WO2018167539A1 - Ipsec bypass in sdn network - Google Patents

Ipsec bypass in sdn network Download PDF

Info

Publication number
WO2018167539A1
WO2018167539A1 PCT/IB2017/051520 IB2017051520W WO2018167539A1 WO 2018167539 A1 WO2018167539 A1 WO 2018167539A1 IB 2017051520 W IB2017051520 W IB 2017051520W WO 2018167539 A1 WO2018167539 A1 WO 2018167539A1
Authority
WO
WIPO (PCT)
Prior art keywords
ipsec
flow
security association
network
switch
Prior art date
Application number
PCT/IB2017/051520
Other languages
French (fr)
Inventor
Ashutosh Bisht
Riyazahmed D. TALIKOTI
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to PCT/IB2017/051520 priority Critical patent/WO2018167539A1/en
Publication of WO2018167539A1 publication Critical patent/WO2018167539A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/38Flow based routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/64Routing or path finding of packets in data switching networks using an overlay routing layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/104Peer-to-peer [P2P] networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/60Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/63Routing a service request depending on the request content or context

Definitions

  • Embodiments of the invention relate to the field of computer networks, and more specifically, to allowing a flow to bypass an IPsec device in a software defined networking (SDN) network.
  • SDN software defined networking
  • SDN Software Defined Networking
  • the use of a split architecture network simplifies the network devices (e.g., switches) implementing the forwarding plane by shifting the intelligence of the network into one or more controllers that oversee the switches.
  • SDN facilitates rapid and open innovation at the network layer by providing a programmable network infrastructure.
  • VPN Virtual Private Network
  • IPsec Internet Protocol security
  • IPsec provides a set of security services for traffic at the Internet Protocol (IP) layer. For example, IPsec may provide confidentiality, data integrity, access control, and data source authentication for IP datagrams.
  • Cloud operating systems can be used to manage large pools of compute, storage, and networking resources throughout a datacenter. Cloud operating systems can be used to create a VPN setup between two sites. This feature is sometimes referred to as VPN as a service (VPNaaS). Configuring a VPN service between two sites typically involves the following operations at each site: creating an Internet Key Exchange (IKE) policy, creating an IPsec policy, creating a VPN service (in OpenStack this includes noting the "external router” and "subnet” associated with the external router), and adding a site connection (which binds the IKE policy, IPsec policy, and the VPN service).
  • IKE Internet Key Exchange
  • IPsec deployments typically rely on a single centralized physical VPN node to perform all of the IPsec related processing such as packet encryption and decryption.
  • This deployment model increases the latency of traffic since traffic needs to be steered through the centralized node.
  • this deployment model limits the scalability for providing IPsec services since the centralized node has a finite amount of computing resources to perform IPsec related processing.
  • a method is implemented by a software defined networking (SDN) controller in an SDN network to distribute Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller.
  • the method includes obtaining an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device, transmitting the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow, transmitting instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module, and transmitting an indication to the IPsec device that the flow is to bypass the IPsec device.
  • IP Internet Protocol
  • IPsec Internet Protocol
  • a network device is configured to function as a software defined networking (SDN) controller in an SDN network to distribute Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller.
  • the network device includes a set of one or more processors and a non-transitory machine-readable storage medium having stored therein an IPsec device bypass component.
  • the IPsec device bypass component when executed by the set of one or more processors, causes the network device to obtain an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device, transmit the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow, transmit instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module, and transmit an indication to the IPsec device that the flow is to bypass the IPsec device.
  • a non-transitory machine-readable medium that has computer code stored therein, which when executed by a set of one or more processors of a network device functioning as a software defined networking (SDN) controller in an SDN network, causes the network device to perform operations for distributing Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller.
  • IP Internet Protocol
  • IPsec Internet Protocol security
  • the operations include obtaining an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device, transmitting the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow, transmitting instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module, and transmitting an indication to the IPsec device that the flow is to bypass the IPsec device.
  • Fig. 1 is a block diagram of two datacenters that are communicatively coupled by an IPsec tunnel, according to some embodiments.
  • Fig. 2 is a diagram illustrating IKE communications between IPsec devices, according to some embodiments.
  • Fig. 3 is a diagram illustrating packet processing operations in a network before IPsec device bypass for a flow is configured, according to some embodiments.
  • Fig. 4 is a diagram illustrating operations for configuring IPsec device bypass for a flow in an SDN network, according to some embodiments.
  • Fig. 5A is a diagram illustrating outgoing packet processing operations in a network after IPsec device bypass for a flow has been configured, according to some embodiments.
  • Fig. 5B is a diagram illustrating incoming packet processing operations in a network after IPsec device bypass for a flow has been configured, according to some embodiments.
  • Fig. 6 is a diagram illustrating operations for handling termination of a flow, according to some embodiments.
  • Fig. 7 is a diagram illustrating operations for handling an update to an IPsec security association for a flow, according to some embodiments.
  • Fig. 8 is a diagram illustrating operations for handling deletion of an IPsec security association for a flow, according to some embodiments.
  • Fig. 9 is a flow diagram of a process performed by an SDN controller for implementing IPsec device bypass in an SDN network, according to some embodiments.
  • Fig. 10 is a flow diagram of a process performed by an IPsec device for implementing IPsec device bypass in an SDN network, according to some embodiments.
  • Fig. 11 is a flow diagram of a process performed by a switch for implementing IPsec device bypass in an SDN network, according to some embodiments.
  • Figure 12A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some embodiments of the invention.
  • Figure 12B illustrates an exemplary way to implement a special-purpose network device according to some embodiments of the invention.
  • FIG. 12C illustrates various exemplary ways in which virtual network elements (VNEs) may be coupled according to some embodiments of the invention.
  • VNEs virtual network elements
  • Figure 12D illustrates a network with a single network element (NE) on each of the NDs, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention.
  • NE network element
  • Figure 12E illustrates the simple case of where each of the NDs implements a single NE, but a centralized control plane has abstracted multiple of the NEs in different NDs into (to represent) a single NE in one of the virtual network(s), according to some embodiments of the invention.
  • Figure 12F illustrates a case where multiple VNEs are implemented on different NDs and are coupled to each other, and where a centralized control plane has abstracted these multiple VNEs such that they appear as a single VNE within one of the virtual networks, according to some embodiments of the invention.
  • Figure 13 illustrates a general purpose control plane device with centralized control plane (CCP) software 1350), according to some embodiments of the invention.
  • CCP centralized control plane
  • IPsec Internet Protocol security
  • references in the specification to "one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • Bracketed text and blocks with dashed borders may be used herein to illustrate optional operations that add additional features to embodiments of the invention. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain embodiments of the invention.
  • Coupled is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other.
  • Connected is used to indicate the establishment of communication between two or more elements that are coupled with each other.
  • An electronic device stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using machine-readable media (also called computer-readable media), such as machine-readable storage media (e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals).
  • machine-readable media also called computer-readable media
  • machine-readable storage media e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory
  • machine-readable transmission media also called a carrier
  • carrier e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, inf
  • an electronic device e.g., a computer
  • hardware and software such as a set of one or more processors (e.g., wherein a processor is a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application specific integrated circuit, field programmable gate array, other electronic circuitry, a combination of one or more of the preceding) coupled to one or more machine-readable storage media to store code for execution on the set of processors and/or to store data.
  • processors e.g., wherein a processor is a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application specific integrated circuit, field programmable gate array, other electronic circuitry, a combination of one or more of the preceding
  • an electronic device may include non-volatile memory containing the code since the non- volatile memory can persist code/data even when the electronic device is turned off (when power is removed), and while the electronic device is turned on that part of the code that is to be executed by the processor(s) of that electronic device is typically copied from the slower nonvolatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of that electronic device.
  • Typical electronic devices also include a set or one or more physical network interface(s) (NI(s)) to establish network connections (to transmit and/or receive code and/or data using propagating signals) with other electronic devices.
  • NI(s) physical network interface
  • a physical NI may comprise radio circuitry capable of receiving data from other electronic devices over a wireless connection and/or sending data out to other devices via a wireless connection.
  • This radio circuitry may include transmitter(s), receiver(s), and/or transceiver(s) suitable for radiofrequency communication.
  • the radio circuitry may convert digital data into a radio signal having the appropriate parameters (e.g., frequency, timing, channel, bandwidth, etc.). The radio signal may then be transmitted via antennas to the appropriate recipient(s).
  • the set of physical NI(s) may comprise network interface controller(s) (NICs), also known as a network interface card, network adapter, or local area network (LAN) adapter.
  • NICs network interface controller
  • the NIC(s) may facilitate in connecting the electronic device to other electronic devices allowing them to communicate via wire through plugging in a cable to a physical port connected to a NIC.
  • One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.
  • a network device is an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices).
  • Some network devices are "multiple services network devices" that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video).
  • FIG. 1 is a block diagram of two datacenters that are communicatively coupled by an IPsec tunnel, according to some embodiments.
  • Datacenter 11 OA includes a datacenter (DC) gateway 120A and a server 130A.
  • the server 130A may host a VM 140A and a virtual switch 150A.
  • the VM 140A is assigned an Internet Protocol (IP) address of 10.1.1.1.
  • IP Internet Protocol
  • the VM is communicatively coupled to the virtual switch 150A and the virtual switch 150A is communicatively coupled to the DC gateway 120A.
  • a VxLAN tunnel 160A is established between virtual switch 150A and DC gateway 120A to allow traffic from VMl to be sent out of datacenter 110A.
  • the VxLAN tunnel endpoints for VxLAN tunnel 160 A are VTEP- IP1 and VTEP-DC1.
  • Datacenter 110B has a similar configuration as datacenter 110A.
  • Datacenter 110B includes a datacenter (DC) gateway 120B and a server 130B.
  • the server 130B may host a VM 140B and a virtual switch 150B.
  • the VM 140B is assigned an IP address of 10.1.1.2.
  • the VM is communicatively coupled to the virtual switch 150B and the virtual switch 150B is communicatively coupled to the DC gateway 120A.
  • a VxLAN tunnel 160B is established between virtual switch 150B and DC gateway 120B to allow traffic from VM 140B to be sent out of datacenter HOB.
  • the VxLAN tunnel endpoints for VxLAN tunnel 160B are VTEP-IP2 and VTEP-DC2.
  • DC gateway 120A is communicatively coupled to DC gateway 120B (e.g., over a shared or public network).
  • An IPsec tunnel 170 is established between DC gateway 120A and DC gateway 120B to enable VM 140A and VM 140B to communicate over a Virtual Private Network (VPN).
  • the DC gateways 120 may use an Internet Key Exchange (IKE) protocol to negotiate IPsec security associations with each other for the flow between VM 140A and VM140B and other flows.
  • IKE Internet Key Exchange
  • a flow refers to a set of packets whose headers match a given pattern of values and/or bits.
  • an IPsec security association is a relationship between two or more entities that describes how the entities will use security services to communicate securely.
  • An IPsec security association for a flow thus describes how that flow will be protected.
  • Each DC gateway 120 maintains an IPsec security association for each flow that is to be protected by IPsec.
  • the configuration of the datacenters shown in Fig. 1 is provided by way of example and not intended to be limiting. It should be understood that, in different embodiments, the datacenters can have different configurations.
  • IKE is typically divided into two phases. In phase 1, IKE creates an authenticated and secure channel between the two IKE peers. In phase 2, IKE negotiates the IPsec security associations and generates the required key material for IPsec. Security services may be afforded to an IPsec security association by the use of Authentication Header (AH) or
  • AH Authentication Header
  • ESP Encapsulation Security Pay load
  • Fig. 2 is a diagram illustrating IKE communications between IPsec devices, according to some embodiments.
  • IKE performs mutual authentication between two parties and establishes an IKE security association.
  • the IKE security association may specify a set of cryptographic algorithms to be used to protect traffic and shared secret information that can be used to efficiently establish child security associations (also referred to herein as IPsec security associations) for ESP or AH.
  • IPsec security associations also referred to herein as IPsec security associations
  • a pre-shared-key can be used for authentication.
  • certificates and a Diffie-Hellman key exchange can be used to set up a shared session secret from which cryptographic keys are derived.
  • IKE communications typically consist of a pair of messages: a request and a response.
  • the pair is referred to as an "exchange”, and is sometimes referred to as a "request/response pair".
  • the first two exchanges of messages for establishing an IKE security association are called the IKE_SA_INIT exchange and the IKE_AUTH exchange.
  • Subsequent IKE exchanges may include an exchange called a CREATE_CHILD_SA exchange and an exchange called an INFORMATIONAL exchange.
  • the IKE_SA_INIT exchange includes an IKE_SA_INIT request 250 and an IKE_SA_INIT response 255.
  • the IKE_SA_INIT exchange negotiates security parameters for the IKE security association.
  • the IKE_AUTH exchange includes an IKE_AUTH request 260 and an IKE_AUTH response 265.
  • IKE_AUTH exchange transmits identities, proves knowledge of the secrets corresponding to the two identities, and sets up an IPsec security association.
  • the CREATE_CHLID_SA exchange creates child security associations (e.g., if multiple IPsec security associations are configured under the same IKE end points).
  • the INFORMATIONAL exchange deletes an IPsec security association, reports error conditions, or performs other housekeeping tasks.
  • IPsec deployments typically rely on a single centralized physical VPN node (e.g., DC gateway 120, which functions as an IPsec device 210) to perform all of the IPsec related processing such as packet encryption and decryption.
  • DC gateway 120 which functions as an IPsec device 210
  • This deployment model increases the latency of traffic since traffic needs to be steered through the centralized node. Also, this deployment model limits the scalability for providing IPsec services since the centralized node has a finite amount of computing resources to perform IPsec related processing.
  • Embodiments disclosed herein overcome some of the disadvantages of the
  • IPsec device bypass a software defined networking (SDN) network that allows IPsec processing to be distributed across one or more IPsec processing modules. This allows some flows to bypass the IPsec device 210 (sometimes referred to herein as IPsec device bypass).
  • IPsec device bypass a software defined networking
  • the SDN controller also transmits an instruction to the switch to stop forwarding packets belonging to the flow to the IPsec device 210 and to start forwarding packets belonging to the flow to the IPsec processing module.
  • the SDN controller then transmits an indication to the IPsec device 210 that the flow is to bypass the IPsec device. In this way, IPsec processing for the flow is performed by the local IPsec processing module instead of the IPsec device 210, and the flow bypasses the IPsec device.
  • Other embodiments are described herein below.
  • Embodiments are based on the observation that once the IPsec device negotiates an IPsec security association for a flow, this IPsec security association is valid for a long period of time. Embodiments are further based on the observation that IPsec processing (e.g., packet encryption and decryption) need not be performed by the IPsec device itself, but can be offloaded to another entity (e.g., isolated software running on commercial off the shelf (COTS) hardware).
  • IPsec processing e.g., packet encryption and decryption
  • COTS commercial off the shelf
  • An advantage of the embodiments disclosed herein is that the computational load on the IPsec device 210 is reduced since IPsec processing can be distributed to one or more local IPsec processing modules. Another advantage of the embodiments disclosed herein is that IPsec processing scales better since more computational resources will be available for performing IPsec processing as the datacenter grows. Yet another advantage of the embodiments disclosed herein is that latency for traffic that requires IPsec processing is reduced and bandwidth to-and- from the IPsec device is reduced. Other advantages will be apparent from the disclosure provided herein.
  • Fig. 3 is a diagram illustrating packet processing operations in a network before IPsec device bypass for a flow is configured, according to some embodiments.
  • the network includes an SDN controller 320, a switch 330 that is managed by the SDN controller 320, and an IPsec device 210.
  • the SDN controller 320 manages the switch 330 over a southbound interface using OpenFlow or other type of southbound communications protocol.
  • the switch 330 is communicatively coupled to the IPsec device 210.
  • the IPsec device 210 is typically a device that implements IKE or a similar protocol to negotiate security associations for flows.
  • the switch 330 is a virtual switch 150 (e.g., an Open vSwitch).
  • the switch 330 is initially configured to forward packets belonging to the flow to the IPsec device 210 for IPsec processing (e.g., based on receiving traffic steering instructions 350 from SDN controller 320).
  • the switch 330 receives a packet belonging to the flow.
  • the switch 330 forwards the packet to the IPsec device 210 (e.g., according to traffic steering instructions 350).
  • the IPsec device 210 performs IPsec processing for the packet according to an IPsec security association for the flow.
  • the IPsec device 210 negotiates IPsec security associations for one or more flows with a peer IPsec device (e.g., using IKE).
  • the IPsec device 210 maintains an IPsec processing table that includes information regarding the negotiated IPsec security associations. Each entry in the IPsec processing table may identify the flow to be protected (e.g., encrypted/decrypted and authenticated), the security parameters, and key material.
  • the flow to be protected may be identified based on one or more attributes that identify the flow (e.g., source IP address, destination IP address, IPsec tunnel source, and IPsec tunnel destination).
  • the security parameters may indicate the security protocol to be used for encryption/decryption and authentication (e.g., AH or ESP).
  • the key material may indicate the security key material.
  • An exemplary IPsec processing table is shown in Table I.
  • the IPsec processing table includes columns for source, destination, security protocol, security parameters, key, tunnel source, and tunnel destination.
  • the source and destination column indicate the source and destination of the flow, respectively.
  • the security protocol column indicates the security protocol (e.g., AH or ESP).
  • the security parameters column indicates various security parameters (e.g., transport mode (e.g., transport or tunnel), encryption algorithm (e.g., Advanced Encryption Standard (AES)), and authentication algorithm (e.g., Hash-based Message Authentication Code MD5 (HMAC-MD5)).
  • the key column indicates the security key material (which is typically generated at runtime).
  • the tunnel source and tunnel destination column indicate the IPsec tunnel source and the IPsec tunnel destination, respectively.
  • the IPsec processing table is shown as including a single entry. It should be understood, however, that the IPsec processing table can include additional entries (e.g., for other flows).
  • Table I the entry in the IPsec processing table specifies an IPsec security association for a flow having source IP address of VM1-IP and destination IP address of VM2-IP.
  • the IPsec tunnel source is VTEP-IP1 and the IPsec tunnel destination is VTEP-IP2.
  • the security protocol is ESP.
  • the transport mode is tunnel, the encryption algorithm is AES, and the authentication algorithm is HMAC-MD5.
  • the security key material is "xxxxxx".
  • the IPsec processing table thus specifies how the IPsec device 210 should protect a particular flow.
  • the IPsec device 210 maintains a timeout timer for each flow that is to be protected with IPsec.
  • the IPsec device 210 may determine that a flow has timed out if the IPsec device does not receive a packet belonging to that flow for a period of time (e.g., for the length of the timeout timer). When the flow times out, the IPsec device 210 may delete the entry in the IPsec processing table corresponding to that flow.
  • the IPsec device 210 processes the packet according to the IPsec security association for the flow, at operation 4, the IPsec device 210 forwards the processed packet back to the switch 330. At operation 5, the switch 330 forwards the processed packet towards its destination.
  • Fig. 4 is a diagram illustrating operations for configuring IPsec device bypass for a flow in an SDN network, according to some embodiments.
  • the IPsec device 210 includes an IKE module 420 and a main IPsec processing module 410.
  • the IKE module may perform operations related to IKE protocol (e.g., IKEv2) such as negotiating an IPsec security association with a peer IPsec device.
  • the main IPsec processing module 410 may perform IPsec processing operations (e.g., packet encryption and decryption).
  • the IPsec device 210 is a DC gateway 120 in a datacenter 110.
  • the main IPsec processing module 410 of the IPsec device 210 performs IPsec processing for all flows that are to be protected with IPsec within its domain (e.g., flows between datacenter 110A and datacenter HOB).
  • embodiments may distribute the IPsec processing responsibilities to one or more local IPsec processing modules (e.g., local IPsec processing module 340), which allows a flow to bypass the IPsec device 210.
  • the IPsec device 210 negotiates the IPsec security association for the flow (e.g., using IKE)
  • the IPsec device 210 provides the IPsec security association for the flow to the SDN controller 320 (e.g., transmits the IPsec security association for the flow directly to the SDN controller 320 or otherwise makes the IPsec security association for the flow available to the SDN controller 320).
  • the SDN controller 320 transmits the IPsec security association for the flow to the local IPsec processing module 340 to configure the local IPsec processing module 340 to perform IPsec processing for the flow according to the IPsec security association for the flow.
