Patent classifications
H04L61/2592
Cloud to on-premise port forwarding with IP address bound to loopback alias
An example method to provide communication between a first computer in a first computer network and a second computer in a second computer network is disclosed. The method includes aliasing the second computer's address in the second computer network to a loopback interface of a third computer in the first computer network and establishing a tunnel between the third computer and a fourth computer in the second computer network. Establishing the tunnel includes configuring the fourth computer to forward traffic received from the tunnel to the second computer. The method further includes configuring routing in the first computer network to direct traffic destined for the second computer network to the third computer, and configuring the first computer to transmit packets destined for the second computer with the second computer's address in the second computer network.
Enhanced privacy-preserving access to a VPN service
Systems and methods for effectively managing security and privacy measures during a user's connectivity session with a VPN service are provided. The systems and methods use a computer program that introduces a double-NAT feature at the network layer and a temporary hash table containing the minimally necessary temporary data to link two NAT sessions together in a secure manner. The systems and methods avoid including the dynamic management of IP addresses or requiring each client to have an IP address assigned beforehand to avoid compromising the user's identity by hard linking the session traces with the client.
Use Of IP Networks For Routing Of Cellular Data Packets
A cellular data communication network includes a gNodeB connected to a UPF by an IP network. A first translation module translates GFP packets into IP packets transmitted over the IP network. A second translation module translates the IP packets back into IP packets and forwards the IP packets to the UPF. A PFCP proxy snoops information and provides it to a BGP module that programs the translation modules and a routing module to perform routing of packets in bypass of the UPF. The BGP module may program the first translation module with an SR policy associated with a binding SID that is bound to an interface to the gNodeB. The SR policy may invoke translation according to a function. The routing module may be programmed to embed GTP information in an SRH header that is used by the first translation module. BGP module may also distribute routing and VPN updates.
Apparatus and method for an accelerated and offload dual border relay
Methods and systems for an accelerated and offload dual border relay. A method includes receiving, by a hardware border relay from a network device, an Internet Protocol (IP) packet, determining, by the hardware border relay, a packet type of the IP packet, translating, by the hardware border relay provisioned with IPv6 transition technology rules, the IP packet to a hardware translated IP packet when the IP packet is a first type, translating, by the offload border relay provisioned with MAP-T rules, the IP packet to an offload translated IP packet when the IP packet is a second type, transmitting, by the offload border relay to the hardware border relay, the offload translated IP packet when the IP packet is the second type, and transmitting, by the hardware border relay, one of the offload translated IP packet and the hardware translated IP packet to another network device.
Method for establishing segment routing for IPv6 tunnel
A method for establishing Segment Routing (SR) tunnel based on Internet Protocol version 6 (IPv6) data-plane using a path computation element communication protocol (PCEP) includes generating, by a path computation element (PCE), a first PCEP message, wherein the first PCEP message comprises indicating information and segment identifier (SID), and wherein the indicating information indicates that the SID is an IPv6 prefix of a node in a tunnel. A first path computation client (PCC) receives a first PCEP message from a PCE and the first PCC establishes an SR for IPv6 forwarding plane (SRv6) tunnel from the first PCC to a second PCC.
Mid-link server having a plurality of access resource servers for policy control
Systems and methods for providing policy-controlled communication over the Internet are provided. A system may include a client endpoint function configured to execute on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, a gateway server including a first VPN termination point that authenticates and terminates the first VPN tunnel, a stitcher server including a second VPN termination point that authenticates and terminates a second VPN tunnel, and a mid-link server coupled to the first VPN tunnel and the second VPN tunnel. The mid-link server may include a plurality of Access Resource Servers (ARSs), and the gateway server and the stitcher server may communicate via a network connecting the plurality of ARSs.
Edge node cluster network redundancy and fast convergence using an underlay anycast VTEP IP
Some embodiments provide a method for providing redundancy and fast convergence for modules operating in a network. The method configures modules to use a same anycast inner IP address, anycast MAC address, and to associate with a same anycast VTEP IP address. In some embodiments, the modules are operating in an active-active mode and all nodes running modules advertise the anycast VTEP IP addresses with equal local preference. In some embodiments, modules are operating in active-standby mode and the node running the active module advertises the anycast VTEP IP address with higher local preference.