Patents by Inventor Eran Gampel

Eran Gampel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11973693
    Abstract: A computer-implemented method for distributing packets for asymmetrical traffic by a network interface card (NIC). The computer-implemented method includes obtaining information of an incoming packet incoming from a source endpoint behind a stateful service and accessing a destination endpoint using a network address translation (NAT) service, hashing the information to calculate queue identification for the packet to direct the packet to the queue associated therewith, executing a NAT on an outgoing packet associated with the incoming packet to allow for retrieval of the queue identification from a header of the outgoing packet, sending the outgoing packet to the destination endpoint, which is responsive with a return packet, stamping the queue identification to the return packet upon the return packet being transmitted back from the destination endpoint and the queue identification being retrieved and instantiating an RSS override operation to redirect the return packet to the queue on the response.
    Type: Grant
    Filed: March 13, 2023
    Date of Patent: April 30, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Eran Gampel, Liran Schour, Guy Laden, Marc Cochran
  • Patent number: 11949604
    Abstract: A system, method, and computer program product for implementing network state processing is provided. The method includes detecting operational states for ports of a server Internet protocol (IP) data plane component of an integrated switching device. Each operational state is analyzed and matching and action rules associated with the operational states are generated with respect to data packets arriving at the ports. Data describing each operational state is stored within a port cache structure of a port. An incoming data packet is detected at a first port and the matching and action rules are distributed between port engines of the ports. The matching and action rules are executed with respect to the incoming data packet and the incoming data packet is transmitted to a destination port. Operational functionality of the integrated switching device is enabled with respect to execution of the incoming data packet at the destination port.
    Type: Grant
    Filed: October 6, 2021
    Date of Patent: April 2, 2024
    Assignee: International Business Machines Corporation
    Inventors: Renato J. Recio, Eran Gampel, Claude Basso, Gal Sagi, Guy Laden
  • Patent number: 11924179
    Abstract: A secure communication tunnel between user space software and a client device can be established. A private session key can be communicated from the user space software to a network communication device via an application programming interface. Outbound session packets can be communicated from the user space software to the network communication device. The network communication device can generate encrypted outbound session packets by encrypting the outbound session packets using the private session key; communicate to the client device, via the secured communication tunnel, the encrypted outbound session packets; receive, by the network communication device from the client device, via the secured communication tunnel, inbound session packets; generate decrypted inbound session packets by decrypting the inbound session packets using the private session key; and communicate the decrypted inbound session packets.
    Type: Grant
    Filed: August 8, 2022
    Date of Patent: March 5, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Renato J. Recio, Ryan Moats, Eran Gampel, Gal Sagi, Ravinder Reddy Amanaganti, Etai Lev Ran, Dean Har'el Lorenz
  • Patent number: 11916890
    Abstract: A secure communication tunnel between user space software and a client device can be established. A private session key can be accessed from a cryptographic service. The private session key can be communicated from the user space software to a network communication device. Outbound session packets can be communicated from the user space software to the network communication device. The network communication device can be configured to generate encrypted outbound session packets by encrypting the outbound session packets using the private session key; communicate to the client device, via the secured communication tunnel, the encrypted outbound session packets; receive from the client device, via the secured communication tunnel, inbound session packets; generate decrypted inbound session packets by decrypting the inbound session packets using the private session key; and communicate the decrypted inbound session packets.
    Type: Grant
    Filed: August 8, 2022
    Date of Patent: February 27, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Renato J. Recio, Ryan Moats, Eran Gampel, Gal Sagi, Ravinder Reddy Amanaganti, Etai Lev Ran, Dean Har'el Lorenz
  • Publication number: 20240048536
    Abstract: A secure communication tunnel between user space software and a client device can be established. A private session key can be communicated from the user space software to a network communication device via an application programming interface. Outbound session packets can be communicated from the user space software to the network communication device. The network communication device can generate encrypted outbound session packets by encrypting the outbound session packets using the private session key; communicate to the client device, via the secured communication tunnel, the encrypted outbound session packets; receive, by the network communication device from the client device, via the secured communication tunnel, inbound session packets; generate decrypted inbound session packets by decrypting the inbound session packets using the private session key; and communicate the decrypted inbound session packets.
    Type: Application
    Filed: August 8, 2022
    Publication date: February 8, 2024
    Inventors: Renato J. Recio, Ryan Moats, Eran Gampel, Gal Sagi, Ravinder Reddy Amanaganti, Etai Lev Ran, Dean Har'el Lorenz
  • Publication number: 20240048541
    Abstract: A protocol stack can be offloaded to a network communication device. A private session key can be communicated from the user space software to a network communication device via an application programming interface. Outbound session packets can be communicated from the user space software to the network communication device. The network communication device can be configured to process headers in the outbound session packets, generate encrypted outbound session packets by encrypting the outbound session packets using the private session key, and communicate to a client device via the secured communication tunnel, the encrypted outbound session packets.