  • the local IPsec processing module 340 may be implemented as a software application on COTS hardware (e.g., using Network
  • the SDN controller 320 transmits instructions to the switch 330 to stop forwarding packets belonging to the flow to the IPsec device 210 and to start forwarding packets belonging to the flow to the local IPsec processing module 340 (designated as "IPsec device bypass instructions").
  • IPsec device bypass instructions designated as "IPsec device bypass instructions”
  • the switch 330 transmits an indication to the SDN controller 320 that IPsec bypass for the flow has been configured (designated as "IPsec device bypass confirmation").
  • the SDN controller 320 transmits an indication to the IPsec device 210 that the flow is to bypass the IPsec device 210 (designated as "IPsec device bypass complete”).
  • IPsec device bypass confirmation an indication to the IPsec device 210 that the flow is to bypass the IPsec device 210
  • controller 320 may also transmit an indication of an identity of the switch 330 to the IPsec device 210.
  • the main IPsec processing module 410 of the IPsec device 210 disables timeout processing for the IPsec security association for the flow. This prevents the entry corresponding to the flow in the IPsec processing table from timing out prematurely while the flow bypasses the IPsec device 210.
  • the IPsec device 210 creates a mapping between the IPsec security association for the flow and the switch 330 (e.g., mapping between the Security Parameter Index (SPI) for the IPsec security association and the identity of the switch 330). This allows the IPsec device 210 to forward incoming encrypted packets (e.g., received from a peer IPsec device) to the correct switch 330 (e.g., based on the SPI carried in ESP header).
  • SPI Security Parameter Index
  • the local IPsec processing module 340 is "local" in the sense that it is in close proximity to the switch 330 and/or VM 140 that is the source or destination of the flow (e.g., closer to the switch 330 and/or VM 140 relative to the IPsec device 210).
  • the local IPsec processing module 340 and the switch 330 may be implemented on the same server 130.
  • the local IPsec processing module 340 and the switch 330 may be implemented on different servers 130 (e.g., local IPsec processing module 340 can be implemented as its own dedicated hardware device).
  • IPsec device bypass can be selectively configured for certain flows. For example, IPsec device bypass may be configured for a flow if the flow is an elephant flow (or is expected to be an elephant flow). Elephant flows are large flows with long durations (what is considered a large flow and a long duration can be defined by a network operator or other entity). In one embodiment, the IPsec device 210 provides an indication of the
  • IPsec device bypass may be configured for a flow if the flow has a high priority level (what is considered a high priority level can be defined by a network operator or other entity).
  • high priority flows are flows that require low latency (e.g., flows that carry voice data) or flows that belong to premium
  • the IPsec device 210 provides an indication of the priority level of the flow to the SDN controller 320 (e.g., together with the IPsec security association for the flow). Based on this indication, the SDN controller 320 can determine whether the flow should bypass the IPsec device 210 or not.
  • Fig. 5A is a diagram illustrating outgoing packet processing operations in a network after IPsec device bypass for a flow has been configured, according to some embodiments.
  • the switch 330 may have been previously configured to stop forwarding packets belonging to the flow to the IPsec device 210 and start forwarding packets belonging to the flow to the local IPsec processing module 340 (e.g., based on receiving IPsec device bypass instructions 510).
  • the switch 330 receives a packet belonging to the flow.
  • the switch 330 forwards the packet to the local IPsec processing module 340 for IPsec processing.
  • the local IPsec processing module 340 processes the packet (e.g., according to the IPsec security association for the flow), at operation 3, the local IPsec processing module 340 forwards the processed packet back to the switch 330. At operation 4, the switch 330 forwards the processed packet towards its destination. As a result, the packet bypasses the IPsec device 210.
  • Fig. 5B is a diagram illustrating incoming packet processing operations in a network after IPsec device bypass for a flow has been configured, according to some embodiments.
  • the IPsec device 210 may have previously created a mapping between an IPsec security association for the flow and the switch 330 (e.g., based on receiving an indication of an identity of the switch 330 from SDN controller 320).
  • the IPsec device 210 receives an encrypted packet (e.g., ESP packet).
  • the IPsec device 210 may determine that the encrypted packet is to be forwarded to the switch 330 based on the mapping between the IPsec security association for the flow and the switch 330 (e.g., based on SPI indicated in the ESP packet).
  • the IPsec device 210 forwards the encrypted packet to the switch 330.
  • the switch 330 forwards the encrypted packet to the local IPsec processing module 340 for IPsec processing.
  • the local IPsec processing module 340 processes the packet (e.g., decrypts the packet)
  • the local IPsec processing module 340 forwards the processed packet back to the switch 330.
  • the switch 330 forwards the processed packet towards its destination.
  • Fig. 6 is a diagram illustrating operations for handling termination of a flow, according to some embodiments.
  • the switch 330 transmits an indication to the SDN controller 320 that the flow has terminated.
  • the switch 330 may have determined that the flow has terminated based on a determination that the flow entry for the flow has timed out (e.g., due to no packets matching the flow entry for a period of time).
  • the SDN controller 320 transmits an instruction to the switch 330 to remove or undo configurations related to IPsec device bypass for the flow (designated as "remove IPsec device bypass").
  • the SDN controller 320 transmits an instruction to the local IPsec processing module 340 to remove or undo
  • the SDN controller 320 transmits an indication to the IPsec device 210 that the flow has been terminated (designated as "flow terminated").
  • the IKE module 420 of the IPsec device 210 may indicate to a peer IPsec device that the IPsec security association for the flow should be deleted.
  • the main IPsec processing module 410 of the IPsec device 210 deletes the IPsec security association for the flow (e.g., deletes the corresponding entry in the IPsec processing table).
  • Fig. 7 is a diagram illustrating operations for handling an update to an IPsec security association for a flow, according to some embodiments.
  • the IPsec security association can be updated at the IKE protocol level (e.g., rekey or re-authentication).
  • the IKE module 420 of the IPsec device 210 determines that the IPsec security association for the flow needs to be updated, at operation 1, the IKE module 420 provides an update to the IPsec security association for the flow (e.g., rekey) to the main IPsec processing module 410 of the IPsec device 210.
  • the IPsec device 210 provides the update to the IPsec security association for the flow to the SDN controller 320.
  • the SDN controller 320 transmits the update to the IPsec security association for the flow to the local IPsec processing module 340 to configure the local IPsec processing module 340 to perform IPsec processing for the flow according to the update to the IPsec security association for the flow.
  • Fig. 8 is a diagram illustrating operations for handling deletion of an IPsec security association for a flow, according to some embodiments.
  • the IKE module 420 of the IPsec device 210 provides an indication to the main IPsec processing module 410 of the IPsec device 210 to delete the IPsec security association for the flow.
  • the IPsec device 210 then provides an indication to the SDN controller 320 that the IPsec security association for the flow has been deleted (designated as "delete IPsec security association").
  • the SDN controller 320 transmits an instruction to the switch 330 to remove configurations related to IPsec device bypass for the flow (designated as "remove IPsec device bypass”).
  • the SDN controller 320 transmits an instruction to the local IPsec processing module 340 to remove or undo configurations related to the IPsec security association for the flow (designated as "remove configuration").
  • Fig. 9 is a flow diagram of a process performed by an SDN controller for implementing IPsec device bypass in an SDN network, according to some embodiments.
  • the SDN controller 320 is communicatively coupled to a switch 330 and an IPsec device 210.
  • the SDN controller 320 manages the switch 330.
  • the SDN controller 320 and the switch 330 communicate using OpenFlow or other type of southbound communications protocol.
  • the process is initiated when the SDN controller 320 obtains an IPsec security association for a flow (block 910).
  • the IPsec security association for the flow may have been negotiated by the IPsec device 210.
  • the IPsec security association for the flow is obtained from the IPsec device 210.
  • the IPsec security association for the flow specifies one or more attributes that identify the flow.
  • the IPsec security association for the flow specifies a security protocol to be used for encryption/decryption and/or authentication, a key to be used for encryption, and one or more security parameters.
  • the SDN controller 320 transmits the IPsec security association for the flow to an IPsec processing module 340 that is local to the switch 330 (e.g., local IPsec processing module 340) to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow
  • the SDN controller 320 transmits instructions to the switch 330 to stop forwarding packets belonging to the flow to the IPsec device 210 and to start forwarding packets belonging to the flow to the IPsec processing module (block 930).
  • the SDN controller 320 then transmits an indication to the IPsec device 210 that the flow is to bypass the IPsec device 210 (block 940).
  • the SDN controller 320 also transmits an indication of an identity of the switch 330 to the IPsec device 210 (block 950). This allows the IPsec device 210 to forward incoming encrypted packets (e.g., received from a peer IPsec device) to the correct switch 330 (e.g., based on the SPI carried in ESP header).
  • the SDN controller 320 receives an indication from the switch 330 that the flow has terminated. In response, the SDN controller 320 may transmit an instruction to the switch 330 to remove configurations related to IPsec device bypass for the flow and transmit instructions to the IPsec processing module 340 to remove configurations related to the IPsec security association for the flow. The SDN controller 320 may then transmit an indication to the IPsec device 210 that the flow has terminated.
  • the SDN controller 320 obtains an update to the IPsec security association for the flow.
  • the update to the IPsec security association for the flow is obtained from the IPsec device 210.
  • the SDN controller 320 may transmit the update to the IPsec security association for the flow to the IPsec processing module 340 to configure the IPsec processing module 340 to perform IPsec processing for packets belonging to the flow according to the update to the IPsec security association for the flow.
  • the SDN controller 320 obtains an indication that the IPsec security association for the flow has been deleted.
  • the indication that the IPsec security association for the flow has been deleted is obtained from the IPsec device 210.
  • the SDN controller 320 may transmit an instruction to the switch 330 to remove configurations related to IPsec device bypass for the flow and transmit an instruction to the IPsec processing module 340 to remove configurations related to the IPsec security association for the flow.
  • Fig. 10 is a flow diagram of a process performed by an IPsec device for implementing IPsec device bypass in an SDN network, according to some embodiments.
  • the IPsec device 210 is communicatively coupled to an SDN controller 320.
  • the SDN controller 320 In one embodiment, the IPsec device 210 is communicatively coupled to an SDN controller 320.
  • the IPsec device 210 is a DC gateway 120 in a datacenter 110.
  • the process is initiated when the IPsec device 210 negotiates an IPsec security association for a flow with a peer IPsec device (block 1010).
  • the IPsec device 210 then provides the IPsec security association for the flow to the SDN controller 320 (block 1020).
  • the IPsec device 210 provides the IPsec security association for the flow to the SDN controller 320 by transmitting the IPsec security association for the flow directly to the SDN controller 320.
  • the IPsec device 210 provides the IPsec security association for the flow to the SDN controller 320 by storing/publishing the IPsec security association for the flow at a location that the SDN controller 320 can access.
  • the SDN controller 320 may then retrieve/pull the IPsec security association for the flow from that location (e.g., the location could be at the IPsec device 210 itself or at a separate
  • the IPsec device 210 may receive an indication from the SDN controller 320 that the flow is to bypass the IPsec device 210 and an indication of an identity of a switch 330 (e.g., that is to handle incoming encrypted packets) (block 1030).
  • the IPsec device 210 disables timeout processing for the IPsec security association for the flow (block 1040) and creates a mapping between the IPsec security association for the flow (e.g., SPI) and the switch 330 (e.g., switch ID) (block 1050).
  • the IPsec device 210 may receive an encrypted packet (e.g., from a peer IPsec device) (block 1060).
  • the encrypted packet may be encapsulated with a header that indicates the IPsec security association that was used to encrypt the packet (e.g., SPI).
  • the IPsec device 210 determines, based on the previously created mapping, the switch 330 that is mapped to the IPsec security association that was used to encrypt the encrypted packet
  • Fig. 11 is a flow diagram of a process performed by a switch for implementing IPsec device bypass in an SDN network, according to some embodiments.
  • the switch 330 is managed by an SDN controller 320 in the SDN network.
  • the SDN controller 320 and the switch 330 communicate using OpenFlow or other type of southbound communications protocol.
  • the process is initiated when the switch 330 receives instructions from an SDN controller 320 to stop forwarding packets belonging to the flow to an IPsec device 210 and to start forwarding packets belonging to the flow to an IPsec processing module 340 that is local to the switch 330 (block 1110).
  • the switch 330 may then configure its packet processing pipeline according to the instructions (e.g., flow modification messages) received from the SDN controller 320.
  • the switch 330 may then receive a packet belonging to the flow (block 1120).
  • the switch 330 forward the packet to the IPsec processing module according to the instructions received from the SDN controller 320 (block 1130).
  • the switch 330 may receive the packet from the IPsec processing module (after the packet has been processed by the IPsec processing module 340) (block 1140).
  • the switch 330 then forward the (processed) packet towards its destination (block 1150).
  • Figure 12A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some embodiments of the invention.
  • Figure 12A shows NDs 1200A-H, and their connectivity by way of lines between 1200A-1200B, 1200B-1200C, 1200C-1200D, 1200D-1200E, 1200E-1200F, 1200F-1200G, and 1200A-1200G, as well as between 1200H and each of 1200A, 1200C, 1200D, and 1200G.
  • These NDs are physical devices, and the connectivity between these NDs can be wireless or wired (often referred to as a link).
  • An additional line extending from
  • NDs 1200A, 1200E, and 1200F illustrates that these NDs act as ingress and egress points for the network (and thus, these NDs are sometimes referred to as edge NDs; while the other NDs may be called core NDs).
  • Two of the exemplary ND implementations in Figure 12A are: 1) a special-purpose network device 1202 that uses custom application-specific integrated-circuits (ASICs) and a special-purpose operating system (OS); and 2) a general purpose network device 1204 that uses common off-the-shelf (COTS) processors and a standard OS.
  • ASICs application-specific integrated-circuits
  • OS special-purpose operating system
  • COTS common off-the-shelf
  • the special-purpose network device 1202 includes networking hardware 1210 comprising a set of one or more processor(s) 1212, forwarding resource(s) 1214 (which typically include one or more ASICs and/or network processors), and physical network interfaces (NIs) 1216 (through which network connections are made, such as those shown by the connectivity between NDs 1200A-H), as well as non-transitory machine readable storage media 1218 having stored therein networking software 1220.
  • the networking software 1220 may be executed by the networking hardware 1210 to instantiate a set of one or more networking software instance(s) 1222.
  • Each of the networking software instance(s) 1222, and that part of the networking hardware 1210 that executes that network software instance form a separate virtual network element 1230A-R.
  • Each of the virtual network element(s) (VNEs) 1230A-R includes a control communication and configuration module 1232A-R (sometimes referred to as a local control module or control communication module) and forwarding table(s) 1234A-R, such that a given virtual network element
  • control communication and configuration module e.g., 1232A
  • set of one or more forwarding table(s) e.g., 1234A
  • Software 1220 can include code such as IPsec device bypass component 1225, which when executed by networking hardware 1210, causes the special-purpose network device 1202 to perform operations of one or more embodiments described herein above as part networking software instances 1222.
  • the special-purpose network device 1202 is often physically and/or logically considered to include: 1) a ND control plane 1224 (sometimes referred to as a control plane) comprising the processor(s) 1212 that execute the control communication and configuration module(s) 1232A-R; and 2) a ND forwarding plane 1226 (sometimes referred to as a forwarding plane, a data plane, or a media plane) comprising the forwarding resource(s) 1214 that utilize the forwarding table(s) 1234A-R and the physical NIs 1216.
  • a ND control plane 1224 (sometimes referred to as a control plane) comprising the processor(s) 1212 that execute the control communication and configuration module(s) 1232A-R
  • a ND forwarding plane 1226 sometimes referred to as a forwarding plane, a data plane, or a media plane) comprising the forwarding resource(s) 1214 that utilize the forwarding table(s) 1234A-R and the physical NIs 1216.
  • the ND is
  • processor(s) 1212 executing the control communication and configuration module(s) 1232A-R) is typically responsible for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) and storing that routing information in the forwarding table(s) 1234A-R, and the ND forwarding plane 1226 is responsible for receiving that data on the physical NIs 1216 and forwarding that data out the appropriate ones of the physical NIs 1216 based on the forwarding table(s) 1234A-R.
  • data e.g., packets
  • the ND forwarding plane 1226 is responsible for receiving that data on the physical NIs 1216 and forwarding that data out the appropriate ones of the physical NIs 1216 based on the forwarding table(s) 1234A-R.
  • Figure 12B illustrates an exemplary way to implement the special-purpose network device 1202 according to some embodiments of the invention.
  • Figure 12B shows a special- purpose network device including cards 1238 (typically hot pluggable). While in some embodiments the cards 1238 are of two types (one or more that operate as the ND forwarding plane 1226 (sometimes called line cards), and one or more that operate to implement the ND control plane 1224 (sometimes called control cards)), alternative embodiments may combine functionality onto a single card and/or include additional card types (e.g., one additional type of card is called a service card, resource card, or multi-application card).
  • additional card types e.g., one additional type of card is called a service card, resource card, or multi-application card.
  • a service card can provide specialized processing (e.g., Layer 4 to Layer 7 services (e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer-to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)).
  • Layer 4 to Layer 7 services e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer-to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)
  • GPRS General Pack
  • the general purpose network device 1204 includes hardware 1240 comprising a set of one or more processor(s) 1242 (which are often COTS processors) and physical NIs 1246, as well as non-transitory machine readable storage media 1248 having stored therein software 1250.
  • the processor(s) 1242 execute the software 1250 to instantiate one or more sets of one or more applications 1264A-R. While one embodiment does not implement virtualization, alternative embodiments may use different forms of virtualization.
  • the virtualization layer 1254 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 1262A-R called software containers that may each be used to execute one (or more) of the sets of
  • the virtualization layer 1254 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and each of the sets of applications 1264A-R is run on top of a guest operating system within an
  • instance 1262A-R called a virtual machine (which may in some cases be considered a tightly isolated form of software container) that is run on top of the hypervisor - the guest operating system and application may not know they are running on a virtual machine as opposed to running on a "bare metal" host electronic device, or through para- virtualization the operating system and/or application may be aware of the presence of virtualization for optimization purposes.
  • one, some or all of the applications are implemented as unikernel(s), which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including
  • unikernel can be implemented to run directly on hardware 1240, directly on a hypervisor (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container
  • embodiments can be implemented fully with unikernels running directly on a hypervisor represented by virtualization layer 1254, unikernels running within software containers represented by instances 1262A-R, or as a combination of unikernels and the above-described techniques (e.g., unikernels and virtual machines both run directly on a hypervisor, unikernels and sets of applications that are run in different software containers).
  • the instantiation of the one or more sets of one or more applications 1264A-R, as well as virtualization if implemented, are collectively referred to as software instance(s) 1252.
  • the virtual network element(s) 1260A-R perform similar functionality to the virtual network element(s) 1230A-R - e.g., similar to the control communication and configuration module(s) 1232A and forwarding table(s) 1234A (this virtualization of the hardware 1240 is sometimes referred to as network function virtualization (NFV)).
  • NFV network function virtualization
  • CPE customer premise equipment
  • each instance 1262A-R corresponding to one VNE 1260A-R
  • alternative embodiments may implement this correspondence at a finer level granularity (e.g., line card virtual machines virtualize line cards, control card virtual machine virtualize control cards, etc.); it should be understood that the techniques described herein with reference to a correspondence of instances 1262A-R to VNEs also apply to embodiments where such a finer level of granularity and/or unikernels are used.
  • the virtualization layer 1254 includes a virtual switch that provides similar forwarding services as a physical Ethernet switch. Specifically, this virtual switch forwards traffic between instances 1262A-R and the physical NI(s) 1246, as well as optionally between the instances 1262A-R; in addition, this virtual switch may enforce network isolation between the VNEs 1260A-R that by policy are not permitted to communicate with each other (e.g., by honoring virtual local area networks (VLANs)).
  • VLANs virtual local area networks
  • Software 1250 can include code such as IPsec device bypass component 1263, which when executed by processor(s) 1242, cause the general purpose network device 1204 to perform operations of one or more embodiments descried herein above as part software instances 1262A-R.
  • code such as IPsec device bypass component 1263, which when executed by processor(s) 1242, cause the general purpose network device 1204 to perform operations of one or more embodiments descried herein above as part software instances 1262A-R.
  • the third exemplary ND implementation in Figure 12A is a hybrid network
  • a platform VM i.e., a VM that that implements the
  • functionality of the special-purpose network device 1202) could provide for para- virtualization to the networking hardware present in the hybrid network device 1206.
  • NE network element
  • each of the VNEs receives data on the physical NIs (e.g., 1216, 1246) and forwards that data out the appropriate ones of the physical NIs (e.g., 1216, 1246).
  • a VNE implementing IP router functionality forwards IP packets on the basis of some of the IP header information in the IP packet; where IP header information includes source IP address, destination IP address, source port, destination port (where "source port" and
