Abstract: The rate limiter circuits in the packet processing chip of a NIC are a limited hardware resource that may limit the number of workloads that can be run on a server. Some such chips include an egress packet processing pipeline circuit and a second packet processing pipeline circuit that prepares work for the egress pipeline circuit. Some of the stages of the second pipeline circuit can be configured as a first limiter and a second limiter that implement aspects of different rate limiters such as IOPS limiters, bandwidth limiters, etc. Another pipeline stage can use the outputs of the different rate limiters to make a limiting decision that is written into one of the rate limiter circuits. The second pipeline circuit is thereby implementing virtualized rate limiters where one of the rate limiter circuits performs the rate limiting for the virtualized rate limiters.

Abstract: SR-IOV (single root IO virtualization) capable PCIe devices can implement virtual functions (VFs) that are assigned to VMs running on a host machine, thereby speeding IO operation by writing directly to the VMs' memory while bypassing the hypervisor managing the VMs. As such, VFs thwart the dirty page tracking that hypervisors use to minimize VM downtime when the VM is migrated between hosts. The SR-IOV PCIe devices can help resolve this problem by maintaining dirty page tracking data for VMs running on the host machine. The SR-IOV PCIe devices bypassing the hypervisor while writing into a memory page of the VM can set the dirty page tracking data to indicate the memory pages that are dirty (i.e., written to by the VF), and can provide access to the dirty page tracking data. The hypervisor can thereby obtain and use the dirty page tracking data.

Abstract: A networking device can include a packet processing pipeline circuit and a processor. The packet processing pipeline circuit can be configured to implement a data plane and the processor can be configured to implement a control plane. The packet processing pipeline circuit and the processor can also be configured to send a plurality of heartbeat packets on multiple paths to a second networking device. The data plane can produce and send the heartbeat packets to the second networking device within a heartbeat period. The data plane may send a second plurality of heartbeat packets on multiple paths to the second networking device with a second heartbeat period. The heartbeat packets can have unique packet five tuples that include an IP address of the second networking device.

Abstract: Tenants in data centers may want access to high precision clocks without having to run their own PTP stacks or reference clocks. Furthermore, different tenants may want their workloads synchronized to their own secured clock domain. PTP, the currently dominant synchronization protocol, allows for only 256 clock domains (CDs). Virtual CDs (vCDs) virtualize the concept of clock domains by maintaining a hardware clock within a host computer, receiving a network clock domain packet that includes a clock domain identifier and an origin timestamp produced by a reference clock, using the network clock domain packet to synchronize the hardware clock to the reference clock, and using the hardware clock to provide a hardware timestamp value to a virtual machine (VM) running on the host computer or to a process running on the host computer, wherein the hardware clock is secured from manipulation by the VM or by the process.

Abstract: Described are input output (IO) device configured to perform operations for performing a table lookup with a single wide key larger than a width of a system bus. These operations comprise: receiving the lookup key; performing a plurality of extraction cycles to determine a plurality of key fragments; calculating a final hash value for the lookup key by sequentially calculating, via a hash chain, an interim hash value for each of the key fragments; determine a read access address for a table entry of a logic table based on the final hash value for the lookup key; determine a plurality of read requests based on the read access address; determine a hit on the table entry with the lookup key by issuing each of the read requests to the memory subsystem; and provide the hit on the table entry to the requesting entity or a next processing entity.

Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous indexed fields in the flow log entries and can be indexed with each indexed field searchable via the shard entries.

Abstract: Methods and systems for autonomous rule-based task coordination amongst edge devices are disclosed. Embodiments of the present technology may include a method for processing packet traffic at an edge device, the method including determining a side of a communication that corresponds to an edge device with regard to packet traffic. Embodiments may also include applying a task distribution rule to the packet traffic using the determined side of the communication that corresponds to the edge device to determine if a particular task related to the packet traffic should be executed at the edge device. In some embodiments, the task distribution rule is configured to ensure that the particular task is executed at only one side of the communication.

Abstract: A network appliance or smart switch can include service devices as well as a switching device such as those used in high-speed switches having limited processing ability and are stateless with respect to sessions. Service devices can provide stateful and complex processing. A first exposed port of a switching device can receive network packets and can determine which network packets the service devices are to process to produce processed network packets. A network packet can be sent to a service device in a redirected packet. A processed network packet can be received from a service device in a reinjected packet that is used to recover a port identifier of the first exposed port. The port identifier can be used to determine a network destination of the processed network packet. The processed network packet can be sent from a second exposed port of the switching device toward the network destination.

Abstract: A network appliance can continue operation at a degraded level during an upgrade that requires less free pipeline memory than other upgrade techniques. The network appliance has a control plane and has a data plane with a packet processing pipeline circuit. Before the upgrade, the control plane has configured the packet processing pipeline circuit to process a network flow. The packet processing pipeline may be halted in order to perform a pipeline upgrade during which the packet processing pipeline circuit's pipeline memory is cleared. The packet processing pipeline circuit is restarted after the pipeline upgrade after which the control plane can reconfigure the packet processing pipeline circuit to process the network flow. The packet processing pipeline circuit can therefore process the network flow after the pipeline upgrade.

