Abstract: Examples described herein relate to a network interface device comprising a multi-stage programmable packet processing pipeline circuitry to determine a path to transmit a packet based on relative network traffic transmitted via multiple paths. In some examples, determine a path to transmit a packet is based on Deficit Round Robin (DRR). In some examples, the programmable packet processing pipeline circuitry includes: a first stage to manage two or more paths, wherein a path of the two or more paths of the first stage is associated with two or more child nodes, a second stage to manage two or more paths, wherein a path of the two or more paths of the second stage is associated with two or more child nodes, and at least one child node is associated with the determined path.

Abstract: Examples described herein relate to an interface and circuitry coupled to the interface, the circuitry configured to execute instructions that cause the circuitry to perform floating point (FP) operations based on floating point data received in different packets. The order of the floating point operations can be based on a reorder of the data received in the different packets and wherein the reorder of the data received in the different packets is different than the order in which the packets were received.

Abstract: Examples described herein relate to an interface and circuitry coupled to the interface. The circuitry can provide an endpoint for a Transport Layer Security (TLS) over Remote Direct Memory Access (RDMA) connection with a first network interface device, provide an endpoint for a TLS over RDMA connection with a second network interface device, provide a transport layer endpoint for the packets received from the first network interface device, and provide a transport layer endpoint for the packets received from the second network interface device.

Abstract: Examples described herein relate to an interface and circuitry coupled to the interface. The circuitry can provide an endpoint for a PSP Security Protocol (PSP) connection to a first network interface device, provide an endpoint for a second PSP connection with a second network interface device, provide a transport layer endpoint for the packets received from the first network interface device, and provide a second transport layer endpoint for the packets received from the second network interface device.

Abstract: Examples described herein relate to an interface and circuitry coupled to the interface. The circuitry can provide an endpoint for a Datagram Transport Layer Security (DTLS) connection with a first network interface device, provide an endpoint for a second DTLS connection with a second network interface device, provide a transport layer endpoint for the packets received from the first network interface device, and provide a second transport layer endpoint for the packets received from the second network interface device.

Abstract: Examples described herein relate to a network interface device. The network interface device can include circuitry that is to: receive a first packet comprising a first packet header and a first packet payload; receive multiple subsequent packets comprising multiple packet headers for respective multiple subsequent packets; update at least one of the multiple packet headers; and construct egress packets. In some examples, the egress packets include respective one of the multiple packet headers and the first packet payload.

Abstract: Examples described herein relate to a network interface device. In some examples, packet processing circuitry in the network interface device is to receive a first packet and based on the first packet being associated with an identifier for which an entry is not present in a look-up table accessible to the packet processing circuitry, the packet processing circuitry is to provide the identifier for the first packet and an action for the identifier of the first packet and cause the first packet to configure a second look-up-table accessible to the packet processing circuitry with the action for the identifier.

Abstract: Examples described herein relate to a network interface device comprising a multi-stage programmable packet processing pipeline circuitry to determine a path to transmit a packet based on relative network traffic transmitted via multiple paths. In some examples, determine a path to transmit a packet is based on Deficit Round Robin (DRR). In some examples, the programmable packet processing pipeline circuitry includes: a first stage to manage two or more paths, wherein a path of the two or more paths of the first stage is associated with two or more child nodes, a second stage to manage two or more paths, wherein a path of the two or more paths of the second stage is associated with two or more child nodes, and at least one child node is associated with the determined path.

Abstract: Examples described herein relate to a switch comprising: circuitry, when operational, to receive a packet comprising a header and a payload and in conjunction with performance of computation on the packet payload, forward the packet header, but not the payload, to a destination endpoint. In some examples, the destination endpoint of the packet is to perform management of reliable transport. In some examples, the circuitry includes programmable data plane circuitry comprising ingress pipeline or egress pipeline and one or more match action units (MAUs) to perform processing of the payload, wherein the programmable data plane circuitry is to perform computation on the packet payload.

Abstract: A network element includes one or more hardware memory resources of fixed storage capacity for storing data used to configure a plurality of networking features of the network element. A utilization management process runs on the network element to perform operations including obtaining utilization data representing utilization of the one or more hardware memory resources, and analyzing the utilization data of the one or more hardware memory resources to produce summarized utilization data.

Abstract: A network element includes one or more hardware memory resources of fixed storage capacity for storing data used to configure a plurality of networking features of the network element. A utilization management process runs on the network element to perform operations including obtaining utilization data representing utilization of the one or more hardware memory resources, and analyzing the utilization data of the one or more hardware memory resources to produce summarized utilization data.

