Abstract: In one embodiment, a method includes receiving a packet associated with a flow at a network device, classifying the packet at the network device based on information received from a policy layer, inserting a Network Address Translation (NAT) indicator for the flow into the packet, and transmitting the packet in a service chain comprising network address translation. The NAT indicator is associated with the flows before and after network address translation to provide symmetry between the service chain and a return traffic service chain. An apparatus and logic are also disclosed herein.

Abstract: A network service packet (NSP) header security method includes receiving an NSP on a communication interface, analyzing, by a processor, the NSP in order to identify a plurality of service functions and an associated service function path for the plurality of service functions, identifying, by the processor, which security function or functions may be performed by each of the plurality of service functions on an NSP header to be generated for the NSP, requesting, by the processor, at least one key for securing at least part of the NSP header, receiving the at least one key on the communication interface, generating, by the processor, the NSP header for the NSP, securing, by the processor, the NSP header based on the at least one key, and sending, on the communication interface, the NSP with the NSP header to one of the plurality of service functions.

Abstract: A network service packet (NSP) header security method includes receiving an NSP on a communication interface, analyzing, by a processor, the NSP in order to identify a plurality of service functions and an associated service function path for the plurality of service functions, identifying, by the processor, which security function or functions may be performed by each of the plurality of service functions on an NSP header to be generated for the NSP, requesting, by the processor, at least one key for securing at least part of the NSP header, receiving the at least one key on the communication interface, generating, by the processor, the NSP header for the NSP, securing, by the processor, the NSP header based on the at least one key, and sending, on the communication interface, the NSP with the NSP header to one of the plurality of service functions.

Abstract: A network service packet (NSP) header security method includes receiving an NSP on a communication interface, analyzing, by a processor, the NSP in order to identify a plurality of service functions and an associated service function path for the plurality of service functions, identifying, by the processor, which security function or functions may be performed by each of the plurality of service functions on an NSP header to he generated for the NSP, requesting, by the processor, at least one key for securing at least part of the NSP header, receiving the at least one key on the communication interface, generating, by the processor, the NSP header for the NSP, securing, by the processor, the NSP header based on the at least one key, and sending, on the communication interface, the NSP with the NSP header to one of the plurality of service functions.

Abstract: In one embodiment, a network service packet header security method includes receiving a network service packet, analyzing the network service packet in order to identify a plurality of service functions and an associated service function path for the service functions, identifying which security function or functions may be performed by each of the service functions on a network service packet header to be generated for the network service packet, requesting at least one key for securing at least part of the network service packet header, receiving the at least one key, securing the network service packet header based on the at least one key, and sending the network service packet with the network service packet header to one of the service functions. Related apparatus and methods are also described.

Abstract: In one embodiment, a method includes storing a service topology route at a network device interconnecting at least two zones comprising a plurality of hosts, and propagating the service topology route to create a service chain comprising a service node in communication with the network device. The service topology route creates a forwarding state at network devices in the service chain for use in inter-zone routing in a virtual private network. An apparatus and logic are also disclosed herein.

Abstract: In one embodiment, an apparatus in a network determines particular metadata to communicate infrastructure information associated with a particular packet to another apparatus in the network. The apparatus sends into the network the particular packet including a metadata channel, comprising said particular metadata, external to the payload of the particular packet. Examples of infrastructure metadata carried in a packet include, but are not limited to, information defining service chaining for processing of the packet, contextual information for processing of the packet, specific handling instructions of the packet, and operations, maintenance, administration (OAM) instrumentation of the packet.

Abstract: Packets are encapsulated and sent from a service node to an application node for applying one or more Layer-4 to Layer-7 services to the packets, with service-applied packets being returned to the service node. An identification of a virtual private network (VPN) may be carried within a request packet, encapsulating a particular packet, sent by a service node to an application node for applying a service to the particular packet; with the corresponding response packet sent to the service node including an identification of the VPN for use by the service node in forwarding the services-applied packet. Additionally, parameters may be included in a request packet to identify a particular service of a general service to be applied to a particular packet encapsulated in the request packet.

Abstract: Packets are encapsulated and sent from a service node to an application node for applying one or more Layer-4 to Layer-7 services to the packets, with service-applied packets being returned to the service node. An identification of a virtual private network (VPN) may be carried within a request packet, encapsulating a particular packet, sent by a service node to an application node for applying a service to the particular packet; with the corresponding response packet sent to the service node including an identification of the VPN for use by the service node in forwarding the services-applied packet. Additionally, parameters may be included in a request packet to identify a particular service of a general service to be applied to a particular packet encapsulated in the request packet.

Abstract: In one embodiment, a method includes receiving a packet associated with a flow at a network device, classifying the packet at the network device based on information received from a policy layer, inserting a Network Address Translation (NAT) indicator for the flow into the packet, and transmitting the packet in a service chain comprising network address translation. The NAT indicator is associated with the flows before and after network address translation to provide symmetry between the service chain and a return traffic service chain. An apparatus and logic are also disclosed herein.

