H04L61/59

Privileged remote access for OT/IOT/IIOT/ICS infrastructure

Systems and methods for privileged remote access to Operational Technology (OT)/Internet of Things (IOT)/Industrial IOT (IIOT)/Industrial Control System (ICS) infrastructure, implemented in a cloud-based system. The method includes steps of, responsive to determining a user can access an application associated with the OT/IOT/IIOT/ICS infrastructure, determining the user's security and access policies and creating a session for the user; establishing a secure connection to the application via a lightweight connector connected to the application; and brokering a connection between the user's device and the application through the lightweight connector, enabling the user to interact with the application for the OT/IOT/IIOT/ICS infrastructure, based on the user's security and access policies.

Method and apparatuses for avoiding paging storm during ARP broadcast for ethernet type PDU

Methods and apparatuses for acquisition of an Address Resolution Protocol (ARP)/IPv6 neighbour cache at a user plane function (UPF) entity without performing deep packet inspection for every packet that traverses a network. The ARP broadcast/Internet Control Message Protocol version 6 (ICMPv6) neighbour solicitation multicast from any Ethernet client (a user equipment (UE) or clients behind the UE or clients in a data network (DN)) is responded to by the UPF entity itself, by looking up the ARP/IPv6 Neighbour cache built in the UPF entity, irrespective of whether the UPF entity acts as the core Ethernet switch or whether the core Ethernet switch is in the DN. The solution is simplified to always intercept ARP at the UPF entity and respond to it based on a local ARP/IPv6 Neighbour cache.

Selective ARP proxy

Some embodiments provide a method for proxying ARP requests. At a managed forwarding element (MFE) that executes on a host computer at a first site to implement a distributed router, together with at least one additional MFE at the first site, the method receives, from a router at a remote second site, an ARP request for an IP address associated with a logical switch that spans both sites and to which both the distributed router and the remote router connect. The method checks whether a table of IP addresses of data compute nodes (DCNs) that use the distributed router as their default gateway contains the requested IP address. When the IP address is in the table, the method proxies the request at the host computer; when it is not, the MFE does not proxy the request.
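
A worked responder for the two abstracts above, the UPF that answers ARP/ICMPv6 Neighbor Solicitation from its local neighbour cache and the selective proxy that answers only for addresses in its gateway table. This is an added example, not code from either patent. Both variants reduce to the same rule: answer from a local table, stay silent for addresses not in it, so the real owner (or another proxy) answers instead. The class and builder names, MAC/IP values and table contents are assumptions constructed for the demonstration; the frame layouts follow RFC 826 and RFC 4861, including hop-limit 255 and checksum validation on incoming solicitations and the all-nodes reply to a DAD probe.

```python
import ipaddress
import struct
from typing import Optional

ETH_ARP, ETH_IPV6 = 0x0806, 0x86DD
ARP_REQUEST, ARP_REPLY = 1, 2
ICMPV6, ND_NS, ND_NA = 58, 135, 136
ALL_NODES = ipaddress.IPv6Address("ff02::1").packed


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """RFC 1071 checksum over the IPv6 pseudo-header plus the ICMPv6 message.
    Run over a message that already carries a correct checksum it returns 0."""
    data = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class NeighbourProxy:
    """Answers ARP requests / Neighbor Solicitations for addresses in its table
    (the UPF neighbour cache, or the gateway table) and ignores everything else."""

    def __init__(self, own_mac: bytes):
        self.own_mac = own_mac
        self.table: dict[str, bytes] = {}          # IP -> MAC we are allowed to answer for

    def add(self, ip: str, mac: bytes) -> None:
        self.table[str(ipaddress.ip_address(ip))] = mac

    def handle(self, frame: bytes) -> Optional[bytes]:
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETH_ARP and len(frame) >= 42:
            return self._arp(frame)
        if ethertype == ETH_IPV6 and len(frame) >= 54:
            return self._nd(frame)
        return None

    def _arp(self, frame: bytes) -> Optional[bytes]:
        htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
            return None
        mac = self.table.get(str(ipaddress.IPv4Address(tpa)))
        if mac is None:                              # not in the table: do not proxy
            return None
        # Unicast reply to the requester; the ARP sender fields carry the proxied
        # host's MAC so the requester learns the real layer-2 address.
        eth = sha + self.own_mac + struct.pack("!H", ETH_ARP)
        return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY, mac, tpa, sha, spa)

    def _nd(self, frame: bytes) -> Optional[bytes]:
        plen, nxt, hlim = struct.unpack("!4xHBB", frame[14:22])
        src, dst, icmp = frame[22:38], frame[38:54], frame[54:54 + plen]
        # RFC 4861: a valid NS arrives with hop limit 255 and a correct checksum
        if nxt != ICMPV6 or hlim != 255 or len(icmp) != plen or plen < 24:
            return None
        if icmp[0] != ND_NS or icmpv6_checksum(src, dst, icmp) != 0:
            return None
        target = icmp[8:24]
        mac = self.table.get(str(ipaddress.IPv6Address(target)))
        if mac is None:
            return None
        dad = src == bytes(16)                       # unspecified source = DAD probe
        reply_dst = ALL_NODES if dad else src        # DAD answers go to all-nodes
        flags = 0x20000000 if dad else 0x60000000    # O only, or S|O for a solicited unicast NS
        na = struct.pack("!BBHI16s", ND_NA, 0, 0, flags, target) + struct.pack("!BB6s", 2, 1, mac)
        na = na[:2] + struct.pack("!H", icmpv6_checksum(target, reply_dst, na)) + na[4:]
        ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(na), ICMPV6, 255, target, reply_dst)
        dst_mac = b"\x33\x33" + reply_dst[12:] if dad else frame[6:12]
        return dst_mac + self.own_mac + struct.pack("!H", ETH_IPV6) + ip6 + na


# Constructed request frames standing in for what a client puts on the wire.
def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    spa, tpa = ipaddress.IPv4Address(sender_ip).packed, ipaddress.IPv4Address(target_ip).packed
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_ARP)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST, sender_mac, spa, bytes(6), tpa)


def build_ns(sender_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    src, tgt = ipaddress.IPv6Address(src_ip).packed, ipaddress.IPv6Address(target_ip).packed
    dst = bytes.fromhex("ff0200000000000000000001ff") + tgt[13:]     # solicited-node multicast
    ns = struct.pack("!BBHI16s", ND_NS, 0, 0, 0, tgt)
    if src != bytes(16):                                              # no SLLA option on a DAD probe
        ns += struct.pack("!BB6s", 1, 1, sender_mac)
    ns = ns[:2] + struct.pack("!H", icmpv6_checksum(src, dst, ns)) + ns[4:]
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(ns), ICMPV6, 255, src, dst)
    return b"\x33\x33" + dst[12:] + sender_mac + struct.pack("!H", ETH_IPV6) + ip6 + ns
```

A request for an address the proxy does not hold returns None rather than a reply, which is the selective behaviour of the second abstract; whether the table is populated from observed traffic (the UPF cache) or from the set of DCNs whose default gateway is the distributed router is a policy decision outside this code.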

AUTOMATIC IPV6/IPV4 FALLBACK APPROACH IN PROXY NETWORKS
20230087327 · 2023-03-23 ·

A method for an automated IPv6/IPv4 fallback approach in proxy networks is presented. In some embodiments, the method comprises receiving, at a proxy server, a request from a client executing on a client computer for access to a target computer; determining identification information of the client; determining an address pair including an IPv6 address and an IPv4 address of the proxy server; assigning the address pair to the identification information of the client; establishing a first communications connection between the client computer and the proxy server using one of the IP addresses in the address pair, and a second communications connection between the proxy server and the target computer using one of the IP addresses in the address pair; and facilitating a network packet flow between the client computer and the target computer over the first and second communications connections.
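
The fallback logic from the abstract above, written out as an added example that is not the applicant's code. The proxy binds each client identifier to one of its IPv6/IPv4 address pairs so the client keeps a stable egress identity, serves the client leg over whichever family the client arrived on, and opens the target leg IPv6-first, falling back to IPv4 when the IPv6 connect fails and remembering the working family per target so later flows skip the failed attempt. The AddressPair/Target/Flow names, the injected connect() callable, the simulated reachability set and all addresses are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class AddressPair:          # one IPv6 + one IPv4 address owned by the proxy
    v6: str
    v4: str


@dataclass(frozen=True)
class Target:               # a target computer, possibly reachable over one family only
    name: str
    v6: Optional[str]
    v4: Optional[str]


@dataclass(frozen=True)
class Flow:
    client_id: str
    client_leg: str         # proxy address the client is connected to
    egress: str             # proxy address used toward the target
    remote: str             # target address actually connected
    family: int             # 6 or 4
    fell_back: bool         # True when a first attempt failed before this one succeeded


class FallbackProxy:
    def __init__(self, pairs: Iterable[AddressPair], connect: Callable[[str, str], bool]):
        self._pairs = list(pairs)
        self._connect = connect                       # connect(local_addr, remote_addr) -> bool
        self._assigned: dict[str, AddressPair] = {}   # client identification -> address pair
        self._working: dict[str, int] = {}            # target name -> last family that worked

    def assign(self, client_id: str) -> AddressPair:
        """Sticky assignment: a client keeps its pair for the life of the proxy."""
        if client_id not in self._assigned:
            self._assigned[client_id] = self._pairs[len(self._assigned) % len(self._pairs)]
        return self._assigned[client_id]

    def open_flow(self, client_id: str, client_addr: str, target: Target) -> Flow:
        pair = self.assign(client_id)
        # First leg: the client reached us over one family; serve it on that address.
        client_leg = pair.v6 if ipaddress.ip_address(client_addr).version == 6 else pair.v4
        # Second leg: IPv6 first unless this target previously needed IPv4.
        order = [4, 6] if self._working.get(target.name) == 4 else [6, 4]
        failed_first = False
        for family in order:
            egress, remote = (pair.v6, target.v6) if family == 6 else (pair.v4, target.v4)
            if remote is None:                         # target has no address of this family
                continue
            if self._connect(egress, remote):
                self._working[target.name] = family
                return Flow(client_id, client_leg, egress, remote, family, failed_first)
            failed_first = True
        raise ConnectionError(f"{target.name}: unreachable over IPv6 and IPv4")


def simulated_connect(reachable: set[str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for a TCP connect: succeeds iff the remote is in the set."""
    return lambda local, remote: remote in reachable
```

In a real deployment the connect callable would be a socket connect with a per-attempt timeout, and the per-target memory should expire so that a target whose IPv6 path recovers is tried over IPv6 again.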

Apparatus, method, and computer program

An apparatus comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to: receive (1400) a request to create a context for a migrating node and optionally at least one child node of the migrating node; allocate (1402) addresses to the migrating node and optionally the at least one child node; and send (1404) the allocated addresses for the migrating node and optionally the at least one child node, prior to the migrating node migrating from a source to a target.

HOST ROUTING WITH VIRTUAL MACHINE MOBILITY
20230132016 · 2023-04-27 ·

A method for supporting virtual machine (VM) mobility between network devices connected to a network includes: selecting a first type of route for interconnecting VMs that are connected to the network devices; and adding a feature of a second type of route to the first type of route to enable the network devices to execute proxy address resolution protocol (ARP) for transmitting network traffic between the VMs without requiring each of the network devices to store a physical address of each of the VMs in respective ones of a network address table.

HANDLING MULTIPATH IPSEC IN NAT ENVIRONMENT

Some embodiments provide a method for establishing a virtual private network (VPN) session between a first gateway router located at a first site and a second gateway router located at a second site, where the VPN session exchanges packets along multiple paths between the two sites. The method is performed at the second gateway router. It determines whether any intermediate network address translation (NAT) device processes packets on the multiple paths between the sites during the VPN session. Upon determining that no NAT device does, the method builds a source port pool at the second site for sending probe packets during the VPN session (1) to identify the multiple paths and (2) to collect metrics for each identified path. Upon determining that a NAT device does, the method instead uses the destination port identifiers carried in the probe packets sent by the first gateway as the source port identifiers for its own probe packets, again (1) to identify the multiple paths and (2) to collect metrics for each identified path.
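
Why the second gateway must mirror the first gateway's destination ports once a NAT is in the way, shown as an added simulation that is not the applicant's code. A NAT with address-and-port-dependent filtering only admits an inbound packet whose remote ip:port matches an outbound packet it already translated; probes the second gateway sends from freely chosen pool ports therefore never reach the first gateway, while probes whose source port equals the destination port the first gateway used do. The Packet/Napt/SecondGateway names, the `claimed` tuple standing in for IKE NAT-D style detection, the port numbers and the addresses are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    claimed: tuple          # (ip, port) the sender believes it used; stand-in for NAT detection


class Napt:
    """Port translator with address-and-port-dependent filtering: inbound is admitted
    only if an outbound packet already went to exactly that remote ip:port from the
    mapped public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next = first_port
        self._map: dict[tuple[str, int], int] = {}          # inside (ip, port) -> public port
        self._allowed: set[tuple[int, str, int]] = set()    # (public port, remote ip, remote port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._map:
            self._map[key], self._next = self._next, self._next + 1
        pub = self._map[key]
        self._allowed.add((pub, pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, pub, pkt.dst_ip, pkt.dst_port, pkt.claimed)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst_port, pkt.src_ip, pkt.src_port) not in self._allowed:
            return None                                      # filtered by the NAT
        inside = next(k for k, v in self._map.items() if v == pkt.dst_port)
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.claimed)


class SecondGateway:
    """Gateway at the second site: learns paths from the first gateway's probes and
    picks the source port for the probe it sends back on each path."""

    def __init__(self, ip: str, own_pool: range):
        self.ip = ip
        self._pool = list(own_pool)                           # used only when no NAT is detected
        self.paths: list[tuple[str, int, int]] = []           # (peer ip, peer port, my source port)

    def on_probe(self, pkt: Packet, mirror_when_natted: bool = True) -> Packet:
        natted = (pkt.src_ip, pkt.src_port) != pkt.claimed    # observed tuple differs from claimed one
        if natted and mirror_when_natted:
            src_port = pkt.dst_port                           # reuse the peer's destination port as ours
        else:
            src_port = self._pool.pop(0)                      # no NAT: choose from the own pool
        self.paths.append((pkt.src_ip, pkt.src_port, src_port))
        return Packet(self.ip, src_port, pkt.src_ip, pkt.src_port, (self.ip, src_port))


def run(with_nat: bool, mirror_when_natted: bool = True, n_paths: int = 3) -> list[int]:
    """Send one probe per path from the first gateway, answer from the second, and return
    the second gateway's source ports whose probes actually reached the first gateway."""
    a_ip, b_ip = "10.1.0.1", "198.51.100.2"                  # constructed addresses
    nat = Napt("203.0.113.1") if with_nat else None
    b = SecondGateway(b_ip, range(6000, 6000 + n_paths))
    reached = []
    for i in range(n_paths):                                 # path i is distinguished by its ports
        probe = Packet(a_ip, 4500 + i, b_ip, 4500 + i, (a_ip, 4500 + i))
        if nat:
            probe = nat.outbound(probe)
        reply = b.on_probe(probe, mirror_when_natted)
        if nat:
            reply = nat.inbound(reply)
        if reply is not None and (reply.dst_ip, reply.dst_port) == (a_ip, 4500 + i):
            reached.append(reply.src_port)
    return reached
```

run(with_nat=True) returns the mirrored ports and every probe arrives; run(with_nat=True, mirror_when_natted=False) returns an empty list because the NAT drops all of them; run(with_nat=False) shows the own-pool ports reaching the first gateway directly.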

Methods and apparatuses for source discovery

A disclosed method is performed at a first boundary node bordering a BIER domain. The method includes receiving a message associated with a source and group for multicast from outside the BIER domain. The method further includes generating an encapsulated message based on the message, a metric, and a first proxy address of the first boundary node. The method also includes forwarding the encapsulated message through the BIER domain to at least one second boundary node bordering the BIER domain and connectable to the first boundary node. The first boundary node additionally triggers the at least one second boundary node to decapsulate the encapsulated message for forwarding out of the BIER domain and to store a record including the source, the group, the metric representing the cost from the first boundary node to the source, and the first proxy address.