Patents by Inventor Dheerendra Talur

Dheerendra Talur has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12244648
    Abstract: A plurality of security rule processing nodes is configured for network traffic of a set of sources and destinations. Respective subsets of configuration information of the sources and destinations, including security rules, are transmitted to the nodes. Respective addresses of at least a subset of the nodes are transmitted to a packet processing intermediary. The intermediary requests evaluation of applicable security rules with respect to packet flows by selected nodes prior to initiating routing actions for packets of the flows.
    Type: Grant
    Filed: May 12, 2023
    Date of Patent: March 4, 2025
    Assignee: Amazon Technologies, Inc.
    Inventors: Dheerendra Talur, Venkat Maithreya Paritala, Abhishek Chhajer, Charlie Jahchan, Yogeshkumar Kuite
  • Patent number: 11916880
    Abstract: Techniques for compiling firewall rules into byte code or assembly code that can be loaded into cache memory of a processor and executed to evaluate received data packets. Rather than representing firewall rules in mid- or high-level languages stored in main memory, the techniques described herein include compiling the firewall rules into bytecode or assembly code, and distributing the code to the data plane. A packet-processing device may load the code representing the firewall rules into instruction cache of the processor. Further, the packet-processing device receives a data packet and extracts packet context data indicating attributes of the packet, and loads the packet context data into a data cache of the processor. The processor can then execute the byte code or assembly code representing the firewall rules to evaluate the packet context data without having to access main memory to determine whether to allow or block the data packet.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: February 27, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Stewart Allen, Dheerendra Talur, Venkat Maithreya Paritala, Joseph Magerramov, Anthony Liguori
  • Publication number: 20230291769
    Abstract: A plurality of security rule processing nodes is configured for network traffic of a set of sources and destinations. Respective subsets of configuration information of the sources and destinations, including security rules, are transmitted to the nodes. Respective addresses of at least a subset of the nodes are transmitted to a packet processing intermediary. The intermediary requests evaluation of applicable security rules with respect to packet flows by selected nodes prior to initiating routing actions for packets of the flows.
    Type: Application
    Filed: May 12, 2023
    Publication date: September 14, 2023
    Applicant: Amazon Technologies, Inc.
    Inventors: Dheerendra Talur, Venkat Maithreya Paritala, Abhishek Chhajer, Charlie Jahchan, Yogeshkumar Kuite
  • Publication number: 20230171194
    Abstract: Systems and methods are provided to use a custom tuple definition to route packets of network traffic. Each packet can correspond to a different custom tuple definition based on the custom tuple definitions provided. Each custom tuple definition may be applied to a subset of network traffic based on certain parameters. A stateful network routing service may intercept packets and determine a tuple value for the packet based on a corresponding tuple definition and information from the packet. The stateful network routing service may route the packet based on the tuple value of the packet to a network appliance. Further, subsequent packets associated with the same tuple value may be routed to the same network appliance. In some embodiments, the custom tuple definition may be used to determine multiple tuple values for a subset of network traffic.
    Type: Application
    Filed: January 27, 2023
    Publication date: June 1, 2023
    Inventors: Dheerendra Talur, Milind Madhukar Kulkarni
  • Patent number: 11652736
    Abstract: Systems and methods are provided to enable packets of network traffic to be hashed to an available network gateway. Each packet can include a route table with a pool of network gateways as a next-hop of the packet. A network device may intercept the packet and hash the packet to a network gateway of the pool of network gateways. The network gateway can correspond to a stateful network router and the stateful network router can transmit the packet to a network appliance. The network device can monitor and perform health-checks on the network gateways, the stateful network routers, and the network appliances. The network device can remove components that are no longer healthy or available and can add components that subsequently become healthy.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: May 16, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Dheerendra Talur, Milind Madhukar Kulkarni, Bashuman Deb, Jose De Jesus Camacho Ruiz
  • Patent number: 11652848
    Abstract: A plurality of security rule processing nodes is configured for network traffic of a set of sources and destinations. Respective subsets of configuration information of the sources and destinations, including security rules, are transmitted to the nodes. Respective addresses of at least a subset of the nodes are transmitted to a packet processing intermediary. The intermediary requests evaluation of applicable security rules with respect to packet flows by selected nodes prior to initiating routing actions for packets of the flows.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: May 16, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Dheerendra Talur, Venkat Maithreya Paritala, Abhishek Chhajer, Charlie Jahchan, Yogeshkumar Kuite
  • Patent number: 11595307
    Abstract: Systems and methods are provided to use a custom tuple definition to route packets of network traffic. Each packet can correspond to a different custom tuple definition based on the custom tuple definitions provided. Each custom tuple definition may be applied to a subset of network traffic based on certain parameters. A stateful network routing service may intercept packets and determine a tuple value for the packet based on a corresponding tuple definition and information from the packet. The stateful network routing service may route the packet based on the tuple value of the packet to a network appliance. Further, subsequent packets associated with the same tuple value may be routed to the same network appliance. In some embodiments, the custom tuple definition may be used to determine multiple tuple values for a subset of network traffic.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: February 28, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Dheerendra Talur, Milind Madhukar Kulkarni
  • Publication number: 20230045247
    Abstract: Systems and methods are provided to enable packets of network traffic to be hashed to an available network gateway. Each packet can include a route table with a pool of network gateways as a next-hop of the packet. A network device may intercept the packet and hash the packet to a network gateway of the pool of network gateways. The network gateway can correspond to a stateful network router and the stateful network router can transmit the packet to a network appliance. The network device can monitor and perform health-checks on the network gateways, the stateful network routers, and the network appliances. The network device can remove components that are no longer healthy or available and can add components that subsequently become healthy.
