H04L45/04

Secure communication for remote devices

A security system that provides for secure communication from a remote system operating on an unsecure network without the need for encrypting the packets related to the communication. The packets for the communications are sent over the network in clear text and are readable by any system on the network; however, only the authorized systems are able to determine which packets are the correct packets and which packets are the imitation packets. Moreover, a remote secure network may be utilized such that any system operating on an unsecure network may send packets through the remote secure network using randomized routing, in order to aid in hiding the systems sending and receiving the packets and the relays through which the packets are being sent.

Network controller subclusters for distributed compute deployments

The disclosure describes examples where a first data center includes a first gateway router, a first set of computing devices, and a second set of computing devices. The first set of computing devices is configured to execute a software defined networking (SDN) controller cluster to facilitate operation of one or more virtual networks within the first data center. The second set of computing devices is configured to execute one or more control nodes to exchange route information, between the first gateway router and a second gateway router of a second data center different than the first data center, for a virtual network between computing devices within the second data center, and to communicate control information for the second data center to the second set of computing devices, wherein the one or more control nodes form a subcluster of the SDN controller cluster.

MAC mobility for 802.1x addresses for virtual machines
11558349 · 2023-01-17

A system and method for provisionally authenticating a host moving from one router to another router in a network using border gateway protocol (BGP) is disclosed. A host is initially authenticated at a first BGP router, this discovery is advertised to a second BGP router pursuant to BGP with a new extended community indicating successful authentication (or pre-authentication) of the host at the first BGP router. An indication for re-authentication of the host at the second BGP router is then received, which blocks network traffic from the host to the second BGP router. Due to the notification of a previous authentication of the host, the second BGP router begins a provisional authentication session. In response to a successful completion of the provisional authentication session, the host is authorized to transmit network traffic on the second BGP router and subsequently blocked from doing the same at the first BGP router.

MESSAGE HANDLING BETWEEN DOMAINS

A method includes receiving, at a home controller of a home domain and from a first device in the home domain, a first message concerning a user device that is anchored to the home domain and that has roamed from the home domain to a visitor domain. The method also includes, in response to determining that the first device is a router, opening a tunnel between the home controller and a visitor controller of the visitor domain and communicating the first message to the user device through the tunnel. The method further includes receiving, at the home controller and from a second device in the home domain, a second message concerning the user device and in response to determining that the second device is not a router, communicating, to the second device, a proxy response to the second message.

Elasticity in a Virtualised Network

A method (400) for providing support for elasticity within a domain of a multi-domain network. The method comprises receiving (401) information for a requested virtual link forming part of an end-to-end path across the multi-domain network; wherein the information of the virtual link comprises a service parameter and an elasticity parameter. The method further comprises selecting (402) a physical path (150) corresponding to the virtual link on which to send traffic. The physical path is selected based on a service parameter and an elasticity parameter of the physical path.

CHAINING SERVICE ZONES BY WAY OF ROUTE RE-ORIGINATION

Presented herein are techniques for use in a network environment that includes one or more service zones, each service zone including at least one instance of an in-line application service to be applied to network traffic and one or more routers to direct network traffic to the at least one service, and a route target being assigned to a unique service zone to serve as a community value for route import and export between routers of other service zones, destination networks or source networks via a control protocol. An edge router in each service zone or destination network advertises routes by its destination network prefix tagged with its route target. A service chain is created by importing and exporting of destination network prefixes by way of route targets at edge routers of the service zones or source networks.

Network plugin for multiple network interfaces

A new host is detected being added to a network cluster, wherein each of a plurality of hosts is on the network cluster. Available interfaces on each of the plurality of hosts on the network cluster are detected in response to detecting the new host being added. A classless inter-domain routing (CIDR) range is calculated for hosts and interfaces on the network cluster using the available interfaces. Pod routes with an interface range and L3 host routes are set for each host.

Service Dependent IP Addresses
20180013717 · 2018-01-11

A system that enables end-user devices that operate within different enterprise networks to exchange data with one another. In particular, the disclosed system uses unique IP addresses that are dedicated solely to supporting a predefined communication service between enterprise computer networks, in order to identify and route each data packet according to the communications service. As part of the communications service, the data packets are transmitted, for example, from a first local service provider network hosting a first enterprise network, through a participating backbone service provider network on the public Internet and based on deterministic routing, and to a second local service provider network hosting a second enterprise network. In handling the data packets in this way, the disclosed system creates an Internet wide-area-network (WAN): the data packets are transmitted over the Internet and conceivably over a large geographic distance between enterprise networks.

Data Packet Transmission Method and Border Routing Bridge Device
20180013679 · 2018-01-11

A data packet transmission method and a border routing bridge device, where the method includes receiving, by a first border routing bridge device of a first area, a first data packet sent by a border routing bridge device of a second area to the first area; determining a device identifier group of the second area according to the first data packet; determining, from the device identifier group of the second area and according to the first data packet, a device identifier of a border routing bridge device used to forward a return data packet sent by the target device to the source device; and sending, by the first border routing bridge device, a second data packet carrying the determined device identifier to the target device, where the determined device identifier is used as the source routing bridge device identifier of the second data packet.

SHAPING OUTGOING TRAFFIC OF NETWORK PACKETS IN A NETWORK MANAGEMENT SYSTEM
20180013659 · 2018-01-11

A network management system can include multiple network interfaces. For example, the network management system can include a first network interface that can receive a stream of network packets associated with users. The network management system can include a second network interface for transmitting the received stream of network packets. The network management system can shape the stream of network packets before transmission. The network management system can assign the network packets into classes. The classes may have a configured hierarchical relationship. The classes may also have an operational hierarchy based on bandwidth usage during operation. The network management system can shape the stream of network packets based on the operational hierarchy of the classes and the configured hierarchical relationship.