Abstract: Presented herein are methodologies for tracking a link state of a physical network connection and selectively reporting the link state to virtual machines that rely on the physical network connection. A method includes receiving an indication, at a hypervisor, which is running on a host computer and which instantiates a virtual switch, that a physical link interconnecting the host computer to a network has failed; determining that the physical link serves the virtual switch; determining whether link state tracking is enabled for the physical link; and when link state tracking is enabled for the physical link, notifying a virtual machine, which is running on the host computer and which is being served by the virtual switch, that a connection between the virtual machine and the network has failed.

Abstract: The subject disclosure relates to methods for monitoring virtual network functions (VNFs) using mirror-ports provided on a virtual switch. A method of the technology can include steps for detecting an instantiation of a virtual network function (VNF), receiving a plurality of operating parameters for the VNF, connecting the VNF with a virtual switch, and automatically discovering an Internet Protocol (IP) address of the VNF. In some aspects, the method can further include operations for instantiating a mirror-port on the virtual switch, the mirror-port configured to provide a communications interface for monitoring the VNF based on a monitoring parameter. Systems and computer-readable media are also provided.

Abstract: Systems, methods, and computer-readable media for providing throughput assurance in a virtual service chain. A virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes can be monitored. An inline statistics agent can generate inline statistics of the operation of the virtual service chain. Further, an actual throughput of the virtual service chain can be identified from the inline statistics. As follows, throughput assurance for the virtual service chain can be provided by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.

Abstract: Systems, methods, and computer-readable media for providing throughput assurance in a virtual service chain. A virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes can be monitored. An inline statistics agent can generate inline statistics of the operation of the virtual service chain. Further, an actual throughput of the virtual service chain can be identified from the inline statistics. As follows, throughput assurance for the virtual service chain can be provided by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.

Abstract: Presented herein are methodologies for tracking a link state of a physical network connection and selectively reporting the link state to virtual machines that rely on the physical network connection. A method includes receiving an indication, at a hypervisor, which is running on a host computer and which instantiates a virtual switch, that a physical link interconnecting the host computer to a network has failed; determining that the physical link serves the virtual switch; determining whether link state tracking is enabled for the physical link; and when link state tracking is enabled for the physical link, notifying a virtual machine, which is running on the host computer and which is being served by the virtual switch, that a connection between the virtual machine and the network has failed.

Abstract: The subject disclosure relates to methods for monitoring virtual network functions (VNFs) using mirror-ports provided on a virtual switch. A method of the technology can include steps for detecting an instantiation of a virtual network function (VNF), receiving a plurality of operating parameters for the VNF, connecting the VNF with a virtual switch, and automatically discovering an Internet Protocol (IP) address of the VNF. In some aspects, the method can further include operations for instantiating a mirror-port on the virtual switch, the mirror-port configured to provide a communications interface for monitoring the VNF based on a monitoring parameter. Systems and computer-readable media are also provided.

Abstract: A classifier network element in a service function chain system receives a classification policy and an access policy from a controller of the service function chain system. The classification policy identifies which service function path network traffic flows will traverse through the service function chain system. The access policy defines criteria for determining whether network traffic flows will be sent along a service function path of the service function chain system. The classifier network element receives an initial packet of a network traffic flow from a source endpoint directed to a destination endpoint. Responsive to a determination that the initial packet of the network traffic flow satisfies the criteria of the access policy, the classifier network element applies the access policy to the network traffic flow.

Abstract: A network device receives packets sent over a network from another network device. Each packet contains a source identifier that identifies a device that is the source of the packet, a destination identifier that identifies a device that is the intended destination of the packet, a sender identifier that identifies a network device that encrypted and sent the packet and a sequence number associated with the packet. The network device stores data indicating source identifier, destination identifier, sender identifier and sequence number for packets received over time. The network device rejects a newly received packet when it is determined that the sequence number of the newly received packet is less than the last sequence number stored for a matching packet flow (same source identifier, destination identifier and sender identifier) and falls outside of the counter-based window with respect to the last sequence number stored for the matching packet flow.

Abstract: A technique for dynamically creating and deleting groups to support secure group communication sessions is provided herein. A request for creation of a dynamic group that enables group members to participate in a secure group communication session is received by a network authentication device such as a key server. Creation of the dynamic group includes generating a lifetime attribute indicating when the dynamic group is to exist based on timing information provided in the request, along with security policies required for generating the keys, and generating a unique group ID associated with the dynamic group for distribution to the group members. The keys for the secure group communication session are supplied, along with security policies, in response to a request containing the unique group ID identifying the dynamic group. The dynamic group is deleted in response to determining from the lifetime attribute that the secure group communication session has expired.

Abstract: Techniques are provided for determining freshness of control messages in a network. At a first device that is to enter into a secure communication session with a second device, timestamp information and time window size information are sent to the second device in a control message during a first exchange between a first device and a second device. At the first device, timestamp information and time window size information are obtained from a control message received from the second device by the first device during the first exchange. At the first device, the freshness of a control message is tested based on the timestamp information of the control message during a second exchange and the time window size information received from the second device during the first exchange.

Abstract: Techniques are provided for determining freshness of control messages in a network. At a first device that is to enter into a secure communication session with a second device, timestamp information and time window size information are sent to the second device in a control message during a first exchange between a first device and a second device. At the first device, timestamp information and time window size information are obtained from a control message received from the second device by the first device during the first exchange. At the first device, the freshness of a control message is tested based on the timestamp information of the control message during a second exchange and the time window size information received from the second device during the first exchange.

Abstract: A technique for dynamically creating and deleting groups to support secure group communication sessions is provided herein. A request for creation of a dynamic group that enables group members to participate in a secure group communication session is received by a network authentication device such as a key server. Creation of the dynamic group includes generating a lifetime attribute indicating when the dynamic group is to exist based on timing information provided in the request, along with security policies required for generating the keys, and generating a unique group ID associated with the dynamic group for distribution to the group members. The keys for the secure group communication session are supplied, along with security policies, in response to a request containing the unique group ID identifying the dynamic group. The dynamic group is deleted in response to determining from the lifetime attribute that the secure group communication session has expired.

Abstract: Techniques are provided for more robust counter-based anti-replay protection with respect to packets sent between network devices. A network device receives packets sent over a network from another network device. Each packet contains a source identifier that identifies a device that is the source of the packet, a destination identifier that identifies a device that is the intended destination of the packet, a sender identifier that identifies a network device that encrypted and sent the packet and a sequence number associated with the packet. The network device stores data indicating source identifier, destination identifier, sender identifier and sequence number for packets received over time.