公开(公告)号：US20200186429A1

公开(公告)日：2020-06-11

申请号：US16721274

申请日：2019-12-19

Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP

Inventor： Ying Zhang ,  Jeongkeun Lee ,  Puneet Sharma ,  Joon-Myung Kang

IPC: H04L12/24 ,  H04L12/813 ,  H04L12/851

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant. The verification module generates an alarm if determined that the flow rule violates any of the network invariants.

公开(公告)号：US20180077037A1

公开(公告)日：2018-03-15

申请号：US15261701

申请日：2016-09-09

Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP

Inventor： Ying Zhang ,  Sujata Banerjee ,  Joon-Myung Kang

IPC: H04L12/26 ,  H04L29/06 ,  H04L29/12 ,  H04L12/803 ,  H04L29/08 ,  H04L12/66 ,  G06F17/30

CPC classification number: H04L43/0817 ,  G06F16/951 ,  H04L12/66 ,  H04L41/024 ,  H04L41/0866 ,  H04L43/18 ,  H04L61/2514

Abstract: In some examples, a system can verify a network function by inquiring a model using a query language is described. In some examples, the system can include at least a memory and a processor coupled to the memory. The processor can execute instructions stored in the memory to transmit a plurality of packets into at least one network function that is unverifiable; describe the at least one network function using a model comprising a set of match action rules and a state machine; inquire the model using a query language comprising a temporal logic to obtain a query result indicating an expected behavior of the plurality of packets; and verify the at least one network function based on the query result and the expected behavior of the plurality of packets.

公开(公告)号：US20170318097A1

公开(公告)日：2017-11-02

申请号：US15142141

申请日：2016-04-29

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Julie Ward Drew ,  Freddy Chua ,  Ying Zhang ,  Puneet Sharma ,  Bernardo Huberman

IPC: H04L29/08 ,  H04L12/24 ,  H04L12/911

CPC classification number: H04L67/16 ,  H04L41/0806 ,  H04L41/145 ,  H04L45/64 ,  H04L47/783 ,  H04L67/10 ,  H04L67/2833

Abstract: Example implementations relate to virtualized network function (VNF) placements. For example, VNF placements may include generating an initial mapping of a plurality of VNFs among a plurality of nodes of a network infrastructure, wherein the initial VNF mapping distributes each of a plurality of service chains associated with the plurality of VNFs to different top-of-rack switches. VNF placement may include generating an alternate VNF mapping of the plurality of VNFs among a portion of the plurality of nodes, wherein the alternate VNF mapping corresponds to a metric associated with node resource utilization and a particular amount of servers utilized by distributing the plurality of service chains according to the alternate VNF mapping. VNF placement may include placing the plurality of VNFs according to a selected placement from the initial VNF mapping and the alternate VNF mapping.

公开(公告)号：US11095518B2

公开(公告)日：2021-08-17

申请号：US16721274

申请日：2019-12-19

Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP

Inventor： Ying Zhang ,  Jeongkeun Lee ,  Puneet Sharma ,  Joon-Myung Kang

IPC: H04L12/26 ,  H04L12/46 ,  H04L12/801 ,  H04L12/24 ,  H04L12/813 ,  H04L12/851 ,  H04L12/715 ,  H04L12/721

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant. The verification module generates an alarm if determined that the flow rule violates any of the network invariants.

公开(公告)号：US20200084152A1

公开(公告)日：2020-03-12

申请号：US16685877

申请日：2019-11-15

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Ying Zhang ,  Wenfei Wu ,  Sujata Banerjee

IPC: H04L12/851 ,  H04L12/26 ,  H04L12/24

Abstract: In some implementations, a method includes conducting, by a network device, a query associated with a network function chain comprising a plurality of switches and middleboxes to verify whether a service performed by the network function chain complies with a Service Level Agreement (SLA); computing, by the network device, based on a result of the query, a difference in metric value between an actual performance metric of a packet passing through a path in the network function chain and an expected performance metric of the packet passing through the path; deriving, by the network device, a probability of SLA violation associated with the path based on the difference in metric value; and selectively monitoring, by the network device, a network of network function chains by monitoring the path for passive performance measurements based on the probability of SLA violation.

