H04L2212/00

TRANSPARENT TCP CONNECTION TUNNELING WITH IP PACKET FILTERING

Described embodiments provide systems and methods for tunneling data packets to a server. A computing device can include a processor and a network interface. The processor is configured to execute a network service, a local application, and a virtual private network (VPN) application. The network service can receive a packet from the local application for transmission via a VPN tunnel, the packet comprising a source address of the computing device and a source port associated with the local application. The network service can determine that the packet matches a first tunnel filter. Responsive to the determination that the packet matches the first tunnel filter, the network service can encapsulate the packet with a header comprising a localhost destination address and a destination port associated with the VPN application. The network service can provide the encapsulated packet to the VPN application.

Cloud based router with policy enforcement

In some implementations, a system is provided. The system includes a plurality of access points. The plurality of access points receive data packets from a plurality of client devices. The system also includes a plurality of tunnel devices coupled to the plurality of access points. The plurality of tunnel devices generate encapsulated packets based on the data packets received by the plurality of access points. The system further includes a plurality of packet forwarding components coupled to the plurality of tunnel devices via a first set of tunnels. The plurality of packet forwarding components receive the encapsulated packets from the plurality of tunnel devices and forward the encapsulated packets. The system further includes a plurality of network access controllers coupled to the plurality of packet forwarding components via a second set of tunnels. The plurality of network access controllers enforce one or more network policies for the plurality of client devices as the plurality of client devices move between the plurality of access points.

IN-SITU FLOW DETECTION-BASED PACKET PROCESSING METHOD AND APPARATUS
20230045227 · 2023-02-09

Embodiments of this application describe an in-situ flow detection-based packet processing method. After receiving a first packet encapsulated by using a first bearer protocol, a first node may obtain, based on the first packet, a second packet encapsulated by using a second bearer protocol. A first packet header of the first packet includes first in-situ flow detection information, and a packet header of the second packet also includes the first in-situ flow detection information. It can be learned that, when re-encapsulating the first packet by using the second bearer protocol, the first node does not remove the first in-situ flow detection information, but adds the first in-situ flow detection information to the packet encapsulated by using the second bearer protocol. Therefore, even if the first bearer protocol and the second bearer protocol are deployed in a detection domain, the first in-situ flow detection information is not removed due to re-encapsulation of the packet, and may be transmitted across the entire detection domain.

Efficient protection for a virtual private network
11558354 · 2023-01-17

Techniques are described to provide efficient protection for a virtual private network. In one example, a method is provided that includes obtaining a packet at a first network entity; determining that the packet is a packet type of an authentication type; determining whether authentication content for the packet matches known good criteria for the packet type of the authentication type; based on determining that the authentication content for the packet does not match the known good criteria, performing at least one of dropping the packet and generating an alarm; and based on determining that the authentication content for the packet does match the known good criteria, processing the packet at the first network entity or forwarding the packet toward a second network entity.

Scalable and programmable mechanism for targeted in-situ OAM implementation in segment routing networks

The present technology provides a system and method for implementing targeted collection of in-situ Operation, Administration and Maintenance (iOAM) data from select nodes in a Segment Routing domain. The selection is programmable and is implemented by setting an iOAM bit in the function arguments field of a Segment Identifier. In this way, only the nodes associated with local Segment Identifiers (the Function field of a Segment Identifier) carrying an iOAM argument bit are directed to generate iOAM data. The iOAM data generated by target nodes may be stored in a TLV field of the segment routing header. The Segment Routing packet is then decapsulated at a Segment Routing egress node, and the header information with the collected iOAM data is sent to a controller entity for further processing, analysis and/or monitoring.

METHOD, A COMPUTER PROGRAM PRODUCT, AND A CARRIER FOR INDICATING ONE-WAY LATENCY IN A DATA NETWORK
20180006919 · 2018-01-04

Disclosed herein is a method, a computer program product, and a carrier for indicating one-way latency in a data network (N) between a first node (A) and a second node (B), wherein the data network (N) lacks continuous clock synchronization, comprising: a pre-synchronisation step, a measuring step, a post-synchronisation step, an interpolation step, and generating a latency profile. The present invention also relates to a computer program product incorporating the method, a carrier comprising the computer program product, and a method for indicating server functionality based on the first aspect.

METHODS AND SYSTEMS FOR ANCHORING HYPERTEXT TRANSFER PROTOCOL (HTTP) LEVEL SERVICES IN AN INFORMATION CENTRIC NETWORK (ICN)
20180007116 · 2018-01-04

Methods and systems anchor hypertext transfer protocol (HTTP) level communication in an information-centric networking (ICN) network. Both content requests and responses to servers within the ICN network and to servers located outside the ICN network, in an IP network for example, are disclosed. Communication may take place at the HTTP level between two IP-capable-only devices, one connected to an ICN network while the other is connected either to an ICN or an IP network. The disclosed namespace 200 enables IP-based HTTP communication within the ICN network. An ICN network attachment point (NAP) or border gateway (BGW) may receive an HTTP request packet and encapsulate the received HTTP request packet. The ICN NAP/BGW may then forward the HTTP request packet towards the local ICN network servers. The HTTP request packet may be published to a named content identifier (CID) that may be determined through a hash function of a fully qualified domain name (FQDN). The ICN NAP may receive an HTTP response packet for a subscribed information item, which may be included in a named rCID. The named rCID may be determined through a hash function of a uniform resource locator (URL). Instead of using the hash of a URL and an FQDN directly, a separate scope identifier, which may be a root identifier, may be chosen for HTTP-over-ICN communication within the overall ICN namespace. The scope identifier may include a particular structure for the ICN namespace being built up. Using a root identifier may allow HTTP-over-ICN communication to be separated from other ICN communication, for example for operational or migration reasons. Under the root scope identifier, there may be two sub-scope identifiers: a first sub-scope identifier (I) for communication within the ICN network and a second sub-scope identifier (O) for communication to IP addresses outside the ICN network. The ICN may be based on the PURSUIT publish-subscribe architecture, on the Named Data Networking (NDN) project, or the like.

VXLAN Packet Transmission
20180013687 · 2018-01-11

In an example, an SDN controller may acquire a path maximum transmission unit (PMTU) of a Virtual Extensible Local Area Network (VXLAN) tunnel from a source VXLAN tunnel end point (VTEP) to a destination VTEP of a data packet, and may transmit a control entry to the source VTEP such that each individual VXLAN packet has a length that does not exceed the packet length corresponding to the PMTU.

CONFIGURATION DATA DISTRIBUTION METHOD AND APPARATUS
20180013625 · 2018-01-11

The present disclosure provides a configuration data distribution method, including: determining an encapsulation manner of configuration data according to identifiers of Optical Network Units (ONUs) and a preset corresponding relationship between the identifiers of the ONUs and the encapsulation manner of the configuration data of the ONUs; and encapsulating the configuration data according to the determined encapsulation manner, and distributing the encapsulated configuration data to corresponding gateways according to the encapsulation manner of the ONUs or the identifiers of the ONUs.

Packet processing method and network device in hybrid access network

A packet processing method and a network device in a hybrid access network. The method comprises sending, by a first network device, a first data packet in a first sending window to a second network device by using a first tunnel. In response to receiving a first acknowledgement response sent by the second network device, increasing, by the first network device, a size of the first sending window based on a first proportion. In response to not receiving, within a first predetermined time, the first acknowledgement response, decreasing the size of the first sending window based on a second proportion; and in response to determining that the size of the first sending window is greater than or equal to a first threshold, sending a second data packet to a second receiving window of the second network device by using a second sending window.