Abstract: Address resolution information acquisition (ARIA) for a computing device is described. In some examples, ARIA includes a computing device (e.g., an Internet of things (IoT) node, a gateway, a server) determining, without use of an address resolution protocol (ARP), address resolution information of one or more other computing devices (e.g., a IoT node, a gateway, a server). In one example, the computing device uses data flowing to or from its application layer, transport layer, or network layer to determine address resolution information of another computing device. The address resolution information can comprise one or more of a link layer address (e.g., a media access control (MAC) address) and an Internet layer address (e.g., an Internet protocol (IP) address). Usage of a cache for storing or deleting address resolution information can also be part of ARIA.

Abstract: Described in example embodiments herein are methods and systems for implementing sending packets from a first network node to a second network node. Packets belonging to the same session may be sent through the same or different tunnels. The second network node processes packets belonging to the same session using the same core. In accordance with an example embodiment, the first network node informs the second network code the core to process the packets. Optionally, selection of core at the second network node is assisted by a core identity created by the first network based on the session. The core identity may be stored in the header or payload of the packets. In an example embodiment, the second network determines the core for processing packet belonging to the same session.

Abstract: Methods and apparatus are disclosed herein for coordinating seamless service continuity to Edge Application Server (EAS) at relocation in a cellular communications system. In some embodiments, an Application Function (AF) sends to a Policy Control Function (PCF) a steering request comprising a keepExistingPSA indication that indicates that a current user plane (UP) path to a current Data Network Access Identifier (DNAI) and to an EAS should be maintained while a new path to a new DNAI and EAS is established. The PCF generates Policy and Charging Control (PCC) rules including the keepExistingPSA indication, and provides the PCC rules to a Session Management Function (SMF). The SMF determines, based on the keepExistingPSA indication, that simultaneous connectivity over the source PSA and the target PSA is to be provided, and configures the target PSA while maintaining the UP connectivity over the source PSA to the current DNAI and to the EAS.

Abstract: Some embodiments provide a method for configuring an edge computing device to implement a logical router belonging to a logical network. The method configures a datapath executing on the edge computing device to use a first routing table associated with the logical router for processing data messages routed to the logical router. The method configures a routing protocol application executing on the edge computing device to (i) use the first routing table for exchanging routes with a network external to the logical network and (ii) use a second routing table for exchanging routes with other edge computing devices that implement the logical router.

Abstract: A transmission pipe configuration method, including receiving a device address of a first network domain, a device address of a second network domain from, generating an identifier of a transmission pipe based on the device address of the first network domain and the device address of the second network domain, where the transmission pipe connects a first border transport device and a second border transport device, and sending to the first border transport device, the identifier of the transmission pipe and the device address that is of the second network domain and that corresponds to the transmission pipe. The identifier of the transmission pipe and the device address are used to generate a forwarding table of the first border transport device, the forwarding table indicating a forwarding relationship where service data is forwarded from the first network domain to the second network domain using the transmission pipe.

Abstract: A packet-filtering system described herein may be configured to filter packets with encrypted hostnames in accordance with one or packet-filtering rules. The packet-filtering system may resolve a plaintext hostname from ciphertext comprising an encrypted Server Name Indication (eSNI) value. The packet-filtering system may resolve the plaintext hostname using a plurality of techniques. Once the plaintext hostname is resolved, the packet-filtering system may then use the plaintext hostname to determine whether the packets are associated with one or more threat indicators. If the packet-filtering system determines that the packets are associated with one or more threat indicators, the packet-filtering system may apply a packet filtering operation associated with the packet-filtering rules to the packets.

Abstract: Aspects of the subject disclosure may include, for example, obtaining traffic that is conveyed at least in part within a private cloud network, based on the obtaining, identifying characteristics of the traffic, and based on the identifying of the characteristics of the traffic, causing at least one action to be performed within the private cloud network. Other embodiments are disclosed.

Abstract: A method for communicating between a first network and a second network is described. The method includes receiving, by a network device via a persistent control channel established between the network device and a server device connected to a first network, a first message that includes: (1) information indicating a tunneling protocol, and (2) information associated with a first tunneling payload. The persistent control channel is for communicating: (1) messages including control information, and (2) messages including tunneling payloads. The method also includes transmitting, by the network device to an endpoint device connected to a second network, a second message including the information associated with the first tunneling payload.