  • FIG. 12C illustrates various exemplary ways in which VNEs may be coupled according to some embodiments of the invention.
  • Figure 12C shows VNEs 1270A.1-1270A.P (and optionally VNEs 1270A.Q-1270A.R) implemented in ND 1200A and VNE 1270H.1 in ND 1200H.
  • VNEs 1270A.1-P are separate from each other in the sense that they can receive packets from outside ND 1200A and forward packets outside of ND 1200A;
  • VNE 1270A.1 is coupled with VNE 1270H.1, and thus they communicate packets between their respective NDs; VNE 1270A.2-1270A.3 may optionally forward packets between themselves without forwarding them outside of the ND 1200A; and VNE 1270A.P may optionally be the first in a chain of VNEs that includes VNE 1270A.Q followed by VNE 1270A.R (this is sometimes referred to as dynamic service chaining, where each of the VNEs in the series of VNEs provides a different service - e.g., one or more layer 4-7 network services). While Figure 12C illustrates various exemplary relationships between the VNEs, alternative embodiments may support other relationships (e.g., more/fewer VNEs, more/fewer dynamic service chains, multiple different dynamic service chains with some common VNEs and some different VNEs).
  • the NDs of Figure 12A may form part of the Internet or a private network; and other electronic devices (not shown; such as end user devices including
  • VOIP Voice Over Internet Protocol
  • terminals portable media players
  • GPS units portable media players
  • wearable devices gaming systems, set-top boxes, Internet enabled household appliances
  • the network may be coupled to the network (directly or through other networks such as access networks) to communicate over the network (e.g., the Internet or virtual private networks (VPNs) overlaid on (e.g., tunneled through) the Internet) with each other (directly or through servers) and/or access content and/or services.
  • VPNs virtual private networks
  • Such content and/or services are typically provided by one or more servers (not shown) belonging to a service/content provider or one or more end user devices (not shown) participating in a peer-to-peer (P2P) service, and may include, for example, public webpages (e.g., free content, store fronts, search services), private webpages (e.g., username/password accessed webpages providing email services), and/or corporate networks over VPNs.
  • end user devices may be coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)) to edge NDs, which are coupled (e.g., through one or more core NDs) to other edge NDs, which are coupled to electronic devices acting as servers.
  • one or more of the electronic devices operating as the NDs in Figure 12A may also host one or more such servers (e.g., in the case of the general purpose network device 1204, one or more of the software instances 1262A-R may operate as servers; the same would be true for the hybrid network device 1206; in the case of the special-purpose network device 1202, one or more such servers could also be run on a virtualization layer executed by the processor(s) 1212); in which case the servers are said to be co-located with the VNEs of that ND.
  • the servers are said to be co-located with the VNEs of that ND.
  • a virtual network is a logical abstraction of a physical network (such as that in Figure 12A) that provides network services (e.g., L2 and/or L3 services).
  • a virtual network can be implemented as an overlay network (sometimes referred to as a network virtualization overlay) that provides network services (e.g., layer 2 (L2, data link layer) and/or layer 3 (L3, network layer) services) over an underlay network (e.g., an L3 network, such as an Internet Protocol (IP) network that uses tunnels (e.g., generic routing encapsulation (GRE), layer 2 tunneling protocol (L2TP), IPSec) to create the overlay network).
  • IP Internet Protocol
  • a network virtualization edge sits at the edge of the underlay network and participates in implementing the network virtualization; the network-facing side of the NVE uses the underlay network to tunnel frames to and from other NVEs; the outward-facing side of the NVE sends and receives data to and from systems outside the network.
  • a virtual network instance is a specific instance of a virtual network on a NVE (e.g., a NE/VNE on an ND, a part of a NE/VNE on a ND where that NE/VNE is divided into multiple VNEs through emulation); one or more VNIs can be instantiated on an NVE (e.g., as different VNEs on an ND).
  • a virtual access point is a logical connection point on the NVE for connecting external systems to a virtual network; a VAP can be physical or virtual ports identified through logical interface identifiers (e.g., a VLAN ID).
  • Examples of network services include: 1) an Ethernet LAN emulation service (an Ethernet-based multipoint service similar to an Internet Engineering Task Force (IETF) Multiprotocol Label Switching (MPLS) or Ethernet VPN (EVPN) service) in which external systems are interconnected across the network by a LAN environment over the underlay network (e.g., an NVE provides separate L2 VNIs (virtual switching instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network); and 2) a virtualized IP forwarding service (similar to IETF IP VPN (e.g., Border Gateway Protocol (BGP)/MPLS IP VPN) from a service definition perspective) in which external systems are interconnected across the network by an L3 environment over the underlay network (e.g., an NVE provides separate L3 VNIs (forwarding and routing instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network)).
  • Network services may also include quality of service capabilities (e.g., traffic classification marking, traffic conditioning and scheduling), security capabilities (e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements), and management capabilities (e.g., full detection and processing).
  • quality of service capabilities e.g., traffic classification marking, traffic conditioning and scheduling
  • security capabilities e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements
  • management capabilities e.g., full detection and processing.
  • Fig. 12D illustrates a network with a single network element on each of the NDs of Figure 12A, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention.
  • Figure 12D illustrates network elements
  • Figure 12D illustrates that the distributed approach 1272 distributes responsibility for generating the reachability and forwarding information across the NEs 1270A-H; in other words, the process of neighbor discovery and topology discovery is distributed.
  • the control communication and configuration module(s) 1232A-R of the ND control plane 1224 typically include a reachability and forwarding information module to implement one or more routing protocols (e.g., an exterior gateway protocol such as Border Gateway Protocol (BGP), Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Routing Information Protocol (RIP), Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP) (including RS VP-Traffic Engineering (TE): Extensions to RSVP for LSP Tunnels and Generalized Multi-Protocol Label Switching
  • Border Gateway Protocol BGP
  • IGP Interior Gateway Protocol
  • OSPF Open Shortest Path First
  • IS-IS Intermediate System to Intermediate System
  • RIP Routing Information Protocol
  • LDP Label Distribution Protocol
  • RSVP Resource Reservation Protocol
  • TE Extensions to RSVP for LSP Tunnels and Generalized Multi-Protocol Label Switching
  • the NEs 1270A-H e.g., the processor(s) 1212 executing the control communication and configuration module(s) 1232A-R
  • the NEs 1270A-H perform their responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by
  • Routes and adjacencies are stored in one or more routing structures (e.g., Routing Information Base (RIB), Label Information Base (LIB), one or more adjacency structures) on the ND control plane 1224.
  • the ND control plane 1224 programs the ND forwarding plane 1226 with information (e.g., adjacency and route information) based on the routing structure(s).
  • the ND control plane 1224 programs the adjacency and route information into one or more forwarding table(s) 1234A-R (e.g., Forwarding Information Base (FIB), Label Forwarding Information Base (LFIB), and one or more adjacency structures) on the ND forwarding plane 1226.
  • the ND can store one or more bridging tables that are used to forward data based on the layer 2 information in that data. While the above example uses the special-purpose network device 1202, the same distributed
  • FIG. 12D illustrates that a centralized approach 1274 (also known as software defined networking (SDN)) that decouples the system that makes decisions about where traffic is sent from the underlying systems that forwards traffic to the selected destination.
  • SDN software defined networking
  • the illustrated centralized approach 1274 has the responsibility for the generation of reachability and forwarding information in a centralized control plane 1276 (sometimes referred to as a SDN control module, controller, network controller, OpenFlow controller, SDN controller, control plane node, network virtualization authority, or management control entity), and thus the process of neighbor discovery and topology discovery is centralized.
  • SDN software defined networking
  • the centralized control plane 1276 has a south bound interface 1282 with a data plane 1280 (sometime referred to the infrastructure layer, network forwarding plane, or forwarding plane (which should not be confused with a ND forwarding plane)) that includes the NEs 1270A-H (sometimes referred to as switches, forwarding elements, data plane elements, or nodes).
  • the centralized control plane 1276 includes a network controller 1278, which includes a centralized reachability and forwarding information module 1279 that determines the reachability within the network and distributes the forwarding information to the NEs 1270A-H of the data plane 1280 over the south bound interface 1282 (which may use the OpenFlow protocol).
  • the network intelligence is centralized in the centralized control plane 1276 executing on electronic devices that are typically separate from the NDs.
  • the network controller 1278 may include an IPsec device bypass component 1281 that when executed by the network controller 1278, causes the network controller 1278 to perform operations of one or more embodiments described herein above.
  • each of the control communication and configuration module(s) 1232A-R of the ND control plane 1224 typically include a control agent that provides the VNE side of the south bound interface 1282.
  • the ND control plane 1224 (the processor(s) 1212 executing the control communication and configuration module(s) 1232A-R) performs its responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) through the control agent communicating with the centralized control plane 1276 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 1279 (it should be understood that in some embodiments of the invention, the control communication and configuration module(s) 1232A-R, in addition to communicating with the centralized control plane 1276, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach; such embodiments are generally considered to fall under the centralized approach 1274, but may also be considered a hybrid approach).
  • data e.g., packets
  • the control agent communicating with the centralized control plane 1276 to receive the forwarding
  • the same centralized approach 1274 can be implemented with the general purpose network device 1204 (e.g., each of the VNE 1260A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by communicating with the centralized control plane 1276 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 1279; it should be understood that in some embodiments of the invention, the VNEs 1260A-R, in addition to communicating with the centralized control plane 1276, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach) and the hybrid network device 1206.
  • the general purpose network device 1204 e.g., each of the VNE 1260A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for
  • NFV is able to support SDN by providing an infrastructure upon which the SDN software can be run
  • NFV and SDN both aim to make use of commodity server hardware and physical switches.
  • Figure 12D also shows that the centralized control plane 1276 has a north bound interface 1284 to an application layer 1286, in which resides application(s) 1288.
  • the centralized control plane 1276 has the ability to form virtual networks 1292 (sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 1270A-H of the data plane 1280 being the underlay network)) for the application(s) 1288.
  • virtual networks 1292 sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 1270A-H of the data plane 1280 being the underlay network)
  • the centralized control plane 1276 maintains a global view of all NDs and configured NEs/VNEs, and it maps the virtual networks to the underlying NDs efficiently (including maintaining these mappings as the physical network changes either through hardware (ND, link, or ND
  • Figure 12D shows the distributed approach 1272 separate from the centralized approach 1274
  • the effort of network control may be distributed differently or the two combined in certain embodiments of the invention.
  • embodiments may generally use the centralized approach (SDN) 1274, but have certain functions delegated to the NEs (e.g., the distributed approach may be used to implement one or more of fault monitoring, performance monitoring, protection switching, and primitives for neighbor and/or topology discovery); or 2) embodiments of the invention may perform neighbor discovery and topology discovery via both the centralized control plane and the distributed protocols, and the results compared to raise exceptions where they do not agree.
  • SDN centralized approach
  • Such embodiments are generally considered to fall under the centralized approach 1274, but may also be considered a hybrid approach.
  • Figure 12D illustrates the simple case where each of the NDs 1200A-H implements a single NE 1270A-H
  • the network control approaches described with reference to Figure 12D also work for networks where one or more of the NDs 1200A-H implement multiple VNEs (e.g., VNEs 1230A-R, VNEs 1260A-R, those in the hybrid network device 1206).
  • the network controller 1278 may also emulate the implementation of multiple VNEs in a single ND.
  • the network controller 1278 may present the implementation of a VNE/NE in a single ND as multiple VNEs in the virtual networks 1292 (all in the same one of the virtual network(s) 1292, each in different ones of the virtual network(s) 1292, or some combination).
  • the network controller 1278 may cause an ND to implement a single VNE (a NE) in the underlay network, and then logically divide up the resources of that NE within the centralized control plane 1276 to present different VNEs in the virtual network(s) 1292 (where these different VNEs in the overlay networks are sharing the resources of the single VNE/NE implementation on the ND in the underlay network).
  • Figures 12E and 12F respectively illustrate exemplary abstractions of NEs and VNEs that the network controller 1278 may present as part of different ones of the virtual networks 1292.
  • Figure 12E illustrates the simple case of where each of the NDs 1200A- H implements a single NE 1270A-H (see Figure 12D), but the centralized control plane 1276 has abstracted multiple of the NEs in different NDs (the NEs 1270A-C and G-H) into (to represent) a single NE 12701 in one of the virtual network(s) 1292 of Figure 12D, according to some embodiments of the invention.
  • Figure 12E shows that in this virtual network, the
  • NE 12701 is coupled to NE 1270D and 1270F, which are both still coupled to NE 1270E.
  • Figure 12F illustrates a case where multiple VNEs (VNE 1270A.1 and VNE 1270H.1) are implemented on different NDs (ND 1200 A and ND 1200H) and are coupled to each other, and where the centralized control plane 1276 has abstracted these multiple VNEs such that they appear as a single VNE 1270T within one of the virtual networks 1292 of Figure 12D, according to some embodiments of the invention.
  • the abstraction of a NE or VNE can span multiple NDs.
  • the electronic device(s) running the centralized control plane 1276 may be implemented a variety of ways (e.g., a special purpose device, a general-purpose (e.g., COTS) device, or hybrid device). These electronic device(s) would similarly include processor(s), a set or one or more physical NIs, and a non-transitory machine-readable storage medium having stored thereon the centralized control plane software.
  • Figure 13 illustrates, a general purpose control plane device 1304 including hardware 1340 comprising a set of one or more processor(s) 1342 (which are often COTS processors) and physical NIs 1346, as well as non-transitory machine readable storage media 1348 having stored therein centralized control plane (CCP) software 1350 and an IPsec device bypass component 1351.
  • processor(s) 1342 which are often COTS processors
  • NIs 1346 physical NIs 1346
  • CCP centralized control plane
  • the processor(s) 1342 typically execute software to instantiate a virtualization layer 1354 (e.g., in one embodiment the virtualization layer 1354 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 1362A-R called software containers (representing separate user spaces and also called virtualization engines, virtual private servers, or jails) that may each be used to execute a set of one or more
  • a virtualization layer 1354 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 1362A-R called software containers (representing separate user spaces and also called virtualization engines, virtual private servers, or jails) that may each be used to execute a set of one or more
  • the virtualization layer 1354 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and an application is run on top of a guest operating system within an instance 1362A-R called a virtual machine (which in some cases may be considered a tightly isolated form of software container) that is run by the hypervisor ;
  • an application is implemented as a unikernel, which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including drivers/libraries of OS services) that provide the particular OS services needed by the application, and the unikernel can run directly on hardware 1340, directly on a hypervisor represented by virtualization layer 1354 (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container represented by one of instances 1362A-R).
  • LibOS library operating system
  • CCP instance 1376A an instance of the CCP software 1350 (illustrated as CCP instance 1376A) is executed (e.g., within the instance 1362A) on the virtualization layer 1354.
  • CCP instance 1376A is executed, as a unikernel or on top of a host operating system, on the "bare metal" general purpose control plane device 1304. The instantiation of the CCP instance 1376A, as well as the virtualization layer 1354 and
  • instances 1362A-R if implemented, are collectively referred to as software instance(s) 1352.
  • the CCP instance 1376A includes a network controller instance 1378.
  • the network controller instance 1378 includes a centralized reachability and forwarding information module instance 1379 (which is a middleware layer providing the context of the network controller 1278 to the operating system and communicating with the various NEs), and an CCP application layer 1380 (sometimes referred to as an application layer) over the middleware layer (providing the intelligence required for various network operations such as protocols, network situational awareness, and user - interfaces).
  • this CCP application layer 1380 within the centralized control plane 1276 works with virtual network view(s) (logical view(s) of the network) and the middleware layer provides the conversion from the virtual networks to the physical view.
  • the IPsec device bypass component 1351 can be executed by hardware 1340 to perform operations of one or more embodiments described herein above as part of software instances 1352.
  • the centralized control plane 1276 transmits relevant messages to the data plane 1280 based on CCP application layer 1380 calculations and middleware layer mapping for each flow.
  • a flow may be defined as a set of packets whose headers match a given pattern of bits; in this sense, traditional IP forwarding is also flow-based forwarding where the flows are defined by the destination IP address for example; however, in other implementations, the given pattern of bits used for a flow definition may include more fields (e.g., 10 or more) in the packet headers.
  • Different NDs/NEs/VNEs of the data plane 1280 may receive different messages, and thus different forwarding information.
  • the data plane 1280 processes these messages and programs the appropriate flow information and corresponding actions in the forwarding tables (sometime referred to as flow tables) of the appropriate NE/VNEs, and then the NEs/VNEs map incoming packets to flows represented in the forwarding tables and forward packets based on the matches in the forwarding tables.
  • Standards such as OpenFlow define the protocols used for the messages, as well as a model for processing the packets.
  • the model for processing packets includes header parsing, packet classification, and making forwarding decisions. Header parsing describes how to interpret a packet based upon a well-known set of protocols. Some protocol fields are used to build a match structure (or key) that will be used in packet classification (e.g., a first key field could be a source media access control (MAC) address, and a second key field could be a destination MAC address).
  • MAC media access control
  • Packet classification involves executing a lookup in memory to classify the packet by determining which entry (also referred to as a forwarding table entry or flow entry) in the forwarding tables best matches the packet based upon the match structure, or key, of the forwarding table entries. It is possible that many flows represented in the forwarding table entries can correspond/match to a packet; in this case the system is typically configured to determine one forwarding table entry from the many according to a defined scheme (e.g., selecting a first forwarding table entry that is matched).
  • Forwarding table entries include both a specific set of match criteria (a set of values or wildcards, or an indication of what portions of a packet should be compared to a particular value/values/wildcards, as defined by the matching capabilities - for specific fields in the packet header, or for some other packet content), and a set of one or more actions for the data plane to take on receiving a matching packet. For example, an action may be to push a header onto the packet, for the packet using a particular port, flood the packet, or simply drop the packet.
  • TCP transmission control protocol
  • an unknown packet for example, a "missed packet” or a "match- miss” as used in OpenFlow parlance
  • the packet (or a subset of the packet header and content) is typically forwarded to the centralized control plane 1276.
  • the centralized control plane 1276 will then program forwarding table entries into the data plane 1280 to accommodate packets belonging to the flow of the unknown packet. Once a specific forwarding table entry has been programmed into the data plane 1280 by the centralized control plane 1276, the next packet with matching credentials will match that forwarding table entry and take the set of actions associated with that matched entry.
  • a network interface may be physical or virtual; and in the context of IP, an interface address is an IP address assigned to a NI, be it a physical NI or virtual NI.
  • a virtual NI may be associated with a physical NI, with another virtual interface, or stand on its own (e.g., a loopback interface, a point-to-point protocol interface).
  • a NI (physical or virtual) may be numbered (a NI with an IP address) or unnumbered (a NI without an IP address).
  • a loopback interface (and its loopback address) is a specific type of virtual NI (and IP address) of a
  • IP addresses of that ND are referred to as IP addresses of that ND; at a more granular level, the IP address(es) assigned to NI(s) assigned to a NE/VNE implemented on a ND can be referred to as IP addresses of that NE/VNE.
  • An embodiment of the invention may be an article of manufacture in which a non- transitory machine-readable medium (such as microelectronic memory) has stored thereon instructions which program one or more data processing components (generically referred to here as a "processor") to perform the operations described above.
  • a non- transitory machine-readable medium such as microelectronic memory
  • program one or more data processing components (generically referred to here as a "processor") to perform the operations described above.
  • some of these operations might be performed by specific hardware components that contain hardwired logic (e.g., dedicated digital filter blocks and state machines). Those operations might alternatively be performed by any combination of programmed data processing components and fixed hardwired circuit components.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method is implemented by a software defined networking (SDN) controller in an SDN network to distribute Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller. The method includes obtaining an IPsec security association for a flow that was negotiated by the IPsec device, transmitting the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow, transmitting instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module, and transmitting an indication to the IPsec device that the flow is to bypass the IPsec device.

