Abstract: In one embodiment, a controller device in a computer network domain learns border gateway protocol (BGP) egress peering segments from one or more border routers of the domain, and determines a selected flow to segment route via a particular egress peering segment, the selected flow from a given routing device within the domain to a given destination of a remote domain. As such, the controller device may then instruct the given routing device to segment route the selected flow via the particular egress peering segment. In another embodiment, an egress border router shares its BGP egress peering segments, and receives a flow to segment route. The egress border router may determine, from a segment route contained within the flow, to which particular egress peering segment of the border router to segment route the flow, and forwards the flow out of the domain via the particular egress peering segment.

Abstract: A system comprising a plurality of service nodes, a controller and a network device in communication with the controller. Each of the plurality of service nodes is configured to support one or more service functions to establish a service function chain that includes a plurality of service functions to be performed by routing traffic among the plurality of service nodes. The controller is configured to generate provisioning information for the service function chain. The provisioning information includes at least one condition upon which a service function reclassification or branching operation is to be performed by at least one service node. The network device is in communication with the controller, and is configured to distribute the provisioning information for the service function chain to the plurality of service nodes using a distributed routing protocol.

Abstract: A method is provided in one particular example and may include obtaining routing information for a plurality of Internet Protocol (IP) addresses in a first network that natively supports a first Internet protocol, the routing information for the plurality of IP addresses in the first network further comprising an additional IP address in the first network and an indication that the additional IP address in the first network is to be used as a tunnel endpoint within the first network for receiving data destined to any of the plurality of IP addresses in the first network; and sending data destined to any one of the plurality of IP addresses in the first network to the additional IP address in the first network.

Abstract: A system comprising a plurality of service nodes, a controller and a network device in communication with the controller. Each of the plurality of service nodes is configured to support one or more service functions to establish a service function chain that includes a plurality of service functions to be performed by routing traffic among the plurality of service nodes. The controller is configured to generate provisioning information for the service function chain. The provisioning information includes at least one condition upon which a service function reclassification or branching operation is to be performed by at least one service node. The network device is in communication with the controller, and is configured to distribute the provisioning information for the service function chain to the plurality of service nodes using a distributed routing protocol.

Abstract: A system comprising a plurality of service nodes, a controller and a network device in communication with the controller. Each of the plurality of service nodes is configured to support one or more service functions to establish a service function chain that includes a plurality of service functions to be performed by routing traffic among the plurality of service nodes. The controller is configured to generate provisioning information for the service function chain. The provisioning information includes at least one condition upon which a service function reclassification or branching operation is to be performed by at least one service node. The network device is in communication with the controller, and is configured to distribute the provisioning information for the service function chain to the plurality of service nodes using a distributed routing protocol.

Abstract: In one embodiment, a router located at an exit edge of an autonomous system (AS) receives a data packet in a data plane, and determines a destination of the data packet and an associated AS-path information to the destination. The router may then insert the AS-path information into the data packet, and forwards the data packet with the AS-path information toward the destination, such that a receiving device in a destination AS can validate whether the data packet was routed through a path that was secure from a control plane perspective based on a collection of one or more insertions of AS-path information.

Abstract: In one embodiment, a validation server in a computer network determines that an edge router of the computer network has blocked access to a desired server address based on the edge router not having authentication information for the desired server address. In response, the server creates a white-listing policy to temporarily allow access to the desired server address at the edge router, and sends the white-listing policy to the edge router. The validation server may then proceed with performing server fetching operations to the desired server address from the validation server while the white-listing policy is in effect, and instructs the edge device to remove the white-listing policy once the server fetching operations are completed.

Abstract: In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.

Abstract: A system comprising a plurality of service nodes, a controller and a network device in communication with the controller. Each of the plurality of service nodes is configured to support one or more service functions to establish a service function chain that includes a plurality of service functions to be performed by routing traffic among the plurality of service nodes. The controller is configured to generate provisioning information for the service function chain. The provisioning information includes at least one condition upon which a service function reclassification or branching operation is to be performed by at least one service node. The network device is in communication with the controller, and is configured to distribute the provisioning information for the service function chain to the plurality of service nodes using a distributed routing protocol.

Abstract: In one embodiment, an edge router receives an update message from a neighboring EBGP edge router, creates a modified origin validation state extended community, prepares a modified update message by attaching the modified origin validation state extended community to the update message, and sends the modified update message to a route reflector. The route reflector receives the modified update message, performs a prefix origin validation and a path validation based on the information contained in the modified update message, prepares a validation message based on the prefix origin validation and path validation, and sends the validation message to the edge router and to all other neighboring IBGP edge routers. The edge routers receive the validation message from the route reflector, parse the validation message, and inherit a validation state parsed from the validation message.

