H04L45/72

Connection tracking records for a very large scale NAT engine

Some embodiments provide a novel method for performing network address translation to share a limited number of external source network addresses among a large number of connections. Instead of allocating an external source network address for an egressing packet based only on its internal source network address, the method of some embodiments allocates the external source network address based on the egressing packet's source network address and destination network address. This allows a limited number of external source network addresses to be re-used for different destination network addresses. For instance, in some embodiments, the method's network address allocation scheme allows the same 64K (e.g., 2^16) external source ports to be used for 64K connections for each destination network address.

ROUTING IPV6 PACKETS BETWEEN AUTONOMOUS SYSTEMS
20170366454 · 2017-12-21

Systems, methods, architectures, mechanisms or apparatus for routing packets between source and destination endpoints associated with different autonomous systems without requiring public advertising of the addresses of the source and destination endpoints to other autonomous systems (ASN).

Distributed method of data acquisition in an AFDX network
09847954 · 2017-12-19

The subject matter disclosed herein relates to a frame switch of an AFDX network in which the data acquisition application is decentralized. When the switch has to acquire the data transmitted on a virtual link, the switching table contains, apart from the input port and the output port(s) taken by this link, an ID representing the MAC address of the switch. The frames of this link are then not only switched but also transmitted to the network interface of the switch and processed by a dedicated application (DDA) hosted inside the switch. This application can be interrogated by a remote server and transfer the data that it has stored locally.

NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM, COMMUNICATION CONTROL METHOD, AND COMMUNICATION CONTROL DEVICE
20170359198 · 2017-12-14

A communication control method executed by a computer includes generating, for each of a plurality of tenants, a plurality of virtual interfaces on a first virtual machine, the first virtual machine executing an application for the plurality of tenants; applying, to the first virtual machine, a first conversion rule in which the IP address of the transmission source of a packet output from the application is converted to one of a plurality of virtual IP addresses allocated to the virtual interface corresponding to one of the plurality of tenants; generating a plurality of gateways on a second virtual machine; applying, to the first virtual machine, routing information so as to transmit the packet addressed to the transmission destination to the second virtual machine; and applying, to the second virtual machine, a distribution rule in which the packet is distributed to one of the plurality of gateways.

Using transactions to minimize churn in a distributed network control system

A particular network controller receives a first set of inputs from the first controller and a second set of inputs from the second controller. The particular controller then starts to compute a set of outputs using the first set of inputs. After a failure of the first controller, the particular controller receives a third set of inputs from the second controller. The third set of inputs and the first or second set of inputs make up a group of inputs to be processed together and separately from another group of inputs. The particular controller then receives an indicator from the second controller, which indicates that all inputs of the group of inputs have arrived at the particular controller. After receiving the indicator and after computing the set of outputs completely, the particular controller sends the set of outputs to a fourth controller or to a managed forwarding element.

Switch device, communication control method and recording medium

A switch device for relaying data in an on-vehicle network is equipped with a switch section and a processing section that performs the relay processing via the switch section. When a plurality of frames to be subjected to the relay processing is present in the processing section, the processing section performs adjustment processing so that the output rates of the respective frames to the switch section are made smaller when the transmission source addresses of the respective frames are different than when the transmission source addresses of the respective frames are the same.

Verification of in-situ network telemetry data in a packet-switched network

Techniques to facilitate verification of in-situ network telemetry data carried in data packets of packet-switched networks are described herein. A technique described herein includes a network node obtaining a data packet of data traffic of a packet-switched network. The data packet includes an in-situ network telemetry block. The network node obtains telemetry data and a cryptographic key. The cryptographic key confidentially identifies the network node. The node encrypts at least a portion of the telemetry data based on the cryptographic key to produce signed telemetry data and updates a telemetry-data entry of the in-situ network telemetry block. The telemetry data and the signed telemetry data are inserted into the telemetry-data entry. The node forwards the data packet with the updated telemetry-data entry to another network node of the packet-switched network.

Leveraging multicast listener discovery for discovering hosts

Techniques for leveraging MLD capabilities at edge nodes of network fabrics to receive SNMAs from silent hosts, and for creating unicast addresses from the SNMAs for the silent nodes that are used as secondary matches in a network overlay if primary unicast address lookups fail. The edge nodes described herein may act as snoopers of MLD reports in order to identify the SNMAs of the silent hosts. The edge nodes then forge unicast addresses for the silent hosts that match the last three bytes of the SNMAs. The forged unicast addresses are presented as unicast MAC/IP mappings in the fabric overlay. In situations where a primary IP address lookup fails, the lookup device performs a secondary lookup for a mapped address that has the last three bytes of the IP address. If a mapping is found, the lookup is sent as a unicast message to the matching MAC address.

Secure wireless local area network (WLAN) for data and control traffic

A device receives capability information associated with a next hop device of a wireless local area network (WLAN). The device also determines, based on the capability information, whether the next hop device is capable of implementing security for traffic, where the security includes a media access control (MAC) security standard and a layer 2 link security standard. The device further creates, via the MAC security standard, a secure channel with the next hop device when the next hop device is capable of providing security for traffic.

MULTI-PATH TRAFFIC SELECTION FOR PORTS IN OVERLAY NETWORKS
20230188493 · 2023-06-15

In some embodiments, a method receives a packet for a flow from a first application in a first workload to a second application in a second workload. The packet includes an inner header that carries layer 4 information for the first application. The method determines whether a setting indicates that an outer source port in an outer header should be generated using layer 4 information from the inner header. The setting is based on an analysis of packet types in the flow to determine whether fragmented packets are sent. When the setting indicates that the outer source port in the outer header should be generated using layer 4 information from the inner header, the method generates the outer source port using the layer 4 information for the first application from the inner header. The packet is encapsulated using the outer header, wherein the outer header includes the outer source port.