Description

IPSEC BYPASS IN SDN NETWORK
TECHNICAL FIELD
[0001] Embodiments of the invention relate to the field of computer networks, and more specifically, to allowing a flow to bypass an IPsec device in a software defined networking (SDN) network.
BACKGROUND
[0002] Software Defined Networking (SDN) is an approach to computer networking that employs a split architecture network in which the forwarding plane (or data plane) is decoupled from the control plane. The use of a split architecture network simplifies the network devices (e.g., switches) implementing the forwarding plane by shifting the intelligence of the network into one or more controllers that oversee the switches. SDN facilitates rapid and open innovation at the network layer by providing a programmable network infrastructure.
[0003] Virtual Private Network (VPN) is a technology that extends a private network across a public network such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network. VPNs are typically implemented using tunneling protocols and other technologies that allow for secure transmission of data over a shared or public network. Internet Protocol security (IPsec) is one example of a VPN technology. IPsec provides a set of security services for traffic at the Internet Protocol (IP) layer. For example, IPsec may provide confidentiality, data integrity, access control, and data source authentication for IP datagrams.
[0004] Cloud operating systems (e.g., OpenStack) can be used to manage large pools of compute, storage, and networking resources throughout a datacenter. Cloud operating systems can be used to create a VPN setup between two sites. This feature is sometimes referred to as VPN as a service (VPNaaS). Configuring a VPN service between two sites typically involves the following operations at each site: creating an Internet Key Exchange (IKE) policy, creating an IPsec policy, creating a VPN service (in OpenStack this includes noting the "external router" and "subnet" associated with the external router), and adding a site connection (which binds the IKE policy, IPsec policy, and the VPN service). Current IPsec deployments typically rely on a single centralized physical VPN node to perform all of the IPsec related processing such as packet encryption and decryption. This deployment model increases the latency of traffic since traffic needs to be steered through the centralized node. Also, this deployment model limits the scalability for providing IPsec services since the centralized node has a finite amount of computing resources to perform IPsec related processing.
SUMMARY
[0005] A method is implemented by a software defined networking (SDN) controller in an SDN network to distribute Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller. The method includes obtaining an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device, transmitting the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow, transmitting instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module, and transmitting an indication to the IPsec device that the flow is to bypass the IPsec device.
[0006] A network device is configured to function as a software defined networking (SDN) controller in an SDN network to distribute Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller. The network device includes a set of one or more processors and a non-transitory machine-readable storage medium having stored therein an IPsec device bypass component. The IPsec device bypass component, when executed by the set of one or more processors, causes the network device to obtain an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device, transmit the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow, transmit instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module, and transmit an indication to the IPsec device that the flow is to bypass the IPsec device.
[0007] A non-transitory machine-readable medium that has computer code stored therein, which when executed by a set of one or more processors of a network device functioning as a software defined networking (SDN) controller in an SDN network, causes the network device to perform operations for distributing Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller. The operations include obtaining an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device, transmitting the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow, transmitting instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module, and transmitting an indication to the IPsec device that the flow is to bypass the IPsec device.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention. In the drawings:
[0009] Fig. 1 is a block diagram of two datacenters that are communicatively coupled by an IPsec tunnel, according to some embodiments.
[0010] Fig. 2 is a diagram illustrating IKE communications between IPsec devices, according to some embodiments.
[0011] Fig. 3 is a diagram illustrating packet processing operations in a network before IPsec device bypass for a flow is configured, according to some embodiments.
[0012] Fig. 4 is a diagram illustrating operations for configuring IPsec device bypass for a flow in an SDN network, according to some embodiments.
[0013] Fig. 5A is a diagram illustrating outgoing packet processing operations in a network after IPsec device bypass for a flow has been configured, according to some embodiments.
[0014] Fig. 5B is a diagram illustrating incoming packet processing operations in a network after IPsec device bypass for a flow has been configured, according to some embodiments.
[0015] Fig. 6 is a diagram illustrating operations for handling termination of a flow, according to some embodiments.
[0016] Fig. 7 is a diagram illustrating operations for handling an update to an IPsec security association for a flow, according to some embodiments.
[0017] Fig. 8 is a diagram illustrating operations for handling deletion of an IPsec security association for a flow, according to some embodiments.
[0018] Fig. 9 is a flow diagram of a process performed by an SDN controller for implementing IPsec device bypass in an SDN network, according to some embodiments.
[0019] Fig. 10 is a flow diagram of a process performed by an IPsec device for implementing IPsec device bypass in an SDN network, according to some embodiments. [0020] Fig. 11 is a flow diagram of a process performed by a switch for implementing IPsec device bypass in an SDN network, according to some embodiments.
[0021] Figure 12A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some embodiments of the invention.
[0022] Figure 12B illustrates an exemplary way to implement a special-purpose network device according to some embodiments of the invention.
[0023] Figure 12C illustrates various exemplary ways in which virtual network elements (VNEs) may be coupled according to some embodiments of the invention.
[0024] Figure 12D illustrates a network with a single network element (NE) on each of the NDs, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention.
[0025] Figure 12E illustrates the simple case of where each of the NDs implements a single NE, but a centralized control plane has abstracted multiple of the NEs in different NDs into (to represent) a single NE in one of the virtual network(s), according to some embodiments of the invention.
[0026] Figure 12F illustrates a case where multiple VNEs are implemented on different NDs and are coupled to each other, and where a centralized control plane has abstracted these multiple VNEs such that they appear as a single VNE within one of the virtual networks, according to some embodiments of the invention.
[0027] Figure 13 illustrates a general purpose control plane device with centralized control plane (CCP) software 1350), according to some embodiments of the invention.
DETAILED DESCRIPTION
[0028] The following description describes methods and apparatuses that allow a flow to bypass an Internet Protocol security (IPsec) device. In the following description, numerous specific details such as logic implementations, opcodes, means to specify operands, resource partitioning/sharing/duplication implementations, types and interrelationships of system components, and logic partitioning/integration choices are set forth in order to provide a more thorough understanding of the present invention. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation .
[0029] References in the specification to "one embodiment," "an embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
[0030] Bracketed text and blocks with dashed borders (e.g., large dashes, small dashes, dot- dash, and dots) may be used herein to illustrate optional operations that add additional features to embodiments of the invention. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain embodiments of the invention.
[0031] In the following description and claims, the terms "coupled" and "connected," along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. "Coupled" is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other. "Connected" is used to indicate the establishment of communication between two or more elements that are coupled with each other.
[0032] An electronic device stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using machine-readable media (also called computer-readable media), such as machine-readable storage media (e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals). Thus, an electronic device (e.g., a computer) includes hardware and software, such as a set of one or more processors (e.g., wherein a processor is a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application specific integrated circuit, field programmable gate array, other electronic circuitry, a combination of one or more of the preceding) coupled to one or more machine-readable storage media to store code for execution on the set of processors and/or to store data. For instance, an electronic device may include non-volatile memory containing the code since the non- volatile memory can persist code/data even when the electronic device is turned off (when power is removed), and while the electronic device is turned on that part of the code that is to be executed by the processor(s) of that electronic device is typically copied from the slower nonvolatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of that electronic device. Typical electronic devices also include a set or one or more physical network interface(s) (NI(s)) to establish network connections (to transmit and/or receive code and/or data using propagating signals) with other electronic devices. For example, the set of physical NIs (or the set of physical NI(s) in combination with the set of processors executing code) may perform any formatting, coding, or translating to allow the electronic device to send and receive data whether over a wired and/or a wireless connection. In some embodiments, a physical NI may comprise radio circuitry capable of receiving data from other electronic devices over a wireless connection and/or sending data out to other devices via a wireless connection. This radio circuitry may include transmitter(s), receiver(s), and/or transceiver(s) suitable for radiofrequency communication. The radio circuitry may convert digital data into a radio signal having the appropriate parameters (e.g., frequency, timing, channel, bandwidth, etc.). The radio signal may then be transmitted via antennas to the appropriate recipient(s). In some embodiments, the set of physical NI(s) may comprise network interface controller(s) (NICs), also known as a network interface card, network adapter, or local area network (LAN) adapter. The NIC(s) may facilitate in connecting the electronic device to other electronic devices allowing them to communicate via wire through plugging in a cable to a physical port connected to a NIC. One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.
[0033] A network device (ND) is an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices). Some network devices are "multiple services network devices" that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video).
[0034] Fig. 1 is a block diagram of two datacenters that are communicatively coupled by an IPsec tunnel, according to some embodiments. Datacenter 11 OA includes a datacenter (DC) gateway 120A and a server 130A. The server 130A may host a VM 140A and a virtual switch 150A. In this example, the VM 140A is assigned an Internet Protocol (IP) address of 10.1.1.1. The VM is communicatively coupled to the virtual switch 150A and the virtual switch 150A is communicatively coupled to the DC gateway 120A. A VxLAN tunnel 160A is established between virtual switch 150A and DC gateway 120A to allow traffic from VMl to be sent out of datacenter 110A. The VxLAN tunnel endpoints for VxLAN tunnel 160 A are VTEP- IP1 and VTEP-DC1.
[0035] Datacenter 110B has a similar configuration as datacenter 110A. Datacenter 110B includes a datacenter (DC) gateway 120B and a server 130B. The server 130B may host a VM 140B and a virtual switch 150B. In this example, the VM 140B is assigned an IP address of 10.1.1.2. The VM is communicatively coupled to the virtual switch 150B and the virtual switch 150B is communicatively coupled to the DC gateway 120A. A VxLAN tunnel 160B is established between virtual switch 150B and DC gateway 120B to allow traffic from VM 140B to be sent out of datacenter HOB. The VxLAN tunnel endpoints for VxLAN tunnel 160B are VTEP-IP2 and VTEP-DC2.
[0036] DC gateway 120A is communicatively coupled to DC gateway 120B (e.g., over a shared or public network). An IPsec tunnel 170 is established between DC gateway 120A and DC gateway 120B to enable VM 140A and VM 140B to communicate over a Virtual Private Network (VPN). The DC gateways 120 may use an Internet Key Exchange (IKE) protocol to negotiate IPsec security associations with each other for the flow between VM 140A and VM140B and other flows. As used herein, a flow refers to a set of packets whose headers match a given pattern of values and/or bits. As used herein, an IPsec security association is a relationship between two or more entities that describes how the entities will use security services to communicate securely. An IPsec security association for a flow thus describes how that flow will be protected. Each DC gateway 120 maintains an IPsec security association for each flow that is to be protected by IPsec. The configuration of the datacenters shown in Fig. 1 is provided by way of example and not intended to be limiting. It should be understood that, in different embodiments, the datacenters can have different configurations.
[0037] IKE is typically divided into two phases. In phase 1, IKE creates an authenticated and secure channel between the two IKE peers. In phase 2, IKE negotiates the IPsec security associations and generates the required key material for IPsec. Security services may be afforded to an IPsec security association by the use of Authentication Header (AH) or
Encapsulation Security Pay load (ESP).
[0038] Fig. 2 is a diagram illustrating IKE communications between IPsec devices, according to some embodiments. IKE performs mutual authentication between two parties and establishes an IKE security association. The IKE security association may specify a set of cryptographic algorithms to be used to protect traffic and shared secret information that can be used to efficiently establish child security associations (also referred to herein as IPsec security associations) for ESP or AH. In one embodiment, a pre-shared-key can be used for authentication. In another embodiment, certificates and a Diffie-Hellman key exchange can be used to set up a shared session secret from which cryptographic keys are derived.
[0039] IKE communications typically consist of a pair of messages: a request and a response. The pair is referred to as an "exchange", and is sometimes referred to as a "request/response pair". As shown in the diagram, the first two exchanges of messages for establishing an IKE security association are called the IKE_SA_INIT exchange and the IKE_AUTH exchange. Subsequent IKE exchanges may include an exchange called a CREATE_CHILD_SA exchange and an exchange called an INFORMATIONAL exchange. The IKE_SA_INIT exchange includes an IKE_SA_INIT request 250 and an IKE_SA_INIT response 255. The IKE_SA_INIT exchange negotiates security parameters for the IKE security association. The IKE_AUTH exchange includes an IKE_AUTH request 260 and an IKE_AUTH response 265. The
IKE_AUTH exchange transmits identities, proves knowledge of the secrets corresponding to the two identities, and sets up an IPsec security association. The CREATE_CHLID_SA exchange creates child security associations (e.g., if multiple IPsec security associations are configured under the same IKE end points). The INFORMATIONAL exchange deletes an IPsec security association, reports error conditions, or performs other housekeeping tasks.
[0040] Conventional IPsec deployments typically rely on a single centralized physical VPN node (e.g., DC gateway 120, which functions as an IPsec device 210) to perform all of the IPsec related processing such as packet encryption and decryption. This deployment model increases the latency of traffic since traffic needs to be steered through the centralized node. Also, this deployment model limits the scalability for providing IPsec services since the centralized node has a finite amount of computing resources to perform IPsec related processing.
[0041] Embodiments disclosed herein overcome some of the disadvantages of the
conventional techniques by providing a technique in a software defined networking (SDN) network that allows IPsec processing to be distributed across one or more IPsec processing modules. This allows some flows to bypass the IPsec device 210 (sometimes referred to herein as IPsec device bypass). According to some embodiments, once an IPsec device 210 negotiates an IPsec security association for a flow, the IPsec device 210 makes the IPsec security association for the flow available to an SDN controller. The SDN controller obtains the IPsec security association for the flow and transmits the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow. The SDN controller also transmits an instruction to the switch to stop forwarding packets belonging to the flow to the IPsec device 210 and to start forwarding packets belonging to the flow to the IPsec processing module. The SDN controller then transmits an indication to the IPsec device 210 that the flow is to bypass the IPsec device. In this way, IPsec processing for the flow is performed by the local IPsec processing module instead of the IPsec device 210, and the flow bypasses the IPsec device. Other embodiments are described herein below.
[0042] Embodiments are based on the observation that once the IPsec device negotiates an IPsec security association for a flow, this IPsec security association is valid for a long period of time. Embodiments are further based on the observation that IPsec processing (e.g., packet encryption and decryption) need not be performed by the IPsec device itself, but can be offloaded to another entity (e.g., isolated software running on commercial off the shelf (COTS) hardware).
[0043] An advantage of the embodiments disclosed herein is that the computational load on the IPsec device 210 is reduced since IPsec processing can be distributed to one or more local IPsec processing modules. Another advantage of the embodiments disclosed herein is that IPsec processing scales better since more computational resources will be available for performing IPsec processing as the datacenter grows. Yet another advantage of the embodiments disclosed herein is that latency for traffic that requires IPsec processing is reduced and bandwidth to-and- from the IPsec device is reduced. Other advantages will be apparent from the disclosure provided herein.
[0044] Fig. 3 is a diagram illustrating packet processing operations in a network before IPsec device bypass for a flow is configured, according to some embodiments. The network includes an SDN controller 320, a switch 330 that is managed by the SDN controller 320, and an IPsec device 210. In one embodiment, the SDN controller 320 manages the switch 330 over a southbound interface using OpenFlow or other type of southbound communications protocol. The switch 330 is communicatively coupled to the IPsec device 210. The IPsec device 210 is typically a device that implements IKE or a similar protocol to negotiate security associations for flows. In one embodiment, the switch 330 is a virtual switch 150 (e.g., an Open vSwitch).
