Patent classifications
H04L61/2557
MOBILE EDGE COMPUTING WITH LOW LATENCY TRAFFIC SEGREGATION WITHIN A PDN USING DEDICATED BEARERS
Presented herein are embodiments that provide mobile edge computing (MEC) with low latency traffic segregation within a packet data network (PDN) using dedicated bearers. Techniques are provided that are performed at an edge user plane entity and a control plane entity to coordinate the directing of low latency traffic over a dedicated bearer broken out at the edge, and to communicate normal latency traffic over a default bearer that is centrally broken out.
SYSTEMS AND METHODS FOR APPLICATION LEVEL FAULT INJECTION FOR PARALLEL TESTS
This application relates generally to automated systems and methods for identifier propagation across uniform resource locator requests. In an embodiment, a system includes at least one processor operatively coupled with a datastore, the at least one processor configured to receive, from a user device, a current rule identifier appended to a request component uniform resource locator. The at least one processor is further configured to retrieve, from the datastore, a rule definition associated with the current rule identifier, wherein the rule definition comprises a rule condition and a rule consequence. The at least one processor is further configured to execute the rule consequence in response to determining that the rule condition is satisfied.
SECURE AND SEAMLESS REMOTE ACCESS TO ENTERPRISE APPLICATIONS WITH ZERO USER INTERVENTION
In secure and seamless remote access to enterprise applications with zero user intervention, a first set of policies is generated at a controller based on a user role. A user device associated with the user role is in an enterprise network. The first set of policies is pushed to the security agent in the user device associated with a user, an enterprise server, and a secure remote access gateway from the controller. Upon determining that the user device moves to a remote network, a secure connection is initiated by the security agent from the user device to the secure remote access gateway. Upon determining by the controller that the user is authenticated for the secure connection, a second set of policies is generated by the controller for the user device, the enterprise server and the secure remote access gateway. The second set of policies is pushed to the devices.
Method and system for sending a message through a secure connection
The method and system enable secure forwarding of a message from a first computer to a second computer via an intermediate computer in a telecommunication network. A message is formed in the first computer or in a computer that is served by the first computer; in the latter case, the message is sent to the first computer. In the first computer, a secure message is then formed by giving the message a unique identity and a destination address. The message is sent from the first computer to the intermediate computer, after which the destination address and the unique identity are used to find an address to the second computer. The current destination address is substituted with the found address to the second computer, and the unique identity is substituted with another unique identity. Then the message is forwarded to the second computer.
Network address translation and service aware rule generation
A method for generating a security policy for a network includes classifying a sample of network flows into at least one flow type selected from a group including a service flow, mirror flow, network address translation flow, and arbitrary flow; grouping the network flows based on flow type and one or more of an associated service port, source port, and destination port. Network security rules for the network are automatically generated based on the groups of network flows. The network security rules may further be transformed into a security policy and configuration files.
Method for virtual machine to access physical server in cloud computing system, apparatus, and system
A method for a virtual machine to access a physical server in a cloud computing system is disclosed. A cloud platform allocates, to the service deployed on the physical server, a publishing IP address and a publishing port and sends a NAT rule to an access network element of the virtual machine. When receiving a service access request for accessing the service, the access network element modifies, according to the NAT rule, a destination address of the service access request into the IP address and the port that are of the physical server, and routes the modified service access request to the physical server, so that the virtual machine can access the service on the physical server without knowing a real IP address and port of the physical server.
End-to-end multipath TCP through network gateways
The disclosed systems and methods provide end-to-end multipath TCP (MPTCP) through a network gateway. The method includes detecting an MPTCP subflow having a first IP address as a source address and a second IP address as a destination address, wherein none of the gateways is the source or the destination of the MPTCP subflow; associating a third IP address with the MPTCP subflow; and advertising, to at least one endpoint of the MPTCP subflow, the third IP address.
Stateless Protocol Translation
Some aspects of the methods and systems presented relate to performing stateless address translation between IPv4-capable devices and IPv6-capable networks and devices. Stateless address translation may form a new IPv6 address by combining the IPv4 address of a device with an IPv6 prefix address assigned to the translator. The translation may also combine the IPv4 destination address and UDP port information with the new IPv6 address. Existing Domain Name Systems (DNSs) may be leveraged for resolving the IPv4 and IPv6 addresses across different networks.
NAT entry management method and NAT device
A NAT entry management method and a NAT device are disclosed. The method includes: receiving and storing, by a NAT device, a connection parameter, where the connection parameter includes an address of a controller; receiving a packet sent by a network device, where a source address of the packet is a private address of the network device and a destination address of the packet is the address of the controller; performing NAT on the packet, where an after-NAT source address of the packet is a public address; and when a static entry condition is met, generating a target static NAT entry, where the static entry condition includes that the destination address of the packet is the address of the controller. This can prevent aging of the NAT entry from affecting communication between the network device and the controller.