Patent classifications
H04L12/717
PRIVACY PRESERVING ROUTING
A system, method, and non-transitory computer readable storage medium for privacy preserving routing of a data packet. The data packet may comprise a packet header and a data payload; the packet header comprising at least a homomorphically encrypted final destination address of a final destination device. An intermediate routing device may receive the data packet. At the intermediate routing device, in a non-TEE, homomorphic computations may be performed to determine a homomorphically encrypted address of a next intermediate routing device. At the intermediate routing device, in a TEE, one or more secret homomorphic decryption keys may be stored and used to decrypt the homomorphically encrypted address of the next intermediate routing device. The data packet may be transmitted to the decrypted address of the next intermediate routing device according to an updated packet header with the unencrypted address of the next intermediate routing device in the sequence.
Method and apparatus for routing packet in segment routing network based on IPv6
A method for routing a packet in a segment routing network includes extracting a destination Internet Protocol (IP) address from an IP header of the packet received by a routing node wherein the destination IP address includes a network identifier, a node identifier, a function identifier, and an argument; determining whether the network identifier and the node identifier match a routing node identifier; when the network identifier and the node identifier match the routing node identifier, determining a function to be executed based on the function identifier and the argument; when the function to be executed is determined, updating the node identifier, the function identifier, and the argument according to a segment list included in a segment routing header of the packet; and routing the packet according to the updated node identifier, the updated function identifier, and the updated argument in the destination IP address.
In-band management interface with user space datapath
A method of utilizing the same hardware network interface card (NIC) in a gateway of a datacenter to communicate datacenter tenant packet traffic and packet traffic for a set of applications that execute in the user space of the gateway and utilize a network stack in the kernel space of the gateway. The method sends and receives packets for the datacenter tenant packet traffic through a packet datapath in the user space. The method sends incoming packets from the NIC to the set of applications through the datapath in the user space, a user-kernel transport driver connecting the kernel network stack to the datapath in the user space, and the kernel network stack. The method receives outgoing packets at the NIC from the set of applications through the kernel network stack, the user-kernel transport driver, and the data path in the user space.
SOFTWARE-DEFINED NETWORKING DATA RE-DIRECTION
Aspects of data re-direction are described, which can include software-defined networking (SDN) data re-direction operations. Some aspects include data re-direction operations performed by one or more virtualized network functions. In some aspects, a network router decodes an indication of a handover of a user equipment (UE) from a first end point (EP) to a second EP. Based on the indication, the router can update a relocation table including the UE identifier, an identifier of the first EP, and an identifier of the second EP. The router can receive a data packet for the UE, configured for transmission to the first EP, and modify the data packet, based on the relocation table, for rerouting to the second EP. In some aspects, the router can decode handover prediction information, including an indication of a predicted future geographic location of the UE, and update the relocation table based on the handover prediction information.
PACKET PROCESSING METHOD, PACKET FORWARDING APPARATUS, AND PACKET PROCESSING APPARATUS
This application discloses a packet processing method that is applied to an EVPN, where the EVPN includes a first network device and a second network device. The method includes: receiving, by the first network device, a VXLAN packet sent by the second network device, where the VXLAN packet includes a path identifier and a service packet, the path identifier indicates a path from the first network device to a VNF device through an IPU, and the service packet includes a destination IP address; determining, by the first network device based on the path identifier, first routing information; and forwarding, by the first network device, the service packet to the VNF device via the IPU based on the first routing information and the destination IP address.
COMMUNICATION APPARATUS AND COMMUNICATION METHOD
A communication device includes a processor. The processor updates, when a port at which a packet is received is connected to a first path or a second path, an identifier assigned to the packet from a value according to the path to a first value or a second value. The processor learns a correspondence relationship between a destination address of the packet and a transmission port by flooding the packet, and determines the transmission port based on the correspondence relationship. The processor updates, when the transmission port is connected to the first path or the second path, the identifier assigned to the packet for which the transmission port is determined to a value according to the first path or the second path. The processor discards the packet whose identifier is updated to the second value by the first process and whose transmission port is connected to the second path.
Receiver directed anonymization of identifier flows in identity enabled networks
A method implemented by a receiving host entity comprises transmitting, by a transmitter of the receiving host entity, an anonymized identifier of the receiving host entity, wherein the anonymized identifier is a temporary and recyclable identifier identifying the receiving host entity, and receiving, by a receiver of the receiving host entity, a data packet from a sending host entity, wherein the data packet includes the anonymized identifier.
Systems and methods for monitoring and securing networks using a shared buffer
Disclosed are systems and methods for securing a network including one or more network nodes connecting a plurality of network connected devices of the network. A method may include: receiving and temporarily storing a plurality of data packets in a shared buffer of a network node; receiving requests from a first processing engine and a second processing engine to access a temporarily stored data packet; generating a first pointer and a second pointer to the temporarily stored data packet, the second pointer being different from the first pointer while pointing to the same temporarily stored data packet; and enabling the first processing engine to use the generated first pointer to access the temporarily stored data packet and the second processing engine to use the generated second pointer to access the temporarily stored data packet.
EDGE DATAPATH USING USER SPACE NETWORK STACK
A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. The datapath daemon dispatches packets to other processes or processing threads outside of the daemon by utilizing a user space network stack.
MALLEABLE ROUTING FOR DATA PACKETS
Various implementations disclosed herein enable malleable routing for data packets. For example, in various implementations, a method of routing a type of data packets is performed by a device. In some implementations, the device includes a non-transitory memory and one or more processors coupled with the non-transitory memory. In some implementations, the method includes determining a routing criterion to transmit a set of data packets across a network. In some implementations, the method includes identifying network nodes and communication links in the network that satisfy the routing criterion. In some implementations, the method includes determining a route for the set of data packets through the network nodes and the communication links that satisfy the routing criterion. In some implementations, the method includes configuring the network nodes that are on the route with configuration information that allows the set of data packets to propagate along the route.