[0045] Packet processing operations in the network before IPsec device bypass for the flow is configured will now be described with reference to the diagram. The switch 330 is initially configured to forward packets belonging to the flow to the IPsec device 210 for IPsec processing (e.g., based on receiving traffic steering instructions 350 from SDN controller 320). At operation 1, the switch 330 receives a packet belonging to the flow. At operation 2, the switch 330 forwards the packet to the IPsec device 210 (e.g., according to traffic steering instructions 350).
[0046] At operation 3, the IPsec device 210 performs IPsec processing for the packet according to an IPsec security association for the flow. In one embodiment, the IPsec device 210 negotiates IPsec security associations for one or more flows with a peer IPsec device (e.g., using IKE). In one embodiment, the IPsec device 210 maintains an IPsec processing table that includes information regarding the negotiated IPsec security associations. Each entry in the IPsec processing table may identify the flow to be protected (e.g., encrypted/decrypted and authenticated), the security parameters, and key material. The flow to be protected may be identified based on one or more attributes that identify the flow (e.g., source IP address, destination IP address, IPsec tunnel source, and IPsec tunnel destination). The security parameters may indicate the security protocol to be used for encryption/decryption and authentication (e.g., AH or ESP). The key material may indicate the security key material. An exemplary IPsec processing table is shown in Table I.
Figure imgf000012_0001
Table I
[0047] As shown in Table I, the IPsec processing table includes columns for source, destination, security protocol, security parameters, key, tunnel source, and tunnel destination. The source and destination column indicate the source and destination of the flow, respectively. The security protocol column indicates the security protocol (e.g., AH or ESP). The security parameters column indicates various security parameters (e.g., transport mode (e.g., transport or tunnel), encryption algorithm (e.g., Advanced Encryption Standard (AES)), and authentication algorithm (e.g., Hash-based Message Authentication Code MD5 (HMAC-MD5)). The key column indicates the security key material (which is typically generated at runtime). The tunnel source and tunnel destination column indicate the IPsec tunnel source and the IPsec tunnel destination, respectively.
[0048] For sake of simplicity and clarity, the IPsec processing table is shown as including a single entry. It should be understood, however, that the IPsec processing table can include additional entries (e.g., for other flows). As shown in Table I, the entry in the IPsec processing table specifies an IPsec security association for a flow having source IP address of VM1-IP and destination IP address of VM2-IP. The IPsec tunnel source is VTEP-IP1 and the IPsec tunnel destination is VTEP-IP2. The security protocol is ESP. The transport mode is tunnel, the encryption algorithm is AES, and the authentication algorithm is HMAC-MD5. The security key material is "xxxxxx". The IPsec processing table thus specifies how the IPsec device 210 should protect a particular flow. [0049] In one embodiment, the IPsec device 210 maintains a timeout timer for each flow that is to be protected with IPsec. The IPsec device 210 may determine that a flow has timed out if the IPsec device does not receive a packet belonging to that flow for a period of time (e.g., for the length of the timeout timer). When the flow times out, the IPsec device 210 may delete the entry in the IPsec processing table corresponding to that flow.
[0050] After the IPsec device 210 processes the packet according to the IPsec security association for the flow, at operation 4, the IPsec device 210 forwards the processed packet back to the switch 330. At operation 5, the switch 330 forwards the processed packet towards its destination.
[0051] Fig. 4 is a diagram illustrating operations for configuring IPsec device bypass for a flow in an SDN network, according to some embodiments. As shown in the diagram, in one embodiment, the IPsec device 210 includes an IKE module 420 and a main IPsec processing module 410. The IKE module may perform operations related to IKE protocol (e.g., IKEv2) such as negotiating an IPsec security association with a peer IPsec device. The main IPsec processing module 410 may perform IPsec processing operations (e.g., packet encryption and decryption). In one embodiment, the IPsec device 210 is a DC gateway 120 in a datacenter 110. Conventionally, the main IPsec processing module 410 of the IPsec device 210 performs IPsec processing for all flows that are to be protected with IPsec within its domain (e.g., flows between datacenter 110A and datacenter HOB). However, as will be described in additional detail below, embodiments may distribute the IPsec processing responsibilities to one or more local IPsec processing modules (e.g., local IPsec processing module 340), which allows a flow to bypass the IPsec device 210.
[0052] At operation 1, once the IPsec device 210 negotiates the IPsec security association for the flow (e.g., using IKE), the IPsec device 210 provides the IPsec security association for the flow to the SDN controller 320 (e.g., transmits the IPsec security association for the flow directly to the SDN controller 320 or otherwise makes the IPsec security association for the flow available to the SDN controller 320). At operation 2, the SDN controller 320 transmits the IPsec security association for the flow to the local IPsec processing module 340 to configure the local IPsec processing module 340 to perform IPsec processing for the flow according to the IPsec security association for the flow. In one embodiment, the local IPsec processing module 340 may be implemented as a software application on COTS hardware (e.g., using Network
Function Virtualization (NFV) techniques). At operation 3, the SDN controller 320 transmits instructions to the switch 330 to stop forwarding packets belonging to the flow to the IPsec device 210 and to start forwarding packets belonging to the flow to the local IPsec processing module 340 (designated as "IPsec device bypass instructions"). At operation 4, once the switch 330 configures IPsec device bypass for the flow, the switch 330 transmits an indication to the SDN controller 320 that IPsec bypass for the flow has been configured (designated as "IPsec device bypass confirmation"). At operation 5, the SDN controller 320 transmits an indication to the IPsec device 210 that the flow is to bypass the IPsec device 210 (designated as "IPsec device bypass complete"). As part of operation 5 or as part of a separate operation, the SDN
controller 320 may also transmit an indication of an identity of the switch 330 to the IPsec device 210. At operation 6, the main IPsec processing module 410 of the IPsec device 210 disables timeout processing for the IPsec security association for the flow. This prevents the entry corresponding to the flow in the IPsec processing table from timing out prematurely while the flow bypasses the IPsec device 210. At operation 7, the IPsec device 210 creates a mapping between the IPsec security association for the flow and the switch 330 (e.g., mapping between the Security Parameter Index (SPI) for the IPsec security association and the identity of the switch 330). This allows the IPsec device 210 to forward incoming encrypted packets (e.g., received from a peer IPsec device) to the correct switch 330 (e.g., based on the SPI carried in ESP header).
[0053] The local IPsec processing module 340 is "local" in the sense that it is in close proximity to the switch 330 and/or VM 140 that is the source or destination of the flow (e.g., closer to the switch 330 and/or VM 140 relative to the IPsec device 210). For example, as shown in the diagram, the local IPsec processing module 340 and the switch 330 may be implemented on the same server 130. However, it should be understood that in other embodiments, the local IPsec processing module 340 and the switch 330 may be implemented on different servers 130 (e.g., local IPsec processing module 340 can be implemented as its own dedicated hardware device).
[0054] In one embodiment, IPsec device bypass can be selectively configured for certain flows. For example, IPsec device bypass may be configured for a flow if the flow is an elephant flow (or is expected to be an elephant flow). Elephant flows are large flows with long durations (what is considered a large flow and a long duration can be defined by a network operator or other entity). In one embodiment, the IPsec device 210 provides an indication of the
approximate size and duration of the flow to the SDN controller 320 (e.g., together with the IPsec security association for the flow). For example, the IPsec device 210 may provide an indication to the SDN controller 320 of whether the flow is an elephant flow or not. Based on this indication, the SDN controller 320 can determine whether the flow should bypass the IPsec device 210 or not. Similarly, in one embodiment, IPsec device bypass may be configured for a flow if the flow has a high priority level (what is considered a high priority level can be defined by a network operator or other entity). In one embodiment, high priority flows are flows that require low latency (e.g., flows that carry voice data) or flows that belong to premium
customers. In one embodiment, the IPsec device 210 provides an indication of the priority level of the flow to the SDN controller 320 (e.g., together with the IPsec security association for the flow). Based on this indication, the SDN controller 320 can determine whether the flow should bypass the IPsec device 210 or not.
[0055] Fig. 5A is a diagram illustrating outgoing packet processing operations in a network after IPsec device bypass for a flow has been configured, according to some embodiments. The switch 330 may have been previously configured to stop forwarding packets belonging to the flow to the IPsec device 210 and start forwarding packets belonging to the flow to the local IPsec processing module 340 (e.g., based on receiving IPsec device bypass instructions 510). At operation 1, the switch 330 receives a packet belonging to the flow. At operation 2, the switch 330 forwards the packet to the local IPsec processing module 340 for IPsec processing. Once the local IPsec processing module 340 processes the packet (e.g., according to the IPsec security association for the flow), at operation 3, the local IPsec processing module 340 forwards the processed packet back to the switch 330. At operation 4, the switch 330 forwards the processed packet towards its destination. As a result, the packet bypasses the IPsec device 210.
[0056] Fig. 5B is a diagram illustrating incoming packet processing operations in a network after IPsec device bypass for a flow has been configured, according to some embodiments. The IPsec device 210 may have previously created a mapping between an IPsec security association for the flow and the switch 330 (e.g., based on receiving an indication of an identity of the switch 330 from SDN controller 320). At operation 1, the IPsec device 210 receives an encrypted packet (e.g., ESP packet). The IPsec device 210 may determine that the encrypted packet is to be forwarded to the switch 330 based on the mapping between the IPsec security association for the flow and the switch 330 (e.g., based on SPI indicated in the ESP packet). At operation 2, the IPsec device 210 forwards the encrypted packet to the switch 330. At operation 3, the switch 330 forwards the encrypted packet to the local IPsec processing module 340 for IPsec processing. Once the local IPsec processing module 340 processes the packet (e.g., decrypts the packet), at operation 4, the local IPsec processing module 340 forwards the processed packet back to the switch 330. At operation 5, the switch 330 forwards the processed packet towards its destination.
[0057] Fig. 6 is a diagram illustrating operations for handling termination of a flow, according to some embodiments. At operation 1, the switch 330 transmits an indication to the SDN controller 320 that the flow has terminated. The switch 330 may have determined that the flow has terminated based on a determination that the flow entry for the flow has timed out (e.g., due to no packets matching the flow entry for a period of time). In response to receiving the indication that the flow has terminated, at operation 2, the SDN controller 320 transmits an instruction to the switch 330 to remove or undo configurations related to IPsec device bypass for the flow (designated as "remove IPsec device bypass"). At operation 3, the SDN controller 320 transmits an instruction to the local IPsec processing module 340 to remove or undo
configurations related to the IPsec security association for the flow. At operation 4, the SDN controller 320 transmits an indication to the IPsec device 210 that the flow has been terminated (designated as "flow terminated"). In response, the IKE module 420 of the IPsec device 210 may indicate to a peer IPsec device that the IPsec security association for the flow should be deleted. At operation 5, the main IPsec processing module 410 of the IPsec device 210 deletes the IPsec security association for the flow (e.g., deletes the corresponding entry in the IPsec processing table).
[0058] Fig. 7 is a diagram illustrating operations for handling an update to an IPsec security association for a flow, according to some embodiments. Once an IPsec security association is negotiated, the IPsec security association can be updated at the IKE protocol level (e.g., rekey or re-authentication). If the IKE module 420 of the IPsec device 210 determines that the IPsec security association for the flow needs to be updated, at operation 1, the IKE module 420 provides an update to the IPsec security association for the flow (e.g., rekey) to the main IPsec processing module 410 of the IPsec device 210. Also, at operation 2, the IPsec device 210 provides the update to the IPsec security association for the flow to the SDN controller 320. At operation 3, the SDN controller 320 transmits the update to the IPsec security association for the flow to the local IPsec processing module 340 to configure the local IPsec processing module 340 to perform IPsec processing for the flow according to the update to the IPsec security association for the flow.
[0059] Fig. 8 is a diagram illustrating operations for handling deletion of an IPsec security association for a flow, according to some embodiments. When the IPsec device 210 receives an indication from a peer IPsec device that an IPsec security association for a flow should be deleted, at operation 1, the IKE module 420 of the IPsec device 210 provides an indication to the main IPsec processing module 410 of the IPsec device 210 to delete the IPsec security association for the flow. The IPsec device 210 then provides an indication to the SDN controller 320 that the IPsec security association for the flow has been deleted (designated as "delete IPsec security association"). At operation 3, the SDN controller 320 transmits an instruction to the switch 330 to remove configurations related to IPsec device bypass for the flow (designated as "remove IPsec device bypass"). At operation 4, the SDN controller 320 transmits an instruction to the local IPsec processing module 340 to remove or undo configurations related to the IPsec security association for the flow (designated as "remove configuration").
[0060] Fig. 9 is a flow diagram of a process performed by an SDN controller for implementing IPsec device bypass in an SDN network, according to some embodiments. In one embodiment, the SDN controller 320 is communicatively coupled to a switch 330 and an IPsec device 210. In one embodiment, the SDN controller 320 manages the switch 330. In one embodiment, the SDN controller 320 and the switch 330 communicate using OpenFlow or other type of southbound communications protocol. The operations in this and other flow diagrams will be described with reference to the exemplary embodiments of the other figures. However, it should be understood that the operations of the flow diagrams can be performed by embodiments of the invention other than those discussed with reference to the other figures, and the embodiments of the invention discussed with reference to these other figures can perform operations different than those discussed with reference to the flow diagrams.
[0061] In one embodiment, the process is initiated when the SDN controller 320 obtains an IPsec security association for a flow (block 910). The IPsec security association for the flow may have been negotiated by the IPsec device 210. In one embodiment, the IPsec security association for the flow is obtained from the IPsec device 210. In one embodiment, the IPsec security association for the flow specifies one or more attributes that identify the flow. In one embodiment, the IPsec security association for the flow specifies a security protocol to be used for encryption/decryption and/or authentication, a key to be used for encryption, and one or more security parameters. The SDN controller 320 transmits the IPsec security association for the flow to an IPsec processing module 340 that is local to the switch 330 (e.g., local IPsec processing module 340) to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow
(block 920). The SDN controller 320 transmits instructions to the switch 330 to stop forwarding packets belonging to the flow to the IPsec device 210 and to start forwarding packets belonging to the flow to the IPsec processing module (block 930). The SDN controller 320 then transmits an indication to the IPsec device 210 that the flow is to bypass the IPsec device 210 (block 940). In one embodiment, the SDN controller 320 also transmits an indication of an identity of the switch 330 to the IPsec device 210 (block 950). This allows the IPsec device 210 to forward incoming encrypted packets (e.g., received from a peer IPsec device) to the correct switch 330 (e.g., based on the SPI carried in ESP header).
[0062] In one embodiment, the SDN controller 320 receives an indication from the switch 330 that the flow has terminated. In response, the SDN controller 320 may transmit an instruction to the switch 330 to remove configurations related to IPsec device bypass for the flow and transmit instructions to the IPsec processing module 340 to remove configurations related to the IPsec security association for the flow. The SDN controller 320 may then transmit an indication to the IPsec device 210 that the flow has terminated.
[0063] In one embodiment, the SDN controller 320 obtains an update to the IPsec security association for the flow. In one embodiment, the update to the IPsec security association for the flow is obtained from the IPsec device 210. In response to obtaining the update to the IPsec security association for the flow, the SDN controller 320 may transmit the update to the IPsec security association for the flow to the IPsec processing module 340 to configure the IPsec processing module 340 to perform IPsec processing for packets belonging to the flow according to the update to the IPsec security association for the flow.
[0064] In one embodiment, the SDN controller 320 obtains an indication that the IPsec security association for the flow has been deleted. In one embodiment, the indication that the IPsec security association for the flow has been deleted is obtained from the IPsec device 210. In response to obtaining the indication the indication that the IPsec security association for the flow has been deleted, the SDN controller 320 may transmit an instruction to the switch 330 to remove configurations related to IPsec device bypass for the flow and transmit an instruction to the IPsec processing module 340 to remove configurations related to the IPsec security association for the flow.
[0065] Fig. 10 is a flow diagram of a process performed by an IPsec device for implementing IPsec device bypass in an SDN network, according to some embodiments. In one embodiment, the IPsec device 210 is communicatively coupled to an SDN controller 320. In one
embodiment, the IPsec device 210 is a DC gateway 120 in a datacenter 110.
[0066] In one embodiment, the process is initiated when the IPsec device 210 negotiates an IPsec security association for a flow with a peer IPsec device (block 1010). The IPsec device 210 then provides the IPsec security association for the flow to the SDN controller 320 (block 1020). In one embodiment, the IPsec device 210 provides the IPsec security association for the flow to the SDN controller 320 by transmitting the IPsec security association for the flow directly to the SDN controller 320. In another embodiment, the IPsec device 210 provides the IPsec security association for the flow to the SDN controller 320 by storing/publishing the IPsec security association for the flow at a location that the SDN controller 320 can access. The SDN controller 320 may then retrieve/pull the IPsec security association for the flow from that location (e.g., the location could be at the IPsec device 210 itself or at a separate
