving node owns the destination address, the receiving node is determined to be the target node, which extracts a stack of relay labels from the vInit message. The relay labels are used to define a return path to the requesting node for messages transmitted over the vLDP session.

Abstract: A communication apparatus includes a transmitting and receiving unit that is connected to a network and that transmits and receives data, a relaying unit that, when data is received through a communication that is not addressed to the communication apparatus, relays the communication, and a discarding unit that, when data is received through the same communication as a communication that has been relayed previously, discards the data.

Abstract: Embodiments of the present disclosure relate to assisting forwarding of multicast traffic over Ethernet Virtual Private Network (EVPN) from a multicast source to a host multi-homed to multiple provider edge (PE) devices. Embodiments are based on the inclusion of an Ethernet Segment Identification (ESI) to EVPN type-6 routes advertised by PE devices which received a multicast Join message. Other PE devices receiving such routes are able to determine whether they belong to the ES identified by the ESI and to determine whether they are designated forwarders (DFs) for the host. Furthermore, PE devices which are the DFs are configured to re-originate the EVPN type-6 routes, i.e. re-send the advertisements, indicating themselves as DFs. This ensures that a remote PE device associated with the multicast source will also send multicast traffic to such DF PE devices, which, in turn, would allow the multicast traffic to successfully reach the host.

Abstract: Aspects of the present disclosure involve systems, methods, computer program products, and the like, for implementing and utilizing one or more service labels in a Multiprotocol Label Switching (MPLS) network for delivery service through the network. The general, the service label acts to instantiate a service tunnel between two or more devices of the network, such as between a service or provider edge device and a metro device of the network. The service label is unique and arbitrary label per service to a network device. Once the service tunnel is established between the devices, one or more Internet Protocol (IP) or Ethernet services can be multiplex over the service tunnel to the network device. Also, one or more service labels (tunnels) can be established between any two or more network devices to allow for greater flexibility and scale.

Abstract: A network management (NM) computing system generates a first work zone associated with a first remote network and a second work zone associated with a second remote network. Each work zone includes a respective virtual firewall and a respective virtual jump host. The NM computing system establishes a first and second communication path between the first virtual jump host and the first remote network via a multiprotocol layer switching network system, receives a data packet including a firewall identifier associated with the first virtual firewall and a local address associated with a destination device within the first remote network, routes the data packet through the first firewall to the first virtual jump host based on the firewall identifier, and transmits, by the first virtual jump host, the data packet to the first remote network using the first communication path and/or the second communication path.

Abstract: A computer-implemented method of routing protection is provided comprising: receiving, by one or more processors of an active network element from a remote peer device, a plurality of data packets; sending, by the one or more processors of the active network element to a plurality of standby network elements, a multicast data packet comprising combined data of the plurality of data packets; receiving, by the one or more processors of the active network element from at least one of the standby network elements, an acknowledgment of receipt of the multicast data packet; and in response to the receipt of the acknowledgment, sending, by the one or more processors of the active network element to the remote peer device, an acknowledgment of receipt of the plurality of data packets.

Abstract: In general, embodiments of the invention relate to a system and method for configuring and managing a network. More specifically, embodiments of the invention relate to segregating traffic in a network based on application domains. Further, embodiments of the invention provide a mechanism to efficiently implement traffic segregation in a network using application domain specific virtual routing and forwarding (VRF) tables.

Abstract: The use of overlay networks, such as Network Virtualization using Overlays over Layer 3 (NVO3), is a growing trend to address networking issues in data centers that make use of virtualization and cloud computing techniques. Additional considerations may be required to support multipath forwarding scenarios.

Abstract: Methods and systems are used for using services in stacked services. As an example, a first service instance of a first service bound to a first application is instantiated. A second service instance of a second service is instantiated from within a first service broker. The second service instance is bound to the first service to be used indirectly in a context of the first application. A subaccount of the first application is provided to the second service as a first consumer. A third service instance of a third service is instantiated from within a second service broker. The third service instance is bound to the second service to be used indirectly in a context of the first application. The first application uses the second service indirectly through the first service. The subaccount of the first application is provided to the third service as the first consumer.

