Abstract: Synchronizing the databases maintained by network appliances can support high availability or high throughput topologies, but also consumes the devices' processing resources. To address that resource consumption, the network appliance's packet processing pipeline circuits can process synchronization packets to thereby synchronize the databases. A local data structure can be in a first local state. Processing a network packet can result in changing the local data structure to a second local state. A state sync packet can include state transition data that indicates a state difference between the first local state and the second local state. The state sync packet can be sent to a peer device that is configured to process the state transition data using the peer device's packet processing pipeline circuit. The peer device's packet processing pipeline can use the state transition data to update a peer device data structure that is in the peer device.

Abstract: Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field, routing the first packet to a selected service node that is in a circular replication chain that includes a plurality of service nodes that have local flow tables and are configured for chain replication of the local flow tables, producing a second packet by using a matching flow table entry of the first packet to process the first packet, and sending the second packet toward a destination indicated by the destination address.

Abstract: A packet can be sent on a VLAN from a first machine that has a first address on the VLAN to a second machine that has a second address on the VLAN and that is located at a remote location associated with a remote location identifier. A network appliance can use the second address to determine the remote location identifier, can encapsulate the packet in a local segment packet that includes a local VNID and the remote location identifier; and can send the local segment packet to a local router. The local router can use the remote location identifier and the local VNID to determine a remote router and a remote VNID, can encapsulate the packet in an outer packet, which can be a VxLAN packet, that includes the remote VNID, and can send the outer packet to the remote router.

Abstract: Synchronizing the databases maintained by network appliances can support high availability or high throughput topologies, but also consumes the devices' processing resources. To address that resource consumption, the network appliance's packet processing pipeline circuits can process synchronization packets to thereby synchronize the databases. A local data structure can be in a first local state. Processing a network packet can result in changing the local data structure to a second local state. A state sync packet can include state transition data that indicates a state difference between the first local state and the second local state. The state sync packet can be sent to a peer device that is configured to process the state transition data using the peer device's packet processing pipeline circuit. The peer device's packet processing pipeline can use the state transition data to update a peer device data structure that is in the peer device.

Abstract: Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field, routing the first packet to a selected service node that is in a circular replication chain that includes a plurality of service nodes that have local flow tables and are configured for chain replication of the local flow tables, producing a second packet by using a matching flow table entry of the first packet to process the first packet, and sending the second packet toward a destination indicated by the destination address.

Abstract: Described are platforms, systems, and methods for actuating transmission control protocol/Internet protocol (TCP/IP) through a method comprises: identifying a computer workload during a handshake process for establishing a network connection with a remote host; configuring, based on the computer workload, one or more TCP/IP parameters of the network connection; and completing the handshake process to establish the network connection with the remote host.

Abstract: A packet can be sent on a VLAN from a first machine that has a first address on the VLAN to a second machine that has a second address on the VLAN and that is located at a remote location associated with a remote location identifier. A network appliance can use the second address to determine the remote location identifier, can encapsulate the packet in a local segment packet that includes a local VNID and the remote location identifier; and can send the local segment packet to a local router. The local router can use the remote location identifier and the local VNID to determine a remote router and a remote VNID, can encapsulate the packet in an outer packet, which can be a VxLAN packet, that includes the remote VNID, and can send the outer packet to the remote router.

Abstract: Described are platforms, systems, and methods for providing an in-line, transparent Transmission Control Protocol (TCP)/Transport Layer Security (TLS) proxy. In one aspect, a programmable input output (IO) device comprises at least one advanced reduced instruction set computer (RISC) machine (ARM) core communicably coupled to at least one central processing unit (CPU) core of a host device; a programmable P4 pipeline comprising a cryptographic offload subsystem; and a memory unit. The programmable IO device executing instruction stored on the memory unit comprising: establishing a session for an incoming TCP connection received from a remote host via the at least one ARM core; processing data packets received from the remote host via the programmable P4 pipeline; decrypting the received data packets via the cryptographic offload subsystem; and providing the decrypted data packets to the host device.

