H04L45/566

METADATA-BASED CROSS-REGION SEGMENT ROUTING

Systems and methods are provided for management of network segments that cross geographic regions and/or other types of network divisions in a cloud-based network environment. Gateways may manage traffic across regions using routing metadata that includes a segment identifier. The gateways may also signal their routes across regions based on segment data, and implement the signaled routes using segment-based routing policies. Route selection may be performed using optimization data.

PACKET VERIFICATION METHOD, DEVICE, AND SYSTEM

This application provides a packet verification method. The method includes: a first network device receives a BIER packet, where packet header information of the BIER packet includes a first keyed-hash message authentication code (HMAC), and the first HMAC is used to verify whether the BIER packet is a valid BIER packet; determines a second HMAC based on a first key and first information in the packet header information, where the first information is used to indicate forwarding information of the BIER packet; determines whether the first HMAC is the same as the second HMAC; and when determining that the first HMAC is different from the second HMAC, determines that the BIER packet is an invalid BIER packet.

Flow-specific fast rerouting of source routed packets
11469995 · 2022-10-11

Various example embodiments relate generally to supporting flow-specific fast rerouting of source routed packets in communication networks. Various example embodiments for supporting flow-specific fast rerouting of source routed packets may be configured to support flow-specific fast rerouting of source routed packets based on use of various source routing protocols which may be based on various underlying communication protocols. Various example embodiments for supporting flow-specific fast rerouting of source routed packets in communication networks may be configured to support flow-specific fast rerouting of source routed packets by supporting use of a source routed packet including a payload and a header where the header encodes a set of hops of a primary path for the source routed packet and where the header also encodes a set of hops of a protection path configured to protect one of the hops of the primary path for the source routed packet.

Systems and methods for operating a networking device
11627110 · 2023-04-11

Methods and systems are described for compressing a tree structure associating network packet signatures with network packet metadata, the tree structure comprising a plurality of non-leaf nodes of single bit test nodes and a plurality of leaf nodes comprising network packet metadata, the method comprising determining whether a sub-portion of the tree structure is to be compressed. If a determination is made that the sub-portion of the tree structure is to be compressed, a compressed node data structure is generated, the compressed node data structure comprising a path of the sub-portion of the tree structure, the path comprising a sequence of bits formed by a concatenation of the single bits associated with each one of the consecutive non-leaf nodes of the sub-portion of the tree structure, the number of bits of the sequence being equal to or greater than the compression threshold.

METHOD, NODE, AND SYSTEM FOR TRAFFIC TRANSMISSION
20220337505 · 2022-10-20

A method is applied to a ring link, where the ring link includes a first node, a second node, a third node, and a fourth node in sequence. According to the method, the first node receives first traffic, where the first node is a source node that sends the first traffic on the ring link; and the first node sends the first traffic to the third node, where two reachable paths with equal hop counts are included from the first node to the third node, the first node sends the first traffic to the third node on a preset first transmission path, the first transmission path passes through the second node, and the first transmission path is one of the two reachable paths with equal hop counts. This method can reduce computing load of nodes while implementing non-blocking switching of traffic between the nodes.

Rerouting network traffic based on detecting offline connection

In some examples, a system includes a router device and a first adapter device in communication with the router device. The first adapter device includes processing circuitry configured to: communicate with the router device, wherein the router device is incapable of communicating in accordance with the MACsec protocol. The processing circuitry is further configured to establish an encrypted connection in accordance with the MACsec protocol between the first adapter device and a remote device, determine that the encrypted connection is offline, and output a message to the router device that the encrypted connection is offline. The router device is configured to communicate with the remote device via a second adapter device configured to communicate in accordance with the MACsec protocol and bypass the first adapter device.

METHODS AND APPARATUSES FOR ENABLING MULTI-HOST MULTIPATH SECURE TRANSPORT WITH QUIC

Methods and apparatuses for enabling multi-host multipath secure transport with Quick User Datagram Protocol (UDP) Connections (QUIC) are described herein. A method performed by a client endpoint may involve sending, to a network node, a request to establish a QUIC connection with a destination endpoint, the request to establish the QUIC connection including a flow identifier (ID). The method may involve receiving, from the network node, a response including an indication that the request to establish the QUIC connection with the destination endpoint is accepted. The method may involve encapsulating inner QUIC packetized data within outer QUIC packetized data, the inner QUIC packetized data including the flow ID. The method may involve sending, to the network node, the outer QUIC packetized data for forwarding toward the destination endpoint based on the flow ID.

METHOD AND APPARATUS FOR PROCESSING CONTROL PACKET IN COLLECTIVE COMMUNICATION SYSTEM, DEVICE, AND SYSTEM
20230106425 · 2023-04-06

The present disclosure relates to methods and apparatuses for processing a control packet in a collective communication system, where the collective communication system includes a switch network and multiple computing nodes, and the switch network includes a first switch. In one example method, the first switch forwards a query packet transmitted by a source node to a destination node, where the query packet is generated by the source node based on a context of the collective communication system. Then, the first switch forwards a notification packet transmitted by the destination node to the source node, where the notification packet carries an in-network computing capability of the switch network.

BIER OAM Detection Method, Device, and System
20230155933 · 2023-05-18

A bit index explicit replication (BIER) operations, administration, and maintenance (OAM) detection method includes a bit forwarding ingress router (BFIR) obtaining a detection request packet based on a first BIER OAM packet, and sending the detection request packet to at least one bit forwarding egress router (BFER). The detection request packet includes a first packet and a first packet header. The first packet is a packet obtained by encapsulating the first BIER OAM packet. The first packet header includes a bit string, and the bit string indicates the at least one BFER that is to be measured.

TECHNIQUES FOR HIGH PERFORMANT VIRTUAL ROUTING CAPABILITIES

Techniques are disclosed for providing highly performant packet processing capabilities in a virtualized cloud environment that enhance the scalability and high availability of the packet processing infrastructure. In certain embodiments disclosed herein, the VNIC functionality performed by network virtualization devices (NVDs) is offloaded from the NVDs to a fleet of computers, referred to as a VNIC-as-a-Service system (or VNICaaS system). The VNICaaS system is configured to provide Virtual Network Interface Card (VNIC)-related functionality or service for multiple compute instances belonging to multiple tenants or customers of the CSPI. The VNICaaS system is capable of hosting multiple VNICs to process and transmit traffic in a distributed virtualized cloud network environment. A single VNIC executed by the VNICaaS system can be used to process packets received from multiple compute instances.