US 11,838,318 B2
Data plane with connection validation circuits
Shruthi Krishnan, Santa Clara, CA (US); Junggun Lee, Los Altos, CA (US); and Changhoon Kim, Palo Alto, CA (US)
Assigned to Barefoot Networks, Inc., Santa Clara, CA (US)
Filed by Barefoot Networks, Inc., Santa Clara, CA (US)
Filed on Aug. 31, 2021, as Appl. No. 17/463,346.
Application 17/463,346 is a continuation of application No. 15/986,048, filed on May 22, 2018, granted, now 11,108,812, issued on Aug. 31, 2021.
Claims priority of provisional application 62/658,296, filed on Apr. 16, 2018.
Prior Publication US 2022/0094711 A1, Mar. 24, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/00 (2013.01); H04L 9/40 (2022.01); H04L 1/1607 (2023.01); H04L 45/64 (2022.01); H04L 12/54 (2022.01)
CPC H04L 63/1458 (2013.01) [H04L 1/1657 (2013.01); H04L 45/64 (2013.01); H04L 63/1425 (2013.01); H04L 12/56 (2013.01)]
20 Claims
1. A data-plane circuit for use in a network forwarding element, the data-plane circuit being for forwarding data messages within a network, the data-plane circuit comprising:
a plurality of ports to receive and transmit data messages; and
a plurality of programmable message processing stages, comprising hardware, to process data tuples associated with the received data messages,
a first set of message processing stages programmed to implement a connection-validation circuit to validate source internet protocol (IP) addresses of a set of received data messages, while a second set of programmable message processing stages is programmed to perform data message forwarding operations in order to forward the data messages within the network;
wherein:
the first set of programmable message processing stages are to implement connection validation operations of the connection-validation circuit based, at least in part, upon a source-IP-based whitelist;
the whitelist is for use in determining message generation and message forwarding; and
after receiving a synchronization (SYN) data message for a destination compute node from a source compute node, the connection validation operations comprise consulting the source-IP-based whitelist to determine whether the whitelist indicates that a SYN data message should be forwarded to the destination compute node or whether the whitelist indicates that a SYN-acknowledgment (ACK) data message should be generated by the connection-validation circuit.