Patent classifications
H04L45/037
Self-describing packet headers for concurrent processing
A Self-Describing Packet Block (SDPB) is defined that allows concurrent processing of various fixed headers in a packet block, taking advantage of multiple cores in a networking node's forwarding-path architecture. The SDPB allows the various pieces of header data, metadata, and conditional commands carried in the same data packet to be processed concurrently by checking a serialization flag set upon creation of the data packet, without needing to serialize the processing or even the parsing of the packet. When one or more commands in one or more sub-blocks may be processed concurrently, the commands are distributed to multiple processing resources and processed in parallel. This architecture allows multiple unique functionalities, each with its own separate outcome (execution of commands, service chaining, telemetry, virtualization and path steering), to be performed concurrently with a simplified packet architecture and without incurring additional encapsulation overhead.
Method for securing the rendezvous connection in a cloud service using routing tokens
Systems and methods for establishing a secure connection are described. A server receives a plurality of routing tokens for establishing a service connection between a service node and the server along a network path through a plurality of network devices. Each routing token can be validated by a corresponding network device. The server transmits a packet including the routing tokens to a first network device. The first network device validates the first routing token associated with it, then directs the packet along the network path to a second network device, and so forth, until each network device has received and validated its routing token. The server establishes a cryptographic context between the service node and the server for a secure channel between them. The server transmits a service node routing token to the service node via the secure channel for validation.
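The hop-by-hop token walk described in this abstract, as an added example written for this page (not the patent's text or code). Everything about the token construction is an assumption the abstract leaves open: tokens are modelled as HMAC-SHA256 tags under a per-device key that bind the hop position, the server id, the service-node id and a per-connection nonce, so a token cannot be moved to another hop or replayed for another connection; the "cryptographic context" between server and service node is stood in for by a session key derived from a pre-shared secret rather than a real key agreement. The device names, keys, path and nonce are constructed.

```python
"""Hop-by-hop routing-token validation for a rendezvous connection.

Added example for this page; not the patent's code. Assumptions (not in the
abstract): HMAC-SHA256 tokens under per-device keys binding hop position,
server id, service-node id and a per-connection nonce; the server <-> service
node cryptographic context is a session key derived from a pre-shared secret.
"""
import hashlib
import hmac
from typing import List, Optional

TAG_LEN = 32

# Constructed keys for the example; a real deployment provisions these out of band.
DEVICE_KEYS = {
    "edge-1": bytes.fromhex("11" * 32),
    "core-2": bytes.fromhex("22" * 32),
    "edge-3": bytes.fromhex("33" * 32),
    "service-node": bytes.fromhex("44" * 32),
}
SERVER_SERVICE_PSK = bytes.fromhex("55" * 32)  # stand-in for a real key agreement

PATH = ["edge-1", "core-2", "edge-3"]          # constructed network path
SERVER_ID = b"server.example"
SERVICE_ID = b"service-node"
NONCE = bytes.fromhex("a1b2c3d4e5f60718")      # constructed per-connection nonce


def make_token(key: bytes, hop: int, server_id: bytes, service_id: bytes, nonce: bytes) -> bytes:
    """Routing token for one device: a MAC over the hop position and the connection
    identity, so it cannot be moved to another hop or replayed for another connection."""
    msg = b"|".join([b"routing-token", hop.to_bytes(2, "big"), server_id, service_id, nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_tokens(path: List[str], server_id: bytes, service_id: bytes, nonce: bytes) -> List[bytes]:
    """Hypothetical token issuer holding every device key: one token per hop of the path."""
    return [make_token(DEVICE_KEYS[dev], hop, server_id, service_id, nonce)
            for hop, dev in enumerate(path)]


def device_validates(device: str, hop: int, token: bytes,
                     server_id: bytes, service_id: bytes, nonce: bytes) -> bool:
    """A network device recomputes only its own token and compares in constant time."""
    expected = make_token(DEVICE_KEYS[device], hop, server_id, service_id, nonce)
    return hmac.compare_digest(expected, token)


def forward_packet(path: List[str], tokens: List[bytes],
                   server_id: bytes, service_id: bytes, nonce: bytes) -> Optional[int]:
    """Walk the path; each device checks its own token and forwards on success.
    Returns the index of the hop that dropped the packet, or None if every hop validated."""
    if len(tokens) != len(path):
        return 0
    for hop, device in enumerate(path):
        if not device_validates(device, hop, tokens[hop], server_id, service_id, nonce):
            return hop
    return None


def session_key(nonce: bytes) -> bytes:
    """Session key for the server <-> service-node channel (derived from the stand-in PSK)."""
    return hmac.new(SERVER_SERVICE_PSK, b"session|" + nonce, hashlib.sha256).digest()


def server_sends(sk: bytes, service_token: bytes) -> bytes:
    """Server sends the service-node routing token over the integrity-protected channel."""
    return service_token + hmac.new(sk, service_token, hashlib.sha256).digest()


def service_node_accepts(sk: bytes, msg: bytes, path_len: int,
                         server_id: bytes, service_id: bytes, nonce: bytes) -> bool:
    """Service node checks the channel tag first, then validates its own routing token
    (its hop position is the end of the path)."""
    if len(msg) != 2 * TAG_LEN:
        return False
    token, tag = msg[:TAG_LEN], msg[TAG_LEN:]
    if not hmac.compare_digest(hmac.new(sk, token, hashlib.sha256).digest(), tag):
        return False
    return device_validates("service-node", path_len, token, server_id, service_id, nonce)


if __name__ == "__main__":
    tokens = issue_tokens(PATH, SERVER_ID, SERVICE_ID, NONCE)
    print("dropped at hop:", forward_packet(PATH, tokens, SERVER_ID, SERVICE_ID, NONCE))  # None
    sk = session_key(NONCE)
    svc_token = make_token(DEVICE_KEYS["service-node"], len(PATH), SERVER_ID, SERVICE_ID, NONCE)
    print("service node accepts:", service_node_accepts(
        sk, server_sends(sk, svc_token), len(PATH), SERVER_ID, SERVICE_ID, NONCE))  # True
```

Because the hop position and nonce are inside the MAC, swapping two valid tokens or presenting a valid token set under a different nonce fails at the first device, which is the property a practitioner would want to confirm before trusting a token-steered path.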
PACKET PATH RECORDING WITH FIXED HEADER SIZE
Aspects of the embodiments are directed to systems, apparatuses and methods performed at a network element. Embodiments include receiving a packet; identifying a hop number for the network element; identifying a unique identifier for the network element; determining a path identifier based on the hop number and the unique identifier; augmenting the packet metadata with the path identifier; and transmitting the packet to a next network element.
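The per-element steps in this abstract (identify the hop number and own identifier, derive a path identifier from them, augment the metadata, forward), carried through as an added example written for this page rather than code from the patent. The abstract does not say how the path identifier is derived; the example assumes a fixed 8-byte value that each element folds forward as HMAC-SHA256 over the previous value, the hop number and its node id under a per-node key, so the header stays the same size however long the path is, and an egress verifier holding the node keys can recompute what the intended path should yield. The node names, keys and paths are constructed.

```python
"""Path recording in a fixed-size header field.

Added example for this page; not the patent's code. Assumption not in the
abstract: the path identifier is an 8-byte value folded forward per hop as
HMAC-SHA256(node key, previous id || hop number || node id), truncated.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

PATH_ID_LEN = 8

# Constructed per-element keys. An unkeyed hash would let any on-path element
# forge the record of the hops before it; keyed folding needs every node's key.
NODE_KEYS: Dict[str, bytes] = {
    "ingress": b"k-ingress", "r1": b"k-r1", "r2": b"k-r2", "r3": b"k-r3", "egress": b"k-egress",
}


@dataclass
class Metadata:
    hop: int = 0                                                         # hop number the next element sees
    path_id: bytes = field(default_factory=lambda: bytes(PATH_ID_LEN))  # fixed size, never grows


def fold_path_id(prev: bytes, hop: int, node_id: str) -> bytes:
    """Derive the new path identifier from the previous one, the hop number and own id."""
    msg = prev + hop.to_bytes(2, "big") + node_id.encode()
    return hmac.new(NODE_KEYS[node_id], msg, hashlib.sha256).digest()[:PATH_ID_LEN]


def at_network_element(meta: Metadata, node_id: str) -> Metadata:
    """The abstract's steps at one element: hop number, own identifier, path identifier,
    augmented metadata, then the packet goes to the next element."""
    meta.path_id = fold_path_id(meta.path_id, meta.hop, node_id)
    meta.hop += 1
    return meta


def traverse(path: List[str]) -> Metadata:
    """Send a fresh packet through every element on `path` and return its metadata."""
    meta = Metadata()
    for node in path:
        at_network_element(meta, node)
    return meta


def verify_path(meta: Metadata, intended_path: List[str]) -> bool:
    """Egress check: recompute what the intended path yields and compare in constant time."""
    expected = traverse(intended_path)
    return meta.hop == expected.hop and hmac.compare_digest(meta.path_id, expected.path_id)


if __name__ == "__main__":
    intended = ["ingress", "r1", "r2", "egress"]
    meta = traverse(intended)
    print(len(meta.path_id), verify_path(meta, intended))                     # 8 True
    print(verify_path(traverse(["ingress", "r1", "r3", "egress"]), intended))  # False
```

A detour through r3, a skipped hop, or a reordering all produce a different identifier while the field stays 8 bytes; the trade-off a practitioner should note is that truncating to 8 bytes bounds collision resistance, so the length is a tunable, not a constant to copy.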
SEGMENT ROUTING METHOD AND APPARATUS
This application provides a segment routing method and apparatus. The method includes: an ingress routing device receives a packet sent by a terminal device and obtains a functional program corresponding to that packet. The functional program indicates one or more sequential computing processing, service processing, or network processing steps/instructions; it includes one or more sequentially placed function identifiers (FIDs), each of which represents one computing processing, service processing, or network processing step/instruction.
Providing services at the edge of a network using selected virtual tunnel interfaces
For traffic exiting a logical network through a particular VTI, some embodiments perform a service classification operation for different data messages to identify different VTIs that connect the edge forwarding element to a service node to provide services required by the data messages. Each data message, in some embodiments, is then forwarded to the identified VTI to receive the required service. The identified VTI does not perform a service classification operation. The service node then returns the serviced data message to the edge forwarding element. In some embodiments, the identified VTI is not configured to perform the service classification operation and is instead configured to mark all traffic directed to the edge forwarding element as having been serviced. The marked serviced data message is received at the edge forwarding element and forwarded to a destination of the data message through the particular VTI.
Using router as service node through logical service plane
Some embodiments facilitate the provision of a service reachable at a virtual internet protocol (VIP) address. The VIP address is used by clients to access a set of service nodes in the logical network. Facilitating the provision of the service, in some embodiments, includes returning a serviced data message to a load balancer that selected a service node to provide the service for the load balancer to track the state of the connection using the service logical forwarding element. To use the service logical forwarding element, some embodiments configure an egress datapath of the service nodes to intercept the serviced data message before being forwarded to a logical forwarding element in the datapath from the client to the service node, and determine if the serviced data message requires routing by the routing service provided as a service by the edge forwarding element.
Using multiple transport mechanisms to provide services at the edge of a network
Some embodiments provide novel methods for providing different types of services for a logical network associated with an edge forwarding element acting between the logical network and an external network. The edge forwarding element receives data messages for forwarding and performs a service classification operation to select a set of services of a particular type for the data message. The particular type of service is one of multiple types of services that use different transport mechanisms to forward the data to a set of service nodes (e.g., service virtual machines, or service appliances, etc.) that provide the service. The edge forwarding element receives the data message after the selected set of services has been performed and performs a forwarding operation to forward the data message. In some embodiments, the method is also performed by edge forwarding elements that are at the edges of logical network segments within the logical network.
Systems and methods for configuring a communications network
Systems and methods are disclosed for configuring a communications network. In disclosed embodiments, a set of permissible service link decompositions and a set of basic service links may be obtained for the communications network. A spanning subset of service links for the communications network may be generated. Generation of the spanning subset may include selecting a decomposition of a first service link from a set of permissible service link decompositions; updating the set of permissible service link decompositions based on the selected decomposition; and updating the set of basic service links using the updated set of permissible service link decompositions. In some embodiments, obtaining the set of permissible service link decompositions can include generating a set of permissible service link decompositions by traversing decomposition graphs generated for each of the service links. In some embodiments, the communications network can be configured to satisfy network demands using the spanning subset.
Execution of a command within a conditional command received in a data packet
A mechanism is disclosed for implementing conditional commands carried by network data packets. A data flow including a data packet is received. The data packet includes a conditional command. A condition and a command are obtained from the conditional command. The mechanism determines that the condition is satisfied. Based on the determination that the condition is satisfied, the command is executed to alter handling of the data flow, alter handling of the data packet, or alter a context for the data flow.
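An added example, written for this page and not taken from either patent, that illustrates both the Self-Describing Packet Block abstract earlier on this page (sub-blocks parsed once, then processed concurrently unless a serialization flag set at packet creation says otherwise) and the conditional-command abstract just above (obtain a condition and a command from the packet, execute the command only if the condition holds, altering handling of the packet or the flow context). The wire format, field names and command vocabulary are constructed: a header of version, flags and sub-block count; sub-blocks of type, length and payload; and a conditional command carried as the ASCII payload "<condition>|<command>". The bounds-checked parser runs before anything is handed to a worker, so a hostile length field fails in one place instead of in a thread.

```python
"""Self-describing packet block with conditional-command sub-blocks.

Added example for this page; not the patents' code. The wire format, condition
grammar and command names are constructed for illustration.
"""
import operator
import struct
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional, Tuple

FLAG_SERIALIZE = 0x01                 # set at packet creation when sub-blocks depend on each other
SB_METADATA, SB_COND_CMD, SB_TELEMETRY = 1, 2, 3
HDR = struct.Struct("!BBH")           # version, flags, sub-block count
SUB = struct.Struct("!BH")            # sub-block type, payload length
OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq, "<": operator.lt, ">": operator.gt}


def build_block(flags: int, subblocks: List[Tuple[int, bytes]]) -> bytes:
    out = bytearray(HDR.pack(1, flags, len(subblocks)))
    for sb_type, payload in subblocks:
        out += SUB.pack(sb_type, len(payload)) + payload
    return bytes(out)


def parse_block(data: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Bounds-checked parse: every length is validated against the buffer before any
    sub-block is dispatched, so a bad length fails here rather than inside a worker."""
    if len(data) < HDR.size:
        raise ValueError("short header")
    version, flags, count = HDR.unpack_from(data, 0)
    if version != 1:
        raise ValueError("unsupported version")
    offset, subs = HDR.size, []
    for _ in range(count):
        if offset + SUB.size > len(data):
            raise ValueError("truncated sub-block header")
        sb_type, length = SUB.unpack_from(data, offset)
        offset += SUB.size
        if offset + length > len(data):
            raise ValueError("sub-block length exceeds block")
        subs.append((sb_type, data[offset:offset + length]))
        offset += length
    return flags, subs


def condition_holds(cond: str, pkt: Dict[str, int], flow: Dict[str, int]) -> bool:
    """Condition grammar: '<field><op><int>', field a packet field or 'flow.<name>'."""
    for op in OPS:                    # two-character operators are listed first
        if op in cond:
            lhs, rhs = cond.split(op, 1)
            source, name = (flow, lhs[5:]) if lhs.startswith("flow.") else (pkt, lhs)
            return OPS[op](source[name], int(rhs))
    raise ValueError("unparseable condition: " + cond)


def evaluate(sb_type: int, payload: bytes, pkt: Dict, flow: Dict) -> Optional[str]:
    """Turn one sub-block into an action (or None) without mutating any state."""
    text = payload.decode("ascii")
    if sb_type == SB_COND_CMD:
        cond, cmd = text.split("|", 1)
        return cmd if condition_holds(cond, pkt, flow) else None
    if sb_type == SB_METADATA:
        return "metadata:" + text
    if sb_type == SB_TELEMETRY:
        return "telemetry:" + text
    return None                       # unknown sub-block types are skipped, not fatal


def apply(action: str, pkt: Dict, flow: Dict) -> None:
    """Commands alter handling of the packet, handling of the flow, or the flow context."""
    if action == "drop":
        pkt["drop"] = True
    elif action.startswith("set_priority="):
        flow["priority"] = int(action.split("=", 1)[1])
    elif action.startswith("steer="):
        flow["path"] = action.split("=", 1)[1]


def process(data: bytes, pkt: Dict, flow: Dict) -> List[str]:
    """Parse once, then process sub-blocks serially or in parallel per the flag."""
    flags, subs = parse_block(data)
    if flags & FLAG_SERIALIZE:
        actions = []                  # serialized: each sub-block sees the effects of earlier ones
        for sb_type, payload in subs:
            action = evaluate(sb_type, payload, pkt, flow)
            if action:
                apply(action, pkt, flow)
                actions.append(action)
        return actions
    # Concurrent: evaluate all sub-blocks in parallel against the packet as received,
    # then apply the resulting actions in sub-block order (map() preserves order).
    with ThreadPoolExecutor(max_workers=4) as pool:
        results = list(pool.map(lambda sb: evaluate(sb[0], sb[1], pkt, flow), subs))
    actions = [a for a in results if a]
    for action in actions:
        apply(action, pkt, flow)
    return actions
```

The two modes give the same result for independent sub-blocks, but a command whose condition reads state that an earlier command in the same packet writes (set a priority, then steer on that priority) only works when the serialization flag is set; that is why the flag has to be decided by whoever creates the packet, not guessed by the forwarding node.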
Connectivity segment coloring
A novel method for fully utilizing the multicast or broadcast capability of a physical network is provided. The method identifies segments of the network within which broadcast traffic, multicast traffic, or traffic to unknown recipients (BUM traffic) is allowed or enabled. An identified segment encompasses the parts of the network that the BUM traffic is able to reach while excluding the network nodes that it is unable to reach. Each identified segment includes network nodes that are interconnected by physical network hardware that supports BUM traffic. The method identifies multiple BUM traffic segments in a given network, each of which supports its own BUM traffic. The different BUM traffic segments are interconnected by physical network hardware that does not support BUM traffic. Each identified segment is assigned an identifier that uniquely distinguishes it from the other identified segments.
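The segment identification in this abstract reduces to finding the connected components of the network over BUM-capable links only, then numbering them; the following is an added example written for this page, not the patent's code. The topology is constructed: each link is (node, node, bum_capable), with bum_capable saying whether the physical hardware on that link carries broadcast, unknown-unicast and multicast traffic. Two fabrics are joined by a unicast-only underlay link, and a gateway hangs off one of them without BUM support.

```python
"""Connectivity segment coloring.

Added example for this page; not the patent's code. The topology is constructed.
A segment is a maximal set of nodes mutually reachable over BUM-capable links;
segments touch each other only through links that do not carry BUM traffic.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str, bool]   # (node_a, node_b, bum_capable)

LINKS: List[Link] = [
    ("h1", "sw1", True), ("h2", "sw1", True), ("sw1", "sw2", True), ("sw2", "h3", True),
    ("sw2", "sw3", False),     # unicast-only underlay between the two fabrics
    ("sw3", "h4", True), ("sw3", "h5", True),
    ("sw3", "gw", False),      # gateway attached over a link without BUM support
]


def color_segments(links: List[Link]) -> Dict[str, int]:
    """Assign every node the identifier of its BUM segment: the connected components
    of the graph restricted to BUM-capable links, numbered uniquely across the network."""
    nodes: Set[str] = set()
    adj: Dict[str, Set[str]] = defaultdict(set)
    for a, b, bum_capable in links:
        nodes.update((a, b))
        if bum_capable:            # non-BUM links do not join nodes into a segment
            adj[a].add(b)
            adj[b].add(a)
    segment: Dict[str, int] = {}
    next_id = 1
    for start in sorted(nodes):    # sorted so numbering is deterministic
        if start in segment:
            continue
        segment[start] = next_id
        queue = deque([start])
        while queue:               # breadth-first flood over BUM-capable links
            node = queue.popleft()
            for peer in adj[node]:
                if peer not in segment:
                    segment[peer] = next_id
                    queue.append(peer)
        next_id += 1
    return segment


def bum_reach(segment: Dict[str, int], source: str) -> Set[str]:
    """Nodes a BUM frame from `source` can reach: exactly its own segment."""
    return {n for n, s in segment.items() if s == segment[source]}


def inter_segment_links(links: List[Link], segment: Dict[str, int]) -> List[Tuple[str, str]]:
    """Links joining different segments; by construction none of them carries BUM traffic."""
    return [(a, b) for a, b, _ in links if segment[a] != segment[b]]


def coloring_is_consistent(links: List[Link], segment: Dict[str, int]) -> bool:
    """Sanity check: no BUM-capable link may straddle two segments."""
    return all(segment[a] == segment[b] for a, b, bum_capable in links if bum_capable)


if __name__ == "__main__":
    seg = color_segments(LINKS)
    print(seg)
    print("h1 reaches:", sorted(bum_reach(seg, "h1")))
    print("segment boundaries:", inter_segment_links(LINKS, seg))
```

A node attached only over non-BUM links (gw here) ends up as a segment of one; that is the correct answer, not a defect, because a broadcast from it reaches nobody.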