Abstract: A method for introducing in-network services in an end-to-end communication path between two hosts includes: providing at least one middlebox entity and performing a registration procedure that includes registering the in-network services together with their respective service level agreements at the at least one middlebox entity; by at least one of the two hosts, sending a subscription for the in-network services to the at least one middlebox entity together with a policy list containing at least host-specific security requirements; by the at least one middlebox entity, evaluating potential conflicts between the host-specific security requirements and the service level agreements of the in-network services, and, in case no conflicts are detected, authenticating the in-network services; and inserting the authenticated in-network services within the end-to-end communication path and starting encrypted communication between the two hosts.

Abstract: A method for service function chaining within an end-to-end path of a network connection between a source and destination node includes: executing, for a defined service function chain including an ordered sequence of network service functions, an address resolution process that translates names of the network service functions of the defined service function chain into their corresponding IP addresses. The address resolution process is performed at a name server of the destination node by a sequence of name server queries sent in succession to respective name servers of each of the selected network service functions of the defined service function chain in accordance with their order. Each of the name server queries is answered by a response from a name server of the respective network service function that includes IP addresses of selected instances of a respective network service function chosen by the respective name server according to predefined criteria.

Abstract: A method operates a software defined network that has a number of data plane elements having flow table entries that define forwarding functions of the data plane elements; and at least one control plane element for programming the forwarding functions of the data plane elements by instructing the data plane elements to install appropriate flow table entries. The method includes: obtaining, by the data plane elements, flow table entry installation time information and making this information available directly or indirectly to the at least one control plane element; and using, by the at least one control plane element, the flow table entry installation time information for deciding on which of the data plane elements to install a particular flow table entry and/or when to transmit an instruction to one or more of the data plane elements to install a particular flow table entry.

Abstract: A method for service function chaining within an end-to-end path of a network connection between a source and destination node includes: executing, for a defined service function chain including an ordered sequence of network service functions, an address resolution process that translates names of the network service functions of the defined service function chain into their corresponding IP addresses. The address resolution process is performed at a name server of the destination node by a sequence of name server queries sent in succession to respective name servers of each of the selected network service functions of the defined service function chain in accordance with their order. Each of the name server queries is answered by a response from a name server of the respective network service function that includes IP addresses of selected instances of a respective network service function chosen by the respective name server according to predefined criteria.

Abstract: A method for introducing in-network services in an end-to-end communication path between two hosts includes: providing at least one middlebox entity and performing a registration procedure that includes registering the in-network services together with their respective service level agreements at the at least one middlebox entity; by at least one of the two hosts, sending a subscription for the in-network services to the at least one middlebox entity together with a policy list containing at least host-specific security requirements; by the at least one middlebox entity, evaluating potential conflicts between the host-specific security requirements and the service level agreements of the in-network services, and, in case no conflicts are detected, authenticating the in-network services; and inserting the authenticated in-network services within the end-to-end communication path and starting encrypted communication between the two hosts.