Abstract: Methods and systems for flexible nodal layer 3 overlay of layer 2 traffic is described. A network includes an access device for receiving layer 2 traffic from user devices, a packet inspection device for inspecting the layer 2 traffic, and a layer 3 tunnel instantiation device for encapsulating the layer 2 traffic into layer 3 traffic. The layer 3 tunnel instantiation device provides a first tunnel endpoint for a layer 3 tunnel, which is connected to a second tunnel endpoint instantiated at a network gateway. The layer 3 tunnel instantiation device establishes a moveable demarcation between a layer 2 domain and a layer 3 domain with respect to the packet inspection device, where the access device and the packet inspection device operate in the layer 2 domain. The layer 3 traffic is transmitted over the layer 3 tunnel.

Abstract: A system and method are provided in which a first MTU (maximum transmission unit) size is determined messages traveling in a first direction along a path. A second MTU size is determined for messages traveling in a second direction along the same path. Messages are sent in the first and second directions based on the first and second MTU size, respectively. In some embodiments, different sizes are chosen for the DL MTU and the UL MTU. In some embodiments, triggers are used to proactively change the MTU size with network conditions. In some embodiments, packet segmentation may be performed at the eNB/gNB. In some embodiments, mobility support is provided with packet segmentation. In some embodiments, dedicated bearers are pre-established that support specific MTU sizes. In some embodiments, the SDAP (service data adaptation protocol) may announce the MTU size to use for a given flow on the UL.

Abstract: A server fabric adapter (SFA) communication system is disclosed. In some embodiments, the SFA communication system comprises an SFA communicatively coupled to a plurality of controlling hosts, a plurality of endpoints, and a plurality of network ports. The SFA is configured to receive a network packet from a network port of the plurality of network ports; separate the network packet into different portions, each portion including a header or a payload; map each portion of the network packet to: (i) a controlling host of the plurality controlling hosts, the controlling host being designated as a destination controlling host, or (ii) an endpoint of the plurality of endpoints, the endpoint being designated as a destination endpoint; and forward a respective portion of the network packet to the destination controlling host or the destination endpoint.

Abstract: Disclosed herein are methods of forwarding data over an IP network. The methods may include receiving a packet from a source host connected to the IP network, identifying the IP address of a destination host designated in the packet, determining the location on the IP network where the destination host designated by the packet is connected, without reference to the MAC address specified in the packet, by using location-identification information stored on the IP network, and forwarding the packet to the location on the IP network where the destination host is connected without reference to the MAC address specified in the packet. Also disclosed herein are related network devices implementing such techniques and operations, as well as IP networks which include such network devices.

Abstract: There is provided a method performed by a session management function (SMF) node of a network for establishing a PFCP session. A plurality of service functions (SFs) are selected (102) to connect in a service function chain for handling the PFCP session. Each of the plurality of SFs is capable of activating a feature of the PFCP session and is supported by a user plane function (UPF) node. The selection is based on a load of each of the plurality of SFs. For each UPF node that supports one or more of the selected plurality of SFs, transmission of a request is initiated (104) to the UPF node to establish the PFCP session with the UPF node. The request comprises an indication of the one or more of the selected plurality of SFs that the UPF node supports.

Abstract: A border gateway receives a first overlay packet sent by a remote acceleration gateway, where a first service request packet is encapsulated in the first overlay packet, a source Internet Protocol (IP) address of the first service request packet is an IP address of a client, and a destination IP address is a public IP address associated with a virtual machine; the border gateway decapsulates the first overlay packet to obtain the first service request packet, encapsulates the first service request packet to generate a second overlay packet, and sends the second overlay packet to a virtual forwarding device, implementing transparent transmission of a source address of a service request packet.

Abstract: A routing system can provide a Dynamic-Hybrid Forwarding Information Base (DHFIB). A control component of the routing system can build a routing table that includes routing information (e.g., prefixes, addresses, etc.) for use by a first routing component. The routing table can be ordered or ranked based on traffic information from the first routing component. Then, the control component can create the DHFIB from the routing table, wherein the DHFIB is a portion of the routing table and related to the first routing component. As such, the portion of the routing table selected for the DHFIB can be the set of prefixes in the routing table that represent the most frequently routed or most important prefixes in the routing table. Finally, the control component can forward the DHFIB to the first routing component to allow the routing component to route communications.

