Abstract: In one embodiment, a system and method are disclosed for sending a request and receiving a reply. The request contains a network service header including a flow label field and a target index field. The flow label field contains a set of available flow labels. The target index field includes a value indicating a target node. The reply contains information indicating which of the flow labels can be used to route a packet to each of the next hop nodes downstream from the device that sent the reply. This process can be repeated for other nodes on a path, and other paths in a service topology layer. The information determined by this process can be used to perform other necessary functionalities at the service topology layer.

Abstract: A method implemented by a central controller is provided. The method includes receiving traffic monitoring information from a client, and sending a traffic monitor request to a network controller, the traffic monitor request requesting the network controller to monitor one or more traffic parameters based on the traffic monitoring information. The method further includes receiving a traffic report from the network controller, and responsive to determining that a monitored traffic parameter in the traffic report does not satisfy a condition specified by the traffic monitoring information, initiating a scaling operation based on data contained in the traffic report.

Abstract: In a first enclave of a label switching network (LSN), a protocol data unit (PDU) of the LSN is formatted to include a network service field specifying a service to be applied to the PDU. The service field can be positioned between PDU data link layer and network layer fields. The PDU specifies PDU routing/forwarding information for a path in the LSN ending in an LSN second enclave, and routing/forwarding for a destination between path segments in a non-LSN. The PDU is communicated from the first enclave, via the non-LSN, to the second enclave in accordance with the routing/forwarding information for the destination between path segments in the non-LSN. In the second enclave, each network service specified for the PDU is determined and then applied to the PDU. The second enclave transmits the network serviced PDU from the second enclave in accordance with the routing/forwarding information of the PDU in the label switching network.

Abstract: Embodiments are directed to a service function configured to receive, from a service function forwarder, a data packet comprising a bit field to indicate that a packet drop is to be monitored; apply a policy for the data packet; determine that the data packet is to be dropped based on the policy; set a drop-propagate bit in a header of the data packet; and transmit the data packet to the service function forwarder. Embodiments are directed to a service function forwarder configured to receive a data packet from a service function, the data packet comprising a bit set to indicate that a packet drop is to be monitored; generate an Internet Control Message Protocol (ICMP) message, the ICMP message comprising a destination address for the ICMP message identified from the data packet; transmit the ICMP message to the destination address; and drop the data packet from the service function chain.

Abstract: In a first enclave of a label switching network (LSN), a protocol data unit (PDU) of the LSN is formatted to include a network service field specifying a service to be applied to the PDU. The service field can be positioned between PDU data link layer and network layer fields. The PDU specifies PDU routing/forwarding information for a path in the LSN ending in an LSN second enclave, and routing/forwarding for a destination between path segments in a non-LSN. The PDU is communicated from the first enclave, via the non-LSN, to the second enclave in accordance with the routing/forwarding information for the destination between path segments in the non-LSN. In the second enclave, each network service specified for the PDU is determined and then applied to the PDU. The second enclave transmits the network serviced PDU from the second enclave in accordance with the routing/forwarding information of the PDU in the label switching network.

Abstract: A computer-implemented method for establishing virtual network (VN) routes includes receiving, at a Software Defined Networking (SDN) controller and from a customer network, a first routing request. The first routing request includes a destination address for a VN and a first Quality of Service (QoS) indicator associated with a first service of the VN. The SDN controller determines a first VN route in a provider network based on the first QoS indicator and the destination address. The SDN controller associates a first VN label with the first VN route. The SDN controller transmits a first routing response to the customer network. The first routing response includes the first VN label. The SDN controller transmits the first VN label and first routing information indicating the first VN route to an edge router of the provider network.

Abstract: Various systems and methods for determining whether to allow or continue to allow access to a protected data asset are disclosed herein. For example, one method involves receiving a request to access a protected data asset, wherein the request is received from a first user device; determining whether to grant access to the protected data asset, wherein the determining comprises evaluating one or more criteria associated with the first user device, and the criteria comprises first information associated with a first policy constraint; and in response to a determination that access to the protected data asset is to be granted, granting access to the protected data asset.

Abstract: In one embodiment, a system and method are disclosed for sending a request and receiving a reply. The request contains a network service header including a flow label field and a target index field. The flow label field contains a set of available flow labels. The target index field includes a value indicating a target node. The reply contains information indicating which of the flow labels can be used to route a packet to each of the next hop nodes downstream from the device that sent the reply. This process can be repeated for other nodes on a path, and other paths in a service topology layer. The information determined by this process can be used to perform other necessary functionalities at the service topology layer.

Abstract: A method is described and in one embodiment includes receiving at a forwarding node of a Service Function Chain (“SFC”)-enabled network a packet having a packet header including at least one context header comprising metadata information for the packet, wherein the metadata information comprises price information indicative of a value of a traffic flow of which the packet comprises a part; identifying based on the metadata information and at least one of network state and environmental information a Virtual Network Function (“vNF”) to which to forward the packet for processing; and forwarding the packet to the identified vNF for processing.

Abstract: A computer-implemented method for establishing virtual network (VN) routes includes receiving, at a Software Defined Networking (SDN) controller and from a customer network, a first routing request. The first routing request includes a destination address for a VN and a first Quality of Service (QoS) indicator associated with a first service of the VN. The SDN controller determines a first VN route in a provider network based on the first QoS indicator and the destination address. The SDN controller associates a first VN label with the first VN route. The SDN controller transmits a first routing response to the customer network. The first routing response includes the first VN label. The SDN controller transmits the first VN label and first routing information indicating the first VN route to an edge router of the provider network.

