Systems, methods and computer-readable storage media are provided for performing Internet Protocol (IP) address resolution within a network through a control plane or network controller approach. A provider edge (PE) device receives an Address Resolution Protocol (ARP) request message from a locally connected customer edge (CE) device. The PE device transmits the ARP request message to other locally connected CE devices and generates an IP address resolution request message that includes the IP address of a destination CE device. The IP address resolution request message is transmitted to other PE devices within the network. The PE device receives remote adjacency information associated with the destination CE device and transmits an ARP reply message to the locally connected CE device.
H04L 61/103 - Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
Balancing Multi-link Operation, MLO, usage is provided. A list of a plurality of Access Points, APs, for each of a plurality of Multi-link Operation, MLO, types indicating availability of each of the plurality of APs is received (310). A first request indicating an MLO type associated with the first request is a first MLO type is received (320). In response to the first request, a first subset of the list of the plurality of APs that support the MLO type associated with the first request is sent (330). A second request indicating that an MLO type associated with the second request is the first MLO type is received (340). In response to the second request, a second subset of the list of the plurality of APs that support the MLO type associated with the second request is sent (350). The first subset is different from the second subset.
The systems and cold plate pedestal and assembly described decrease mechanical stresses in integrated circuits, while also providing efficient thermal coupling between heat producing components and a cold plate. A cold plate assembly includes a cold plate with a pedestal portion and a groove formed in a surface of the pedestal portion. The cold plate assembly also includes a thermal pad layer formed in the groove and a phase change material (PCM) layer formed on the surface of the pedestal portion and a surface of the thermal pad layer formed in the groove.
H01L 23/367 - Cooling facilitated by shape of device
H01L 23/427 - Cooling by change of state, e.g. use of heat pipes
H01L 27/02 - Devices consisting of a plurality of semiconductor or other solid state components formed in or on a common substrate including integrated passive circuit elements with at least one potential-jump barrier or surface barrier
4.
ROAMING VALIDATION METHOD FOR ACCESS NETWORK PROVIDERS
Roaming validation for Access Network Providers (ANPs), and particularly to protecting communications between Stations (STAs) and ANPs while providing roaming validation for ANPs may be provided. An ANP may first register a roaming federation system. The ANP may determine a roaming message based on subscription features of the network, and the ANP may request signing of the roaming message by the roaming federation system. The ANP may receive the signed roaming message from the roaming federation system and send the signed roaming message to a STA. The ANP may then receive a request to connect to the network from the STA and initiate a connection for the STA.
Techniques for extending network elements to inspect, extract, and complement tracing information added to L7 flows by application distributed tracing systems. The techniques may include receiving a Layer-7 (L7) message of an L7 flow associated with a distributed application and determining that the L7 message includes tracing information. In some examples, the tracing information may be mapped to a marking that is to be included in a Layer 3 (L3) or Layer-4 (L4) packet carrying the L7 message, and the L3 or L4 packet including the marking may be sent to an L3 or L4 network element. In some examples, the L3 or L4 network element may be configured to utilize the marking to determine a network decision for the L3 or L4 packet.
maxmax) comprising a first predetermined value and a preemption Arbitrary Interframe Space Number (AIFSN) of less than or equal to a second predetermined value. AC parameters for others of the plurality of ACs may be received wherein a non-preemption AIFSN associated with any of the others of the plurality of ACs is greater than a sum of the first predetermined value and the second predetermined value. Preemption for traffic in the preemption AC may be allowed.
Symbol multiplexing Physical Medium Attachment (PMA) may be provided. A plurality of first lanes may be received and then Alignment Markers (AMs) from the plurality of first lanes may be used to determine symbol boundaries and identify the plurality of first lanes. Next, groups of the plurality of first lanes may be de-skewed and checkerboard patterns in the plurality of first lanes may be undone. Then the plurality of first lanes may be symbol-wise multiplexed to a plurality of second lanes. The plurality of second lanes may then be sent.
Time Sensitive Network (TSN) Quality of Service (QoS) management may be provided. A number of Transmit Opportunities (TxOPs) to use for transmitting data between an Access Point (AP) and a client device over a wireless link may be received. An initial gate configuration to the AP for transmitting data between the AP and the client device over the wireless link for a transmit period of each cycle of a number of cycles may be provided based on the number of TxOPs. A change in a network condition of the wireless link may be detected. The initial gate configuration for the transmit period in a current cycle of the number of cycles may be adjusted in response to detecting the change in the network condition of the wireless link.
A managed network supporting backscattering communication devices may be provided. A computing device may determine a plurality of locations respectively associated with a plurality of devices in a predetermined space. At least one of the plurality of devices may be powered with energy transmitted from at least one Access Point (AP) to the at least one of the plurality of devices at its location. Data may be received from the at least one of the plurality of devices in response to powering the at least one of the plurality of devices.
H04B 5/79 - for data transfer in combination with power transfer
G01S 13/75 - Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems using transponders powered from received waves, e.g. using passive transponders
10.
PROXIMITY-AWARE MULTIFACTOR AUTHENTICATION FOR CONTINUOUS TRUSTED ACCESS
Techniques for using device proximity of a primary device and a secondary device to allow or deny connections to network resource(s), as well as terminate existing connections to the network resource(s). The techniques may include monitoring a proximity-based direct networking connection between a primary device and a secondary device, the proximity-based direct networking connection established in association with authenticating the primary device to access a resource. The techniques may also include determining, based at least in part on the monitoring, that a network proximity between the primary device and the secondary device exceeds a threshold proximity. Based at least in part on determining that the network proximity exceeds the threshold proximity, the techniques may include causing termination of the access to the resource for the primary device.
G06F 21/35 - User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
H04W 12/63 - Context-dependent security depending on proximity
H04W 4/02 - Services making use of location information
H04W 4/80 - Services using short range communication, e.g. near-field communication, radio-frequency identification or low energy communication
11.
STANDARDIZED INTERFACE FOR WIDE AREA NETWORK PROGRAMMING
Techniques for providing a standardized interface that is configured to provide application developers with ways for interacting with different wide area network controllers. A standardized interface may include an application programming interface (API) server that can receive a connectivity request associated with an application that is to be hosted on an application orchestration system. The API server may determine, based at least in part on the connectivity request, a vendor network to be used by the application to send traffic to a remote service. Based at least in part on determining the vendor network, the API server may translate the connectivity request into a first format that is understandable by a controller of the vendor network. The API server may also provide the connectivity request in the first format to the controller of the vendor network such that a path through the vendor network can be determined.
Cluster formation for Ultra-Wideband (UWB) Time-Difference-of-Arrival (TDoA) networks may be provided. A plurality of anchors may be set to a primary setting. Synchronization messages may then be broadcast by the plurality of anchors. Then the plurality of anchors may send responses to the synchronization messages. A room consensus may be performed to determine probabilities of obstacles between the plurality of anchors. The plurality of anchors may then send proposals of one or more clusters based on the room consensus. One or more clusters may be formed by the plurality of anchors based on the proposals.
G01S 5/02 - Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations using radio waves
H04W 64/00 - Locating users or terminals for network management purposes, e.g. mobility management
H04W 84/18 - Self-organising networks, e.g. ad-hoc networks or sensor networks
A system is provided for reducing infrared (IR) light emitting diode (LED) power in a night mode for LED operations. The system may include an input power source, one or more LEDs coupled to the input power source, an auto-exposure controller (AEC) coupled to one or more LEDs, and one or more transistor switches coupled between the one or more LEDs and the AEC. The AEC may be coupled to an image sensor of an imaging system and may configure attributes of exposure frames for the image sensor. The AEC may generate a plurality of pulses that control one or more transistor switches. The AEC may execute an algorithm that synchronizes the activation of one or more LEDs to occur during the exposure frame.
H04N 23/56 - Cameras or camera modules comprising electronic image sensors; Control thereof provided with illuminating means
H04N 23/74 - Circuitry for compensating brightness variation in the scene by influencing the scene brightness using illuminating means
H04N 23/11 - Cameras or camera modules comprising electronic image sensors; Control thereof for generating image signals from different wavelengths for generating image signals from visible and infrared light wavelengths
H04N 23/65 - Control of camera operation in relation to power supply
According to some embodiments, a method includes detecting a start of an OpenTelemetry span by an application and determining security information related to the start of the OpenTelemetry span. The method further includes monitoring the application for one or more application behaviors during execution of the OpenTelemetry span. The method further includes detecting an end of the OpenTelemetry span by the application, and in response, calculating a security score for the OpenTelemetry span using the security information related to the start of the OpenTelemetry span and the one or more application behaviors detected during execution of the OpenTelemetry span. The method further includes updating a status of the OpenTelemetry span to include the security score and a text string related to the calculation of the security score.
Techniques for a Software-Defined Networking (SDN) controller associated with a multisite network to implement jurisdictional data sovereignty policies in a multisite network, route network traffic flows between user sites and destination services over one or more provider sites, and/or perform a routing operation on the network traffic flow(s) based on the jurisdictional data sovereignty policies. The jurisdictional data sovereignty policies may be implemented using destination group tags (DGTs) and/or source group tags (SGTs). A secure access service edge (SASE) associated with the network controller may generate, store, and distribute the DGTs to provider sites and/or the SGTs to user sites. Based on the SGT and/or DGT associated with a network traffic flow, one or more services may be applied to the network traffic flow, and the network traffic flow may be routed through a particular region of a software-defined access (SDA) transit.
Techniques for combining independent sessions between application(s) and a VPN, proxy service, or similar system, including inner protocol sessions (e.g., such as QUIC, etc.), coming from a single device to form a single logical session, where the single logical session could share a single authentication/authorization token are described. The techniques include receiving, from a device within a network, a request for a first application to access a service associated with the proxy service or the VPN, sending, to the device, a first authentication request, and receiving, from the device, a message including a token. The techniques may further include authenticating, by the proxy service or the VPN, the token using a unique identifier associated with the device and enabling, by the proxy service or the VPN, the device to access the service via a first session flow.
Techniques for preserving privacy while still allowing secure access to private resources. Among other things, the techniques may include receiving a request to provide a remote device with access to a private resource. In some instances, the request may be redirected to an identity provider service to authenticate the user of the remote device to maintain anonymity of an identity of the user. The techniques may also include receiving an indication of an entitlement-set provided by the identity provider service, the indication of the entitlement-set indicative of whether the user is entitled to access the resource without revealing the identity of the user. The techniques may also include at least one of authorizing the remote device to access the resource or refraining from authorizing the remote device to access the resource based at least in part on the indication of the entitlement-set.
This disclosure describes techniques and mechanisms for a central management plane to automatically create and assign system identifiers to network devices, thereby creating a global network hierarchy within a network. The techniques enable a system identifier to be automatically generated and assigned, as well as configuration and network policies to be automatically generated based on the system identifier. Accordingly, the techniques enable automation of regional connectivity and policy application, a simplified manner of troubleshooting/debugging of any connectivity issues, and a simplified, aggregated view of statistics and analytics related to problems at site, sub-region, and region levels.
Techniques are described for routing traffic through an interconnect cloud gateway based on cloud traffic routing indicators. The interconnect cloud gateway can advertise the cloud traffic routing indicators, which can include cloud indicators and transport gateway indicators. The cloud indicators can include cloud tags utilized to route cloud traffic. The transport gateway indicators can include transport gateway flags utilized to identify private networks utilized to route the cloud traffic. The cloud traffic can be routed during normal private network operation through private networks, which can be dynamically replaced by public networks due to occurrences of failures preventing the data traffic from being routed through the private networks and to cloud networks.
Legacy preamble puncturing for fine timing and frequency offset estimation may be provided. Within a user information field of a trigger frame, a legacy preamble puncturing pattern may be allocated to each of a plurality of client devices wherein each of the plurality of client devices is allocated with at least one respective corresponding non-overlapping sub-channel. Next, from each of the plurality of client devices on their respective corresponding non-overlapping sub-channel, a respective corresponding preamble may be received. Time and frequency synchronization may then be performed for each of the plurality of client devices based on their respective corresponding preamble.
Adapting transmission schedules in a Radio Frequency (RF) environment may be provided. A Central Network Controller (CNC) of a Time Sensitive Network (TSN) may determine that a data path to a client device comprises a wireless link. The CNC of the TSN may generate a proposed transmission schedule for the time sensitive traffic to the client device through the wireless link in response to determining that the data path to the client device comprises the wireless link. The CNC may provide the proposed transmission schedule to a Wireless Network Controller (WLC) of the wireless link. The CNC may receive a confirmation from the WLC that the proposed transmission schedule can be met. The proposed transmission schedule may be configured in response to receiving the confirmation.
A system of one embodiment provides reverse affinity link exclusion for a computer network. The system includes a memory and a processor. The memory is operable to store logical transmission links, logical receiving links, and metrics for data packets of nodes. The system determines a threshold value for node link reliability. The system determines the node link reliability of a receiving node link by evaluating data loss associated with one or more incoming data packets. The system compares the node link reliability to the threshold value. The system identifies the receiving node link when the node link reliability exceeds the threshold value. The system communicates the identified receiving node link to one or more nodes.
A system and method for handling multicast traffic in Ethernet Virtual Private Network multi-homed networks includes receiving a first route table for a first route, determining that the first route table is associated with another peer device in the multi-homed network, generating a second route table for a second route, determining a route to transmit data, where the determined route is the first route or the second route based on the first preference value and the second preference value, and transmitting the data using the determined route.
Techniques for improving options templates for network traffic monitoring and analysis, using pull mode by a network collector device, and sending an acknowledgement, by the network collector device that the download was successfully received are described. The techniques may include transmitting, by a network collector device and to a network edge device, a request to download a full options template, receiving, by the network collector device, responses from the network edge device, each response including a segment of the full options template and each segment including a last segment flag indicating whether the segment is a last segment, and in response to receiving a segment having the last segment flag set, transmitting, by the network collector device and to the network edge device, an acknowledgement that the full options template has been received.
H04L 41/0859 - Retrieval of network configuration; Tracking network configuration history by keeping history of different configuration generations or by rolling back to previous configuration versions
H04L 43/20 - Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
This disclosure describes techniques and mechanisms for intelligently sampling packet flows within a network. The techniques enable the sampling of a limited set of packet flows, selected from all packet flows as those that reveal the greatest amount of information about the network, in order to provide the greatest insight into application performance, network packets, and critical events within the network. Additionally, the techniques provide configurable parameters, such that the techniques are customizable for each user's network.
This disclosure describes techniques for authentication using wearable devices. An example method includes determining that a user is wearing a secondary device; determining that the secondary device has detected a signal output by a primary device; determining that the user has confirmed an authentication factor output by the primary device; and enabling the user to access a secured resource via the primary device.
G06F 1/16 - ELECTRIC DIGITAL DATA PROCESSING - Details not covered by groups and - Constructional details or arrangements
G06F 21/32 - User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
G06F 21/34 - User authentication involving the use of external additional devices, e.g. dongles or smart cards
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04W 12/33 - Security of mobile devices; Security of mobile applications using wearable devices, e.g. using a smartwatch or smart-glasses
H04W 12/63 - Context-dependent security depending on proximity
27.
ADAPTIVE HARQ SELECTION IN HIGH DENSITY ENVIRONMENTS
A network of access points (AP) in a high-density environment may be provided. A number of packet transmission retries for one or more of the AP may be determined by setting a number, m, of retries for transmitting a data packet, where m is the upper limit of the number of retries. Data packets are then transmitted m times. Upon transmitting the data packet m times, a success probability SP(u,m) for transmission of the data packet, where u is the number of users, may be calculated. The transmission of the data packet may be repeated m-x times where x is an integer. Upon calculating the success probability for m-x times, a success probability SP(u,m-x) for transmission of the data packet may be calculated. If SP (u,m-x) is larger than SP(u,m) then x may be decreased by one and actions (b)-(f) may be repeated. If SP (u,m-x) is not larger than SP(u,m) then m-x may be set as the maximum number of retries for the data packet.
A method of creating a connection between a controller and plurality of edge devices may include reading, by a data plane development kit (DPDK) of the controller, a plurality of packets having a common destination port from the plurality of edge devices, and demuxing, by the DPDK, a number of frames of the plurality of packets based on a hash of the plurality of packets, the hash altering the common destination port of the plurality of packets with a corresponding number of sham destination ports. The method may also include, with a TUNTAP interface, injecting the plurality of packets into a network kernel, and with the network kernel, delivering the plurality of packets to a respective one of a plurality of daemon instances.
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
29.
UNICAST TO MULTICAST SERVICE REFLECTION IN SD-WAN FABRIC
Techniques for extending unicast to multicast service reflection to SD-WAN overlay networks using a virtual interface (VIF) through a centralized policy are described herein. The techniques may include receiving, by a network controller of a SD-WAN, a centralized data policy for unicast to multicast service reflection, transmitting, by the network controller and to a network edge device, the centralized data policy, designating, by the network edge device, a primary replicator to act as a multicast source and replicate packets toward a last hop router (LHR), configuring, on the primary replicator, a VIF usable to translate unicast packets to multicast packets, and applying, by the primary replicator, the centralized data policy on received packets.
H04L 45/645 - Splitting route computation layer and forwarding layer, e.g. routing according to path computational element [PCE] or based on OpenFlow functionality
Techniques for forward error correction are disclosed. These techniques include receiving a forward error correction codeword transmitted over a communication network, the codeword including a parity portion and a payload portion. The techniques further include determining, based on the parity portion, to disable forward error correction for the codeword. The techniques further include disabling forward error correction for the codeword.
A Fifth Generation (5G) and Wi-Fi Multi-Access Point Coordination (MAPc) function may be provided. A MAPc processor may determine a first traffic flow and a second traffic flow for a User Equipment (UE) and a property of the first traffic flow and of the second traffic flow. The MAPc processor may schedule restricted Target Wake Time (rTWT) service intervals on a Wi-Fi AP for the first traffic flow, and the MAPc processor may schedule rTWT service intervals on a 5G AP for the second traffic flow. The rTWT service intervals on the Wi-Fi AP may be at different times than the rTWT service intervals on the 5G AP.
Network traffic interference detection and management may be provided. An infringement event by an infringing Access Point (AP) on a Restricted Target Wake Time (rTWT) transmission opportunity (TxOp) associated with a victim AP may be detected, and information associated with the infringement event may be added to an infringement list, wherein the information includes a MAC address associated with the infringing AP. A controller may receive the infringement list and notify the infringing AP of the infringement event. The infringing AP may determine whether a transmission associated with the infringement event is low latency and high priority. When the transmission is not low latency and high priority, the infringing AP may modify future transmissions based on the notification. When the transmission is low latency and high priority, the infringing AP may notify the controller that the transmission is low latency and high priority. The controller may then create a negotiation between the victim AP and the infringing AP, wherein the negotiation comprises managing future transmissions of the victim AP and the infringing AP.
H04W 28/16 - Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
H04W 72/512 - Allocation or scheduling criteria for wireless resources based on terminal or device properties when a low latency is required, e.g. URLLC
H04W 72/541 - Allocation or scheduling criteria for wireless resources based on quality criteria using the level of interference
H04W 72/566 - Allocation or scheduling criteria for wireless resources based on priority criteria of the information, information source or recipient
Per station multi-link time scheduling may be provided. An Access Point (AP) may receive a request from a Multi-Link Device (MLD) to send a plurality of data traffics in a network for a predetermined interval. A Quality of Service (QoS) requirement may be determined for each of the plurality of data traffics. A Traffic Identifier (TID)-to-link assignment may be determined for each of the plurality of data traffics. Determining the TID-to-link assignment may comprise determining a link state of each of a plurality of links envisioned for the MLD for the predetermined interval. Each of the plurality of data traffics may be assigned to one or more of the plurality of links based on the QoS requirement for each of the plurality of data traffics and the link state of each of the plurality of links envisioned for the MLD. The TID-to-link assignment may be sent to the MLD.
Techniques for using more-specific routing to perform scalable Layer-2 (L2) stretching of subnets across hybrid-cloud environments. Routing tables in a public cloud may allow for routes that are more specific than the default local route, and the more-specific routes may be used to send all traffic to a dedicated cloud router. The more-specific routes are set up for a VPC where a subnet resides such that the more-specific routes cover at least a portion of the subnet range. The next hop for the more-specific routes points to the cloud router, which is capable of doing host routing and segmentation extension. Thus, traffic originating from endpoints in a VPC is routed to the cloud router, and the cloud router determines whether the traffic is to be re-routed back to a destination endpoint in the VPC (or another cloud location), or sent to a destination endpoint residing in the on-premises site.
This disclosure describes techniques and mechanisms for determining a change window of least impact based on the type of activity, urgency, and preference, and for highlighting risk(s) of choosing a change window. The techniques streamline and automate change window technology and provide customized and personalized change window option(s) to an administrator of a network.
H04L 41/08 - Configuration management of networks or network elements
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
36.
METHOD AND PROCEDURE FOR REAL TIME DETERMINATION OF MINIMUM FIBRE CHANNEL BUFFER TO BUFFER CREDITS ON AN INTER SWITCH LINK
A method for the real time determination of minimum fibre channel buffer to buffer credits on an inter switch link. In one particular embodiment, a method includes communicating a first frame to a receiving switch with a first timestamp, receiving a second frame with a second and third timestamp, adding a fourth timestamp to the second frame, calculating the round trip link latency time value using the first timestamp, the second timestamp, the third timestamp, and the fourth timestamp, and calculating the minimum number of buffer to buffer credits to be configured on the link to nondisruptively transmit traffic.
H04L 47/283 - Flow control; Congestion control in relation to timing considerations in response to processing delays, e.g. caused by jitter or round trip time [RTT]
H04L 47/30 - Flow control; Congestion control in combination with information about buffer occupancy at either end or at transit nodes
H04L 47/215 - Flow control; Congestion control using token-bucket
37.
IDENTITY-BASED POLICY ENFORCEMENT IN WIDE AREA NETWORKS
Techniques for user identity-based security policy enforcement. The techniques may include sending, to an edge device associated with a network, a networking policy associated with a user. The techniques may also include receiving, from an identity provider, an IP address associated with the user. Additionally, the techniques may include sending, to the edge device, an indication to associate the IP address with the user such that the edge device applies the networking policy to packets that include the IP address.
H04L 41/0895 - Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using virtualisation of network functions or resources, e.g. SDN or NFV entities
This disclosure describes techniques for performing multi-factor authentication (MFA) by utilizing user-generated authenticating gestures. The techniques may include establishing and monitoring peer-to-peer communication links between user devices. The techniques may include monitoring channel properties for fluctuations in the channel properties associated with the user-generated authenticating gesture passing through signals of the communication links. The techniques may further include comparing a gesture performed by a user to a predefined authenticating gesture. The techniques may include determining a pattern of fluctuations in the channel properties associated with the predefined authenticating gesture. The techniques may include determining a confidence score associated with comparing the gesture performed and the predefined authenticating gesture. The techniques may further include determining a proximity of the user and/or the gesture to the user device. The techniques may further include granting or denying the user access based at least in part on the proximity and/or the comparison.
Techniques and architecture are described for protecting non-HTTP and TCP/UDP applications in a zero trust network access (ZTNA)/web virtual private network (VPN) environment by establishing a secure communication channel between a native application and an application server providing an application service. More particularly, the present disclosure describes techniques and architecture that leverage the firewall, wherein a thin client on a client device enables a client desktop, establishes a secure channel from a native application, e.g., the client desktop, to the firewall, and acts as a proxy.
G06F 21/33 - User authentication using certificates
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04W 12/069 - Authentication using certificates or pre-shared keys
40.
WORKLOAD MIGRATION FOR MULTIPATH ROUTED NETWORK SESSIONS
Techniques for migrating on-premises and/or cloud-based workloads to follow a network session as it potentially migrates, due to multipathing techniques, across multiple edge and/or cloud datacenters. The techniques may include determining, by a controller of a network, that a traffic flow between an endpoint device and a workload has migrated to a different path of a multipath flow such that the traffic flow terminates at a different termination point than the workload. Based at least in part on determining that the traffic flow has migrated, the controller may cause a migration of a state of the workload to a location associated with the different termination point. That is, the controller may cause the workload to be migrated in its current state, which may be specific to the endpoint device, to follow the traffic flow.
A method of congestion mitigation may include determining whether a host is sending a read command or a write command to an NVMe controller, and in response to a determination that the host is sending the read command, transmitting the read command via a first transmission control protocol (TCP) connection between the host and the NVMe controller. The method may further include in response to a determination that the host is sending the write command, transmitting the write command via a second TCP connection between the host and the NVMe controller.
G06F 3/06 - Digital input from, or digital output to, record carriers
G06F 13/00 - Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
42.
CONTROL FLOW INTEGRITY ENFORCEMENT FOR APPLICATIONS RUNNING ON PLATFORMS
Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining telemetry representing execution of a process on a computing system and accessing a learned control flow directed graph for the process. A transfer of an instruction pointer is determined based on the telemetry, and a validity of the transfer is determined based on the learned control flow directed graph. If the transfer is invalid, an action to terminate the process is determined; otherwise, when the transfer is valid, it may be allowed to execute.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/55 - Detecting local intrusion or implementing counter-measures
43.
DEVICE AUTHENTICATION AND NETWORK FUNCTION REGISTRATION AND DISCOVERY FOR 5G VERTICAL NETWORKS
The present disclosure provides solutions to registration and discovery of NFs in vertical 5G networks at the operator network, as well as handling tasks such as authentication of connecting end terminals at the operator network level. In one aspect, a method includes receiving, at a network controller of an operator network and from an end terminal, a request for access to a network function (NF) of a vertical network, the request including a type of the NF in the vertical network; authenticating, at the network controller, the end terminal; upon authenticating the end terminal, identifying, at the network controller, the NF requested by the end terminal based at least on the type of the NF included in the request; and facilitating, by the network controller, access to the NF in the vertical network by the end terminal.
Techniques and apparatus for optimizing transmitter equalization are described. An example technique includes capturing a single output signal transmitted from a port on at least one channel of a host device. An impulse response of the channel is determined based at least in part on the single output signal. A transmitter feedforward equalization (FFE) is generated, based at least in part on the impulse response of the channel. The transmitter FFE is applied to the channel of the port of the host device.
Coordinated Orthogonal Frequency Division Multiple Access (C-OFDMA) in high density networks may be provided. A primary Access Point (AP) and a subordinate AP may be caused to use an omnidirectional antenna pattern during a synchronization period. Next, the primary AP and the subordinate AP may be caused to use an omnidirectional antenna pattern during a time in which the primary AP sends a subordinate Trigger Frame (TF) during a first C-OFDMA period. The primary AP and the subordinate AP may then be caused to use a directional antenna pattern during the times in which the primary AP and the subordinate AP carry Uplink (UL) data during the first C-OFDMA period and Downlink (DL) data during the first C-OFDMA period.
H04B 7/06 - Diversity systems; Multi-antenna systems, i.e. transmission or reception using multiple antennas using multiple spaced independent antennas at the transmitting station
H04W 16/28 - Cell structures using beam steering
H04W 84/12 - Wireless local area networks [WLAN]
A system of one embodiment that provides stateless symmetric forwarding of packets in a computer network. The system includes a memory and a processor. The system is operable to determine a cluster state of a plurality of border routers in a cluster. The system is operable to communicate the cluster state to at least one branch node in the computer network. The system is operable to generate a network level consistent hash based on the cluster state. The system is operable to route a first packet through a first border router of the plurality of border routers in the cluster using the network level consistent hash. After the first packet is sent through the first border router, the system is further operable to route a second packet through the first border router of the plurality of border routers in the cluster using the network level consistent hash.
This disclosure describes techniques and mechanisms for performing user defined network (UDN) service authorization based on secondary identity credentials within a wireless network. For instance, the techniques may include receiving, from a user device, a first request to access a wireless network (e.g., a WLAN), where the first request may include primary access credentials for accessing the WLAN. Once primary access authentication of the user device is complete, the techniques may include receiving a second request from the user device to access a UDN group within the wireless network. The second request can include secondary credentials for accessing the UDN group. In response to the second request, a secondary LAP dialogue may be established to authenticate the user device using the secondary credentials. Once the secondary credentials are authenticated, the techniques may include granting the user device access to the UDN group.
Disclosed are a system and a method for selecting an additional radio link from a second access point after a connection with a first access point has been established. The first and second access points cooperate with each other by sharing information about performance and available resources. They communicate this information to a multi-link non-AP MLD device requesting the additional radio link so that the non-AP MLD can make a selection that matches the needs of its request. Information about performance includes throughput, a delay between access points, and a delay between access points and a gateway connected to the access points.
H04W 76/34 - Selective release of ongoing connections
H04W 48/12 - Access restriction or access information delivery, e.g. discovery data delivery, using downlink control channel
H04W 84/12 - Wireless local area networks [WLAN]
49.
POWER GUIDANCE FOR BATTERY-POWERED IOT AND SMART DEVICES
Methods and a system described herein manage the power of IoTs and smart devices operating on a wireless network. When an access point coupled to the network receives a low power indication from a battery-powered IoT or smart device, it may take several actions in response. In one case, it extends the target wake time to become longer and longer to preserve the device's battery. In addition, the device changes its operation to conserve power. In another case, it provides power over the wireless network to the wireless device. The access point restores the target wake time when the device returns to a power-ok condition. The device resumes operation according to the parameters in effect before the low power condition occurred.
H02J 50/20 - Circuit arrangements or systems for wireless supply or distribution of electric power using microwaves or radio frequency waves
50.
LEVERAGING CONTEXTUAL METADATA COMMUNICATION TO IMPROVE DNS SECURITY
Techniques for leveraging efficient metadata communications to improve domain name system (DNS) security are described. The DNS service uses a hash value to uniquely identify a client, and detect any change in metadata in order to keep policies up-to-date for the client. In an example method a first DNS query for a client device is intercepted. A cryptographic hash function is applied to metadata associated with the client device to generate a hash value. The hash value is added to an additional records section of the first DNS query to generate a second DNS query. The second DNS query is transmitted to a DNS service. The metadata associated with the client device is transmitted to the DNS service on an out-of-band encrypted channel. A DNS response, including the hash value, is received from the DNS service and transmitted to the client device.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
H04L 61/59 - Using proxies for addressing
A system of one embodiment allows for redirecting service and API calls for containerized applications in a computer network. The system includes a memory and a processor. The system processes a plurality of application workflows of a containerized application workload. The system then identifies at least one application workflow of the plurality of application workflows and at least one workflow-specific routing rule associated with the at least one application workflow. The system then determines at least one proxy server address for each identified application workflow based on the at least one associated workflow-specific routing rule. The system then may communicate the at least one identified application workflow to the at least one proxy server using the at least one determined proxy server address.
Techniques for a hub node, provisioned in a network site of a hub and spoke overlay network, to receive a network advertisement from a spoke, decode network routing requirements from a border gateway protocol (BGP) large community associated with the network advertisement, and store the network routing requirements in association with a route associated with the spoke. The routing requirements may indicate one or more service(s) to be applied to the packet, a trust level associated with the spoke, and/or a trust zone associated with the spoke. The hub node may receive a packet from the spoke to be transmitted to a destination spoke. The hub node may then route the packet to the destination spoke, drop the packet, or send the packet to a service node configured to apply the one or more services to the packet based on the routing requirements.
Described herein are systems and methods for reducing collisions in a wireless network with overlapping basic service sets by synchronizing contention slots among stations (access points or non-access point clients), some of which are out of range, competing for the use of the wireless medium. In some embodiments, the contention slots of competing stations are synchronized by controlling the time of transmission and the time of the spacing between frames to be an integer multiple of the time of a contention slot. In some embodiments, slot boundaries are enforced by controlling guard intervals or by trigger-based uplink communications. In other embodiments, a central network controller, such as a network controller, synchronizes slots when an access point or station joins the wireless network or uses a neighbor discovery protocol among access points. The contention slots are synchronous in all cases throughout the overlapping basic service sets.
A method includes determining, based on (i) a transmit time and a receive time of a request packet from a first access point (AP) to a client device and (ii) a transmit time and a receive time of a response packet from the client device to the first AP, a distance between the first AP and the client device and adjusting a transmit power of the first AP based at least in part on the distance between the first AP and the client device.
H04W 52/14 - Separate analysis of uplink or downlink
H04W 36/00 - Hand-off or reselection arrangements
H04W 52/28 - Transmission power control [TPC] being performed according to specific parameters using user profile, e.g. mobile speed, priority or network state, e.g. standby, idle or non-transmission
H04L 1/00 - Arrangements for detecting or preventing errors in the information received
55.
ADDING CONTROL OR MANAGEMENT DATA TO BLOCK ACKNOWLEDGE OR PROTOCOL DATA UNIT
Disclosed are methods and systems for efficiently gathering reports from stations coupled to an access point via a wireless network. In some cases, the reports may be attached to block acknowledge frames, which occur often. Alternatively, when multiple stations operate with assigned resource units during a transmission opportunity (TXOP), the reports are embedded in the spare capacity of the physical protocol data units used during the TXOP.
Intelligent distribution of packet flows may be provided. Compute resource data may be received. Next, packets may be classified into flows that may be persistently mapped to compute resources for a lifetime of the flows. Based on the compute resource data, the flows may then be allocated to the compute resources.
Techniques for a hub node, provisioned in a site of a hub and spoke overlay network, to receive, store, and/or forward network routing information associated with a spoke, and send packets directly to spoke(s) that are remote from the hub node. A first hub node may receive a network advertisement including a border gateway protocol (BGP) large community string from a first spoke local to the first hub node. The first hub node may send the BGP large community string to a second hub node remote from the first hub node. The second hub node may decode network routing information from the BGP large community string and store the network routing information locally. The second hub node may send a packet from a second spoke local to the second hub node directly to the first spoke without the data packet being routed via the first hub node.
Techniques for beamforming from wireless stations (STAs) are disclosed. These techniques include identifying a plurality of STAs for a beamforming group, for transmission to a wireless access point (AP). The techniques further include receiving, at the AP, first data transmitted from each of the plurality of STAs in the beamforming group to the AP at least partially at the same time, wherein the transmitting the first data from each of the plurality of STAs results in constructive interference between the transmissions from the plurality of STAs to the AP, and wherein the same first data is received from each of the plurality of STAs in the beamforming group.
H04B 7/0452 - Multi-user MIMO systems
H04B 7/06 - Diversity systems; Multi-antenna systems, i.e. transmission or reception using multiple antennas using multiple spaced independent antennas at the transmitting station
H04B 7/024 - Co-operative use of antennas of several sites, e.g. in co-ordinated multipoint or co-operative multiple-input multiple-output [MIMO] systems
A method includes grouping a plurality of access points based on a proximity of the plurality of access points to each other and determining, based on AFC reports for each of the plurality of access points, a first frequency band in which a threshold number of the plurality of access points are prevented from operating or are limited to operating at a first power that is lower than a maximum allowed standard power. The method also includes determining whether power cutoff in the first frequency band should be static or dynamic and if the power cutoff should be static, instructing the plurality of access points to use a portion of the first frequency band. The method further includes, if the power cutoff should be dynamic, instructing a first subset of the plurality of access points to operate at the first power in the first frequency band.
H04W 52/14 - Separate analysis of uplink or downlink
H04W 52/36 - Transmission power control [TPC] using constraints in the total amount of available transmission power with a discrete range or set of values, e.g. step size, ramping or offsets
H04W 16/00 - Network planning, e.g. coverage or traffic planning tools; Network deployment, e.g. resource partitioning or cell structures
60.
INFRASTRUCTURE-LED OPTIMIZATION FOR WI-FI 7 MULTILINK DEVICES
Methods and a system described herein form collections of stations based on capabilities and classification of the station and on radio capacity and link budgets of the bands in which the stations operate. Once a collection is formed, a check occurs to determine if there is a rebalancing event, such as a change in the capabilities and classification of a station or a change in the radio capacity and link budgets. If so, then the stations are reassigned to different collections. If no rebalancing event occurs, then the assignment is checked to determine if the loads on the links are well-balanced. If so, a radio link recommendation is sent to the stations.
Enhanced network level information for power control is described. The enhanced network level information enables network connected electronic devices to enter and exit standby modes based on system level information. The network level information also enables the use of a respective network connected device in a seamless manner from the perspective of the user, while decreasing the amount of energy consumed by the device when not in active operation. In some examples, a Network Monitoring Application (NMA) classifies electronic devices into power control categories, monitors a physical environment associated with the plurality of connected electronic devices, and provides a power control signal to the various electronic devices upon detection of a change in the physical environment.
Systems and techniques for performing traffic management in a wireless network using predictive traffic identifier (TID)-to-link mapping are described. An example technique includes obtaining one or more metrics associated with communication between a client station (STA) and an access point (AP) in a wireless network. The communication between the client STA and the AP is based on a first TID-to-link map. A second TID-to-link map is determined, based at least in part on evaluating the one or more metrics with a machine learning model. Communications between the client STA and the AP are performed based on the second TID-to-link map.
A method for application control and Quality of Service (QoS) handling may be provided. A request may be received for scheduling a communication between an Access Point (AP) and a user device for sending data of an application. It may be determined that the request does not comprise network characteristics of the application. In response to determining that the request does not comprise the network characteristics of the application, the network characteristics may be requested from a Wireless Local Area Network (WLAN) controller. The network characteristics may be received from the WLAN controller. Schedules for the application may be determined based on the network characteristics. The schedules may be enabled.
H04L 65/80 - Arrangements, protocols or services in data packet communication networks for supporting real-time applications responsive to the quality of service [QoS]
H04W 28/02 - Traffic management, e.g. flow control or congestion control
H04W 84/12 - Wireless local area networks [WLAN]
64.
MULTICAST MTRACE EXTENSION TO TRACE ANY-SOURCE MULTICAST (ASM) SOURCE
In one embodiment, a method by a router in a multicast network for a multicast mtrace extension to trace one or more any-source multicast (ASM) sources includes transmitting an mtrace (*,G) route to a last hop router, receiving an active source list, and creating an mtrace (S,G) route for a rendezvous point (RP) to initiate based on the received active source list.
This disclosure describes techniques and mechanisms for providing an intelligent de-scheduler filtering system that minimizes service disruptions within a network. The techniques may provide continuous monitoring of clusters within a dynamic system and provide an intelligent determination of pod(s) within a cluster to move by utilizing a disruption score based on disruption policies, balancer policies, service level agreement policies, and other data associated with the cluster and/or pods. The techniques enable a subset of pods that are flagged as violating compute usage to be selected to be moved, such that the subset will result in the least disruption to move to help restore or realign compute resources in the system.
Techniques for communication network routing include receiving, at a routing device associated with a first site in an overlay communication network, a dynamic parameter value associated with each of a plurality of additional sites in the overlay communication network. The plurality of additional sites are each configured to provide a first network service for a computing device in the first site. A second site in the overlay communication network is selected, from among the plurality of additional sites, based on a first dynamic parameter value associated with the first site and a received second dynamic parameter value associated with the second site. The first network service is provided from the second site for the computing device, based on the selecting the second site.
H04L 45/64 - Routing or path finding of packets in data switching networks using an overlay routing layer
H04L 67/1021 - Server selection for load balancing based on client or server locations
H04W 40/20 - Communication route or path selection, e.g. power-based or shortest path routing, based on geographic position or location
Disclosed are systems, apparatuses, methods, and computer-readable media for providing interoperable heterogenous networks. A method comprises configuring a logical network with a first network and a second network; receiving a request message from a source device by the first border device in the first network, wherein the request message includes a related to a media access control (MAC) address associated with a destination device in the second network; sending a proxy message to the second border device based on the request message, the proxy message having a source address that identifies an external IP address associated with the first border device; receiving a response message including the MAC address of the destination device, wherein the response message is addressed to the external address of the first border device; and sending a border gateway protocol (BGP) update including the MAC address of the destination device.
H04L 61/103 - Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
68.
QUALITY OF EXPERIENCE REPORTING OVER NON-ACCESS STRATUM (NAS) SIGNALING
Disclosed herein are systems, methods, and computer-readable media for reporting the QoE of a UE, as measured and determined from the perspective of the UE, to one or more core components of the cellular network to which the UE is attached. The QoE may then be used by the one or more core components for managing and adjusting, if necessary, the cellular services provided to the UE. In one aspect, a method includes determining, at a user device, a quality of experience (QoE) of the user device connected to a cellular network and transmitting, via non-access stratum (NAS) signaling, a value of the QoE from the user device to a core network element of the cellular network, wherein the core network element utilizes the QoE value to manage network access and a quality of service (QoS) of the user device.
In one embodiment, a method by a router in a multicast network includes receiving a multicast trace query comprising a data packet, editing the multicast trace query to include data corresponding to the data packet, transmitting the edited multicast trace query to a subsequent router, transmitting a first message indicating the edited multicast trace query was transmitted to the subsequent router, and starting a timer for a determined period of time.
Systems, methods, and computer-readable media are disclosed for dynamically onboarding a UE between private 5G networks. In one aspect, a private 5G (P5G) federation system can receive a request from a user device for registration with a serving private 5G network, which is part of a P5G federation system. The P5G federation system can further determine that the user device is authenticated with a home private 5G network of the user device, which is also part of the P5G federation system. The P5G federation system can transmit, to the serving private 5G network, a security profile of the user device that is received from the home private 5G network. As follows, the P5G federation system can facilitate onboarding of the user device to the serving private 5G network with the security profile.
A network device has a first OS component, and a second OS component is added to run concurrently with the first. The first OS component transmits routing information to the second OS component, where it is stored in memory. The second OS component registers with a routing infrastructure to receive packets that are routed to the first OS component. A timestamp and a first ID are added to a first instance of a packet and transmitted to the first OS component. The timestamp and a second ID are added to a second instance of the packet and transmitted to the second OS component. First functionality data for the first OS component is transmitted to a controller. Second functionality data for the second OS component is transmitted to the controller. The first and second functionality data are compared to determine whether to replace the first OS component with the second OS component.
H04L 45/655 - Interaction between route computation entities and forwarding entities, e.g. for route determination or for flow table update
72.
SOFTWARE-AS-A-SERVICE PROBE AGGREGATION IN NETWORKS
Techniques for sharing the probing of software-as-a-service clouds among a cluster of routers are described herein. The techniques may include establishing a first path between a cluster of routers and an application infrastructure, establishing a second path between the cluster of routers and the application infrastructure, designating a first router in the cluster to send probes over the first path to the application infrastructure, and designating a second router in the cluster to send probes over the second path to the application infrastructure. The first router distributes, to the cluster of routers, first routing performance data indicating the performance of the first path when communicating with the application infrastructure over the first path, and the second router distributes, to the cluster of routers, second routing performance data indicating the performance of the second path when communicating with the application infrastructure over the second path.
H04L 45/302 - Route determination based on requested quality of service [QoS]
H04L 45/00 - Routing or path finding of packets in data switching networks
H04W 40/12 - Communication route or path selection, e.g. power-based or shortest path routing, based on transmission quality or channel quality
73.
SYSTEMS AND METHODS FOR APPLICATION CLUSTERING BASED ON INCLUDED LIBRARIES AND OBSERVED EVENTS
In one embodiment, a system provides proactive security policy suggestions for applications based on the applications' software composition and runtime behavior. The system includes a memory and a processor. The system is operable to access data that represents one or more features of an application. The application runs on one or more nodes in a computer network, and a feature indicates an application library present on the node. The system is operable to apply a clustering algorithm to the data to generate a plurality of cluster sets, determine a security policy to apply to a cluster set of the plurality of cluster sets, and apply the security policy to an application whose features are represented by the data in the cluster set.
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
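The clustering and policy-derivation steps above, as an added worked example (this is not the patent's code; the feature sets, the similarity threshold and the policy rules are this example's own choices): applications are described by the libraries they include and the events observed at runtime, clustered greedily by Jaccard similarity, and each cluster gets a default-deny policy in which the events common to every member are allowed and events seen in only some members are flagged for review.

```python
"""Added example: cluster applications by included libraries and observed
runtime events, then derive a policy suggestion per cluster.

All application names, features and thresholds below are constructed for
illustration; the clustering algorithm and policy rules are this example's
own choices, not the patent's."""


def jaccard(a, b):
    """Jaccard similarity of two feature sets (1.0 means identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_apps(apps, threshold=0.5):
    """Greedy average-link clustering over feature sets.

    apps: dict of app name -> set of features ("lib:<library>" or
    "ev:<observed event>"). Each app joins the most similar existing cluster
    if the mean similarity to its members reaches the threshold; otherwise it
    starts a new cluster. Names are visited in sorted order so the result is
    deterministic."""
    clusters = []
    for name in sorted(apps):
        best, best_sim = None, 0.0
        for members in clusters:
            sim = sum(jaccard(apps[name], apps[m]) for m in members) / len(members)
            if sim > best_sim:
                best, best_sim = members, sim
        if best is not None and best_sim >= threshold:
            best.append(name)
        else:
            clusters.append([name])
    return clusters


def suggest_policy(apps, members):
    """Policy for one cluster: events every member exhibits are allowed,
    events only some members exhibit are flagged for review, everything
    else is denied (default deny)."""
    feature_sets = [apps[m] for m in members]
    common = set.intersection(*feature_sets)
    seen = set.union(*feature_sets)
    return {
        "members": list(members),
        "allow": sorted(f for f in common if f.startswith("ev:")),
        "review": sorted(f for f in seen - common if f.startswith("ev:")),
        "default": "deny",
    }


def evaluate(policy, event):
    """Apply a cluster policy to one observed event of a member application."""
    if event in policy["allow"]:
        return "allow"
    if event in policy["review"]:
        return "review"
    return policy["default"]


# Constructed sample data: two groups of services that share libraries and
# behaviour, with one outlier listening port inside the first group.
SAMPLE_APPS = {
    "billing-api": {"lib:openssl", "lib:libpq", "ev:connect:5432", "ev:listen:8443"},
    "orders-api": {"lib:openssl", "lib:libpq", "ev:connect:5432", "ev:listen:8443"},
    "inventory-api": {"lib:openssl", "lib:libpq", "ev:connect:5432", "ev:listen:8080"},
    "log-shipper": {"lib:zlib", "lib:libcurl", "ev:connect:443", "ev:read:/var/log"},
    "metrics-agent": {"lib:zlib", "lib:libcurl", "ev:connect:443", "ev:read:/proc"},
}

if __name__ == "__main__":
    for members in cluster_apps(SAMPLE_APPS):
        pol = suggest_policy(SAMPLE_APPS, members)
        print(pol["members"], "allow:", pol["allow"], "review:", pol["review"])
```

Running the block prints one line per cluster. The point for a practitioner is that the policy is learned from the cluster's common behaviour rather than from any single application, so a member that starts listening on a port its peers never use lands in the review bucket instead of being silently allowed.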
74.
PARALLEL EXECUTION OF NETWORK SERVICES WITH OVERLAPPING DEVICE CONFIGURATION
Techniques, methods, and systems for managing a set of data network nodes in a Network Management System (NMS). In some examples, a method may include receiving, at the network orchestrator, a service invocation for a service transaction associated with a transaction object; storing, by the network orchestrator, service metadata as part of the transaction object; determining whether there is a service metadata conflict associated with the transaction object; and in response to determining that there is the service metadata conflict associated with the transaction object, retrying the service transaction; or in response to determining that there is no service metadata conflict associated with the transaction object, applying the service metadata to one or more nodes of the set of data nodes.
H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements, characterised by the time relationship between creation and deployment of a service
H04L 41/0893 - Assignment of logical groups to network elements
H04L 41/0895 - Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
75.
DYNAMICALLY ENABLING A TRANSPORT CONTROL PROTOCOL PROXY FOR SATELLITE NETWORKS
Techniques for a TCP proxy to communicate over a LEO satellite network on behalf of a client device by selecting a TCP congestion-control algorithm that is optimal for the LEO satellite network based on the time of day and/or the location of the TCP proxy. Because the satellites traverse predefined and patterned orbital paths, different TCP congestion-control algorithms may be better suited to communicating data through the LEO satellite network at different times of day. However, client devices generally use a single TCP congestion-control algorithm to communicate over WAN networks. Accordingly, a TCP proxy may be inserted on, for example, a router to communicate with the client device using the TCP congestion-control algorithm that the client device is configured to use, while communicating over the LEO satellite network using a different TCP congestion-control algorithm that is optimal based on the time of day and/or other factors.
H04L 47/10 - Flow control; Congestion control
H04L 47/12 - Avoiding congestion; Recovering from congestion
H04L 47/193 - Flow control; Congestion control in layers above the network layer, at the transport layer, e.g. TCP related
H04L 47/283 - Flow control; Congestion control in relation to timing considerations, in response to processing delays, e.g. caused by jitter or round trip time [RTT]
76.
OPTIMAL DATA PLANE SECURITY & CONNECTIVITY FOR SECURED CONNECTIONS
Techniques for creating an optimal and secure data plane based on network constraints. The techniques include establishing an initial networking connection (118) for a data flow between a client device (102) and a resource (104) such that data plane traffic of the data flow is routed through a relay node (122) disposed between the client device and the resource, determining, using a Session Traversal Utilities for Network Address Translators (STUN) server (124), an alternate networking connection (126) for the data flow that bypasses the relay node, and, based at least in part on a determination that the alternate networking connection is a better path for the data plane traffic than the initial networking connection, causing the data plane traffic of the data flow to be routed over the alternate networking connection.
H04L 61/2575 - NAT traversal using address-mapping retrieval, e.g. simple traversal of user datagram protocol through session traversal utilities for NAT [STUN]
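The STUN exchange that discovers the alternate connection, as an added example (not code from the patent; the addresses, RTT values and preference margin are constructed, while the message framing follows RFC 5389): the client sends a Binding request, the server answers with the reflexive address it saw, XORed with the magic cookie, and the client accepts only a response carrying its own transaction ID before deciding whether to move the data plane off the relay.

```python
"""Added example: the STUN Binding exchange used to discover a reflexive
(post-NAT) address, as both sides would build and parse it (RFC 5389 wire
format), plus the path choice between the relayed and the direct connection.

The server, client and NAT addresses, RTT figures and the preference margin
are constructed; the STUN framing follows the RFC."""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """Client side: 20-byte header, no attributes, fresh 96-bit transaction ID."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def build_binding_response(txn_id, reflexive_ip, reflexive_port):
    """Server side: echo the transaction ID and return the address the request
    arrived from, XORed with the magic cookie (XOR-MAPPED-ADDRESS, IPv4)."""
    addr = int(ipaddress.IPv4Address(reflexive_ip))
    value = struct.pack("!BBHI", 0, 0x01,
                        reflexive_port ^ (MAGIC_COOKIE >> 16),
                        addr ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_binding_response(msg, expected_txn_id):
    """Client side: validate the header, bind the reply to our own transaction
    ID (so an injected or replayed response is rejected) and decode the
    reflexive address."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    mtype, length, cookie, txn_id = struct.unpack("!HHI12s", msg[:20])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if txn_id != expected_txn_id:
        raise ValueError("transaction ID mismatch")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type {mtype:#06x}")
    body = msg[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family == 0x01:
                port = xport ^ (MAGIC_COOKIE >> 16)
                ip = str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE))
                return ip, port
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")


def choose_path(relay_rtt_ms, direct_rtt_ms, direct_reachable, margin_ms=5.0):
    """Keep the relayed data plane unless the direct path is reachable and
    measurably better; the margin avoids flapping on near-equal RTTs."""
    if direct_reachable and direct_rtt_ms + margin_ms < relay_rtt_ms:
        return "direct"
    return "relay"


if __name__ == "__main__":
    txn = os.urandom(12)
    req = build_binding_request(txn)
    # Constructed scenario: a NAT rewrote the client's source to
    # 203.0.113.7:40001 before the STUN server saw the request.
    resp = build_binding_response(txn, "203.0.113.7", 40001)
    print(parse_binding_response(resp, txn), choose_path(48.0, 21.0, True))
```

The transaction-ID check is the part worth keeping in mind: an attacker who can inject UDP toward the client could otherwise hand it a bogus reflexive address and steer where the "direct" path goes.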
77.
AUTHENTICATION AND ENFORCEMENT OF DIFFERENTIATED POLICIES FOR A BRIDGE MODE VIRTUAL MACHINE IN A MAC-BASED AUTHENTICATION NETWORK
Techniques for authenticating and enforcing differentiated policies for a virtual machine (VM) executing in bridge mode on a wireless host device in a media access control (MAC)-based authentication network are described. In an example method, a wireless host device is authorized to join a fabric enabled wireless network. A VM executes in bridge mode on the wireless host device. At the fabric edge, a source MAC address of the VM is determined. A session is created between the VM and an authentication server. The VM is authenticated. A policy for the VM is determined. A source internet protocol (IP) address is assigned to the VM to create a MAC-IP binding. A data-plane device in the fabric enabled wireless network is programmed to apply the policy to traffic communicated with the VM. Finally, the data-plane device applies the policy for the VM based at least in part on the MAC-IP binding.
H04L 61/103 - Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
H04L 61/5014 - Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
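The MAC-based authentication and enforcement flow above, as an added example (the patent does not publish code; the authentication-server table, the MAC and IP addresses and the policies are constructed, and the class is this example's own stand-in for the fabric edge and data-plane device). A wireless host and a VM bridged through its radio each present their own source MAC, are authenticated separately, receive their own IP and therefore their own MAC-IP binding, and the data-plane check rejects frames whose source IP does not match the binding before it applies the endpoint's policy.

```python
"""Added example: fabric-edge enforcement of per-MAC policy for a wireless
host and a bridge-mode VM behind it, keyed on the MAC-IP binding created at
authentication time.

The authentication server table, policies, MAC and IP addresses are
constructed; the class is this example's own stand-in for the fabric edge
and data-plane device, not the patent's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    allowed_tcp_ports: frozenset


# Constructed stand-in for what the authentication server returns per MAC.
# The laptop and the VM bridged through its radio get different policies.
AUTH_SERVER = {
    "aa:bb:cc:00:00:01": Policy("employee-laptop", frozenset({22, 443, 8443})),
    "aa:bb:cc:00:00:02": Policy("lab-vm", frozenset({443})),
}


class FabricEdge:
    """Learns source MACs, authenticates them, assigns IPs and enforces the
    resulting MAC-IP binding plus the per-endpoint policy on every frame."""

    def __init__(self, auth_server, subnet="10.1.1", first_host=10):
        self.auth_server = auth_server
        self.subnet = subnet
        self.next_host = first_host     # constructed DHCP-like allocator
        self.bindings = {}              # mac -> (ip, policy)

    def onboard(self, src_mac):
        """MAC-based authentication of a newly seen source MAC. Returns the
        assigned IP, or None when the authentication server rejects the MAC."""
        mac = src_mac.lower()
        policy = self.auth_server.get(mac)
        if policy is None:
            return None
        ip = f"{self.subnet}.{self.next_host}"
        self.next_host += 1
        self.bindings[mac] = (ip, policy)
        return ip

    def forward(self, src_mac, src_ip, dst_tcp_port):
        """Data-plane decision for one frame. Unknown MACs and frames whose
        source IP does not match the binding are dropped before any policy
        lookup; only then is the endpoint's own policy applied."""
        binding = self.bindings.get(src_mac.lower())
        if binding is None:
            return "drop:unauthenticated"
        bound_ip, policy = binding
        if src_ip != bound_ip:
            return "drop:mac-ip-mismatch"
        if dst_tcp_port not in policy.allowed_tcp_ports:
            return f"drop:policy:{policy.name}"
        return f"forward:{policy.name}"


if __name__ == "__main__":
    edge = FabricEdge(AUTH_SERVER)
    host_ip = edge.onboard("aa:bb:cc:00:00:01")
    vm_ip = edge.onboard("AA:BB:CC:00:00:02")
    print(edge.forward("aa:bb:cc:00:00:01", host_ip, 22))   # forward:employee-laptop
    print(edge.forward("aa:bb:cc:00:00:02", vm_ip, 22))     # drop:policy:lab-vm
    print(edge.forward("aa:bb:cc:00:00:02", host_ip, 443))  # drop:mac-ip-mismatch
```

The third call is the case the binding exists for: the VM shares the host's radio and could put the host's IP in its own frames, but the edge keys on the source MAC and drops the frame before the more permissive laptop policy can apply.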
The present disclosure relates to simultaneous operation of Wi-Fi access points in a super cell mode and a standalone mode and controlling connectivity of end terminals thereto. In one aspect, a method includes receiving a configuration for a group of access points operating within a network, the configuration allowing each access point of the group to operate in a super cell mode over a shared frequency channel and a standalone mode over a non-shared frequency channel. The method further includes determining, for an end terminal, whether the end terminal is to connect to the network over the shared frequency channel or the non-shared frequency channel based on a network policy to yield a determination; and controlling connectivity of the end terminal to at least one access point of the group of access points over the shared frequency channel or the non-shared frequency channel based on the determination.
This disclosure describes multiplexed optical transceivers, such as DWDM multiplexer/demultiplexers, which are aggregated in a server chassis to establish a fabric topology interconnecting blade servers to a dedicated switch module. Blade servers installed in the server chassis can utilize not just Ethernet interfaces to connect to network segments, but also PCIe interfaces as well as a combination of Ethernet and PCIe interfaces. The aggregated optical transceivers multiplex and demultiplex wavelength-specific optical signals using a laser source, reducing power consumption over switched fabric ASICs. Servicing of the multiplexed optical transceivers is facilitated by installation and replacement of a laser source. Scaling and redundancy of fabric topology interconnects can be facilitated by selection of laser sources generating expanded ranges of discrete wavelengths. Furthermore, chassis management can be facilitated by configuring network controllers of blade servers to transport chassis management instructions over the fabric topology in-band over a network interface, rather than by an out-of-band pathway.
This disclosure describes techniques and mechanisms for providing hybrid cloud services for an enterprise fabric. The techniques include enhancing an on-demand protocol (e.g., LISP) and allowing simplified security and/or firewall service insertion for the datacenter servers providing those services. Accordingly, the techniques described herein provide hybrid cloud services that work in a disaggregated, distributed, and consistent way while avoiding complex datacenter network devices (e.g., running an overlay on top-of-rack (TOR) switches); that functionality is moved to servers that speak the on-demand protocol, which receive the required mappings and register and publish their service information so as to interact intelligently with the network.
In one embodiment, a method includes receiving, by a network node, traffic within a hierarchical software-defined wide area network (SD-WAN). The method also includes determining, by the network node, a destination region of the traffic, the destination region being within the hierarchical SD-WAN. The method further includes classifying, by the network node, the traffic based on a destination match condition, where the destination match condition is associated with two or more destination regions.
In one embodiment, a method includes acquiring an Internet Protocol version 6 (IPv6) address for a physical interface of a first network element. The method also includes configuring an Internet Protocol version 4 (IPv4) over IPv6 tunnel between the first network element and a second network element using the physical interface of the first network element. The method further includes acquiring an updated IPv6 address for the physical interface of the first network element and using an IPv6 Service Level Agreement (SLA) Hypertext Transfer Protocol (HTTP) operation to notify the second network element of the updated IPv6 address to establish a bidirectional IPv4 over IPv6 tunnel.
Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with the Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with the IP address of an endpoint device, such as a server, the DNS instead returns a random IP address that is mapped to the client device and the endpoint device. In this way, the IP addresses of servers are obfuscated by a random IP address that cannot be used to identify the endpoint device or service. The client device may then communicate data packets to the server using the random IP address as the destination address, and a gateway that works in conjunction with DNS can convert the random IP address to the actual IP address of the server using NAT and forward the data packet on to the server.
H04L 61/2503 - Translation of Internet protocol [IP] addresses
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
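The random-address scheme above, as an added example (not the patent's code; the zone data, the address pool and the client addresses are constructed, and the data structures are this example's own): the resolver issues a random address from a private pool per (client, hostname) pair, the gateway translates it to the real server address only for the client it was issued to, and the reverse translation rewrites the server's replies.

```python
"""Added example: a resolver that answers with a random IP bound to the
(client, hostname) pair, and the gateway NAT that maps it back to the real
server only for that client.

Authoritative records, the address pool and the client addresses are
constructed; the data structures are this example's own."""
import ipaddress
import random

AUTHORITATIVE = {"api.example.test": "198.51.100.20"}  # constructed zone data


class MappingTable:
    """Shared state between the anonymizing DNS front end and the gateway."""

    def __init__(self, pool_cidr="100.64.0.0/10", rng=None):
        self.pool = ipaddress.ip_network(pool_cidr)
        self.rng = rng or random.SystemRandom()
        self.by_key = {}       # (client_ip, hostname) -> random_ip
        self.by_random = {}    # (client_ip, random_ip) -> real_ip
        self.in_use = set()

    def allocate(self, client_ip, hostname, real_ip):
        """Return the existing random address for this client and name, or
        draw a fresh unused one from the pool (network and broadcast
        addresses excluded) and record both lookup directions."""
        key = (client_ip, hostname)
        if key in self.by_key:
            return self.by_key[key]
        while True:
            idx = self.rng.randrange(1, self.pool.num_addresses - 1)
            rand_ip = str(self.pool[idx])
            if rand_ip not in self.in_use:
                break
        self.in_use.add(rand_ip)
        self.by_key[key] = rand_ip
        self.by_random[(client_ip, rand_ip)] = real_ip
        return rand_ip


def dns_resolve(table, client_ip, hostname):
    """Answer a query with a random IP instead of the server's real address."""
    real_ip = AUTHORITATIVE.get(hostname)
    if real_ip is None:
        return None
    return table.allocate(client_ip, hostname, real_ip)


def gateway_outbound(table, client_ip, dst_ip):
    """Rewrite the random destination to the real server. The lookup is keyed
    on the client too, so a random IP that leaks to another host is useless."""
    return table.by_random.get((client_ip, dst_ip))


def gateway_inbound(table, client_ip, src_ip):
    """Reverse translation for the server's reply back to the client."""
    for (c, rand_ip), real in table.by_random.items():
        if c == client_ip and real == src_ip:
            return rand_ip
    return None


if __name__ == "__main__":
    table = MappingTable()
    answer = dns_resolve(table, "10.0.0.5", "api.example.test")
    print(answer, gateway_outbound(table, "10.0.0.5", answer),
          gateway_outbound(table, "10.0.0.6", answer))
```

Keying the mapping on the client as well as on the random address is what makes the obfuscation hold up: a random address captured from one client's DNS reply resolves to nothing when another host tries to use it, so it cannot be used to fingerprint or reach the service.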
An efficient method to handle fragmented packets in multi-node all-active clusters. In one particular embodiment, a method includes receiving an initial fragment packet at a node in a cluster, creating a secondary flow table, linking the secondary flow table to a primary flow table, determining the primary flow owner of the initial fragment packet, and transmitting initial and succeeding fragment packets out of the cluster through, if possible, the primary flow owner.
In one embodiment, a method includes receiving traffic and identifying one or more attributes associated with the traffic. The method also includes dynamically selecting a load balancing algorithm based on the one or more attributes in accordance with a load balancing scheme. The method further includes performing load balancing on the traffic in accordance with the load balancing algorithm and communicating the traffic from a first network element to a second network element in accordance with the load balancing.
According to certain embodiments, a method by a network device includes receiving a handshake message for a traffic flow from a Software-Defined Wide-Area Network (SDWAN) and determining, from a traffic policy, whether the traffic flow should be symmetrical. In response to determining from the traffic policy that the traffic flow should be symmetrical, the method further includes performing a flow lookup on the traffic flow to determine if the network device originated the traffic flow. In response to determining that the network device did not originate the traffic flow, the method further includes determining a second network device that originated the traffic flow and sending the handshake message for the traffic flow to the second network device in order to maintain symmetry for the traffic flow.
Techniques for managing migrations of QUIC connection session(s) across proxy nodes, data centers, and/or private application nodes are described herein. A global key-value datastore, accessible by proxy nodes and/or application nodes, may store mappings between a first QUIC connection, associated with a proxy node and a client device, on the frontend of the proxy node and a second QUIC connection, associated with the proxy node and an application node, on the backend of the proxy node. With the global key-value datastore being accessible by the proxy nodes, when a proxy node receives a QUIC packet on the front end or the back end, the proxy node may determine where to map this connection to on the opposite end. Additionally, with the global key-value datastore being accessible to the application nodes, when an application node receives a QUIC packet, the application node may determine the client device associated with the connection.
In one embodiment, systems and methods for performing asynchronous local migration of metadata between data stores and asynchronous remote replication of metadata between sites are described. The methods may use various configurations, including 1-to-1, 1-to-N, N-to-1, M-to-N, etc. The method for performing asynchronous local migration at a first site may include pausing critical operation(s) at an old data store, copying metadata from the old data store to a new data store, flagging table(s) in the old data store as complete, and deleting the metadata from the old data store. The method for asynchronous remote replication may include determining that local migration is complete, identifying second metadata from the new data store for which the first site is a primary authority, sending the second metadata to the second site, receiving from the second site third metadata for which the second site is the primary authority, and storing the third metadata.
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
An air mover may be provided. The air mover may comprise an air mover motor shaft, a bearing, a bearing housing, a circuit board, an accelerometer device, a temperature sensing device, and a controller. The air mover motor shaft may be associated with a motor. The bearing housing may support the bearing that supports rotation of the air mover motor shaft. The circuit board may be attached to the bearing housing. The accelerometer device may be disposed on the circuit board. The temperature sensing device may be disposed on the circuit board wherein the temperature sensing device may be located on the circuit board in order to obtain a temperature of the bearing housing. The controller may be disposed on the circuit board and may be operative to control the motor, collect vibration data from the accelerometer device, and collect temperature data from the temperature sensing device.
Techniques for an email-security system to screen emails, extract information from the emails, analyze the information, assign probability scores to the emails, and classify the emails as likely fraudulent or not. The system may analyze emails for users and identify fraudulent emails by analyzing the contents of the emails. The system may evaluate the contents of the emails to determine probability score(s) which may further determine an overall probability score. The system may then classify the email as fraudulent, or not, and may perform actions including blocking the email, allowing the email, flagging the email, etc. In some instances, the screened emails may include legitimate brand domain addresses, names, images, URL(s), and the like. However, the screened emails may contain a reply-to domain address that matches a free email service provider domain. In such instances, the email-security system may assign a probability score indicative that the screened email is fraudulent.
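The screening described above, as an added example (not the patent's code; the sample messages, the free-mail domain list, the urgency terms, the signal weights and the thresholds are constructed): the From and Reply-To domains are compared, a reply-to domain on a free-mail provider that differs from the sending domain is taken as a strong signal, urgency language in the subject and body adds a weaker one, the signals are combined with a noisy-OR into an overall probability, and the mail is blocked, flagged or allowed.

```python
"""Added example: screen an email, extract From/Reply-To and content signals,
combine them into an overall probability and classify.

The sample messages, the free-mail domain list, the urgency terms, the signal
weights and the thresholds are constructed for illustration; the patent does
not specify them."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY_TERMS = ("urgent", "immediately", "wire", "gift card")

# Constructed sample: legitimate brand name and sending domain, but replies
# are steered to a free-mail account.
FRAUD_SAMPLE = b"""From: "Example Corp Billing" <billing@example.com>
Reply-To: example.billing.team@gmail.com
To: ap@victim.test
Subject: Urgent: updated payment instructions

Please wire the outstanding balance immediately to the new account below.
"""

# Constructed sample: same brand, no reply-to redirection, no pressure.
BENIGN_SAMPLE = b"""From: "Example Corp Billing" <billing@example.com>
To: ap@victim.test
Subject: Your monthly statement

Your statement for this month is available in the customer portal.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or "" if absent."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def extract_signals(msg):
    """Each signal is an independent probability that the mail is fraudulent."""
    signals = {}
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain and reply_domain in FREE_MAIL_DOMAINS:
        signals["reply_to_free_mail"] = 0.7
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = sum(term in text for term in URGENCY_TERMS)
    if hits:
        signals["urgency_language"] = min(0.15 * hits, 0.45)
    return signals


def score_email(raw_bytes):
    """Parse, score and classify one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    signals = extract_signals(msg)
    not_fraud = 1.0
    for p in signals.values():          # noisy-OR combination of the signals
        not_fraud *= 1.0 - p
    overall = round(1.0 - not_fraud, 3)
    if overall >= 0.8:
        verdict = "block"
    elif overall >= 0.5:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"signals": signals, "score": overall, "verdict": verdict}


if __name__ == "__main__":
    print(score_email(FRAUD_SAMPLE))
    print(score_email(BENIGN_SAMPLE))
```

On the fraudulent sample the reply-to signal alone (0.7) only reaches the flag band; it is the combination with the urgency language that pushes the score to 0.835 and a block verdict, which is the reason for combining independent signals rather than acting on any one of them.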
According to certain embodiments, a method determines a number of transmitted packets that a first node transmitted to a second node via a link and a number of received packets that the second node received from the first node via the link. The number of transmitted packets and the number of received packets are determined for each interval of a plurality of intervals. The method further comprises determining a plurality of packet loss values. Each packet loss value is associated with a respective interval and is determined based on the number of transmitted packets and the number of received packets associated with the respective interval. The method further comprises determining variability based on the plurality of packet loss values and configuring a value associated with reordering detection based on whether the variability exceeds a threshold.
In one embodiment, a method includes determining an attack tactic risk score for one or more attack tactics based on a dataset of actual loss events and determining an incident risk score for an incident based on the one or more attack tactic risk scores. The method also includes determining a priority value for an asset. The asset is associated with the incident. The method further includes generating an asset risk score for the asset based on the priority value of the asset and the incident risk score.
G06Q 10/0635 - Risk analysis of enterprise or organisation activities
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
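The three scores above carried through numerically, as an added example (the patent does not give formulas; the loss-event dataset, the tactic names, the asset priorities, and the mean-loss normalisation, noisy-OR roll-up and linear priority weighting are this example's own assumptions): tactic risk is derived from a dataset of actual loss events, an incident's risk from the tactics observed in it, and an asset's risk from its priority and the incident's risk.

```python
"""Added example: derive tactic risk scores from a loss-event dataset, roll
them up into an incident risk score, and weight that by asset priority.

The loss events, tactic names, asset priorities and the specific formulas
(mean-loss normalisation, noisy-OR roll-up, linear priority weighting) are
this example's own assumptions; the patent does not specify them."""
from statistics import mean

# Constructed dataset of actual loss events: (attack tactic, loss in USD).
LOSS_EVENTS = [
    ("initial-access", 120_000),
    ("initial-access", 80_000),
    ("credential-access", 480_000),
    ("credential-access", 300_000),
    ("exfiltration", 1_200_000),
    ("discovery", 5_000),
]


def tactic_risk_scores(events):
    """Mean loss per tactic, normalised so the costliest tactic scores 1.0."""
    by_tactic = {}
    for tactic, loss in events:
        by_tactic.setdefault(tactic, []).append(loss)
    means = {t: mean(losses) for t, losses in by_tactic.items()}
    top = max(means.values())
    return {t: round(m / top, 3) for t, m in means.items()}


def incident_risk_score(tactic_scores, observed_tactics):
    """Noisy-OR of the tactics observed in one incident: several moderate
    tactics together raise the score, and a tactic with no loss history
    contributes 0."""
    survive = 1.0
    for tactic in observed_tactics:
        survive *= 1.0 - tactic_scores.get(tactic, 0.0)
    return round(1.0 - survive, 3)


def asset_risk_score(asset_priority, incident_risk, max_priority=5):
    """Scale incident risk by how important the affected asset is (1..max)."""
    if not 1 <= asset_priority <= max_priority:
        raise ValueError("priority out of range")
    return round(asset_priority / max_priority * incident_risk, 3)


def rank_assets(tactic_scores, incidents):
    """incidents: list of (asset, priority, observed tactics). Returns
    (asset, risk) pairs ordered by descending risk so the costliest exposure
    is handled first."""
    scored = []
    for asset, priority, tactics in incidents:
        inc = incident_risk_score(tactic_scores, tactics)
        scored.append((asset, asset_risk_score(priority, inc)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    scores = tactic_risk_scores(LOSS_EVENTS)
    print(scores)
    print(rank_assets(scores, [
        ("db-primary", 5, ["credential-access", "exfiltration"]),
        ("build-runner", 4, ["initial-access", "credential-access"]),
        ("kiosk", 1, ["discovery"]),
    ]))
```

The normalisation against the costliest tactic is a deliberate choice: it keeps every tactic score in [0, 1] so the noisy-OR is well defined, and it means the scores shift automatically as new loss events arrive, which is the "based on a dataset of actual loss events" property the abstract describes.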
According to one or more embodiments of the disclosure, an example method herein may comprise: providing a core technology stack for an extensibility platform; managing a plurality of solution packages within the extensibility platform that are separated from the core technology stack, each of the plurality of solution packages defining a data model, access to that data model, and dependencies for that data model, wherein the plurality of solution packages have one or more globally shared core solution packages; operating according to one or more tenant-based solution packages within the plurality of solution packages within the extensibility platform, the one or more tenant-based solution packages defining corresponding tenant-specified models and configurations for soft-coded customized extension points for the extensibility platform; and managing multi-tenancy of an observability data ingestion pipeline of the extensibility platform according to the plurality of solution packages including the soft-coded customized extension points for the extensibility platform.
In one embodiment, a method includes receiving a historical text document that is associated with a breach event. The method also includes searching for an attack tactic within the historical text document using a machine learning algorithm. The method further includes generating a probability that the attack tactic exists within the historical text document, comparing the probability to a predetermined probability threshold, and categorizing the historical text document based on the probability.
In one embodiment, a method comprises: accessing information from an extensibility platform configured to monitor observability data from a monitored computer network topology; receiving a query regarding the information, the query formatted according to a unified query language for the extensibility platform; determining which specific requested data from the information to return in response to the query based on a fetch block within the query; determining one or more bounding blocks within the query that establish one or more boundaries on the query, wherein one of the one or more bounding blocks comprises a topology boundary block to define a specific topology of the monitored computer network topology, wherein the specific topology identifies one or more entities within the monitored computer network topology to which the query is specifically directed; and returning results of the query as defined by the requested data to return and limited to the specific topology.
H04L 41/0893 - Assignment of logical groups to network elements
H04L 41/122 - Discovery or management of network topologies of virtualised topologies, e.g. software-defined networks [SDN] or network function virtualisation [NFV]
96.
SYSTEMS AND METHODS FOR DERIVING APPLICATION SECURITY SIGNALS FROM APPLICATION PERFORMANCE DATA
In one embodiment, a method includes receiving, by a network component, application performance data. The application performance data is associated with one or more applications. The method also includes determining to transform, by the network component, the application performance data into application security data, generating, by the network component, a baseline for the application security data, and detecting, by the network component, an anomaly in the baseline. The method further includes determining, by the network component, a potential security threat based on the anomaly.
In an example method, a presence of a component with a cryptographic identity is detected. The component is detected by an authenticator component capable of authenticating a component. The example method further includes determining an authentication status of the detected component. The authentication status of the component is added to an extensible list of volatile, runtime data. Further, the authenticator component signs the extensible list with a private key to create a group identity. Finally, the authenticator component sends the group identity to a next higher component in an authentication hierarchy.
G06F 21/44 - Program or device authentication
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
98.
DYNAMIC HASHING FRAMEWORK FOR SYNCHRONIZATION BETWEEN NETWORK TELEMETRY PRODUCERS AND CONSUMERS
A telemetry producer sends a hello message to a telemetry registration interface. The interface returns a hello message. The producer sends a producer protocol suite to the interface. An acceptance of the protocol suite and an indication that the protocol suite has been forwarded to a telemetry registration controller are returned. The producer sends a hello message to the controller. The controller returns an acknowledgement and a producer identifier (ID). A second hello message and the producer ID are sent from the producer to the controller. The controller returns a second acknowledgement and the producer ID, indicating the producer registration. A telemetry consumer sends the controller a hello message. An acknowledgement with a consumer identifier (ID) is returned to the consumer. The consumer sends a consumer request packet to the controller. The controller sends the producer ID and an indication of consumer registration to the consumer.
H04L 43/065 - Generation of reports related to network devices
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks, involving control of end-device applications over a network
Techniques for automating traffic optimizations for egress traffic of an application orchestration system that is being sent over a network to a remote service. In examples, the techniques may include receiving, at a controller of the network, an egress traffic definition associated with egress traffic of an application hosted on the application orchestration system, the egress traffic definition indicating that the egress traffic is to be sent to the remote service. Based at least in part on the egress traffic definition, the controller may determine a networking path through the network or outside of the network that is optimized for sending the egress traffic to the remote service. The controller may also cause the egress traffic to be sent to the remote service via the optimized networking path.
H04L 45/302 - Route determination based on requested quality of service [QoS]
G06F 9/455 - Arrangements for executing specific programs; Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
This disclosure describes dynamically monitoring the flow of traffic along a path that can include points across different cloud service provider networks/regions and/or different private networks. Flow monitoring may be started in response to different triggering events. For instance, flow monitoring of network traffic along one or more network paths may be started in response to performance metrics associated with an application within the multi-cloud environment, current/projected network conditions associated with one or more networks within the multi-cloud environment, and the like. In other examples, a user may specify when to perform flow monitoring for one or more network paths.
H04L 43/20 - Arrangements for monitoring or testing data switching networks, the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
H04L 43/08 - Monitoring or testing based on specific metrics, e.g. quality of service [QoS], energy consumption or environmental parameters
H04L 43/0817 - Monitoring or testing based on specific metrics, e.g. quality of service [QoS], energy consumption or environmental parameters, by checking availability by checking functioning
H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level