Patent classifications
H04L45/36
Reverse forwarding information base enforcement
In exemplary embodiments of the present invention, a router determines whether or not to establish a stateful routing session based on the suitability of one or more candidate return path interfaces. This determination is typically made at the time a first packet for a new session arrives at the router on a given ingress interface. In some cases, the router may be configured to require that the ingress interface be used for the return path of the session, in which case the router may evaluate whether the ingress interface is suitable for the return path and may drop the session if the ingress interface is deemed by the router to be unsuitable for the return path. In other cases, the router may be configured to not require that the ingress interface be used for the return path, in which case the router may evaluate whether at least one interface is suitable for the return path and drop the session if no interface is deemed by the router to be suitable for the return path.
INBAND GROUP-BASED NETWORK POLICY USING SRV6
The present technology pertains to a group-based network policy using Segment Routing over an IPv6 dataplane (SRv6). After a source application sends a packet, an ingress node can receive the packet, and if the source node is capable, it can identify an application policy and apply it. The ingress node indicates that the policy has been applied by including policy bits in the packet encapsulation. When the packet is received by the egress node, it can determine whether the policy was already applied, and if so, the packet is forwarded to the destination application. If the egress node determines that the policy has not been applied, the destination application can apply the policy. Both the ingress node and egress nodes can learn of source application groups, destination application groups, and applicable policies through communication with aspects of the segment routing fabric.
DISTRIBUTED ANTICIPATORY BIDIRECTIONAL PACKET STEERING FOR SOFTWARE NETWORK FUNCTIONS
A method for anticipatory bidirectional packet steering involves receiving, by a first packet steering module of a network, a first encapsulated packet traveling in a forward traffic direction. The first encapsulated packet includes a first encapsulating data structure. The network includes two or more packet steering modules and two or more network nodes. Each of the packet steering modules includes a packet classifier module, a return path learning module, a flow policy table, and a replicated data structure (RDS). The return path learning module of the first packet steering module generates return traffic path information associated with the first encapsulated packet and based on the first encapsulating data structure. The first packet steering module updates the RDS using the return traffic path information and transmits the return traffic path information to one or more other packet steering modules.
INTER-AUTONOMOUS SYSTEM TRACE ROUTE MESSAGE
A network device may receive a message. The network device may determine that the message includes return information indicating a path to an initial device that generated the message. The network device may modify the message by adding an upstream device identifier, wherein the upstream device identifier identifies a device from which the message is received. The network device may modify the message by adding an indication of whether the initial device is reachable by the network device using a segment identifier. The network device may provide the modified message to a downstream device.
VIRTUAL LDP SESSION
A receiving node receives a virtual LDP initialization (vInit) message from a first node, where the vInit message comprises a request to establish a vLDP session between a requesting node and a target node. If the receiving node does not own a destination address of the vInit message, the receiving node is determined to be a relay node. The relay node inserts a relay label into the vInit message, where the relay label is an outgoing label that the relay node uses to reach the first node, and forwards the vInit message toward the destination address. If the receiving node owns the destination address, the receiving node is determined to be the target node, which extracts a stack of relay labels from the vInit message. The relay labels are used to define a return path to the requesting node for messages transmitted over the vLDP session.
Utilizing upstream routing of multicast traffic from redundant multicast sources to increase multicast resiliency and availability
A network device selects a primary source for multicast traffic and a secondary source for the multicast traffic, where the multicast traffic is provided to endpoint devices communicating with a network, and where the primary source and the secondary source are redundant sources. The network device provides a first join request that includes information that causes a primary path to be provided from the primary source through the network. The network device provides a second join request that includes information that causes a secondary path to be provided from the secondary source through the network. The network device receives the multicast traffic from the primary source via the primary path and the secondary source via the secondary path, and provides the multicast traffic received from the primary source to the endpoint devices. The network device prevents the multicast traffic received from the secondary source from reaching the endpoint devices.
Chaining of network service functions in a communication network
In an apparatus of a communication network, first packets of a data flow in a first direction are acquired, each having a first service chain identifier identifying a first chain of services which have been applied to the first packets in the first direction of the data flow. The first service chain identifier represents a classification result of classification functions used for selecting the first chain of services. Based on the first service chain identifier, a packet filter is calculated, which is associated with a second chain of services to be applied to second packets of the data flow in a second direction of the data flow when the second packets enter the communication network in the second direction.
IN SERVICE FLOW CAPABILITY UPDATE IN GUARANTEED BANDWIDTH MULTICAST NETWORK
In-service flow capability updating in a guaranteed bandwidth multicast network may be provided. First, a node may determine that a bandwidth requirement of a flow has changed to a new bandwidth value. Then, in response to determining that the bandwidth requirement of the flow has changed to the new bandwidth value, an ingress capacity value may be updated in an interface usage table for a Reverse Path Forwarding (RPF) interface corresponding to the flow. The RPF interface may be disposed on a network device. Next, in response to determining that the bandwidth requirement of the flow has changed to the new bandwidth value, an egress capacity value may be updated in the interface usage table for an Outgoing Interface (OIF) corresponding to the flow. The OIF may be disposed on the network device.
Stepping-stone detection apparatus and method
Disclosed herein are a stepping-stone detection apparatus and method. The stepping-stone detection apparatus includes a target connection information reception unit for receiving information about a target connection from an intrusion detection system (IDS), a fingerprint generation unit for generating a target connection fingerprint based on the information about the target connection, and generating one or more candidate connection fingerprints using information about one or more candidate connections corresponding to one or more flow information collectors, and a stepping-stone detection unit for detecting a stepping stone by comparing the target connection fingerprint, in which a maximum allowable delay time is reflected, with the candidate connection fingerprints.