Abstract: Techniques are disclosed for sending Protocol Independent Multicast (PIM) messages across a Layer-3 (L3) transport network. In one example, a first network device receives, via an L2 network from a multicast sender device, a multicast packet for a multicast group associated with a multicast service. The first network device generates, based on the multicast packet, a unicast L3 packet comprising a PIM register request configured to register the first network device as a multicast source for the multicast group. A header of the unicast L3 packet specifies a source address comprising a network address translation (NAT) to an address of a virtual loopback interface of a second network device. The virtual loopback interface is associated with a PIM service between the first and second network devices for the multicast service. The first network device forwards the unicast L3 packet across an L3 transport network to the second network device.

Abstract: Techniques are disclosed for a network device that performs gradual failover of sessions from a first link to a second link. For example, a network device forwards network traffic of a plurality of sessions over the first link. The network device determines that a performance of the first link does not satisfy a performance requirement. Based on the determination, the network device forwards network traffic of a first portion of the plurality of sessions over a second link and not the first link. The network device determines that a performance of the second link satisfies the performance requirement while carrying the network traffic of the first portion. Based on the determination, the network device forwards network traffic of a second, larger portion of the plurality of sessions over the second link and not the first link.

Abstract: A network communication system and method provide a point-to-point connection (“PTP connection”) between a first site and a second site. To that end, the PTP connection includes an intermediate network device between the first and second sites, a first link from the first site to the intermediate network device, and a second link from the intermediate network device. The system and method then predict usage of the PTP connection, and dynamically change (e.g., in real-time or non-real time), as a function of predicting usage, the PTP connection by changing one or more of the first link, the intermediate network device, and the second link.

Abstract: Techniques are disclosed for inline security key exchanges between network devices. An example network device includes one or more processors and memory coupled to the one or more processors. The memory stores instructions that, upon execution, cause one or more processors to obtain a first payload key and obtain a path key. The instructions cause the one or more processors to encrypt a first payload of a first packet using the first payload key and insert the first payload key into first metadata of the first packet. The instructions cause the one or more processors to encrypt the first metadata using the path key and send the first packet to another network device.

Abstract: Techniques are disclosed for computing a cost of an advertised route to a next-hop network device along a path to a destination based at least in part on a preference for the path. In one example, a computing system computes a cost of a route to a next-hop network device along a path to a destination. The computed cost is based at least in part on (1) a metric for the route and (2) a preconfigured preference for the path. In some examples, the preference for the path is based at least in part on (a) a type of the path as compared to other types of other paths to the destination or (b) a latency of the path as compared to other latencies of the other paths. The computing system sends a route advertisement for the route that includes data indicative of the cost of the route.

Abstract: Techniques are described for forming on-demand mesh connections between spoke routers of a Software-Defined Wide Area Network (SD-WAN) arranged in a hub-and-spoke topology. A first spoke router modifies the first packet to include metadata specifying first reachability information and first Internet Protocol (IP) address information for the first spoke router. The first spoke router forwards the first packet to a hub router for forwarding to a second spoke router. The first spoke router receives a second packet from the hub router that includes metadata specifying second reachability information and second IP address information for the second spoke router. In response to determining that the first reachability information is compatible with the second reachability information, the first spoke router initiates a peering connection with the second spoke router along a path which bypasses the hub router for forwarding subsequent packets of the forward packet flow.

Abstract: Techniques are described for forming on-demand mesh connections between spoke routers of a Software-Defined Wide Area Network (SD-WAN) arranged in a hub-and-spoke topology. A first spoke router modifies the first packet to include metadata specifying first reachability information and first Internet Protocol (IP) address information for the first spoke router. The first spoke router forwards the first packet to a hub router for forwarding to a second spoke router. The first spoke router receives a second packet from the hub router that includes metadata specifying second reachability information and second IP address information for the second spoke router. In response to determining that the first reachability information is compatible with the second reachability information, the first spoke router initiates a peering connection with the second spoke router along a path which bypasses the hub router for forwarding subsequent packets of the forward packet flow.

Abstract: A router determines whether or not to establish a stateful routing session based on the suitability of one or more candidate return path interfaces. This determination is made when a first packet for a new session arrives at the router on a given ingress interface. For example, the router may be configured to require the ingress interface be used for the return path of the session, and the router may evaluate whether the ingress interface is suitable for the return path and may drop the session if the ingress interface is unsuitable for the return path. In other examples, the router may be configured to not require that the ingress interface be used for the return path, and the router may evaluate whether at least one interface is suitable for the return path and drop the session if no interface is suitable for the return path.

Abstract: In exemplary embodiments of the present invention, a router determines whether or not to establish a stateful routing session based on the suitability of one or more candidate return path interfaces. This determination is typically made at the time a first packet for a new session arrives at the router on a given ingress interface. In some cases, the router may be configured to require that the ingress interface be used for the return path of the session, in which case the router may evaluate whether the ingress interface is suitable for the return path and may drop the session if the ingress interface is deemed by the router to be unsuitable for the return path. In other cases, the router may be configured to not require that the ingress interface be used for the return path, in which case the router may evaluate whether at least one interface is suitable for the return path and drop the session if no interface is deemed by the router to be suitable for the return path.