Abstract: In one embodiment, a router selects a particular peer from an original update group used with an Exterior Gateway Protocol (EGP) such as Border Gateway Protocol (BGP). The original update group includes a plurality of peers of the router that share a same outbound policy and that receive common update messages, from the router, of routing table information. The router determines that the particular peer is a potential slow peer based on a first type of indicia, wherein a slow peer is a peer that cannot keep up with a rate at which the router generates update messages over a prolonged period of time. The router confirms that one or more second types of indicia are consistent with the particular peer being a slow peer. In response to the confirmation, the router determines that the particular peer is a slow peer.

Abstract: A method is provided in one particular example and may include obtaining routing information for a plurality of Internet Protocol (IP) addresses in a first network that natively supports a first Internet protocol, the routing information for the plurality of IP addresses in the first network further comprising an additional IP address in the first network and an indication that the additional IP address in the first network is to be used as a tunnel endpoint within the first network for receiving data destined to any of the plurality of IP addresses in the first network; and sending data destined to any one of the plurality of IP addresses in the first network to the additional IP address in the first network.

Abstract: A method is provided in one particular example and may include obtaining routing information for a natively supported Internet protocol of a first network that uses a first routing policy; identifying a route with a tunnel endpoint using the routing information, where the tunnel endpoint supports transitioning between a plurality of Internet protocols; generating tunnel information for the route; and sending the route and the tunnel information to a network element in a second network that uses a second routing policy.

Abstract: In one embodiment, a controller device in a computer network domain learns border gateway protocol (BGP) egress peering segments from one or more border routers of the domain, and determines a selected flow to segment route via a particular egress peering segment, the selected flow from a given routing device within the domain to a given destination of a remote domain. As such, the controller device may then instruct the given routing device to segment route the selected flow via the particular egress peering segment. In another embodiment, an egress border router shares its BGP egress peering segments, and receives a flow to segment route. The egress border router may determine, from a segment route contained within the flow, to which particular egress peering segment of the border router to segment route the flow, and forwards the flow out of the domain via the particular egress peering segment.

Abstract: In one embodiment, a validation server in a computer network determines that an edge router of the computer network has blocked access to a desired server address based on the edge router not having authentication information for the desired server address. In response, the server creates a white-listing policy to temporarily allow access to the desired server address at the edge router, and sends the white-listing policy to the edge router. The validation server may then proceed with performing server fetching operations to the desired server address from the validation server while the white-listing policy is in effect, and instructs the edge device to remove the white-listing policy once the server fetching operations are completed.

Abstract: In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.

Abstract: In one embodiment, a router located at an exit edge of an autonomous system (AS) receives a data packet in a data plane, and determines a destination of the data packet and an associated AS-path information to the destination. The router may then insert the AS-path information into the data packet, and forwards the data packet with the AS-path information toward the destination, such that a receiving device in a destination AS can validate whether the data packet was routed through a path that was secure from a control plane perspective based on a collection of one or more insertions of AS-path information.

Abstract: In one embodiment, a router may store a “neighbor table” for storing the router's Border Gateway Protocol (BGP) neighbors. Each neighbor corresponds to a virtual routing and forwarding (VRF) instance and associated VRF identifier (ID), and the neighbor table indexes the BGP neighbors according to their respective VRF ID. In response to initiating a BGP update generation for a BGP table having BGP network entries, each entry having an associated VRF ID that indicates to which VRF instance the BGP entry is to be advertised, a single lookup operation for each BGP entry is performed into the neighbor table based on the corresponding VRF ID of each BGP entry to determine a corresponding VRF update group of indexed BGP neighbors to which each BGP entry is to be advertised. Accordingly, a shared BGP update may be generated for each VRF update group for the initiated BGP update generation.

Abstract: In an embodiment, a method is provided at which it is used in a device. In this method, a logical identifier assigned to the device is identified and additionally, a mesh group identifier identifying a mesh group is identified. The logical identifier and the mesh group identifier are encoded in a routing message, which is used in an inter-domain routing protocol, and this routing message is transmitted to a reflector device in communication with the device. The reflector device is configured to transmit the routing message to a remote device included in the computer network.

Abstract: In one embodiment, a router selects a particular peer from an original update group used with an Exterior Gateway Protocol (EGP) such as Border Gateway Protocol (BGP). The original update group includes a plurality of peers of the router that share a same outbound policy and that receive common update messages, from the router, of routing table information. The router determines that the particular peer is a potential slow peer based on a first type of indicia, wherein a slow peer is a peer that cannot keep up with a rate at which the router generates update messages over a prolonged period of time. The router confirms that one or more second types of indicia are consistent with the particular peer being a slow peer. In response to the confirmation, the router determines that the particular peer is a slow peer.