    Type: Application
    Filed: August 8, 2022
    Publication date: February 8, 2024
    Inventors: Renato J. Recio, Ryan Moats, Eran Gampel, Gal Sagi, Ravinder Reddy Amanaganti, Etai Lev Ran, Dean Har'el Lorenz
  • Publication number: 20240048373
    Abstract: A network communication device can receive a private session key from a data processing system. A first work queue element can be received in a send queue of the network communication device. The first work queue element can indicate outbound session data to be communicated to a client device. Responsive to receiving the first work queue element, the network communication device can generate encrypted outbound session data by encrypting the outbound session data using the private session key. The network communication device can communicate, via remote directory memory access (RDMA) over a secured communication tunnel, the encrypted outbound session data to the client device.
    Type: Application
    Filed: August 8, 2022
    Publication date: February 8, 2024
    Inventors: Renato J. Recio, Eran Gampel, Gal Sagi, Ryan Moats, Bernard Metzler, Ravinder Reddy Amanaganti, Etai Lev Ran, Dean Har'el Lorenz
  • Publication number: 20240048538
    Abstract: A secure communication tunnel between user space software and a client device can be established. A private session key can be communicated from the user space software to a network communication device in at least one User Datagram Protocol datagram. Outbound session packets can be communicated from the user space software to the network communication device.
    Type: Application
    Filed: August 31, 2023
    Publication date: February 8, 2024
    Inventors: Renato J. Recio, Ryan Moats, Eran Gampel, Gal Sagi, Etai Lev Ran, Dean Har'el Lorenz, Ravinder Reddy Amanaganti
  • Publication number: 20240048537
    Abstract: A secure communication tunnel between user space software and a client device can be established. A private session key can be accessed from a cryptographic service. The private session key can be communicated from the user space software to a network communication device. Outbound session packets can be communicated from the user space software to the network communication device. The network communication device can be configured to generate encrypted outbound session packets by encrypting the outbound session packets using the private session key; communicate to the client device, via the secured communication tunnel, the encrypted outbound session packets; receive from the client device, via the secured communication tunnel, inbound session packets; generate decrypted inbound session packets by decrypting the inbound session packets using the private session key; and communicate the decrypted inbound session packets.
    Type: Application
    Filed: August 8, 2022
    Publication date: February 8, 2024
    Inventors: Renato J. Recio, Ryan Moats, Eran Gampel, Gal Sagi, Ravinder Reddy Amanaganti, Etai Lev Ran, Dean Har'el Lorenz
  • Publication number: 20230299992
    Abstract: Embodiments for providing enhanced endpoint multicast emulation in a computing environment. One or more multicast operations may be executed on an overlay network using endpoint multicast emulation by using an overlay layer or a virtual extensible LAN (“VXLAN”) layer to maintain control over one or more multicast groups.
    Type: Application
    Filed: March 21, 2022
    Publication date: September 21, 2023
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Eran GAMPEL, Renato J. RECIO, Gal SAGI, James A. KAHLE, James C. SEXTON, Bernard METZLER, Ravinder Reddy AMANAGANTI
  • Patent number: 11765142
    Abstract: A secure communication tunnel between user space software and a client device can be established. A private session key can be communicated from the user space software to a network communication device in at least one User Datagram Protocol datagram. Outbound session packets can be communicated from the user space software to the network communication device.
    Type: Grant
    Filed: August 8, 2022
    Date of Patent: September 19, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Renato J. Recio, Ryan Moats, Eran Gampel, Gal Sagi, Etai Lev Ran, Dean Har'el Lorenz, Ravinder Reddy Amanaganti
  • Patent number: 11678093
    Abstract: A network interface card (NIC) and a method for establishing a connection between virtual machines of a network. The NIC includes: a programmable switching ASIC (application-specific integrated circuit), a central processing unit (CPU), multiple Ethernet controllers, and multiple on-board transceivers functioning as external ports. The switching ASIC functions as a switch that manipulates data traffic within the NIC including by switching the data traffic between and among the CPU, the Ethernet controllers, and the on-board transceivers. The method includes: installing rules that route a Synchronize (SYN) packet from a source virtual machine (VM) through a software engine, appending a signed cookie to the SYN packet; verifying that a policy represented by the signed cookie appended to the SYN packet matches a policy of a destination VM; and returning the SYN packet to the source VM which establishes a connection between the source VM and the destination VM.
    Type: Grant
    Filed: June 13, 2022
    Date of Patent: June 13, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gal Sagi, Eran Gampel
  • Publication number: 20230108374
    Abstract: A system, method, and computer program product for implementing network state processing is provided. The method includes detecting operational states for ports of a server Internet protocol (IP) data plane component of an integrated switching device. Each operational state is analyzed and matching and action rules associated with the operational states are generated with respect to data packets arriving at the ports. Data describing each operational state is stored within a port cache structure of a port. An incoming data packet is detected at a first port and the matching and action rules are distributed between port engines of the ports. The matching and action rules are executed with respect to the incoming data packet and the incoming data packet is transmitted to a destination port. Operational functionality of the integrated switching device is enabled with respect to execution of the incoming data packet at the destination port.