    Type: Application
    Filed: June 30, 2020
    Publication date: February 9, 2023
    Inventors: Dheerendra Talur, Milind Madhukar Kulkarni, Bashuman Deb, Jose De Jesus Camacho Ruiz
  • Patent number: 11310149
    Abstract: Systems and methods are provided to enable packets of network traffic to be routed to a network appliance. Bidirectional flows of network traffic can be routed to the same network appliance based on flow information of the corresponding packets. A network device may intercept the packet corresponding to a first flow and route the packet to a specific network appliance based on the first flow information. The network device may generate a direction agnostic tuple value based on data groups of the first flow information. The network device may propagate the direction agnostic tuple value across availability zones to a second network device in a different availability zone to store the direction agnostic tuple value for use for subsequent packets. The second network device can receive a second packet and transmit the second packet to the same network appliance based on the direction agnostic tuple value.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: April 19, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Bashuman Deb, Dheerendra Talur, Milind Madhukar Kulkarni, Justin Davies
  • Publication number: 20210409336
    Abstract: Systems and methods are provided to add flow validation information to packets of network traffic. Each packet can have flow validation information added corresponding to the source and destination of the packet. A stateful network routing service may intercept packets and obtain or generate flow validation information based on the source and destination of the packet. The stateful network routing service may add the information to the packet and transmit the enriched packet to a network appliance. The stateful network routing service may receive a second enriched packet from the network appliance. The stateful network routing service can compare the enriched packet with the second enriched packet. Based on the comparison of the enriched packets, the stateful network routing service can determine whether the packet should be transmitted to the destination or dropped.
    Type: Application
    Filed: June 30, 2020
    Publication date: December 30, 2021
    Inventors: Dheerendra Talur, Milind Madhukar Kulkarni, Lee Spencer Dillard
  • Patent number: 11184277
    Abstract: Systems and methods are provided to perform operations on a packet of network traffic based on a routing rule of the packet. A stateful network routing service may include multiple network gateways for receiving packets of network traffic. The stateful network routing service may receive a packet and obtain or generate a routing rule based on the source and destination of the packet based on receiving the packet via a client-facing network gateway. The stateful network routing service may transmit the packet to a network appliance based on the routing rule. The stateful network routing service may further receive a packet via an appliance-facing network gateway. Based on receiving the packet via the appliance-facing network gateway, the stateful network routing service may decapsulate the packet and transmit the packet to a network destination. The stateful network routing service may further validate the packet.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: November 23, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Dheerendra Talur, Manasa Chandrashekar, Jiaming Xu, Liwen Wu, Meher Aditya Kumar Addepalli
  • Patent number: 11119739
    Abstract: Techniques for compiling firewall rules into byte code or assembly code that can be loaded into cache memory of a processor and executed to evaluate received data packets. Rather than representing firewall rules in mid- or high-level languages stored in main memory, the techniques described herein include compiling the firewall rules into bytecode or assembly code, and distributing the code to the data plane. A packet-processing device may load the code representing the firewall rules into instruction cache of the processor. Further, the packet-processing device receives a data packet and extracts packet context data indicating attributes of the packet, and loads the packet context data into a data cache of the processor. The processor can then execute the byte code or assembly code representing the firewall rules to evaluate the packet context data without having to access main memory to determine whether to allow or block the data packet.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: September 14, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Stewart Allen, Dheerendra Talur, Venkat Maithreya Paritala, Joseph Magerramov, Anthony Liguori
  • Patent number: 11088948
    Abstract: Systems and methods are provided to add flow identification information to packets of network traffic. Each packet can have flow identification information added based on the packet being sent to a full-proxy mode appliance. A stateful network routing service may intercept packets and determine the packets are to be sent to a full-proxy mode appliance. Based on this determination, the stateful network routing service may obtain or generate flow identification information to identify the packet. The stateful network routing service may add the information to the packet and transmit the enriched packet to a full-proxy mode network appliance. The stateful network routing service may receive a second enriched packet from the network appliance. The stateful network routing service can parse the second enriched packet for flow identification information and identify the second enriched packet based on the flow identification information.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: August 10, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Dheerendra Talur, Milind Madhukar Kulkarni, Narayan Subramaniam
