H04L2101/663

Networking as a Service
20210352044 · 2021-11-11

A method performed by a computing system includes receiving a first request from a first pod being executed on the computing system, responding to the first request with an Internet Protocol (IP) address and a first port range, receiving a second request from a second pod being executed on the computing system, and responding to the second request with the same IP address and a second port range that is different from the first port range. The method further includes, with a networking service implemented within the kernel, processing network traffic between external entities and the first and second pods by updating the source and destination IP addresses and ports of the packets of that traffic.
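
The shared-IP, per-pod port-range scheme described above, as an added example (not code from the patent). Pods get the same node IP and disjoint port ranges; a stand-in for the in-kernel networking service then rewrites the source on egress and the destination on ingress so that each pod is reachable only through its own range. The pod-internal addresses, the range size and the allocatable port space are assumptions.

```python
"""Shared node IP plus a disjoint port range per pod, with an in-kernel-style NAT.
Added example for this listing, not code from the patent; the pod-internal
addresses, range size and port space are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int  # inclusive

    def __contains__(self, port: int) -> bool:
        return self.lo <= port <= self.hi


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NodeNetworking:
    """Answers pod address requests: the same IP every time, a fresh port range per pod."""
    shared_ip: str
    range_size: int = 1024        # assumed ports per pod
    first_port: int = 10000       # assumed allocatable space
    last_port: int = 60000
    ranges: dict[str, PortRange] = field(default_factory=dict)

    def request_address(self, pod: str) -> tuple[str, PortRange]:
        if pod in self.ranges:                       # a repeated request is idempotent
            return self.shared_ip, self.ranges[pod]
        lo = self.first_port
        for start in sorted(r.lo for r in self.ranges.values()):
            if start >= lo + self.range_size:        # gap found (ranges are uniform)
                break
            lo = start + self.range_size
        hi = lo + self.range_size - 1
        if hi > self.last_port:
            raise RuntimeError("port space exhausted")
        self.ranges[pod] = PortRange(lo, hi)
        return self.shared_ip, self.ranges[pod]

    def owner_of(self, port: int) -> str | None:
        return next((p for p, r in self.ranges.items() if port in r), None)


class KernelNat:
    """Stands in for the kernel networking service: rewrites the source on egress and
    the destination on ingress so every pod appears as shared_ip inside its own range."""

    def __init__(self, node: NodeNetworking):
        self.node = node
        self.pod_ip: dict[str, str] = {}               # pod -> internal address (assumed)
        self.egress: dict[tuple[str, int], int] = {}   # (pod, pod_port) -> shared port
        self.ingress: dict[int, tuple[str, int]] = {}  # shared port -> (pod, pod_port)

    def attach(self, pod: str, pod_ip: str) -> None:
        self.pod_ip[pod] = pod_ip

    def outbound(self, pkt: Packet) -> Packet:
        pod = next((p for p, ip in self.pod_ip.items() if ip == pkt.src_ip), None)
        if pod is None or pod not in self.node.ranges:
            raise ValueError("packet from a pod without an allocated range")
        key = (pod, pkt.src_port)
        if key not in self.egress:
            rng = self.node.ranges[pod]
            free = next((p for p in range(rng.lo, rng.hi + 1) if p not in self.ingress), None)
            if free is None:
                raise RuntimeError(f"{pod}: port range exhausted")
            self.egress[key] = free                  # SNAT stays inside the pod's own range
            self.ingress[free] = key
        return Packet(self.node.shared_ip, self.egress[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Packet | None:
        if pkt.dst_ip != self.node.shared_ip:
            return None
        if pkt.dst_port in self.ingress:             # reply to a translated flow
            pod, port = self.ingress[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, self.pod_ip[pod], port)
        pod = self.node.owner_of(pkt.dst_port)       # unsolicited: a pod listening in its range
        if pod is None or pod not in self.pod_ip:
            return None                              # outside every range: drop
        return Packet(pkt.src_ip, pkt.src_port, self.pod_ip[pod], pkt.dst_port)
```

The point to check in any such implementation is the last branch of `inbound`: a destination port that falls outside every allocated range must be dropped rather than delivered to a default pod, otherwise the range boundaries give no isolation.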

Adaptive tracing with a reduced number of probes to avoid firewall issues
11784904 · 2023-10-10

Techniques for using trace with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include determining a number of hops between a source, namely the user device, and a destination, including determining metrics from the source to the destination; performing a trace to all intermediate nodes between the source and the destination, including determining metrics from the source to each of the intermediate nodes; and combining and presenting the metrics from the source to the destination and from the source to each of the intermediate nodes.
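
Combining the source-to-hop and source-to-destination measurements into one per-hop view, as an added example that is not the patent's method. The probe results are constructed; the rule of clamping a negative per-segment delta to zero is an assumption that reflects routers answering TTL-expired probes more slowly than the hop behind them.

```python
"""Combining source->intermediate-hop and source->destination probe results into a
per-hop view. Added example, not the patent's method: the probe data is constructed
and the clamping rule for slow-replying routers is an assumption."""
from __future__ import annotations
from dataclasses import dataclass, field
from statistics import median


@dataclass
class HopProbe:
    ttl: int                 # hop index from the source; the destination has the largest
    target: str              # responder address, or "*" when nothing answered
    sent: int
    rtts_ms: list[float] = field(default_factory=list)   # one entry per answered probe


def hop_count(probes: list[HopProbe]) -> int:
    return max(p.ttl for p in probes)


def combine(probes: list[HopProbe]) -> list[dict]:
    """Per-hop rows. segment_ms is the median RTT increase over the previous answering
    hop, clamped at zero: routers often deprioritise TTL-expired replies and answer
    slower than the hop after them, which is not a negative link delay."""
    rows, prev = [], 0.0
    for p in sorted(probes, key=lambda p: p.ttl):
        loss = 100.0 * (1 - len(p.rtts_ms) / p.sent)
        if p.rtts_ms:
            med = median(p.rtts_ms)
            seg, prev = max(0.0, med - prev), med
        else:
            med = seg = None      # silent hop: a firewall drops the probe or the reply
        rows.append({"ttl": p.ttl, "target": p.target, "median_ms": med,
                     "segment_ms": seg, "loss_pct": round(loss, 1)})
    return rows


def worst_segment(rows: list[dict]) -> dict:
    """The hop whose segment adds the most latency, ignoring silent hops."""
    return max((r for r in rows if r["segment_ms"] is not None),
               key=lambda r: r["segment_ms"])


# Constructed probe results: three probes per TTL, hop 3 never answers.
SAMPLE = [
    HopProbe(1, "192.0.2.1", 3, [1.0, 1.2, 0.9]),
    HopProbe(2, "198.51.100.2", 3, [5.1, 4.9, 5.0]),
    HopProbe(3, "*", 3, []),
    HopProbe(4, "203.0.113.8", 3, [25.0, 24.0, 26.0]),   # the destination
]

if __name__ == "__main__":
    for row in combine(SAMPLE):
        print(row)
```

A silent hop is reported with its loss but no segment latency, and the next answering hop's segment is measured against the last hop that did answer, so a firewall that drops probes does not silently distort the rest of the table.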

Transport layer security extension for hybrid information centric networking

Presented herein is a solution in which a Producer that provides Transport Layer Security (TLS) over a hybrid Information Centric Network (hICN) announces two different hICN prefixes or namespaces. One hICN prefix is for performing a TLS handshake (also called a handshake prefix or handshake namespace) and another hICN prefix (also called a secure prefix or secure namespace) is for publishing content in a secure and confidential manner to a Consumer that correctly performs a TLS handshake. While the handshake prefix is public and shared by multiple Consumers, a secure prefix is uniquely assigned to a Consumer after the TLS handshake completes successfully. Content published under the secure prefix is encrypted with the encryption key established during the TLS handshake. Names used in the secure namespace are private, meaning only the Consumer and Producer that performed the handshake can infer any information about the content by looking at the name.
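
The handshake namespace versus the per-consumer secure namespace, as an added example that is not the patent's design. The TLS handshake is replaced by a constructed shared secret, the HMAC-based key derivation and keystream cipher stand in for TLS's key schedule and record protection, and the prefix strings are assumptions; what the example shows is that the secure prefix and every name under it are derived from the handshake secret, so an observer who sees the public handshake prefix learns nothing from the secure names.

```python
"""Handshake namespace versus per-consumer secure namespace. Added example, not the
patent's design: the TLS handshake is replaced by a constructed shared secret, the
key derivation and the HMAC-keystream cipher are stand-ins for TLS's key schedule
and record protection, and the prefix strings are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import secrets

HANDSHAKE_PREFIX = "/example/tls-handshake"   # public: every consumer sends Interests here


def derive(secret: bytes, label: bytes) -> bytes:
    """One-block HKDF-style expand over HMAC-SHA256 (stand-in for TLS key derivation)."""
    return hmac.new(secret, label + b"\x01", hashlib.sha256).digest()


class SecureNamespace:
    """State that both parties derive from the handshake secret."""
    def __init__(self, handshake_secret: bytes):
        self.name_key = derive(handshake_secret, b"hicn name")
        self.enc_key = derive(handshake_secret, b"hicn enc")
        self.mac_key = derive(handshake_secret, b"hicn mac")
        # Unique per consumer and unguessable without the secret.
        self.prefix = "/" + derive(handshake_secret, b"hicn prefix").hex()[:16]

    def private_name(self, content_name: str) -> str:
        """Name under the secure prefix that reveals nothing about content_name."""
        tag = hmac.new(self.name_key, content_name.encode(), hashlib.sha256).hexdigest()[:24]
        return f"{self.prefix}/{tag}"

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out = b""
        for ctr in range((n + 31) // 32):
            out += hmac.new(self.enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def seal(self, content_name: str, data: bytes) -> bytes:
        """Encrypt-then-MAC; the name is bound into the tag so content cannot be swapped."""
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self.mac_key, content_name.encode() + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, content_name: str, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        expect = hmac.new(self.mac_key, content_name.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("content authentication failed")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


class Producer:
    def __init__(self, store: dict[str, bytes]):
        self.store = store                                  # plaintext content by logical name
        self.sessions: dict[str, SecureNamespace] = {}      # secure prefix -> namespace

    def handshake(self) -> bytes:
        """Stands in for the TLS handshake carried under HANDSHAKE_PREFIX."""
        secret = secrets.token_bytes(32)
        ns = SecureNamespace(secret)
        self.sessions[ns.prefix] = ns
        return secret

    def serve(self, name: str) -> bytes | None:
        """Answer an Interest; only names under an issued secure prefix resolve."""
        parts = name.split("/")
        ns = self.sessions.get("/" + parts[1]) if len(parts) >= 3 else None
        if ns is None:
            return None
        for content_name, data in self.store.items():
            if ns.private_name(content_name) == name:
                return ns.seal(content_name, data)
        return None


class Consumer:
    def __init__(self, producer: Producer):
        self.ns = SecureNamespace(producer.handshake())     # same secret as the producer
        self.producer = producer

    def fetch(self, content_name: str) -> bytes | None:
        blob = self.producer.serve(self.ns.private_name(content_name))
        return None if blob is None else self.ns.open(content_name, blob)
```

Two consumers requesting the same content get different names under different prefixes, and content sealed for one consumer fails authentication under the other's keys.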

SYSTEM AND METHOD FOR FAULT RECOVERY IN SPRAY BASED NETWORKS
20230283543 · 2023-09-07

Embodiments of the present disclosure include systems and methods for fault detection and recovery over a network. A value of a set of values is stored in packets transmitted during a data transaction between a source and destination. The value corresponds to ports used by one or more switches in the path between the source and destination. The destination includes the value in an acknowledgement packet. Logic circuits in the source device track packets and corresponding values. When a status indicates a particular packet has not received an acknowledgement, the value for the packet may be removed from the set of values. Particular ports that may be congested or down may be detected and the packets re-routed using the logic circuits in the source device.
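
The source-side tracking described above, as an added example rather than the patent's logic: each packet carries a value from the set, the destination echoes it in the acknowledgement, and the source removes a value once packets sent with it go unacknowledged, re-spraying those packets over the values that remain. The path values, the tick-based timeout and the loss threshold are assumptions, and the fabric is a constructed stand-in for the switches.

```python
"""Source-side path tracking for a packet-spraying fabric. Added example, not the
patent's logic: path values, timeout units and the loss threshold are assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int
    path_value: int      # identifies the switch ports used along the path
    payload: bytes


@dataclass(frozen=True)
class Ack:
    seq: int
    path_value: int      # the destination echoes the value from the data packet


class SpraySource:
    def __init__(self, path_values, timeout: int, loss_threshold: int = 2):
        self.active = list(path_values)          # the trusted set of values
        self.timeout = timeout                   # in ticks (assumed unit)
        self.loss_threshold = loss_threshold     # consecutive misses before removal
        self.outstanding: dict[int, tuple[int, int, bytes]] = {}  # seq -> (value, sent, payload)
        self.misses = {v: 0 for v in path_values}
        self.seq = 0
        self.clock = 0
        self._rr = 0

    def _pick(self, avoid: int | None = None) -> int:
        """Round-robin over the active set, skipping the value that just failed."""
        for _ in range(len(self.active)):
            v = self.active[self._rr % len(self.active)]
            self._rr += 1
            if v != avoid or len(self.active) == 1:
                return v
        return self.active[0]

    def send(self, payload: bytes, avoid: int | None = None) -> Packet:
        pkt = Packet(self.seq, self._pick(avoid), payload)
        self.outstanding[pkt.seq] = (pkt.path_value, self.clock, payload)
        self.seq += 1
        return pkt

    def on_ack(self, ack: Ack) -> None:
        if self.outstanding.pop(ack.seq, None) is not None:
            self.misses[ack.path_value] = 0      # the path proved itself again

    def tick(self) -> list[Packet]:
        """Advance one tick; time out packets, demote their path, re-send elsewhere."""
        self.clock += 1
        resent = []
        for seq, (value, sent, payload) in list(self.outstanding.items()):
            if self.clock - sent < self.timeout:
                continue
            del self.outstanding[seq]
            self.misses[value] += 1
            if (self.misses[value] >= self.loss_threshold
                    and value in self.active and len(self.active) > 1):
                self.active.remove(value)        # congested or down: stop spraying on it
            resent.append(self.send(payload, avoid=value))
        return resent


class Fabric:
    """Constructed stand-in for the switches: drops anything routed over a down value."""
    def __init__(self, down: set[int]):
        self.down = down

    def deliver(self, pkt: Packet) -> Ack | None:
        if pkt.path_value in self.down:
            return None
        return Ack(pkt.seq, pkt.path_value)      # destination copies the value into the ACK


def run_scenario(values, down, n, timeout=2, threshold=1) -> dict:
    src, fabric = SpraySource(values, timeout, threshold), Fabric(set(down))
    delivered, resends = set(), 0

    def push(pkt: Packet) -> None:
        nonlocal resends
        ack = fabric.deliver(pkt)
        if ack is not None:
            delivered.add(pkt.payload)
            src.on_ack(ack)

    for i in range(n):
        push(src.send(f"msg{i}".encode()))
    for _ in range(timeout * 2):
        for pkt in src.tick():
            resends += 1
            push(pkt)
    return {"active": src.active, "delivered": len(delivered), "resends": resends,
            "pending": len(src.outstanding)}
```

The source never removes its last active value, so a burst of timeouts that hits every path degrades to retransmission rather than to a source with nowhere to send.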

Maintaining processing core affinity for fragmented packets in network devices
11621914 · 2023-04-04

Techniques are disclosed for maintaining processing unit core affinity for fragmented packets. In one example, a service physical interface card (PIC) implementing a service plane of a network device receives fragmented and/or non-fragmented packet data for a traffic flow. The service PIC comprises at least one processing unit comprising multiple cores. A routing engine operating in a control plane of the network device defines one or more core groups comprising a subset of the cores. The routing engine assigns the traffic flow to a core group and a forwarding engine operating in a forwarding plane of the network device forwards the packet data for the traffic flow to the assigned core group. A core of the assigned core group applies a network service to the fragmented and/or non-fragmented packet data for the traffic flow, and the forwarding engine forwards the packet data for the traffic flow toward a destination.
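
A control-plane/forwarding-plane split that keeps every fragment of a datagram on one core, as an added example that is not the patent's implementation. The core-group layout, the hash and the simplified reassembly check are assumptions. The security-relevant detail is the selection key: non-first fragments carry no transport ports, so a forwarding engine that hashes the 5-tuple scatters them across cores and the core holding the last fragment never learns the ports; keying the flow on (src, dst, proto) and the core on (src, dst, proto, ip_id) keeps the state together.

```python
"""Core-group assignment that keeps every fragment of a datagram on one core.
Added example, not the patent's implementation; the core-group layout, hash and
the simplified reassembly check are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class IPv4Packet:
    src: str
    dst: str
    proto: int
    ip_id: int
    frag_offset: int
    more_frags: bool
    sport: int | None = None     # L4 ports exist only in the first fragment
    dport: int | None = None


def _h(*fields) -> int:
    data = "|".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


class RoutingEngine:
    """Control plane: defines core groups and pins each flow to one of them."""
    def __init__(self, core_groups: dict[str, list[int]]):
        self.core_groups = core_groups
        self.flow_table: dict[tuple[str, str, int], str] = {}

    def assign(self, pkt: IPv4Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto)        # fields present in every fragment
        if key not in self.flow_table:
            names = sorted(self.core_groups)
            self.flow_table[key] = names[_h(*key) % len(names)]
        return self.flow_table[key]


class ForwardingEngine:
    """Forwarding plane: steers the packet to a core of the flow's group. Selecting
    by (src, dst, proto, ip_id) rather than the 5-tuple keeps all fragments of one
    datagram together, because non-first fragments carry no ports."""
    def __init__(self, re: RoutingEngine):
        self.re = re

    def select_core(self, pkt: IPv4Packet) -> int:
        group = self.re.core_groups[self.re.assign(pkt)]
        return group[_h(pkt.src, pkt.dst, pkt.proto, pkt.ip_id) % len(group)]


class ServiceCore:
    """One core of a group; holds the reassembly state for the datagrams it owns."""
    def __init__(self, core_id: int):
        self.core_id = core_id
        self.partial: dict[tuple, dict] = {}

    def apply_service(self, pkt: IPv4Packet) -> tuple[str, tuple | None]:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        st = self.partial.setdefault(key, {"first": False, "last": False, "ports": None})
        if pkt.frag_offset == 0:
            st["first"], st["ports"] = True, (pkt.sport, pkt.dport)
        if not pkt.more_frags:
            st["last"] = True
        # Simplified completeness test; real code also checks offset contiguity.
        if st["first"] and st["last"]:
            del self.partial[key]
            return "forward", st["ports"]          # ports known: the service can decide
        return "hold", None


def process(fragments: list[IPv4Packet], fe: ForwardingEngine,
            cores: dict[int, ServiceCore]) -> list[tuple[int, tuple]]:
    """(core_id, decision) per fragment, in arrival order."""
    out = []
    for f in fragments:
        core = fe.select_core(f)
        out.append((core, cores[core].apply_service(f)))
    return out


# Constructed input: one UDP datagram split into three fragments.
FRAGMENTS = [
    IPv4Packet("10.1.1.5", "10.2.2.9", 17, 0x4A3B, 0, True, 5060, 5060),
    IPv4Packet("10.1.1.5", "10.2.2.9", 17, 0x4A3B, 185, True),
    IPv4Packet("10.1.1.5", "10.2.2.9", 17, 0x4A3B, 370, False),
]
```

Out-of-order arrival still works: whichever fragment completes the datagram is handled by the same core that saw the first fragment, so the ports are always available when the decision is made.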

Disaster recovery for cloud-based monitoring of internet access
20230262030 · 2023-08-17

Systems and methods include receiving one or more disaster recovery configurations; identifying activation of a disaster recovery mode; and controlling traffic flow such that the traffic is any of blocked to all destinations, allowed to all destinations, and allowed to preselected destinations based on the one or more received disaster recovery configurations.

SYSTEMS, METHODS, AND APPARATUS TO MONITOR MOBILE INTERNET ACTIVITY
20220417340 · 2022-12-29

Systems, methods, and apparatus to monitor mobile Internet activity are disclosed. An example apparatus includes at least one memory, machine-readable instructions, and programmable circuitry to execute the machine-readable instructions to at least assign a first port of a proxy server to a mobile device associated with a panelist, cause transmission of configuration data to the mobile device to instruct the mobile device to transmit future requests to the first port of the proxy server, obtain a first request for media on the first port originating from the mobile device, and, after a determination that the first request originated from an Internet Protocol (IP) address within an IP address range representative of devices on a cellular network, service the first request, generate a data association, request the media from an Internet media provider identified in the first request, and cause transmission of the media to the mobile device.

Application identification

This disclosure describes techniques for identifying an application (e.g., accessing application) that is attempting to access a resource. In some examples, access may be managed by an authentication service. When an access request is received at the authentication service from an application on a client device, the authentication service may ask the application to communicate with an identification agent on the client device. The identification agent may perform one or more tests to discover the identity of the application. In some cases, the identification agent may send the identity of the application to the authentication service. The authentication service may then allow or deny access by the accessing application to the resource based at least in part on the discovered identity.

PROVISIONING OF ENCRYPTED DNS SERVICES

There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.

Network connection management
11799910 · 2023-10-24

A network apparatus receives a first message relating to a transport layer security (TLS) handshake process for the initialization phase of a Quick User Datagram Protocol (UDP) Internet Connections (QUIC) connection from a client computing device toward a target computing device, wherein the first message of the TLS handshake process comprises at least a connection identifier. The network apparatus generates a second message relating to the TLS handshake process in response to the first message, wherein the cipher suite value of the second message is set to an invalid cipher suite value for the client computing device, that is, a cipher suite value unsupported by the client computing device, and sends the second message to the client computing device to cause the client computing device to close the QUIC connection.
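
The exchange at the TLS handshake-message level, as an added example that is not the patent's code: parse the ClientHello the client placed in its Initial CRYPTO frame, then answer with a ServerHello whose cipher_suite the client never offered. RFC 8446 section 4.1.3 requires a TLS 1.3 client to abort with an illegal_parameter alert in that case, and RFC 9001 maps the alert to a QUIC CONNECTION_CLOSE. The QUIC packet layer and Initial-key protection are left out; the sample ClientHello is constructed by the block itself, and the choice of fallback suite is an assumption.

```python
"""Handshake-message level sketch of the QUIC/TLS reset: parse the ClientHello,
answer with a ServerHello selecting a cipher suite the client did not offer.
Added example, not the patent's code; QUIC packet framing and Initial-key
protection are omitted, and the fallback suite choice is an assumption."""
import os
import struct

TLS13_SUITES = (0x1301, 0x1302, 0x1303)   # AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305
TLS_NULL_WITH_NULL_NULL = 0x0000


def build_client_hello(cipher_suites, session_id=b"", extensions=b"") -> bytes:
    """Constructs a minimal ClientHello handshake message (sample input for this example)."""
    body = b"\x03\x03" + bytes(32)                       # legacy_version, random (zeroed sample)
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # legacy_compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg: bytes) -> dict:
    """Returns legacy_session_id and the offered cipher suites; rejects truncated input."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or len(body) < 35:
        raise ValueError("truncated ClientHello")
    off = 34                                              # skip legacy_version + random
    sid_len = body[off]
    off += 1
    session_id = body[off:off + sid_len]
    off += sid_len
    if off + 2 > len(body):
        raise ValueError("truncated cipher_suites length")
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    return {"session_id": session_id, "cipher_suites": suites}


def choose_unsupported_suite(offered) -> int:
    """A value the client will reject: a real TLS 1.3 suite it did not offer, else
    the null suite, which no TLS 1.3 client offers (assumed fallback)."""
    for suite in TLS13_SUITES:
        if suite not in offered:
            return suite
    return TLS_NULL_WITH_NULL_NULL


def build_server_hello(session_id: bytes, suite: int) -> bytes:
    body = b"\x03\x03" + os.urandom(32)
    body += bytes([len(session_id)]) + session_id         # echo legacy_session_id
    body += struct.pack("!H", suite) + b"\x00"            # cipher_suite, compression null
    sv = struct.pack("!HH", 0x002B, 2) + b"\x03\x04"      # supported_versions = TLS 1.3
    body += struct.pack("!H", len(sv)) + sv
    return b"\x02" + len(body).to_bytes(3, "big") + body


def reset_response(client_hello: bytes) -> bytes:
    """What the network apparatus sends back in place of the real server's answer."""
    ch = parse_client_hello(client_hello)
    return build_server_hello(ch["session_id"], choose_unsupported_suite(ch["cipher_suites"]))


def client_would_abort(client_hello: bytes, server_hello: bytes) -> bool:
    """Client-side rule from RFC 8446 4.1.3: a cipher_suite not in its offer is fatal."""
    offered = parse_client_hello(client_hello)["cipher_suites"]
    body = server_hello[4:]
    sid_len = body[34]
    chosen = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return chosen not in offered
```

Two practical points follow from this. First, any on-path device can read the ClientHello because QUIC Initial packets are protected with keys derived from the Destination Connection ID carried in the packet itself (RFC 9001 section 5.2), which is why the apparatus needs only the connection identifier and no secret material. Second, the forged ServerHello must reach the client before the genuine one; once the real handshake progresses, a later spoofed message is discarded.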