Abstract: HA peers can include networking devices that have data planes and control planes that configure the data plane to use status data in a memory for processing network packets of network flows. The HA peers synchronize the status data such that one peer can take over when another fails. When a HA peer is brought up, data plane syncing synchronizes data for new network flows but not existing network flows. A first bulk sync operation synchronizes data for existing flows but not for new flows. A second bulk sync operation can synchronize the data for flows that changed state during the first bulk sync operation. Data plane syncing can sync data for all flows after the first bulk sync operation.

Abstract: Synchronizing the databases maintained by network appliances can support high availability or high throughput topologies, but also consumes the devices' processing resources. To address that resource consumption, the network appliance's packet processing pipeline circuits can process synchronization packets to thereby synchronize the databases. A local data structure can be in a first local state. Processing a network packet can result in changing the local data structure to a second local state. A state sync packet can include state transition data that indicates a state difference between the first local state and the second local state. The state sync packet can be sent to a peer device that is configured to process the state transition data using the peer device's packet processing pipeline circuit. The peer device's packet processing pipeline can use the state transition data to update a peer device data structure that is in the peer device.

Abstract: Methods and network interface devices for establishing a secure and authenticated network connection are provided. The method comprises: receiving, from a requesting entity, a destination IP address and a first certificate that is used to establish a secure network connection, wherein the first certificate comprises a first security attribute that is associated with a source destination IP address; identifying, with aid of one or more processors, a stored second security attribute associated with the destination IP address; and determining, with aid of the one or more processors, a policy action based at least in part on the first security attribute and the second security attribute.

Abstract: Data centers often run long lived services such as web servers that are intended to run for hours, days, or even longer before being torn down and replaced with another instance of the long-lived service. Currently, many applications are being implemented with microservice architectures that run short lived services that start up, implement an operation, and are then torn down. An aspect of starting up a service is creating administrative data structures such as InfiniBand queue pairs. A packet processing pipeline having a DMA output stage can be configured to create the administrative data structures, thereby increasing the rate at which the administrative data structures are created. As a result, services running in data centers can be started up more rapidly and efficiently.

Abstract: Two versions of a database can be held in two trees that have many of the same nodes. Both trees can be concurrently searched using recursive algorithms. A root node indicator indicates a root node for a tree search algorithm. The root node indicator can indicate a first root node of a first tree. A tree search algorithm can identify a record node in the first tree. Intermediate nodes between the record node and the first root node can be identified and retained nodes can be identified. A second root node and replacement intermediate nodes can be instantiated. A second tree that includes the second root node, the replacement intermediate node, and the retained nodes can be created. The root node indicator can be set to indicate the second root node after creating the second tree.

Abstract: Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field, routing the first packet to a selected service node that is in a circular replication chain that includes a plurality of service nodes that have local flow tables and are configured for chain replication of the local flow tables, producing a second packet by using a matching flow table entry of the first packet to process the first packet, and sending the second packet toward a destination indicated by the destination address.

Abstract: This disclosure provides methods and systems for reducing congestion in RoCEv2 networks. The method is configured to operate large-scale in data centers on traffic flowing from a sender node to a receiver node. The method described has three stages: a fast start stage, a transition stage, and a regulation stage. In the fast start stage, the sender sends data to the receiver at a fast initial rate. This may continue until the receiver observes a congestion event. When this happens, the sender reduces the data transfer rate as the method enters the transition stage. From a reduced rate, the method enters the regulation stage, where the rate is increased using a combination of a feedback control loop and an additive increase multiplicative decrease (AIMD) algorithm.

Abstract: Methods and systems for implementing traffic mirroring for network telemetry are disclosed. An embodiment of a method for implementing traffic mirroring for network telemetry involves identifying network traffic at a network appliance that is to be subjected to traffic mirroring for network telemetry, and selecting from available options of transmitting enhanced mirrored network traffic from the network appliance to a collector, wherein the enhanced mirrored network traffic is generated at the network appliance by at least one of compressing and encrypting the network traffic, and transmitting mirrored network traffic from the network appliance to the collector without compressing or encrypting the network traffic.

Abstract: Described are platforms, systems, and methods for resource fairness enforcement. In one aspect, a programmable input output (IO) device comprises a memory unit, the memory unit having instructions stored thereon which, when executed by the programmable IO device, cause the programmable IO device to perform operations comprising: receiving an input from a logical interface (LIF); determining, by at least one meter, a metric regarding at least one resource used during a processing of the input through a programmable pipeline; and regulating additional input received from the LIF based on the metric and a threshold for the at least one resource.

Abstract: PCIe devices installed in host computers communicating with service nodes can provide virtualized NVMe over fabric services. A workload on the host computer can submit an SQE on a NVMe SQ. The PCI device can read the SQE to obtain a command identifier, an OpCode, and a namespace identifier (NSID). The SQE can be used to produce a LTP packet that includes the opcode, the NSID, and a request identifier. The LTP packet can be sent to the service node, which may access a SAN in accordance with the opcode and NSID, and can respond to the LTP with a second LTP that includes the request identifier and a status indicator. The PCI device can use the status indicator and the request identifier to produce a CQE that is placed on a NVMe CQ associated with the SQ.

Abstract: Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field. The first packet can be routed to a selected service node that is in the replication chain that includes a plurality of service nodes that are configured for chain replication of a service state information. A service node configured for NAT or some other service can use the first packet to produce a translated packet that can be transmitted toward a destination indicated by the destination address.