Abstract: Some embodiments provide a method for securing communication of data messages of a particular machine that includes a dynamic first level address. The method identifies a fixed second level address for a particular data. The fixed second level address is associated with an interface of the particular machine. Based on the fixed second level address, the method identifies a set of security policies for securing the communication of the particular data message. The method applies the set of security policies to the particular data message.

Abstract: Some embodiments of the invention provide a method for assigning a data flow-specific identification value to each packet of a data flow. In some embodiments, a particular source endpoint transmits packets belonging to several different data flows to one or more destination endpoints. When sending packets, the source endpoint inserts a unique flow identification value to a particular field of the Internet Protocol (IP) header of each packet of a data flow. The use of these flow identification values enables intermediate network elements and the destination endpoint to efficiently identify to which data flow each packet belongs. In some embodiments, the source endpoint inserts the flow identification value into the 16-bit Internet Protocol version 4 (IPv4) identification field of the IP header of the packets.

Abstract: Some embodiments provide a method for securing communication of data messages of a particular machine that includes a dynamic first level address. The method identifies a fixed second level address for a particular data. The fixed second level address is associated with an interface of the particular machine. Based on the fixed second level address, the method identifies a set of security policies for securing the communication of the particular data message. The method applies the set of security policies to the particular data message.

Abstract: Techniques disclosed herein provide an approach for diagnosing problems in a network connection established between applications running on two endpoints. In one embodiment, upon identification of a potential issue in the network connection, a connection detector is triggered in one of the endpoints and requests a kernel of that endpoint to transmit an on-demand, non-invasive packet to the other endpoint. The connection detector then determines whether the application running on the other endpoint is available via the connection based on whether an acknowledgment packet is received from the other endpoint after the transmission of the non-invasive packet.

Abstract: Some embodiments provide a method for securing communication of data messages of a particular machine that includes a dynamic first level address. The method identifies a fixed second level address for a particular data. The fixed second level address is associated with an interface of the particular machine. Based on the fixed second level address, the method identifies a set of security policies for securing the communication of the particular data message. The method applies the set of security policies to the particular data message.

Abstract: An example method is provided for a source device to perform discovery of a path maximum transmission unit (PMTU) of a path between the source device and a destination device in a communications network. The method may comprise configuring and sending a request message to the destination device via an intermediate device on the path. The request message may be configured to have a size of an estimated PMTU of the path, to cause a reply message to be received from the destination device or at least one report message to be received from the intermediate device, and to include a flag that allows fragmentation of the request message.

Abstract: Example methods are provided to influence path selection during a multipath connection between a first endpoint and a second endpoint. The method may comprise configuring, for a first subflow of a multipath connection, a first set of tuples and establishing, over a network interface of the first endpoint, the first subflow with the second endpoint. The method may further comprise configuring, for a second subflow of the multipath connection, a second set of tuples based a path selection algorithm learned by the first endpoint; and establishing the second subflow with the second endpoint. The method may further comprise sending first packets having the first set of tuples on the first subflow and second packets having the second set of tuples on the second subflow to the second endpoint via an intermediate device that uses the path selection algorithm.

Abstract: Example methods are provided for a first endpoint to transfer a first data set and a second data set to a second endpoint using a multipath connection. The method may comprise detecting the first data set and the second data set from an application executing on the first endpoint for transfer to the second endpoint. The method may comprise, in response to determination that in-order transfer is not required for the first data set and the second data set, establishing a first subflow of a multipath connection with the second endpoint to send the first data set and establishing a second subflow of the multipath connection to send the second data set. The method may further comprise sending the first data set on the first subflow and the second data set on the second subflow to the second endpoint.

Abstract: Example methods are provided to perform data transfer between a first endpoint and a second endpoint. The method may comprise detecting an elephant flow of data from an application executing on the first endpoint for transfer to the second endpoint; and splitting the elephant flow to obtain first packets and second packets. The first endpoint may have cognizance of a first path and a second path between a first network interface of the first endpoint and a second network interface of the second endpoint. The method may comprise establishing a first subflow and a second subflow of a multipath connection with the second endpoint; and sending, over the first network interface, the first packets on the first subflow and the second packets on the second subflow to the second network interface.

Abstract: Techniques disclosed herein provide an approach for providing throughput resilience during link failover when links are aggregated in a link aggregation group (LAG). In one embodiment, failure of a link in the LAG may be detected, and a Transmission Control Protocol/Interact Protocol (TCP/IP) stack notified to ignore packet losses and not perform network congestion avoidance procedure(s) for one round-trip timeout (RTO) period. In a virtualized system in particular, a virtual switch may be configured to generate events in response to detected link failures and notify TCP/IP stacks of a hypervisor and/or virtual machines (VMs) of the link failures. In turn, the notified TCP/IP stacks of the hypervisor and/or VMs may ignore packet losses and not perform network congestion avoidance procedure(s) for one RTO period.

