H04L61/2571

SYSTEMS AND METHODS FOR USING SPI TO DISCOVER A NETWORK GRAPH OF NODES BEHIND NAT
20230037548 · 2023-02-09

Systems and methods for determining network topology by implementing the security parameter index (“SPI”) to map network nodes that are behind a network address translation (“NAT”) address are disclosed.

ATTRIBUTING NETWORK ADDRESS TRANSLATION DEVICE PROCESSED TRAFFIC TO INDIVIDUAL HOSTS
20180013646 · 2018-01-11

A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on a NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.

Scaling border gateway protocol services

This disclosure describes techniques for scaling resources that handle, participate in, and/or control routing protocol sessions. In one example, this disclosure describes a method that includes instantiating a plurality of containerized routing protocol modules, each capable of storing routing information about a network having a plurality of routers; performing network address translation to enable each of the containerized routing protocol modules to communicate with each of the plurality of routers using a public address associated with the computing system; configuring each of the containerized routing protocol modules to peer with a different subset of the plurality of routers so that each of the containerized routing protocol modules shares routing information with a respective different subset of the plurality of routers; and configuring each of the containerized routing protocol modules to peer with each other to share routing information received from the different subsets of the plurality of routers.

PERFORMANCE IMPROVEMENT OF IPSEC TRAFFIC USING SA-GROUPS AND MIXED-MODE SAS
20230231826 · 2023-07-20

Some embodiments provide a method of load balancing data message flows across multiple secure connections. The method receives a data message having source and destination addresses formatted according to a first protocol. Based on the source and destination addresses, the method selects one of the multiple secure connections for the data message. Each of the secure connections handles a first set of connections formatted according to the first protocol and a second set of connections formatted according to a second protocol that is an alternative to the first protocol. The method securely encapsulates the data message and forwards the encapsulated data message onto a network. The encapsulation includes an identifier for the selected secure connection.

TRUSTED SYSTEM FOR PROVIDING CUSTOMIZED CONTENT TO INTERNET SERVICE PROVIDER SUBSCRIBERS
20230224372 · 2023-07-13

A method includes receiving, by a processing system of a user endpoint device, a network cookie directly from an internet service provider who provides a subscriber who is associated with the user endpoint device with connectivity to the internet, storing, by the processing system, the network cookie in a local memory of the user endpoint device, generating, by the processing system, a request to send to the Internet service provider, wherein the request comprises a request for an internet protocol address associated with a uniform resource locator of an internet content provider, attaching, by the processing system, the network cookie to the request, and sending, by the processing system, the request including the network cookie to the Internet service provider.

Virtual network function virtual domain isolation

Techniques for virtualized network functions (VNFs) that provide for domain isolation of networks coupled to the VNF are described. A virtual network function (VNF) includes a cloud virtual domain coupling the VNF to a cloud service, a management virtual domain coupling the VNF to a management service, and an external virtual domain having a public Internet Protocol (IP) address. The external virtual domain receives an authentication request providing access credentials for a VNF customer from a cloud client device, provides the authentication request to the management service via the management virtual domain, receives an authentication response from the management service, and, in response to determining that the VNF customer access credentials are valid, initiates application of a policy that allows the cloud client device to configure the cloud virtual domain or the cloud service and disallows configuration of the external virtual domain and the management virtual domain.

System to dynamically detect and enhance classifiers for low latency traffic

A network device for use with a client device and a cable modem termination system (“CMTS”), the client device being configured to run applications requiring data traffic of a first and second quality of service (“QoS”). The CMTS is configured to provide a first service flow and a second service flow to the network device. The network device provides a local area network (“LAN”) for connection to the client device and a network address translation (“NAT”). The NAT is configured to map the network device IP address to the client device IP address; divide the source ports into a first range and a low latency range; assign the respective data traffic of the applications to at least one port within the first range and to at least one port within the low latency range; and modify the low latency range of source ports based on a change in data traffic.

System, device, and method of resolving internet protocol (IP) addresses of devices in a communication network
11483278 · 2022-10-25

Systems, devices, and methods for resolving the original private Internet Protocol (IP) address of a User Equipment (UE) device in a cellular communication network; particularly where the UE device is behind a Network Address Translation (NAT) service which replaces the original private IP address of the UE device with a replacement public IP address. An IP address resolver performs an active resolution process which injects a new IP packet to the network, or performs a passive or comparison-based resolution process which compares headers of IP packets, to determine a pair of (i) an original private IP address of a particular UE device, and (ii) a replacement public IP address that is assigned to the UE device by a User Plane Function (UPF) unit. The correlation data or IP address mapping data is provided to servers or applications, to enable them to provide services to the UE device using its original private IP address.