Patents by Inventor Roberto Bifulco

Roberto Bifulco has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10243922
    Abstract: A method for operating a network includes implementing at least one service function chain (SFC) including several service functions (SFs) for providing traffic steering; encoding traffic steering information related to the at least one SFC; and using redundant information in an addressing scheme of network hosts for addressing the SFs.
    Type: Grant
    Filed: September 23, 2014
    Date of Patent: March 26, 2019
    Assignee: NEC CORPORATION
    Inventors: Roberto Bifulco, Anton Matsiuk
  • Patent number: 10218617
    Abstract: A method for handling packets in a network by means of forwarding tables includes providing a software switching layer for implementing a software forwarding table; providing a hardware switching layer for implementing at least one of exact matching forwarding tables and wildcard matching forwarding tables; and redistributing, by using a switch management component for controlling the software switching layer and the hardware switching layer, installed forwarding table entries (FTEs) matching a particular flow between the software switching layer and the hardware switching layer based on traffic characteristics of said flow.
    Type: Grant
    Filed: July 15, 2015
    Date of Patent: February 26, 2019
    Assignee: NEC CORPORATION
    Inventor: Roberto Bifulco
  • Publication number: 20190037054
    Abstract: A method for establishing a TCP connection between a first end-point and a second end-point includes: establishing a first TCP connection between the first end-point and the second end-point; the second end-point dynamically deciding on redirecting the first TCP connection via a chain of proxies that interconnects the first end-point and the second end-point; based upon a case of a redirection decision by the second end-point occurring, the first end-point establishing a new TCP connection with the first proxy of the chain of proxies; and establishing a segmented TCP connection between the first end-point and the second end-point via the chain of proxies and transferring data between the first end-point and the second end-point through the chain of proxies.
    Type: Application
    Filed: January 26, 2016
    Publication date: January 31, 2019
    Inventors: Roberto Bifulco, Simon Kuenzer
  • Publication number: 20190014061
    Abstract: A stateful network packet processing system includes first and second stateful stages and a distribution mechanism. The first stateful stage includes a first state table and a first FSM table. The second stateful stage includes a second state table and a second FSM table. The distribution mechanism defines when a flow should be processed by either the first stateful stage or the second stateful stage or by a combination of the first stateful stage and the second stateful stage. At least one of the first or second FSM tables is extended with states and transitions that support the distribution mechanism.
    Type: Application
    Filed: March 31, 2016
    Publication date: January 10, 2019
    Applicant: NEC Laboratories Europe GmbH
    Inventors: Roberto BIFULCO, Anton MATSIUK
  • Publication number: 20180278506
    Abstract: A method for transmitting, over a transport network, data belonging to a data flow includes creating a proxy network including a plurality of transport network proxies; defining a plurality of proxy pairs; defining a plurality of proxy pair links; determining, for each proxy pair link, a round trip time (RTT) of the respective proxy pair link; determining, using the determined RTTs of the plurality of proxy pair links, a list of one or more preferred paths for each proxy pair, each preferred path connecting, via one or more of the plurality of proxy pair links, one proxy of the respective proxy pair to the other proxy of the respective proxy pair; and transmitting, from an ingress proxy to an egress proxy, the data belonging to the data flow over a proxy pair path selected from the list of preferred proxy pair paths.
    Type: Application
    Filed: March 24, 2017
    Publication date: September 27, 2018
    Inventors: Roberto Bifulco, Tobias Jacobs
  • Patent number: 10057236
    Abstract: A method for providing a guarantee of a network property includes receiving, from a network user, a signature and a request for the network property, wherein the request for the network property includes a public key of the network user; verifying that the signature received from the network user matches the public key of the network user; demonstrating the capability of providing the network property by determining policies to be installed on nodes of the network so as to enable the network property to be provided; generating, in response to the demonstrating the capability of providing the network property, a secure certificate that contains a secure acknowledgment (ACK) of a commitment to provide the network property; and providing the secure certificate to the network user as a guarantee of the network property.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: August 21, 2018
    Assignee: NEC CORPORATION
    Inventors: Roberto Bifulco, Ghassan Karame
  • Publication number: 20180048561
    Abstract: A method for forwarding data in form of flows in a software-defined network includes forwarding, if the data matches a present forwarding rule on a first forwarding element, the data with a time delay according to a time delay policy and generated by a delay entity such that a first number of first packets of the data is forwarded by the first forwarding element with a first forwarding time delay, and a second number of second packets of the data with a second forwarding time delay. The first forwarding time delay and the second forwarding time delay have a certain time difference from each other.
