Abstract: In one embodiment, a method by an apparatus of a segment routing (SR) network includes receiving a data packet and accessing an attestation token for the apparatus. The method further includes determining a location within a header of the received data packet for the attestation token and creating an updated header by encoding the attestation token in the determined location of the header. The method further includes sending the updated header with the encoded attestation token to another apparatus of the SR network.

Abstract: In one embodiment, a method includes a method includes receiving, by a headend node, network traffic. The method also includes determining, by the headend node, that the network traffic matches a service route. The method further includes steering, by the headend node, the network traffic into an SR-TE policy. The SR-TE policy is associated with the service route and includes a security level constraint.

Abstract: In one embodiment, new Segment Routing capabilities are used in the steering of packets through Segment Routing nodes in a network. A Segment List includes a set of one or more Segment List (SL) Groups, each of which identifies one or more Segments contiguously or non-contiguously stored in the Segment List (or stored across multiple Segment Lists) of a Segment Routing packet. Each SL Group typically includes one Segment that is encoded as a Segment Identifier, and may include Segments that are Extended Values. The steering order of SL Groups is not required to be the same order as they are listed in the Segment List, as the value of Segments Left may be increased, remain the same, or decreased (possibly to skip a next SL Group) and possibly based on the result of an evaluation of a conditional expression.

Abstract: In one embodiment, a third-party client network access device sends Internet Protocol (IP) encapsulating packets with a predetermined destination address of a node of the network client service provider (NCSP), with these IP encapsulating packets encapsulating original data packets. These IP encapsulating packets are communicated through the ISP network being used by the NCSP in providing its network services. The predetermined destination address, which is typically also a segment identifier, causes network service processing (e.g., according to a corresponding segment routing function) of the received packet by the node of the NCSP. This processing typically includes creating a segment routing packet encapsulating the original packet (extracted from the received IP encapsulating packet) with its segment list(s) being populated with segment identifier(s) according to a current NCSP segment routing policy reflective of a sequence of forwarding and service chaining operations of the NCSP service offering.

Abstract: The present technology is directed to a system and method for implementing network resource partitioning and Quality of Service (QoS) separation through network slicing. Embodiments of the present invention describe scalable network slicing method based on defining Segment Routing Flexible Algorithm to represent a network slice and assigning a distinct QoS policy queue to each of the Flexible Algorithms configured on a network node. Therefore, scalable network slice based queuing is implemented wherein a single packet processing queue is assigned to each Flex-Algorithm based network slice. QoS policy queue may be implemented in a hierarchical fashion by differentiation between flow packets in a single QoS policy queue based on value of experimental bits in the header.

Abstract: Techniques for implementing bi-directional paths in a segment routing communication network are described. A first segment routing policy, including a first path from a first node in the communication network to a second node in the communication network, is installed. A second segment routing policy, including a second path from the second node to the first node in the communication network, is installed. At the first node, a first identifier associated with the first segment routing policy is bound to a second association identifier associated with the second segment routing policy. At the second node, a second identifier associated with the second segment routing policy is bound to a first association identifier associated with the first segment routing policy.

Abstract: In one illustrative example, a network node (e.g. a router or switch) may receive a data packet and timestamp a copy of the data packet. The node may also compute a signature for the copy and insert the signature in a header of the copy. The node may send the copy to a controller for correlation with one or more other timestamped data packet copies of the data packet from one or more other network nodes having the same signature and for the computation of delay. The original data packet may be forwarded to a next network node without any timestamp or other metadata added to it. The processing of the data packets may be performed as part of a function for punting the timestamped data packet copy and forwarding, or as a function for forwarding and punting the timestamped data packet copy.

Abstract: In one embodiment, a network comprises a first forwarding domain using a first data plane forwarding protocol and a second forwarding domain using a second data plane forwarding protocol different than the first data forwarding plane forwarding protocol. The first forwarding domain includes a first path node and a particular border node. The second forwarding domain includes a second path node and the particular border node. The particular border node performs Segment Routing or other protocol interworking between the different data plane forwarding domains, such as for transporting packets through a different forwarding domain or translating a packet to use a different data forwarding protocol. These forwarding domains typically include Segment Routing (SR) and SR-Multiprotocol Label Switching (SR-MPLS). Paths through the network are determined by a Path Computation Engine and/or based on route advertisements such associated with Binding Segment Identifiers (BSIDs) (e.g.

