Abstract: A packet can be sent on a VLAN from a first machine that has a first address on the VLAN to a second machine that has a second address on the VLAN and that is located at a remote location associated with a remote location identifier. A network appliance can use the second address to determine the remote location identifier, can encapsulate the packet in a local segment packet that includes a local VNID and the remote location identifier; and can send the local segment packet to a local router. The local router can use the remote location identifier and the local VNID to determine a remote router and a remote VNID, can encapsulate the packet in an outer packet, which can be a VxLAN packet, that includes the remote VNID, and can send the outer packet to the remote router.

Abstract: Certain tasks related to processing layer 7 (L7) data streams, such as HTTP data streams, can be performed by an L7 assist circuit instead of by general-purpose CPUs. The L7 assist circuit can normalize URLs, Huffman decode, Huffman encode, and generate hashes of normalized URLs. A L7 data stream, which is reassembled from received network packets, includes an L7 header. L7 assist produces an augmented L7 header that is added to the L7 data stream. The CPUs can use the augmented L7 header, thereby speeding up processing. On the outbound path, L7 assist can remove the augmented L7 header and perform Huffman encoding such that the CPUs can perform other tasks.

Abstract: PCIe devices installed in host computers communicating with service nodes can provide virtualized and high availability PCIe functions to host computer workloads. The PCIe device can receive a PCIe TLP encapsulated in a PCIe DLLP via a PCIe bus. The TLP includes a TLP address value, a TLP requester identifier, and a TLP type. The PCIe device can terminate the PCIe transaction by sending a DLLP ACK message to the host computer in response to receiving the TLP. The TLP packet can be used to create a workload request capsule that includes a request type indicator, an address offset, and a workload request identifier. A workload request packet that includes the workload request capsule can be sent to a virtualized service endpoint. The service node, implementing the virtualized service endpoint, receives a workload response packet that includes the workload request identifier and a workload response payload.

Abstract: Described are platforms, systems, and methods for resource fairness enforcement. In one aspect, a programmable input output (IO) device comprises a memory unit, the memory unit having instructions stored thereon which, when executed by the programmable IO device, cause the programmable IO device to perform operations comprising: receiving an input from a logical interface (LIF); determining, by at least one meter, a metric regarding at least one resource used during a processing of the input through a programmable pipeline; and regulating additional input received from the LIF based on the metric and a threshold for the at least one resource.

Abstract: Described are programmable input output (IO) devices comprising: an match processing unit (MPU) and a memory unit. The MPU comprising at least one arithmetic logic unit (ALU). The memory unit having instructions stored thereon which, when executed by the respective programmable IO device, cause the programmable IO device to perform operations. These operations comprise: receiving, from an inbound interface, a packet comprising packet data for at least one range-based element; determining, via the MPU, a lookup result by performing a modified binary search on an interval binary search tree with the packet data to determine a longest prefix match (LPM), wherein the interval binary search tree maps the at least one range-based element to an associated data element; and classifying the packet based on the lookup result.

Abstract: Methods and system for processing data in a programmable processing pipeline are disclosed. In an embodiment, a method for processing packets in a programmable packet processing pipeline is disclosed. The method involves processing data corresponding to a packet through a match-action pipeline of a programmable packet processing pipeline, and diverting the processing of data corresponding to the packet from the match-action pipeline to a processor core for out-of-pipeline processing.

Abstract: Methods and devices for processing packets with reduced data stalls are provided. The method comprises: (a) receiving a packet comprising a header portion and a payload portion, wherein the header portion is used to generate a packet header vector; (b) producing a table result by performing packet match operations, wherein the table result is generated based at least in part on the packet header vector and data stored in a match table; (c) receiving, at a match processing unit, the table result and an address of a set of instructions associated with the match table; and (d) performing, by the match processing unit, one or more actions in response to the set of instructions until completion of the instructions, wherein the one or more actions comprise modifying the header portion, updating memory based data structure or initiating an event.

Abstract: Described are edge devices configured to perform operations to migrate a workload. These operations comprise: receiving a migration trigger comprising an indication of a migration of a workload from a source edge device; establishing a secure communication channel with the source edge device; receiving a network state for the workload from the source edge device; quiescing a datapath for processing flows associated with the workload; receiving incremental deltas comprising changes to the network state from the source edge device; updating the datapath for processing flows associated with the workload based on the received incremental changes; providing, to the source edge device, a request for a final synchronization; receiving, from the source edge device, a final synchronization delta comprising incremental information for the network state as modified since the most recently received incremental change; and removing the quiescing of the datapath to facilitate use of the network state.

Abstract: A network appliance can be configured for storing a plurality of flow table entries in a flow table of a match-action pipeline, wherein the match-action pipeline is implemented via a packet processing circuit configured to process a plurality of network traffic flows associated with the plurality of flow table entries. An extended packet processing pipeline of the network appliance can read a flow table entry of the flow table. The extended packet processing pipeline can be implemented via a pipeline circuit. The extended packet processing pipeline can determine that a network traffic flow associated with the flow table entry is expired or terminated. The network appliance can delete the flow table entry from the flow table by processing a traffic flow deletion operation after determining that the network traffic flow is expired or terminated.

Abstract: Methods and systems for operating an I/O system are disclosed. Embodiments of the present technology may include a method that involves receiving data at a NIC, caching the data at the NIC, generating a meta-identifier (meta-ID) for the data, writing the data to a host via a PCIe interface, providing the meta-ID to the host, receiving a request for a service at the NIC from the host, the request including the meta-ID, accessing the cached data in the NIC using the meta-ID, and performing the service on the cached data that was accessed in the NIC using the meta-ID.

