Patent classifications
H04L69/326
Datapath for multiple tenants
A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can include service-providing stages such as NAT and firewall. The gateway caches the result of previous packet operations and reapplies the result to subsequent packets that meet certain criteria. For packets that do not have an applicable or valid result from previous packet-processing operations, the gateway datapath daemon executes the pipelined packet-processing stages, records a set of data from each stage of the pipeline, and synthesizes that data into a cache entry for subsequent packets.
DATA PLANE SCALABLE ARCHITECTURE FOR WIRELESS COMMUNICATION
Embodiments of apparatus and method for data plane management are disclosed. In one example, an apparatus for communication both uplink and downlink can include a plurality of downlink clusters, each downlink cluster including a downlink cluster processor configured to process three or more downlink data layers. The apparatus can also include a plurality of uplink clusters, each uplink cluster including an uplink cluster processor configured to process three or more uplink data layers. The apparatus can further include a controller configured to scale the plurality of downlink clusters and configured to scale the plurality of uplink clusters. Scaling the plurality of downlink clusters and the plurality of uplink clusters can include activating or deactivating one or more clusters of the plurality of downlink clusters, the plurality of uplink clusters, or both the plurality of downlink clusters and the plurality of uplink clusters.
Server Node-Controlled Advertisement
Technology described herein can globally perform management of security tokens of plural nodes of a multi-node system. In an embodiment, a system can comprise an interconnected group of server nodes, and an administrator node communicatively connected to the interconnected group of server nodes and comprising a processor, and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations. The operations can comprise: selecting a server node of the interconnected group of server nodes as a leader server node, resulting in a selection of the leader server node; in response, receiving, by the administrator node from the leader server node, a request for a new security token; sending, to the leader server node, the new security token; and broadcasting, by the leader server node across a link layer discovery protocol (LLDP) network, the new security token to additional nodes of the interconnected group of server nodes.
In-band management interface with user space datapath
A method is provided for utilizing the same hardware network interface card (NIC) in a gateway of a datacenter to communicate datacenter tenant packet traffic and packet traffic for a set of applications that execute in the user space of the gateway and utilize a network stack in the kernel space of the gateway. The method sends and receives packets for the datacenter tenant packet traffic through a packet datapath in the user space. The method sends incoming packets from the NIC to the set of applications through the datapath in the user space, a user-kernel transport driver connecting the kernel network stack to the datapath in the user space, and the kernel network stack. The method receives outgoing packets at the NIC from the set of applications through the kernel network stack, the user-kernel transport driver, and the datapath in the user space.
Managing session secrets for continuous packet capture systems
Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session, including a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. The key information and the correlation information may be stored in a key escrow. The key information may be indexed in the key escrow using the correlation information.
Systems and methods for altering the character of network traffic
Systems and methods for altering the character of data originating from a Virtual Private Network (VPN) are provided. First data is received from the VPN by a first network interface. The first data comprises a first plurality of packets. A message is generated by combining the first plurality of packets. Second data is generated by segmenting the message into a second plurality of packets. A third plurality of packets in the second plurality of packets is equal to the network maximum transfer unit allowed by the Internet, and the last packet in the second plurality of packets is less than the network maximum transfer unit allowed by the Internet. The second data is forwarded to a second network interface. The second network interface sends the data to a web server.