Abstract: In one embodiment, Ethernet Virtual Private Network (EVPN) is implemented using Internet Protocol Version 6 (IPv6) Segment Routing (SRv6) underlay network and SRv6-enhanced Border Gateway Protocol (BGP) signaling. A particular route associated with a particular Internet Protocol Version 6 (IPv6) Segment Routing (SRv6) Segment Identifier (SID) is advertised in a particular route advertisement message of a routing protocol (e.g., BGP). The SID includes encoding representing a particular Ethernet Virtual Private Network (EVPN) Layer 2 (L2) flooding Segment Routing end function of the particular router and a particular Ethernet Segment Identifier (ESI), with the particular SID including a routable prefix to the particular router. The particular router receives a particular packet including the particular SID; and in response, the particular router performs the particular EVPN end function on the particular packet.

Abstract: The present technology is directed to a system and method for implementing network resource partitioning and Quality of Service (QoS) separation through network slicing. Embodiments of the present invention describe scalable network slicing method based on defining Segment Routing Flexible Algorithm to represent a network slice and assigning a distinct QoS policy queue to each of the Flexible Algorithms configured on a network node. Therefore, scalable network slice based queuing is implemented wherein a single packet processing queue is assigned to each Flex-Algorithm based network slice. QoS policy queue may be implemented in a hierarchical fashion by differentiation between flow packets in a single QoS policy queue based on value of experimental bits in the header.

Abstract: In one embodiment, a Segment Routing network node provides processing and network efficiencies in protecting Internet Protocol version 6 (IPv6) Segment Routing (SRv6) packets and functions using Security Segment Identifiers, which are included in Segment Lists of a Segment Routing Header of a SRv6 packet. The Security Segment Identifier provides, inter alia, origin authentication, integrity of information in one or more headers of the packet, and/or anti-replay protection. In one embodiment, a Security Segment Identifier includes a value determined based on a secured portion of the packet. A typically secured portion includes the Source and Destination Addresses, one or more Segment Identifiers in a Segment List and the Segments Left value. In one embodiment, the Destination Address and/or a Segment Identifier in the Segment List includes and an anti-replay value (e.g., sequence number or portion thereof) which is also in the secured portion of the packet.

Abstract: In one embodiment, segment routing network processing of packets is performed, including using segment routing packet policies and functions providing segment routing processing signaling and packet forwarding efficiencies in a network. A segment routing node signals to another segment routing node using a signaled segment identifier in a segment list of a segment routing packet with the segments left identifying a segment list element above the signaled segment identifier. A downstream segment routing node receives the segment routing packet, obtains this signaled segment identifier, and performs processing of one or more packets based thereon. In one embodiment, a provider edge node replaces its own segment identifier in a received customer packet, with a downstream customer node using the replaced (signaling) segment identifier (of a provider edge node/segment routing function) for accessing a return path through the provider network.

Abstract: In one embodiment, a Segment Routing gateway receives Segment Routing packets encapsulating native packets. The Segment Routing gateway stores the Segment Routing encapsulating headers. The native packets are communicated to a service function (or other device). Upon return, Segment Routing packets are generated including the returned native packets using correspondingly stored Segment Routing encapsulating headers, possibly updated with new policies. Segment Routing includes, but is not limited to, SRv6 and SR-MPLS. In one embodiment, the native packet is sent from a physical interface of the SR gateway to the service function, and returned to the SR gateway on one of its physical interface(s). In one embodiment, shared storage is accessible to both the SR gateway and the service function (or other device), so references (e.g., memory locations or pointers) are communicated between the SR gateway and the service function (or other device).

Abstract: In one embodiment, Ethernet Virtual Private Network (EVPN) is implemented using Internet Protocol Version 6 (IPv6) Segment Routing (SRv6) underlay network and SRv6-enhanced Border Gateway Protocol (BGP) signaling. A particular route associated with a particular Internet Protocol Version 6 (IPv6) Segment Routing (SRv6) Segment Identifier (SID) is advertised in a particular route advertisement message of a routing protocol (e.g., BGP). The SID includes a locator of a particular router and a function encoding representing a particular EVPN end function of the particular router, with the particular SID including a routable prefix to the particular router. The particular router receives a particular packet including the particular SID; and in response, the particular router performs the particular EVPN end function on the particular packet. In one embodiment, the particular packet includes a Segment Routing Header (SRH) including the particular SID as the currently active SID.