Abstract: A method for transferring a message in a communications network for communication between a road user and at least one further road user. The road user and the further road user each include an evaluation unit for transferring messages via the communications network. The method includes: receiving a first message in the evaluation unit, the first message including message segments, each including a priority value; determining an instantaneous capacity utilization of the communications network; filtering message segments to be transferred out of the first message, based on the priority values and the instantaneous capacity utilization of the communications network; and generating a second message including the message segments to be transferred, and sending the second message via the communications network.

Abstract: A network device comprises a receive processor configured to generate respective packet descriptors that include i) respective header information extracted from headers of packets received via a plurality of network interfaces, the packets also including trailers, and ii) respective trailer information extracted from the trailers of the packets. A packet processor is configured to process the header information and the trailer information in the packet descriptors to determine actions to be performed on the packets, including determining network interfaces via which at least some packets are to be transmitted by the network device. A transmit processor is configured to transmit the at least some packets via the plurality of network interfaces in accordance with the determining of network interfaces by the packet processor.

Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.

Abstract: Systems and methods are described for electronically transmitting adaptively collapsible data across a network, whereby a baseline hierarchy of relationships based on precedence is generated for a set of data fields for data generated at an electrical system, and selecting one or more data fields for inclusion in a transmission package based on the hierarchy of relationships and a configurable condition, the configurable condition serving to potentially collapse (or deprecate) a data field, setting a status subfield to indicate inclusion or exclusion of the data field in a payload region of the transmission package and, when a particular data field is to be omitted, including only the status subfield for that data field and omitting the data corresponding to the data field.

Abstract: In some implementations, a first network device may encode Internet Protocol version 4 (IPv4) network layer reachability information (NLRI) using Internet Protocol version 6 (IPv6) next hop encoding to generate encoded IPv4 NLRI. The first network device may include information indicating border gateway protocol (BGP) labeled unicast (BGP-LU) in the encoded IPv4 NLRI. The first network device may advertise the encoded IPv4 NLRI. The first network device may establish a communication session with a second network device, wherein the communication session is established via an IPv6 core network. The first network device may forward, via the communication session, one or more IPv4 packets using the encoded IPv4 NLRI.

Abstract: Methods and apparatus are provided for routing Flex Ethernet (FlexE) data in a network. In an example aspect, a method comprises receiving data on a first FlexE physical layer (PHY) group, determining, from first FlexE overhead on the first FlexE PHY group, that data in one or more time slots on the first FlexE PHY group is associated with a predetermined path in the network, determining a second FlexE PHY group for the data in the one or more time slots based on at least a portion of the predetermined path in the network, and sending the data on the second FlexE PHY group.

Abstract: The technology described herein is directed towards automatic virtual subnet delegation. An automated process scans the subnets of a virtual network and builds a tree of the IP space, including allocated and unused space designations. User-defined parameters and organization policy data are used to determine the number of IP addresses needed for an application or the like. By traversing the tree of existing IP space, the technology described herein finds and places a new subnet, such as to ensure a high utilization of the overall IP space or based on an alternative type-of-fit criterion. When the virtual subnet space is created in the cloud, a public cloud-specific subnet identifier is returned to the user to utilize in deploying the application. Another use of the technology described herein is to track and optimize IP space allocation for existing virtual networks in the public cloud, including to identify underutilized and/or improperly-sized subnets.

Abstract: A method includes receiving, by a network node, a first data packet from a client, wherein the first data packet includes an identifier of a service. The method further includes obtaining, by the network node, flow affinity attribute information of the service based on the identifier of the service, wherein the flow affinity attribute information of the service includes a flow affinity type of the service and a flow affinity timeout time of the service. The method further includes establishing, by the network node, a flow entry based on the flow affinity attribute information of the service in response to the first data packet being a 1st data packet in a data flow, wherein the flow entry is useable to forward a subsequent data packet in the data flow.

Abstract: Provided are a service flow transmission method and apparatus, a device, and a storage medium. The service flow transmission method includes: acquiring service flows; and performing transmission via different FlexE outgoing interfaces according to priorities of the service flows. By means of determining priorities of service flows, and performing transmission via different FlexE outgoing interfaces according to the priorities of the service flows, mutual interference between service flows can be prevented.

