NETWORK FORWARDING ELEMENT WITH KEY-VALUE PROCESSING IN THE DATA PLANE

    Publication No.: US20240267343A1

    Publication date: 2024-08-08

    Application No.: US18435517

    Filing date: 2024-02-07

    Abstract: Some embodiments of the invention provide a forwarding element (e.g., a switch, a router, etc.) that has one or more data plane, message-processing pipelines with key-value processing circuits. The forwarding element's data plane key-value circuits allow the forwarding element to perform key-value services that would otherwise have to be performed by data compute nodes connected by the network fabric that includes the forwarding element. In some embodiments, the key-value (KV) services of the forwarding element and other similar forwarding elements supplement the key-value services of a distributed set of key-value servers by caching a subset of the most commonly used key-value pairs in the forwarding elements that connect the set of key-value servers with their client applications. In some embodiments, the key-value circuits of the forwarding element perform the key-value service operations at message-processing line rates at which the forwarding element forwards messages to the data compute nodes and/or to other network forwarding elements in the network fabric.

    Data plane with connection validation circuits

    Publication No.: US11838318B2

    Publication date: 2023-12-05

    Application No.: US17463346

    Filing date: 2021-08-31

    Abstract: Some embodiments of the invention provide a data-plane forwarding circuit (data plane) that can be configured to provide protection from a SYN-flood denial of service attack by validating a source of a SYN data message before allowing future messages to be forwarded to a protected server. To perform its forwarding operations, the data plane includes several data message processing stages that are configured to process the data tuples associated with the data messages received by the data plane. In some embodiments, parts of the data plane message-processing stages are also configured to operate as a connection-validation circuit that includes (1) a SYN-processing circuit to process SYN data messages received by the data plane, and (2) an ACK-processing circuit to process ACK data messages received by the data plane.

    Proxy hash table
    Granted patent

    Publication No.: US11080252B1

    Publication date: 2021-08-03

    Application No.: US16271669

    Filing date: 2019-02-08

    Abstract: Some embodiments of the invention provide novel methods for storing data in a hash-addressed memory and retrieving stored data from the hash-addressed memory. In some embodiments, the method receives a search key and a data tuple. The method then uses a first hash function to generate a first hash value from the search key, and then uses this first hash value to identify an address in the hash-addressed memory. The method also uses a second hash function to generate a second hash value, and then stores this second hash value along with the data tuple in the memory at the address specified by the first hash value. To retrieve data from the hash-addressed memory, the method of some embodiments receives a search key. The method then uses the first hash function to generate a first hash value from the search key, and then uses this first hash value to identify an address in the hash-addressed memory. At the identified address, the hash-addressed memory stores a second hash value and a data tuple. The method retrieves a second hash value from the memory at the identified address, and compares this second hash value with a third hash value that the method generates from the search key by using the second hash function. When the second and third hash values match, the method retrieves the data tuple that the memory stores at the identified address.

    Verification of Access Control List Rules
    Patent application

    Publication No.: US20190182154A1

    Publication date: 2019-06-13

    Application No.: US15948990

    Filing date: 2018-04-09

    Abstract: Some embodiments provide a method for a forwarding element (FE) operating in a network of FEs. The method receives a data message with an access control list (ACL) rule and a first digest for the ACL rule appended to the data message. The ACL rule specifies that the packet is allowed to be sent through the network. The method verifies the ACL rule by computing a second digest from the ACL rule using a secret key and comparing the first digest to the second digest. The method determines whether the packet matches the ACL rule by comparing values in headers of the data message to values specified in the ACL rule. The method only forwards the data message if the ACL rule is verified and the packet matches the ACL rule.

    Proxy hash table
    Granted patent (in force)

    Publication No.: US09529531B2

    Publication date: 2016-12-27

    Application No.: US14507811

    Filing date: 2014-10-06

    Abstract: Some embodiments of the invention provide novel methods for storing data in a hash-addressed memory and retrieving stored data from the hash-addressed memory. In some embodiments, the method receives a search key and a data tuple. The method then uses a first hash function to generate a first hash value from the search key, and then uses this first hash value to identify an address in the hash-addressed memory. The method also uses a second hash function to generate a second hash value, and then stores this second hash value along with the data tuple in the memory at the address specified by the first hash value. To retrieve data from the hash-addressed memory, the method of some embodiments receives a search key. The method then uses the first hash function to generate a first hash value from the search key, and then uses this first hash value to identify an address in the hash-addressed memory. At the identified address, the hash-addressed memory stores a second hash value and a data tuple. The method retrieves a second hash value from the memory at the identified address, and compares this second hash value with a third hash value that the method generates from the search key by using the second hash function. When the second and third hash values match, the method retrieves the data tuple that the memory stores at the identified address.

    FAST ADJUSTING LOAD BALANCER
    Patent application (under examination, published)

    Publication No.: US20160099872A1

    Publication date: 2016-04-07

    Application No.: US14507814

    Filing date: 2014-10-06

    Abstract: Some embodiments of the invention provide a load balancer for distributing packet flows that are addressed to a group of data compute nodes (DCNs) amongst the DCNs of the group. In some embodiments, the load balancer includes a connection data storage comprising several different destination network address translation (DNAT) tables. Each particular DNAT table is defined at a particular instance in time and stores the identity of a plurality of DCNs that are part of the group at the particular instance in time. Each time a DCN is added to the group, the load balancer of some embodiments creates a new DNAT table in the connection data storage for processing new packet flows, while using previously created DNAT tables to process packets that are part of previously processed packet flows.