Abstract: A new component is provided within a switch that ‘learns’ from the messages between the switch and the controller regarding how to behave like a controller under different network conditions and how to optimize the switch flow tables by implementing techniques like aggregation to save memory space, wherein the new component can act as a ‘proxy controller’ that resides within the switch. This new component can be activated when a specific trigger happens, wherein the trigger is programmable into the switch. After the trigger is active, the proxy/local controller starts undertaking some or all of the roles of the controller until the trigger is deactivated. Because different types of triggers can be programmed, the new component can have one or more of the control functions. The teaching of the new component (which can be a hardware chip or software) is performed outside the switch using machine-learning techniques (e.g. deep learning).

Abstract: When network function virtualization (NFV) is overlaid on top of a SDN, a convergence gateway mediates between the orchestrator and the SDN controller. The convergence gateway collects from the orchestrator the information on the location, capacity, status, and usage information of all virtualized functions that run on SDN's physical platforms, and passes that information to the controller. The controller decides to optimally route a data flow for service chaining by obeying traffic engineering and quality of service policies of that data flow, choosing from available virtualized functions along that route. An information model based approach is also presented for information sharing across the orchestrator, convergence gateway and controller.

Abstract: A novel technique is shown for throttling control traffic in a Software Defined Network (SDN) between a controller and network switches when the controller and/or one or more control channels are congested. In this technique, the controller's processing power and the limited control channel bandwidth are more efficiently managed by drastically cutting down the control traffic during times of congestion.

Abstract: A novel system and a new data communication method are invented in a software-defined (SDN) network to provide delivery of certain types of critical data flows with certain QoS and/or extra security requirements in a congested network. The method of invention allows such critical data not to traverse the data plane, as it normally would, but instead to go from the ingress switch directly to the egress switch, thereby always in two hops using the control channels. By shortcutting all other switches along the traditional data path computed by normal routing, it potentially provides guaranteed throughput, lower latency/jitter or higher level of security.

Abstract: An ingress forwarder receives the IP packet and strips off the entire packet header and replaces it with the simple flow header assigned by the controller, and looks up its flow-table to determine from which port to forward the packet. All other forwarders along the path up to the egress forwarder perform the forwarding action simply by inspecting the flow header. The egress forwarder, before forwarding to the egress port, replaces the flow header with the original layer-2/3/4 header. Doing so, the host behavior remains unchanged while the routing/forwarding within the cloud of SDN is performed based on only the flow header.

Abstract: The VNF hopping in a Software Defined Network (SDN) allows a traffic flow to change routes frequently amongst a chosen group of paths to obfuscate data paths or to meet specific performance requirements while satisfying the service chaining requirements by activating in real-time the same virtual functions on each chosen path. Using the VNF hopping method and additional capabilities built into an SDN controller and an orchestrator according to this invention, the controller determines multiple feasible routes for specific flows with desired service chaining functions and enables activation of those chained services, so that the active flow can randomly be assigned to different routes after a switch-over time period expires, or by a special randomization logic within the switch managed by the controller, or manually programmed by a system administrator.

Abstract: Virtual CPE (vCPE) of a plurality of enterprises is sliced according to each enterprise's user-group profiles. Several apparatuses are hosted by a service provider within a control center, which are remotely located: (a) to store different user-group profiles of each enterprise in a policy server, and (b) to remotely control the slicing of various components of the vCPE according to user-group profiles. Several interconnected components are also hosted by the enterprise as the vCPE including a local RAN and associated local core network, a network switch connecting a LAN and various WAN connections, virtualized network functions as well as the local core network, and a control agent apparatus that receives directives from the remote control center and applies these directives onto aforementioned enterprise apparatus components to achieve slicing. The vCPE is sliced per user-group, wherein each slice acts as a separate transport-technology-agnostic virtual network segment within the enterprise.

Abstract: The VNF hopping in a Software Defined Network (SDN) allows a traffic flow to change routes frequently amongst a chosen group of paths to obfuscate data paths or to meet specific performance requirements while satisfying the service chaining requirements by activating in real-time the same virtual functions on each chosen path. Using the VNF hopping method and additional capabilities built into an SDN controller and an orchestrator according to this invention, the controller determines multiple feasible routes for specific flows with desired service chaining functions and enables activation of those chained services, so that the active flow can randomly be assigned to different routes after a switch-over time period expires, or by a special randomization logic within the switch managed by the controller, or manually programmed by a system administrator.

Abstract: A novel technique is shown for throttling control traffic in a Software Defined Network (SDN) between a controller and network switches when the controller and/or one or more control channels are congested. In this technique, the controller's processing power and the limited control channel bandwidth are more efficiently managed by drastically cutting down the control traffic during times of congestion.

Abstract: When network function virtualization (NFV) is overlaid on top of a SDN, a convergence gateway mediates between the orchestrator and the SDN controller. The convergence gateway collects from the orchestrator the information on the location, capacity, status, and usage information of all virtualized functions that run on SDN's physical platforms, and passes that information to the controller. The controller decides to optimally route a data flow for service chaining by obeying traffic engineering and quality of service policies of that data flow, choosing from available virtualized functions along that route. An information model based approach is also presented for information sharing across the orchestrator, convergence gateway and controller.