database/server). Subsequently, the IPsec device 210 may receive an indication from the SDN controller 320 that the flow is to bypass the IPsec device 210 and an indication of an identity of a switch 330 (e.g., that is to handle incoming encrypted packets) (block 1030). In response, the IPsec device 210 disables timeout processing for the IPsec security association for the flow (block 1040) and creates a mapping between the IPsec security association for the flow (e.g., SPI) and the switch 330 (e.g., switch ID) (block 1050).
[0067] Subsequently, the IPsec device 210 may receive an encrypted packet (e.g., from a peer IPsec device) (block 1060). The encrypted packet may be encapsulated with a header that indicates the IPsec security association that was used to encrypt the packet (e.g., SPI). The IPsec device 210 determines, based on the previously created mapping, the switch 330 that is mapped to the IPsec security association that was used to encrypt the encrypted packet
(block 1070) and forwards the encrypted packet to the switch 330 (block 1080).
[0068] Fig. 11 is a flow diagram of a process performed by a switch for implementing IPsec device bypass in an SDN network, according to some embodiments. In one embodiment, the switch 330 is managed by an SDN controller 320 in the SDN network. In one embodiment, the SDN controller 320 and the switch 330 communicate using OpenFlow or other type of southbound communications protocol.
[0069] In one embodiment, the process is initiated when the switch 330 receives instructions from an SDN controller 320 to stop forwarding packets belonging to the flow to an IPsec device 210 and to start forwarding packets belonging to the flow to an IPsec processing module 340 that is local to the switch 330 (block 1110). The switch 330 may then configure its packet processing pipeline according to the instructions (e.g., flow modification messages) received from the SDN controller 320. The switch 330 may then receive a packet belonging to the flow (block 1120). The switch 330 forward the packet to the IPsec processing module according to the instructions received from the SDN controller 320 (block 1130). Subsequently, the switch 330 may receive the packet from the IPsec processing module (after the packet has been processed by the IPsec processing module 340) (block 1140). The switch 330 then forward the (processed) packet towards its destination (block 1150).
[0070] Figure 12A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some embodiments of the invention. Figure 12A shows NDs 1200A-H, and their connectivity by way of lines between 1200A-1200B, 1200B-1200C, 1200C-1200D, 1200D-1200E, 1200E-1200F, 1200F-1200G, and 1200A-1200G, as well as between 1200H and each of 1200A, 1200C, 1200D, and 1200G. These NDs are physical devices, and the connectivity between these NDs can be wireless or wired (often referred to as a link). An additional line extending from
NDs 1200A, 1200E, and 1200F illustrates that these NDs act as ingress and egress points for the network (and thus, these NDs are sometimes referred to as edge NDs; while the other NDs may be called core NDs). [0071] Two of the exemplary ND implementations in Figure 12A are: 1) a special-purpose network device 1202 that uses custom application-specific integrated-circuits (ASICs) and a special-purpose operating system (OS); and 2) a general purpose network device 1204 that uses common off-the-shelf (COTS) processors and a standard OS.
[0072] The special-purpose network device 1202 includes networking hardware 1210 comprising a set of one or more processor(s) 1212, forwarding resource(s) 1214 (which typically include one or more ASICs and/or network processors), and physical network interfaces (NIs) 1216 (through which network connections are made, such as those shown by the connectivity between NDs 1200A-H), as well as non-transitory machine readable storage media 1218 having stored therein networking software 1220. During operation, the networking software 1220 may be executed by the networking hardware 1210 to instantiate a set of one or more networking software instance(s) 1222. Each of the networking software instance(s) 1222, and that part of the networking hardware 1210 that executes that network software instance (be it hardware dedicated to that networking software instance and/or time slices of hardware temporally shared by that networking software instance with others of the networking software instance(s) 1222), form a separate virtual network element 1230A-R. Each of the virtual network element(s) (VNEs) 1230A-R includes a control communication and configuration module 1232A-R (sometimes referred to as a local control module or control communication module) and forwarding table(s) 1234A-R, such that a given virtual network element
(e.g., 1230A) includes the control communication and configuration module (e.g., 1232A), a set of one or more forwarding table(s) (e.g., 1234A), and that portion of the networking
hardware 1210 that executes the virtual network element (e.g., 1230A).
[0073] Software 1220 can include code such as IPsec device bypass component 1225, which when executed by networking hardware 1210, causes the special-purpose network device 1202 to perform operations of one or more embodiments described herein above as part networking software instances 1222.
[0074] The special-purpose network device 1202 is often physically and/or logically considered to include: 1) a ND control plane 1224 (sometimes referred to as a control plane) comprising the processor(s) 1212 that execute the control communication and configuration module(s) 1232A-R; and 2) a ND forwarding plane 1226 (sometimes referred to as a forwarding plane, a data plane, or a media plane) comprising the forwarding resource(s) 1214 that utilize the forwarding table(s) 1234A-R and the physical NIs 1216. By way of example, where the ND is a router (or is implementing routing functionality), the ND control plane 1224 (the
processor(s) 1212 executing the control communication and configuration module(s) 1232A-R) is typically responsible for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) and storing that routing information in the forwarding table(s) 1234A-R, and the ND forwarding plane 1226 is responsible for receiving that data on the physical NIs 1216 and forwarding that data out the appropriate ones of the physical NIs 1216 based on the forwarding table(s) 1234A-R.
[0075] Figure 12B illustrates an exemplary way to implement the special-purpose network device 1202 according to some embodiments of the invention. Figure 12B shows a special- purpose network device including cards 1238 (typically hot pluggable). While in some embodiments the cards 1238 are of two types (one or more that operate as the ND forwarding plane 1226 (sometimes called line cards), and one or more that operate to implement the ND control plane 1224 (sometimes called control cards)), alternative embodiments may combine functionality onto a single card and/or include additional card types (e.g., one additional type of card is called a service card, resource card, or multi-application card). A service card can provide specialized processing (e.g., Layer 4 to Layer 7 services (e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer-to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)). By way of example, a service card may be used to terminate IPsec tunnels and execute the attendant authentication and encryption algorithms. These cards are coupled together through one or more interconnect mechanisms illustrated as backplane 1236 (e.g., a first full mesh coupling the line cards and a second full mesh coupling all of the cards).
[0076] Returning to Figure 12A, the general purpose network device 1204 includes hardware 1240 comprising a set of one or more processor(s) 1242 (which are often COTS processors) and physical NIs 1246, as well as non-transitory machine readable storage media 1248 having stored therein software 1250. During operation, the processor(s) 1242 execute the software 1250 to instantiate one or more sets of one or more applications 1264A-R. While one embodiment does not implement virtualization, alternative embodiments may use different forms of virtualization. For example, in one such alternative embodiment the virtualization layer 1254 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 1262A-R called software containers that may each be used to execute one (or more) of the sets of
applications 1264A-R; where the multiple software containers (also called virtualization engines, virtual private servers, or jails) are user spaces (typically a virtual memory space) that are separate from each other and separate from the kernel space in which the operating system is run; and where the set of applications running in a given user space, unless explicitly allowed, cannot access the memory of the other processes. In another such alternative embodiment the virtualization layer 1254 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and each of the sets of applications 1264A-R is run on top of a guest operating system within an
instance 1262A-R called a virtual machine (which may in some cases be considered a tightly isolated form of software container) that is run on top of the hypervisor - the guest operating system and application may not know they are running on a virtual machine as opposed to running on a "bare metal" host electronic device, or through para- virtualization the operating system and/or application may be aware of the presence of virtualization for optimization purposes. In yet other alternative embodiments, one, some or all of the applications are implemented as unikernel(s), which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including
drivers/libraries of OS services) that provide the particular OS services needed by the
application. As a unikernel can be implemented to run directly on hardware 1240, directly on a hypervisor (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container, embodiments can be implemented fully with unikernels running directly on a hypervisor represented by virtualization layer 1254, unikernels running within software containers represented by instances 1262A-R, or as a combination of unikernels and the above-described techniques (e.g., unikernels and virtual machines both run directly on a hypervisor, unikernels and sets of applications that are run in different software containers).
[0077] The instantiation of the one or more sets of one or more applications 1264A-R, as well as virtualization if implemented, are collectively referred to as software instance(s) 1252. Each set of applications 1264A-R, corresponding virtualization construct (e.g., instance 1262A-R) if implemented, and that part of the hardware 1240 that executes them (be it hardware dedicated to that execution and/or time slices of hardware temporally shared), forms a separate virtual network element(s) 1260A-R.
[0078] The virtual network element(s) 1260A-R perform similar functionality to the virtual network element(s) 1230A-R - e.g., similar to the control communication and configuration module(s) 1232A and forwarding table(s) 1234A (this virtualization of the hardware 1240 is sometimes referred to as network function virtualization (NFV)). Thus, NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which could be located in Data centers, NDs, and customer premise equipment (CPE). While embodiments of the invention are illustrated with each instance 1262A-R corresponding to one VNE 1260A-R, alternative embodiments may implement this correspondence at a finer level granularity (e.g., line card virtual machines virtualize line cards, control card virtual machine virtualize control cards, etc.); it should be understood that the techniques described herein with reference to a correspondence of instances 1262A-R to VNEs also apply to embodiments where such a finer level of granularity and/or unikernels are used.
[0079] In certain embodiments, the virtualization layer 1254 includes a virtual switch that provides similar forwarding services as a physical Ethernet switch. Specifically, this virtual switch forwards traffic between instances 1262A-R and the physical NI(s) 1246, as well as optionally between the instances 1262A-R; in addition, this virtual switch may enforce network isolation between the VNEs 1260A-R that by policy are not permitted to communicate with each other (e.g., by honoring virtual local area networks (VLANs)).
[0080] Software 1250 can include code such as IPsec device bypass component 1263, which when executed by processor(s) 1242, cause the general purpose network device 1204 to perform operations of one or more embodiments descried herein above as part software instances 1262A-R.
[0081] The third exemplary ND implementation in Figure 12A is a hybrid network
device 1206, which includes both custom ASICs/special-purpose OS and COTS
processors/standard OS in a single ND or a single card within an ND. In certain embodiments of such a hybrid network device, a platform VM (i.e., a VM that that implements the
functionality of the special-purpose network device 1202) could provide for para- virtualization to the networking hardware present in the hybrid network device 1206.
[0082] Regardless of the above exemplary implementations of an ND, when a single one of multiple VNEs implemented by an ND is being considered (e.g., only one of the VNEs is part of a given virtual network) or where only a single VNE is currently being implemented by an ND, the shortened term network element (NE) is sometimes used to refer to that VNE. Also in all of the above exemplary implementations, each of the VNEs (e.g., VNE(s) 1230A-R, VNEs 1260A- R, and those in the hybrid network device 1206) receives data on the physical NIs (e.g., 1216, 1246) and forwards that data out the appropriate ones of the physical NIs (e.g., 1216, 1246). For example, a VNE implementing IP router functionality forwards IP packets on the basis of some of the IP header information in the IP packet; where IP header information includes source IP address, destination IP address, source port, destination port (where "source port" and
"destination port" refer herein to protocol ports, as opposed to physical ports of a ND), transport protocol (e.g., user datagram protocol (UDP), Transmission Control Protocol (TCP), and differentiated services code point (DSCP) values. [0083] Figure 12C illustrates various exemplary ways in which VNEs may be coupled according to some embodiments of the invention. Figure 12C shows VNEs 1270A.1-1270A.P (and optionally VNEs 1270A.Q-1270A.R) implemented in ND 1200A and VNE 1270H.1 in ND 1200H. In Figure 12C, VNEs 1270A.1-P are separate from each other in the sense that they can receive packets from outside ND 1200A and forward packets outside of ND 1200A;
VNE 1270A.1 is coupled with VNE 1270H.1, and thus they communicate packets between their respective NDs; VNE 1270A.2-1270A.3 may optionally forward packets between themselves without forwarding them outside of the ND 1200A; and VNE 1270A.P may optionally be the first in a chain of VNEs that includes VNE 1270A.Q followed by VNE 1270A.R (this is sometimes referred to as dynamic service chaining, where each of the VNEs in the series of VNEs provides a different service - e.g., one or more layer 4-7 network services). While Figure 12C illustrates various exemplary relationships between the VNEs, alternative embodiments may support other relationships (e.g., more/fewer VNEs, more/fewer dynamic service chains, multiple different dynamic service chains with some common VNEs and some different VNEs).
[0084] The NDs of Figure 12A, for example, may form part of the Internet or a private network; and other electronic devices (not shown; such as end user devices including
workstations, laptops, netbooks, tablets, palm tops, mobile phones, smartphones, phablets, multimedia phones, Voice Over Internet Protocol (VOIP) phones, terminals, portable media players, GPS units, wearable devices, gaming systems, set-top boxes, Internet enabled household appliances) may be coupled to the network (directly or through other networks such as access networks) to communicate over the network (e.g., the Internet or virtual private networks (VPNs) overlaid on (e.g., tunneled through) the Internet) with each other (directly or through servers) and/or access content and/or services. Such content and/or services are typically provided by one or more servers (not shown) belonging to a service/content provider or one or more end user devices (not shown) participating in a peer-to-peer (P2P) service, and may include, for example, public webpages (e.g., free content, store fronts, search services), private webpages (e.g., username/password accessed webpages providing email services), and/or corporate networks over VPNs. For instance, end user devices may be coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)) to edge NDs, which are coupled (e.g., through one or more core NDs) to other edge NDs, which are coupled to electronic devices acting as servers. However, through compute and storage virtualization, one or more of the electronic devices operating as the NDs in Figure 12A may also host one or more such servers (e.g., in the case of the general purpose network device 1204, one or more of the software instances 1262A-R may operate as servers; the same would be true for the hybrid network device 1206; in the case of the special-purpose network device 1202, one or more such servers could also be run on a virtualization layer executed by the processor(s) 1212); in which case the servers are said to be co-located with the VNEs of that ND.
[0085] A virtual network is a logical abstraction of a physical network (such as that in Figure 12A) that provides network services (e.g., L2 and/or L3 services). A virtual network can be implemented as an overlay network (sometimes referred to as a network virtualization overlay) that provides network services (e.g., layer 2 (L2, data link layer) and/or layer 3 (L3, network layer) services) over an underlay network (e.g., an L3 network, such as an Internet Protocol (IP) network that uses tunnels (e.g., generic routing encapsulation (GRE), layer 2 tunneling protocol (L2TP), IPSec) to create the overlay network).
[0086] A network virtualization edge (NVE) sits at the edge of the underlay network and participates in implementing the network virtualization; the network-facing side of the NVE uses the underlay network to tunnel frames to and from other NVEs; the outward-facing side of the NVE sends and receives data to and from systems outside the network. A virtual network instance (VNI) is a specific instance of a virtual network on a NVE (e.g., a NE/VNE on an ND, a part of a NE/VNE on a ND where that NE/VNE is divided into multiple VNEs through emulation); one or more VNIs can be instantiated on an NVE (e.g., as different VNEs on an ND). A virtual access point (VAP) is a logical connection point on the NVE for connecting external systems to a virtual network; a VAP can be physical or virtual ports identified through logical interface identifiers (e.g., a VLAN ID).
[0087] Examples of network services include: 1) an Ethernet LAN emulation service (an Ethernet-based multipoint service similar to an Internet Engineering Task Force (IETF) Multiprotocol Label Switching (MPLS) or Ethernet VPN (EVPN) service) in which external systems are interconnected across the network by a LAN environment over the underlay network (e.g., an NVE provides separate L2 VNIs (virtual switching instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network); and 2) a virtualized IP forwarding service (similar to IETF IP VPN (e.g., Border Gateway Protocol (BGP)/MPLS IP VPN) from a service definition perspective) in which external systems are interconnected across the network by an L3 environment over the underlay network (e.g., an NVE provides separate L3 VNIs (forwarding and routing instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network)). Network services may also include quality of service capabilities (e.g., traffic classification marking, traffic conditioning and scheduling), security capabilities (e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements), and management capabilities (e.g., full detection and processing). [0088] Fig. 12D illustrates a network with a single network element on each of the NDs of Figure 12A, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention. Specifically, Figure 12D illustrates network elements