    Type: Application
    Filed: March 12, 2015
    Publication date: February 15, 2018
    Inventors: Roberto Bifulco, Ghassan Karame, Felix Klaedtke, Heng Cui
  • Publication number: 20170374051
    Abstract: A method for providing a guarantee of a network property includes receiving, from a network user, a signature and a request for the network property, wherein the request for the network property includes a public key of the network user; verifying that the signature received from the network user matches the public key of the network user; demonstrating the capability of providing the network property by determining policies to be installed on nodes of the network so as to enable the network property to be provided; generating, in response to the demonstrating the capability of providing the network property, a secure certificate that contains a secure acknowledgment (ACK) of a commitment to provide the network property; and providing the secure certificate to the network user as a guarantee of the network property.
    Type: Application
    Filed: September 8, 2017
    Publication date: December 28, 2017
    Inventors: Roberto Bifulco, Ghassan Karame
  • Publication number: 20170302623
    Abstract: A method for operating a network includes implementing at least one service function chain (SFC) including several service functions (SFs) for providing traffic steering; encoding traffic steering information related to the at least one SFC; and using redundant information in an addressing scheme of network hosts for addressing the SFs.
    Type: Application
    Filed: September 23, 2014
    Publication date: October 19, 2017
    Inventors: Roberto BIFULCO, Anton MATSIUK
  • Patent number: 9794244
    Abstract: A method for operating a network in which a Software-Defined Networking (SDN) functionality between at least some of a plurality of elements of the network is realized by at least one controller. The method includes providing a secure proof of at least one network property. The secure proof of the at least one network property is provided by the SDN functionality.
    Type: Grant
    Filed: August 6, 2013
    Date of Patent: October 17, 2017
    Assignee: NEC Corporation
    Inventors: Roberto Bifulco, Ghassan Karame
  • Patent number: 9660934
    Abstract: A method for handling subscribers' network traffic between a CPE (customer premises equipment) and a broadband access network includes establishing a subscriber session between the CPE and a BNG (broadband network gateway, an entity within the broadband access network), to set up a network route between the CPE and the BNG. Data transmitted within the subscriber session are encapsulated into protocol frames. A NCE (network control entity) acquires a state of the subscriber session and updates network policies in at least one network entity on the network route based on the state of the subscriber session. A DEM (dynamic encapsulation module) decides, based on a DEM configuration, whether data sent to the broadband access network are encapsulated data within the subscriber session or are non-encapsulated data outside the subscriber session. The data are transmitted on a part of the network route and are handled according to the network policies.
    Type: Grant
    Filed: October 18, 2013
    Date of Patent: May 23, 2017
    Assignee: NEC CORPORATION
    Inventors: Roberto Bifulco, Hans-Joerg Kolbe
  • Publication number: 20170142212
    Abstract: A method for monitoring a status in a form of presence and/or absence of a subscribed network entity in a network by a presence service, wherein the network is a software defined network having one or more forwarding elements being configurable for recognizing and applying one or more actions on packets being forwarded by the forwarding elements and one or more network entities, includes monitoring the status of the subscribed network entity. The monitoring the status of the subscribed network entity includes providing the presence service with a status update of the selected network entity only when at least one of the one or more forwarding elements, to which the selected network entity is directly connected, has detected a change in the presence status of the subscribed network entity; and dropping packets of the subscribed network entity destined for the presence service.
    Type: Application
    Filed: June 26, 2014
    Publication date: May 18, 2017
    Applicant: NEC Europe Ltd.
    Inventor: Roberto BIFULCO
  • Publication number: 20170142026
    Abstract: A method of providing access control for a software defined network (SDN) controller includes establishing a cascaded flow of flow table entries by linking together flow table entries of flow tables that are installed at network resources and that apply to the same packets or network flows, analyzing the impact of configuration requests from one or more applications regarding the installation and/or removal of flow table entries on existing cascaded flows, and rejecting configuration requests if the installation and/or removal of flow table entries according to the configuration requests would destroy an existing cascaded flow. The SDN controller includes an interface for interacting with one or more applications that are installed to run at the control plane of the SDN atop the SDN controller.
    Type: Application
    Filed: July 16, 2014
    Publication date: May 18, 2017
    Inventors: Felix Klaedtke, Ghassan Karame, Roberto Bifulco
  • Publication number: 20170134277
    Abstract: A method for handling packets in a network by means of forwarding tables includes providing a software switching layer for implementing a software forwarding table; providing a hardware switching layer for implementing at least one of exact matching forwarding tables and wildcard matching forwarding tables; and redistributing, by using a switch management component for controlling the software switching layer and the hardware switching layer, installed forwarding table entries (FTEs) matching a particular flow between the software switching layer and the hardware switching layer based on traffic characteristics of said flow.
