Patent classifications
H04L69/22
ONBOARDING VIRTUALIZED NETWORK DEVICES TO CLOUD-BASED NETWORK ASSURANCE SYSTEM
Techniques are described for onboarding virtualized network devices to a cloud-based WAN assurance system. For example, a virtualized network device receives, from a network device conductor that manages a plurality of network devices, a registration code for registering with the cloud-based WAN assurance system. In response to receiving the registration code and instructions, the network device sends the registration code to the cloud-based WAN assurance system. The cloud-based WAN assurance system verifies the network device based on the registration code, and assigns a distinct (e.g., unique) device identifier to the network device, and sends the distinct device identifier and a secret key to the network device. The network device uses the secret key to create a new secure connection with the cloud-based WAN assurance system, for streaming telemetry data to the WAN assurance system. The cloud-based WAN assurance system analyzes the network device telemetry data to provide WAN assurance.
User-plane apparatus for edge computing
There is disclosed in one example a radio access network (RAN) user plane processing entity (UPPE) for a mobile data network, including: a hardware platform; a virtual switch to operate on the hardware platform; a network interface to communicatively couple to a local server; and a software defined networking controller, including a radio access network (RAN) control plane (CP) sniffer, and configured to: receive a control plane traffic offloading rule via a northbound interface, the traffic offloading rule configured to offload a class of traffic to the local server; operate the RAN CP sniffer to build a user-plane flow control message according to the offloading rule; and send the flow control message to the virtual switch.
Processing a flow at the egress node in segment routing
This disclosure describes techniques that include determining, at an egress node in an SRm6 network, how to process a packet that may arrive without a segment routing header and/or a compressed routing header. In one example, this disclosure describes a method that includes receiving, by an egress node of a segment routing network, segment routing advertisements; configuring, by the egress node and based on the segment routing advertisements, information enabling the egress node to recognize encapsulated packets arriving at the egress node without a compressed routing header; receiving, by the egress node, a packet that does not have a compressed routing header; and de-encapsulating, by the egress node and based on the stored information, the packet.
Packet forwarding method and network device
A packet forwarding method includes obtaining, by a network device, a first tunnel identifier of a first packet, and, when the first tunnel identifier is a first value, forwarding, by the network device, the first packet based on a first routing group in a virtual routing and forwarding (VRF) table. The first routing group consists of one or more local routes, and each next-hop outbound interface of the one or more local routes is a local outbound interface. The network device forwards the packet based on a local routing group including only a local route in the VRF table such that the packet is forwarded to a local virtual machine for processing, and is not forwarded to another tunnel endpoint device during packet forwarding.
Communication system and communication method for reporting compromised state in one-way transmission
A communication system and a communication method for reporting a compromised state in one-way transmission are provided. The communication method includes: receiving a packet by a first port; coupling an error checking circuit to the first port, wherein the error checking circuit checks a header of the packet; coupling a first unidirectional coupler to the first port and the error checking circuit, and coupling a second unidirectional coupler to the first port and the error checking circuit; in response to an error being in the header, disabling the first unidirectional coupler and the data inspection circuit and enabling the second unidirectional coupler by the error checking circuit; receiving the packet from the communication device by a receiving server; and in response to determining the received packet is incomplete by the receiving server, outputting the compromised state by the receiving server.
ADAPTIVE SAMPLING OF SECURITY POLICY VIOLATIONS
Techniques to facilitate adaptive sampling of security policy violations are disclosed herein. In at least one implementation, a variable sampling rate for sampling a fixed amount of security policy violation reports per unit time based on a violation rate is determined. The variable sampling rate is applied to sample the fixed amount of the security policy violation reports per unit time. When the violation rate exceeds a threshold, the variable sampling rate is switched to a fixed sampling rate for sampling a variable amount of the security policy violation reports per unit time. The fixed sampling rate is applied to sample the variable amount of the security policy violation reports per unit time.
Use Of IP Networks For Routing Of Cellular Data Packets
A cellular data communication network includes a gNodeB connected to a UPF by an IP network. A first translation module translates GFP packets into IP packets transmitted over the IP network. A second translation module translates the IP packets back into IP packets and forwards the IP packets to the UPF. A PFCP proxy snoops information and provides it to a BGP module that programs the translation modules and a routing module to perform routing of packets in bypass of the UPF. The BGP module may program the first translation module with an SR policy associated with a binding SID that is bound to an interface to the gNodeB. The SR policy may invoke translation according to a function. The routing module may be programmed to embed GTP information in an SRH header that is used by the first translation module. The BGP module may also distribute routing and VPN updates.