Patents Assigned to Nicira, Inc.
  • Patent number: 11095617
    Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: August 17, 2021
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Ly Loi, Anirban Sengupta, Yong Wang, Mike Parsa
  • Patent number: 11095536
    Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element breaks elephant flows into a number of mouse flows by facilitating the sending of packets associated with the detected elephant flow along different paths.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: August 17, 2021
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Justin Pettit, Martin Casado, Bruce Davie, W. Andrew Lambeth
  • Patent number: 11095513
    Abstract: For a virtual distributed network environment employing physical forwarding elements that includes both software forwarding elements and third party devices serving as hardware forwarding elements, a scalable method for synchronizing configuration data of logical forwarding elements that are distributed across the various physical forwarding elements is provided. The method generates and updates the configuration data at a set of central controllers and then distributes the configuration data to the physical forwarding elements. The method delivers the updated configuration data to some of the physical forwarding elements by (i) determining a delta/differential between the updated configuration data held at the central controller and the obsolete configuration data held at those physical forwarding elements and (ii) delivering the determined differential configuration data to the physical forwarding elements.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: August 17, 2021
    Assignee: NICIRA, INC.
    Inventors: Ziyou Wang, Hua Wang, Ariel Tubaltsev, Hsin-Yi Shen, Sarvani Vakkalanka, Anupam Chanda
  • Patent number: 11087006
    Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: August 10, 2021
    Assignee: NICIRA, INC.
    Inventors: Azeem Feroz, Kiran Kumar Thota, James C. Wiese
  • Patent number: 11088990
    Abstract: Some embodiments provide a method for distributing firewall configuration in a datacenter comprising multiple host machines. The method retrieves a rule in the firewall configuration for distribution to the host machines. The firewall rule is associated with a minimum required version number. The method identifies a high-level construct in the firewall rule. The method queries a translation cache for the identified high-level construct. The translation cache stores previous translation results for different high-level constructs. Each stored translation result is associated with a version number. When the translation cache has a stored previous translation result for the identified high-level construct that is associated with a version number that is equal to or newer than the minimum required version number, the method uses the previous translation result stored in the cache to translate the identified high-level construct to a low-level construct.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: August 10, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar, Shadab Shah, James Joseph Stabile, Steven Peters
  • Patent number: 11082298
    Abstract: A method of allocating network bandwidth in a network that includes several tenant virtual machines (VMs). The method calculates a first bandwidth reservation for a flow between a source VM and a destination VM that are hosted on two different host machines. The source VM sends packets to a first set of VMs that includes the destination VM. The destination VM receives packets from a second set of VMs that includes the source VM. The method receives a second bandwidth reservation for the flow calculated at the destination. The method sets the bandwidth reservation for the flow as a minimum of the first and second bandwidth reservations.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: August 3, 2021
    Assignee: NICIRA, INC.
    Inventors: Hua Wang, Jianjun Shen, Donghai Han, Caixia Jiang
  • Patent number: 11082400
    Abstract: Some embodiments provide a method for managing firewall protection in a datacenter that includes multiple host machines that each hosts a set of data compute nodes. The method maintains a firewall configuration for the host machines at a network manager of the data center. The firewall configuration includes multiple firewall rules to be enforced at the host machines. The method aggregates a first set of updates to the firewall configuration into a first aggregated update and associates the first aggregated update with a first version number. The method distributes a first host-level firewall configuration update to a first host machine based on the first aggregated update and associates the first host machine with the first version number. The method aggregates a second set of updates to the firewall configuration into a second aggregated update and associates the second aggregated update with a second version number.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: August 3, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar, Shadab Shah, James Joseph Stabile, Steven Peters
  • Patent number: 11082398
    Abstract: An approach for securing a DHCP server against unauthorized client attacks in an SDN environment is presented. In an embodiment, a method comprises: determining a count of sub-interfaces implemented on an interface card of a virtual machine; setting a count of unique client identifiers for the virtual machine to zero; determining whether a dynamic host configuration protocol (DHCP) request has been received from the virtual machine; in response to determining that a DHCP request has been received from the virtual machine, incrementing the count of unique client identifiers; determining whether the count of unique client identifiers exceeds the count of sub-interfaces implemented on the interface card of the virtual machine; and in response to determining that the count of unique client identifiers does not exceed the count of sub-interfaces implemented on the interface card of the virtual machine, forwarding the DHCP request to an uplink port.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: August 3, 2021
    Assignee: NICIRA, INC.
    Inventors: Ankur Kumar Sharma, Srikanth V. Garimella
  • Patent number: 11075888
    Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for distributing data messages among processors of a destination computer that receives encrypted data messages from a source computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. The encrypted data messages are received at multiple interfaces of the destination computer and in some embodiments, include an identifier for a set of encryption parameters (e.g., a security parameter index). The encryption-parameter-set identifier is used to distribute encrypted data messages among processors of the destination computer.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: July 27, 2021
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Ly Loi, Anirban Sengupta, Yong Wang, Mike Parsa
  • Patent number: 11075842
    Abstract: Some embodiments provide a novel method for load balancing data messages that are sent by a source compute node (SCN) to one or more different groups of destination compute nodes (DCNs). In some embodiments, the method deploys a load balancer in the source compute node's egress datapath. This load balancer receives each data message sent from the source compute node, and determines whether the data message is addressed to one of the DCN groups for which the load balancer spreads the data traffic to balance the load across (e.g., data traffic directed to) the DCNs in the group. When the received data message is not addressed to one of the load balanced DCN groups, the load balancer forwards the received data message to its addressed destination. On the other hand, when the received data message is addressed to one of load balancer's DCN groups, the load balancer identifies a DCN in the addressed DCN group that should receive the data message, and directs the data message to the identified DCN.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: July 27, 2021
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Mohan Parthasarathy, Allwyn Sequeira, Serge Maskalik, Rick Lund
  • Patent number: 11075949
    Abstract: Certain embodiments described herein are generally directed to allocating security parameter index (“SPI”) values to a plurality of endpoints in a network. The SPI values may be derived using an SPI derivation formula and a plurality of parameters. In some embodiments, the SPI values may be derived by an endpoint and in other embodiments by a server. Using the SPI derivation formula and the plurality of parameters enables endpoints and servers to instantaneously derive SPI values without the need for servers to store them.
    Type: Grant
    Filed: February 2, 2017
    Date of Patent: July 27, 2021
    Assignee: Nicira, Inc.
    Inventors: Amit Chopra, Chen Li, Ganesan Chandrashekhar, Jinqiang Yang, Sanal Pillai, Bin Qian
  • Patent number: 11070520
    Abstract: Some embodiments provide a network system that includes several host machines for hosting virtual machines, divided into several different domains. The network system includes several local domain management servers. A first local domain management server of a first domain is for (i) initiating creation of a set of distributed virtual switch ports associated with a particular logical network identifier on a host machine within its domain and (ii) attaching a first virtual machine on the host machine to a created port associated with the particular logical network identifier in order for the first virtual machine to send traffic over the logical network. The network system includes a second level management server for coordinating the use of logical network identifiers between multiple different logical domain management servers in order for the first virtual machine to communicate via the logical network with a second virtual machine in a second domain.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: July 20, 2021
    Assignee: NICIRA, INC.
    Inventors: James Joseph Stabile, Debashis Basak, Amol Palshikar, Sachin Thakkar
  • Patent number: 11057385
    Abstract: Certain embodiments described herein are generally directed to systems and methods for preventing access to files on a virtual machine. One example method involves receiving network information associated with a network connection opened at the virtual machine and determining a process that opened the network connection. The method further involves receiving information indicative of a file access event attempted at the virtual machine and determining the process that opened the network connection initiated the file access event. The method further involves transmitting information indicative of the file access event and the network connection to a security virtual machine and receiving an enforcement decision for the file access event from the security virtual machine based on the information indicative of the file access event and the network connection. The method further involves applying the enforcement decision to either allow or prevent the file access event by the process.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: July 6, 2021
    Assignee: Nicira, Inc.
    Inventors: Nilesh Awate, Rayanagouda Bheemanagouda Patil, Vasantha Kumar, Amit Vasant Patil
  • Patent number: 11050666
    Abstract: An LRE (logical routing element) that has LIFs that are active in all host machines spanned by the LRE as well as LIFs that are active in only a subset of those spanned host machines is provided. A host machine having an active LIF for a particular L2 segment would perform the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment would not perform L3 routing operations for the network traffic of the L2 segment.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: June 29, 2021
    Assignee: NICIRA, INC.
    Inventors: Vivek Agarwal, Ganesan Chandrashekhar, Rahul Korivi Subramaniyam, Howard Wang, Ram Dular Singh
  • Patent number: 11050588
    Abstract: In one aspect, a computerized method of a gateway distributing routes learned through routing protocols (RP) into a Border Gateway Protocol (BGP) includes the step of providing a first gateway that receives a route over a routing protocol. The method includes the step of, with the first gateway, redistributing the route to one or more peer routers as a BGP route based on one or more specified criteria. The method includes the step of setting a gateway precedence based on the redistribution of the route to the one or more peer routers as the BGP route. The method includes the step of, based on the gateway precedence, setting a second gateway to automatically redistribute the route with different priorities to influence steering of traffic to a preferred gateway.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: June 29, 2021
    Assignee: NICIRA, INC.
    Inventors: Ajit Ramachandra Mayya, Parag Pritam Thakore, Stephen Craig Connors, Steven Michael Woo, Sunil Mukundan, Thomas Harold Speeter, Vipin Kumar
  • Patent number: 11050765
    Abstract: A security system for a customer computer site includes a cloud-based manager (CBM) and on-site components. The on-site components include a manager appliance, guest agents of the CBM installed within respective virtual machines, and host agents of the CBM installed on the hypervisors on which the virtual machines run. The guest agents have a many-to-one relationship with the host agents, which have a many-to-one relationship with the appliance. In a scenario, many guest agents may generate alarms and send them to the host agents. Each host agent consolidates alarms across the different virtual machines it hosts and pushes the consolidated alarms to the manager appliance. The appliance batch processes the consolidated alarms across host agents, and pushes the batched alarms to the CBM, which deduplicates the alarms and notifies an administrator.
    Type: Grant
    Filed: August 25, 2018
    Date of Patent: June 29, 2021
    Assignee: Nicira, Inc.
    Inventors: Peixiao Lin, Amit Chopra, Daniel G. Wing, Vijay Ganti, Christopher Corde, Amit Patil
  • Patent number: 11042639
    Abstract: Some embodiments provide a method for an end machine, that implements a distributed application, to redirect new network connection requests to other end machines that also implement the distributed application. The method receives a set of measurement data from a set of resources of the end machine and determines whether the measurement data received from a particular resource has exceeded a threshold. When the measurement data has exceeded the threshold, the method notifies a load balancer that balances new requests for connection to the distributed application between the end machines. The notification causes the load balancer not to send any new connection requests to the end machine and to redirect them to other end machines.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: June 22, 2021
    Assignee: NICIRA, INC.
    Inventors: Amit Vasant Patil, Vasantha Kumar
  • Patent number: 11044150
    Abstract: A method is provided that uses a consistent hashing technique to dispatch incoming packets in a stable system prior to the adding of a node. The method uses a hash table and assigns hash buckets in the table to each network node. A set of fields in each incoming packet is hashed and is used to identify the corresponding hash bucket. The packets are then dispatched to the network nodes based on the nodes' hash buckets. During an observation period, the method identifies the ongoing sessions by creating a bit vector table that is used to identify the old and new sessions during a re-dispatching period. The method uses the consistent hashing method and the probabilistic method to dispatch the incoming packets such that each packet that belongs to an old session is dispatched to the same old node that has been processing the other packets of the session.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: June 22, 2021
    Assignee: NICIRA, INC.
    Inventors: Xinhua Hong, Jayant Jain, Mohan Parthasarathy, Anirban Sengupta
  • Patent number: 11044211
    Abstract: Example methods are provided for a first host to perform multicast packet handling in a software-defined networking (SDN) environment. The method may comprise: in response to the first host detecting, from a first virtualized computing instance, a request to join a multicast group address, obtaining control information from a network management entity. The control information may include one or more destination addresses associated with one or more second hosts that have joined the multicast group address on behalf of multiple second virtualized computing instances. The method may also comprise: in response to the first host detecting an egress multicast packet that includes an inner header addressed to the multicast group address, generating one or more encapsulated multicast packets based on the control information and sending the one or more encapsulated multicast packets in a unicast manner or multicast manner, or a combination of both.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: June 22, 2021
    Assignee: NICIRA, INC.
    Inventors: Wenfeng Liu, Hua Wang, Jingchun Jiang, Donghai Han, Jianjun Shen
  • Patent number: 11038782
    Abstract: Some embodiments provide a method for detecting a failure of a layer 2 (L2) bump-in-the-wire service at a device. In some embodiments, the device sends heartbeat signals to a second device connected to L2 service nodes in order to detect failure of the L2 service (e.g., a failure of all the service nodes). In some embodiments, the heartbeat signals are unidirectional heartbeat signals (e.g., a unidirectional bidirectional-forwarding-detection (BFD) session) sent from each device to the other. The heartbeat signals, in some embodiments, use a broadcast MAC address in order to reach the current active L2 service node in the case of a failover (i.e., an active service node failing and a standby service node becoming the new active service node). The unidirectional heartbeat signals are also used, in some embodiments, to decrease the time between a failover and data messages being forwarded to the new active service node.
    Type: Grant
    Filed: August 1, 2020
    Date of Patent: June 15, 2021
    Assignee: NICIRA, INC.
    Inventors: Sami Boutros, Stephen Tan, Rahul Mishra, Kantesh Mundaragi, Jayant Jain, Akhila Naveen
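The DHCP guard described in patent 11082398 (count the distinct client identifiers a VM presents and stop forwarding to the uplink once that count exceeds the VM's sub-interface count) can be illustrated end to end, as an added example that is not code from Nicira, VMware or the patent itself. The packet builder, the `DhcpGuard` class, the `vm-1` identifier and the rule that an unknown VM gets an allowance of zero are all assumptions made for this illustration; the DHCP layout (236-byte BOOTP header, magic cookie, TLV options, option 61 as the client identifier, chaddr as the fallback key) follows the protocol.

```python
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255


def build_discover(mac, client_id=None, xid=0x1234):
    """Construct a minimal DHCPDISCOVER (sample input for the example, not a capture)."""
    hdr = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, xid, 0, 0x8000, 0, 0, 0, 0)
    hdr += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1])                               # message type: DISCOVER
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id   # option 61
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_options(pkt):
    """Return {code: value} for the TLV options that follow the magic cookie."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a BOOTP/DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def client_identifier(pkt):
    """Option 61 if present, otherwise htype+chaddr (what a server keys leases on).
    An attacker exhausting the pool varies exactly this value between requests."""
    cid = parse_options(pkt).get(OPT_CLIENT_ID)
    if cid:
        return cid
    htype, hlen = pkt[1], pkt[2]
    return bytes([htype]) + pkt[28:28 + hlen]


class DhcpGuard:
    """Per-VM guard in front of the uplink. Each VM may legitimately present at most
    one client identifier per sub-interface on its vNIC; anything beyond that is
    dropped instead of being forwarded to the DHCP server."""

    def __init__(self, sub_interfaces):
        self.sub_interfaces = dict(sub_interfaces)   # vm_id -> sub-interface count (assumed input)
        self.seen = defaultdict(set)                 # vm_id -> unique client ids, starts empty
        self.dropped = defaultdict(int)

    def handle(self, vm_id, pkt):
        cid = client_identifier(pkt)
        self.seen[vm_id].add(cid)                    # a retransmission of a known id adds nothing
        # unknown VMs get an allowance of 0, i.e. fail closed (assumption of this example)
        if len(self.seen[vm_id]) > self.sub_interfaces.get(vm_id, 0):
            self.dropped[vm_id] += 1
            return "drop"
        return "uplink"
```

The check is on unique identifiers rather than request count, so a client that simply retries DISCOVER is never penalised; only a VM that keeps inventing new identities (the pool-starvation pattern) is cut off.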
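The node-addition scheme of patent 11044150 (hash buckets assigned to nodes, a bit vector of sessions observed before the change, and old sessions pinned to their old node while the new table takes effect) is shown below as an added example; it is not the patent's or Nicira's code. Rendezvous hashing per bucket is the consistent-hashing method chosen for this illustration, the 5-tuple flow key, the 64-bucket table and the 65536-bit session vector are assumed parameters, and `node-a`/`node-b`/`node-c` are made-up node names.

```python
import hashlib


def stable_hash(*parts):
    """Deterministic 64-bit hash; Python's built-in hash() is salted per process."""
    h = hashlib.blake2b(digest_size=8)
    for p in parts:
        h.update(repr(p).encode())
        h.update(b"\x00")
    return int.from_bytes(h.digest(), "big")


class ConsistentDispatcher:
    def __init__(self, nodes, buckets=64, session_bits=1 << 16):
        self.buckets = buckets
        self.session_bits = session_bits
        self.nodes = list(nodes)
        self.table = self._build_table(self.nodes)   # bucket -> node
        self.old_table = None      # table in force before the last node was added
        self.old_sessions = None   # frozen bit vector of sessions seen before that add
        self.observing = None      # bit vector being filled during the observation period

    def _build_table(self, nodes):
        # Rendezvous hashing per bucket: a newly added node takes only the buckets
        # where it scores highest, so most buckets (and flows) keep their node.
        return [max(nodes, key=lambda n, b=b: stable_hash("bucket", b, n))
                for b in range(self.buckets)]

    @staticmethod
    def flow_hash(pkt):
        return stable_hash(pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])

    def _bit(self, vec, fh, set_it=False):
        i = fh % self.session_bits
        byte, mask = i >> 3, 1 << (i & 7)
        if set_it:
            vec[byte] |= mask
        return bool(vec[byte] & mask)

    def start_observation(self):
        self.observing = bytearray(self.session_bits // 8)

    def add_node(self, node):
        """Freeze the observed sessions and switch to the new table. Sessions whose
        bit is set keep going to their old node until end_redispatch()."""
        self.old_table, self.old_sessions = self.table, self.observing
        self.observing = None
        self.nodes.append(node)
        self.table = self._build_table(self.nodes)

    def end_redispatch(self):
        self.old_table = self.old_sessions = None

    def moved_buckets(self):
        return sum(1 for o, n in zip(self.old_table or self.table, self.table) if o != n)

    def dispatch(self, pkt):
        fh = self.flow_hash(pkt)
        if self.observing is not None:
            self._bit(self.observing, fh, set_it=True)
        bucket = fh % self.buckets
        if self.old_table is not None and self.old_sessions is not None \
                and self._bit(self.old_sessions, fh):
            return self.old_table[bucket]   # old session: stay on the node that has its state
        return self.table[bucket]           # new session: use the new table
```

The bit vector is probabilistic in the sense the abstract mentions: a new flow whose bit collides with an observed session is also sent to the old node. That only delays rebalancing for that flow; it never sends an old session to a node without its state, which is the failure that matters for stateful services such as firewalls or load balancers.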
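Patents 11088990 and 11082400 describe two halves of one distribution mechanism: updates to the firewall configuration are aggregated under version numbers and each host is tagged with the version it last received, and high-level constructs in rules are translated through a cache whose entries are only reused when their version is at least the rule's minimum required version. The following added example puts both together; it is illustrative code written for this page, not Nicira's, and the security-group-to-address-set translation, the `Rule` fields, the host names and the rule that a group change bumps the minimum version of every rule that references the group are all assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: str
    src_group: str          # high-level constructs: security-group names
    dst_group: str
    action: str
    min_version: int = 0    # translations older than this must not be reused


class TranslationCache:
    def __init__(self):
        self._entries = {}  # construct -> (version, frozenset of addresses)

    def lookup(self, construct, min_version):
        entry = self._entries.get(construct)
        if entry is not None and entry[0] >= min_version:
            return entry[1]
        return None         # missing or too old: caller must retranslate

    def store(self, construct, version, result):
        self._entries[construct] = (version, result)


class FirewallManager:
    def __init__(self):
        self.version = 0
        self.groups = {}         # group -> set of addresses (the low-level construct)
        self.rules = {}
        self.cache = TranslationCache()
        self.pending = []        # ("group", name) / ("rule", id) not yet aggregated
        self.aggregated = []     # [(version, [updates])]
        self.host_version = {}   # host -> version of the last update it applied
        self.translations = 0    # cache misses, to make the cache's effect visible

    def update_group(self, group, members):
        self.groups[group] = set(members)
        self.pending.append(("group", group))

    def add_rule(self, rule):
        self.rules[rule.rule_id] = rule
        self.pending.append(("rule", rule.rule_id))

    def commit(self):
        """Aggregate every pending update into one update with a new version number."""
        self.version += 1
        changed = {name for kind, name in self.pending if kind == "group"}
        for rule in self.rules.values():
            if rule.src_group in changed or rule.dst_group in changed:
                rule.min_version = self.version   # stale translations no longer acceptable
        self.aggregated.append((self.version, self.pending))
        self.pending = []
        return self.version

    def translate(self, construct, min_version):
        hit = self.cache.lookup(construct, min_version)
        if hit is not None:
            return hit
        self.translations += 1
        result = frozenset(self.groups.get(construct, ()))
        self.cache.store(construct, self.version, result)
        return result

    def host_update(self, host):
        """Host-level update: only the aggregated updates newer than the host's own
        version, with every affected rule translated to address sets."""
        have = self.host_version.get(host, 0)
        deltas = [(v, ups) for v, ups in self.aggregated if v > have]
        if not deltas:
            return []
        changed = {n for _, ups in deltas for k, n in ups if k == "group"}
        rule_ids = {n for _, ups in deltas for k, n in ups if k == "rule"}
        rule_ids |= {r.rule_id for r in self.rules.values()
                     if r.src_group in changed or r.dst_group in changed}
        low_level = []
        for rid in sorted(rule_ids):
            r = self.rules[rid]
            low_level.append({"rule": rid, "action": r.action,
                              "src": self.translate(r.src_group, r.min_version),
                              "dst": self.translate(r.dst_group, r.min_version)})
        self.host_version[host] = deltas[-1][0]
        return low_level
```

Because the minimum version lives on the rule, a change to one group forces every construct in the rules that reference it to be retranslated, including groups that did not change; a per-construct minimum version would avoid that extra work at the cost of more bookkeeping. The version check is also what keeps a host from ever enforcing an address set that predates a group-membership change it was told about.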
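Patent 11057385 correlates a file access event with the network connection the same process opened and lets a security VM decide whether the access proceeds. The example below, added for this page and not taken from the patent or from Nicira, runs that correlation over a constructed event stream. The line format, the `GuestAgent`/`SecurityVM` split, the trusted-network list and the policy (a process holding a connection to an address outside the trusted networks may not touch protected paths) are assumptions chosen to make the decision logic concrete.

```python
import ipaddress
import re
from dataclasses import dataclass

CONN_RE = re.compile(r"CONN (?P<state>open|close) pid=(?P<pid>\d+) (?P<proto>tcp|udp) "
                     r"(?P<laddr>[\d.]+):(?P<lport>\d+) -> (?P<raddr>[\d.]+):(?P<rport>\d+)")
FILE_RE = re.compile(r"FILE pid=(?P<pid>\d+) (?P<op>read|write) (?P<path>\S+)")


@dataclass(frozen=True)
class Connection:
    pid: int
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int


@dataclass(frozen=True)
class FileEvent:
    pid: int
    op: str
    path: str


class SecurityVM:
    """Policy side. Assumed policy for this example: a process with a connection to an
    address outside the trusted networks may not read or write the protected paths."""

    def __init__(self, trusted_nets, protected_prefixes):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]
        self.protected = tuple(protected_prefixes)

    def decide(self, event, connections):
        if not event.path.startswith(self.protected):
            return "allow"
        for c in connections:
            if not any(ipaddress.ip_address(c.raddr) in net for net in self.trusted):
                return "deny"   # networked to an untrusted peer and touching protected data
        return "allow"


class GuestAgent:
    """Runs in the guest: remembers which process opened which connection and asks the
    security VM before a process that holds a connection touches a file."""

    def __init__(self, svm):
        self.svm = svm
        self.conns = {}       # pid -> set of open Connection objects
        self.decisions = []   # (FileEvent, decision), an audit trail

    def feed(self, line):
        m = CONN_RE.match(line)
        if m:
            c = Connection(int(m["pid"]), m["proto"], m["laddr"], int(m["lport"]),
                           m["raddr"], int(m["rport"]))
            if m["state"] == "open":
                self.conns.setdefault(c.pid, set()).add(c)
            else:
                self.conns.get(c.pid, set()).discard(c)
            return None
        m = FILE_RE.match(line)
        if m:
            ev = FileEvent(int(m["pid"]), m["op"], m["path"])
            conns = self.conns.get(ev.pid, set())
            # Only accesses by a process that opened a connection are escalated; with no
            # network context there is nothing to correlate, so they are allowed locally.
            decision = self.svm.decide(ev, frozenset(conns)) if conns else "allow"
            self.decisions.append((ev, decision))
            return decision
        raise ValueError("unrecognised event: " + line)


SAMPLE_EVENTS = [   # constructed sample stream, not real telemetry
    "CONN open pid=4242 tcp 10.0.5.20:51000 -> 203.0.113.7:443",
    "FILE pid=4242 read /srv/data/customers.db",
    "FILE pid=4242 read /tmp/cache.bin",
    "FILE pid=7001 write /srv/data/customers.db",
    "CONN close pid=4242 tcp 10.0.5.20:51000 -> 203.0.113.7:443",
    "FILE pid=4242 read /srv/data/customers.db",
    "CONN open pid=7001 tcp 10.0.5.20:51001 -> 10.0.8.9:5432",
    "FILE pid=7001 write /srv/data/customers.db",
]


def run(lines, svm=None):
    """Feed the stream through an agent and return the decision for each file event."""
    svm = svm or SecurityVM(["10.0.0.0/8"], ["/srv/data/"])
    agent = GuestAgent(svm)
    return [d for d in (agent.feed(line) for line in lines) if d is not None]
```

On the sample stream only the first access is denied: pid 4242 reads protected data while connected to 203.0.113.7. The same process reading the same file after the connection closes is allowed, and pid 7001 writing the database while connected to an in-network database server is allowed, which is the difference between "has network activity" and "is correlated with an untrusted peer". The guest-side bookkeeping is the weak point of any such design: a process that closes its connection before touching the file evades the check, so the decision is only as good as the window over which the agent retains connection history.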