H04L61/251

HORIZONTAL SCALING FOR A SOFTWARE DEFINED WIDE AREA NETWORK (SD-WAN)

Disclosed are systems, apparatuses, methods, and computer-readable media for managing networks. According to at least one example, a method is provided for connecting to a network controller across different regions. The method includes identifying a first connection with a network orchestrator during establishment of a second connection with the network orchestrator from a network controller; establishing a sibling session that links the second connection and the first connection at a control plane; inserting a sibling data message that identifies the sibling session into control messages sent; receiving a message from the network orchestrator over the second connection, the message including an address of the network controller associated with the second connection; and transmitting the second address of the network controller over the first connection to the network orchestrator.

Adaptive source address rewrite

According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations. The operations comprise receiving a packet comprising a source address; selecting an uplink for the packet, the uplink selected from a plurality of uplinks based on an uplink selection policy; determining whether the source address is valid on the selected uplink; determining whether to keep or re-write the source address based on whether the source address is valid on the selected uplink; keeping the source address when the source address is valid on the selected uplink or re-writing the source address when the source address is not valid on the selected uplink; and sending the packet to the selected uplink.

METHOD FOR CONVERTING NETWORK PACKETS AND CIRCUIT SYSTEM
20230107822 · 2023-04-06

A method for converting network packets and a circuit system are provided. The circuit system uses firmware therein to record tables for implementing packet conversion between two types of networks (IPv4 and IPv6). In the method, a process of mapping of address and port using encapsulation (MAP-E) or a process of mapping of address and port using translation (MAP-T) is selected according to the IPv4 packet routing requirement to implement an uplink and a downlink packet conversion process. A content table stores an IPv6 packet header after the MAP-E or MAP-T process. A control table is referred to for controlling the fields to be updated when adding the IPv6 packet header. A forwarding mapping rule table is referred to for determining whether to convert a destination IP address of an uplink IPv6 packet, or both a source IP address and a destination IP address of a downlink IPv4 packet.

SYSTEMS AND METHODS FOR PROCESSING MULTIPLE IP PACKET TYPES IN A NETWORK ENVIRONMENT
20230105602 · 2023-04-06

Systems, devices, and methods are discussed for receiving a first packet type and outputting a second packet type based upon knowledge of a source device and a recipient device.

FEEDBACK MECHANISM TO ENFORCE A SECURITY POLICY
20220321533 · 2022-10-06

Techniques for providing a feedback mechanism to enforce a security policy are provided. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes receiving a security policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name based on a feedback mechanism that utilizes network logs (e.g., implemented using a learning process for FQDN to IP address mappings) to facilitate more effective security policy enforcement. For example, a security device (e.g., a firewall or other network gateway) can perform a learning process for FQDN to IP address mappings that utilizes past successful sessions or trusted information sources to build an authorized IP range, and the security policy can then be enriched with the layer 3 information (e.g., IP addresses) matching the FQDN address objects (e.g., web addresses, such as Uniform Resource Locators). As such, the security device can then be configured to block all connection attempts at layer 3 (e.g., using IP addresses), which improves network security by reducing the opportunity for attackers to, for example, send/download malicious traffic prior to enforcement based on layer 7 information.

Systems and methods for advertising internet protocol (IP) version 4 network layer routing information with an IP version 6 Next Hop address
11658934 · 2023-05-23

A first network device associated with a network may establish an Internet Protocol version 6 Multiprotocol BGP session with a second network device associated with the network. The first network device and the second network device are both capable of forwarding both IPv4 and IPv6 packets with only an IPv6 address configured on the interface of each device. The first network device may exchange Multiprotocol Reachability capability with the second network device for the corresponding 2-tuple Address Family Identifier/Subsequent Address Family Identifier. The first network device may advertise Internet Protocol version 4 network layer reachability information and may advertise Internet Protocol version 6 network layer reachability information with IPv6 extended next hop encoding, using the Internet Assigned Numbers Authority assigned capability code value 5, to the second network device.