Abstract: A network device includes at least one port and a processor for use in a network for communicating a packet. The processor is configured to obtain a packet header for a packet and perform telemetry using postcard and/or passport approaches. The processor uses a repurposed field in the packet header to indicate telemetry is to be performed on the packet.

Abstract: An information processing apparatus with a plurality of network interfaces is provided. The information processing apparatus comprises at least one memory that stores a set of instructions, and at least one processor that executes the instructions to control to receive a request via one of the plurality of networks, generate a response to a source of the received request, the response indicating the source of the request set as a destination address and a destination address of the request set as a source address, and in a case where the network interface having received the request is different from a network interface determined to be used for communication with a destination identified by the destination address set in the generated response, prevent the response from the different network interface.

Abstract: In general, this disclosure describes techniques for leveraging a containerized routing protocol process to implement virtual private networks using routing protocols. In an example, a system comprises a container orchestration system for a cluster of computing devices, the cluster of computing devices including a computing device, wherein the container orchestration system is configured to: deploy a containerized application to a compute node; and in response to deploying the containerized application to the compute node, configure in the compute node a virtual routing and forwarding (VRF) instance to implement a virtual private network (VPN) for the containerized application.

Abstract: Some embodiments provide a method of selecting data links for an application in a network. The method receives, from a machine implementing the application, a set of identifiers of required link characteristics. Based on at least one of the identifiers, the method selects a transport group that includes a set of optional links matching the identifiers. From the selected transport group, the method selects a link matching the set of identifiers.

Abstract: Techniques are disclosed for session-based load-balancing of network traffic to network service instances. In one example, a network device receives a first packet of a forward packet flow from a network service instance of a plurality of network service instances after application of a network service. The first packet specifies a Media Access Control (MAC) address of the network service instance as a source MAC address. The network device defines a session comprising the forward packet flow and a reverse packet flow and stores an association between the session and the MAC address of the network service instance. The network device determines that a second packet received from a destination device is associated with the reverse packet flow of the session. The network device forwards the second packet to the same network service instance based on the association between the session and the MAC address of the network service instance.

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: Some embodiments of the invention provide a forwarding element (e.g., a switch, a router, etc.) that has one or more data plane, message-processing pipelines with key-value processing circuits. The forwarding element's data plane key-value circuits allow the forwarding element to perform key-value services that would otherwise have to be performed by data compute nodes connected by the network fabric that includes the forwarding element. In some embodiments, the key-value (KV) services of the forwarding element and other similar forwarding elements supplement the key-value services of a distributed set of key-value servers by caching a subset of the most commonly used key-value pairs in the forwarding elements that connect the set of key-value servers with their client applications.

Abstract: A system and method for dynamically generating a data processing pipeline. A processor receives data including one or more data types from a data source. A set of sub-pipelines are created based on the one or more data types, wherein each sub-pipeline of the set of sub-pipelines includes one or more processing layers. Further, the one or more data types and volume of data assigned to each processing layer of the one or more processing layers is determined. Subsequently, the resource allocation to the one or more processing layers is done dynamically based on the one or more data types, the data source, and the volume of the data.

Abstract: Ghost routing is a network verification technique that uses a portion of a production network itself to verify the impact of potential network changes. Ghost routing logically partitions the production network into a main network and a ghost network. The main network handles live traffic while the ghost network handles traffic generated for diagnostic purposes. The ghost network may have a network topology identical to the production network and may use the same hardware and software as the production network. An operator may implement a network configuration change on the ghost network and then use verification tools to verify that the network configuration change on the ghost network does not result in bugs. Verifying on the ghost network may not affect the main network. If the network operator verifies the network configuration change on the ghost network, the network operator may implement the network configuration change on the main network.

Abstract: A control device may communicate messages with devices in a network through a parent device, and receive messages from auxiliary parent devices. The control device may store a respective communication metric associated with each of the parent device and the one or more auxiliary parent devices. The control device may set an auxiliary parent device of the one or more auxiliary parent devices as the parent device of the control device, e.g., when a respective communication metric of the auxiliary parent device determined to be set as the parent device indicates a stronger communication link than the parent device. The control device may determine that the respective communication metric of the auxiliary parent device indicates a stronger potential communication link than the parent device when the average received signal strength indicator of auxiliary parent device is greater than the average received signal strength indicator of the parent device.

