Patent classifications
H04L69/22
Security cluster for performing security check
Some embodiments of the invention provide a method for a first security controller that performs security operations on the packets that are transmitted within a network. The method of some embodiments receives a packet from a forwarding element in the network based on a decision made by a security agent that operates along with the forwarding element. When the first security controller stores a security rule for the packet, the method processes the packet according to the stored security rule. When the first security controller does not store a security rule for the packet, the method (i) determines that a second security controller stores a security rule for the packet based on a set of header values of the packet, and (ii) sends the packet to the second security controller for security processing according to the security rule for the packet stored on the second security controller.
Efficient packet reordering using hints
A peripheral device coupled to a host includes a network interface, a packet processor, and a Data Processing Unit (DPU). The packet processor receives from a communication network, via the network interface, packets that originated from a source in an original order and were received at the peripheral device in an order different from the original order. The packet processor splits the received packets into headers and payloads, sends the payloads for storage in a host memory and sends the headers without the payloads for storage in a DPU memory, and based on the headers produces a hint indicative of processing to be applied to the headers, by the DPU, for identifying the original order. Based on the hint, the DPU identifies the original order of the packets by applying the processing indicated by the hint to respective headers in the DPU memory, and notifies the host of the original order.
Communication device, communication system, and non-transitory computer readable medium
A communication device includes a transmission unit and a processing unit. The transmission unit transmits a packet group including multiple packets. In a case in which the communication device itself is not trusted by a destination communication device to which to transmit the packet group, the processing unit performs a process of instructing each of multiple nodes of a management unit that registers and manages management information distributed among the multiple nodes to register header information as the management information, the header information being partial information of a header included in each packet of the packet group transmitted by the transmission unit.
Data processing method, apparatus, medium and device
The present specification discloses a data processing method, apparatus, medium and device. The method includes: receiving a QUIC data packet that is sent by a first device and that includes a CID; parsing the CID and determining a routing address based on a parsing result; and routing the received QUIC data packet to a second device based on the routing address, so the second device processes the QUIC data packet. When a data packet sent by a transmitting end device is received, a routing address of data transmission is determined by processing the received data packet, to quickly establish a data transmission channel between the transmitting end device and a receiving end device. As such, stored context information is not required, and connection errors caused by exceptions such as restarting and scaling in/out on a load balancer will not occur, thereby effectively improving processing efficiency of data transmission by using the QUIC protocol.
Dynamic security actions for network tunnels against spoofing
An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet match the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.