Patent classifications
H04L69/326
Domain name system as an authoritative source for multipath mobility policy
Techniques are described to provide multipath mobility via Domain Name System-as-an-Authoritative Source (DNS-AS) techniques. In one example, a method includes obtaining, by a multipath policy decision element, a plurality of multipath policy recommendations for an application, wherein the plurality of multipath policy recommendations are obtained from one or more multipath policy recommendation elements; combining the plurality of multipath policy recommendations to generate a policy enforcement decision, wherein the policy enforcement decision identifies, at least in part, one or more network paths that are to be utilized for one or more packet flows associated with the application, wherein each of the one or more network paths is associated with an access type; and enforcing the policy enforcement decision for one or more packet flows associated with the application.
CONTROLLER AREA NETWORK TRAFFIC FLOW CONFIDENTIALITY
A transmitter device of a bus-based communication system may add one or more padding bits, associated with providing traffic flow confidentiality for communication of a payload on a communication bus, either to the payload on a transport layer, or to one or more first frames on a data link layer. The one or more first frames may include a transport layer payload associated with the payload. The transmitter device may transmit one or more second frames, including a data link layer payload associated with the one or more first frames, on the communication bus. A receiver device of the bus-based communication system may receive the one or more second frames on the communication bus. The receiver device may process the one or more padding bits from either the one or more first frames on the data link layer, or from the payload on the transport layer.
INTERNET PROTOCOL SECURITY (IPSEC) TUNNEL USING ANYCAST AT A DISTRIBUTED CLOUD COMPUTING NETWORK
An IPsec tunnel request for establishing an IPsec tunnel from a customer router to an anycast IP address of a distributed cloud computing network is received. The same anycast IP address is shared among compute servers of the distributed cloud computing network. A handshake is performed with the customer router from a first compute server including generating security associations for encrypting and decrypting IPsec traffic. The security associations are propagated to each compute server and are used for encrypting and decrypting traffic.
DETERMINING WHETHER TO RATE LIMIT TRAFFIC
Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a particular logical router. As part of the processing stage for the particular logical router, the method (i) uses an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router and (ii) only when the data message is subject to rate limiting controls, determines whether to allow the data message according to a rate limiting mechanism for the particular logical router.
CONCURRENT TLS DATA STREAMS USING A SINGLE HANDSHAKE
In an approach to efficient concurrent TLS data streams, a parent connection is established by performing a normal TLS handshake. A concurrent mode of operation is negotiated, where one or more child connections are established without using the TLS handshake. The one or more child connections are associated to the parent connection. Child application traffic secrets are derived for each child connection of the one or more child connections from application traffic secrets of the parent.
MANAGING PROXY THROUGHPUT BETWEEN PAIRED TRANSPORT LAYER CONNECTIONS
A proxy server can be configured to manage flow between terminated transport layer connections despite incongruous network conditions. The proxy server is programmed to dynamically adjust window size of one transport layer connection in the pair of proxy terminated connections to accommodate the other connection. After detecting a network condition related to one of the connections, the proxy server determines a drain rate of the transmit buffer of the transport layer connection corresponding to the impacting network condition. The proxy server then adjusts the transport layer window size for the other connection of the connection pair based on the determined drain rate.
Supporting a routing protocol with a transport layer protocol
Various example embodiments for supporting link-state flooding for a routing protocol based on use of a transport layer protocol are presented. Such embodiments may be configured to use routing protocol messages of the routing protocol to support establishment of transport layer connections of the transport layer protocol (e.g., using adjacency messages of the routing protocol to identify routers configured to support use of transport layer connections for link-state flooding). Such embodiments may also be configured to use the transport layer connections to carry routing protocol messages of the routing protocol (e.g., adjacency messages, link-state messages for flooding of link-state information, or the like, as well as various combinations thereof).