Abstract: A method of selecting an egress interface for a source process running on an electronic device is provided. The device implements a TCP/IP stack utilized by a plurality of applications for sending network packets. The method receives a packet from a particular application in the plurality of applications to send to a network destination over a socket tagged with an identifier of the particular application. The method compares the socket tag with a set of network egress interface tags. Each network egress interface tag is associated with a network egress interface in a plurality of network egress interfaces. Each network egress interface tag includes the identifier of an application that utilizes the network egress interface. The method selects a network egress interface with a tag that matches the socket tag. The method sends the packet to the network destination through the selected network egress interface.

Abstract: A method of selecting an egress interface for a source process running on an electronic device is provided. The device implements a TCP/IP stack utilized by a plurality of applications for sending network packets. The method receives a packet from a particular application in the plurality of applications to send to a network destination over a socket tagged with an identifier of the particular application. The method compares the socket tag with a set of network egress interface tags. Each network egress interface tag is associated with a network egress interface in a plurality of network egress interfaces. Each network egress interface tag includes the identifier of an application that utilizes the network egress interface. The method selects a network egress interface with a tag that matches the socket tag. The method sends the packet to the network destination through the selected network egress interface.

Abstract: A solution for firewall auto-learning in in zero trust environments, such as cloud environments, includes: based at least on a first trigger event, determining a first set of restricted dependencies for a cloud service firewall to learn for a first application; during a first learning phase, learning a first set of candidate rules corresponding to at least a portion of the first set of restricted dependencies; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the first set of candidate rules, to generate a first set of verified rules; and operating the firewall with the first set of verified rules for the first application. Some examples include receiving a set of constraints, such as a selection from a set of preset constraints and/or a custom constraint. Some examples include retraining based at least on a second trigger event and/or learning rules for a second application.

Abstract: A method of selecting an egress interface for a source process running on an electronic device is provided. The device implements a TCP/IP stack utilized by a plurality of applications for sending network packets. The method receives a packet from a particular application in the plurality of applications to send to a network destination over a socket tagged with an identifier of the particular application. The method compares the socket tag with a set of network egress interface tags. Each network egress interface tag is associated with a network egress interface in a plurality of network egress interfaces. Each network egress interface tag includes the identifier of an application that utilizes the network egress interface. The method selects a network egress interface with a tag that matches the socket tag. The method sends the packet to the network destination through the selected network egress interface.

Abstract: A method of selecting an egress interface for a source process running on an electronic device is provided. The device implements a TCP/IP stack utilized by a plurality of applications for sending network packets. The method receives a packet from a particular application in the plurality of applications to send to a network destination over a socket tagged with an identifier of the particular application. The method compares the socket tag with a set of network egress interface tags. Each network egress interface tag is associated with a network egress interface in a plurality of network egress interfaces. Each network egress interface tag includes the identifier of an application that utilizes the network egress interface. The method selects a network egress interface with a tag that matches the socket tag. The method sends the packet to the network destination through the selected network egress interface.

Abstract: Techniques disclosed herein provide an approach for diagnosing problems in a network connection established between applications running on two endpoints. In one embodiment, upon identification of a potential issue in the network connection, a connection detector is triggered in one of the endpoints and requests a kernel of that endpoint to transmit an on-demand, non-invasive packet to the other endpoint. The connection detector then determines whether the application running on the other endpoint is available via the connection based on whether an acknowledgment packet is received from the other endpoint after the transmission of the non-invasive packet.

Abstract: A method of selecting an egress interface for a source process running on an electronic device is provided. The device implements a TCP/IP stack utilized by a plurality of applications for sending network packets. The method receives a packet from a particular application in the plurality of applications to send to a network destination over a socket tagged with an identifier of the particular application. The method compares the socket tag with a set of network egress interface tags. Each network egress interface tag is associated with a network egress interface in a plurality of network egress interfaces. Each network egress interface tag includes the identifier of an application that utilizes the network egress interface. The method selects a network egress interface with a tag that matches the socket tag. The method sends the packet to the network destination through the selected network egress interface.

Abstract: Example methods are provided to influence path selection during a multipath connection between a first endpoint and a second endpoint. The method may comprise configuring, for a first subflow of a multipath connection, a first set of tuples and establishing, over a network interface of the first endpoint, the first subflow with the second endpoint. The method may further comprise configuring, for a second subflow of the multipath connection, a second set of tuples based a path selection algorithm learned by the first endpoint; and establishing the second subflow with the second endpoint. The method may further comprise sending first packets having the first set of tuples on the first subflow and second packets having the second set of tuples on the second subflow to the second endpoint via an intermediate device that uses the path selection algorithm.

Abstract: Example methods are provided for a first endpoint to transfer a first data set and a second data set to a second endpoint using a multipath connection. The method may comprise detecting the first data set and the second data set from an application executing on the first endpoint for transfer to the second endpoint. The method may comprise, in response to determination that in-order transfer is not required for the first data set and the second data set, establishing a first subflow of a multipath connection with the second endpoint to send the first data set and establishing a second subflow of the multipath connection to send the second data set. The method may further comprise sending the first data set on the first subflow and the second data set on the second subflow to the second endpoint.

Abstract: Example methods are provided to perform data transfer between a first endpoint and a second endpoint. The method may comprise detecting an elephant flow of data from an application executing on the first endpoint for transfer to the second endpoint; and splitting the elephant flow to obtain first packets and second packets. The first endpoint may have cognizance of a first path and a second path between a first network interface of the first endpoint and a second network interface of the second endpoint. The method may comprise establishing a first subflow and a second subflow of a multipath connection with the second endpoint; and sending, over the first network interface, the first packets on the first subflow and the second packets on the second subflow to the second network interface.

