Abstract: Methods and systems for implementing security operations in an input/output (I/O) device are disclosed. In an embodiment, an I/O (Input/Output) device involves an I/O port, a host bus configured to be connected to a host, a data processing pipeline within the I/O device coupled to the I/O port and to the host bus to process and forward data between the I/O port and the host bus, and a hardware security module (HSM) within the I/O device coupled to the host bus and to the data processing pipeline, the HSM comprising a crypto engine configured to encrypt and decrypt data of the data processing pipeline, and a secure key storage coupled to the crypto engine containing encryption keys for use in encrypting and decrypting packets, wherein the secure key storage contains keys that are encrypted by the HSM and that are accessible through the HSM.

Abstract: A network appliance can be configured for storing a plurality of flow table entries in a flow table of a match-action pipeline, wherein the match-action pipeline is implemented via a packet processing circuit configured to process a plurality of network traffic flows associated with the plurality of flow table entries. An extended packet processing pipeline of the network appliance can read a flow table entry of the flow table. The extended packet processing pipeline can be implemented via a pipeline circuit. The extended packet processing pipeline can determine that a network traffic flow associated with the flow table entry is expired or terminated. The network appliance can delete the flow table entry from the flow table by processing a traffic flow deletion operation after determining that the network traffic flow is expired or terminated.

Abstract: Methods and system for directing traffic flows to a fast data path or a slow data path are disclosed. Parsers can produce packet header vectors (PHVs) for use in match-action units. The PHVs are also used to generate feature vectors for the traffic flows. A flow training engine produces a classification model. Feature vectors input to the classification model result in output predictions predicting if a traffic flow will be long lived or short lived. The classification models are used by network appliances to install traffic flows into fast data paths or the slow data paths based on the predictions.

Abstract: InfiniBand transport protocol today supports RDMA operations such as read and write with each operation having an opcode defined in the InfiniBand standard. Currently, new RDMA operations require extending the transport protocol by defining a new opcode, its respective header and enhancing InfiniBand implementations to support this new behavior. A more robust way of extending RDMA without requiring an expanding set of opcodes is to register computer code by associating it with a code key similar to a memory key. An InfiniBand channel adapter receiving an RDMA request that includes a code key executes the associated computer code, perhaps compiling it first, in response to receiving the RDMA request. The RDMA response returned to the requester includes an execution result indicating an outcome of executing the executable computer code.

Abstract: The InfiniBand transport protocol supports the concept of a SRQ (shared receive queue) by which multiple QPs (queue pairs) can share the same receive queue resources. According to the InfiniBand Specification, when a SRQ is enabled, flow control needs to be disabled. The lack of flow control mechanism results in there being no fairness guarantees across multiple requesters. Fairness across requesters can be obtained by implementing a SRQ configured to receive request messages from requesters initiating transactions that consume WQEs (work queue elements) of the SRQ, monitoring consumption of the WQEs by the requesters, determining that a requester has a WQE consumption exceeding a policing threshold, and in response to determining that the WQE consumption of the requester exceeds the policing threshold, sending a response message to the requester that results in reducing the WQE consumption of the requester.

Abstract: Virtual functions (VFs) running on SR-IOV (single root IO virtualization) capable PCIe devices can migrate in association with VMs using the VFs. A SR-IOV capable PCIe device installed in a host computer can implement the VFs. A VM running on the host and associated with the VF can use the VF to obtain a service such as network communications or access to a NAS device. Migrating the VF in association with the VM can include halting the VM in a VM state on the host, halting the VF in a PCIe state and then obtaining a PCIe state data, restarting the VF in the PCIe state on a second PCIe device of a second host based on the PCIe state data, and restarting the VM in the VM state on the second host, wherein the VM is configured to use the VF on the second PCIe device.

Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous indexed fields in the flow log entries and can be indexed with each indexed field searchable via the shard entries.

Abstract: N-way associative cache pools can be implemented in an N-way associative cache. Different cache pools can be indicated by pool values. Different processes running on a computer can use different cache pools. An N-way associative cache circuit can be configured to have one or more stripe mode cache pools that are N-way associative. A cache control circuit can receive a physical address for a memory location and can interpret the physical address as fields including a tag field that contains a tag value and a set field that contains a set value. The physical address can also be used to determine a pool value that identifies one of the stripe mode cache pools. A set of N cache entries in the one of the stripe mode cache pools can be concurrently searched for the tag value. The set of N cache entries is determined using the set value.

Abstract: Inbound packets can be received by a network device that determines a receive pipeline latency metric based on a plurality of receive pipeline residency times of the inbound packets and determines a receive queue latency metric based on a plurality of receive queue residency times of the inbound packets. The receive queue latency metric and the receive pipeline latency metric can be reported to a data collector. The network appliance may also receive a plurality of outbound packets on a transmit queue, determine a transmit queue latency metric based on the transmit queue residency times of the outbound packets, and determine a transmit pipeline latency metric based on the transmit pipeline residency times of the outbound packets. The outbound packets may be transmitted toward their destination. The transmit queue latency metric and the transmit pipeline latency metric can be reported to the data collector.

Abstract: Methods and systems for distributing instructions amongst processing units in a processing pipeline are disclosed. A method includes compiling a set of instructions for a stage of a multistage programmable processing pipeline in which the stage of the multistage programmable processing pipeline includes multiple processing units configured to processes instructions in parallel, wherein compiling the set of instructions includes, identifying first and second subsets of instructions within the set of instructions that can be executed independent of each other, assigning the first subset of instructions to a first processing unit of the stage, assigning the second subset of instructions to a second processing unit of the stage, and executing the first and second subsets of instructions in parallel at the first and second processing units, respectively.