Abstract: According to implementations of the subject matter described herein, there is proposed a solution for supporting communications for an FPGA device. In an implementation, the FPGA device includes an application module and protocol stack modules. The protocol stack modules are operable to access target devices based on different communication protocols via a physical interface. The FPGA device further includes a universal access module operable to receive, from the application module, first data and a first identity of a first target device, the first target device acting as a destination of the first data, and transmit, based on the first identity and predetermined first routing information, the first data to a first protocol stack module accessible to the first target device via the physical interface. By introducing the universal access module, it is possible to provide unified and direct communications for the application module.

Abstract: Some embodiments of the invention provide a method for configuring a physical network card or physical network controller (pNIC) to provide flow processing offload (FPO) for a host computer connected to the pNIC. The host computers host a set of compute nodes in a virtual network. The set of compute nodes are each associated with a set of interfaces that are each assigned a locally-unique virtual port identifier (VPID) by a flow processing and action generator. The pNIC includes a set of interfaces that are assigned physical port identifiers (PPIDs) by the pNIC. The method includes providing the pNIC with a set of mappings between VPIDs and PPIDs. The method also includes sending updates to the mappings as compute nodes migrate, connect to different interfaces of the pNIC, are assigned different VPIDs, etc.

Abstract: A system and associated methods document and visualize complicated networks having circuits and circuit paths. The relationships between the circuits also are provided. The data regarding the circuits is preprocessed to be stored in a network resource database. When a network diagram is generated, the network resource database is queried to obtain the data and determine the different segments, devices, and relationships to model the network circuit. An intermediate table is generated to provide additional processing of queries back to the network resource database.

Abstract: Implementations of the present disclosure relate to a communication method, a communication device, and a network device. The method includes: a first device compressing an Ethernet frame; and the first device sending the compressed Ethernet frame to a second device. The communication method, the communication device and the network device proposed in the implementations of the present disclosure can be used to achieve the transmission of an Ethernet frame.

Abstract: Systems and methods for improving network element security. The methods comprise: obtaining a transport frame by the network element; analyzing, by the network element, the transport frame to determine whether or not any vulnerable overhead field values in at least one of a header of a mapping layer frame and a header of a transport layer frame have values other than expected values; modifying, by the network element, at least one reserved target field value in the transport frame when a determination is made that the at least one vulnerable overhead field value has a value other than the expected value; and communicating, by the network element, the transport frame with the modified at least one reserved target value over a network.

Abstract: A BIER packet forwarding method is applied to a packet sending node and includes: setting node information of a BIER forwarding neighboring node in a BIFT forwarding entry; in a case of determining according to the node information that the BIER forwarding neighboring node has a capability of processing a target packet format, encapsulating a BIER packet according to the target packet format; and sending an encapsulated BIER packet to the BIER forwarding neighboring node.

Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can include service-providing stages such as NAT and firewall. The gateway caches the result previous packet operations and reapplies the result to subsequent packets that meet certain criteria. For packets that do not have applicable or valid result from previous packet processing operations, the gateway datapath daemon executes the pipelined packet processing stages and records a set of data from each stage of the pipeline and synthesizes those data into a cache entry for subsequent packets.

Abstract: A first network device associated with a network may establish an Internet protocol version 6 Multiprotocol BGP session with a second network device associated with the network. The first network device and second network device are both capable of forwarding both IPv4 and IPv6 packets with only an IPv6 address configured on the interface of both the first network device and second network device. The first network device may exchange Multiprotocol Reachability capability with second network device for corresponding 2-tuple Address Family Identifier/Subsequent Address Family Identifier. The first network device may advertise Internet protocol version 4 network layer reachability information and may advertise Internet protocol version 6 network layer reachability information with IPv6 extended next hop encoding using Internet Assigned Numbering Authority assigned capability code value 5 to second network device.

Abstract: Described are methods and devices for communication between local networks and global networks. In some examples, a method comprises storing mapping data for multiple hosts in a global network and in a local network. The method further comprises receiving a first data packet from one of the multiple hosts in the local network. The first data packet comprises a first source address being the local network address of the host in the local network, a first destination address being the local network address of the host in the global network and payload data. The method further comprises determining, based on the mapping data, the global network address of the host in the local network and a global network address of the host in the global network, and sending a second data packet over the global network.