Abstract: Embodiments are directed to a service function configured to receive, from a service function forwarder, a data packet comprising a bit field to indicate that a packet drop is to be monitored; apply a policy for the data packet; determine that the data packet is to be dropped based on the policy; set a drop-propagate bit in a header of the data packet; and transmit the data packet to the service function forwarder. Embodiments are directed to a service function forwarder configured to receive a data packet from a service function, the data packet comprising a bit set to indicate that a packet drop is to be monitored; generate an Internet Control Message Protocol (ICMP) message, the ICMP message comprising a destination address for the ICMP message identified from the data packet; transmit the ICMP message to the destination address; and drop the data packet from the service function chain.

Abstract: Presented herein are techniques for use in a network environment that includes one or more service zones, each service zone including at least one instance of an in-line application service to be applied to network traffic and one or more routers to direct network traffic to the at least one service, and a route target being assigned to a unique service zone to serve as a community value for route import and export between routers of other service zones, destination networks or source networks via a control protocol. An edge router in each service zone or destination network advertises routes by its destination network prefix tagged with its route target. A service chain is created by importing and exporting of destination network prefixes by way of route targets at edge routers of the service zones or source networks.

Abstract: In one embodiment, a system and method are disclosed for sending a request and receiving a reply. The request contains a network service header including a flow label field and a target index field. The flow label field contains a set of available flow labels. The target index field includes a value indicating a target node. The reply contains information indicating which of the flow labels can be used to route a packet to each of the next hop nodes downstream from the device that sent the reply. This process can be repeated for other nodes on a path, and other paths in a service topology layer. The information determined by this process can be used to perform other necessary functionalities at the service topology layer.

Abstract: In a first enclave of a label switching network (LSN), a protocol data unit (PDU) of the LSN is formatted to include a network service field specifying a service to be applied to the PDU. The service field can be positioned between PDU data link layer and network layer fields. The PDU specifies PDU routing/forwarding information for a path in the LSN ending in an LSN second enclave, and routing/forwarding for a destination between path segments in a non-LSN. The PDU is communicated from the first enclave, via the non-LSN, to the second enclave in accordance with the routing/forwarding information for the destination between path segments in the non-LSN. In the second enclave, each network service specified for the PDU is determined and then applied to the PDU. The second enclave transmits the network serviced PDU from the second enclave in accordance with the routing/forwarding information of the PDU in the label switching network.

Abstract: Aspects of the embodiments are directed to a service classifier configured for steering cloned traffic through a service function chain. The service classifier is configured to create a cloned data packet by creating a copy of a data packet; activate a mirror bit in a network service header (NSH) of the cloned data packet, the mirror bit identifying the cloned packet to a service function forwarder network element as a cloned packet; and transmit the cloned packet to the service function forwarder network element.

Abstract: Embodiments are directed to a service function configured to receive, from a service function forwarder, a data packet comprising a bit field to indicate that a packet drop is to be monitored; apply a policy for the data packet; determine that the data packet is to be dropped based on the policy; set a drop-propagate bit in a header of the data packet; and transmit the data packet to the service function forwarder. Embodiments are directed to a service function forwarder configured to receive a data packet from a service function, the data packet comprising a bit set to indicate that a packet drop is to be monitored; generate an Internet Control Message Protocol (ICMP) message, the ICMP message comprising a destination address for the ICMP message identified from the data packet; transmit the ICMP message to the destination address; and drop the data packet from the service function chain.

Abstract: In a first enclave of a label switching network (LSN), a protocol data unit (PDU) of the LSN is formatted to include a network service field specifying a service to be applied to the PDU. The service field can be positioned between PDU data link layer and network layer fields. The PDU specifies PDU routing/forwarding information for a path in the LSN ending in an LSN second enclave, and routing/forwarding for a destination between path segments in a non-LSN. The PDU is communicated from the first enclave, via the non-LSN, to the second enclave in accordance with the routing/forwarding information for the destination between path segments in the non-LSN. In the second enclave, each network service specified for the PDU is determined and then applied to the PDU. The second enclave transmits the network serviced PDU from the second enclave in accordance with the routing/forwarding information of the PDU in the label switching network.

Abstract: Techniques are provided to decouple service chain structure from the underlying network forwarding state and allow for data plane learning of service chain forwarding requirements and any association between services function state requirements and the forward and reverse forwarding paths for a service chain. In a network comprising a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node, a packet is received at a network node. When the network node determines that the service function it applies is stateful, it updates context information in a network service header of the packet to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.

Abstract: Presented herein are techniques performed in a network comprising a plurality of network nodes each configured to apply one or more service functions to traffic that passes the respective network nodes in a service path. At a network node, an indication is received of a failure or degradation of one or more service functions or applications applied to traffic at the network node. Data descriptive of the failure or degradation is generated. A previous service hop network node at which a service function or application was applied to traffic in the service path is determined. The data descriptive of the failure or degradation is communicated to the previous service hop network node.

Abstract: A method implemented by a central controller is provided. The method includes receiving traffic monitoring information from a client, and sending a traffic monitor request to a network controller, the traffic monitor request requesting the network controller to monitor one or more traffic parameters based on the traffic monitoring information. The method further includes receiving a traffic report from the network controller, and responsive to determining that a monitored traffic parameter in the traffic report does not satisfy a condition specified by the traffic monitoring information, initiating a scaling operation based on data contained in the traffic report.