(NEs) 1270A-H with the same connectivity as the NDs 1200A-H of Figure 12A.
[0089] Figure 12D illustrates that the distributed approach 1272 distributes responsibility for generating the reachability and forwarding information across the NEs 1270A-H; in other words, the process of neighbor discovery and topology discovery is distributed.
[0090] For example, where the special-purpose network device 1202 is used, the control communication and configuration module(s) 1232A-R of the ND control plane 1224 typically include a reachability and forwarding information module to implement one or more routing protocols (e.g., an exterior gateway protocol such as Border Gateway Protocol (BGP), Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Routing Information Protocol (RIP), Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP) (including RS VP-Traffic Engineering (TE): Extensions to RSVP for LSP Tunnels and Generalized Multi-Protocol Label Switching
(GMPLS) Signaling RSVP-TE)) that communicate with other NEs to exchange routes, and then selects those routes based on one or more routing metrics. Thus, the NEs 1270A-H (e.g., the processor(s) 1212 executing the control communication and configuration module(s) 1232A-R) perform their responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by
distributively determining the reachability within the network and calculating their respective forwarding information. Routes and adjacencies are stored in one or more routing structures (e.g., Routing Information Base (RIB), Label Information Base (LIB), one or more adjacency structures) on the ND control plane 1224. The ND control plane 1224 programs the ND forwarding plane 1226 with information (e.g., adjacency and route information) based on the routing structure(s). For example, the ND control plane 1224 programs the adjacency and route information into one or more forwarding table(s) 1234A-R (e.g., Forwarding Information Base (FIB), Label Forwarding Information Base (LFIB), and one or more adjacency structures) on the ND forwarding plane 1226. For layer 2 forwarding, the ND can store one or more bridging tables that are used to forward data based on the layer 2 information in that data. While the above example uses the special-purpose network device 1202, the same distributed
approach 1272 can be implemented on the general purpose network device 1204 and the hybrid network device 1206. [0091] Figure 12D illustrates that a centralized approach 1274 (also known as software defined networking (SDN)) that decouples the system that makes decisions about where traffic is sent from the underlying systems that forwards traffic to the selected destination. The illustrated centralized approach 1274 has the responsibility for the generation of reachability and forwarding information in a centralized control plane 1276 (sometimes referred to as a SDN control module, controller, network controller, OpenFlow controller, SDN controller, control plane node, network virtualization authority, or management control entity), and thus the process of neighbor discovery and topology discovery is centralized. The centralized control plane 1276 has a south bound interface 1282 with a data plane 1280 (sometime referred to the infrastructure layer, network forwarding plane, or forwarding plane (which should not be confused with a ND forwarding plane)) that includes the NEs 1270A-H (sometimes referred to as switches, forwarding elements, data plane elements, or nodes). The centralized control plane 1276 includes a network controller 1278, which includes a centralized reachability and forwarding information module 1279 that determines the reachability within the network and distributes the forwarding information to the NEs 1270A-H of the data plane 1280 over the south bound interface 1282 (which may use the OpenFlow protocol). Thus, the network intelligence is centralized in the centralized control plane 1276 executing on electronic devices that are typically separate from the NDs. In one embodiment, the network controller 1278 may include an IPsec device bypass component 1281 that when executed by the network controller 1278, causes the network controller 1278 to perform operations of one or more embodiments described herein above.
[0092] For example, where the special-purpose network device 1202 is used in the data plane 1280, each of the control communication and configuration module(s) 1232A-R of the ND control plane 1224 typically include a control agent that provides the VNE side of the south bound interface 1282. In this case, the ND control plane 1224 (the processor(s) 1212 executing the control communication and configuration module(s) 1232A-R) performs its responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) through the control agent communicating with the centralized control plane 1276 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 1279 (it should be understood that in some embodiments of the invention, the control communication and configuration module(s) 1232A-R, in addition to communicating with the centralized control plane 1276, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach; such embodiments are generally considered to fall under the centralized approach 1274, but may also be considered a hybrid approach).
[0093] While the above example uses the special-purpose network device 1202, the same centralized approach 1274 can be implemented with the general purpose network device 1204 (e.g., each of the VNE 1260A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by communicating with the centralized control plane 1276 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 1279; it should be understood that in some embodiments of the invention, the VNEs 1260A-R, in addition to communicating with the centralized control plane 1276, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach) and the hybrid network device 1206. In fact, the use of SDN techniques can enhance the NFV techniques typically used in the general purpose network device 1204 or hybrid network device 1206 implementations as NFV is able to support SDN by providing an infrastructure upon which the SDN software can be run, and NFV and SDN both aim to make use of commodity server hardware and physical switches.
[0094] Figure 12D also shows that the centralized control plane 1276 has a north bound interface 1284 to an application layer 1286, in which resides application(s) 1288. The centralized control plane 1276 has the ability to form virtual networks 1292 (sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 1270A-H of the data plane 1280 being the underlay network)) for the application(s) 1288. Thus, the centralized control plane 1276 maintains a global view of all NDs and configured NEs/VNEs, and it maps the virtual networks to the underlying NDs efficiently (including maintaining these mappings as the physical network changes either through hardware (ND, link, or ND
component) failure, addition, or removal).
[0095] While Figure 12D shows the distributed approach 1272 separate from the centralized approach 1274, the effort of network control may be distributed differently or the two combined in certain embodiments of the invention. For example: 1) embodiments may generally use the centralized approach (SDN) 1274, but have certain functions delegated to the NEs (e.g., the distributed approach may be used to implement one or more of fault monitoring, performance monitoring, protection switching, and primitives for neighbor and/or topology discovery); or 2) embodiments of the invention may perform neighbor discovery and topology discovery via both the centralized control plane and the distributed protocols, and the results compared to raise exceptions where they do not agree. Such embodiments are generally considered to fall under the centralized approach 1274, but may also be considered a hybrid approach.
[0096] While Figure 12D illustrates the simple case where each of the NDs 1200A-H implements a single NE 1270A-H, it should be understood that the network control approaches described with reference to Figure 12D also work for networks where one or more of the NDs 1200A-H implement multiple VNEs (e.g., VNEs 1230A-R, VNEs 1260A-R, those in the hybrid network device 1206). Alternatively or in addition, the network controller 1278 may also emulate the implementation of multiple VNEs in a single ND. Specifically, instead of (or in addition to) implementing multiple VNEs in a single ND, the network controller 1278 may present the implementation of a VNE/NE in a single ND as multiple VNEs in the virtual networks 1292 (all in the same one of the virtual network(s) 1292, each in different ones of the virtual network(s) 1292, or some combination). For example, the network controller 1278 may cause an ND to implement a single VNE (a NE) in the underlay network, and then logically divide up the resources of that NE within the centralized control plane 1276 to present different VNEs in the virtual network(s) 1292 (where these different VNEs in the overlay networks are sharing the resources of the single VNE/NE implementation on the ND in the underlay network).
[0097] On the other hand, Figures 12E and 12F respectively illustrate exemplary abstractions of NEs and VNEs that the network controller 1278 may present as part of different ones of the virtual networks 1292. Figure 12E illustrates the simple case of where each of the NDs 1200A- H implements a single NE 1270A-H (see Figure 12D), but the centralized control plane 1276 has abstracted multiple of the NEs in different NDs (the NEs 1270A-C and G-H) into (to represent) a single NE 12701 in one of the virtual network(s) 1292 of Figure 12D, according to some embodiments of the invention. Figure 12E shows that in this virtual network, the
NE 12701 is coupled to NE 1270D and 1270F, which are both still coupled to NE 1270E.
[0098] Figure 12F illustrates a case where multiple VNEs (VNE 1270A.1 and VNE 1270H.1) are implemented on different NDs (ND 1200 A and ND 1200H) and are coupled to each other, and where the centralized control plane 1276 has abstracted these multiple VNEs such that they appear as a single VNE 1270T within one of the virtual networks 1292 of Figure 12D, according to some embodiments of the invention. Thus, the abstraction of a NE or VNE can span multiple NDs.
[0099] While some embodiments of the invention implement the centralized control plane 1276 as a single entity (e.g., a single instance of software running on a single electronic device), alternative embodiments may spread the functionality across multiple entities for redundancy and/or scalability purposes (e.g., multiple instances of software running on different electronic devices).
[00100] Similar to the network device implementations, the electronic device(s) running the centralized control plane 1276, and thus the network controller 1278 including the centralized reachability and forwarding information module 1279, may be implemented a variety of ways (e.g., a special purpose device, a general-purpose (e.g., COTS) device, or hybrid device). These electronic device(s) would similarly include processor(s), a set or one or more physical NIs, and a non-transitory machine-readable storage medium having stored thereon the centralized control plane software. For instance, Figure 13 illustrates, a general purpose control plane device 1304 including hardware 1340 comprising a set of one or more processor(s) 1342 (which are often COTS processors) and physical NIs 1346, as well as non-transitory machine readable storage media 1348 having stored therein centralized control plane (CCP) software 1350 and an IPsec device bypass component 1351.
[00101] In embodiments that use compute virtualization, the processor(s) 1342 typically execute software to instantiate a virtualization layer 1354 (e.g., in one embodiment the virtualization layer 1354 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 1362A-R called software containers (representing separate user spaces and also called virtualization engines, virtual private servers, or jails) that may each be used to execute a set of one or more
applications; in another embodiment the virtualization layer 1354 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and an application is run on top of a guest operating system within an instance 1362A-R called a virtual machine (which in some cases may be considered a tightly isolated form of software container) that is run by the hypervisor ; in another embodiment, an application is implemented as a unikernel, which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including drivers/libraries of OS services) that provide the particular OS services needed by the application, and the unikernel can run directly on hardware 1340, directly on a hypervisor represented by virtualization layer 1354 (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container represented by one of instances 1362A-R). Again, in embodiments where compute virtualization is used, during operation an instance of the CCP software 1350 (illustrated as CCP instance 1376A) is executed (e.g., within the instance 1362A) on the virtualization layer 1354. In embodiments where compute virtualization is not used, the CCP instance 1376A is executed, as a unikernel or on top of a host operating system, on the "bare metal" general purpose control plane device 1304. The instantiation of the CCP instance 1376A, as well as the virtualization layer 1354 and
instances 1362A-R if implemented, are collectively referred to as software instance(s) 1352.
[00102] In some embodiments, the CCP instance 1376A includes a network controller instance 1378. The network controller instance 1378 includes a centralized reachability and forwarding information module instance 1379 (which is a middleware layer providing the context of the network controller 1278 to the operating system and communicating with the various NEs), and an CCP application layer 1380 (sometimes referred to as an application layer) over the middleware layer (providing the intelligence required for various network operations such as protocols, network situational awareness, and user - interfaces). At a more abstract level, this CCP application layer 1380 within the centralized control plane 1276 works with virtual network view(s) (logical view(s) of the network) and the middleware layer provides the conversion from the virtual networks to the physical view.
[00103] The IPsec device bypass component 1351 can be executed by hardware 1340 to perform operations of one or more embodiments described herein above as part of software instances 1352.
[00104] The centralized control plane 1276 transmits relevant messages to the data plane 1280 based on CCP application layer 1380 calculations and middleware layer mapping for each flow. A flow may be defined as a set of packets whose headers match a given pattern of bits; in this sense, traditional IP forwarding is also flow-based forwarding where the flows are defined by the destination IP address for example; however, in other implementations, the given pattern of bits used for a flow definition may include more fields (e.g., 10 or more) in the packet headers. Different NDs/NEs/VNEs of the data plane 1280 may receive different messages, and thus different forwarding information. The data plane 1280 processes these messages and programs the appropriate flow information and corresponding actions in the forwarding tables (sometime referred to as flow tables) of the appropriate NE/VNEs, and then the NEs/VNEs map incoming packets to flows represented in the forwarding tables and forward packets based on the matches in the forwarding tables.
[00105] Standards such as OpenFlow define the protocols used for the messages, as well as a model for processing the packets. The model for processing packets includes header parsing, packet classification, and making forwarding decisions. Header parsing describes how to interpret a packet based upon a well-known set of protocols. Some protocol fields are used to build a match structure (or key) that will be used in packet classification (e.g., a first key field could be a source media access control (MAC) address, and a second key field could be a destination MAC address). [00106] Packet classification involves executing a lookup in memory to classify the packet by determining which entry (also referred to as a forwarding table entry or flow entry) in the forwarding tables best matches the packet based upon the match structure, or key, of the forwarding table entries. It is possible that many flows represented in the forwarding table entries can correspond/match to a packet; in this case the system is typically configured to determine one forwarding table entry from the many according to a defined scheme (e.g., selecting a first forwarding table entry that is matched). Forwarding table entries include both a specific set of match criteria (a set of values or wildcards, or an indication of what portions of a packet should be compared to a particular value/values/wildcards, as defined by the matching capabilities - for specific fields in the packet header, or for some other packet content), and a set of one or more actions for the data plane to take on receiving a matching packet. For example, an action may be to push a header onto the packet, for the packet using a particular port, flood the packet, or simply drop the packet. Thus, a forwarding table entry for IPv4/IPv6 packets with a particular transmission control protocol (TCP) destination port could contain an action specifying that these packets should be dropped.
[00107] Making forwarding decisions and performing actions occurs, based upon the forwarding table entry identified during packet classification, by executing the set of actions identified in the matched forwarding table entry on the packet.
[00108] However, when an unknown packet (for example, a "missed packet" or a "match- miss" as used in OpenFlow parlance) arrives at the data plane 1280, the packet (or a subset of the packet header and content) is typically forwarded to the centralized control plane 1276. The centralized control plane 1276 will then program forwarding table entries into the data plane 1280 to accommodate packets belonging to the flow of the unknown packet. Once a specific forwarding table entry has been programmed into the data plane 1280 by the centralized control plane 1276, the next packet with matching credentials will match that forwarding table entry and take the set of actions associated with that matched entry.
[00109] A network interface (NI) may be physical or virtual; and in the context of IP, an interface address is an IP address assigned to a NI, be it a physical NI or virtual NI. A virtual NI may be associated with a physical NI, with another virtual interface, or stand on its own (e.g., a loopback interface, a point-to-point protocol interface). A NI (physical or virtual) may be numbered (a NI with an IP address) or unnumbered (a NI without an IP address). A loopback interface (and its loopback address) is a specific type of virtual NI (and IP address) of a
NE/VNE (physical or virtual) often used for management purposes; where such an IP address is referred to as the nodal loopback address. The IP address(es) assigned to the NI(s) of a ND are referred to as IP addresses of that ND; at a more granular level, the IP address(es) assigned to NI(s) assigned to a NE/VNE implemented on a ND can be referred to as IP addresses of that NE/VNE.
[00110] An embodiment of the invention may be an article of manufacture in which a non- transitory machine-readable medium (such as microelectronic memory) has stored thereon instructions which program one or more data processing components (generically referred to here as a "processor") to perform the operations described above. In other embodiments, some of these operations might be performed by specific hardware components that contain hardwired logic (e.g., dedicated digital filter blocks and state machines). Those operations might alternatively be performed by any combination of programmed data processing components and fixed hardwired circuit components.
[00111] While the flow diagrams in the figures show a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary (e.g., alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, etc.).
[00112] While the invention has been described in terms of several embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described, can be practiced with modification and alteration within the spirit and scope of the appended claims. The description is thus to be regarded as illustrative instead of limiting.

