Abstract: Two versions of a database can be held in two trees that have many of the same nodes. Both trees can be concurrently searched using recursive algorithms. A root node indicator indicates a root node for a tree search algorithm. The root node indicator can indicate a first root node of a first tree. A tree search algorithm can identify a record node in the first tree. Intermediate nodes between the record node and the first root node can be identified and retained nodes can be identified. A second root node and replacement intermediate nodes can be instantiated. A second tree that includes the second root node, the replacement intermediate node, and the retained nodes can be created. The root node indicator can be set to indicate the second root node after creating the second tree.

Abstract: Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field, routing the first packet to a selected service node that is in a circular replication chain that includes a plurality of service nodes that have local flow tables and are configured for chain replication of the local flow tables, producing a second packet by using a matching flow table entry of the first packet to process the first packet, and sending the second packet toward a destination indicated by the destination address.

Abstract: This disclosure provides methods and systems for reducing congestion in RoCEv2 networks. The method is configured to operate large-scale in data centers on traffic flowing from a sender node to a receiver node. The method described has three stages: a fast start stage, a transition stage, and a regulation stage. In the fast start stage, the sender sends data to the receiver at a fast initial rate. This may continue until the receiver observes a congestion event. When this happens, the sender reduces the data transfer rate as the method enters the transition stage. From a reduced rate, the method enters the regulation stage, where the rate is increased using a combination of a feedback control loop and an additive increase multiplicative decrease (AIMD) algorithm.

Abstract: Methods and systems for implementing traffic mirroring for network telemetry are disclosed. An embodiment of a method for implementing traffic mirroring for network telemetry involves identifying network traffic at a network appliance that is to be subjected to traffic mirroring for network telemetry, and selecting from available options of transmitting enhanced mirrored network traffic from the network appliance to a collector, wherein the enhanced mirrored network traffic is generated at the network appliance by at least one of compressing and encrypting the network traffic, and transmitting mirrored network traffic from the network appliance to the collector without compressing or encrypting the network traffic.

Abstract: Described are platforms, systems, and methods for resource fairness enforcement. In one aspect, a programmable input output (IO) device comprises a memory unit, the memory unit having instructions stored thereon which, when executed by the programmable IO device, cause the programmable IO device to perform operations comprising: receiving an input from a logical interface (LIF); determining, by at least one meter, a metric regarding at least one resource used during a processing of the input through a programmable pipeline; and regulating additional input received from the LIF based on the metric and a threshold for the at least one resource.

Abstract: PCIe devices installed in host computers communicating with service nodes can provide virtualized NVMe over fabric services. A workload on the host computer can submit an SQE on a NVMe SQ. The PCI device can read the SQE to obtain a command identifier, an OpCode, and a namespace identifier (NSID). The SQE can be used to produce a LTP packet that includes the opcode, the NSID, and a request identifier. The LTP packet can be sent to the service node, which may access a SAN in accordance with the opcode and NSID, and can respond to the LTP with a second LTP that includes the request identifier and a status indicator. The PCI device can use the status indicator and the request identifier to produce a CQE that is placed on a NVMe CQ associated with the SQ.

Abstract: Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field. The first packet can be routed to a selected service node that is in the replication chain that includes a plurality of service nodes that are configured for chain replication of a service state information. A service node configured for NAT or some other service can use the first packet to produce a translated packet that can be transmitted toward a destination indicated by the destination address.

Abstract: Network appliances can use packet processing pipeline circuits to implement network rules for processing network packet flows by configuring the pipeline's processing stages to execute specific policies for specific network packets in accordance with the network rules. Trace reports that indicate network rules implemented at specific processing stages can be more informative than those indicating policies implemented by the processing stages. A method implemented by a network appliance can store network rules for processing network flows by the processing stages of a packet processing pipeline circuit. The method can produce a trace report in response to receiving a trace directive for one of the network flows wherein one of the processing stages has applied a network rule to a network packet in one of the network flows. The trace report can indicate the network rule in association with the processing stage and the network flow.

Abstract: A network appliance can have an input port that can receive network packets at line rate, two or more ingress queues, a line rate classification circuit that can place the network packets on the ingress queues at the line rate, a packet buffer that can store the network packets, and a sub line rate packet processing circuit that can process the network packets that are stored in the packet buffer. The line rate classification circuit can place a network packet on one of the ingress queues based on the network packet's packet contents. A buffer scheduler can select network packets for processing by a sub line rate packet processing circuit based on the priority levels of the ingress queues.

Abstract: Methods and systems for implementing security operations in an input/output (I/O) device are disclosed. In an embodiment, an I/O (Input/Output) device involves an I/O port, a host bus configured to be connected to a host, a data processing pipeline within the I/O device coupled to the I/O port and to the host bus to process and forward data between the I/O port and the host bus, and a hardware security module (HSM) within the I/O device coupled to the host bus and to the data processing pipeline, the HSM comprising a crypto engine configured to encrypt and decrypt data of the data processing pipeline, and a secure key storage coupled to the crypto engine containing encryption keys for use in encrypting and decrypting packets, wherein the secure key storage contains keys that are encrypted by the HSM and that are accessible through the HSM.

