Patent classifications
H04L49/9068
Logical router with multiple routing components
Some embodiments provide a method for handling failure at one of several peer centralized components of a logical router. At a first one of the peer centralized components of the logical router, the method detects that a second one of the peer centralized components has failed. In response to the detection, the method automatically identifies a network layer address of the failed second peer. The method assumes responsibility for data traffic to the failed peer by broadcasting a message on a logical switch that connects all of the peer centralized components and a distributed component of the logical router. The message instructs recipients to associate the identified network layer address with a data link layer address of the first peer centralized component.
METHOD AND SYSTEM FOR CENTRAL PROCESSING UNIT EFFICIENT STORING OF DATA IN A DATA CENTER
A method and network interface card (NIC) providing central processor unit efficient storing of data. The NIC receives a request for registering a memory address range in the NIC, the request comprising a rewrite protection granularity for the memory address range. When receiving data from a client process, subsequent to registering of said memory address range, said data having an address within the memory address range, the NIC determines whether the rewrite protection granularity of the NIC is reached, when receiving said data. In the event that the rewrite protection granularity is reached, the NIC inactivates the memory address range according to said reached rewrite protection granularity. The auto-inactivated memory address range also provides a rewrite protection of data when storing data. Remote logging or monitoring of data is also enabled, wherein the logging or monitoring may be regarded as server-less.
Hybrid network processing load distribution in computing systems
Embodiments of hybrid network processing load distribution in a computing device are disclosed herein. In one embodiment, a method includes receiving, at a main processor, an indication from the network interface controller to perform network processing operations for first and second packets in a queue of a virtual port of the network interface controller, and in response to receiving the request, assigning multiple cores for performing the network processing operations for the first and second packets, respectively. The method also includes performing the network processing operations at the multiple cores to effect processing and transmission of the first and second packets to first and second applications, respectively, both the first and second applications executing in a virtual machine hosted on the computing device.
Direct Packet Placement
Communication apparatus includes a host interface and a network interface, which receives from a packet communication network at least one packet stream including a sequence of data packets, which include headers containing respective sequence numbers and data payloads containing slices of the data segment having a predefined, fixed size per slice. Packet processing circuitry is configured to receive the data packets from the network interface, and to map the data payloads of the data packets in the at least one packet stream, using a linear mapping of the sequence numbers, to respective addresses in the buffer.
Transmission device and resource allocation method
[Problem] To allocate the IFs to be used, in accordance with the buffers, such that no packet loss occurs in a case in which a transfer apparatus that performs packet transfer includes as many buffers as there are groups, each buffer having grouped interfaces (IFs) mounted on it in units of groups. [Solving Means] A packet transfer apparatus 10C has a plurality of buffers 11a to 11n on which IFs are mounted in units of groups and, when the traffic amount at the time of packet transfer of the IFs of each of the buffers exceeds the maximum transfer capacity of the IFs, buffers the packets corresponding to the exceeding traffic amount in the buffers. An IF allocation unit 23 included in the transfer apparatus 10C selects, in a case in which IF groups with no occurrence of any loss indicating packet discarding at the time of the packet transfer in the IFs for a unit time are present among all the IF groups, the IF group with the longest non-occurrence time of the buffering from among the IF groups with no occurrence of any loss, and performs IF allocation by allocating traffic of packets to the IFs in the selected IF group.
SCALABLE PROTOCOL-AGNOSTIC RELIABLE TRANSPORT
Examples described herein relate to a network interface device that includes circuitry to track one or more gaps in received packet sequence numbers using data and circuitry to indicate to a sender of packets non-delivered packets to identify a range of delivered packets. In some examples, the data identifies delivered packets and undelivered packets for one or more connections. In some examples, to indicate to a sender of packets non-delivered packets to identify a range of delivered packets, the circuitry is to provide a negative acknowledgement sequence range indicating a start and end of non-delivered packets.
Hardware acceleration device for denial-of-service attack identification and mitigation
Systems and methods for providing an integrated or Smart NIC-based hardware accelerator for a network security device to facilitate identification and mitigation of DoS attacks are provided. According to one embodiment, a processor of a network security device receives an application layer protocol request from a client, directed to a domain hosted by various servers and protected by the network security device. The application layer protocol request is parsed to extract a domain name and a path string. The hardware acceleration sub-system updates rate-based counters based on the application layer protocol request by performing a longest prefix match on the domain name and the path string. When a rate threshold associated with the rate-based counters is exceeded, a challenge message is created and transmitted to the client, having embedded therein the application layer protocol request; otherwise the application layer protocol request is allowed to pass through the network security device.
SYSTEMS FOR BUILDING DATA STRUCTURES WITH HIGHLY SCALABLE ALGORITHMS FOR A DISTRIBUTED LPM IMPLEMENTATION
Described are programmable IO devices configured to perform operations. These operations comprise: determining a set of range-based elements for a network; sorting the set of range-based elements according to a global order among the range-based elements; generating an interval table from the sorted range-based elements; generating an interval binary search tree from the interval table; propagating data stored in subtrees of interior stages of the interval binary search tree to subtrees of a last stage of the interval binary search tree such that the interior stages do not comprise data; converting the interval binary search tree to a Pensando Tree; compressing multiple levels of the Pensando Tree into cache-lines; and assembling the cache-lines in the memory unit such that each stage can compute an address of a next-cache line to be fetched by a next stage.
Flow Table Aging Optimized For DRAM Access
A flow table management system can include a hardware memory module communicatively coupled to a network interface card. The hardware memory module is configured to store a flow table including a plurality of network flow entries. The network interface card further includes a flow table age cache configured to store a set of recently active network flows and a flow table management module configured to manage a duration for which respective network flow entries in the flow table stored in the hardware memory module remain in the flow table using the flow table age cache. In some implementations, age information about each respective flow in the flow table is stored in the hardware memory module in an age state table that is separate from the flow table.
Forwarding element slice identifying control plane
Some embodiments of the invention provide a novel method of performing network slice-based operations on a data message at a hardware forwarding element (HFE) in a network. For a received data message flow, the method has the HFE identify a network slice associated with the received data message flow. This network slice in some embodiments is associated with a set of operations to be performed on the data message by several network elements, including one or more machines executing on one or more computers in the network. Once the network slice is identified, the method has the HFE process the data message flow based on a rule that applies to data messages associated with the identified slice.