US-12627558-B2 - Heterogeneous network services using platform-agnostic extensions

Abstract

Disclosed are systems, apparatuses, methods, and computer-readable media for heterogeneous network services using platform-agnostic extensions. A method includes: instantiating a first service having a first data plane control point; instantiating a second service configured to access the first control point in a data plane; receiving a first packet at the first service in a network path; providing at least one of the first packet and first metadata associated with the first packet to the second service to analyze or process the first packet and the first metadata in conjunction with the first service; processing at least one of the first packet or the first metadata in the second service based on external bytecode and generating second metadata based on the processing; receiving the second metadata at the first service; and processing the first packet or a second packet.

Inventors

  • Jayaraman Iyer
  • Zhong Wang
  • Bhaswati Deka Talukdar
  • Pradheep Shrinivasan
  • Samir Dilipkumar Saklikar

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date: 2026-05-12
Application Date: 2023-12-08

Claims (20)

  1. A method comprising: instantiating a first service having a first data plane control point; instantiating a second service configured to access the first data plane control point in a data plane, the second service being provided based on instructions by an external bytecode; receiving a first packet at the first service in a network path; providing at least one of the first packet and first metadata associated with the first packet to the second service to analyze or process the first packet and the first metadata in conjunction with the first service; processing at least one of the first packet or the first metadata in the second service based on the external bytecode and generating second metadata based on the processing; receiving the second metadata at the first service; and processing the first packet or a second packet in the first service according to the second metadata, wherein the second service comprises a runtime engine that executes the external bytecode in a virtual machine and exposes a plurality of host interfaces including a first interface for controlling network requests associated with the first service, a second interface controlling network protocols associated with the data plane, and a third interface controlling network routing functions.
  2. The method of claim 1, further comprising: at least partially processing the first packet in the first service, wherein the first metadata is extracted from the first packet or generated during the processing of the first packet; when a trigger is identified based on the first data plane control point, providing the first packet and the first metadata to the second service; and receiving the second packet from the second service.
  3. The method of claim 1, wherein the processing of the first packet comprises at least one of: dropping the first packet to prevent further transmission of the first packet; inspecting and filtering data within the first packet to generate the second packet; modifying headers within the first packet to generate the second packet; performing a control plane function based on headers or data within the first packet; controlling a session with a counterpart device through a network; controlling at least one network protocol in the data plane; and controlling network routing functions.
  4. The method of claim 1, further comprising: instantiating a third service having at least one data plane control point; instantiating a fourth service configured to access a second data plane control point, the fourth service being provided based on instructions by a second external bytecode; receiving the first packet or the second packet from the first service after being processed according to the second metadata; and processing the first packet or the second packet in the third service according to third metadata generated by the fourth service.
  5. The method of claim 1, wherein a runtime engine is configured to verify a cryptographic signature of the external bytecode prior to execution, maintain a revocation list of disallowed modules, and deny execution of unsigned or revoked modules.
  6. The method of claim 5, wherein the external bytecode comprises WebAssembly instructions conforming to a Proxy-Wasm compatible interface.
  7. The method of claim 5, wherein the first interface, the second interface, and the third interface of the runtime engine are invocable exclusively via a defined application binary interface (ABI) that restricts the module to pre-authorized host calls.
  8. A computing system comprising: a storage configured to store instructions; and a processor configured to execute the instructions and cause the processor to: instantiate a first service having a first data plane control point; instantiate a second service configured to access the first data plane control point in a data plane, the second service being provided based on instructions by an external bytecode; receive a first packet at the first service in a network path; provide at least one of the first packet and first metadata associated with the first packet to the second service to analyze or process the first packet and the first metadata in conjunction with the first service; process at least one of the first packet or the first metadata in the second service based on the external bytecode and generate at least second metadata based on the processing; receive the second metadata at the first service; and process the first packet or a second packet in the first service according to the second metadata, wherein the second service comprises a runtime engine that executes the external bytecode in a virtual machine and exposes a plurality of host interfaces including a first interface for controlling network requests associated with the first service, a second interface controlling network protocols associated with the data plane, and a third interface controlling network routing functions.
  9. The computing system of claim 8, wherein the processor is configured to execute the instructions and cause the processor to: at least partially process the first packet in the first service, wherein the first metadata is extracted from the first packet or generated during the processing of the first packet; when a trigger is identified based on the first data plane control point, provide the first packet and the first metadata to the second service; and receive the second packet from the second service.
  10. The computing system of claim 8, wherein, when the processor processes the first packet or the second packet, the processor is configured to execute the instructions and cause the processor to: drop the first packet to prevent further transmission of the first packet; inspect and filter data within the first packet to generate the second packet; modify headers within the first packet to generate the second packet; perform a control plane function based on headers or data within the first packet; control a session with a counterpart device through a network; control at least one network protocol in the data plane; or control network routing functions.
  11. The computing system of claim 8, wherein the processor is configured to execute the instructions and cause the processor to: instantiate a third service having at least one data plane control point; instantiate a fourth service configured to access a second data plane control point, the fourth service being provided based on instructions by a second external bytecode; receive the first packet or the second packet from the first service after being processed according to the second metadata; and process the first packet or the second packet in the third service according to third metadata generated by the fourth service.
  12. The computing system of claim 8, wherein a runtime engine is configured to verify a cryptographic signature of the external bytecode prior to execution, maintain a revocation list of disallowed modules, and deny execution of unsigned or revoked modules.
  13. The computing system of claim 12, wherein the external bytecode comprises WebAssembly instructions conforming to a Proxy-Wasm compatible interface.
  14. The computing system of claim 12, wherein the first interface, the second interface, and the third interface are invocable exclusively via a defined application binary interface (ABI) that restricts the module to pre-authorized host calls.
  15. An integrated circuit comprising a programmable circuit and instructions that, when executed by the programmable circuit, cause the integrated circuit to: instantiate a first service having a first data plane control point; instantiate a second service configured to access the first data plane control point in a data plane, the second service being provided based on instructions by an external bytecode; receive a first packet at the first service in a network path; provide at least one of the first packet and first metadata associated with the first packet to the second service to analyze or process the first packet and the first metadata in conjunction with the first service; process at least one of the first packet or the first metadata in the second service based on the external bytecode and generate at least second metadata based on the processing; receive the second metadata at the first service; and process the first packet or a second packet in the first service according to the second metadata, wherein the second service comprises a runtime engine that executes the external bytecode in a virtual machine and exposes a plurality of host interfaces including a first interface for controlling network requests associated with the first service, a second interface controlling network protocols associated with the data plane, and a third interface controlling network routing functions.
  16. The integrated circuit of claim 15, wherein the integrated circuit further comprises instructions that, when executed by the programmable circuit, cause the integrated circuit to: at least partially process the first packet in the first service, wherein the first metadata is extracted from the first packet or generated during the processing of the first packet; when a trigger is identified based on the first data plane control point, provide the first packet and the first metadata to the second service; and receive the second packet from the second service.
  17. The integrated circuit of claim 15, wherein the integrated circuit further comprises instructions that, when executed by the programmable circuit to process the first packet, cause the integrated circuit to: drop the first packet to prevent further transmission of the first packet; inspect and filter data within the first packet to generate the second packet; modify headers within the first packet to generate the second packet; perform a control plane function based on headers or data within the first packet; control a session with a counterpart device through a network; control at least one network protocol in the data plane; or control network routing functions.
  18. The integrated circuit of claim 15, wherein the integrated circuit further comprises instructions that, when executed by the programmable circuit in the integrated circuit, cause the integrated circuit to: instantiate a third service having at least one data plane control point; instantiate a fourth service configured to access a second data plane control point, the fourth service being provided based on instructions by the external bytecode; receive the first packet or the second packet from the first service after being processed according to the second metadata; and process the first packet or the second packet in the third service according to third metadata generated by the fourth service.
  19. The integrated circuit of claim 15, wherein a runtime engine executing in the programmable circuit is configured to verify a cryptographic signature of the external bytecode prior to execution, maintain a revocation list of disallowed modules, and deny execution of unsigned or revoked modules.
  20. The integrated circuit of claim 19, wherein the external bytecode comprises WebAssembly instructions conforming to a Proxy-Wasm compatible interface.