Claims

CLAIMS What is claimed is:
1. A method implemented by a software defined networking (SDN) controller in an SDN
network to distribute Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller, the method comprising:
obtaining an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device;
transmitting the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform
IPsec processing for packets belonging to the flow according to the IPsec security association for the flow;
transmitting instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the
IPsec processing module; and
transmitting an indication to the IPsec device that the flow is to bypass the IPsec device.
2. The method of claim 1, further comprising:
transmitting an indication of an identity of the switch to the IPsec device to cause the IPsec device to create a mapping between the IPsec security association for the flow and the switch.
3. The method of claim 1, wherein the IPsec security association for the flow is obtained from the IPsec device.
4. The method of claim 1, wherein the IPsec security association for the flow specifies one or more attributes that identify the flow.
5. The method of claim 1, wherein the IPsec security association for the flow specifies a
security protocol to be used for encryption, a key to be used for encryption, and one or more security parameters.
6. The method of claim 1, further comprising:
receiving an indication from the switch that the flow has terminated; transmitting an instruction to the switch to remove configurations related to IPsec device bypass for the flow;
transmitting instructions to the IPsec processing module to remove configurations related to the IPsec security association for the flow; and
transmitting an indication to the IPsec device that the flow has terminated.
7. The method of claim 1, further comprising:
obtaining an update to the IPsec security association for the flow; and
transmitting the update to the IPsec security association for the flow to the IPsec
processing module to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the update to the IPsec security association for the flow.
8. The method of claim 1, further comprising:
obtaining an indication that the IPsec security association for the flow has been deleted; transmitting an instruction to the switch to remove configurations related to IPsec device bypass for the flow; and
transmitting an instruction to the IPsec processing module to remove configurations related to the IPsec security association for the flow.
9. A network device configured to function as a software defined networking (SDN) controller in an SDN network to distribute Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller, the network device comprising:
a set of one or more processors; and
a non-transitory machine-readable storage medium having stored therein an IPsec device bypass component, which when executed by the set of one or more processors, causes the network device to obtain an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device, transmit the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow, transmit instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module, and transmit an indication to the IPsec device that the flow is to bypass the IPsec device.
10. The network device of claim 9, wherein the IPsec security association for the flow is
obtained from the IPsec device.
11. The network device of claim 9, wherein the IPsec security association for the flow specifies one or more attributes that identify the flow.
12. The network device of claim 9, wherein the IPsec security association for the flow specifies a security protocol to be used for encryption, a key to be used for encryption, and one or more security parameters.
13. The network device of claim 9, wherein the IPsec device bypass component, when executed by the set of one or more processors, further causes the network device to receive an indication from the switch that the flow has terminated, transmit an instruction to the switch to remove configurations related to IPsec device bypass for the flow, transmit instructions to the IPsec processing module to remove configurations related to the IPsec security association for the flow, and transmit an indication to the IPsec device that the flow has terminated.
14. The network device of claim 9, wherein the IPsec device bypass component, when executed by the set of one or more processors, further causes the network device to obtain an update to the IPsec security association for the flow and transmit the update to the IPsec security association for the flow to the IPsec processing module to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the update to the IPsec security association for the flow.
15. A non-transitory machine-readable medium having computer code stored therein, which when executed by a set of one or more processors of a network device functioning as a software defined networking (SDN) controller in an SDN network, causes the network device to perform operations for distributing Internet Protocol (IP) security (IPsec) processing from an IPsec device to one or more IPsec processing modules that are local to switches managed by the SDN controller, the operations comprising:
obtaining an IPsec security association for a flow, wherein the IPsec security association for the flow was negotiated by the IPsec device; transmitting the IPsec security association for the flow to an IPsec processing module that is local to a switch to configure the IPsec processing module to perform IPsec processing for packets belonging to the flow according to the IPsec security association for the flow;
transmitting instructions to the switch to stop forwarding packets belonging to the flow to the IPsec device and to start forwarding packets belonging to the flow to the IPsec processing module; and
transmitting an indication to the IPsec device that the flow is to bypass the IPsec device.
16. The non-transitory machine-readable medium of claim 15, wherein the IPsec security
association for the flow is obtained from the IPsec device.
17. The non-transitory machine-readable medium of claim 15, wherein the IPsec security
association for the flow specifies one or more attributes that identify the flow.
18. The non-transitory machine-readable medium of claim 15, wherein the IPsec security
association for the flow specifies a security protocol to be used for encryption, a key to be used for encryption, and one or more security parameters.
19. The non-transitory machine-readable medium of claim 15, wherein the computer code, when executed by the set of one or more processors of the network device, causes the network device to perform further operations comprising:
receiving an indication from the switch that the flow has terminated;
transmitting an instruction to the switch to remove configurations related to IPsec device bypass for the flow;
transmitting instructions to the IPsec processing module to remove configurations related to the IPsec security association for the flow; and
transmitting an indication to the IPsec device that the flow has terminated.
20. The non-transitory machine-readable medium of claim 15, wherein the computer code, when executed by the set of one or more processors of the network device, causes the network device to perform further operations comprising:
obtaining an indication that the IPsec security association for the flow has been deleted; transmitting an instruction to the switch to remove configurations related to IPsec device bypass for the flow; and transmitting an instruction to the IPsec processing module to remove configurations related to the IPsec security association for the flow.
PCT/IB2017/051520 2017-03-16 2017-03-16 Ipsec bypass in sdn network WO2018167539A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2017/051520 WO2018167539A1 (en) 2017-03-16 2017-03-16 Ipsec bypass in sdn network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2017/051520 WO2018167539A1 (en) 2017-03-16 2017-03-16 Ipsec bypass in sdn network

Publications (1)

Publication Number Publication Date
WO2018167539A1 true WO2018167539A1 (en) 2018-09-20

Family

ID=58448583

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2017/051520 WO2018167539A1 (en) 2017-03-16 2017-03-16 Ipsec bypass in sdn network

Country Status (1)

Country Link
WO (1) WO2018167539A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021048734A1 (en) * 2019-09-11 2021-03-18 International Business Machines Corporation Establishing a security association and authentication to secure communication between an initiator and a responder
US11201749B2 (en) 2019-09-11 2021-12-14 International Business Machines Corporation Establishing a security association and authentication to secure communication between an initiator and a responder
CN113852552A (en) * 2021-09-23 2021-12-28 网络通信与安全紫金山实验室 Network communication method, system and storage medium
CN115941389A (en) * 2022-11-15 2023-04-07 中电信量子科技有限公司 Method for realizing IPSec VPN two-layer networking and IPSec VPN gateway

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8191134B1 (en) * 2008-09-29 2012-05-29 Sonicwall, Inc. Lockless distributed IPsec processing
US20160043996A1 (en) * 2013-03-15 2016-02-11 Hewlett-Packard Development Company, L.P. Secure path determination between devices
US20160105401A1 (en) * 2014-10-10 2016-04-14 Jyothi Vemulapalli System and method for internet protocol security processing
KR101686995B1 (en) * 2015-07-08 2016-12-16 주식회사 케이티 IPSec VPN Apparatus and system for using software defined network and network function virtualization and method thereof broadcasting

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8191134B1 (en) * 2008-09-29 2012-05-29 Sonicwall, Inc. Lockless distributed IPsec processing
US20160043996A1 (en) * 2013-03-15 2016-02-11 Hewlett-Packard Development Company, L.P. Secure path determination between devices
US20160105401A1 (en) * 2014-10-10 2016-04-14 Jyothi Vemulapalli System and method for internet protocol security processing
KR101686995B1 (en) * 2015-07-08 2016-12-16 주식회사 케이티 IPSec VPN Apparatus and system for using software defined network and network function virtualization and method thereof broadcasting

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021048734A1 (en) * 2019-09-11 2021-03-18 International Business Machines Corporation Establishing a security association and authentication to secure communication between an initiator and a responder
US11201749B2 (en) 2019-09-11 2021-12-14 International Business Machines Corporation Establishing a security association and authentication to secure communication between an initiator and a responder
US11206144B2 (en) 2019-09-11 2021-12-21 International Business Machines Corporation Establishing a security association and authentication to secure communication between an initiator and a responder
CN114402564A (en) * 2019-09-11 2022-04-26 国际商业机器公司 Establishing security associations and authentications to secure communications between initiators and responders
GB2603667A (en) * 2019-09-11 2022-08-10 Ibm Establishing a security association and authentication to secure communication between an initiator and a responder
GB2603667B (en) * 2019-09-11 2023-11-22 Ibm Establishing a security association and authentication to secure communication between an initiator and a responder
CN114402564B (en) * 2019-09-11 2024-04-26 国际商业机器公司 Establishing security association and authentication to secure communications between an initiator and a responder
CN113852552A (en) * 2021-09-23 2021-12-28 网络通信与安全紫金山实验室 Network communication method, system and storage medium
CN113852552B (en) * 2021-09-23 2023-04-18 网络通信与安全紫金山实验室 Network communication method, system and storage medium
CN115941389A (en) * 2022-11-15 2023-04-07 中电信量子科技有限公司 Method for realizing IPSec VPN two-layer networking and IPSec VPN gateway

Similar Documents

Publication Publication Date Title
US11665089B2 (en) Mechanism for hitless resynchronization during SDN controller upgrades between incompatible versions
US10673753B2 (en) Using border gateway protocol to expose maximum segment identifier depth to an external application
US11444864B2 (en) Optimized datapath troubleshooting with trace policy engine
EP3378205B1 (en) Service based intelligent packet-in buffering mechanism for openflow switches by having variable buffer timeouts
EP3391588B1 (en) Openflow configured horizontally split hybrid sdn nodes
EP3504848B1 (en) Improving service function chain, sfc, proxy performance in software defined networking, sdn, networks
US9509599B2 (en) Self-bootstrapping BFD session over MPLS LSP
US11115328B2 (en) Efficient troubleshooting in openflow switches
US11968082B2 (en) Robust node failure detection mechanism for SDN controller cluster
US11362925B2 (en) Optimizing service node monitoring in SDN
US20160315866A1 (en) Service based intelligent packet-in mechanism for openflow switches
US10616361B2 (en) Service aware switch-over of TCP-flows
KR102066978B1 (en) Method and apparatus for data plane for monitoring differentiated service code point (DSCP) and explicit congestion notification (ECN)
US20170149659A1 (en) Mechanism to improve control channel efficiency by distributing packet-ins in an openflow network
WO2018042230A1 (en) Configurable selective packet-in mechanism for openflow switches
WO2018167539A1 (en) Ipsec bypass in sdn network
US20220311703A1 (en) Controller watch port for robust software defined networking (sdn) system operation
US11876881B2 (en) Mechanism to enable third party services and applications discovery in distributed edge computing environment
US11757853B2 (en) Method for restricting access to a management interface using standard management protocols and software
WO2018015792A1 (en) User data isolation in software defined networking (sdn) controller
WO2018051172A1 (en) Service function classifier bypass in software defined networking (sdn) networks
US11218406B2 (en) Optimized datapath troubleshooting
WO2017187222A1 (en) Robust method of distributing packet-ins in a software defined networking (sdn) network
WO2023012502A1 (en) Securing multi-path tcp (mptcp) with wireguard protocol

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17714295

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17714295

Country of ref document: EP

Kind code of ref document: A1