Abstract: Some embodiments of the invention provide a novel method for interfacing between a first tuple-based controller and a second controller using a message-based protocol. The method of some embodiments identifies a set of changed tuples stored in a set of output tables, generates a set of messages based on the changed tuples, and sends the generated set of messages to a second controller. In some embodiments, the first and second controllers are parts of a network control system that manages forwarding elements to implement a logical network.

Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

Abstract: Some embodiments provide a method that uses headerspace analysis. The method receives several flow entries for distribution to a set of forwarding elements that implement a logical network. The method models each of the flow entries as a function that operates on a representation of a packet header. The method uses the modeled functions to identify a set of paths from a packet source to a packet destination. For each particular path of the identified paths, the method uses inverses of the modeled functions to determine a set of packet headers. Packets sent from the packet source with any packet header in the set of packet headers follow the particular path through the flow entries.

Abstract: Some embodiments provide a method for an integrated network management and modification analysis system. At the integrated system, the method receives a proposed modification to configuration data for a logical network stored by the integrated system as a set of rules. Without implementing the proposed modification, the method analyzes changes to the rules that would occur based on the proposed modification. The method provides a graphical user interface (GUI) that indicates logical network entities affected by the proposed modification. In response to a command to implement the proposed modification, the method generates an updated set of rules at the integrated system and stores the updated set of rules for distribution to managed forwarding elements that implement the logical network.

Abstract: Some embodiments provide a method for managing a set of forwarding elements. The method receives configuration information for a set of gateways specifying (i) multiple gateways for implementing logical router ports and (ii) a ranking order of the gateways in the set. The method configures a first gateway in the ranking order as a master gateway for the set of gateways. Upon receiving a first notification that the first gateway is not operational, the method configures a second gateway in the ranking order as the master gateway for the set of gateways. Upon receiving a second, subsequent notification that the first gateway has resumed operation, the method maintains the second gateway in the ranking order as the master gateway for the set of gateways and configures the first gateway in the ranking order as a first standby gateway.

Abstract: Some embodiments provide a method that uses headerspace analysis. The method receives several flow entries for distribution to a set of forwarding elements that implement a logical network. The method models each of the flow entries as a function that operates on a representation of a packet header. The method uses the modeled functions to identify a set of paths from a packet source to a packet destination. For each particular path of the identified paths, the method uses inverses of the modeled functions to determine a set of packet headers. Packets sent from the packet source with any packet header in the set of packet headers follow the particular path through the flow entries.

Abstract: Some embodiments of the invention provide a novel method for interfacing between a first tuple-based controller and a second controller using a message-based protocol. The method of some embodiments identifies a set of changed tuples stored in a set of output tables, generates a set of messages based on the changed tuples, and sends the generated set of messages to a second controller. In some embodiments, the first and second controllers are parts of a network control system that manages forwarding elements to implement a logical network.

Abstract: Some embodiments provide a method that uses headerspace analysis. The method receives several flow entries for distribution to a set of forwarding elements that implement a logical network. The method models each of the flow entries as a function that operates on a representation of a packet header. The method uses the modeled functions to identify a set of paths from a packet source to a packet destination. For each particular path of the identified paths, the method uses inverses of the modeled functions to determine a set of packet headers. Packets sent from the packet source with any packet header in the set of packet headers follow the particular path through the flow entries.

Abstract: Some embodiments of the invention provide a novel method for interfacing between a first tuple-based controller and a second controller using a message-based protocol. The method of some embodiments identifies a set of changed tuples stored in a set of output tables, generates a set of messages based on the changed tuples, and sends the generated set of messages to a second controller. In some embodiments, the first and second controllers are parts of a network control system that manages forwarding elements to implement a logical network.

Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

Abstract: Some embodiments provide a method for an integrated network management and modification analysis system. At the integrated system, the method receives a proposed modification to configuration data for a logical network stored by the integrated system as a set of rules. Without implementing the proposed modification, the method analyzes changes to the rules that would occur based on the proposed modification. The method provides a graphical user interface (GUI) that indicates logical network entities affected by the proposed modification. In response to a command to implement the proposed modification, the method generates an updated set of rules at the integrated system and stores the updated set of rules for distribution to managed forwarding elements that implement the logical network.

Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

Abstract: Some embodiments provide a network control system with techniques for handling failover of network controllers with minimal churn in the network state distributed to the forwarding elements of the network. Specifically, in some embodiments, the local controller designates a waiting period before computing output network state data entries based on the new version of the input network state data entries. Alternatively, or conjunctively, the local controller of some embodiments calculates the changes between the new version of input state data entries and its stored existing version of the input state data entries, and only generates new output network state data entries based on the calculated changes, in order to minimize unnecessary recalculations of the output network state data entries. The new output network state data entries may then be used by the local controller to provision its managed forwarding element.

Abstract: Some embodiments provide a network control system with techniques for handling failover of network controllers with minimal churn in the network state distributed to the forwarding elements of the network. Specifically, in some embodiments, the local controller designates a waiting period before computing output network state data entries based on the new version of the input network state data entries. Alternatively, or conjunctively, the local controller of some embodiments calculates the changes between the new version of input state data entries and its stored existing version of the input state data entries, and only generates new output network state data entries based on the calculated changes, in order to minimize unnecessary recalculations of the output network state data entries. The new output network state data entries may then be used by the local controller to provision its managed forwarding element.

Abstract: A method, computer readable medium and apparatus for providing a virtual individual server service within a communications network are disclosed. For example, the method receives a request from a subscriber of the communications network to subscribe to the virtual individual server service, provides a virtual individual server to the subscriber in response to the request and executes at least one application via the virtual individual server using at least one piece of personal information associated with the subscriber.

Abstract: Some embodiments provide a method for managing a set of forwarding elements. The method receives configuration information for a set of gateways specifying (i) multiple gateways for implementing logical router ports and (ii) a ranking order of the gateways in the set. The method configures a first gateway in the ranking order as a master gateway for the set of gateways. Upon receiving a first notification that the first gateway is not operational, the method configures a second gateway in the ranking order as the master gateway for the set of gateways. Upon receiving a second, subsequent notification that the first gateway has resumed operation, the method maintains the second gateway in the ranking order as the master gateway for the set of gateways and configures the first gateway in the ranking order as a first standby gateway.

Abstract: Some embodiments provide a method that uses headerspace analysis. The method receives several flow entries for distribution to a set of forwarding elements that implement a logical network. The method models each of the flow entries as a function that operates on a representation of a packet header. The method uses the modeled functions to identify a set of paths from a packet source to a packet destination. For each particular path of the identified paths, the method uses inverses of the modeled functions to determine a set of packet headers. Packets sent from the packet source with any packet header in the set of packet headers follow the particular path through the flow entries.

Abstract: Some embodiments provide a method for using headerspace analysis. The method receives several flow entries for distribution to a forwarding element in a network. Each flow entry includes a set of conditions to be matched by a packet header and a set of actions to perform on a packet that matches the set of conditions. The method models each of the flow entries as a function that operates on a representation of a packet header. The method determines a set of packet headers of packets to be received by the forwarding element. The method determines a set of the flow entries that are not matched by a packet header of any packet to be received by the forwarding element by applying the functions to representations of the identified set of packet headers.

Abstract: Some embodiments provide a method that uses headerspace analysis. The method receives several flow entries for distribution to a set of forwarding elements that implement a logical network. The method models each of the flow entries as a function that operates on a representation of a packet header. The method uses the modeled functions to identify a set of paths from a packet source to a packet destination. For each particular path of the identified paths, the method uses inverses of the modeled functions to determine a set of packet headers. Packets sent from the packet source with any packet header in the set of packet headers follow the particular path through the flow entries.

Abstract: Some embodiments of the invention provide a novel method for interfacing between a first tuple-based controller and a second controller using a message-based protocol. The method of some embodiments identifies a set of changed tuples stored in a set of output tables, generates a set of messages based on the changed tuples, and sends the generated set of messages to a second controller. In some embodiments, the first and second controllers are parts of a network control system that manages forwarding elements to implement a logical network.