公开(公告)号：US20180123930A1

公开(公告)日：2018-05-03

申请号：US15336517

申请日：2016-10-27

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Ying Zhang ,  Wenfei Wu ,  Sujata Banerjee

IPC: H04L12/26 ,  H04L12/851

CPC classification number: H04L47/2425 ,  H04L41/5009 ,  H04L41/5038 ,  H04L43/08 ,  H04L43/10 ,  H04L45/123

Abstract: In some implementations, a method includes conducting, by a network device, a query associated with a network function chain comprising a plurality of switches and middleboxes to verify whether a service performed by the network function chain complies with a Service Level Agreement (SLA); computing, by the network device, based on a result of the query, a difference in metric value between an actual performance metric of a packet passing through a path in the network function chain and an expected performance metric of the packet passing through the path; deriving, by the network device, a probability of SLA violation associated with the path based on the difference in metric value; and selectively monitoring, by the network device, a network of network function chains by monitoring the path for passive performance measurements based on the probability of SLA violation.

公开(公告)号：US10958547B2

公开(公告)日：2021-03-23

申请号：US15261701

申请日：2016-09-09

Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP

Inventor： Ying Zhang ,  Sujata Banerjee ,  Joon-Myung Kang

IPC: G06F16/00 ,  H04L12/26 ,  H04L12/66 ,  G06F16/951 ,  H04L29/12 ,  H04L12/24

Abstract: In some examples, a system can verify a network function by inquiring a model using a query language is described. In some examples, the system can include at least a memory and a processor coupled to the memory. The processor can execute instructions stored in the memory to transmit a plurality of packets into at least one network function that is unverifiable; describe the at least one network function using a model comprising a set of match action rules and a state machine; inquire the model using a query language comprising a temporal logic to obtain a query result indicating an expected behavior of the plurality of packets; and verify the at least one network function based on the query result and the expected behavior of the plurality of packets.

公开(公告)号：US10812342B2

公开(公告)日：2020-10-20

申请号：US15581826

申请日：2017-04-28

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Joon Myung Kang ,  Anubhavnidhi Abhashkumar ,  Sujata Banerjee ,  Ying Zhang ,  Wenfei Wu

IPC: H04L12/24 ,  H04L12/26 ,  G06F8/65 ,  H04L29/06 ,  G06F8/10

Abstract: Example method includes: receiving, by a network device in a network, a first network policy and a second network policy configured by a network administrator, wherein the first network policy comprises a first metric and the second network policy comprises a second and different metric; detecting, by the network device, a conflict between the first network policy and the second network policy; determining, by the network device, a relationship between the first metric and the second metric; modifying, by the network device, at least one of the first network policy and the second network policy to resolve the conflict based on the relationship between the first metric and the second metric; and combining, by the network device, the first network policy and the second network policy to generate a composite network policy that is represented on a single policy graph.

公开(公告)号：US10567384B2

公开(公告)日：2020-02-18

申请号：US15686552

申请日：2017-08-25

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Joon-Myung Kang ,  Mario Antonio Sanchez ,  Ying Zhang ,  Anu Mercian ,  Raphael Amorim Dantas Leite ,  Sujata Banerjee

IPC: H04L29/06 ,  G06F21/57 ,  G06F21/60 ,  H04L12/26

Abstract: Example method includes: receiving, by a network device, a plurality of input policy graphs and a composed policy graph associated with the input policy graphs; dividing the composed policy graph into a plurality of sub-graphs, each sub-graph comprising a plurality of edges and a plurality of source nodes and destination nodes that the edges are connected to; selecting a first subset of sub-graphs that include, as a source node, a disjoint part of an original source EPG for each input policy graph; identifying a second subset within the first subset of sub-graphs that include, as a destination node, a disjoint part of an original destination EPG for the each input policy graph; and verifying whether connectivity in the composed policy graph reflects a corresponding policy in the plurality of input policy graphs for each sub-graph in the second subset.

公开(公告)号：US10541873B2

公开(公告)日：2020-01-21

申请号：US15775378

申请日：2015-11-20

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Ying Zhang ,  Jeongkeun Lee ,  Puneet Sharma ,  Joon-Myung Kang

IPC: H04L12/24 ,  H04L12/813 ,  H04L12/851 ,  H04L12/715 ,  H04L12/721

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant. The verification module generates an alarm if determined that the flow rule violates any of the network invariants.