  • Patent number: 10069725
    Abstract: In one embodiment, a service domain router (SDR) establishes a virtual fabric interface between the SDR and at least one peer SDR in a computer network. When the SDR receives a routing advertisement from the peer SDR, where the routing advertisement provides nexthop (NH) information for one or more network routes, the SDR may add the one or more network routes to a routing information base (RIB) listing the peer SDR as a next-to-nexthop (NNH) for the network routes. A forwarding information base (FIB) on the network device then resolves the NNH for the corresponding network routes to an egress interface of the peer SDR, such that packets received at the SDR and destined along a particular route of the one or more network routes may be forwarded via the egress interface of the peer SDR.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: September 4, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Dheerendra Talur, Kannan Varadhan, Karthik Subramanian, Xiongbin Ma, Bharath Vasudevan
  • Patent number: 9094335
    Abstract: In one embodiment, a packet switching device assigns a same particular packet switching label to each particular route of a plurality of particular routes having the same one or more best paths, wherein the plurality of particular routes includes routes from at least two different forwarding groups. A forwarding group is defined as a specific route, one or more routes associated with a same customer edge router, or one or more routes associated with a single virtual routing and forwarding domain (VRF). The packet switching device advertises to other packet switching device(s) to add this same particular label to packets having one of the plurality of particular routes, which they do. The packet switching device then packet switches packets based on the particular label received in a label field in a header of these packets.
    Type: Grant
    Filed: February 22, 2011
    Date of Patent: July 28, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Karthik Subramanian, Dheerendra Talur, Pradosh Mohapatra, Clarence Filsfils
  • Publication number: 20120213225
    Abstract: In one embodiment, a packet switching device assigns a same particular packet switching label to each particular route of a plurality of particular routes having the same one or more best paths, wherein the plurality of particular routes includes routes from at least two different forwarding groups. A forwarding group is defined as a specific route, one or more routes associated with a same customer edge router, or one or more routes associated with a single virtual routing and forwarding domain (VRF). The packet switching device advertises to other packet switching device(s) to add this same particular label to packets having one of the plurality of particular routes, which they do. The packet switching device then packet switches packets based on the particular label received in a label field in a header of these packets.
    Type: Application
    Filed: February 22, 2011
    Publication date: August 23, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Karthik Subramanian, Dheerendra Talur, Pradosh Mohapatra, Clarence Filsfils
  • Patent number: 7889712
    Abstract: A router is described that includes a routing table containing route information and a module to evaluate a route and detect a loop path associated with the route using the routing table. A process is described to detect and eliminate routing loops associated with recursive routes in a routing table, so as to provide a routing table that will be loop free.
    Type: Grant
    Filed: December 23, 2005
    Date of Patent: February 15, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Dheerendra Talur, Rex Fernando, Avneesh Sachdev, Derek Man-Kit Yeung
  • Patent number: 7826369
    Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with subsets of the Forward Information Base (FIB) distributed among line cards in a switching device; especially wherein one or more of the line cards does not contain the complete FIB, and this line card forwards packets, for which it does not have the forwarding information, to another line card which has the forwarding information for the packet.
    Type: Grant
    Filed: February 20, 2009
    Date of Patent: November 2, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Clarence Filsfils, Pradosh Mohapatra, Dheerendra Talur, John H. W. Bettink, Pranav Dharwadkar, David Delano Ward
  • Publication number: 20100215047
    Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with subsets of the Forward Information Base (FIB) distributed among line cards in a switching device; especially wherein one or more of the line cards does not contain the complete FIB, and this line card forwards packets, for which it does not have the forwarding information, to another line card which has the forwarding information for the packet.
    Type: Application
    Filed: February 20, 2009
    Publication date: August 26, 2010
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Clarence Filsfils, Pradosh Mohapatra, Dheerendra Talur, John H. W. Bettink, Pranav Dharwadkar, David Delano Ward
  • Patent number: 7706298
    Abstract: A method of selecting routing tables to include in a network line card consists of determining dependencies of local routes on remote routes using a reference count on prefixes, and selectively downloading remote routes when resolution of a route has a dependency on a remote route. In one embodiment, only remote routes that are needed to forward traffic are downloaded to a network line card.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: April 27, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Rex Fernando, Dheerendra Talur, Pradosh Kumar Mohapatra, Paul A. Jensen