Abstract: Techniques are disclosed for session-based load-balancing of network traffic to network service instances. In one example, a network device receives a first packet of a forward packet flow from a network service instance of a plurality of network service instances after application of a network service. The first packet specifies a Media Access Control (MAC) address of the network service instance as a source MAC address. The network device defines a session comprising the forward packet flow and a reverse packet flow and stores an association between the session and the MAC address of the network service instance. The network device determines that a second packet received from a destination device is associated with the reverse packet flow of the session. The network device forwards the second packet to the same network service instance based on the association between the session and the MAC address of the network service instance.

Abstract: One function of a communications network, or of nodes in such a network, is to gather data that is useful in assessing network performance, and quantifying metrics of node and/or network performance. Various embodiments disclosed herein improve the ability of nodes and networks to gather such data, and quantify metrics of node and/or network performance by selectively marking existing network traffic, and in preferred embodiments without having to dilute network traffic by generating and transmitting dummy data packets.

Abstract: Techniques are disclosed for computing a cost of an advertised route to a next-hop network device along a path to a destination based at least in part on a preference for the path. In one example, a computing system computes a cost of a route to a next-hop network device along a path to a destination. The computed cost is based at least in part on (1) a metric for the route and (2) a preconfigured preference for the path. In some examples, the preference for the path is based at least in part on (a) a type of the path as compared to other types of other paths to the destination or (b) a latency of the path as compared to other latencies of the other paths. The computing system sends a route advertisement for the route that includes data indicative of the cost of the route.

Abstract: Techniques are disclosed for sending Protocol Independent Multicast (PIM) messages across a Layer-3 (L3) transport network. In one example, a first network device receives, via an L2 network from a multicast sender device, a multicast packet for a multicast group associated with a multicast service. The first network device generates, based on the multicast packet, a unicast L3 packet comprising a PIM register request configured to register the first network device as a multicast source for the multicast group. A header of the unicast L3 packet specifies a source address comprising a network address translation (NAT) to an address of a virtual loopback interface of a second network device. The virtual loopback interface is associated with a PIM service between the first and second network devices for the multicast service. The first network device forwards the unicast L3 packet across an L3 transport network to the second network device.

Abstract: A router advertises an aggregated service or route that can be evaluated by other routers as a unitary segment rather than as a group of individual links/paths associated with the aggregated service or route. The aggregated service or route can be based on service and topology state information received from one or more other routers and can be advertised with the router as the nexthop for the aggregated service or route. The router can advertise an aggregated metric for the aggregated service or route for use in such evaluation. An aggregated route can be associated with different aggregated metrics for different services.

Abstract: A first router generates session establishment metrics for use in network path selection. For example, a plurality of routers connect a client device to a network service instance hosted by a server. A first router is connected to the network service instance via first and second paths. The first router receives session performance requirements for a session between the client device and the network service instance. The first router forwards, along the first path, network traffic for the session by modifying a first packet of the session to include a session identifier for the session. The first router determines that session establishment metrics for the session do not satisfy the session performance requirements. In response, the first router forwards, along the second path, the network traffic for the session by modifying a second packet of the session to include the session identifier for the session.

Abstract: Techniques are described for a router providing metric-based multi-hop path selection. For example, a first router of a plurality of routers receives a plurality of network performance metrics for a plurality of links interconnecting the plurality of routers. The plurality of links form a plurality of multi-hop paths through the plurality of routers to a service instance. The router determines, based on the plurality of network performance metrics for the plurality of links, an end-to-end performance of each of the plurality of multi-hop paths. The router selects a multi-hop path over which to forward traffic associated with the session based on the end-to-end performance of each of the plurality of multi-hop paths and one or more performance requirements for a service associated between a session between a client device and the service instance. The router forwards the traffic to the service instance along the selected multi-hop path.

Abstract: Techniques are described for a router providing metric-based multi-hop path selection. For example, a first router of a plurality of routers receives a plurality of network performance metrics for a plurality of links interconnecting the plurality of routers. The plurality of links form a plurality of multi-hop paths through the plurality of routers to a service instance. The router determines, based on the plurality of network performance metrics for the plurality of links, an end-to-end performance of each of the plurality of multi-hop paths. The router selects a multi-hop path over which to forward traffic associated with the session based on the end-to-end performance of each of the plurality of multi-hop paths and one or more performance requirements for a service associated between a session between a client device and the service instance. The router forwards the traffic to the service instance along the selected multi-hop path.

Abstract: One function of a communications network, or of nodes in such a network, is to gather data that is useful in assessing network performance, and quantifying metrics of node and/or network performance. Various embodiments disclosed herein improve the ability of nodes and networks to gather such data, and quantify metrics of node and/or network performance by selectively marking existing network traffic, and in preferred embodiments without having to dilute network traffic by generating and transmitting dummy data packets.

Abstract: Techniques are disclosed for inline security key exchanges between network devices. An example network device includes one or more processors and memory coupled to the one or more processors. The memory stores instructions that, upon execution, cause one or more processors to obtain a first payload key and obtain a path key. The instructions cause the one or more processors to encrypt a first payload of a first packet using the first payload key and insert the first payload key into first metadata of the first packet. The instructions cause the one or more processors to encrypt the first metadata using the path key and send the first packet to another network device.

Abstract: Routing packets by a router involves establishing a first flow configured for forwarding the packets from a first ingress interface to a first egress interface of the router; determining a condition to modify the first flow; deactivating the first flow; establishing a second flow configured for forwarding the packets from at least one of (1) the first ingress interface to a second egress interface, (2) a second ingress interface to the first egress interface, or (3) a second ingress interface to a second egress interface; and activating the second flow.