Abstract: According to one example, a method includes processing a communication session with a first virtual machine of a plurality of virtual machines associated with a network node and monitoring packet loss on a leg of the communication session between a first endpoint and a second endpoint. The method further includes, in response to determining that the packet loss exceeds a first threshold, toggling on an enhanced mode for a codec associated with the communication session, the enhanced mode providing increased error resilience. The method further includes, in response to determining that the toggling on the enhanced mode causes the first virtual machine to exceed a processing capacity threshold, moving the communication session to a second virtual machine of the plurality of virtual machines.

Abstract: Embodiments of the present invention provide a method and an apparatus for establishing an interface between VNFMs, and a system, and relate to the field of communications technologies, so as to improve efficiency of communication between the VNFMs to some extent.

Abstract: The present disclosure discloses a data packet processing method applied to a computing device in software-defined networking. After receiving a data packet of a data flow, a NIC queries a flow table set according to matching information of the data packet; and if a flow table is obtained from the flow table set the NIC processes the data packet according to the flow table; or if no flow table can be obtained from the flow table set, the NIC sends the data packet to a virtual switch to obtain a flow table corresponding to the data flow, and saves the flow table into the flow table set, so that the NIC can process a subsequent data packet of the data flow. An operating load of the virtual switch is reduced, and operating efficiency of the computing device is improved.

Abstract: An interaction method includes receiving an order request sent by a first communication terminal, and acquiring a first communication number according to the order request; allocating a second communication number to the first communication number, and setting a correlation between the first communication number and the second communication number; sending first correlation information to a basic communication server, the first correlation information carrying the first communication number and the second communication number; binding the second communication number with the order request; issuing the order request, the order request carrying the second communication number; receiving response information sent by a second communication terminal, and obtaining a third communication number according to the response information; and sending second correlation information to the basic communication server, the second correlation information carrying at least the second communication number and the third communica

Abstract: The present application discloses a data flow processing method and apparatus for a data flow system. A specific implementation of the method includes: acquiring a to-be-processed data flow, and determining, according to a data flow processing instruction, at least one data flow processing node corresponding to the to-be-processed data flow and a passing order in which the to-be-processed data flow passes through the at least one data flow processing node; and connecting together the at least one data flow processing node according to the passing order to obtain a data flow processing channel, and importing the to-be-processed data flow to the data flow processing channel for data processing. This implementation improves the utilization of data flow processing nodes and the data flow processing efficiency.

Abstract: Various embodiments relate to a method and apparatus for guaranteeing symmetrical delay in both directions for a Time-Division Multiplexing Pseudowire (“TDM-PW”) service on a packet switching network (“PSN”), the method including the steps of using a transport method to specify a first path including a corresponding pair of unidirectional service tunnels for the TDM PW service between a master router and a slave router, detecting a failure on either of the corresponding pair of unidirectional service tunnels of the first path between the master router and the slave router, switching the master router and the slave router to a second path including a corresponding pair of unidirectional service tunnels, resetting a jitter buffer on the master router and the slave router and adjusting the jitter buffer to a halfway point, and transmitting and receiving data using the second path including the corresponding pair of unidirectional service tunnels.

Abstract: A method and apparatus for implementing a virtual local area network. The method includes determining a global virtual local area network for transmitting a data frame in response to receiving the data frame at a first switch, encapsulating the data frame based at least in part on said determination and transmitting it to at least one second switch over the determined global virtual local area network. The data frame is received at the second switch and an identifier of the global virtual local area network is obtained according to the data frame. Based at least in part on the identifier of the global virtual local area network, it is determined that which local virtual local area network served by the second switch the de-capsulated data frame can be sent to.