Abstract: Embodiments relate to classifying network streams and regulating behavior of the streams based on their respective classes. One technique for managing streams involves analyzing applications, obtaining indicia of features of the applications, and using those features to infer classes to which streams of the applications may be assigned. Another technique involves deploying beacon nodes at the edge of a network. The beacon nodes inform a stream manager about network conditions such as latencies with regard to network boundaries or regions. Another embodiment for facilitating management of streams involves a subscription service for UDP applications. A UDP application may subscribe to the service, which may be provided by an operating system hosting the application. Events are published to any subscribed UDP applications to inform the UDP applications of changes in networking conditions. The UDP applications, in turn, may adapt their internal transmission control logic.

Abstract: Some embodiments provide a method for reducing congestion in a network stack that includes a series of components that send data packets through the network stack to a network. At a first component of the network stack, the method receives a data packet from a second component of the network stack. The method identifies a usage indicator value for a flow to which the data packet belongs. The usage indicator value is based on a comparison of a size of the flow to a size of a queue for a third component of the network stack. The method determines whether to send the data packet based on a comparison of the usage indicator value to a threshold usage value. The method sends the data packet to a next component of the network stack only when the usage indicator value is less than the threshold usage value.

Abstract: Techniques disclosed herein provide an approach for diagnosing problems in a network connection established between applications running on two endpoints. In one embodiment, upon identification of a potential issue in the network connection, a connection detector is triggered in one of the endpoints and requests a kernel of that endpoint to transmit an on-demand, non-invasive packet to the other endpoint. The connection detector then determines whether the application running on the other endpoint is available via the connection based on whether an acknowledgment packet is received from the other endpoint after the transmission of the non-invasive packet.

Abstract: Example methods are provided to perform data transfer between a first endpoint and a second endpoint. The method may comprise detecting an elephant flow of data from an application executing on the first endpoint for transfer to the second endpoint; and splitting the elephant flow to obtain first packets and second packets. The first endpoint may have cognizance of a first path and a second path between a first network interface of the first endpoint and a second network interface of the second endpoint. The method may comprise establishing a first subflow and a second subflow of a multipath connection with the second endpoint; and sending, over the first network interface, the first packets on the first subflow and the second packets on the second subflow to the second network interface.

Abstract: Example methods are provided for a first endpoint to transfer a first data set and a second data set to a second endpoint using a multipath connection. The method may comprise detecting the first data set and the second data set from an application executing on the first endpoint for transfer to the second endpoint. The method may comprise, in response to determination that in-order transfer is not required for the first data set and the second data set, establishing a first subflow of a multipath connection with the second endpoint to send the first data set and establishing a second subflow of the multipath connection to send the second data set. The method may further comprise sending the first data set on the first subflow and the second data set on the second subflow to the second endpoint.

Abstract: Example methods are provided to influence path selection during a multipath connection between a first endpoint and a second endpoint. The method may comprise configuring, for a first subflow of a multipath connection, a first set of tuples and establishing, over a network interface of the first endpoint, the first subflow with the second endpoint. The method may further comprise configuring, for a second subflow of the multipath connection, a second set of tuples based a path selection algorithm learned by the first endpoint; and establishing the second subflow with the second endpoint. The method may further comprise sending first packets having the first set of tuples on the first subflow and second packets having the second set of tuples on the second subflow to the second endpoint via an intermediate device that uses the path selection algorithm.

Abstract: An operating system implements classes of network streams. Applications assign their network streams to the classes. The operating system, in turn, regulates the streams according to which classes the streams are in. As conditions change, network resources may be made available or more fully utilized by regulating streams according to which classes they have been assigned to. Network resources may be made available, perhaps rapidly or preemptively, for streams in higher priority classes by restricting streams in lower priority classes.

Abstract: Some embodiments provide a method for reducing congestion in a network stack that includes a series of components that send data packets through the network stack to a network. At a first component of the network stack, the method receives a data packet from a second component of the network stack. The method identifies a usage indicator value for a flow to which the data packet belongs. The usage indicator value is based on a comparison of a size of the flow to a size of a queue for a third component of the network stack. The method determines whether to send the data packet based on a comparison of the usage indicator value to a threshold usage value. The method sends the data packet to a next component of the network stack only when the usage indicator value is less than the threshold usage value.

Abstract: Some embodiments provide a method for reducing congestion in a network stack that includes a series of components that send data packets through the network stack to a network. At a first component of the network stack, the method receives a data packet from a second component of the network stack. The method identifies a usage indicator value for a flow to which the data packet belongs. The usage indicator value is based on a comparison of a size of the flow to a size of a queue for a third component of the network stack. The method determines whether to send the data packet based on a comparison of the usage indicator value to a threshold usage value. The method sends the data packet to a next component of the network stack only when the usage indicator value is less than the threshold usage value.

Abstract: Some embodiments provide a method for reducing congestion in a network stack that includes a series of components that send data packets through the network stack to a network. At a first component of the network stack, the method receives a data packet from a second component of the network stack. The method identifies a usage indicator value for a flow to which the data packet belongs. The usage indicator value is based on a comparison of a size of the flow to a size of a queue for a third component of the network stack. The method determines whether to send the data packet based on a comparison of the usage indicator value to a threshold usage value. The method sends the data packet to a next component of the network stack only when the usage indicator value is less than the threshold usage value.