    Type: Application
    Filed: October 6, 2021
    Publication date: April 6, 2023
    Inventors: Renato J. Recio, Eran Gampel, Claude Basso, Gal Sagi, Guy Laden
  • Patent number: 11537777
    Abstract: The invention relates to a server for providing a graphical user interface to a client over a communication network. The graphical user interface comprises a graphical user interface element, the graphical user interface element being formed by an element shape and an element text, the element shape being represented by element shape data, the element text being represented by element text data. The server comprises an encoder configured to encode the element shape data into video data, a detector configured to detect a change associated with the graphical user interface element within the graphical user interface, and a communication interface configured to separately transmit the video data and the element text data over the communication network, the element text data being transmitted upon detection of the change associated with the graphical user interface element for providing the graphical user interface to the client.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: December 27, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Jean-Pierre Morard, Eran Gampel
  • Publication number: 20220312090
    Abstract: A network interface card (NIC) and a method for establishing a connection between virtual machines of a network. The NIC includes: a programmable switching ASIC (application-specific integrated circuit), a central processing unit (CPU), multiple Ethernet controllers, and multiple on-board transceivers functioning as external ports. The switching ASIC functions as a switch that manipulates data traffic within the NIC including by switching the data traffic between and among the CPU, the Ethernet controllers, and the on-board transceivers. The method includes: installing rules that route a Synchronize (SYN) packet from a source virtual machine (VM) through a software engine, appending a signed cookie to the SYN packet; verifying that a policy represented by the signed cookie appended to the SYN packet matches a policy of a destination VM; and returning the SYN packet to the source VM which establishes a connection between the source VM and the destination VM.
    Type: Application
    Filed: June 13, 2022
    Publication date: September 29, 2022
    Inventors: Gal Sagi, Eran Gampel
  • Patent number: 11399034
    Abstract: The present disclosure provides a system for detecting and preventing the intrusion of malicious data flows in a software defined network (SDN). The system comprises at least one data storage or memory, configured to store flow states of data flows, and to share and update the flow states across the system, at least one shared-state forwarding element (FE) configured to block, forward, or replicate a received data flow based on a flow state of the data flow and/or a comparison of the data flow with predetermined patterns, and at least one inspection element (IE), configured to receive a replicated data flow, and to classify, whether the data flow is malicious or allowed. The IE is configured to alter the flow state of the data flow according to a classification result. The present disclosure provides a corresponding method for detecting and preventing intrusion of malicious data flows in a SDN.
    Type: Grant
    Filed: January 12, 2018
    Date of Patent: July 26, 2022
    Assignee: Huawei Cloud Computing Technologies Co., Ltd.
    Inventors: Shachar Snapiri, Eshed Gal-Or, Eran Gampel, Ayal Baron
  • Patent number: 11375300
    Abstract: An optical port routing enclosure and programmable NIC card as well as cluster topologies leveraging same are provided.
    Type: Grant
    Filed: June 10, 2018
    Date of Patent: June 28, 2022
    Assignee: International Business Machines Corporation
    Inventors: Gal Sagie, Eran Gampel
  • Patent number: 11122115
    Abstract: A system for processing packets in a network is provided. The system includes a computing platform running a software framework configured for accessing packets flowing into a packet processing pipeline of a node in the network; and identifying at least one pattern in said packets. Based on this pattern, the system routes a first portion of the packets into the packet processing pipeline and offloads a second portion of the packets to the computing platform to be processed by the software framework.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: September 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: Gal Sagie, Eran Gampel
  • Patent number: 11070515
    Abstract: A virtual address of a destination of a packet is parsed into a set of virtual address components. A subset of the set of virtual address components is tokenized into a token. The token is converted into at least a portion of a hostname. A look-up of a real network address corresponding to the hostname is performed. The packet is caused to be transmitted to the real network address, wherein the real network address corresponds to a host machine on a physical network, the receiving virtual entity operating on the host machine.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: July 20, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Marc Cochran, Eran Gampel, Gal Sagi
  • Publication number: 20200412688
    Abstract: A virtual address of a destination of a packet is parsed into a set of virtual address components. A subset of the set of virtual address components is tokenized into a token. The token is converted into at least a portion of a hostname. A look-up of a real network address corresponding to the hostname is performed. The packet is caused to be transmitted to the real network address, wherein the real network address corresponds to a host machine on a physical network, the receiving virtual entity operating on the host machine.
    Type: Application
    Filed: June 27, 2019
    Publication date: December 31, 2020
    Applicant: International Business Machines Corporation
    Inventors: Marc Cochran, Eran Gampel, Gal Sagi