Abstract: Methods and systems for implementing communications between a Management Controller (MC) and a Network Controller (NC) are disclosed. Embodiments of the present technology may include a method for implementing communications between an MC and an NC that involves establishing Internet Protocol (IP) connectivity between the MC and the NC using Network Controller Sideband Interface (NC-SI) control packets and communicating between the MC and the NC via an NC-SI and the established IP connectivity.

Abstract: A packet can be sent on a VLAN from a first machine that has a first address on the VLAN to a second machine that has a second address on the VLAN and that is located at a remote location associated with a remote location identifier. A network appliance can use the second address to determine the remote location identifier, can encapsulate the packet in a local segment packet that includes a local VNID and the remote location identifier; and can send the local segment packet to a local router. The local router can use the remote location identifier and the local VNID to determine a remote router and a remote VNID, can encapsulate the packet in an outer packet, which can be a VxLAN packet, that includes the remote VNID, and can send the outer packet to the remote router.

Abstract: Certain tasks related to processing layer 7 (L7) data streams, such as HTTP data streams, can be performed by an L7 assist circuit instead of by general-purpose CPUs. The L7 assist circuit can normalize URLs, Huffman decode, Huffman encode, and generate hashes of normalized URLs. A L7 data stream, which is reassembled from received network packets, includes an L7 header. L7 assist produces an augmented L7 header that is added to the L7 data stream. The CPUs can use the augmented L7 header, thereby speeding up processing. On the outbound path, L7 assist can remove the augmented L7 header and perform Huffman encoding such that the CPUs can perform other tasks.

Abstract: PCIe devices installed in host computers communicating with service nodes can provide virtualized and high availability PCIe functions to host computer workloads. The PCIe device can receive a PCIe TLP encapsulated in a PCIe DLLP via a PCIe bus. The TLP includes a TLP address value, a TLP requester identifier, and a TLP type. The PCIe device can terminate the PCIe transaction by sending a DLLP ACK message to the host computer in response to receiving the TLP. The TLP packet can be used to create a workload request capsule that includes a request type indicator, an address offset, and a workload request identifier. A workload request packet that includes the workload request capsule can be sent to a virtualized service endpoint. The service node, implementing the virtualized service endpoint, receives a workload response packet that includes the workload request identifier and a workload response payload.

Abstract: Described are platforms, systems, and methods for resource fairness enforcement. In one aspect, a programmable input output (IO) device comprises a memory unit, the memory unit having instructions stored thereon which, when executed by the programmable IO device, cause the programmable IO device to perform operations comprising: receiving an input from a logical interface (LIF); determining, by at least one meter, a metric regarding at least one resource used during a processing of the input through a programmable pipeline; and regulating additional input received from the LIF based on the metric and a threshold for the at least one resource.

Abstract: Described are programmable input output (IO) devices comprising: an match processing unit (MPU) and a memory unit. The MPU comprising at least one arithmetic logic unit (ALU). The memory unit having instructions stored thereon which, when executed by the respective programmable IO device, cause the programmable IO device to perform operations. These operations comprise: receiving, from an inbound interface, a packet comprising packet data for at least one range-based element; determining, via the MPU, a lookup result by performing a modified binary search on an interval binary search tree with the packet data to determine a longest prefix match (LPM), wherein the interval binary search tree maps the at least one range-based element to an associated data element; and classifying the packet based on the lookup result.

Abstract: Methods and system for processing data in a programmable processing pipeline are disclosed. In an embodiment, a method for processing packets in a programmable packet processing pipeline is disclosed. The method involves processing data corresponding to a packet through a match-action pipeline of a programmable packet processing pipeline, and diverting the processing of data corresponding to the packet from the match-action pipeline to a processor core for out-of-pipeline processing.

Abstract: Methods and devices for processing packets with reduced data stalls are provided. The method comprises: (a) receiving a packet comprising a header portion and a payload portion, wherein the header portion is used to generate a packet header vector; (b) producing a table result by performing packet match operations, wherein the table result is generated based at least in part on the packet header vector and data stored in a match table; (c) receiving, at a match processing unit, the table result and an address of a set of instructions associated with the match table; and (d) performing, by the match processing unit, one or more actions in response to the set of instructions until completion of the instructions, wherein the one or more actions comprise modifying the header portion, updating memory based data structure or initiating an event.

Abstract: Described are edge devices configured to perform operations to migrate a workload. These operations comprise: receiving a migration trigger comprising an indication of a migration of a workload from a source edge device; establishing a secure communication channel with the source edge device; receiving a network state for the workload from the source edge device; quiescing a datapath for processing flows associated with the workload; receiving incremental deltas comprising changes to the network state from the source edge device; updating the datapath for processing flows associated with the workload based on the received incremental changes; providing, to the source edge device, a request for a final synchronization; receiving, from the source edge device, a final synchronization delta comprising incremental information for the network state as modified since the most recently received incremental change; and removing the quiescing of the datapath to facilitate use of the network state.

Abstract: A network appliance can be configured for storing a plurality of flow table entries in a flow table of a match-action pipeline, wherein the match-action pipeline is implemented via a packet processing circuit configured to process a plurality of network traffic flows associated with the plurality of flow table entries. An extended packet processing pipeline of the network appliance can read a flow table entry of the flow table. The extended packet processing pipeline can be implemented via a pipeline circuit. The extended packet processing pipeline can determine that a network traffic flow associated with the flow table entry is expired or terminated. The network appliance can delete the flow table entry from the flow table by processing a traffic flow deletion operation after determining that the network traffic flow is expired or terminated.