Patent classifications
H04L12/46
Protection against attacks in internet of things networks
Disclosed herein are embodiments of systems, methods, and products comprising a computing device, which allows in-network and network-border protection for Internet of things (IoT) devices by securely partitioning network space and defining service-based access to IoT devices. The disclosed segmented attack prevention system for IoT networks (SAPSIN) segments the IoT network into two virtual networks: a service network and a control network; and defines access control rules for each virtual network. In the service network, SAPSIN utilizes a service-based approach to control device access, allowing only configured protocols, applications, network ports, or address groups to enter or exit the network. In the control network, SAPSIN provides the access control rules by defining a threshold for the number of configuration requests within a predetermined time. As a result, SAPSIN protects IoT devices against intrusion and misuse, without the need for device-specific software or device-specific security hardening.
Simple ethernet header compression
Various examples and schemes pertaining to simple Ethernet header compression are described. A first network node transmits a first packet with a full header to a second network node. The first network node determines whether a header compression context for the full header has been established by the second network node. In response to determining that the header compression context for the full header has been established by the second network node, the first network node transmits a second packet with a compressed header to the second network node. In response to determining that the header compression context for the full header has not been established by the second network node, the first network node transmits the second packet or a third packet with the full header to the second network node.
DYNAMIC CELLULAR CONNECTIVITY BETWEEN THE HYPERVISORS AND VIRTUAL MACHINES
Systems, methods, and computer-readable media for requesting a cellular IP address by initiating a call with a modem, establishing data packet network connectivity with the cellular IP address, assigning the cellular IP address to a virtual L2-bridge interface, wherein the virtual L2-bridge interface includes a MAC address, mapping a MAC address of a virtual machine with the MAC address of the virtual L2-bridge interface, detecting a change in the cellular IP address, and updating the virtual L2-bridge interface with a different cellular IP address while maintaining the data packet network connectivity.
Dynamic establishment and termination of VPN tunnels between spokes
To reduce the overhead generated by maintaining a full mesh network with static spoke-to-spoke tunnels while providing the efficiency of spoke-to-spoke communication, BGP configuration is automated to provide for dynamic establishment of spoke-to-spoke tunnels. A virtual Internet Protocol (VIP) address is assigned to each spoke in the network. Spokes advertise their VIP address to the hub for communication to the other spokes. A spoke sets the route next hop in its routing table for a remote spoke to the VIP of the remote spoke. Establishment of a tunnel between spokes is initiated after detecting that data is to be communicated between the spokes, while the data is temporarily routed through the hub. Data is routed directly to the receiving spoke through the dynamic tunnel once the tunnel is active. Tunnels between spokes are terminated dynamically after a period of inactivity to reduce the overhead caused by continuous maintenance of dynamic tunnels with low use.
Peripheral device enabling virtualized computing service extensions
A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.
Radio access networks
Among other things, a communication system comprising at least one remote unit and a controller is described. The at least one remote unit wirelessly exchanges radio frequency (RF) signals with mobile devices. Each RF signal comprises information destined for, or originating from, at least one of the mobile devices. The at least two remote units and the controller communicate baseband data corresponding to the information across an intermediate network. The at least two remote units each implement at least some physical layer processing for an air interface used to wirelessly communicate with the subscriber devices. The controller is configured to perform at least some receive signal processing using combined data resulting from combining at least some of the baseband data communicated from more than one of the at least two remote units.
Device provisioning
A computing device may receive, based on a scan of a bar code associated with a device, information associated with the bar code. The information may be used to retrieve a dedicated activation service set identifier (SSID), which may be sent to one or more gateways. A first gateway may indicate that it is connected to the device using the dedicated activation SSID, and the device may be connected to the first gateway using a specific SSID that is different from the dedicated activation SSID.
Systems and methods for automatic device detection, device management, and remote assistance
In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of the network regulator take over some network services from a router, and automatically install the network regulator as the gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distributes device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.
SYSTEM AND METHOD FOR OFFERING NETWORK SLICE AS A SERVICE
A method includes defining a first specification for a first network slice, determining a first equilibrium value for a first time period for the first network slice offering, receiving a first bid price for the first network slice for the first time period from a first customer, comparing the first equilibrium value to the first bid price; and providing services using the network slice to the customer during the time period in accordance with the first specification and the bid price if the bid price meets or exceeds the equilibrium value.
Datapath for multiple tenants
A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can include service-providing stages such as NAT and firewall. The gateway caches the results of previous packet operations and reapplies those results to subsequent packets that meet certain criteria. For packets that do not have an applicable or valid result from previous packet processing operations, the gateway datapath daemon executes the pipelined packet processing stages, records a set of data from each stage of the pipeline, and synthesizes those data into a cache entry for subsequent packets.