    Type: Application
    Filed: July 15, 2015
    Publication date: May 11, 2017
    Inventor: Roberto Bifulco
  • Publication number: 20170111227
    Abstract: A method for mounting a device at a server in a network includes attaching the device at an anchor. A virtualized connection is set up between the anchor and the server based on a predefined anchor configuration. Temporary device information is encoded into a network flow generated by the device. Mounting of the device is attempted at the server. Functions and/or data are provided to the mounted device by the server based on a successful mounting. Another server is selected for mounting the device based on an unsuccessful mounting. The network flow of the device is identified and redirected to the selected server by installing one or more forwarding rules on one or more forwarding elements of the software defined network using the temporary device information for identification of the network flow of the mounted device.
    Type: Application
    Filed: May 23, 2014
    Publication date: April 20, 2017
    Inventors: Apostolos Papageorgiou, Roberto Bifulco, Ernoe Kovacs, Hans-Joerg Kolbe
  • Patent number: 9548932
    Abstract: A method for detecting interactions on a forwarding element in a network, the element adapted to forward data according to rules, a rule set installed on the element, and including a match set and corresponding action set, the match set including at least one match field and the action set including one or more actions wherein action to be performed when matching a match set includes determining one or more relations between match sets based on match field relations, determining one or more relations between action sets, determining one or more interactions between rules based on determined relations between match sets and action sets, each rule being tested against another rule for determining the interaction, and reducing the rule set to an actual rule set according to determined interactions so that the actual rule set includes only rules with no interactions among them.
    Type: Grant
    Filed: April 25, 2013
    Date of Patent: January 17, 2017
    Assignee: NEC CORPORATION
    Inventors: Roberto Bifulco, Peer Hasselmeyer, Marcus Brunner
  • Publication number: 20160337164
    Abstract: A method of providing access control for a software defined network (SDN) controller includes triggering, by the SDN controller upon receiving a trigger event from a data plane of the software defined network, one or more applications that are installed to run at a control plane of the software defined network atop the SDN controller to react to the trigger event, applying, by the SDN controller before triggering applications due to a trigger event, a conflict resolution scheme. The conflict resolution scheme includes defining flow spaces and assigning each flow space a priority, selecting from these flow spaces a single selected flow space that complies with a predetermined policy, determining a single master application according to predefined criteria, and triggering, in addition to the master application, only those applications whose reactions to the trigger event do not conflict with the master application.
    Type: Application
    Filed: June 17, 2014
    Publication date: November 17, 2016
    Applicant: NEC EUROPE LTD.
    Inventors: Felix Klaedtke, Ghassan Karame, Roberto Bifulco
  • Publication number: 20160164853
    Abstract: A method for operating a network in which a Software-Defined Networking (SDN) functionality between at least some of a plurality of elements of the network is realized by at least one controller. The method includes providing a secure proof of at least one network property. The secure proof of the at least one network property is provided by the SDN functionality.
    Type: Application
    Filed: August 6, 2013
    Publication date: June 9, 2016
    Inventors: Roberto Bifulco, Ghassan Karame
  • Publication number: 20160020998
    Abstract: A packet data network includes a flow-based programmable network device. The flow-based programmable network device includes a data plane having a plurality of input and output ports, a control interface and forwarding rules that map packets received on one of the input ports to one of the output ports based on a packet matching a rule in the forwarding rules. A controller entity is configured to program the flow-based programmable network device via the control interface. The flow-based programmable network device has a connection via the data plane to at least one delegated entity which is a network device configured to process network traffic on behalf of the flow-based programmable network device in a transparent manner from a perspective of the controller entity.
    Type: Application
    Filed: March 12, 2013
    Publication date: January 21, 2016
    Inventors: Roberto BIFULCO, Thomas Dietz, Stavros Konstantaras
  • Publication number: 20150263989
    Abstract: A method for handling subscribers' network traffic between a CPE (customer premises equipment) and a broadband access network includes establishing a subscriber session between the CPE and a BNG (broadband network gateway, an entity within the broadband access network), to set up a network route between the CPE and the BNG. Data transmitted within the subscriber session are encapsulated into protocol frames. A NCE (network control entity) acquires a state of the subscriber session and updates network policies in at least one network entity on the network route based on the state of the subscriber session. A DEM (dynamic encapsulation module) decides, based on a DEM configuration, whether data sent to the broadband access network are encapsulated data within the subscriber session or are non-encapsulated data outside the subscriber session. The data are transmitted on a part of the network route and are handled according to the network policies.
    Type: Application
    Filed: October 18, 2013
    Publication date: September 17, 2015
    Inventors: Roberto Bifulco, Hans-Joerg Kolbe