Abstract: Aspects of the disclosure provide for a proxyless NAT infrastructure with dynamic port allocation. A proxyless NAT infrastructure is configured to perform NAT between a network of virtual machines (VMs) and a device external to the network, without a device, such as a NAT server or a router, acting as a proxy. A system can include a control plane for provisioning VMs of a network, including configuring each VM to perform NAT and initially assigning a number of ports for communicating with other devices. The control plane maintains a feedback loop-receiving data characterizing port usage and network traffic at ports allocated to the various VMs and scaling the port allocation for each VM based on the received data. The control plane can allocate additional ports as determined to be needed by a VM, and later retrieve the ports to be reused for other VMs.

Abstract: Methods, systems, and apparatus include computer programs encoded on a computer-readable storage medium for firewall policies with improved efficiency. A policy can be defined that specifies a set of firewall rules, where the set of firewall rules provides a respective firewall rule for each layer of a plurality of layers within a hierarchical structure of a network, the network including a plurality of elements. Determining, for a first element within the network, a position within a first layer of the hierarchical structure. In response to receiving a data transmission request to or from the first element, applying the set of firewall rules in accordance with the first layer of the hierarchical structure, where applying the set of firewall rules comprises sequentially applying each respective firewall rule at each layer from an upper layer within the network to the first layer within the network.

Abstract: Aspects of the disclosure provide for a proxyless NAT infrastructure with dynamic port allocation. A proxyless NAT infrastructure is configured to perform NAT between a network of virtual machines (VMs) and a device external to the network, without a device, such as a NAT server or a router, acting as a proxy. A system can include a control plane for provisioning VMs of a network, including configuring each VM to perform NAT and initially assigning a number of ports for communicating with other devices. The control plane maintains a feedback loop—receiving data characterizing port usage and network traffic at ports allocated to the various VMs and scaling the port allocation for each VM based on the received data. The control plane can allocate additional ports as determined to be needed by a VM, and later retrieve the ports to be reused for other VMs.

Abstract: In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

Abstract: A method is disclosed for transmitting system management requests to computer systems along a network path using a network control protocol, such as RSVP. For example, an originating node may send a single system management request along a path to a destination node using a network control protocol. Each computer system along the network path may analyze the network control protocol message to determine whether the message contains a system management request. If a system management request is found in the message, the computer system may perform the system management function identified in the request, and respond to it.

Abstract: In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

Abstract: In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

Abstract: A method is disclosed for transmitting system management requests to computer systems along a network path using a network control protocol, such as RSVP. For example, an originating node may send a single system management request along a path to a destination node using a network control protocol. Each computer system along the network path may analyze the network control protocol message to determine whether the message contains a system management request. If a system management request is found in the message, the computer system may perform the system management function identified in the request, and respond to it.

Abstract: A method is disclosed for transmitting system management requests to computer systems along a network path using a network control protocol, such as RSVP. For example, an originating node may send a single system management request along a path to a destination node using a network control protocol. Each computer system along the network path may analyze the network control protocol message to determine whether the message contains a system management request. If a system management request is found in the message, the computer system may perform the system management function identified in the request, and respond to it.

Abstract: In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

Abstract: In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

Abstract: User credentials are validated within a network infrastructure element such as a packet data router or switch. The network element has authentication and authorization logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting user credentials from the one or more packets; authenticating an identity associated with the user credentials; authorizing privileges to the identity; and forwarding the application message to an intended destination if the identity is successfully authenticated and/or authorized. The authentication and authorization logic in the network element can invoke extension authentication and authorization methods that may be provisioned after the network element is deployed in a networked system.

Abstract: In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

Abstract: A method is disclosed for transmitting system management requests to computer systems along a network path using a network control protocol, such as RSVP. For example, an originating node may send a single system management request along a path to a destination node using a network control protocol. Each computer system along the network path may analyze the network control protocol message to determine whether the message contains a system management request. If a system management request is found in the message, the computer system may perform the system management function identified in the request, and respond to it.

Abstract: A network infrastructure element such as a router or switch performs transparent and optimized validation of XML schemas of XML payloads received in the network element. The network element comprises logic for receiving and storing one or more validation scope rules that define a portion of an extensible markup language (XML) schema for validation; receiving and storing the XML schema; receiving over the network an application-layer message comprising one or more of the packets; identifying a particular XML element in an XML payload of the application-layer message, wherein the particular XML element is within the portion of the XML schema defined in the one or more validation scope rules; determining whether the particular XML element conforms to the XML schema; and performing a responsive action based on whether the particular XML element conforms to the XML schema.

Abstract: User credentials are validated within a network infrastructure element such as a packet data router or switch. The network element has authentication and authorization logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting user credentials from the one or more packets; authenticating an identity associated with the user credentials; authorizing privileges to the identity; and forwarding the application message to an intended destination if the identity is successfully authenticated and/or authorized. The authentication and authorization logic in the network element can invoke extension authentication and authorization methods that may be provisioned after the network element is deployed in a networked system.

Abstract: A network infrastructure element such as a router or switch performs transparent and optimized validation of XML schemas of XML payloads received in the network element. The network element comprises logic for receiving and storing one or more validation scope rules that define a portion of an extensible markup language (XML) schema for validation; receiving and storing the XML schema; receiving over the network an application-layer message comprising one or more of the packets; identifying a particular XML element in an XML payload of the application-layer message, wherein the particular XML element is within the portion of the XML schema defined in the one or more validation scope rules; determining whether the particular XML element conforms to the XML schema; and performing a responsive action based on whether the particular XML element conforms to the XML schema.