Abstract: Packets are encapsulated and sent from a service node to an application node for applying one or more Layer-4 to Layer-7 services to the packets, with service-applied packets being returned to the service node. An identification of a virtual private network (VPN) may be carried within a request packet, encapsulating a particular packet, sent by a service node to an application node for applying a service to the particular packet; with the corresponding response packet sent to the service node including an identification of the VPN for use by the service node node in forwarding the services-applied packet. Additionally, parameters may be included in a request packet to identify a particular service of a general service to be applied to a particular packet encapsulated in the request packet.

Abstract: An application node advertises service(s), using a routing protocol, that it offers to other network nodes. For example, the routing protocol used to advertise service(s) in a Service Provider Network is typically an link-state, Interior Gateway Protocol (IGP), such as, but not limited to, Intermediate System to Intermediate System (IS-IS) or Open Shortest Path First (OSPF). Packets are encapsulated and sent from a service node (e.g., packet switching device) using one or more advertised services applied to a packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000).

Abstract: An application node advertises service(s), using a label distribution protocol, that it offers to other network nodes and a corresponding label to use to identify these services(s). For example, a Targeted Label Distribution Protocol (tLDP) session may be established between a packet switching device and the application node providing these services to communicate the advertisement. Packets are encapsulated and sent from a service node (e.g., packet switching device) with the corresponding label to have one or more advertised services applied to the packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000).

Abstract: In one embodiment, a method includes receiving from a label distribution peer, a prefix/FEC to label mapping at a network device and processing the prefix/FEC to label mapping at the network device, wherein processing includes determining if a next hop interface of the prefix/FEC is in a same area as a link between the network device and the label distribution peer. The method further includes retaining the prefix/FEC to label mapping if the label distribution peer is a next hop for the prefix/FEC and if the next hop interface of the prefix/FEC is in the same area as the link between the network device and the label distribution peer, otherwise discarding the prefix/FEC to label mapping. An apparatus is also disclosed.

Abstract: In one embodiment, a method includes storing a service topology route at a network device interconnecting at least two zones comprising a plurality of hosts, and propagating the service topology route to create a service chain comprising a service node in communication with the network device. The service topology route creates a forwarding state at network devices in the service chain for use in inter-zone routing in a virtual private network. An apparatus and logic are also disclosed herein.

Abstract: In one embodiment, a network device determines identities of each peer device in a second routing domain attached to edge devices in a first routing domain. The network device associates each address prefix reachable in the second routing domain with an identity of each peer device in the second routing domain that advertised the address prefix and with an identity of one or more edge devices in the first routing domain to which that peer device is attached. The network device determines an address prefix is associated with a same identity of a peer device in the second routing domain but with different edge devices in the first routing domain. The network device assigns the different edge devices in the first routing domain associated with the determined address prefix to a shared risk node group (SRNG).

Abstract: In one embodiment, an apparatus in a network determines particular metadata to communicate infrastructure information associated with a particular packet to another apparatus in the network. The apparatus sends into the network the particular packet including a metadata channel, comprising said particular metadata, external to the payload of the particular packet. Examples of infrastructure metadata carried in a packet include, but are not limited to, information defining service chaining for processing of the packet, contextual information for processing of the packet, specific handling instructions of the packet, and operations, maintenance, administration (OAM) instrumentation of the packet.

Abstract: The protection of multi-segment pseudowires by utilizing backup paths is disclosed herein. Disclosed embodiments include methods that establish at least one backup path for multi-segment pseudowires, the establishing being performed prior to detection of failure in the primary path. Upon detecting a path failure, the detected failure is signaled to the head-end, a backup path is chosen, and reachability information associated with the chosen backup path is signaled across the backup path before reverse traffic is switched to the backup path. In other disclosed embodiments, apparatus are configured to establish, prior to detection of failure in the primary path, at least one backup path for the multi-segment pseudowire.

Abstract: In one embodiment, service routers may register their serviced VPNs with a service directory/broker (SDB), and edge routers may register their attached VPNs. The SDB may then return service headers, each corresponding to a particular VPN, and also returns an address of a service router corresponding to each service header to the edge routers. An edge router may then push an appropriate service header onto a received packet, and forward the packet to the corresponding service router, which forwards the packet based on a maintained VRF for a VPN according to the service header (e.g., thus the edge routers need only maintain limited/reduced VRFs). Also, services provided by the service routers may be distinguished using service headers accordingly. In this manner, the edge routers may forward packets requiring one or more desired services to service routers configured to perform such services.

Abstract: In one embodiment, a device of a particular non-backbone routing domain in a computer network determines whether each of one or more routes is reachable within the particular non-backbone domain. The device may then generate a filtered set of label mappings having only those of the one or more routes reachable within the particular non-backbone domain. Accordingly, the device may advertise label mappings only of the filtered set to one or more neighboring devices.