Abstract: A network appliance can queue a first packet and a second packet of a network traffic flow in an input queue of a match-action pipeline. The match-action pipeline can be implemented via a packet processing circuit of the network appliance and can be configured to process a plurality of network traffic flows. Submitting the first packet to the match-action pipeline can cause a first flow miss. The second packet can be moved to a burst queue of the network appliance and a match-action configuration can be generated based on the first packet. The second packet can be moved from the burst queue to the input queue after the match-action pipeline is configured with the match-action configuration. The match-action pipeline can then process the second packet.

Abstract: A network appliance can queue a first packet and a second packet of a network traffic flow in an input queue of a match-action pipeline. The match-action pipeline can be implemented via a packet processing circuit of the network appliance and can be configured to process a plurality of network traffic flows. Submitting the first packet to the match-action pipeline can cause a first flow miss. The second packet can be moved to a burst queue of the network appliance and a match-action configuration can be generated based on the first packet. The second packet can be moved from the burst queue to the input queue after the match-action pipeline is configured with the match-action configuration. The match-action pipeline can then process the second packet.

Abstract: Described are platforms, systems, and methods for actuating transmission control protocol/Internet protocol (TCP/IP) through a method comprises: identifying a computer workload during a handshake process for establishing a network connection with a remote host; configuring, based on the computer workload, one or more TCP/IP parameters of the network connection; and completing the handshake process to establish the network connection with the remote host.

Abstract: Described are platforms, systems, and methods for providing an in-line, transparent Transmission Control Protocol (TCP)/Transport Layer Security (TLS) proxy. In one aspect, a programmable input output (IO) device comprises at least one advanced reduced instruction set computer (RISC) machine (ARM) core communicably coupled to at least one central processing unit (CPU) core of a host device; a programmable P4 pipeline comprising a cryptographic offload subsystem; and a memory unit. The programmable IO device executing instruction stored on the memory unit comprising: establishing a session for an incoming TCP connection received from a remote host via the at least one ARM core; processing data packets received from the remote host via the programmable P4 pipeline; decrypting the received data packets via the cryptographic offload subsystem; and providing the decrypted data packets to the host device.

Abstract: A fraud detection system that applies scoring models to process transactions by scoring them and sidelines potential fraudulent transactions is provided. Those transactions which are flagged by this first process are then further processed to reduce false positives by scoring them via a second model. Those meeting a predetermined threshold score are then sidelined for further review. This iterative process recalibrates the parameters underlying the scores over time. These parameters are fed into an algorithmic model. Those transactions sidelined after undergoing the aforementioned models are then autonomously processed by a similarity matching algorithm. In such cases, where a transaction has been manually cleared as a false positive previously, similar transactions are given the benefit of the prior clearance. Less benefit is accorded to similar transactions with the passage of time. The fraud detection system predicts the probability of high risk fraudulent transactions.

Abstract: Embodiments provide techniques for optimizing paths in a network environment with a virtual network device that includes a first physical network device and a second physical network device, connected using a virtual network device layer link. Embodiments receive a first data packet belonging to a first data flow, at the first physical network device, from the second physical network device, over the virtual network device layer link. An adjacent network device from which the second physical network device received the first data packet is determined. Embodiments also determine one or more links connecting the first physical network device and the adjacent network device. A network message is transmitted to the adjacent network device, where the adjacent network device is configured to transmit subsequent data packets from the first data flow to the virtual network device, using only the determined one or more links, responsive to receiving the network message.

Abstract: Embodiments provide techniques for optimizing paths in a network environment with a virtual network device that includes a first physical network device and a second physical network device, connected using a virtual network device layer link. Embodiments receive a first data packet belonging to a first data flow, at the first physical network device, from the second physical network device, over the virtual network device layer link. An adjacent network device from which the second physical network device received the first data packet is determined. Embodiments also determine one or more links connecting the first physical network device and the adjacent network device. A network message is transmitted to the adjacent network device, where the adjacent network device is configured to transmit subsequent data packets from the first data flow to the virtual network device, using only the determined one or more links, responsive to receiving the network message.