Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security Traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.

Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security Traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.

Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.

Abstract: Techniques are described to provide efficient protection for a virtual private network. In one example, a method is provided that includes obtaining a packet at a first network entity; determining that the packet is a packet type of an authentication type; determining whether authentication content for the packet matches known good criteria for the packet type of the authentication type; based on determining that the authentication content for the packet does not match the known good criteria, performing at least one of dropping the packet and generating an alarm; and based on determining that the authentication content for the packet does match the known good criteria, processing the packet at the first network entity or forwarding the packet toward a second network entity.

Abstract: Presented herein are techniques for establishing VPN services. According to example embodiments, an initial VPN message configured to establish a VPN session between the initiating device and a responding device is received at a VPN node. The initial VPN message is received from an initiating device. Data indicative of the initiating device and data indicative of the responding device is extracted from the initial VPN message. A VPN namespace is established to facilitate the VPN session between the initiating device and the responding device based on the data indicative of the initiating device and the data indicative of the responding device. One or more messages comprising data indicative of the VPN session are transmitted to a database.

Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.

Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.

Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security Traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.

Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security Traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.

Abstract: Techniques are described to provide a peephole optimization for processing traffic for lightweight protocols at lower layers by executing them inside a virtual switch rather than using the network stack of a host node. In one example, a method includes determining by forwarding logic of a virtual switch that a received packet is associated with a query for one of domain information or address information. Based on such a determination, the virtual switch determines whether the query is contained within a single Ethernet frame and is answerable. Based on a positive determination for both, the virtual switch determines whether a response to the query can be transmitted in a single packet within a single Ethernet frame. Based on a positive determination of a single packet response, a response packet for the query is formed and injected into the forwarding logic for the virtual switch for transmitting to a destination.

Abstract: A system is provided to support a serverless environment and quickly generate containers to handle requests. The system includes a first network node, a container orchestration system, and a serving node. The first network node receives an initial packet of a request from a host and sends a notification to a container orchestration system. The notification includes header information from the initial packet and signals the reception of the initial packet of the request. The container orchestration system creates one or more new containers in response to the notification based on the header information of the initial packet. The serving node instantiates the new containers, receives the request from the host, and processes the request from the host with the new containers.

Abstract: Presented herein are techniques for establishing VPN services. According to example embodiments, an initial VPN message configured to establish a VPN session between the initiating device and a responding device is received at a VPN node. The initial VPN message is received from an initiating device. Data indicative of the initiating device and data indicative of the responding device is extracted from the initial VPN message. A VPN namespace is established to facilitate the VPN session between the initiating device and the responding device based on the data indicative of the initiating device and the data indicative of the responding device. One or more messages comprising data indicative of the VPN session are transmitted to a database.

Abstract: Techniques are described to provide a peephole optimization for processing traffic for lightweight protocols at lower layers by executing them inside a virtual switch rather than using the network stack of a host node. In one example, a method includes determining by forwarding logic of a virtual switch that a received packet is associated with a query for one of domain information or address information. Based on such a determination, the virtual switch determines whether the query is contained within a single Ethernet frame and is answerable. Based on a positive determination for both, the virtual switch determines whether a response to the query can be transmitted in a single packet within a single Ethernet frame. Based on a positive determination of a single packet response, a response packet for the query is formed and injected into the forwarding logic for the virtual switch for transmitting to a destination.

Abstract: A first request for a loopback address is obtained at a first device. The loopback address is associated with a service provided by a second device, and is obtained via a first interface of the second device. The loopback address is provided to the second device via the first interface. A second request for the loopback address associated with the service provided by the second device is obtained at the first device via a second interface of the second device. The loopback address is provided to the second device via the second interface. A first route to the service utilizing the loopback address and the first interface is programmed at the first device. A second route to the service utilizing the loopback address and the second interface is also programmed at the first device.

Abstract: Methods are provided for decentralized key negotiation. One method includes initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic. The method further includes obtaining, by the first IKE node from a key value store, information about the IPSec communication session and performing, by the first IKE node, at least a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session.

Abstract: Techniques are described to provide efficient protection for a virtual private network. In one example, a method is provided that includes obtaining a packet at a first network entity; determining that the packet is a packet type of an authentication type; determining whether authentication content for the packet matches known good criteria for the packet type of the authentication type; based on determining that the authentication content for the packet does not match the known good criteria, performing at least one of dropping the packet and generating an alarm; and based on determining that the authentication content for the packet does match the known good criteria, processing the packet at the first network entity or forwarding the packet toward a second network entity.

Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security Traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.

Abstract: A system is provided to support a serverless environment and quickly generate containers to handle requests. The system includes a first network node, a container orchestration system, and a serving node. The first network node receives an initial packet of a request from a host and sends a notification to a container orchestration system. The notification includes header information from the initial packet and signals the reception of the initial packet of the request. The container orchestration system creates one or more new containers in response to the notification based on the header information of the initial packet. The serving node instantiates the new containers, receives the request from the host, and processes the request from the host with the new containers.

Abstract: In one embodiment, a secure transport layer tunnel may be established over a public network between a first cloud gateway in a private cloud and a second cloud gateway in a public cloud, where the secure transport layer tunnel is configured to provide a link layer network extension between the private cloud and the public cloud. In addition, a cloud virtual Ethernet module (cVEM) may be executed (instantiated) within the public cloud, where the cVEM is configured to switch inter-virtual-machine (VM) traffic between the private cloud and one or more private application VMs in the public cloud connected to the cVEM.

Abstract: In one embodiment, a secure transport layer tunnel may be established over a public network between a first cloud gateway in a private cloud and a second cloud gateway in a public cloud, where the secure transport layer tunnel is configured to provide a link layer network extension between the private cloud and the public cloud. In addition, a cloud virtual Ethernet module (cVEM) may be executed (instantiated) within the public cloud, where the cVEM is configured to switch inter-virtual-machine (VM) traffic between the private cloud and one or more private application VMs in the public cloud connected to the cVEM.