Abstract: a content addressable memory circuit is provided that includes a memory array that includes multiple memory devices that include memory locations that share a memory address and are coupled for simultaneous access. Hash logic is operative to use modulo math to determine a memory address based upon non-X values within an IP address key. Memory controller logic is operative to cause a memory device in the memory array to store the received IP address key in a memory location at the determined memory address, in a format that includes a field-size value indicative of a number of non-X values within a received IP address key and that includes non-X values within the received IP address key.

Abstract: This application provides a packet processing method and a network device. A third network device is multi-homed to a first network device and a second network device, the first network device is configured with a first physical MAC address and a virtual MAC address, the second network device is configured with a second physical MAC address and the virtual MAC address, and the virtual MAC address is used to forward a user data packet to a network side. The method includes: a first network device receives a protocol packet from a third network device, where the protocol packet includes the second physical MAC address; and the first network device forwards the protocol packet to the second network device based on the second physical MAC address. Thus, the protocol packet can be normally forwarded without special configuration on a server, so that a cumbersome configuration process is avoided.

Abstract: A network device may establish, via a routing protocol daemon (RPD) of the network device, border gateway protocol (BGP) sockets with peer network devices and may establish a socket between the RPD and a periodic packet management daemon (PPMD) of the network device. The network device may provide file descriptors of the BGP sockets from the RPD to the PPMD, via the socket, and may provide, from the RPD and via the BGP sockets, non-keep alive protocol data units (PDUs) to the peer network devices. The network device may provide, from the PPMD and via the BGP sockets, keep alive PDUs to the peer network devices.

Abstract: In general, the disclosure relates to a method for redirecting a user to a captive portal. The method includes trapping an incoming frame originating from a host, where the incoming frame comprises a L2 header and a payload, wherein the payload specifies information associated with an external server, wherein the user of the host has not been authenticated by the captive portal at a time when the incoming frame is trapped, extracting the L2 header, an L3 header, and the payload from the incoming frame, forwarding the L3 header and the payload towards a redirection server executing on the network device, wherein the redirection server is configured to generate a redirection response based on the payload; encapsulating the redirection response to obtain an L3 response packet, encapsulating the L3 response packet using information from the L2 header to obtain an output frame, and transmitting the output frame towards the host.

Abstract: Route tables may be associated with ingress traffic for logically isolated networks. A routing device at the edge of a logically isolated network may receive a route to include in a route table that is associated with ingress traffic to the logically isolated network, where the ingress traffic is destined for a block of public or private IP addresses. The route instructs the edge routing device to forward such ingress traffic to a network interface of a network appliance hosted in the logically isolated network. Network packets received at the edge routing device may have a destination of one or more public or private IP addresses in the block of public/private IP addresses. The edge routing device may identify the route in the route table that forwards the ingress network traffic destined for the block of public or private IP addresses to the network interface for the network appliance.

Abstract: Techniques are described for dynamically computing a segment routing policy for a segment routing for traffic engineering (SR-TE) path. For example, in a discontinuous SR network in which SR islands (e.g., groups of neighboring routers that are enabled for segment routing) are separated by one or more routers not enabled for segment routing, instead of returning a failure because one or more routers along a path are not enabled for SR, an ingress router may generate an SR-TE operations, administrations, and management (OAM) Multi-Protocol Label Switching (MPLS) traceroute packet send the packet to a first border router of the RSVP-enabled devices along a computed path to trigger the creation of a resource reservation Label Switched Path (LSP) through the RSVP-enabled devices. In this way, segment routed LSP may be established to tunnel through the resource reservation LSP for a SR-TE path used in an SR-TE policy.

Abstract: Example methods and systems are provided a network device to perform tunnel-based service insertion in a public cloud environment. An example method may comprise establishing a tunnel between the network device and a service path. The method may also comprise: in response to receiving a first encapsulated packet, identifying the service path specified by a service insertion rule; generating and sending a second encapsulated packet over the tunnel to cause the service path to process an inner packet according to one or more services. The method may further comprise: in response to receiving, from the service path via the tunnel, a third encapsulated packet that includes the inner packet processed by the service path, sending the inner packet processed by the service path, or a fourth encapsulated packet, towards a destination address of the inner packet.