Abstract: In general, embodiments relates to a method for creating an on-demand tunnel (ODT) in a network between a first network device and a second network device, the method comprising: storing by the first network device, a potentially suboptimal path to the second network device, determining that a trigger condition to create the ODT between the first network device and the second network device is satisfied, in response to the determination: transmitting, by the first network device, an ODT signaling packet to the second network device via the potentially suboptimal path, receiving, from the second network device and in response to transmitting the ODT signaling packet, an ODT keepalive by first network device via the ODT, and transmitting, after receiving the ODT keepalive, a second packet to the second network device via the ODT.

Abstract: Security Association (SA) rekeying between two endpoints of a network, is achieved without resorting to a central entity and a separate key management protocol. A packet sent from a first peer to a second peer is modified to add extra data to signal the rekey procedure, and to include cryptographic material to provide a new common keying material, which will be used to create new SAs. Since the rekey procedure is a multi-stage procedure, the peers are assigned (initiator/responder) roles in order to transition from one stage to another. Rekeying may be initiated by a timer present at one of the peers. Embodiments allow network peers to autonomously rekey without the help of a central controller, and each peer can rekey with only N?1 of its peers.

Abstract: In general, embodiments relates to a method for creating an on-demand tunnel (ODT) in a network between a first network device and a second network device, the method comprising: storing by the first network device, a a potentially suboptimal path to the second network device, determining that a trigger condition to create the ODT between the first network device and the second network device is satisfied, in response to the determination: transmitting, by the first network device, an ODT signaling packet to the second network device via the potentially suboptimal path, receiving, from the second network device and in response to transmitting the ODT signaling packet, an ODT keepalive by first network device via the ODT, and transmitting, after receiving the ODT keepalive, a second packet to the second network device via the ODT.

Abstract: Disclosed methods and systems employ an agent to identify data paths between first and second networking devices, such that a data path connects an interface of the first networking device with an interface of the second networking device, each interface being uniquely identified by an associated Internet Protocol (IP) address. The agent establishes a secure connection as follows. First a connection is established between the first and second networking devices using respective first and second IP addresses. Next, security keys are negotiated to establish the secure connection, the security keys including encryption keys and decryption keys. Next, inbound and outbound security associations are established for each of the plurality of data paths, inbound and outbound security associations including IP addresses associated with respective data paths and respective decryption keys. Finally, the inbound and outbound security associations are established in a data plane of the first networking device.

Abstract: In some embodiments, a method receives address information for two or more paths between a first network device and a second network device. A connection is established between the first network device and the second network device to determine one or more security keys for the first network device and the second network device. Then, the method installs the one or more security keys with the address information for the two or more paths. The one or more security keys are used to provide a security service on one or more packets that are sent or received between the first network device and the second network device using the address information for the two or more paths.

Abstract: In some embodiments, a method receives address information for two or more paths between a first network device and a second network device. A connection is established between the first network device and the second network device to determine one or more security keys for the first network device and the second network device. Then, the method installs the one or more security keys with the address information for the two or more paths. The one or more security keys are used to provide a security service on one or more packets that are sent or received between the first network device and the second network device using the address information for the two or more paths.

Abstract: In some embodiments, a method receives address information for two or more paths between a first network device and a second network device. A connection is established between the first network device and the second network device to determine one or more security keys for the first network device and the second network device. Then, the method installs the one or more security keys with the address information for the two or more paths. The one or more security keys are used to provide a security service on one or more packets that are sent or received between the first network device and the second network device using the address information for the two or more paths.

Abstract: A method for transmitting packets in a network is provided. The method includes determining that a first packet will be encrypted prior to transmitting the first packet to a network device. The first packet includes a first source address for the first packet. The method also includes generating a routing value based on the first source address. The routing value allows the network device to determine which of a plurality of processing cores will be used to process the first packet. The method further includes encrypting the first packet to generate an encrypted first packet. The method further includes encapsulating the encrypted first packet within a second packet. A payload of the second packet comprises the encrypted first packet and a packet header of the second packet includes the routing value. The method further includes transmitting the second packet to the network device.

Abstract: A method for transmitting packets in a network is provided. The method includes determining that a first packet will be encrypted prior to transmitting the first packet to a network device. The first packet includes a first source address for the first packet. The method also includes generating a routing value based on the first source address. The routing value allows the network device to determine which of a plurality of processing cores will be used to process the first packet. The method further includes encrypting the first packet to generate an encrypted first packet. The method further includes encapsulating the encrypted first packet within a second packet. A payload of the second packet comprises the encrypted first packet and a packet header of the second packet includes the routing value. The method further includes transmitting the second packet to the network device.