Abstract: Methods and system for directing traffic flows to a fast data path or a slow data path are disclosed. Parsers can produce packet header vectors (PHVs) for use in match-action units. The PHVs are also used to generate feature vectors for the traffic flows. A flow training engine produces a classification model. Feature vectors input to the classification model result in output predictions predicting if a traffic flow will be long lived or short lived. The classification models are used by network appliances to install traffic flows into fast data paths or the slow data paths based on the predictions.

Abstract: A network appliance can be configured for storing a plurality of flow table entries in a flow table of a match-action pipeline, wherein the match-action pipeline is implemented via a packet processing circuit configured to process a plurality of network traffic flows associated with the plurality of flow table entries. An extended packet processing pipeline of the network appliance can read a flow table entry of the flow table. The extended packet processing pipeline can be implemented via a pipeline circuit. The extended packet processing pipeline can determine that a network traffic flow associated with the flow table entry is expired or terminated. The network appliance can delete the flow table entry from the flow table by processing a traffic flow deletion operation after determining that the network traffic flow is expired or terminated.

Abstract: InfiniBand transport protocol today supports RDMA operations such as read and write with each operation having an opcode defined in the InfiniBand standard. Currently, new RDMA operations require extending the transport protocol by defining a new opcode, its respective header and enhancing InfiniBand implementations to support this new behavior. A more robust way of extending RDMA without requiring an expanding set of opcodes is to register computer code by associating it with a code key similar to a memory key. An InfiniBand channel adapter receiving an RDMA request that includes a code key executes the associated computer code, perhaps compiling it first, in response to receiving the RDMA request. The RDMA response returned to the requester includes an execution result indicating an outcome of executing the executable computer code.

Abstract: The InfiniBand transport protocol supports the concept of a SRQ (shared receive queue) by which multiple QPs (queue pairs) can share the same receive queue resources. According to the InfiniBand Specification, when a SRQ is enabled, flow control needs to be disabled. The lack of flow control mechanism results in there being no fairness guarantees across multiple requesters. Fairness across requesters can be obtained by implementing a SRQ configured to receive request messages from requesters initiating transactions that consume WQEs (work queue elements) of the SRQ, monitoring consumption of the WQEs by the requesters, determining that a requester has a WQE consumption exceeding a policing threshold, and in response to determining that the WQE consumption of the requester exceeds the policing threshold, sending a response message to the requester that results in reducing the WQE consumption of the requester.

Abstract: Virtual functions (VFs) running on SR-IOV (single root IO virtualization) capable PCIe devices can migrate in association with VMs using the VFs. A SR-IOV capable PCIe device installed in a host computer can implement the VFs. A VM running on the host and associated with the VF can use the VF to obtain a service such as network communications or access to a NAS device. Migrating the VF in association with the VM can include halting the VM in a VM state on the host, halting the VF in a PCIe state and then obtaining a PCIe state data, restarting the VF in the PCIe state on a second PCIe device of a second host based on the PCIe state data, and restarting the VM in the VM state on the second host, wherein the VM is configured to use the VF on the second PCIe device.

Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous indexed fields in the flow log entries and can be indexed with each indexed field searchable via the shard entries.

Abstract: N-way associative cache pools can be implemented in an N-way associative cache. Different cache pools can be indicated by pool values. Different processes running on a computer can use different cache pools. An N-way associative cache circuit can be configured to have one or more stripe mode cache pools that are N-way associative. A cache control circuit can receive a physical address for a memory location and can interpret the physical address as fields including a tag field that contains a tag value and a set field that contains a set value. The physical address can also be used to determine a pool value that identifies one of the stripe mode cache pools. A set of N cache entries in the one of the stripe mode cache pools can be concurrently searched for the tag value. The set of N cache entries is determined using the set value.

Abstract: Inbound packets can be received by a network device that determines a receive pipeline latency metric based on a plurality of receive pipeline residency times of the inbound packets and determines a receive queue latency metric based on a plurality of receive queue residency times of the inbound packets. The receive queue latency metric and the receive pipeline latency metric can be reported to a data collector. The network appliance may also receive a plurality of outbound packets on a transmit queue, determine a transmit queue latency metric based on the transmit queue residency times of the outbound packets, and determine a transmit pipeline latency metric based on the transmit pipeline residency times of the outbound packets. The outbound packets may be transmitted toward their destination. The transmit queue latency metric and the transmit pipeline latency metric can be reported to the data collector.

Abstract: Methods and systems for distributing instructions amongst processing units in a processing pipeline are disclosed. A method includes compiling a set of instructions for a stage of a multistage programmable processing pipeline in which the stage of the multistage programmable processing pipeline includes multiple processing units configured to processes instructions in parallel, wherein compiling the set of instructions includes, identifying first and second subsets of instructions within the set of instructions that can be executed independent of each other, assigning the first subset of instructions to a first processing unit of the stage, assigning the second subset of instructions to a second processing unit of the stage, and executing the first and second subsets of instructions in parallel at the first and second processing units, respectively.

Abstract: Methods and systems for implementing communications between a Management Controller (MC) and a Network Controller (NC) are disclosed. Embodiments of the present technology may include a method for implementing communications between an MC and an NC that involves establishing Internet Protocol (IP) connectivity between the MC and the NC using Network Controller Sideband Interface (NC-SI) control packets and communicating between the MC and the NC via an NC-SI and the established IP connectivity.