Abstract: In one embodiment, segment routing network processing of packets is performed on segment routing packets to use engineered segment routing reverse reply paths which provide efficiencies in communicating packets in a network. In one embodiment, a source node selects a segment identifier of a destination node, with the segment identifier specifying a function value of a dynamic return path segment routing function in order to invoke this function on the destination node. The source node then sends a segment routing packet to the destination address of this segment identifier. Reacting to receipt of this packet and the function value of the dynamic return path segment routing function in the destination address or current segment identifier of the packet, a receiving node generates a responding segment routing packet including the segment identifiers from the received packet in reverse traversal order.

Abstract: In one embodiment, segment routing network processing of packets is performed, including using segment routing packet policies and functions providing segment routing processing signaling and packet forwarding efficiencies in a network. A segment routing node signals to another segment routing node using a signaled segment identifier in a segment list of a segment routing packet with the segments left identifying a segment list element above the signaled segment identifier. A downstream segment routing node receives the segment routing packet, obtains this signaled segment identifier, and performs processing of one or more packets based thereon. In one embodiment, a provider edge node replaces its own segment identifier in a received customer packet, with a downstream customer node using the replaced (signaling) segment identifier (of a provider edge node/segment routing function) for accessing a return path through the provider network.

Abstract: Various implementations disclosed herein enable malleable routing for data packets. For example, in various implementations, a method of routing a type of data packets is performed by a device. In some implementations, the device includes a non-transitory memory and one or more processors coupled with the non-transitory memory. In some implementations, the method includes determining a routing criterion to transmit a set of data packets across a network. In some implementations, the method includes identifying network nodes and communication links in the network that satisfy the routing criterion. In some implementations, the method includes determining a route for the set of data packets through the network nodes and the communication links that satisfy the routing criterion. In some implementations, the method includes configuring the network nodes that are on the route with configuration information that allows the set of data packets to propagate along the route.

Abstract: In one embodiment, new Segment Routing capabilities are used in the steering of packets through Segment Routing nodes in a network. A Segment List includes a set of one or more Segment List (SL) Groups, each of which identifies one or more Segments contiguously or non-contiguously stored in the Segment List (or stored across multiple Segment Lists) of a Segment Routing packet. Each SL Group typically includes one Segment that is encoded as a Segment Identifier, and may include Segments that are Extended Values. The steering order of SL Groups is not required to be the same order as they are listed in the Segment List, as the value of Segments Left may be increased, remain the same, or decreased (possibly to skip a next SL Group) and possibly based on the result of an evaluation of a conditional expression.

Abstract: In one embodiment, a Segment Routing gateway receives Segment Routing packets encapsulating native packets. The Segment Routing gateway stores the Segment Routing encapsulating headers. The native packets are communicated to a service function (or other device). Upon return, Segment Routing packets are generated including the returned native packets using correspondingly stored Segment Routing encapsulating headers, possibly updated with new policies. Segment Routing includes, but is not limited to, SRv6 and SR-MPLS. In one embodiment, the native packet is sent from a physical interface of the SR gateway to the service function, and returned to the SR gateway on one of its physical interface(s). In one embodiment, shared storage is accessible to both the SR gateway and the service function (or other device), so references (e.g., memory locations or pointers) are communicated between the SR gateway and the service function (or other device).

Abstract: In one embodiment, Ethernet Virtual Private Network (EVPN) is implemented using Internet Protocol Version 6 (IPv6) Segment Routing (SRv6) underlay network and SRv6-enhanced Border Gateway Protocol (BGP) signaling. A particular route associated with a particular Internet Protocol Version 6 (IPv6) Segment Routing (SRv6) Segment Identifier (SID) is advertised in a particular route advertisement message of a routing protocol (e.g., BGP). The SID includes a locator of a particular router and a function encoding representing a particular EVPN end function of the particular router, with the particular SID including a routable prefix to the particular router. The particular router receives a particular packet including the particular SID; and in response, the particular router performs the particular EVPN end function on the particular packet. In one embodiment, the particular packet includes a Segment Routing Header (SRH) including the particular SID as the currently active SID.