Abstract: An example method is provided to perform egress network interface selection for a network connection with a second endpoint device. The method may comprise: detecting multiple egress network interfaces of the first endpoint device that are capable of communicating with the second endpoint device via multiple routes, wherein each route involves one of the multiple egress network interfaces; and selecting, from the multiple network egress interfaces, an egress network interface based on multiple maximum transmission unit (MTU) values associated with the multiple routes. The method may further comprise setting a size limit for packets transmitted from the second endpoint device to the first endpoint device during the network connection; configuring a connection establishment packet that includes the size limit to establish the network connection; and sending the connection establishment packet to the second endpoint device via the selected egress network interface.

Abstract: Techniques disclosed herein provide an approach for providing throughput resilience during link failover when links are aggregated in a link aggregation group (LAG). In one embodiment, failure of a link in the LAG may be detected, and a Transmission Control Protocol/Interact Protocol (TCP/IP) stack notified to ignore packet losses and not perform network congestion avoidance procedure(s) for one round-trip timeout (RTO) period. In a virtualized system in particular, a virtual switch may be configured to generate events in response to detected link failures and notify TCP/IP stacks of a hypervisor and/or virtual machines (VMs) of the link failures. In turn, the notified TCP/IP stacks of the hypervisor and/or VMs may ignore packet losses and not perform network congestion avoidance procedure(s) for one RTO period.

Abstract: Techniques disclosed herein provide an approach for diagnosing problems in a network connection established between applications running on two endpoints. In one embodiment, upon identification of a potential issue in the network connection, a connection detector is triggered in one of the endpoints and requests a kernel of that endpoint to transmit an on-demand, non-invasive packet to the other endpoint. The connection detector then determines whether the application running on the other endpoint is available via the connection based on whether an acknowledgment packet is received from the other endpoint after the transmission of the non-invasive packet.

Abstract: Example methods are provided to perform data transfer between a first endpoint and a second endpoint. The method may comprise detecting an elephant flow of data from an application executing on the first endpoint for transfer to the second endpoint; and splitting the elephant flow to obtain first packets and second packets. The first endpoint may have cognizance of a first path and a second path between a first network interface of the first endpoint and a second network interface of the second endpoint. The method may comprise establishing a first subflow and a second subflow of a multipath connection with the second endpoint; and sending, over the first network interface, the first packets on the first subflow and the second packets on the second subflow to the second network interface.

Abstract: Example methods are provided for a first endpoint to transfer a first data set and a second data set to a second endpoint using a multipath connection. The method may comprise detecting the first data set and the second data set from an application executing on the first endpoint for transfer to the second endpoint. The method may comprise, in response to determination that in-order transfer is not required for the first data set and the second data set, establishing a first subflow of a multipath connection with the second endpoint to send the first data set and establishing a second subflow of the multipath connection to send the second data set. The method may further comprise sending the first data set on the first subflow and the second data set on the second subflow to the second endpoint.

Abstract: Example methods are provided to influence path selection during a multipath connection between a first endpoint and a second endpoint. The method may comprise configuring, for a first subflow of a multipath connection, a first set of tuples and establishing, over a network interface of the first endpoint, the first subflow with the second endpoint. The method may further comprise configuring, for a second subflow of the multipath connection, a second set of tuples based a path selection algorithm learned by the first endpoint; and establishing the second subflow with the second endpoint. The method may further comprise sending first packets having the first set of tuples on the first subflow and second packets having the second set of tuples on the second subflow to the second endpoint via an intermediate device that uses the path selection algorithm.

Abstract: Some embodiments of the invention provide a method for assigning a data flow-specific sequential value to each packet of a data flow that is sent from a source endpoint to a destination endpoint in a network. In some embodiments, the source endpoint receives the data flow from a source application while the destination endpoint delivers the data flow to a destination application. The method of some embodiments assigns separate monotonically incrementing values to the packets of each data flow between the same two endpoints by inserting the incremental values into the IPv4 identification field in each packet's IP header. Some embodiments use this sequential value in order to discover any potential error condition in packet transmission. Some embodiments use the IPv4 identification field values to calculate the transmission rate of a data flow at only one observation point.

Abstract: Some embodiments provide a method for securing communication of data messages of a particular machine that includes a dynamic first level address. The method identifies a fixed second level address for a particular data. The fixed second level address is associated with an interface of the particular machine. Based on the fixed second level address, the method identifies a set of security policies for securing the communication of the particular data message. The method applies the set of security policies to the particular data message.

Abstract: A computer implemented method receives a client request message to initiate a network connection. In response to the client request, the method generates a key to represent the client request. The key is generated independent of information provided in the client request message and is generated to correspond to a desired address in a data structure used to track client request message. The method then enters the generated key at the desired address in the data structure and transmits a response message that includes the key back to the client. The network connection between the client and the computer system is established according to the key.

Abstract: A management module is implemented in a virtualization software of a virtualized computing device having one or more virtual machines and a virtual switch configured therein. The management module detects a mismatch between a maximum transmission unit (MTU) of the virtual switch and an MTU of a virtual network interface of a virtual machine. An error message may be immediately returned so that the MTU of the virtual network interface may be corrected in response thereto. Otherwise, an error flag indicating the MTU mismatch is set but the connection between the virtual switch and the virtual network interface is allowed to be established. The error flag may be used as a prompt to correct the MTU of the virtual network interface at a later time or to connect the virtual network interface to a different virtual switch.