Abstract: A system for efficiently determining a set of next-hop switches from a switch is provided. During operation, the system can determine the plurality of next-hop switches for an Internet Protocol (IP) address prefix. The system can then store, in an entry of a forwarding data structure of the switch, a list of identifying information indicating the plurality of next-hop switches corresponding to the IP address prefix. The identifying information for the plurality of next-hop switches can be stored in the list in an order of preference for forwarding traffic matching the IP address prefix. Upon receiving a packet with a destination IP address matching the IP address prefix, the system can select the entry from the forwarding data structure for determining a next-hop switch for forwarding the packet. The system can then determine the next-hop switch for the packet from the entry based on the order of preference.

Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

Abstract: A first ingress interface on a switch receives a first control packet for establishing a Transmission Control Protocol (TCP) session and selects a first engine running on a first line card in the switch. A second ingress interface receives a second control packet and selects the same first engine. Data associated with the TCP session received by the first or second ingress interface subsequent to establishing the TCP session is to be forwarded to the first engine. The first ingress interface receives a third control packet and sends, to the selected first engine, a notification indicating the TCP session which is to be tracked. The first or second ingress interface receives a fourth packet with a payload associated with the TCP session and forwards, to the selected first engine, a copy of the fourth packet, thereby facilitating a plurality of engine instances to support application identification.

Abstract: A system for layer-2 path tracing is provided. During operation, the system can send, from an originating device, a layer-2 trace packet with a packet type in a layer-2 header of the layer-2 trace packet. The packet type can indicate the trace packet to be a tracing packet. The system can then receive a layer-2 response packet from a respective participating device, which supports layer-2 path tracing, on a path to a target device of the trace packet. Subsequently, the system can obtain, from a payload of the response packet, trace information of a forward path to the participating device traversed by the trace packet and a reverse path from the participating device traversed by the response packet. The trace information can identify one or more layer-2 devices along the forward and reverse paths, and include one or more layer-2 identifiers corresponding to the identified one or more layer-2 devices.

Abstract: A first ingress interface on a switch receives a first control packet for establishing a Transmission Control Protocol (TCP) session and selects a first engine running on a first line card in the switch. A second ingress interface receives a second control packet and selects the same first engine. Data associated with the TCP session received by the first or second ingress interface subsequent to establishing the TCP session is to be forwarded to the first engine. The first ingress interface receives a third control packet and sends, to the selected first engine, a notification indicating the TCP session which is to be tracked. The first or second ingress interface receives a fourth packet with a payload associated with the TCP session and forwards, to the selected first engine, a copy of the fourth packet, thereby facilitating a plurality of engine instances to support application identification.

Abstract: Embodiments of the present disclosure include a method for token-position handling comprising: processing a first sequence of tokens to produce a second sequence of tokens, wherein the second sequence of tokens has a smaller number of tokens than the first sequence of tokens; masking at least some tokens in the second sequence to produce masked tokens; moving the masked tokens to the beginning of the second sequence to produce a third sequence; encoding tokens in the third sequence into a set of numeric vectors in a first array; and processing the first array in a transformer neural network to determine correlations among the third sequence, the processing the first array producing a second array.

Abstract: Techniques for training neural networks are provided. According to one set of embodiments, a first array is processed in a spreading component to produce a second array, where a first dimension of the first array corresponds to at least one sequence of approximately orthogonal numeric vectors representing tokens, and where the spreading component combines values along the first dimension. The second array is processed in a transformer neural network to determine correlations between the sequence, which produces a third array. One or more batches of the third array are processed in a de-spreading component to produce a fourth array.

Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

Abstract: Techniques for training neural networks are provided. According to one set of embodiments, a first array is processed in a spreading component to produce a second array, where a first dimension of the first array corresponds to at least one sequence of approximately orthogonal numeric vectors representing tokens, and where the spreading component combines values along the first dimension. The second array is processed in a transformer neural network to determine correlations between the sequence, which produces a third array. One or more batches of the third array are processed in a de-spreading component to produce a fourth array.

Abstract: Embodiments of the present disclosure include a method for token-position handling comprising: processing a first sequence of tokens to produce a second sequence of tokens, wherein the second sequence of tokens has a smaller number of tokens than the first sequence of tokens; masking at least some tokens in the second sequence to produce masked tokens; moving the masked tokens to the beginning of the second sequence to produce a third sequence; encoding tokens in the third sequence into a set of numeric vectors in a first array; and processing the first array in a transformer neural network to determine correlations among the third sequence, the processing the first array producing a second array.

Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

Abstract: Reduced precision computer number formats inherently limit the quantity of discrete numeric values that can be represented. Therefore, the solution values of an arithmetic function, for each numeric value that is individually and uniquely expressible utilizing such a reduced precision computer number format, can be precomputed since the quantity of unique solution values can be limited to a quantity that can be conveniently stored, such as in an array. Subsequently, rather than computing the solution value of such an arithmetic function, for a given input value, the precomputed array can be referenced and a solution value corresponding to the given input value can be read from the array. Reading numeric values from an array can be substantially faster than computing solution values of a computationally-expensive arithmetic function.

Abstract: Reduced precision computer number formats inherently limit the quantity of discrete numeric values that can be represented. Therefore, the solution values of an arithmetic function, for each numeric value that is individually and uniquely expressible utilizing such a reduced precision computer number format, can be precomputed since the quantity of unique solution values can be limited to a quantity that can be conveniently stored, such as in an array. Subsequently, rather than computing the solution value of such an arithmetic function, for a given input value, the precomputed array can be referenced and a solution value corresponding to the given input value can be read from the array. Reading numeric values from an array can be substantially faster than computing solution values of a computationally-expensive arithmetic function.

Abstract: An apparatus, in one embodiment, includes an edge adaptor module, a storage device, and an encapsulation module. The edge adaptor module maintains a membership in a fabric switch. A fabric switch includes a plurality of switches and operates as a single switch. The storage device stores a first table comprising a first mapping between a first edge identifier and a switch identifier. The first edge identifier is associated with the edge adaptor module and the switch identifier is associated with a local switch. This local switch is a member of the fabric switch. The storage device also stores a second table comprising a second mapping between the first edge identifier and a media access control (MAC) address of a local device. During operation, the encapsulation module encapsulates a packet in a fabric encapsulation with the first edge identifier as the ingress switch identifier of the encapsulation header.

Abstract: Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry.

Abstract: Systems, methods, and other embodiments associated with aggregation of cryptography engines are described. One example method includes receiving an outbound data packet on an outbound side of a data connection. The example method may also include analyzing the outbound data packet to determine a distribution value. The example method may also include selectively distributing the outbound data packet to one of a plurality of outbound processors based, at least in part, on the distribution value. The example method may also include receiving an inbound data packet on an inbound side of the data connection. The example method may also include examining the inbound data packet for an identifier. The example method may also include selectively distributing the inbound data packet to one of a plurality of inbound processors based, at least in part, on the identifier.

Abstract: Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry.

Abstract: Systems, methods, and other embodiments associated with aggregation of cryptography engines are described. One example method includes receiving an outbound data packet on an outbound side of a data connection. The example method may also include analyzing the outbound data packet to determine a distribution value. The example method may also include selectively distributing the outbound data packet to one of a plurality of outbound processors based, at least in part, on the distribution value. The example method may also include receiving an inbound data packet on an inbound side of the data connection. The example method may also include examining the inbound data packet for an identifier. The example method may also include selectively distributing the inbound data packet to one of a plurality of inbound processors based, at least in part, on the identifier.