Abstract: Sensitive data is sent through insecure network regions across different software defined networks (SDNs) over an encrypted path without requiring encryption applications at the source or destination hosts. One or more special-purpose encryptors are strategically placed within each SDN, which can act as an encryptor or decryptor, of both the data packet content and the header. Using the controller and a special encryption service application, the encrypted IP packets are forwarded from an encryptor, closest to the source, towards a decryptor, closest to the destination, utilizing a tagging method. Each encryptor has a static and globally unique tag. Each controller advertises to other controllers its encryptor information: IP of the encryptor, the IP block of the users the encryptor is responsible for and the unique encryptor tag(s). Each forwarder along the flow path is instructed by its respective controller how to forward packets towards the destination according to the tag.

Abstract: When network function virtualization (NFV) is overlaid on top of a SDN, a convergence gateway mediates between the NFV orchestrator and the SDN controller. The convergence gateway collects from the orchestrator the information on the workload and up/down status of virtualized network functions that run on SDN's physical resources, and passes such information to the controller. The controller then makes an intelligent decision regarding optimally routing data flows for service chaining, choosing from many available virtualized functions along the data path. Reciprocally, the convergence gateway collects, from the controller, the network congestion and available capacity information on all physical and virtualized network resources of the SDN, and feeds that information to the orchestrator. Accordingly, the orchestrator decides on where and when to activate/deactivate/capacitate virtual functions to best serve a service request.

Abstract: A system and method that rely on a centralized and trusted control mechanism for a software-defined network (SDN) to dynamically assign routes between two end points, and to simultaneously change their real IP addresses to fake IP addresses to establish short-lived obfuscated communications paths with a goal of preserving anonymity. The SDN controller determines the short-lived routes from a feasible route-set and new fake IP addresses from a reserved address pool for the source and destination hosts. It provisions only the switches along the route with rules so that a switch can forward packets of the data flow to another switch without needing to know the actual IP addresses of the communicating endpoints, and hence, providing strict anonymity even when the switches are compromised.

Abstract: An ingress forwarder receives the IP packet and strips off the entire packet header and replaces it with the simple flow header assigned by the controller, and looks up its flow-table to determine from which port to forward the packet. All other forwarders along the path up to the egress forwarder perform the forwarding action simply by inspecting the flow header. The egress forwarder, before forwarding to the egress port, replaces the flow header with the original layer-2/3/4 header. Doing so, the host behavior remains unchanged while the routing/forwarding within the cloud of SDN is performed based on only the flow header.

Abstract: Random route hopping in a Software Defined Network (SDN) allows traffic flows to change routes frequently to obfuscate data paths or to meet specific performance requirements. Using the route hopping method and additional capabilities built into an SDN controller according to this invention, the controller determines multiple feasible routes for specific flows, called jumper flows, so that the active flow can randomly be assigned to different routes after a switch-over time period expires, or by a special randomization logic within the switch managed by the controller, or manually programmed by a system administrator.

Abstract: Controller(s) in a software defined network (SDN) are able to determine a control path towards each network switch by performing a switch-originated discovery and using an in-band control network that is an overlay on the data network. A topology tree is maintained, where each controller being the root of the tree, and where messages from the root to any switch may pass through neighboring switches to reach that switch (and vice-versa). Each switch in the SDN attempts to connect to the controller when it does not have a readily configured control connection towards the controller. Once the controller learns about the presence of a new switch and at least one or more paths to reach that switch through a novel discovery process, it can select, adjust and even optimize the control path's route towards that switch.

Abstract: Controller(s) can determine a control path towards each network switch using a novel controller-originated discovery process based on an in-band control network that is an overlay on the data network. The controller attempts to connect to each switch when it does not have a readily configured control connection towards the switch. Once the controller learns about the presence of a new switch and at least one or more paths to reach that switch through aforementioned discovery process, it can select, adjust and even optimize the control path's route towards that switch. During the controller-originated control network discovery process, the controller also learns about the to connectivity between all switches. Thereby, as a by-product of the discovery process, it uncovers the entire data network topology in parallel.

Abstract: Sensitive data is sent through insecure network regions across different software defined networks (SDNs) over an encrypted path without requiring encryption applications at the source or destination hosts. One or more special-purpose encryptors are strategically placed within each SDN, which can act as an encryptor or decryptor, of both the data packet content and the header. Using the controller and a special encryption service application, the encrypted IP packets are forwarded from an encryptor, closest to the source, towards a decryptor, closest to the destination, utilizing a tagging method. Each encryptor has a static and globally unique tag. Each controller advertises to other controllers its encryptor information: IP of the encryptor, the IP block of the users the encryptor is responsible for and the unique encryptor tag(s). Each forwarder along the flow path is instructed by its respective controller how to forward packets towards the destination according to the tag.

Abstract: A novel system and a new data communication method are invented in a software-defined (SDN) network to provide delivery of certain types of critical data flows with certain QoS and/or extra security requirements in a congested network. The method of invention allows such critical data not to traverse the data plane, as it normally would, but instead to go from the ingress switch directly to the egress switch, thereby always in two hops using the control channels. By shortcutting all other switches along the traditional data path computed by normal routing, it potentially provides guaranteed throughput, lower latency/jitter or higher level of security.

Abstract: A system and method that rely on a centralized and trusted control mechanism for a software-defined network (SDN) to dynamically assign routes between two end points, and to simultaneously change their real IP addresses to fake IP addresses to establish short-lived obfuscated communications paths with a goal of preserving anonymity. The SDN controller determines the short-lived routes from a feasible route-set and new fake IP addresses from a reserved address pool for the source and destination hosts. It provisions only the switches along the route with rules so that a switch can forward packets of the data flow to another switch without needing to know the actual IP addresses of the communicating endpoints, and hence, providing strict anonymity even when the switches are compromised.