Abstract: An example method includes partitioning a memory element of a router into a plurality of segments having one or more rows, where at least a portion of the one or more rows is encoded with a value mask (VM) list having a plurality of values and masks. The VM list is identified by a label, and the label is mapped to a base row number and a specific number of bits corresponding to the portion encoding the VM list. Another example method includes partitioning a prefix into a plurality of blocks, indexing to a hash table using a value of a specific block, where a bucket of the hash table corresponds to a segment of a ternary content addressable memory of a router, and storing the prefix in a row of the segment.

Abstract: A method and system to detect an evasion attack are provided. The system may include a repository to store signature fragments that together constitute an attack signature, an interceptor to intercept a data packet associated with a network connection, a string-matching module to determine whether the payload of the data packet includes any of the stored signature fragments thereby identifying a match, a responder to perform a prevention action in response to the match, and a detector to detect that a size of the data packet is less than a size threshold. The system may further include a state machine to commence maintaining a state for the network connection in response to the detector determining that the size of the data packet is less than the size threshold.

Abstract: An example method includes partitioning a memory element of a router into a plurality of segments having one or more rows, where at least a portion of the one or more rows is encoded with a value mask (VM) list having a plurality of values and masks. The VM list is identified by a label, and the label is mapped to a base row number and a specific number of bits corresponding to the portion encoding the VM list. Another example method includes partitioning a prefix into a plurality of blocks, indexing to a hash table using a value of a specific block, where a bucket of the hash table corresponds to a segment of a ternary content addressable memory of a router, and storing the prefix in a row of the segment.

Abstract: A method and system to detect an evasion attack are provided. The system may include a repository to store signature fragments that together constitute an attack signature, an interceptor to intercept a data packet associated with a network connection, a string-matching module to determine whether the payload of the data packet includes any of the stored signature fragments thereby identifying a match, a responder to perform a prevention action in response to the match, and a detector to detect that a size of the data packet is less than a size threshold. The system may further include a state machine to commence maintaining a state for the network connection in response to the detector determining that the size of the data packet is less than the size threshold.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for a storage controller (e.g., memory controller, disk controller, etc.) performing a set of multiple operations on cached data with a no-miss guarantee until the multiple operations are complete, which may, for example, be used by a packet processor to quickly update multiple statistics values (e.g., byte, packet, error counts, etc.) based on processed packets. Operations to be performed on data at the same address and/or in a common data structure are grouped together and burst so that they arrive at the storage system in contiguous succession for the storage controller to perform. By not allowing the storage controller to flush the data from its cache until all of the operations are performed, even a tiny cache attached to the storage controller can reduce the bandwidth and latency of updating the data.

Abstract: Sequences of items may be maintained using ordered locks. These items may correspond to anything, but using ordered locks to maintain sequences of packets, especially for maintaining requisite packet orderings when distributing packets to be processed to different packet processing engines, may be particularly useful. For example, in response to a particular packet processing engine completing processing of a particular packet, a gather instruction is attached to the particular identifier of a particular ordered lock associated with the particular packet. If no longer needed for further processing, the packet processing engine is immediately released to be able to process another packet or perform another function. The gather instruction is typically performed in response to the particular ordered lock being acquired by the particular identifier, with the gather instruction causing the processed particular packet to be sent.

Abstract: Sequences of items may be maintained using ordered locks. These items may correspond to anything, but using ordered locks to maintain sequences of packets may be particularly useful. One implementation uses a locking request, acceptance, and release protocol. One implementation associates instructions with locking requests such that when a lock is acquired, the locking mechanism executes or causes to be executed the associated instructions as an acceptance request of the lock is implied by the association of instructions (or may be explicitly requested). In some applications, the ordering of the entire sequence of packets is not required to be preserved, but rather only among certain sub-sequences of the entire sequence of items, which can be accomplished by converting an initial root ordered lock (maintaining the sequence of the entire stream of items) to various other locks (each maintaining a sequence of different sub-streams of items).

Abstract: Data is protected using locks, with the protected data sometimes being included in the locking messages, which may reduce overall processing latency, and/or reduce a bandwidth requirement for and/or number of storage operations accessing the native storage of the protected data. For example, the lock manager receives lock requests from each of the requesters, and selectively grants the lock requests. The protected data is typically communicated in the locking messages when the lock is highly contested, or at least two request for access to the data are pending. The lock manager initiates the sequence by indicating in a grant message to a requester to include the protected data in its release message. The lock manager then copies this data received in the release message to its grant message to the next requestor.

Abstract: A network processor has numerous novel features including a multi-threaded processor array, a multi-pass processing model, and Global Packet Memory (GPM) with hardware managed packet storage. These unique features allow the network processor to perform high-touch packet processing at high data rates. The packet processor can also be coded using a stack-based high-level programming language, such as C or C++. This allows quicker and higher quality porting of software features into the network processor. Processor performance also does not severely drop off when additional processing features are added. For example, packets can be more intelligently processed by assigning processing elements to different bounded duration arrival processing tasks and variable duration main processing tasks. A recirculation path moves packets between the different arrival and main processing tasks.