H04L45/507

METHOD FOR ROUTING PACKETS IN A COMMUNICATION NETWORK HAVING A VARIABLE AND PREDICTABLE TOPOLOGY
20230179514 · 2023-06-08

A method (100) for routing packets in a communication network (10) having a variable and predictable topology. The network includes a plurality of nodes, and each node can be connected, at least temporarily, to one or more other nodes in the network. The packets are transmitted from a source node (21) to a destination node (23). An orchestration entity (25) determines (101) a plurality of temporary paths (31) between the source node and the destination node for several successive time periods (Pi), the existence of a temporary path being guaranteed for the time period with which it is associated. The orchestration entity (25) generates (102) a table (T) of label stacks (LSi), in which table each label stack corresponds to the temporary path defined for one of the successive time periods, and each label (Lj, i) corresponds to a node of the temporary path.

Next hop instruction associations for forwarding unit programming within a network device

In some examples, a network device of a network comprises a first component configured to store a plurality of next hop instructions corresponding to respective logical or physical network structures of the network. The network device also comprises a second component configured to send, to the first component, a message that identifies an association of the plurality of next hop instructions, wherein the first component is further configured to modify, in response to receiving the message, each of the plurality of next hop instructions.

Processing Packets by an Offload Platform Adjunct to a Packet Switching Device

In one embodiment, an offload platform is a compute platform, adjunct to a router or other packet switching device, that performs packet processing operations including determining an egress forwarding value corresponding to the next-hop node of the packet switching device to which to send an offload-platform processed packet. The offload platform downloads forwarding information from the router, and augments it, such as, but not limited to, representing interfaces of the router as identifiable virtual interface(s) on the offload platform, and including each of one or more next-hop nodes of the router represented as an identifiable virtual adjacency and identifiable tunnel (e.g., identified by the egress forwarding value). In one embodiment, the egress forwarding value is a Multiprotocol Label Switching (MPLS) label or Segment Routing Identifier. The router identifies packets of certain packet flows to send to the adjunct offload platform, rather than processing per its routing information base.

Anomaly detection through header field entropy

An approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to “hide” or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.

Segment routing using a remote forwarding adjacency identifier

Disclosed is an apparatus and method for segment routing using a remote forwarding adjacency identifier. In one embodiment, a first node in a network receives a packet, wherein the packet is received with a first segment-ID and another segment ID attached thereto. The first node detaches the first and the other segment IDs from the packet. Then the first node attaches a first label to the packet. Eventually, the first node forwards the packet with the attached first label directly to a second node in the network. In one embodiment, the other segment ID corresponds to a forwarding adjacency or tunnel label switched path between the first node and another node.

NETWORK CONTROL SYSTEM, CONTROL DEVICE, NETWORK INFORMATION MANAGEMENT METHOD, AND STORAGE
20170310597 · 2017-10-26

The objective of the invention is to enable sharing, between layers in a network in which the layers are used to perform communications, resource information and information required for using paths. A network control system includes: a lower layer information storage unit, a lower layer control information conversion unit, an upper layer information storage unit, an upper layer control information conversion unit, an integrated layer information storage unit and a layer integration unit. The layer integration unit integrates, as virtual links, the information of flows, which are representative of communications among terminals in the lower layer, with the network information of the upper layer, thereby constituting the network information of the integrated layer. Further, the layer integration unit performs reciprocal exchanges of network information among the integrated layer information storage unit, the lower layer information storage unit and the upper layer information storage unit, said reciprocal exchanges including a process of giving, as the attribute information of the ports of the upper layer, label information required for using the virtual link provided by the lower layer.

Fast protection path activation using control plane messages

A method, performed in a network that includes a group of nodes, includes identifying a path through a set of the nodes, where each node, in the set of nodes, has a data plane and a control plane; establishing a control plane tunnel, associated with the path, within the control plane of the nodes in the set of nodes; establishing a data plane tunnel, associated with the path, within the data plane of the nodes in the set of nodes, where the data plane tunnel is associated with the control plane tunnel and established through the same set of nodes; and transmitting a control message through the control plane tunnel to change a state of the data plane tunnel.

Routing path analysis method and device
11258702 · 2022-02-22

The present disclosure discloses a routing path analysis method and device. The method includes a first step of determining a key node based on a label stack of segment routing of a data packet. The key node includes a diversion node, a next-hop working path node of the diversion node, and a next-hop protection path node of the diversion node. The diversion node is a crossed node of a working path and a protection path. The method further includes determining neighboring nodes of the key node as relevant nodes; querying for traffic information of the key node and traffic information of the relevant nodes; selecting, from the key node and the relevant nodes based on the traffic information, the nodes for the data packet to pass. The routing path of the data packet is determined based on the selected nodes.

Batched path computation in resource-constrained networks
09794165 · 2017-10-17

In some examples, a controller for a network includes a path computation module that determines, for a plurality of LSPs or other flows having a common source, shortest paths of the network from the common source to respective destinations of the plurality of LSPs based at least on a minimum bandwidth. The path computation module further determines, after determining the shortest paths, a shortest path for the LSP of the plurality of LSPs as the shortest path of the shortest paths of the network from the common source to a destination for the LSP. A path provisioning module of the controller, after the path computation module determines the shortest path for the LSP and in response to the path computation module routing the LSP to the shortest path for the LSP on a network model of the network, installs the LSP to the network as routed to the shortest path.

Node protection for stacked labels

Techniques are described for providing node protection in a Source Packet Routing in Networking (SPRING) network. In some examples, a first network device, responsive to detecting a configuration request to provide node protection to a second network device that is adjacent to the first network device: generates at least one context table; configures at least one forwarding entry that indicates: a primary path between the first network device and a third network device, and a backup path, based at least in part on the at least one context table, between the first network device and the third network device that bypasses the second network device; while the second network device has not failed, forwards network packets to the third network device using the primary path; and responsive to determining that the second network device has failed, forwards network packets to the third network device using the backup path.