A computer network domain consists of multiple networks, with each network consisting of multiple personal computers, servers, mobile devices and laptops. Network infrastructure devices such as switches and routers in the network are used to connect different kinds of computers within each network and also to connect networks together. In addition to connectivity related network infrastructure devices, there are other types of network infrastructure devices. Some of these network devices include ‘Network security devices’ that are used to protect the network resources from computer attacks, malware and viruses, ‘Load balancing devices’ that are used to distribute the traffic across multiple computer servers, and network edge devices which do network address translation while connecting to the Internet. These devices process the TCP/IP traffic based on their functionality. To improve the speed of the packet processing, the processing is divided into two planes—Control plane and Data plane. Control plane processes the new TCP/IP connection by processing the first packet. Further packets of the connection are processed by Data plane. Traditionally, control plane, as part of the first packet processing, creates the connection and synchronizes the flow with the Data plane so that Data plane processes further packets of that flow without sending them to control plane. Since control plane requires access to user defined policy rules, traditionally it is implemented in general purpose processors. Since data plane is required to process a large number of packets, data planes are normally implemented in FPGA, ASIC, a dedicated processor or sometimes in the same processor as control plane as a high priority process.
Network infrastructure devices, based on their function, create the flows by referring to user defined rules. The Control plane, once it determines the flow can be offloaded to data plane, sends the flow information to the data plane by sending a command to the data plane. Data plane maintains the flows in its table and processes further incoming packets by matching them to the right flow, making updates to the packet as per the flow information and sending the packet out without sending the packets to control plane. Packets which do not match any existing flow would normally be sent to the control plane. When the flow is no longer required, control plane deletes the flow from its local memory and sends a ‘Delete’ command to the data plane to remove the flow from data plane. Control plane has multiple mechanisms to determine that the flow is no longer required, one popular mechanism being inactivity on the flow. If there are no packets seen on a flow for a certain period of time, the flow is considered inactive and the flow is removed from both control plane and data plane. Since the control plane does not see the packets of the flow once the flow is created in data plane, the control plane might mistakenly delete the flow by falsely determining that there is inactivity on the flow. To ensure that the flow is not deleted prematurely, control plane applications periodically query the data plane for each flow to find out whether there is any activity on the flows. For simple applications implemented in the Control Plane/Data Plane model, three commands are traditionally used—Create flow, Delete flow and Query flow. As an example, Network security devices such as a firewall create the flow upon the first packet when the access rules permit the traffic. Control plane, upon creating the flow, sends a command to data plane to create the flow. From then onwards, data plane processes any further packets of that flow that come into the system without sending them to control plane.
Data plane maintains the timestamp of the last packet in its flow. Control plane queries the data plane (by sending a query command) to get the last packet's timestamp and uses this information to decide whether to keep the flow or delete the flow. If inactivity is determined, the control plane sends the ‘delete’ command to delete the flow in Data plane in addition to deleting the flow from its own table.
Packet processing by Data plane uses not only application specific information from the flow, but also information to route the packet out. After modifying the packet as per the flow information, it uses the egress port information and the L2 header to be put in the packet so that the packet gets routed to the right network element in the egress network. Hence, Control plane not only creates the flow for a specific application such as firewall, Load balancing or Network Address Translation, but also pushes information related to the L2 header. Since the L2 header information might change during the life of a flow, and also since the L2 header information may be the same for multiple flows, L2 header information is traditionally pushed to the data plane using separate commands such as Create L2 Header, Modify L2 Header, and Delete L2 Header. As known by those skilled in the art, the Data Link Layer is Layer 2 (L2) of the seven-layer OSI model of computer networking. It corresponds to, or is part of, the link layer of the TCP/IP reference model.
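The following is an added illustration, not code from the patent text, of the Create/Delete/Query flow commands and inactivity check described above, together with the separate Create/Modify/Delete L2 Header commands: a simulated data plane keeps a flow table and a shared L2 header table, stamps the last packet time on the fast path, and the control plane queries that timestamp before deleting a flow it otherwise never sees packets for. Flow keys, the timeout and the "permit" policy are constructed for the demonstration.

```python
# Added example, not from the patent text: a simulated data plane with a flow
# table and a separate L2 header table, driven by the traditional Create/
# Delete/Query flow commands and Create/Modify/Delete L2 header commands, and a
# control-plane ager that queries the data plane before deleting an idle flow.
# Flow keys, timeouts and the "permit" policy are constructed for the demo.

class DataPlane:
    def __init__(self):
        self.flows = {}   # flow key (e.g. 5-tuple) -> {action, l2_id, last_seen}
        self.l2 = {}      # l2_id -> (egress_port, next-hop MAC); shared by flows

    # L2 header commands, kept separate because one header serves many flows
    def create_l2(self, l2_id, port, mac): self.l2[l2_id] = (port, mac)
    def modify_l2(self, l2_id, port, mac): self.l2[l2_id] = (port, mac)
    def delete_l2(self, l2_id): self.l2.pop(l2_id, None)

    # flow commands
    def create_flow(self, key, action, l2_id, now):
        self.flows[key] = {"action": action, "l2_id": l2_id, "last_seen": now}
    def delete_flow(self, key): self.flows.pop(key, None)
    def query_flow(self, key):   # last packet timestamp, or None if unknown
        f = self.flows.get(key)
        return None if f is None else f["last_seen"]

    def process(self, key, now):  # fast path for every packet after the first
        f = self.flows.get(key)
        hdr = self.l2.get(f["l2_id"]) if f else None
        if hdr is None:                   # flow miss, or L2 header not yet synced
            return "to_control_plane"     # packet goes up to the control plane
        f["last_seen"] = now              # data plane stamps the last packet
        return (f["action"],) + hdr

class ControlPlane:
    def __init__(self, dp, timeout):
        self.dp, self.timeout, self.flows = dp, timeout, {}

    def first_packet(self, key, now, l2_id):
        # constructed policy: the access rule permits, so offload the flow
        self.flows[key] = now
        self.dp.create_flow(key, "permit", l2_id, now)

    def age_flows(self, now):
        # Control plane never sees offloaded packets: query data plane first
        for key in list(self.flows):
            seen = self.dp.query_flow(key)
            if seen is not None:
                self.flows[key] = max(self.flows[key], seen)
            if now - self.flows[key] > self.timeout:
                del self.flows[key]
                self.dp.delete_flow(key)
```

A flow whose L2 header entry is missing falls back to the slow path, which is the out-of-sync condition the later paragraph on atomic state creation is concerned with.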
Network devices connect to networks using multiple L2 protocols—Ethernet, PPPoE, PPTP, L2TP, Frame Relay, MPLS and many more. Each L2 protocol is itself a complex protocol. Enabling synchronization of L2 header information to the Data plane requires modification of multiple L2 protocol stacks in the control plane. This can become very complex for multiple reasons, a primary reason being the complexity of modifying every L2 protocol stack.
As part of first packet processing, different modules of the Control plane push the state information (flow, L2 header information) to the Data plane. Traditionally, the Control plane ensures that the multiple states required for packet processing are created atomically in the data plane so that data plane processing can occur smoothly. However, using traditional techniques to synchronize the multiple states is complex and challenging, which may lead to errors in the data.