A telemetry producer sends a hello message to a telemetry registration interface. The interface returns a hello message. The producer sends a producer protocol suite to the interface. An acceptance of the protocol suite and an indication that the protocol suite has been forwarded to a telemetry registration controller is returned. The producer sends a hello message to the controller. The controller returns an acknowledgement and a producer identifier (ID). A second hello message and the producer ID are sent from the producer to the controller. The controller returns a second acknowledgement and the producer ID, indicating the producer registration. A telemetry consumer sends the controller a hello message. An acknowledgement with a consumer identifier (ID) is returned to the consumer. The consumer sends a consumer request packet to the controller. The controller sends the producer ID and an indication of consumer registration to the consumer.
H04L 43/065 - Generation of reports related to network devices
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
Techniques for automating traffic optimizations for egress traffic of an application orchestration system that is being sent over a network to a remote service. In examples, the techniques may include receiving, at a controller of the network, an egress traffic definition associated with egress traffic of an application hosted on the application orchestration system, the egress traffic definition indicating that the egress traffic is to be sent to the remote service. Based at least in part on the egress traffic definition, the controller may determine a networking path through the network or outside of the network that is optimized for sending the egress traffic to the remote service. The controller may also cause the egress traffic to be sent to the remote service via the optimized networking path.
This disclosure describes dynamically monitoring the flow of traffic along a path that can include points across different cloud service provider networks/regions and/or different private networks. Flow monitoring may be started in response to different triggering events. For instance, flow monitoring of network traffic along one or more network paths may be started in response to performance metrics associated with an application within the multi-cloud environment, current/projected network conditions associated with one or more networks within the multi-cloud environment, and the like. In other examples, a user may specify when to perform flow monitoring for one or more network paths.
H04L 43/20 - Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
H04L 43/0817 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level
This disclosure describes techniques and mechanisms for managing congestion within a network with a controller. The techniques include identifying a first designated memory location from which a first destination device reads first data, identifying a second designated memory location from which a second destination device reads second data, writing the first data to the first designated memory location, incrementing, based at least in part on writing the first data, a write index, sending a first indication to the first destination device that the first data is ready to be consumed, determining that the first destination device retrieved the first data from the first designated memory location, and decrementing the write index.
Systems and techniques are provided for synchronizing DHCP snoop information. In some examples, a method can include performing, by a first PE device from a plurality of PE devices, DHCP snooping of a first plurality of DHCP messages between a DHCP client and a DHCP server, wherein the plurality of PE devices is part of an Ethernet segment for multihoming the DHCP client. In some aspects, the method includes determining, based on snooping the first plurality of DHCP messages, an association between an IP address corresponding to the DHCP client and a MAC address corresponding to the DHCP client. In some examples, the method includes sending, by the first PE device to at least one other PE device from the plurality of PE devices, a first route advertisement that includes the association between the IP address corresponding to the DHCP client and the MAC address corresponding to the DHCP client.
H04L 61/5014 - Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
H04L 61/103 - Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
Techniques for operationalizing workloads at edge network nodes, while maintaining centralized intent and policy controls. The techniques may include storing, in a cloud-computing network, a workload image that includes a function capability. The techniques may also include receiving, at the cloud-computing network, a networking policy associated with an enterprise network. Based at least in part on the networking policy, a determination may be made at the cloud-computing network that the function capability is to be operationalized on an edge device of the enterprise network. The techniques may also include sending the workload image to the edge device to be installed on the edge device to operationalize the function capability. In some examples, the function capability may be a security function capability (e.g., proxy, firewall, etc.), a routing function capability (e.g., network address translation, load balancing, etc.), or any other function capability.
H04L 67/289 - Intermediate processing functionally located close to the data consumer application, e.g. in same machine, in same home or in same sub-network
Systems, methods, and computer-readable media are provided for securely advertising autoconfigured prefixes in a cloud environment. In some examples, a method can include receiving, by a first router, an indication of an available network address prefix. In some aspects, the method can also include selecting, by the first router, a first network address prefix that is within the available network address prefix, wherein the first network address prefix provides at least one route to one or more network elements associated with the first router. In some cases, the method may further include sending, to a second router, a message including a stub registration option that indicates the first network address prefix.
Techniques for scaling additional capacity for secure access solutions and other workloads of enterprise edge networks in and out of a cloud-computing network based on demand. The techniques may include determining that a capacity associated with a secure access node of an enterprise edge network meets or exceeds a threshold capacity. Based at least in part on the capacity meeting or exceeding the threshold capacity, the techniques may include causing a facsimile of the secure access node to be spun up on a cloud-computing network that is remote from the enterprise edge network. In this way, new connection requests received from client devices can be redirected to the facsimile of the secure access node. Additionally, or alternatively, one or more existing connections between client devices and the secure access node may be migrated to the facsimile of the secure access node in the cloud.
Techniques for operationalizing workloads at edge network nodes, while maintaining centralized intent and policy controls. The techniques may include storing, in a cloud-computing network, a workload image that includes a function capability. The techniques may also include receiving, at the cloud-computing network, a networking policy associated with an enterprise network. Based at least in part on the networking policy, a determination may be made at the cloud-computing network that the function capability is to be operationalized on an edge device of the enterprise network. The techniques may also include sending the workload image to the edge device to be installed on the edge device to operationalize the function capability. In some examples, the function capability may be a security function capability (e.g., proxy, firewall, etc.), a routing function capability (e.g., network address translation, load balancing, etc.), or any other function capability.
G06F 16/58 - Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually
H04L 41/5054 - Automatic deployment of services triggered by the service manager, e.g. service implementation by automatic configuration of network components
10. APPLICATION SESSION PERSISTENCE ACROSS DYNAMIC MEDIA ACCESS CONTROL (MAC) ADDRESS ROTATIONS
A user device connected to a wireless network maintains session persistence through a MAC address change of the user device. The user device establishes a multi-path communication session including a first subflow associated with a first MAC address for the user device. When the user device changes from the first MAC address to a second MAC address, the user device establishes a second subflow of the multi-path communication session. The second subflow is associated with the second MAC address. After establishing the second subflow associated with the second MAC address, the user device ends the first subflow associated with the first MAC address.
In one embodiment, a method includes receiving one or more 5G software-defined wide area network (SD-WAN) policies, identifying one or more identity-based policies from the one or more 5G SD-WAN policies, communicating the identified one or more identity-based policies to one or more WAN routers, communicating one or more 5G bindings to the one or more WAN routers, and applying the identified one or more identity-based policies to one or more flows between the one or more WAN routers.
The subject matter of this disclosure relates in general to the field of computer networking, and more particularly, to systems and methods for discovery of a tunnel for a wide area network. Certain aspects provide a method for network path analysis. The method includes sending a first probe packet configured to identify a network tunnel, wherein the first probe packet includes an identifier of the first probe packet and a first time to live (TTL) value that corresponds to a first network hop; receiving a first response message from the first network hop in the network tunnel, wherein the first response message corresponds to the first probe packet and includes the identifier of the first probe packet; and analyzing the network tunnel based on the first response message including the identifier of the first probe packet.
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
H04L 47/283 - Flow control; Congestion control in relation to timing considerations in response to processing delays, e.g. caused by jitter or round trip time [RTT]
13. NETWORK CONTROLLER, FAILURE INJECTION COMMUNICATION PROTOCOL, AND FAILURE INJECTION MODULE FOR PRODUCTION NETWORK ENVIRONMENT
Methods and devices provide fault injection testing techniques in a production network environment without risking service outages for hosted computing services. Examples include a remote network controller configured to communicate with network devices of a network; a remote fault injection communication protocol configuring a remote network controller in communication with a network device to signal a failure injection; and a failure injection module configuring a network device to configure a network device processor to implement a failure injection signaled according to the remote failure injection communication protocol. The method includes a network controller transmitting a failure injection signal in a control plane packet over a network connection to a network device, and the network device creating a child process by executing, in a dedicated runtime environment, a copy of one or more processes impacted by a parsed failure type.
A method of tuning telemetry collection parameters may include, with a collector, receiving source data defining at least one application running on a plurality of nodes, the nodes utilizing a finite number of compute resources. With the collector, a number of score models within a scoring agent of the collector may be executed to define telemetry collection parameters used by the collector for source data collection. The method may also include computing, with the scoring agent, a number of scores based on disturbance features and adaptive feedback, and tuning, with the collector, the telemetry collection parameters based on the scores to obtain tuned telemetry collection parameters.
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
15. PRIORITIZING VULNERABILITY BASED ON APPLICATION SECURITY CONTEXT
According to some embodiments, a method includes determining a plurality of business transactions for a plurality of services provided by an application. The method further includes calculating a vulnerability score for each determined business transaction. Each vulnerability score is based on one or more application context factors of a plurality of application context factors. The method further includes displaying a graphical user interface. The graphical user interface includes a list of the determined business transactions and the calculated vulnerability score for each determined business transaction in the list.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06Q 20/12 - Payment architectures specially adapted for electronic shopping systems
16. LOCALIZATION OF TELEMETRY ISSUES BASED ON LOGICAL DATA FLOWS
In one embodiment, an illustrative method herein may comprise: determining, by a process, a directed acyclic graph that defines pathways of telemetry metrics for a given observed system; processing, by the process, telemetry metrics received from distributed sources to detect and localize a problem from the telemetry metrics; consulting, by the process, the directed acyclic graph to find one or more common pathways of the directed acyclic graph that relate to the problem against all other pathways of the directed acyclic graph to establish a reduced telemetry search space corresponding to the one or more common pathways; and enabling, by the process, a root cause analysis operation for the problem based on the reduced telemetry search space.
H04L 41/0631 - Management of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
Systems, methods, and computer-readable media are disclosed for facilitating bi-directional edge proxy-to-edge proxy communications across an enterprise firewall in a 5G service-based architecture. In one aspect, a method includes receiving a subscription request from a user device to operate on a visited private network; determining that the user device is associated with a home network; and establishing a communication protocol between a security edge protection proxy of the visited private network and a security edge protection proxy of the home network, wherein the communication protocol enables bi-directional exchange of roaming signals between the visited private network and the home network while the user device is operating on the visited private network.
A method for optical transceiver misconnection identification that allows a simple low-level process to monitor and communicate optical transceiver characteristics information between two optical transceiver modules, regardless of their transceiver type, to determine whether they are correctly connected or mismatched. If a mismatch is determined, the knowledge gained about the transceiver type of the far end module may be obtained (and presented to an installer) and used by the installer to select and install a module that is operationally compatible with the far end optical module.
H04B 10/071 - Arrangements for monitoring or testing transmission systems; Arrangements for fault measurement of transmission systems using a reflected signal, e.g. using optical time domain reflectometers [OTDR]
The present disclosure is directed to managing network traffic in a cloud-based secure access service. In one aspect, a method includes determining, by a controller of a cloud-based secure access service, that data packets from a user device should be dropped, a plurality of user devices, including the user device, being remotely connected to the controller for access to the cloud-based secure access service; determining, by the controller, a type of remote connection through which the user device is connected to the controller, each type of remote connection having a corresponding control protocol; and transmitting a message, by the controller, to the user device, over the control protocol corresponding to the type of remote connection through which the user device is connected to the controller, the message providing a signal to the user device to drop packets at the user device prior to sending the packets to the controller.
Embodiments herein describe a focal polarization displacer with a birefringent crystal disposed within the focal region of a lens. The birefringent crystal separates optical signals into at least two separate signals based on their having different polarization states, and an optical axis of the birefringent crystal is set so that the focal points of the two separate signals are at an output surface of the polarization displacer where the two separate signals are output from the polarization displacer. This output surface can be a surface of the birefringent crystal or a surface of an additional layer coupled to the crystal, such as a polarization rotator or dielectric layer.
In one embodiment, an illustrative method may comprise: monitoring, by a process, a behavior of an application between one or more client devices and an application programming interface service; establishing, by the process, an application model of objects and functions within the application based on the behavior; and determining, by the process, an authorization logic of the application for the objects and functions based on the application model. In one embodiment, the illustrative method further comprises: testing one or more authorization approaches against the application to determine one or more discrepancies within the authorization logic indicative of faulty authorizations; and mitigating the one or more discrepancies.
Presented herein are a variety of palette mode encoding and decoding techniques that can achieve further compression benefits. The techniques can be generalized to use arbitrary block partitions instead of rows, for instance columns of identical indices, or quadrants of identical indices.
H04N 19/103 - Selection of coding mode or of prediction mode
H04N 19/119 - Adaptive subdivision aspects e.g. subdivision of a picture into rectangular or non-rectangular coding blocks
H04N 19/176 - Methods or arrangements for coding, decoding, compressing or decompressing digital video signals using adaptive coding characterised by the coding unit, i.e. the structural portion or semantic portion of the video signal being the object or the subject of the adaptive coding the unit being an image region, e.g. an object the region being a block, e.g. a macroblock
H04N 19/593 - Methods or arrangements for coding, decoding, compressing or decompressing digital video signals using predictive coding involving spatial prediction techniques
H04N 19/91 - Entropy coding, e.g. variable length coding [VLC] or arithmetic coding
23. REMOTE FRONT-DROP FOR RECOVERY AFTER PIPELINE STALL
This disclosure describes techniques for performing a remote front-drop of data for recovery after a pipeline stall. The techniques include using a receiver-side dropping strategy that is driven from the sender side. Components of a pipeline determine whether the pipeline is operating within specified latency constraints (e.g., whether it is experiencing a pipeline stall). Upon detecting a pipeline stall, the sending device is notified of the stall. Once the sending device is notified of the pipeline stall, the sending device can determine what action(s) to perform to address the pipeline stall. For example, the sending device may instruct one or more components of the pipeline to discard already sent data that has not been processed. This allows the older data to be dropped on the stalled pipeline while keeping the more recently sent data.
Techniques for NAT-based steering of traffic in cloud-based networks. The techniques may include establishing, by a frontend node of a network, a connection with a client device. The frontend node may receive, via the connection, a packet including an indication of an identity of a service hosted on a backend node of the network. Based at least in part on the indication, the frontend node may establish a second connection with the backend node. Additionally, the frontend node may store a mapping indicating that packets received from the client device are to be sent to the backend node. The techniques may also include receiving another packet at the frontend node or another frontend node of the network. Based at least in part on the mapping, the frontend node or other frontend node may alter one or more network addresses of the other packet and forward it to the backend node.
This technology allows time synchronization in wireless networks with mobile stations. A wireless network controller transmits instructions to access points ("APs") within the wireless network to monitor transmissions for time synchronization. One or more second APs observe fine time measurement ("FTM") exchanges between a first AP and a mobile station. A particular second AP determines whether to perform a time synchronization with the first AP based on the detection of the FTM exchange or a determination that the station is moving toward the second AP. For time synchronization, the second AP determines the time that the first AP transmitted the FTM exchange and the time of transmission from the first AP to the second AP. The second AP synchronizes a second AP clock to the summation of the time of the transmission of the FTM exchange and the time of transmission from the first AP to the second AP.
Techniques for dynamically adapting a router capacity to system needs in a network. A border router may receive, from control-plane nodes, a list of summarized prefixes for endpoint devices associated with the router. The router may store the list of summarized prefixes in memory of the border router. Once the router receives traffic that is destined for endpoint devices associated with the border router, it may determine that the destination address is included in the summarized prefixes. In some examples, the router may download complete prefixes from the control-plane nodes, and forward the traffic to the destination address indicated by the complete prefixes.
This technology allows for determining the location of client devices via radio scanning for triggered orthogonal frequency-division multiple access ("OFDMA") uplinks. Access points ("APs") are configured for OFDMA transmissions. A first AP transmits a trigger frame on a particular channel to stations in the wireless network. Neighboring APs scan channels for trigger frames ("TFs"). Upon detection of a TF, neighboring APs associate a station identifier with a frequency allocation, or resource unit, in the TF. The neighboring APs receive an OFDMA uplink from the stations, determine a received signal strength indicator ("RSSI") value for each frequency allocation in the OFDMA uplink, and transmit the RSSI values with the associated station identifier to the first AP. The first AP determines the location of each station by mapping a distance value to the RSSI values.
Techniques for combining the functionality of fabric interconnects (FIs) and switches (e.g., Top-of-Rack (ToR) switches) into one network entity, thereby reducing the number of devices in a fabric and the complexity of communications in the fabric. By collapsing FI and ToR switch functionality into one network entity, server traffic may be directly forwarded by the ToR switch and an entire tier is eliminated from the topology hierarchy, which may improve the control, data, and management planes. Further, this disclosure describes techniques for dynamically managing the number of gateway proxies running on one or more computer clusters based on the number of managed switch domains.
In one embodiment, a method includes identifying, by a router, a first tenant. The first tenant is associated with a first tenant virtual private network (VPN). The method also includes determining, by the router, a mapping of the first tenant VPN to a first device VPN and generating, by the router, a first label representing the first device VPN. The method further includes adding, by the router, the first label to a first network packet and communicating, by the router, the first network packet with the first label to a controller.
A split enclosure apparatus for fan-less cooling may be provided. The apparatus may comprise a device and a housing. The device may comprise a plurality of components. The housing may enclose the device and may comprise a first external surface, a second external surface, and a joint between the first external surface and the second external surface. The first external surface may be dedicated to cooling a first one of the plurality of components. The second external surface may be dedicated to cooling a second one of the plurality of components. The joint between the first external surface and the second external surface may be electrically conductive and thermally resistive.
A method of transmitting an encrypted data packet includes, with a processor, in response to receiving the encrypted data packet, executing an extended Berkeley packet filter (eBPF) application at an express data path (XDP) hook point located within a kernel space, determining whether the encrypted data packet is to be processed via a trusted application (TA) within a trusted execution environment (TEE) based on an analysis by the eBPF application, and identifying application intelligence data defining packet forwarding decisions based on a manner in which the encrypted data packet is processed.
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
In one embodiment, a method includes onboarding, by an edge router, a first tenant from a network management system and determining, by the edge router, a mapping of a tenant identifier associated with the first tenant to a controller identifier associated with a controller. The method also includes reserving, by the edge router, a port number in a kernel for the first tenant and inserting, by the edge router, the tenant identifier into a first control packet. The method further includes communicating, by the edge router, the first control packet to the controller via an encrypted control connection during a first peering session. The first peering session shares the encrypted control connection with a second peering session.
In an example method, an instruction to begin monitoring incoming traffic of a multicast data flow is received by a router. The instruction is received from a downstream router. The example method further includes monitoring incoming traffic of the multicast data flow. At least partly in response to determining that an expected amount of the incoming traffic of the multicast data flow is being received at the router, the router reports a location of the router in the multicast data flow to a network administrator device. Further, at least partly in response to determining that the expected amount of the incoming traffic of the multicast data flow is not being received, the router sends, to an upstream router, an instruction to begin monitoring incoming traffic of the multicast data flow.
Techniques and mechanisms for managing a set of data network nodes in a Network Management System (NMS). In some examples, a network orchestrator receives a first service request to trigger a first service transaction to re-configure the set of data nodes in the data network, and triggers the first service transaction to re-configure the set of data nodes. In some examples, the network orchestrator receives a second service request to trigger a second service transaction to re-configure the set of data nodes. The orchestrator determines whether the second service transaction conflicts with the first service transaction that is currently running. If the second service transaction does not conflict with the first service transaction, it triggers processing of the second service transaction. If the second service transaction does conflict with the first service transaction, it delays processing of the second service transaction.
Techniques for maintaining geographic-based data privacy rules in networked environments. An example method includes receiving a request from a user device; generating, based on the request, a query for data associated with fulfilling the request; transmitting, to a data controller, the query; transmitting, to the data controller, an indication of a geographic region in which at least one device implementing the entity is located; and receiving, from the data controller, a portion of the data associated with fulfilling the request.
In one embodiment, a method includes determining, by a network node, that a first plurality of tunnel interfaces resides in a core region of a network and determining, by the network node, that a second plurality of tunnel interfaces resides in an access region of the network. The method also includes configuring, by the network node, a first tunnel interface as a core regional fallback path for the core region of the network and configuring, by the network node, a second tunnel interface as an access regional fallback path for the access region of the network.
A method includes receiving, at a first edge node, an Internet Protocol (IP) multicast address of a first silent host node. The method further includes receiving, at a second edge node, an IP multicast address of a second silent host node. The IP multicast address of the first silent host node is equal to the IP multicast address of the second silent host node. The method further includes storing the IP multicast address of the first and second silent host node in a shared entry of a routing table. The method further includes receiving, at a third edge node, a packet from a third host node and determining that a destination address of the packet corresponds to the IP multicast address stored in the shared entry of the routing table. The method further includes sending the packet to both the first host node and the second host node.
In one embodiment, a method includes receiving, by a first node of a node cluster in a software-defined wide area network (SD-WAN), traffic from a wide area network (WAN), assigning, by the first node of the node cluster, flow ownership of the traffic to the first node, and communicating, by the first node of the node cluster, the traffic to a local area network (LAN). The method also includes receiving, by the first node of the node cluster, return traffic from a second node of the node cluster and detecting, by the first node of the node cluster, a diversion of the return traffic. The method further includes relinquishing, by the first node of the node cluster, the flow ownership and assigning, by the first node of the node cluster, the flow ownership to the second node of the node cluster.
Systems and methods are provided for providing differential treatment to user traffic involving optimized reporting of start and stop traffic. The systems and methods can include detecting, at a user plane function, an initiation of a type of traffic being performed at the user plane function, providing, by the user plane function, a start event trigger of the type of traffic detected by the user plane function to a session management function, and receiving, at the user plane function, a policy associated with the type of traffic from the session management function, the policy including instructions preventing submissions of subsequent event triggers to the session management function until an end of the type of traffic, the subsequent event triggers being associated with the type of traffic detected by the user plane function.
Techniques for an email-security system to detect multi-stage email scam attacks, and engage an attacker to obtain additional information. The system may analyze emails for users and identify scam emails by analyzing metadata of the emails. The system may then classify the scam emails into particular classes from among a group of scam-email classes. The system may then engage the attacker that sent the scam email. In some instances, the scam emails may be multi-stage attacks, and the system may automatically engage the attacker to move to the next stage of the scam attack. For instance, the system may send a lure email that is responsive to the particular scam class to prompt or provoke the attacker to send more sensitive information, such as a phone number, a bank account, etc. The system may then harvest this sensitive information of the attacker, and use that information for various remedial actions.
In one embodiment, a microservice, that provides one or more services for one or more distributed business transactions offered by an application, obtains a service request for a particular business transaction involving a particular user device executing the application. The microservice determines whether the service request includes an indication of authentication results for the particular business transaction that satisfy one or more authentication requirements of the microservice. The microservice sends, based on the indication of authentication results for the particular business transaction not satisfying the one or more authentication requirements of the microservice, a request for the particular user device to perform authentication for the particular business transaction to satisfy the one or more authentication requirements. The microservice completes, based on the indication of authentication results for the particular business transaction satisfying the one or more authentication requirements of the microservice, a particular service as per the service request.
G06Q 20/36 - Payment architectures, schemes or protocols characterised by the use of specific devices using electronic wallets or electronic money safes
G06Q 20/40 - Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check of credit lines or negative lists
42.
EFFICIENT VALIDATION OF TIME-SYNCHRONIZATION ACCURACY IN A SCHEDULED TIME SENSITIVE NETWORK (TSN)
A reverse time synchronization may be performed between a sending device and a receiving device. Then a Time Error (TE) between the sending device and the receiving device may be determined based on the reverse time synchronization. A gate time on the receiving device may be scheduled based on the determined TE.
In part, the disclosure relates to an apparatus that may include a first lens; wherein the first lens is enabled to be optically connected to an optical fiber; an isolator core optically coupled to the first lens; a second lens optically coupled to the isolator core; wherein the second lens is enabled to be optically connected to another optical fiber; wherein the isolator core is enabled to allow optical power from the first lens to propagate through the isolator core; wherein the isolator core is enabled to block optical power from the second lens from propagating through the isolator core; a first optical filter optically coupled to the first lens; and a second optical filter optically coupled to the second lens; wherein the second optical filter is enabled to reflect a first frequency; wherein the isolator core is enabled to absorb a remaining portion of the first frequency.
G02B 6/293 - Optical coupling means having data bus means, i.e. plural waveguides interconnected and providing an inherently bidirectional system by mixing and splitting signals with wavelength selective means
Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.
Systems, methods, and computer-readable media for switching a dynamic radio of a single RU between Radio Access Technology (RAT) protocols based on a Software-Defined RAN intelligent controller (SD-RIC). The SD-RIC efficiently assigns RAN resources by converting a radio access point to either 5G or Wi-Fi based on the load conditions and the number of users seen on the network, so that it appropriately serves the customer and end devices. The load conditions may be determined based on active users on a particular cell, with connection latency serving as the resource utilization cue. A single radio unit includes a primary radio and a secondary radio, each being independently tuned. The primary radio is static while the secondary one can be influenced based on the conditions, turning into an N-RU or Wi-Fi radio.
This disclosure describes techniques for detecting and monitoring paths in a network. The techniques include causing a source node to generate probe packets to traverse a multiprotocol label switching (MPLS) network, for instance. In some examples, the probe packets include entropy values that correspond to individual equal-cost multi-path (ECMP) paths of the network. The probe packets may be received at an SDN controller from a sink node after traversing the network. Analysis of the probe packets allows path discovery and mapping of the entropy values to ECMP paths. The mapping of discovered paths may be used for optimization of network monitoring activities, including sending subsequent probe packets over particular ECMP paths based on the mapped entropy values.
A method is provided for avoiding context transfers by a first Access and Mobility Management Function (AMF) connected to a first gNB to a second AMF when a user equipment (UE) in idle mode moves from the first gNB to a second gNB. The method may include provisioning the first AMF and the second AMF with the same tracking area identity (TAI), the first AMF and the second AMF being connected to a respective enterprise gNB. The method may also include configuring the 5G packet core network comprising a session management function (SMF) in communications with the first AMF and the second AMF, to avoid transferring a UE context from the first AMF to the second AMF when the user equipment (UE) in the idle mode moves from a first AMF to the second AMF. The UE context remains with the first AMF.
Techniques and architecture are described for providing a service, e.g., a security service such as a firewall, across different virtual networks/VRFs/VPN IDs. The techniques and architecture provide modifications in enterprise computing fabrics by modifying pull-based overlay protocols such as, for example, locator/identifier separation protocol (LISP), border gateway protocol ethernet virtual private network (BGP EVPN), etc. A map request carries additional information to instruct a map-server that even though mapping (destination prefix and firewall service RLOC for the destination) is known within the map-server's own virtual network/VRF for firewall service insertion, the map-server still should do a lookup across virtual networks/VRFs and discover the final destination's DGT (destination group tag) and include that in the map reply.
Dynamic spectrum access mode based on station capabilities is provided by categorizing functionalities of Access Points (APs) and mobile stations (STA) in a wireless network; identifying interference induced by external signaling devices on channels in the wireless network; calculating an impact factor of the interference based on proximity of the external signaling devices to the wireless network, a pattern of the external signaling devices, and an extent of overlap with frequencies used by the external signaling devices and the wireless network; and in response to identifying a given STA that is paired with a given AP in the wireless network, wherein the given STA and the given AP are both categorized as being capable of both multilink communications and preamble puncturing, assigning network resources for the given STA to communicate with the given AP via one of multilink communications or preamble puncturing based on the impact factor of the interference.
Techniques for a head-end node in one or more network autonomous systems to utilize a protocol to instantiate services on tail-end nodes. The head-end node can use a service request mechanism that is enabled by the protocol to request service instantiation on the tail-end node without a network operator having to manually configure the tail-end node, or even having access to the tail-end node. Additionally, the protocol may further provide mechanisms to define handling attributes for traffic of the service (e.g., Service-Level Agreement (SLA) parameters, an underlay transport protocol, etc.), service acknowledgement mechanisms for the head-end node to determine that the service was instantiated on the tail-end node, and so forth. In this way, a head-end node can be used to instantiate a service on a tail-end node without a network operator having to have direct access to the tail-end node to manually configure the tail-end node.
H04L 41/5054 - Automatic deployment of services triggered by the service manager, e.g. service implementation by automatic configuration of network components
H04L 47/2425 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting services specification, e.g. SLA
H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
Techniques for tunneling Layer 2 ethernet frames over a connection tunnel using the MASQUE protocol are described herein. The MASQUE protocol may be extended to include a new entity, configured to proxy ethernet frames using a MASQUE proxy connection, and an associated CONNECT method, CONNECT-ETH. Using the extended MASQUE protocol, an Ethernet over MASQUE (EoMASQUE) tunnel may then be established between various networks that are remote from one another and connected to the internet. An EoMASQUE tunnel, established between separate remote client premises, and/or between a remote client premise and an enterprise premise, may tunnel ethernet packets between the endpoints. Additionally, a first EoMASQUE tunnel, established between a first client router provisioned in a first remote client premise and an EoMASQUE proxy node, and a second EoMASQUE tunnel, established between a second client premise and the EoMASQUE proxy node, may tunnel ethernet packets between the first and second client premise.
H04L 61/103 - Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
The present disclosure provides a hierarchical method of identifying unauthorized network traffic in a network by applying, at one of a first plurality of nodes of a network, a first level of network traffic analysis to identify received network traffic as one of authorized or suspicious network traffic, the one of the first plurality of nodes having a first path for traffic routing and a second path to one of a second plurality of nodes of the network, the second path used for forwarding the suspicious network traffic to the one of the second plurality of nodes; tagging the received network traffic as the suspicious network traffic; and sending the suspicious network traffic to the one of the second plurality of nodes over the second path, the second network node applying a second level of network analysis to determine if the received network traffic is authorized, unauthorized or remains suspicious.
In an example method, a head node connected to a source device transmits a multicast data flow from the source device to receiving devices connected to tail nodes using Default MDT. The example method further includes determining that requirements have been met to begin transmitting the multicast data flow using Data MDT. The method may further include determining whether the tail nodes are able to receive the multicast data flow using Data MDT. In response to determining that all the tail nodes are able to receive the multicast data flow using Data MDT, the head node switches to transmitting the multicast data flow to the tail nodes using Data MDT. In response to determining that at least one of the tail nodes is unable to receive the multicast data flow using the Data MDT, the head node continues transmitting the multicast data flow using Data MDT.
Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.
Techniques and mechanisms for monitoring and processing telemetry information of an Internet Protocol version 6 (IPv6) packet in a network. The IPv6 packet includes an IPv6 header having a Segment Identifier (SID) field and a function field. According to this disclosure, the function field may include a function associated with an operation for collecting telemetry information of a first node indicated by the SID field. When the function is executed by the first node, it may collect the telemetry information from the first node and export the telemetry information to a collector node. Further, the function may indicate an operation for collecting the telemetry information of a set of paths including one or more nodes, where the telemetry path can be changed dynamically. In this way, each node in the telemetry path may define a new path for collecting the telemetry information.
Fabrication-tolerant on-chip multiplexers and demultiplexers are provided via a lattice filter interleaver configured to receive an input signal including a plurality of individual signals and to produce a first interleaved signal with a first subset of the plurality of individual signals and a second interleaved signal with a second subset of the plurality of individual signals; a first Bragg interleaver configured to receive the first interleaved signal and produce a first output signal including a first individual signal of the plurality of individual signals and a second output signal including a second individual signal of the plurality of individual signals; and a second Bragg interleaver configured to receive the second interleaved signal and produce a third output signal including a third individual signal of the plurality of individual signals and a fourth output signal including a fourth individual signal of the plurality of individual signals.
H04J 14/02 - Wavelength-division multiplex systems
G02B 6/12 - Light guides; Structural details of arrangements comprising light guides and other optical elements, e.g. couplings of the optical waveguide type of the integrated circuit kind
G02B 6/293 - Optical coupling means having data bus means, i.e. plural waveguides interconnected and providing an inherently bidirectional system by mixing and splitting signals with wavelength selective means
57.
LIMITING DISCOVERY OF A PROTECTED RESOURCE IN A ZERO TRUST ACCESS MODEL
According to an embodiment, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations. The operations comprise determining that an endpoint device has requested to discover a location of a protected resource that is protected by a gateway, determining whether the endpoint device has provided a token that is valid, and permitting the endpoint device to discover the location of the protected resource based on determining that the endpoint device has provided the token that is valid. The token indicates that the endpoint device successfully completed a first multi-factor authentication procedure in connection with accessing an authentication enforcement resource.
A grating coupler (300) with a wafer bonded configuration includes: a substrate (310); an oxide layer (240) disposed on the substrate (310); a silicon nitride layer (230) disposed above the oxide layer (240); a first silicon layer (250) disposed above the silicon nitride layer (230); a second silicon layer (260) disposed above the first silicon layer (250); and a bi-layer grating (370) disposed above the silicon nitride layer (230). The bi-layer grating (370) includes (i) a first etched layer of the first silicon layer (250) and (ii) a second etched layer of the second silicon layer (260).
Presented herein are techniques for cropping video streams to create an optimized layout in which participants of a meeting are a similar size. A user device receives a plurality of video streams, each video stream including at least one face of a participant participating in a video communication session. Faces in one or more of the plurality of video streams are cropped so that faces in the plurality of video streams are approximately equal in size, to produce a plurality of processed video streams. The plurality of processed video streams are sorted according to video stream widths to produce sorted video streams and the plurality of sorted video streams are distributed for display across a smallest number of rows possible on a display of the user device.
A system and method for dynamic enablement of an RLC mode of a Data Radio Bearer (DRB) based on UE radiofrequency (RF) conditions. A threshold value for a network characteristic is provided to a gNodeB. Changes in the network characteristic correlate to changes in RF channel conditions of the UE. The trigger configures the gNodeB to identify when the network characteristic meets the threshold value for selectively controlling operation of the gNodeB at one of a plurality of different operation modes including an initial radio link control (RLC) mode based on the network characteristic. A Protocol Data Unit (PDU) session is established with the gNodeB operating in an initial RLC mode with the possibility to dynamically switch to a different RLC mode based on RF channel conditions.
Techniques for orchestrating workloads based on policy to operate in optimal host and/or network proximity in cloud-native environments are described herein. The techniques may include receiving flow data associated with network paths between workloads hosted by a cloud-based network. Based at least in part on the flow data, the techniques may include determining that a utilization of a network path between a first workload and a second workload is greater than a relative utilization of other network paths between the first workload and other workloads. The techniques may also include determining that reducing the network path would optimize communications between the first workload and the second workload without adversely affecting communications between the first workload and the other workloads. The techniques may also include causing at least one of a redeployment or a network path re-routing to reduce the networking proximity between the first workload and the second workload.
In one embodiment, a method for link state flooding between a network node and a receiving node includes determining a current transmit rate that Link State Protocol Data Units (LSPs) are being transmitted from the network node to the receiving node. The method further includes determining an LSP acknowledgment rate that indicates a rate at which a plurality of LSP acknowledgments are received at the network node from the receiving node. The method further includes determining a new transmit rate based on the current transmit rate and the LSP acknowledgment rate. The method further includes transmitting a plurality of LSPs from the network node to the receiving node using the new transmit rate.
H04L 45/028 - Dynamic adaptation of the update intervals, e.g. event-triggered updates
H04L 45/00 - Routing or path finding of packets in data switching networks
63.
TRANSITION OF USER EQUIPMENT TO A 5GC NETWORK POST VOICE CALL TERMINATION IN VIEW OF EPS FALLBACK
Systems and methods are provided for providing transference of a user equipment to a 5G network when a voice call is terminated. The systems and methods can include receiving, at a mobility management entity, a voice call termination message from a serving gateway, determining, by the mobility management entity, whether the user equipment includes a 5G subscription and 5G capability based on the voice call termination message, and providing, by the mobility management entity, a handover message to the user equipment to initiate a handover to the 5G network based on the determining of whether the user equipment includes the 5G subscription and 5G capability.
A system is provided for supporting roaming between the LTE EPC network and the 5G network of a first mobile network operator via the 5GC network of a second network operator. The system may include the EPC network including a serving gateway in communication with a 4G base station in the EPC network. The system may also include the 5G network of the first mobile network operator including a vSMF in communication with a 5G base station in the 5G network of the first network operator. The system may also include the 5GC network of the second network operator including an hSMF. The vSMF is configured to receive a communication from the serving gateway to anchor mobility between the LTE EPC network and the 5G network of the first mobile network operator, and to communicate with the hSMF in the 5GC network of the second network operator using 5G roaming interfaces.
The disclosure provides a method for providing an enterprise gNB for connection to a 5G packet core network. The method includes provisioning the enterprise gNB. The enterprise gNB hosts a local user plane function (L-UPF). The method also includes configuring the 5G packet core network comprising a session management function (SMF) to select the local user plane function to service user equipment (UE) connected to the enterprise gNB.
In one embodiment, a method herein comprises: intercepting runtime calls from a telemetry invocation for method entry to discover loaders; determining whether an implementation tenant is already allocated for a particular discovered loader; allocating, in response to no implementation tenant being already allocated for the particular discovered loader, a particular implementation tenant from a plurality of available implementation tenants, wherein a corresponding loader for the particular implementation tenant is set to delegate from the particular discovered loader; and calling, in response to the particular implementation tenant being allocated or being already allocated for the particular discovered loader, a method entry for the particular implementation tenant to perform an associated interception operation while using direct telemetry class and/or method calls.
Ranging and timing may be provided. A station may send an action frame. The action frame may include an Identifier (ID) associated with an upcoming Timing Measurement (TM)/Fine Timing Measurement (FTM) session. The action frame may indicate a purpose of the upcoming TM/FTM session. Next, the station may send, subsequent to sending the action frame, a TM/FTM session request associated with the action frame. The station may then perform the purpose indicated by the action frame.
In one embodiment, an illustrative method herein may comprise: determining, by a device of a communication session, that a new epoch has occurred within the communication session, wherein the communication session has one or more member devices; generating, by the device and in response to the new epoch, a new key encryption key and a key bundle comprising one or more keys to decrypt content of the communication session from one or more previous epochs of the communication session; encrypting, by the device, the key bundle with the new key encryption key to create an encrypted key bundle; and sharing, from the device, the encrypted key bundle with the one or more member devices to allow the one or more member devices to access the content of the communication session from the one or more previous epochs.
Techniques for encoding metadata representing a policy into a QUIC connection ID are described herein. A metadata-aware network including one or more enforcement nodes, a policy engine, and/or a connection datastore may be utilized to enforce a policy and route communications on a QUIC connection. The policy engine may be configured to encode metadata representing one or more network policies into a QUIC source connection ID (SCID) and/or may store a mapping between the SCID and a corresponding destination connection ID (DCID) in the connection datastore. The policy engine may communicate with a QUIC application server and/or one or more QUIC proxy nodes to encode the SCID into a QUIC packet. The enforcement nodes may access the metadata and enforce the policies via a connection ID included in a QUIC header of a QUIC packet or by performing a lookup in the connection datastore using the connection ID.
Techniques for identifying one or more wireless access points (APs), from among a plurality of APs including 6GHz radios, as candidates to operate in standard power indoor (SPI) mode. Identification is based on at least one of: determining that network switches associated with the wireless APs meet a threshold requirement relating to power over ethernet (PoE) for operating in SPI mode, determining, based on at least one of radio frequency (RF) density and channel quality relating to the plurality of APs, that the one or more APs should operate in SPI mode as opposed to lower power indoor (LPI) mode, and determining that operating the one or more APs in SPI mode improves quality of service (QoS) metrics for the plurality of APs as opposed to operating the one or more APs in LPI mode. The one or more wireless APs are configured to operate in SPI mode.
Techniques for leveraging the MASQUE protocol to provide remote clients with full application access to private enterprise resources are described herein. One or more network nodes may be configured to execute a MASQUE proxy service to provide a remote client device with full access to an enterprise/private application resource executing on an application node and hosted in an enterprise/application network, behind the MASQUE proxy service. In some examples, the MASQUE proxy service may execute on a single proxy node hosted at an edge of a cloud network or at an edge of an enterprise network. Additionally, or alternatively, a first instance of the MASQUE proxy service may execute on a first proxy node hosted at an edge of a cloud network (e.g., an ingress proxy node) and a second instance of the MASQUE proxy service may execute on a second proxy node hosted at an edge of the enterprise network.
Techniques and mechanisms for using a domain-specific language (DSL) to express overall network behaviors by describing what network-level behavior is desired. A compiler breaks down the DSL into portions of executable code that are to be run at different network devices and locations of the network architecture. In some instances, the executable code output from the compiler may be used to determine what network functions, network devices, and/or network topology is required to implement the overall network behavior that is desired. In other examples, an inventory and/or topology of available network devices may be fed into the compiler, and the compiler may compile the DSL into executable code that is able to be supported by the inventory and/or topology of available network devices. Thus, the DSL can be used to describe overall network behaviors to easily generate executable code that is used to implement a desired network-level behavior.
H04L 41/0226 - Mapping or translating multiple network management protocols
H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
H04L 41/0823 - Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
H04L 41/5054 - Automatic deployment of services triggered by the service manager, e.g. service implementation by automatic configuration of network components
H04L 41/5051 - Service on demand, e.g. definition and deployment of services in real time
H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
H04L 41/122 - Discovery or management of network topologies of virtualised topologies e.g. software-defined networks [SDN] or network function virtualisation [NFV]
H04L 41/0895 - Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
H04L 41/0897 - Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities by horizontal or vertical scaling of resources, or by migrating entities, e.g. virtual resources or entities
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level
H04L 43/20 - Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
73.
AUTOMATED NEIGHBOR DISCOVERY TECHNIQUES FOR HYBRID ENVIRONMENTS
Various embodiments herein disclose coordinating neighbor discovery between access points (APs) with auxiliary radios and APs without auxiliary radios. A corresponding wireless controller comprises a processor and a memory storing instructions that, when executed, cause the controller to perform operations. The operations comprise grouping APs into a first group of more flexible APs and a second group of less flexible APs and querying the second group of APs for a corresponding broadcast interval. The operations further comprise identifying when the second group of APs is scheduled to broadcast parameters, and a broadcast interval for each of the second group of APs and generating a schedule based on the scheduled broadcast and the broadcast interval for each of the second group of APs. The operations additionally comprise providing the generated schedule to the first group of APs and the second group of APs.
Systems and techniques are provided for implementing multiprotocol label switching (MPLS) header extensions. In some examples, a method can include receiving, by a router of an MPLS network, a data packet. In some aspects, the method can include adding, by the router of the MPLS network, at least one entry to an MPLS stack of the data packet, wherein the at least one entry includes an MPLS extension indicator (MEI) that is associated with at least one of an in-stack extension header presence indicator (IPI) and a bottom-of-stack extension header presence indicator (BPI). In some examples, the method can include adding, based on the IPI and the BPI, at least one of an in-stack extension header and a bottom-of-stack extension header to the MPLS stack of the data packet.
Various embodiments herein disclose coordinating frequencies for an access point (AR). A corresponding method comprises evaluating a performance profile for the AR, the performance profile comprising a first part related to a first network generated by a first radio of the AR and a second part related to a second network generated by a second radio of the AR. The method also comprises selecting first channels on which the AR generates the first network based on the performance profile and spectral regrowth profiles for transmission power levels of the first radio. The method additionally comprises selecting second channels on which the AR generates the second network based at least in part on the performance profile and the spectral regrowth profiles. Furthermore, the method comprises enabling communications between a first set of devices on the first channels and enabling communications between a second set of devices on the second channels.
Techniques for the transparent rolling of nodes in a cloud-delivered headend service without disrupting client traffic or making users aware of the various nodes in the system being rolled are described herein. The techniques may include receiving an indication that a first node of a network is to be rolled. Based at least in part on the indication, new connection requests may not be sent to the first intermediate node. Additionally, a client device having an existing connection through the first node may be identified. In some examples, a request may be sent to the client device to prompt the client device to establish a new connection. After determining that the new connection has been established such that the new connection flows through a second node of the network, the first node may be rolled.
A multi-layer substrate (110) stacking a plurality of insulating substrates supports one or more devices (112,114). Each substrate includes a face supporting conductive traces (140,142,144) and edges surrounding the face at a substantially perpendicular angle. The multi-layer substrate includes a ground plane (120) on a first substrate and a power plane (130) on a second substrate. The ground plane (120) is connected to at least one ground pad (122,124) disposed on a first edge of the first substrate, which provides a low inductance ground path to the ground plane (120). The power plane (130) is connected to at least one power pad (132) disposed on a second edge of the second substrate, which provides a low inductance power path to the power plane (130).
This disclosure describes techniques for performing domain name system (DNS) support on public resolvers. For instance, an electronic device may send a query to a local DNS resolver. The electronic device may then receive an answer from the local DNS resolver that includes a pattern. Using the answer, the electronic device may generate a DNS packet that includes at least the answer and a query for a first Internet Protocol (IP) address associated with a first IP version, such as IPv6. The electronic device may then send the DNS packet to a public DNS resolver. Using the DNS packet, the public DNS resolver may generate a synthesized IP address associated with the first IP version. For example, the public DNS resolver may identify a second IP address associated with a second IP version, such as IPv4, and generate the synthesized IP address using the second IP address and the answer.
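The synthesis step above is the IPv4-embedded IPv6 address construction of RFC 6052, with the pattern returned by the local resolver playing the role of the NAT64 prefix. The following Go program is an added example written for this listing, not code from the patent or its assignee: it implements the synthesis for every prefix length RFC 6052 permits, refuses patterns that would overwrite the reserved bits 64..71, and models the public-resolver side with a small constructed A-record table (the name v4only.example and its address are sample data, not from the page).

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Synthesize embeds an IPv4 address in an IPv6 "pattern" prefix using the
// RFC 6052 layout: the prefix may be /32, /40, /48, /56, /64 or /96, and the
// IPv4 octets follow it, skipping octet 8 (bits 64..71, the reserved 'u'
// octet, which must stay zero). Strings in, string out, so a resolver front
// end can pass values straight from parsed records.
func Synthesize(pattern, v4 string) (string, error) {
	prefix, err := netip.ParsePrefix(pattern)
	if err != nil {
		return "", fmt.Errorf("bad pattern %q: %w", pattern, err)
	}
	if !prefix.Addr().Is6() || prefix.Addr().Is4In6() {
		return "", errors.New("pattern must be a native IPv6 prefix")
	}
	addr, err := netip.ParseAddr(v4)
	if err != nil || !addr.Is4() {
		return "", fmt.Errorf("%q is not an IPv4 address", v4)
	}
	switch prefix.Bits() {
	case 32, 40, 48, 56, 64, 96:
	default:
		return "", fmt.Errorf("unsupported pattern length /%d", prefix.Bits())
	}
	out := prefix.Masked().Addr().As16()
	if out[8] != 0 {
		return "", errors.New("bits 64..71 of the pattern must be zero")
	}
	v := addr.As4()
	pos := prefix.Bits() / 8
	for i := 0; i < 4; i++ {
		if pos == 8 { // never write into the reserved octet
			pos++
		}
		out[pos] = v[i]
		pos++
	}
	return netip.AddrFrom16(out).String(), nil
}

// sampleA stands in for the A records a public resolver has learned for a
// name. Constructed sample data for this example.
var sampleA = map[string][]string{
	"v4only.example": {"192.0.2.33"},
}

// AnswerAAAA models the public-resolver side: given the queried name and the
// pattern forwarded by the client, it returns synthesized AAAA records, or
// nothing if the name has no IPv4 address to synthesize from.
func AnswerAAAA(name, pattern string) ([]string, error) {
	var out []string
	for _, a := range sampleA[name] {
		s, err := Synthesize(pattern, a)
		if err != nil {
			return nil, err
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	recs, err := AnswerAAAA("v4only.example", "64:ff9b::/96")
	fmt.Println(recs, err)
}
```

With the well-known prefix 64:ff9b::/96 and 192.0.2.33 the result is 64:ff9b::c000:221, the worked value in RFC 6052; a /32 pattern places the same four octets right after the prefix, leaving the u octet clear. The practical check a resolver should keep is the one on bits 64..71: a pattern that sets them would produce addresses outside the pattern's own prefix.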
Federated multi-access edge computing availability notifications may be provided by: transmitting, from a User Equipment (UE) to an Access Point (AP) of a wireless network, an attach request for the wireless network that includes authentication credentials for an identity provider independent from the wireless network to authenticate the UE to the wireless network; receiving, at the UE via the AP, an authentication success message for the wireless network from the independent identity provider; transmitting, from the UE to the AP, a Multi-access Edge Computing (MEC) query; and receiving, at the UE from the AP, a MEC response that identifies MEC resources that are available to the UE based on an identity for the UE confirmed by the identity provider to the wireless network.
In one embodiment, network node-to-node connectivity verification is performed in a network including data path processing of packets within a packet switching device. In one embodiment, an echo request connectivity test packet, emulating an echo request connectivity test packet received from a first connected network node, is inserted by the packet switching device into its data processing path prior to ingress processing performed for packets received from the first connected network node. A correspondingly received echo reply connectivity test packet is intercepted by the packet switching device during data path egress processing performed for packets to be forwarded to the first connected network node.
H04L 43/0811 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity
H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
Disclosed are methods, systems, and non-transitory computer-readable storage media for evaluating software posture as a condition of zero trust access. The present technology provides a client-side validation agent and a validation service which in tandem can capture and evaluate data representative of parameters associated with an application executing on a user device. The validation service can validate the application to a networked service, and in turn the networked service can permit communication to the application running on the user device.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
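The three-party exchange in the software-posture abstract (agent captures parameters, validation service evaluates them, networked service admits the application) can be made concrete as a small protocol. The Go program below is an added example for this listing, not the patent's or its assignee's code. Every name in it is an assumption: the report fields, the Ed25519 agent signature, the allow-listed binary hash as the policy, and the HMAC-bound token the validation service hands back for the networked service to check. The clock is injectable so the freshness check is reproducible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// PostureReport is what the client-side agent captures about one running
// application; the field set is this example's, not the patent's schema.
type PostureReport struct {
	App        string `json:"app"`
	BinarySHA  string `json:"binary_sha256"`
	IssuedUnix int64  `json:"issued_unix"`
}

// SignedReport is the report bytes plus the agent's signature over them.
type SignedReport struct{ Body, Sig []byte }

type Agent struct{ priv ed25519.PrivateKey }

func (a Agent) Report(r PostureReport) SignedReport {
	body, _ := json.Marshal(r) // a struct of plain fields cannot fail to marshal
	return SignedReport{Body: body, Sig: ed25519.Sign(a.priv, body)}
}

// Policy is what the validation service requires before vouching for an app.
type Policy struct {
	AllowedSHA   map[string]bool // known-good binary hashes
	MaxReportAge time.Duration
}

// Token is the validation service's short-lived "this app passed" statement,
// bound by an HMAC under a key it shares with the networked service.
type Token struct {
	App string
	Exp int64 // unix seconds
	Mac []byte
}

func tokenMAC(key []byte, app string, exp int64) []byte {
	h := hmac.New(sha256.New, key)
	fmt.Fprintf(h, "%s|%d", app, exp)
	return h.Sum(nil)
}

type ValidationService struct {
	agentPub ed25519.PublicKey
	policy   Policy
	tokenKey []byte
	now      func() time.Time
}

// Validate checks provenance (signature), freshness and policy, in that order.
func (v ValidationService) Validate(sr SignedReport) (Token, error) {
	if !ed25519.Verify(v.agentPub, sr.Body, sr.Sig) {
		return Token{}, errors.New("report signature invalid")
	}
	var r PostureReport
	if err := json.Unmarshal(sr.Body, &r); err != nil {
		return Token{}, err
	}
	if age := v.now().Sub(time.Unix(r.IssuedUnix, 0)); age < 0 || age > v.policy.MaxReportAge {
		return Token{}, errors.New("report is stale or from a skewed clock")
	}
	if !v.policy.AllowedSHA[r.BinarySHA] {
		return Token{}, fmt.Errorf("binary %s is not on the allow list", r.BinarySHA)
	}
	exp := v.now().Add(5 * time.Minute).Unix()
	return Token{App: r.App, Exp: exp, Mac: tokenMAC(v.tokenKey, r.App, exp)}, nil
}

// NetworkedService admits traffic only on a fresh, unmodified token.
type NetworkedService struct {
	tokenKey []byte
	now      func() time.Time
}

func (n NetworkedService) Admit(t Token) bool {
	return n.now().Unix() < t.Exp && hmac.Equal(t.Mac, tokenMAC(n.tokenKey, t.App, t.Exp))
}

// NewDemoSystem wires the three parties with fresh keys and an injectable
// clock (constructed for the example so results are reproducible).
func NewDemoSystem(p Policy, clock func() time.Time) (Agent, ValidationService, NetworkedService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	tokenKey := make([]byte, 32)
	if err == nil {
		_, err = rand.Read(tokenKey)
	}
	return Agent{priv: priv}, ValidationService{agentPub: pub, policy: p, tokenKey: tokenKey, now: clock},
		NetworkedService{tokenKey: tokenKey, now: clock}, err
}
```

Two design points matter more than the cipher choices. The report carries its own issue time and the service bounds its age, so a captured report from a once-compliant device cannot be replayed later; and the token's expiry is inside the MAC, so the networked service rejects a token whose lifetime was edited in transit.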
Embodiments herein describe an optical system that includes a photonic integrated circuit (PIC) bonded to a package containing an electrical integrated circuit (EIC). However, this bond can prevent an edge coupler from optically aligning an optical fiber to an edge of the PIC in order to transfer optical signals. To provide room for the edge coupler, the PIC is arranged to overhang the package containing the EIC so that the package does not interfere with the ability of the edge coupler to align with the side or edge of the PIC. In this manner, an optical fiber can be optically aligned (e.g., butt coupled) to the edge of the PIC rather than having to use a grating coupler or some other less efficient optical coupling in order to transfer optical signals between the PIC and the optical fiber.
G02B 6/42 - Coupling light guides with opto-electronic elements
H01L 25/16 - Assemblies consisting of a plurality of individual semiconductor or other solid state devices the devices being of types provided for in two or more different main groups of groups , or in a single subclass of , , e.g. forming hybrid circuits
In one embodiment, a multi-microphone system for an endpoint device receives input signals for a remote conference between the endpoint device and at least one other endpoint device. The multi-microphone system may include at least a top microphone unit and a bottom microphone unit. A signal degradation event that causes degradation of signals received by the top microphone unit or the bottom microphone unit is detected. Then, based on information regarding the signal degradation event, it is determined whether the signal degradation event affects one or both of the top microphone unit and the bottom microphone unit. In response, an output signal is generated for transmission to the at least one other endpoint device, and the output signal uses a portion of the input signals that excludes signals received by the top microphone unit and/or the bottom microphone unit determined to be affected by the signal degradation event.
H04R 1/40 - Arrangements for obtaining desired frequency or directional characteristics for obtaining desired directional characteristic only by combining a number of identical transducers
Aspects of the disclosure include a method and associated network device. The method includes authenticating an identity of a user of a client device after the client device is associated with an access network provider. Authenticating the identity of the user comprises receiving, from an identity provider, a credential associated with the identity, and receiving, from the identity provider, information identifying a network-based service to be applied to network traffic with the client device. The method further includes establishing, using the credential and the received information, a secure connection between the access network provider and a service provider that is capable of providing the network-based service. The method further includes receiving network traffic from the service provider. Packets of the network traffic include an assurance value that enables the client device to determine that the network-based service is being provided by the service provider.
Disclosed are systems, apparatuses, methods, and computer-readable media for secure network routing. A method includes: receiving, at a network node, an advertisement message for a network route including an IP address prefix; receiving, at the network node, a route origin authorization associated with the IP address prefix, the route origin authorization including a digital signature and a security requirement of a route to a destination that corresponds to the IP address prefix; determining, by the network node, one or more network nodes satisfies the security requirement to yield a determination; and determining, by the network node, to route network traffic to the IP address prefix based on the determination. In one example, the method can include, when the one or more network nodes satisfies the security requirement, advertising the route to the one or more network nodes that satisfies the security requirement.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
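The secure-routing abstract extends a route origin authorization with a security requirement that the path must satisfy. The Go program below is an added example for this listing, not code from the patent or its assignee; it signs a minimal ROA with Ed25519 under a single trust anchor, checks origin and prefix coverage, then walks the AS path against a capability table before installing the route or selecting which neighbors may receive it. The requirement name "encrypted-transit", the capability table and all AS numbers are assumptions, and the capability table stands in for whatever the patent's network nodes use to learn which nodes meet a requirement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/netip"
)

// ROA binds a prefix to its origin AS and, in this example, to a transit
// security requirement that every AS on the path must satisfy before the
// route is used. Requirement names are illustrative.
type ROA struct {
	Prefix      string
	OriginAS    uint32
	Requirement string
	Sig         []byte
}

// signedBytes is the canonical byte string the authority signs; the
// requirement is inside it, so it cannot be relaxed without re-signing.
func (r ROA) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", r.Prefix, r.OriginAS, r.Requirement))
}

// NewAnchor creates the authority key pair that every node trusts.
func NewAnchor() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func SignROA(priv ed25519.PrivateKey, r ROA) ROA {
	r.Sig = ed25519.Sign(priv, r.signedBytes())
	return r
}

// Advertisement is a received route; ASPath[0] is the sending neighbor and
// the last element is the origin.
type Advertisement struct {
	Prefix string
	ASPath []uint32
}

// Node is a router holding the trust anchor and a capability table (assumed
// learned out of band) saying which requirements each AS satisfies.
type Node struct {
	AS         uint32
	AnchorPub  ed25519.PublicKey
	Capability map[uint32]map[string]bool
	Neighbors  []uint32
}

// Evaluate reports whether the route is installed and which neighbors may be
// sent it (only those that themselves satisfy the requirement).
func (n Node) Evaluate(adv Advertisement, roa ROA) (bool, []uint32, error) {
	if !ed25519.Verify(n.AnchorPub, roa.signedBytes(), roa.Sig) {
		return false, nil, errors.New("ROA signature invalid")
	}
	advP, err := netip.ParsePrefix(adv.Prefix)
	if err != nil {
		return false, nil, err
	}
	roaP, err := netip.ParsePrefix(roa.Prefix)
	if err != nil {
		return false, nil, err
	}
	if roaP.Bits() > advP.Bits() || !roaP.Contains(advP.Addr()) {
		return false, nil, errors.New("ROA does not cover the advertised prefix")
	}
	if len(adv.ASPath) == 0 || adv.ASPath[len(adv.ASPath)-1] != roa.OriginAS {
		return false, nil, errors.New("origin AS does not match ROA")
	}
	for _, as := range adv.ASPath {
		if !n.Capability[as][roa.Requirement] {
			return false, nil, fmt.Errorf("AS%d on path does not satisfy %q", as, roa.Requirement)
		}
	}
	var peers []uint32
	for _, nb := range n.Neighbors {
		if n.Capability[nb][roa.Requirement] {
			peers = append(peers, nb)
		}
	}
	return true, peers, nil
}
```

The ordering is deliberate: the signature is checked before anything in the ROA is trusted, so an attacker who can inject a route but not forge the authority's signature can neither move the origin nor relax the requirement to a value the path happens to meet.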
Embodiments presented in this disclosure generally relate to techniques for interconnecting integrated circuits. More specifically, embodiments disclosed herein provide a back mounted interposer (BMI) to facilitate interconnecting of integrated circuits. One example apparatus includes an integrated circuit (106), an interposer (102), and a circuit board (104), at least a portion of the circuit board (104) being disposed between the integrated circuit (106) and the interposer (102), where the circuit board (104) is configured to provide electrical connection between the interposer (102) and the integrated circuit (106) via connection elements (112) on a first surface (170) of the interposer. The apparatus also includes an interface on a second surface (172) of the interposer, the interface being configured to provide signals from the integrated circuit (106) to an electrical component (130).
H05K 1/11 - Printed elements for providing electric connections to or between printed circuits
H05K 1/14 - Structural association of two or more printed circuits
H05K 3/34 - Assembling printed circuits with electric components, e.g. with resistor electrically connecting electric components or wires to printed circuits by soldering
87.
DISTRIBUTED ROUTING CONTROLLERS FOR MULTI-REGION SDWAN
According to some embodiments, a software defined wide area network (SD-WAN) includes a first region and a second region. The first region includes multiple first routing controllers and multiple first SD-WAN edge routers. The second region includes multiple second routing controllers and multiple second SD-WAN edge routers. Each first SD-WAN edge router of the first region is configured to establish Overlay Management Protocol (OMP) peering connections with the plurality of first routing controllers of the first region but to avoid establishing OMP peering connections with the plurality of second routing controllers of the second region. Each second SD-WAN edge router of the second region is configured to establish OMP peering connections with the plurality of second routing controllers of the second region but to avoid establishing OMP peering connections with the plurality of first routing controllers of the first region.
H04L 43/20 - Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
H04L 45/302 - Route determination based on requested QoS
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 45/655 - Interaction between route computation entities and forwarding entities, e.g. for route determination or for flow table update
Techniques for management of traffic in a network. The techniques provide application awareness in a Network Address Translation (NAT) system. In some examples, first traffic is received at a first switch in a network from a first application hosted behind the first switch. The first switch identifies a first resource tag associated with the application from the first traffic. Further, the first switch identifies a first rule from the first resource tag indicating that the first traffic is to be routed through an intermediate device that performs network address translation. Moreover, the first switch transmits the traffic to the intermediate device, which performs NAT to translate the source IP address of the first traffic to a second IP address. Finally, the intermediate device sends the traffic to a destination device indicated by the first traffic.
A system is provided that includes a power transmitter configured to provide power to a current loop and a power receiver configured to receive the power from the current loop. The power receiver is configured to, on a periodic basis, disconnect from the current loop to stop pulling power from the current loop for a period of time to enable a safety check to be performed by the power transmitter. The power transmitter is configured to: monitor current on the current loop; determine whether a current level on the current loop passes the safety check within a predetermined time interval since a determination that the current level was not within a safe range; and control connectivity of the power to the current loop depending on whether the safety check has or has not passed within the predetermined time interval.
H02H 3/08 - Emergency protective circuit arrangements for automatic disconnection directly responsive to an undesired change from normal electric working condition, with or without subsequent reconnection responsive to excess current
H02H 7/00 - Emergency protective circuit arrangements specially adapted for specific types of electric machines or apparatus or for sectionalised protection of cable or line systems, and effecting automatic switching in the event of an undesired change from norm
H02J 3/00 - Circuit arrangements for ac mains or ac distribution networks
H02J 13/00 - Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.
Techniques for utilizing a cloud service to compute an end-to-end SLA-aware path using dynamic software-defined cloud interconnect (SDCI) tunnels between a user device and an access point-of-presence (POP) node and inter-POP tunnels of the SDCI. The cloud service may include a performance aware path instantiation (PAPI) component including a POP database for storing performance metrics associated with the POPs of the SDCI, an enterprise policy database for storing user specific policies, and/or a path computation component. The path computation component may compute the path, based on the user specific policies, performance metrics associated with the POP nodes, and/or real-time contextual data associated with the user device and/or destination device. The path may include a first tunnel between the user device and the most optimal access POP node of the SDCI and a second tunnel between the access POP node, through the internal POP nodes, and to the destination device.
H04L 41/5051 - Service on demand, e.g. definition and deployment of services in real time
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 47/2425 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting services specification, e.g. SLA
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
H04L 41/342 - Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities
H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
In one embodiment, a device obtains test results for tests targeted at a web application, the tests performed by a plurality of agents. The device maps a portion of the test results to a component of the web application based on identifying information within the portion of the test results. The device makes, based on the portion of the test results that are mapped to the component of the web application, a determination that the component of the web application is experiencing an outage. In one embodiment, the device causes, based on the determination that the component of the web application is experiencing the outage, a mitigation action for the outage.
H04L 41/046 - Network management architectures or arrangements comprising network management agents or mobile agents therefor
H04L 43/0817 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
H04L 41/0631 - Management of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 43/0805 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
H04L 41/0654 - Management of faults, events, alarms or notifications using network fault recovery
H04L 41/0253 - Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using browsers or web-pages for accessing management information
H04L 41/12 - Discovery or management of network topologies
H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level
H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 43/028 - Capturing of monitoring data by filtering
In one embodiment, a method comprises: obtaining, by a process, path trace data collected by a plurality of performance monitoring agents across a computer network; obtaining, by the process, one or more catalogs having application-based correlation information for the path trace data; generating, by the process, network mapping directed graphs by correlating the path trace data using the one or more catalogs, the network mapping directed graphs logically comprising nodes categorized at a plurality of levels of aggregation and edges connecting the nodes; associating, by the process, test-based performance data with the edges of the network mapping directed graphs; and providing, by the process, at least one Sankey diagram based on the network mapping directed graphs and test-based performance data associated with their edges for selectable display by a user interface.
H04L 41/12 - Discovery or management of network topologies
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
H04L 41/046 - Network management architectures or arrangements comprising network management agents or mobile agents therefor
H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
In one embodiment, a method includes receiving energy efficiency data from a plurality of nodes within a network. The method also includes determining an energy efficiency node quotient for each of the plurality of nodes within the network to generate a plurality of energy efficiency node quotients and determining an energy efficiency path quotient for each of a plurality of paths within the network to generate a plurality of energy efficiency path quotients. The method further includes determining one or more policies associated with the plurality of paths and selecting a path from the plurality of paths based at least on the plurality of energy efficiency path quotients and the one or more policies.
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 45/302 - Route determination based on requested QoS
H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
H04L 43/0817 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
95.
COLLECTING KEY PERFORMANCE INDICATORS IN A 5G NETWORK
The present technology discloses methods, systems, and non-transitory computer-readable storage media for identifying a data communication session within a 5G enterprise network and providing assurance based on the identified data communication session. The present technology provides for establishing a data communication session for user equipment on a 5G network, generating a protocol data unit (PDU) session identifier for the data communication session, and distributing the PDU session identifier to one or more packet core nodes in the 5G network. The PDU session identifier can then be used for collecting one or more key performance indicators in association with the data communication session.
Systems, methods, and computer-readable media are provided for performing secure frame encryption as a service. For instance, a network device can receive a first request for encrypting a first media stream associated with a first endpoint. In response to the first request, the network device can obtain a first encryption key for encrypting the first media stream associated with the first endpoint. The network device can receive, from the first endpoint, a first plurality of media frames corresponding to the first media stream and encrypt each of the first plurality of media frames using the first encryption key to yield a first plurality of encrypted media frames. The network device can packetize the first plurality of encrypted media frames into a first plurality of data packets for transmission to a second endpoint.
H04N 19/40 - Methods or arrangements for coding, decoding, compressing or decompressing digital video signals using video transcoding, i.e. partial or full decoding of a coded input stream followed by re-encoding of the decoded output stream
H04N 21/2343 - Processing of video elementary streams, e.g. splicing of video streams or manipulating MPEG-4 scene graphs involving reformatting operations of video signals for distribution or compliance with end-user requests or end-user device requirements
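The frame-encryption-as-a-service abstract leaves the cipher, nonce discipline and packet format open. The Go program below is an added example for this listing, not the patent's or its assignee's code: it takes a per-stream key, seals each media frame with AES-GCM using the stream identifier and a monotonically increasing frame sequence as both nonce and authenticated header, then splits the ciphertext into packets for the second endpoint to reassemble. The packet header fields and the 1200-byte payload budget are assumptions, not the patent's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// maxPayload is the ciphertext budget per packet; an assumed MTU-derived value.
const maxPayload = 1200

// Packet is one transport unit carrying a fragment of one encrypted frame.
// The header layout is this example's own, not the patent's wire format.
type Packet struct {
	StreamID  uint32
	FrameSeq  uint64
	FragIndex uint16
	FragCount uint16
	Payload   []byte
}

// FrameCrypter holds the key obtained for one endpoint's media stream.
// Sender and receiver each construct one from the same key.
type FrameCrypter struct {
	streamID uint32
	aead     cipher.AEAD
	nextSeq  uint64
}

// NewStreamKey stands in for the key the network device obtains per stream.
func NewStreamKey() ([]byte, error) {
	key := make([]byte, 16) // AES-128
	_, err := rand.Read(key)
	return key, err
}

func NewFrameCrypter(streamID uint32, key []byte) (*FrameCrypter, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FrameCrypter{streamID: streamID, aead: aead}, nil
}

// header is both the 96-bit GCM nonce (unique under this key because the
// sequence never repeats within a stream) and the additional authenticated data.
func header(streamID uint32, seq uint64) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint32(h[:4], streamID)
	binary.BigEndian.PutUint64(h[4:], seq)
	return h
}

// EncryptFrame seals one media frame and splits the ciphertext into packets.
func (c *FrameCrypter) EncryptFrame(frame []byte) []Packet {
	seq := c.nextSeq
	c.nextSeq++
	hdr := header(c.streamID, seq)
	ct := c.aead.Seal(nil, hdr, frame, hdr)
	count := (len(ct) + maxPayload - 1) / maxPayload
	pkts := make([]Packet, 0, count)
	for i := 0; i < count; i++ {
		end := (i + 1) * maxPayload
		if end > len(ct) {
			end = len(ct)
		}
		pkts = append(pkts, Packet{StreamID: c.streamID, FrameSeq: seq,
			FragIndex: uint16(i), FragCount: uint16(count), Payload: ct[i*maxPayload : end]})
	}
	return pkts
}

// DecryptFrame reassembles one frame's packets and opens them; a missing or
// reordered fragment, an edited header or a flipped payload bit all fail.
func (c *FrameCrypter) DecryptFrame(pkts []Packet) ([]byte, error) {
	if len(pkts) == 0 {
		return nil, errors.New("no packets")
	}
	seq, count := pkts[0].FrameSeq, int(pkts[0].FragCount)
	if len(pkts) != count {
		return nil, fmt.Errorf("have %d of %d fragments", len(pkts), count)
	}
	var ct []byte
	for i, p := range pkts {
		if p.StreamID != c.streamID || p.FrameSeq != seq || int(p.FragIndex) != i {
			return nil, errors.New("fragment does not belong at this position")
		}
		ct = append(ct, p.Payload...)
	}
	hdr := header(c.streamID, seq)
	return c.aead.Open(nil, hdr, ct, hdr)
}
```

The point a practitioner should take from it is the nonce rule: with GCM the (key, nonce) pair must never repeat, so the key must be per stream and the sequence counter per key, and a service that resumes a stream after a restart must either rekey or persist the counter. Authenticating the header as AAD is what lets the receiver reject a packet moved from one stream or frame to another without decrypting it first.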
97.
PERFORMANCE MEASUREMENT, TELEMETRY, AND OAM IN MPLS NETWORKS USING ENTROPY LABELS
Techniques are described for utilizing entropy labels of a Multiprotocol Label Switching (MPLS) label stack for performing monitoring operations (e.g., telemetry, performance measurement, OAM, etc.) without altering the MPLS label stack and/or packet path (e.g., ECMP path). The techniques may include determining, by a node of a network, to perform a monitoring operation associated with traffic that is to be sent along a path through the network. In some examples, the node may receive a packet that is to be sent along the path and encapsulate the packet with an MPLS header. The MPLS header may include an entropy label, entropy label indicator, or other label that is capable of carrying a flag indicating the monitoring operation to be performed. The flag may be carried in a TTL field or traffic class field of the label such that the MPLS label stack is not altered to trigger the monitoring operation.
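The entropy-label abstract rests on one property: a flag carried in the TC (or TTL) bits of the entropy label is invisible to ECMP hashing, which reads label values only, so requesting a monitoring action does not move the flow to another path. The Go program below is an added example for this listing, not code from the patent or its assignee. It encodes RFC 3032 label stack entries, builds a transport/ELI/EL stack, sets a monitoring flag in the EL's TC field, and shows with a label-only hash that the ECMP bucket is unchanged. Which TC bit carries the flag and the FNV-based hash are assumptions; the ELI value 7 is the reserved label from RFC 6790.

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// Entry is one label stack entry per RFC 3032: 20-bit label, 3-bit traffic
// class (TC), bottom-of-stack bit, 8-bit TTL.
type Entry struct {
	Label uint32
	TC    uint8
	S     bool
	TTL   uint8
}

const (
	ELI         = 7   // Entropy Label Indicator, reserved label value (RFC 6790)
	MonitorFlag = 0x1 // TC bit this example uses to request a monitoring action
)

// Encode packs the entry into its 32-bit wire form.
func (e Entry) Encode() uint32 {
	v := (e.Label&0xFFFFF)<<12 | uint32(e.TC&0x7)<<9 | uint32(e.TTL)
	if e.S {
		v |= 1 << 8
	}
	return v
}

func Decode(v uint32) Entry {
	return Entry{Label: v >> 12, TC: uint8(v>>9) & 0x7, S: v&(1<<8) != 0, TTL: uint8(v)}
}

// BuildStack returns transport label, ELI, EL (bottom of stack) as 32-bit words.
func BuildStack(transport, entropy uint32) []uint32 {
	return []uint32{
		Entry{Label: transport, TTL: 64}.Encode(),
		Entry{Label: ELI, TTL: 64}.Encode(),
		Entry{Label: entropy, TTL: 64, S: true}.Encode(),
	}
}

// RequestMonitoring sets the flag in the EL's TC field in place. The label
// value itself, which is what ECMP hashing reads, is untouched.
func RequestMonitoring(stack []uint32) error {
	for i := range stack {
		if Decode(stack[i]).Label == ELI && i+1 < len(stack) {
			e := Decode(stack[i+1])
			e.TC |= MonitorFlag
			stack[i+1] = e.Encode()
			return nil
		}
	}
	return fmt.Errorf("no ELI/EL pair in stack")
}

// MonitoringRequested is the check a transit or egress node performs.
func MonitoringRequested(stack []uint32) bool {
	for i := range stack {
		if Decode(stack[i]).Label == ELI && i+1 < len(stack) {
			return Decode(stack[i+1]).TC&MonitorFlag != 0
		}
	}
	return false
}

// ECMPHash models a forwarder that hashes label values only (TC, S and TTL
// excluded), as an entropy-label-aware load balancer does, into one of
// `paths` buckets.
func ECMPHash(stack []uint32, paths uint32) uint32 {
	h := fnv.New32a()
	for _, w := range stack {
		l := Decode(w).Label
		h.Write([]byte{byte(l >> 16), byte(l >> 8), byte(l)})
	}
	return h.Sum32() % paths
}
```

The caveat for deployment is that this only holds on forwarders whose hash inputs really are the label values; a box that folds the whole 32-bit entry into its hash would see the flag as entropy, which is exactly the path change the technique sets out to avoid, so that behaviour is worth testing per platform.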
Systems, methods, and computer-readable media are provided for dynamic allocation of network security resources and measures to network traffic between end terminals on a network and a network destination, based in part on an independently sourced reputation score of the network destination. In one aspect, a method includes receiving, at a cloud network controller, a request from an end terminal for information on a network destination; determining, at the cloud network controller, a reputation score for the network destination; determining, at the cloud network controller, one or more security measures to be applied when accessing the network destination, based on the reputation score; and communicating, by the cloud network controller, the one or more security measures to the end terminal, wherein the end terminal communicates the one or more security measures to a third-party security service provider for applying to communications between the end terminal and the network destination.
In one embodiment, a device instruments an application to generate OpenTelemetry trace data during execution of the application. The device identifies, based on where the application was instrumented, a particular method of the application. The device determines that a circuit breaker should be inserted for the particular method of the application. The device inserts a circuit breaker for the particular method.
In various embodiments, a device receives a first video stream of a video conference. The device receives a second video stream of the video conference. The second video stream includes an indicated location for video of the second video stream relative to video of the first video stream. The device merges the first video stream and the second video stream into an overlapped video having the video of the second video stream located at the indicated location relative to the video of the first video stream. The device provides the overlapped video for display.