Description

TECHNICAL FIELD

The disclosure relates generally to communication networks and, more specifically but not exclusively, to systems and techniques for heterogeneous network services using platform-agnostic extensions.

DESCRIPTION OF THE RELATED TECHNOLOGY

Maintaining different network devices in a heterogeneous environment presents several significant challenges for network administrators and IT teams. One of the central difficulties is managing the diversity of device types and manufacturers. Such an environment may mix routers, switches, firewalls, load balancers, and other network appliances, each with its own operating system, configuration methods, and management tools. This results in a steep learning curve for network administrators, who must become proficient in managing a variety of devices, often requiring separate training and expertise for each type. The complexity increases the time required to troubleshoot and maintain the network and raises the likelihood of configuration errors, security vulnerabilities, and inconsistent performance across the network.

The complexity also increases security risk. Different devices may have varying degrees of compatibility with network management and security protocols, making it difficult to establish standardized policies and configurations. As a result, administrators may struggle to maintain a uniform security posture and operational efficiency across the entire network. Bridging the gap between devices becomes an ongoing task, complicating consistent access control, traffic routing, and network performance. This can further expose the network to security risks and increase the potential for operational bottlenecks and outages, as administrators must navigate the intricacies of integrating disparate devices to work together seamlessly.
BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and other advantages and features of the disclosure may be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only exemplary embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings, in which:

FIG. 1 is a conceptual network diagram that illustrates various services and operations for controlling and monitoring network operations in accordance with some aspects of the disclosure;
FIG. 2 is an illustration of a network path associated with different requests and the services associated with those requests in accordance with some aspects of the disclosure;
FIG. 3 is a conceptual diagram illustrating a network including one or more services configured to execute a bytecode-based extension for implementing heterogeneous network services using platform-agnostic extensions in accordance with some aspects of the disclosure;
FIG. 4 illustrates a block diagram of a runtime engine 400 that is configured to interface with one or more external services in accordance with some aspects of the disclosure;
FIG. 5 is a conceptual example of implementing a network including one or more services configured to execute a bytecode-based extension at different layers in accordance with some aspects of the disclosure;
FIG. 6 is a flowchart of a process for configuring bytecode-based extensions in accordance with some aspects of the disclosure;
FIG. 7 is a conceptual example of a network function having multiple control points for implementing bytecode-based extensions in accordance with some aspects of the disclosure;
FIG. 8 illustrates an example method for implementing heterogeneous network services using platform-agnostic extensions in accordance with some aspects of the disclosure;
FIG. 9 illustrates a block diagram of an SoC used in a network device to perform various functions in hardware in accordance with various aspects of the disclosure; and
FIG. 10 shows an example of a computing system, which may be, for example, any computing device that may implement components of the system.

DETAILED DESCRIPTION

Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without departing from the spirit and scope of the disclosure. Thus, the following description and drawings are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding of the disclosure. However, in certain instances, well-known or conventional details are n