Abstract: Described are platforms, systems, and methods for actuating transmission control protocol/Internet protocol (TCP/IP) through a method comprises: identifying a computer workload during a handshake process for establishing a network connection with a remote host; configuring, based on the computer workload, one or more TCP/IP parameters of the network connection; and completing the handshake process to establish the network connection with the remote host.

Abstract: Described are platforms, systems, and methods for processing a chain of operations through an input output (IO) subsystem without central processing unit (CPU) involvement. In one aspect, a computer-implemented method comprises: providing, via the CPU, the chain of operations to the IO subsystem, wherein the IO subsystem is coupled to the one or more processors over Peripheral Component Interconnect Express (PCIe); processing, with the IO subsystem, the chain of operations by: retrieving, from a memory, data associated with the chain of operations; executing each of the operations in the chain to determine an output based on the data and output determined for any prior executed operation in the chain; and providing the output of each the executed operations for execution of the respective next operation in the chain; and providing, via the IO subsystem, an output for the chain of operations to the CPU.

Abstract: Described are platforms, systems, and methods for providing an in-line, transparent Transmission Control Protocol (TCP)/Transport Layer Security (TLS) proxy. In one aspect, a programmable input output (IO) device comprises at least one advanced reduced instruction set computer (RISC) machine (ARM) core communicably coupled to at least one central processing unit (CPU) core of a host device; a programmable P4 pipeline comprising a cryptographic offload subsystem; and a memory unit. The programmable IO device executing instruction stored on the memory unit comprising: establishing a session for an incoming TCP connection received from a remote host via the at least one ARM core; processing data packets received from the remote host via the programmable P4 pipeline; decrypting the received data packets via the cryptographic offload subsystem; and providing the decrypted data packets to the host device.

Abstract: Methods and system for directing traffic flows to a fast data path or a slow data path are disclosed. Parsers can produce packet header vectors (PHVs) for use in match-action units. The PHVs are also used to generate feature vectors for the traffic flows. A flow training engine produces a classification model. Feature vectors input to the classification model result in output predictions predicting if a traffic flow will be long lived or short lived. The classification models are used by network appliances to install traffic flows into fast data paths or the slow data paths based on the predictions.

Abstract: A multitude of data transfer queues can have data transfer operations that are scheduled for a processing circuit to perform. Some of the data transfer queues may submit so many or such large data transfer operations that others receive little or no attention. The situation can be resolved in the data plane via a processing circuit that performs the data transfer operations in conjunction with priority evaluation operations that can assign the data transfer queues to different scheduler priority classes. A scheduler can schedule data transfer operations based on the scheduler priority classes of the data transfer queues.

Abstract: Cloud services are often implemented as instances of applications having one or more components running on the nodes (e.g., host computers or servers) of a data center. Network services are thereby provided to a workload that uses the network resources of network interface devices (e.g., a NIC, switch, or router). The workload is a first instance of an application. The network interface devices can produce resource usage measurements of usage metrics that quantify usage of the network resources by the workload. The resource measurements can be used to produce an application network profile of the application. The application network profile can be used to select at least one of a plurality of nodes on which a second instance of the application is launched.

Abstract: A network appliance can queue a first packet and a second packet of a network traffic flow in an input queue of a match-action pipeline. The match-action pipeline can be implemented via a packet processing circuit of the network appliance and can be configured to process a plurality of network traffic flows. Submitting the first packet to the match-action pipeline can cause a first flow miss. The second packet can be moved to a burst queue of the network appliance and a match-action configuration can be generated based on the first packet. The second packet can be moved from the burst queue to the input queue after the match-action pipeline is configured with the match-action configuration. The match-action pipeline can then process the second packet.

Abstract: A network appliance having a control plane and a data plane can process substantially every input packet at wire speed in a programmable packet processing pipeline of the data plane. Sensors, which can be processes implemented within the pipeline, can measure parameters of the network traffic flows and of the network appliance in accordance with monitoring policies. Reporting policies can be triggered when any one of many criteria are met by the parameters. The reporting policy can result in a report being sent to an outside recipient. Alternatively, the reporting policy can result in the network appliance implementing additional monitoring or reporting policies.

Abstract: Load balancing of NVMe targets based on real time metrics can be obtained for NAS appliances mirroring a namespace by assigning the NAS appliances to service sets that include an active load balancing set, a monitored inactive set, and an out of service set. Storage performance metrics of the NAS appliances can be tracked by monitoring IO operations for accessing a NAS mirroring the namespace in a non-volatile memory. Based on the storage metrics, NAS appliances can be moved from one of the service sets to another. Dummy IO operations can be used to track the storage performance metrics of monitored inactive NAS appliances such that a monitored inactive NAS may be moved to the active load balancing set when certain performance constraints are met.

Abstract: A compressed flow log can be created from flow log entries. Flow log entries include field values for flow log fields. The entries can be compressed based on tuples (e.g., primary tuple, secondary tuple, tertiary tuple, etc.) specified by tuple definitions that specify the flow log fields in tuple content values. A first primary tuple content value can be based on a primary tuple definition and the field values of a first flow log entry included in flow log entries. A first primary tuple symbol can be associated with the first primary tuple content value. The first flow log entry can be used to create a first compressed flow log entry that includes the first primary tuple symbol. The first compressed flow log entry can be included in the compressed flow log, and the compressed flow log can be transmitted to a flow log consumer.