H04L2101/663

DATAPATH FOR MULTIPLE TENANTS
20220255882 · 2022-08-11

A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can also include service-providing stages such as NAT and firewall. The gateway caches the result of previous packet operations and reapplies that result to subsequent packets that meet certain criteria. For packets that do not have an applicable or valid result from previous packet-processing operations, the gateway datapath daemon executes the pipelined packet-processing stages, records a set of data from each stage of the pipeline, and synthesizes those data into a cache entry for subsequent packets.

MANAGING NETWORK CONNECTED DEVICES

Methods, systems, and computer program products for managing Internet of Things (IoT) network-connected devices.

DEPLOYMENT OF A CUSTOM ADDRESS TO A REMOTELY MANAGED COMPUTATIONAL INSTANCE

An example embodiment may include a computational instance and a computing device within a remote network management platform. The computing device may be configured to: receive, from a client device of the managed network, a request to redirect, to a second URL, future requests addressed to a first URL; provide, to the client device, instructions to generate a certificate that binds an identity of the entity that operates the managed network to the first URL; receive, from the client device, the certificate; store the certificate and a corresponding cryptographic key; and generate a mapping between the first URL and the second URL. The computational instance may be configured to, in response to receiving a content request referencing the destination, generate a content response containing content from the destination, where any hyperlinks to the second URL in the content are replaced with hyperlinks to the first URL.

NETWORK CONNECTION METHOD AND NETWORK DEVICE USING NETWORK CONNECTION METHOD
20220256000 · 2022-08-11

A network connection method is provided. The network connection method includes: transmitting a detection instruction in a preset format to a second network device to instruct the second network device to query second network address information conforming to a standard of the detection instruction according to the protocol identification information; receiving the second network address information fed back by the second network device according to the first network address information; and connecting to the second network device according to the second network address information. According to the network connection method in the present application, network address information of other network devices can be obtained by sending only a unidirectional detection instruction, even when those network devices are unknown to the first network device, so that these network devices can be conveniently connected through a network application.

Smart filtering of frames to improve low-power time
11409351 · 2022-08-09

Some implementations of the disclosure are directed to a media access controller (MAC) of a mobile satellite terminal that may autonomously determine whether or not to wake up a software processor of the mobile satellite terminal depending on information contained in a packet received from a user device. The MAC may receive a frame contained in a packet transmitted by a user device to the mobile satellite terminal; automatically determine whether to accept or drop the frame by applying one or more programmed filters to the frame; if the frame is accepted, store the frame in the memory and cause a power controller to power on the software processor to process the stored frame; and if the frame is not accepted, drop the frame without causing the power controller to power on the software processor.

SYSTEMS AND METHODS FOR UTILIZING SEGMENT ROUTING OVER AN INTERNET PROTOCOL DATA PLANE FOR LATENCY METRICS REDUCTION

A device may provide path data identifying a primary path and one or more alternate paths for segment routing traffic in the network, and may receive performance data indicating a performance degradation in the primary path. The device may determine that the performance data satisfies a first threshold, and may request, based on the performance data satisfying the first threshold, alternate path performance data. The device may receive the alternate path performance data based on the request, and may compare the alternate path performance data for the one or more alternate paths. The device may select a particular alternate path, of the one or more alternate paths, based on comparing the alternate path performance data for the one or more alternate paths, and may trigger, based on the performance data satisfying a second threshold, a failover of the traffic from the primary path and to the particular alternate path.

Adaptive tracing with a reduced number of probes to avoid firewall issues
20220247657 · 2022-08-04

Techniques for using trace with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include determining a number of hops between a source, which is the user device, and a destination, including determining metrics from the source to the destination; performing a trace to all intermediate nodes between the source and the destination, including determining metrics from the source to each of the intermediate nodes; and combining and presenting the metrics from the source to the destination and from the source to each of the intermediate nodes.

Dynamic exclusion of RDMA-based shared memory communication based on performance-related data

Shared memory communication is facilitated between systems of a computing environment capable of communicating over a network using transmission control protocol/Internet protocol (TCP/IP). The network includes a network path between one system and another system of the computing environment, where the network path passes through one or more routers of the network. The facilitating includes obtaining performance-related data for shared memory communication of the one system with the other system across the network path using a remote direct memory access (RDMA) protocol. Based on the performance-related data, the facilitating includes dynamically determining whether to use the RDMA protocol for shared memory communication of the one system with the other system across the network path, rather than the TCP/IP protocol.

APPLICATION IDENTIFICATION

This disclosure describes techniques for identifying an application (e.g., accessing application) that is attempting to access a resource. In some examples, access may be managed by an authentication service. When an access request is received at the authentication service from an application on a client device, the authentication service may ask the application to communicate with an identification agent on the client device. The identification agent may perform one or more tests to discover the identity of the application. In some cases, the identification agent may send the identity of the application to the authentication service. The authentication service may then allow or deny access by the accessing application to the resource based at least in part on the discovered identity.

Privacy and security enabled domain name system with optional zero-touch provisioning

There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.