

Title:
SYSTEMS AND METHODS FOR PASSING PSEUDO-TUNNEL INFORMATION DURING SESSION INITIALIZATION
Document Type and Number:
WIPO Patent Application WO/2018/113909
Kind Code:
A1
Abstract:
There is provided a network controller configured to: provide to a first network interface associated with a first network node and to a second network interface associated with a second network node, provide a first mapping of a network address of the first network node to a network address of the first network interface, and a second mapping of a network address of the second network node to a network address of the second network interface; and instruct the first network interface and the second network interface to set up a tunnel over a network between the first network node and the second network node, by modifying the source network addresses and the destination network addresses stored in the header of each packet transmitted between the first network node and the second network node according to the first mapping and second mapping.

Inventors:
OFEK ITAMAR (DE)
ZERBIB LIONEL (DE)
ANSON OMER (DE)
Application Number:
PCT/EP2016/081824
Publication Date:
June 28, 2018
Filing Date:
December 20, 2016
Assignee:
HUAWEI TECH CO LTD (CN)
OFEK ITAMAR (DE)
International Classes:
H04L29/12; H04L12/46
Other References:
LUCA VALTULINA ET AL: "MASTER THESIS SEAMLESS DISTRIBUTED MOBILITY MANAGEMENT (DMM) SOLUTION IN CLOUD BASED LTE SYSTEMS", 1 November 2013 (2013-11-01), XP055122804, Retrieved from the Internet [retrieved on 20140611]
ROBERTO BIFULCO ET AL: "Transparent migration of virtual infrastructures in large datacenters for Cloud computing", COMPUTERS AND COMMUNICATIONS (ISCC), 2011 IEEE SYMPOSIUM ON, IEEE, 28 June 2011 (2011-06-28), pages 179 - 184, XP032018551, ISBN: 978-1-4577-0680-6, DOI: 10.1109/ISCC.2011.5984013
LI C BAO TSINGHUA UNIVERSITY W DEC X ET AL: "Mapping of Address and Port using Translation (MAP-T); rfc7599.txt", MAPPING OF ADDRESS AND PORT USING TRANSLATION (MAP-T); RFC7599.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 31 July 2015 (2015-07-31), pages 1 - 27, XP015107653
GUHA S ET AL: "NAT Behavioral Requirements for TCP; rfc5382.txt", NAT BEHAVIORAL REQUIREMENTS FOR TCP; RFC5382.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 1 October 2008 (2008-10-01), XP015060356
Attorney, Agent or Firm:
KREUZ, Georg (DE)
Claims:
CLAIMS

1. A network controller (210, 212, 236, 234) configured to: provide to a first network interface (210) associated with a first network node (204) and to a second network interface (212) associated with a second network node (206), provide a first mapping (226) of a network address (204A) of the first network node (204) to a network address (210A) of the first network interface (210), and a second mapping (228) of a network address (206A) of the second network node (206) to a network address (212A) of the second network interface (212); and instruct the first network interface (210) and the second network interface (212) to set up a tunnel (202) over a network (208) between the first network node (204) and the second network node (206), by modifying the source network addresses and the destination network addresses stored in the header of each packet transmitted between the first network node (204) and the second network node (206) according to the first mapping (226) and second mapping (228).

2. The network controller (210, 212, 236, 234) according to claim 1, wherein the first mapping (226) and the second mapping (228) are transmitted as metadata.

3. The network controller (210, 212, 236, 234) according to any of the previous claims, wherein the modifying of the source network addresses and the destination network addresses stored in the header of each packet is performed according to a bidirectional network address translation, NAT, wherein the first mapping is used to perform source NAT, and the second mapping is used to perform destination NAT.

4. The network controller (210, 212, 236, 234) according to any of the previous claims, wherein each packet is transmitted between the first network node (204) and the second network node (206) using the tunnel (202) without tunnel encapsulation and de-encapsulation.

5. The network controller (210, 212, 236, 234) according to any of the previous claims, wherein the first mapping and the second mapping are provided by an in-band transmission using: transmission control protocol, TCP, options in the SYN and SYN-ACK packets transmitted between the first network node (204) and the second network node (206), or using initialization internet protocol, IP, packets transmitted between the first network node (204) and the second network node (206).

6. The network controller (210, 212, 236, 234) according to any of the previous claims, wherein the first mapping (226) and the second mapping (228) are provided by an out-of-band transmission of packets relative to the in-band transmission of packets between the first network node (204) and the second network node (206).

7. The network controller (210, 212, 236, 234) according to any of the previous claims, wherein the first mapping (226) and the second mapping (228) are stored in an external database (234) accessible by the first network interface (210) and the second network interface (212) over the network (208).

8. The network controller (210, 212, 236, 234) according to claim 7, wherein the first network interface (210) generates the first mapping (226) and transmits the first mapping (226) for storage by the external database (234), and the second network interface (212) generates the second mapping (228) and transmits the second mapping (228) for storage by the external database (234).

9. The network controller (210, 212, 236, 234) according to any of the previous claims, wherein the first mapping (226) and the second mapping (228) are distributed to each of the first network interface (210) and the second network interface (212).

10. The network controller (210, 212, 236, 234) according to claim 9, wherein the network controller (210, 212, 236, 234) is implemented as an external server (236) that performs the distribution of the first mapping (226) and the second mapping (228) to each of the first network interface (210) and the second network interface (212).

11. The network controller (210, 212, 236, 234) according to any of the previous claims, wherein the first mapping (226) and the second mapping (228) are predefined before session setup based on a predefined network address scheme.

12. The network controller (210, 212, 236, 234) according to claim 11, wherein the predefined network address scheme is of a network segment behind each of the first network interface (210) and the second network interface (212).

13. The network controller (210, 212, 236, 234) according to claim 12, wherein the network segment behind each of the first network interface (210) and the second network interface (212) is not hidden by a NAT.

14. The network controller (210, 212, 236, 234) according to any of the previous claims, wherein the first network interface (210) and the second network interface (212) are implemented as NAT routers.

15. A method for setting up a tunnel over a network between a first network node and a second network node, comprising: providing to a first network interface associated with a first network node and to a second network interface associated with a second network node (104), providing a first mapping of a network address of the first network node to a network address of the first network interface, and a second mapping of a network address of the second network node to a network address of the second network interface (104); and instructing the first network interface and the second network interface to set up a tunnel over a network between the first network node and the second network node, by modifying the source network addresses and the destination network addresses stored in the header of each packet transmitted between the first network node and the second network node according to the first mapping and second mapping (106).

Description:
SYSTEMS AND METHODS FOR PASSING PSEUDO-TUNNEL INFORMATION DURING SESSION INITIALIZATION

BACKGROUND

The present invention, in some embodiments thereof, relates to network communications and, more specifically, but not exclusively, to systems and methods for transmission of packets between network nodes across a network.

Packets transmitted over a tunnel (which is established between two nodes over an existing network infrastructure) are encapsulated at the transmitting end, and de-encapsulated at the receiving end. Each packet being transmitted over the tunnel is encapsulated by adding additional data to the existing packet. The process of encapsulating and de-encapsulating each packet is computationally intensive and resource consuming. Exemplary encapsulating technologies for establishing tunnels between nodes include: Virtual Local Area Network (VLAN), Virtual Extensible LAN (VXLAN), Network Virtualization using Generic Routing Encapsulation (NVGRE), GENEVE Network Encapsulation Protocol, Stateless Transport Tunneling (STT), and Multiprotocol Label Switching (MPLS).

SUMMARY

It is an object of the present invention to provide an apparatus (network controller), a system, a computer program product, and a method for setting up a pseudo-tunnel between nodes.

The foregoing and other objects are achieved by the features of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.

According to a first aspect, a network controller is configured to: provide to a first network interface associated with a first network node and to a second network interface associated with a second network node, provide a first mapping of a network address of the first network node to a network address of the first network interface, and a second mapping of a network address of the second network node to a network address of the second network interface; and instruct the first network interface and the second network interface to set up a tunnel over a network between the first network node and the second network node, by modifying the source network addresses and the destination network addresses stored in the header of each packet transmitted between the first network node and the second network node according to the first mapping and second mapping.

According to a second aspect, a method for setting up a tunnel over a network between a first network node and a second network node, comprising: providing to a first network interface associated with a first network node and to a second network interface associated with a second network node, providing a first mapping of a network address of the first network node to a network address of the first network interface, and a second mapping of a network address of the second network node to a network address of the second network interface; and instructing the first network interface and the second network interface to set up a tunnel over a network between the first network node and the second network node, by modifying the source network addresses and the destination network addresses stored in the header of each packet transmitted between the first network node and the second network node according to the first mapping and second mapping.

Modifying the existing data of the packet while maintaining the existing structure of the packet to transmit the packet over the pseudo-tunnel is more efficient (e.g., in terms of computational and/or network resources) in comparison to encapsulation and de-encapsulation processing of packets transmitted over standard tunnels, which is based on insertion of additional data into the packet.

The structure of the header of the packet remains static throughout the pseudo-tunnel session, enabling efficient modification of the data stored in the header. It is noted that in contrast to standard NAT methods that perform address translation only at a certain network interface independently of other network interfaces, the systems and/or methods (e.g., code instructions stored in a data storage device executable by one or more processors) described herein set up the pseudo-tunnel by defining the mappings at the network interface at each end of the pseudo-tunnel.

In a first possible implementation of the network controller or the method according to the first or second aspects, the first mapping and the second mapping are transmitted as metadata.

In a second possible implementation form of the network controller or the method according to the first or second aspects as such or according to any of the preceding implementation forms of the first or second aspects, the modifying of the source network addresses and the destination network addresses stored in the header of each packet is performed according to a bidirectional network address translation, NAT, wherein the first mapping is used to perform source NAT, and the second mapping is used to perform destination NAT.

NAT is a computationally efficient method for mapping network addresses.

In a third possible implementation form of the network controller or the method according to the first or second aspects as such or according to any of the preceding implementation forms of the first or second aspects, each packet is transmitted between the first network node and the second network node using the tunnel without tunnel encapsulation and de-encapsulation.

The packets transmitted using their existing structure have a reduced size in comparison to encapsulated packets transmitted over standard tunnels. Avoiding the encapsulation and/or de-encapsulation improves computational performance of the network devices transmitting the packets (e.g., improvement in processor utilization due to lower processor requirements to transmit the packets) and/or improves performance of the network transmitting the packets (e.g., lower bandwidth to transmit the packets without the extra encapsulation). Moreover, configuration of the pseudo-tunnel is simplified in comparison to configuration based on existing tunnel protocols that use encapsulation and de-encapsulation. Existing tunnel protocols do not necessarily need to be supported to establish the pseudo-tunnel, improving interoperability.

In a fourth possible implementation form of the network controller or the method according to the first or second aspects as such or according to any of the preceding implementation forms of the first or second aspects, the first mapping and the second mapping are provided by an in-band transmission using: transmission control protocol, TCP, options in the SYN and SYN-ACK packets transmitted between the first network node and the second network node, or using initialization internet protocol, IP, packets transmitted between the first network node and the second network node.

Support of additional out-of-band protocols is not necessarily required.

In a fifth possible implementation form of the network controller or the method according to the first or second aspects as such or according to any of the preceding implementation forms of the first or second aspects, the first mapping and the second mapping are provided by an out-of-band transmission of packets relative to the in-band transmission of packets between the first network node and the second network node.

The out-of-band transmission is relatively simple, decentralized, and ad-hoc and/or dynamically adjustable.

In a sixth possible implementation form of the network controller or the method according to the first or second aspects as such or according to any of the preceding implementation forms of the first or second aspects, the first mapping and the second mapping are stored in an external database accessible by the first network interface and the second network interface over the network.

The external database may support a large number of client terminals, by centrally storing a mapping dataset that includes mappings for multiple client terminals and network interfaces, which may be used to centrally distribute mappings for establishment of pseudo-tunnels between any two client terminals. By centrally distributing the mappings using the external database, the client terminals and/or network interfaces participating in each end of the pseudo-tunnel may remain autonomous. The network interface at one end of the pseudo-tunnel does not necessarily need to provide the mappings to the network interface at the other end of the tunnel. Additional out-of-band protocols do not necessarily need to be supported when the external database provides the mappings.

In a seventh possible implementation form of the network controller or the method according to the sixth implementation forms of the first or second aspects, the first network interface generates the first mapping and transmits the first mapping for storage by the external database, and the second network interface generates the second mapping and transmits the second mapping for storage by the external database.

The network controller avoids locking issues that may result when two or more network interfaces attempt to access a common database storing the mappings, by distributing the mappings to the network interfaces. Latency in obtaining the mappings may be reduced by the network controller distributing the mappings to the network interfaces rather than the network interfaces attempting to obtain the mappings from a database.

In an eighth possible implementation form of the network controller or the method according to the first or second aspects as such or according to any of the preceding implementation forms of the first or second aspects, the first mapping and the second mapping are distributed to each of the first network interface and the second network interface. Locking issues that may result when two or more network interfaces attempt to access a common database storing the mappings are avoided by distributing the mappings to the network interfaces.

In a ninth possible implementation form of the network controller or the method according to the eighth implementation forms of the first or second aspects, the network controller is implemented as an external server that performs, and/or the method further comprises performing the distribution of the first mapping and the second mapping to each of the first network interface and the second network interface.

Latency in obtaining the mappings may be reduced by the network controller distributing the mappings to the network interfaces rather than the network interfaces attempting to obtain the mappings from a database.

In a tenth possible implementation form of the network controller or the method according to the first or second aspects as such or according to any of the preceding implementation forms of the first or second aspects, the first mapping and the second mapping are predefined before session setup based on a predefined network address scheme. The mappings are accessed before the setup of the pseudo-tunnel session. Management overhead is similar to common tunneling practice using encapsulation methods.

In an eleventh possible implementation form of the network controller or the method according to the tenth implementation forms of the first or second aspects, the predefined network address scheme is of a network segment behind each of the first network interface and the second network interface.

The network segment architecture provides more flexibility and/or increased network efficiency, since the network address (e.g., IP) the respective node is assigned does not belong directly to the underlying network used to establish the pseudo-tunnel, and therefore is less wasteful. The mapping of the network address (e.g., IP) of the nodes within the network segment may be passed to the other network interfaces for establishment of the pseudo-tunnel using existing routing protocols and/or methods, for example, static configuration, dynamic routing, route peering, and/or a controller. An underlying network address is not necessarily assigned to each pseudo-tunnel end point.

In a twelfth possible implementation form of the network controller or the method according to the eleventh implementation forms of the first or second aspects, the network segment behind each of the first network interface and the second network interface is not hidden by a NAT.

In a thirteenth possible implementation form of the network controller or the method according to the first or second aspects as such or according to any of the preceding implementation forms of the first or second aspects, the first network interface and the second network interface are implemented as NAT routers.

In a fourteenth possible implementation form of the method according to the second aspect, a computer program stored on a computer readable medium runs the preceding method when executed by one or more processors of one or more computers.

Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the invention pertains. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments of the invention, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.

In the drawings:

FIG. 1 is a flowchart of a method that establishes a pseudo-tunnel between nodes, in accordance with some embodiments of the present invention;

FIG. 2 is a block diagram of components of a system that establishes a pseudo-tunnel between one node and another node over a network, in accordance with some embodiments of the present invention;

FIG. 3 is a schematic depicting dataflow between one node and another node over a pseudo-tunnel, in accordance with some embodiments of the present invention;

FIG. 4 is a dataflow diagram depicting the first mapping and the second mapping being provided by an in-band transmission based on the transmission control protocol (TCP), in accordance with some embodiments of the present invention;

FIG. 5 is a dataflow diagram depicting the first mapping and the second mapping provided by an out-of-band transmission of packets relative to the in-band transmission of packets between one node and another node, in accordance with some embodiments of the present invention;

FIG. 6 is a dataflow diagram depicting the process of distributing the first mapping and the second mapping that are stored in an external database 634, in accordance with some embodiments of the present invention;

FIG. 7 is a dataflow diagram depicting distribution of the first mapping and the second mapping by a network controller, in accordance with some embodiments of the present invention;

FIG. 8 is a dataflow diagram depicting a predefinition of the first mapping and the second mapping, in accordance with some embodiments of the present invention;

FIG. 9 is a dataflow diagram depicting a network architecture where the predefined network address scheme is of a network segment behind the respective network interface, in accordance with some embodiments of the present invention; and

FIG. 10 is a schematic denoting a set-up used to experimentally measure performance of the pseudo-tunnel, in accordance with some embodiments of the present invention.

DETAILED DESCRIPTION

The present invention, in some embodiments thereof, relates to network communications and, more specifically, but not exclusively, to systems and methods for transmission of packets between network nodes across a network.

As used herein, the term pseudo-tunnel means a communication session between two network nodes, in which, contrary to a standard tunnel established by an existing encapsulating technology (e.g., VLAN, VXLAN, NVGRE, GENEVE, STT, MPLS), the packets are transmitted over the communication session without tunnel encapsulation and de-encapsulation performed on the packets to define the pseudo-tunnel. The term tunnel is sometimes used as a short version of pseudo-tunnel, unless the term tunnel is explicitly referred to as a standard tunnel set up using standard encapsulating methods. An aspect of some embodiments of the present invention relates to systems and/or methods (e.g., code instructions stored in a data storage device executable by one or more processors) that establish a pseudo-tunnel between two network nodes for communication across a network using respective network interfaces associated with each network node. Tunnel encapsulation and de-encapsulation (to define the pseudo-tunnel) is not performed on the packets. The packets are transmitted over the pseudo-tunnel according to the structure of the packet entering the pseudo-tunnel. The transmission of the packet over the pseudo-tunnel using the existing structure of the packet avoids the encapsulation and de-encapsulation traditionally performed on packets transmitted over standard tunnels. The packets transmitted using their existing structure have a reduced size in comparison to encapsulated packets transmitted over standard tunnels. Avoiding the encapsulation and/or de-encapsulation improves computational performance of the network devices transmitting the packets (e.g., improvement in processor utilization due to lower processor requirements to transmit the packets) and/or improves performance of the network transmitting the packets (e.g., lower bandwidth to transmit the packets without the extra encapsulation). Moreover, configuration of the pseudo-tunnel is simplified in comparison to configuration based on existing tunnel protocols that use encapsulation and de-encapsulation. Existing tunnel protocols do not necessarily need to be supported to establish the pseudo-tunnel, improving interoperability. Each network interface of each node stores mappings for both ends of the pseudo-tunnel, including its own mapping and the mapping of the network interface at the other end of the pseudo-tunnel. The pseudo-tunnel is established between network nodes, by providing to each network interface associated with each network node, a mapping of a network address of the respective network node to a network address of the associated network interface, and another mapping of a network address of the other network node to a network address of the other network interface associated with the other node. Each network interface is instructed to set up the pseudo-tunnel by modifying the source and destination network addresses stored in the header of each packet being transmitted over the pseudo-tunnel according to the mappings. Modifying the existing data of the packet while maintaining the existing structure of the packet to transmit the packet over the pseudo-tunnel is more efficient (e.g., in terms of computational and/or network resources) in comparison to encapsulation and de-encapsulation processing of packets transmitted over standard tunnels, which is based on insertion of additional data into the packet.

The mappings that define the pseudo-tunnel are provided to the network interfaces during session initialization of the pseudo-tunnel. The mappings may be implemented as metadata. Optionally, the mappings are provided out-of-band relative to the packets transmitted over the pseudo-tunnel (referred to herein as in-band). The mapping that defines the pseudo-tunnel may be passed once per pseudo-tunnel session, to establish the pseudo-tunnel session. The mapping that defines the pseudo-tunnel does not necessarily need to be provided again during the lifetime of the pseudo-tunnel session. The structure of the header of the packet remains static throughout the pseudo-tunnel session, enabling efficient modification of the data stored in the header. The packets with header modified according to the mapping are optionally processed using network address translation (NAT) methods that are based on in-place modification of the header of the packet rather than insertion of new data. The NAT method maps the new tunnel packet header to existing network infrastructure packet headers. Additional encapsulation and insertion of new data into the packet during the transmission path across the network over the pseudo-tunnel are avoided, improving computational and/or network efficiency in comparison to standard tunnel methods.

It is noted that in contrast to standard NAT methods that perform address translation only at a certain network interface independently of other network interfaces, the systems and/or methods (e.g., code instructions stored in a data storage device executable by one or more processors) described herein set up the pseudo-tunnel by defining the mappings at the network interface at each end of the pseudo-tunnel.
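The following is an added Python simulation of the mechanism just described, not code from the application or from the applicant: a network controller distributes both mappings to both network interfaces, each interface rewrites the source and destination fields of every packet in place (source NAT with its own mapping, destination NAT with the peer's), and the far end reverses both mappings so the node receives the original packet unchanged in size. The packet model (a fixed header of two addresses plus payload) and all node and interface addresses are constructed assumptions; the ingress check that only packets from the expected peer interface are restored is the kind of validation a practitioner would add, not something the application specifies.

```python
# Added example (not the application's or the applicant's code): simulation of
# the pseudo-tunnel of claim 1. A network controller holds both address mappings
# and distributes them to BOTH network interfaces; each interface then rewrites
# the source/destination fields of every packet in place (source NAT with the
# first mapping, destination NAT with the second, reversed at the far end).
# Packet layout is a constructed simplification; addresses are sample values.
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import IPv4Address


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    payload: bytes

    def size(self) -> int:
        return 8 + len(self.payload)  # fixed header (two 4-byte addresses) + payload


class PseudoTunnelInterface:
    """One end of the pseudo-tunnel: a NAT router in front of one node."""

    def __init__(self, node_addr: IPv4Address, own_addr: IPv4Address):
        self.node_addr = node_addr  # address of the node behind this interface
        self.own_addr = own_addr    # this interface's address on the underlying network
        self.peer: tuple[IPv4Address, IPv4Address] | None = None  # installed by controller

    @property
    def mapping(self) -> tuple[IPv4Address, IPv4Address]:
        return (self.node_addr, self.own_addr)

    def install(self, own, peer) -> None:
        """Controller instruction: keep our own mapping and the peer's mapping."""
        if own != self.mapping:
            raise ValueError("controller mapping does not match this interface")
        self.peer = peer

    def _peer(self) -> tuple[IPv4Address, IPv4Address]:
        if self.peer is None:
            raise RuntimeError("tunnel not set up")
        return self.peer

    def egress(self, pkt: Packet) -> Packet:
        """Node -> network: source NAT with our mapping, destination NAT with the peer's."""
        peer_node, peer_iface = self._peer()
        if pkt.src != self.node_addr or pkt.dst != peer_node:
            raise ValueError("packet is not part of this pseudo-tunnel")
        return replace(pkt, src=self.own_addr, dst=peer_iface)

    def ingress(self, pkt: Packet) -> Packet:
        """Network -> node: reverse both mappings. Only packets arriving from the
        expected peer interface are restored; anything else is dropped instead of
        being delivered with a fabricated inner source address (added check)."""
        peer_node, peer_iface = self._peer()
        if pkt.src != peer_iface or pkt.dst != self.own_addr:
            raise ValueError("not a pseudo-tunnel packet from the expected peer")
        return replace(pkt, src=peer_node, dst=self.node_addr)


class NetworkController:
    """Holds the mapping dataset and sets up a tunnel by distributing both mappings."""

    def __init__(self) -> None:
        self.mappings: dict[IPv4Address, IPv4Address] = {}

    def register(self, iface: PseudoTunnelInterface) -> None:
        node, own = iface.mapping
        self.mappings[node] = own

    def setup_tunnel(self, a: PseudoTunnelInterface, b: PseudoTunnelInterface) -> None:
        first = (a.node_addr, self.mappings[a.node_addr])
        second = (b.node_addr, self.mappings[b.node_addr])
        a.install(first, second)  # at A: source NAT = first mapping, destination NAT = second
        b.install(second, first)  # at B the two mappings swap roles


def build_demo() -> tuple[PseudoTunnelInterface, PseudoTunnelInterface]:
    """Two nodes on private segments behind two interfaces on the underlying network."""
    a = PseudoTunnelInterface(IPv4Address("10.0.1.10"), IPv4Address("198.51.100.1"))
    b = PseudoTunnelInterface(IPv4Address("10.0.2.20"), IPv4Address("203.0.113.1"))
    ctrl = NetworkController()
    ctrl.register(a)
    ctrl.register(b)
    ctrl.setup_tunnel(a, b)
    return a, b


def send(src_if: PseudoTunnelInterface, dst_if: PseudoTunnelInterface,
         pkt: Packet) -> tuple[Packet, Packet]:
    """Carry one packet through the pseudo-tunnel in either direction.
    Returns (packet as seen on the underlying network, packet delivered)."""
    on_wire = src_if.egress(pkt)
    return on_wire, dst_if.ingress(on_wire)


def accepts(iface: PseudoTunnelInterface, pkt: Packet) -> bool:
    """True if iface would restore and deliver pkt arriving from the network."""
    try:
        iface.ingress(pkt)
        return True
    except ValueError:
        return False
```

A packet from 10.0.1.10 to 10.0.2.20 travels the underlying network as 198.51.100.1 to 203.0.113.1 with the same size, and is restored to its original addresses at the far end; a packet arriving with an unexpected source or destination is not restored.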

Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.

The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

Reference is now made to FIG. 1, which is a flowchart of a method that establishes a pseudo-tunnel between nodes, in accordance with some embodiments of the present invention. Reference is also made to FIG. 2, which is a block diagram of components of a system 200 that establishes a pseudo-tunnel 202 between a node 204 and a node 206 over a network 208, in accordance with some embodiments of the present invention.

Each node 204 206 may be implemented, for example, as a single computing device (e.g., client terminal), a group of computing devices arranged in parallel, and/or another network. Exemplary nodes 204 206 include: a network server, a web server, a computing cloud, a local server, a remote server, a client terminal, a mobile device, a stationary device, a server, a smartphone, a laptop, a tablet computer, a wearable computing device, a glasses computing device, a watch computing device, and a desktop computer. Each node 204 206 includes and/or is in communication with a respective network interface 210 212 that establishes pseudo-tunnel 202 using the mappings described herein. Network interfaces 210 212 provide network connectivity between respective nodes 204 206 and network 208.

Each node 204 206 is associated with a respective network address 204A 206A, optionally an internet protocol (IP) address of a local area network (LAN) defined by an IP space that is different from the IP space of network 208. Each network interface 210 212 is associated with a respective network address 210A 212A, optionally an IP address defined by the IP space of network 208.

Each of network interfaces 210 212 may be implemented, for example, as one of a NAT router, a router, a NAT gateway, a gateway, or a virtual interface implemented in software. Network interfaces 210 212 may be integrated within respective nodes 204 206, for example, as a network interface card, and/or implemented as software. Network interfaces 210 212 may be implemented as external devices connected to respective nodes 204 206, for example, using cables or a wireless connection, which may be a direct connection or a network connection. Each network interface 210 212 includes a respective processor(s) 214 216 that executes code instructions stored in a respective memory 218 220. Processor(s) 214 216 may be implemented as, for example, central processing unit(s) (CPU), graphics processing unit(s) (GPU), field programmable gate array(s) (FPGA), digital signal processor(s) (DSP), application specific integrated circuit(s) (ASIC), customized circuit(s), processors for interfacing with other units, and/or specialized hardware accelerators. Processor(s) 214 216 may be implemented as a single processor, a multi-core processor, and/or a cluster of processors arranged for parallel processing (which may include homogenous and/or heterogeneous processor architectures). It is noted that processor(s) 214 216 may be designed to implement in hardware one or more features stored as code instructions.

Memory 218 220 may be implemented as, for example, a hard drive, a random access memory (RAM), read-only memory (ROM), an optical drive, and/or other storage devices.

Each network interface 210 212 may include a respective data storage device 222 224 that stores data, for example, a random access memory (RAM), read-only memory (ROM), and/or a storage device, for example, non-volatile memory, magnetic media, semiconductor memory devices, hard drive, removable storage, optical media (e.g., DVD, CD-ROM), a remote storage server, and a computing cloud.

The respective mapping 226 228 used to establish the pseudo-tunnel (as described herein) may be stored in respective memory 218 220 and/or in data storage device 222 224.

Each network interface 210 212 may be in communication with a respective user interface 230 232 that presents data to a user and/or includes a mechanism for entry of data, for example, one or more of: a touch-screen, a display, a keyboard, a mouse, voice activated software, and a microphone. User interfaces 230 232 may be used to manually configure the mappings for establishment of the pseudo-tunnel.

Network 208 may be implemented, for example, as one or more of: the internet, a local area network, a metropolitan area network, a wide area network, a virtual private network, a cellular network, and a wireless network. Network 208 may be implemented using one or more protocols and/or network architectures.

Optionally, a mapping database 234 storing mappings (e.g., mapping 226 228) is accessible to network interfaces 210 212. Mapping database 234 may be stored, for example, on a storage server, a computing cloud, or a web server. Mappings 226 228 stored by mapping database 234 are provided to network interfaces 210 212 as described herein.

Optionally, a control server 236 distributes mappings 226 228 to network interfaces 210 212, as described herein. Control server 236 may locally store the mappings, and/or obtain the mappings from another storage location (e.g., from mapping database 234). Control server 236 may distribute mappings 226 228 to network interfaces 210 212 over network 208.

Reference is now made to FIG. 3, which is a schematic depicting dataflow between a node 304 and a node 306 over a pseudo-tunnel 302, in accordance with some embodiments of the present invention. Pseudo-tunnel 302 is established over existing network infrastructure 308 by a NAT router 310 associated with node 304 and a NAT router 312 associated with node 306. Packets tunneled through pseudo-tunnel 302 are transmitted by network 308 between NAT router 310 and NAT router 312.

The acts of the method described with reference to FIG. 1 are performed by a controller that instructs distribution of mappings 226 228 to network interfaces 210 212 to establish the pseudo-tunnel between node 204 and node 206. The controller may be implemented as another external device, integrated and/or installed within existing component(s) of system 200, and/or as code executed by processor(s) of existing component(s) of system 200. The controller may be implemented as one or more of: control server 236, mapping database 234, network interface 210, network interface 212, and/or another computing device, for example, a network administration server.

Referring now back to FIG. 1, at 102, instructions to establish the pseudo-tunnel are received by the controller. For example, an administrator may define pseudo-tunnels using the network administration server to connect networks served by nodes, or a user of a client terminal may use a graphical user interface (GUI) or other interface provided by the controller to establish the pseudo-tunnel between the client terminal of the user and a remote client terminal at a remote node.

At 104, the controller provides, to network interface 210 associated with network node 204 and to network interface 212 associated with network node 206, a first mapping of network address 204A of network node 204 to network address 210A of network interface 210, and a second mapping of network address 206A of network node 206 to network address 212A of network interface 212. The first and second mappings are stored by network interface 210 as mapping 226, optionally in memory 218 and/or data storage device 222. The first and second mappings are stored by network interface 212 as mapping 228, optionally in memory 220 and/or data storage device 224.

The first mapping and the second mapping are optionally transmitted as metadata, and/or using other formats as described herein. Optionally, the mapping is defined according to a network-defined NAT method. The modification of the source and destination network addresses stored in the header of each packet is performed according to a bidirectional NAT. For a packet being transmitted from node 204 to node 206, the first mapping is used to perform source NAT, and the second mapping is used to perform destination NAT. For a packet being transmitted from node 206 to node 204, the second mapping is used to perform source NAT, and the first mapping is used to perform destination NAT.

Reference is now made to FIGs. 4-9, which are dataflow diagrams depicting different possible implementations for the controller to distribute the first mapping and the second mapping, in accordance with some embodiments of the present invention. FIGs. 4-9 describe dataflow between a node 404 associated with a network interface 410 (optionally implemented as a NAT router) and another node 406 associated with a network interface 412 (optionally implemented as a NAT router). Elements 404 410 406 and 412 correspond to elements 204 210 206 and 212 described with reference to FIG. 2. One or more methods may be implemented simultaneously, for example, for the same pseudo-tunnel, or for different pseudo-tunnels. The mappings stored by respective network interfaces are used independently to set up pseudo-tunnels.

Reference is now made to FIG. 4, which is a dataflow diagram depicting the first mapping and the second mapping being provided by an in-band transmission based on the transmission control protocol (TCP), in accordance with some embodiments of the present invention. The first and second mappings are distributed as options in the SYN and SYN-ACK packets transmitted between node 404 and node 406. Alternatively or additionally, the first mapping and the second mapping are transmitted using initialization internet protocol (IP) packets transmitted between node 404 and node 406. Alternatively or additionally, the first and second mappings are transmitted as a special header shimmed before the original initial packet (e.g., a network services header (NSH)). It is noted that the insertion of mapping information is performed only for the first packets of the connection; the bulk of the connection carries no such additions. The method described with reference to FIG. 4 does not necessarily require support of additional out-of-band protocols.

Reference is now made to FIG. 5, which is a dataflow diagram depicting the first mapping and the second mapping provided by an out-of-band transmission of packets relative to the in-band transmission of packets between network node 404 and network node 406, in accordance with some embodiments of the present invention. The out-of-band packets may be based on, for example, internet control message protocol (ICMP) and/or user datagram protocol (UDP). Replies may be transmitted in response to the out-of-band packets, for example, indicating that the information delivered by the out-of-band packets was received, and/or indicating an error (e.g., unknown pseudo-tunnel). The original connection remains unmodified except for the NAT. The distribution described with reference to FIG. 5 is relatively simple, decentralized, and ad-hoc and/or dynamically adjustable.
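The following is an added example of the out-of-band exchange described with reference to FIG. 5; it is not code from the patent, and the wire format (a one-byte message type, a four-byte pseudo-tunnel identifier, then the two mappings as address pairs), the ACK/ERROR codes and the consistency check in `Responder.handle` are assumptions made here to give the exchange concrete shape. The responder accepts an announcement only for a pseudo-tunnel it knows, and only if the entry describing its own side agrees with its local configuration, so a peer cannot redefine where the responder's node is reached; otherwise it replies with an error such as the "unknown pseudo-tunnel" case the text mentions. Nothing here authenticates the out-of-band channel itself; any host able to reach the responder's UDP port can send an announcement, which is why the responder refuses to learn anything about its own side from the peer.

```python
"""Out-of-band mapping exchange (FIG. 5 style) carried in UDP payloads.

Added example, not the patent's own protocol. Message layout, error codes
and the local-side consistency check are assumptions made for illustration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ANNOUNCE, ACK, ERROR = 1, 2, 3                              # message types (assumed)
ERR_UNKNOWN_TUNNEL, ERR_MAPPING_CONFLICT, ERR_MALFORMED = 1, 2, 3
HDR = struct.Struct("!BI")    # message type, pseudo-tunnel identifier
MAP = struct.Struct("!4s4s")  # node address, interface address (IPv4)


@dataclass(frozen=True)
class Mapping:
    node_addr: str        # address of the node behind the interface (204A / 206A)
    interface_addr: str   # address of the interface on the shared network (210A / 212A)


def encode_announce(tunnel_id: int, first: Mapping, second: Mapping) -> bytes:
    """Out-of-band packet payload carrying both mappings for one pseudo-tunnel."""
    body = b"".join(MAP.pack(IPv4Address(m.node_addr).packed,
                             IPv4Address(m.interface_addr).packed)
                    for m in (first, second))
    return HDR.pack(ANNOUNCE, tunnel_id) + body


def decode_announce(msg: bytes) -> tuple[int, Mapping, Mapping]:
    """Strict parse: exact length and type are required before any field is trusted."""
    if len(msg) != HDR.size + 2 * MAP.size:
        raise ValueError("malformed announce")
    mtype, tunnel_id = HDR.unpack_from(msg)
    if mtype != ANNOUNCE:
        raise ValueError("not an announce message")
    maps = []
    for offset in (HDR.size, HDR.size + MAP.size):
        node, iface = MAP.unpack_from(msg, offset)
        maps.append(Mapping(str(IPv4Address(node)), str(IPv4Address(iface))))
    return tunnel_id, maps[0], maps[1]


class Responder:
    """The network interface at the far end, configured with its own mapping per tunnel."""

    def __init__(self, local_by_tunnel: dict[int, Mapping]):
        self.local_by_tunnel = local_by_tunnel
        self.installed: dict[int, tuple[Mapping, Mapping]] = {}

    def handle(self, msg: bytes) -> bytes:
        """Return the reply payload: ACK, or ERROR with a one-byte reason code."""
        try:
            tunnel_id, first, second = decode_announce(msg)
        except ValueError:
            return HDR.pack(ERROR, 0) + bytes([ERR_MALFORMED])
        local = self.local_by_tunnel.get(tunnel_id)
        if local is None:
            return HDR.pack(ERROR, tunnel_id) + bytes([ERR_UNKNOWN_TUNNEL])
        # Assumed hardening: the peer may describe its own side, but the entry for
        # our side must equal our configuration, so the peer cannot redirect our node.
        if local not in (first, second):
            return HDR.pack(ERROR, tunnel_id) + bytes([ERR_MAPPING_CONFLICT])
        self.installed[tunnel_id] = (first, second)
        return HDR.pack(ACK, tunnel_id)


def parse_reply(msg: bytes) -> tuple[str, int, int | None]:
    """Initiator side: ('ack', id, None) or ('error', id, reason code)."""
    if len(msg) < HDR.size:
        raise ValueError("reply too short")
    mtype, tunnel_id = HDR.unpack_from(msg)
    if mtype == ACK and len(msg) == HDR.size:
        return "ack", tunnel_id, None
    if mtype == ERROR and len(msg) == HDR.size + 1:
        return "error", tunnel_id, msg[HDR.size]
    raise ValueError("unexpected reply")


if __name__ == "__main__":
    # Constructed sample: tunnel 7 between 10.0.0.5 (behind 203.0.113.10)
    # and 10.0.1.7 (behind 198.51.100.20); the responder owns the second mapping.
    first = Mapping("10.0.0.5", "203.0.113.10")
    second = Mapping("10.0.1.7", "198.51.100.20")
    responder = Responder({7: second})
    print(parse_reply(responder.handle(encode_announce(7, first, second))))
    print(parse_reply(responder.handle(encode_announce(8, first, second))))
```

Each exchange is one request and one reply; the original connection between the nodes is untouched, only the interfaces' mapping tables change.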

Reference is now made to FIG. 6, which is a dataflow diagram depicting the process of distributing the first mapping and the second mapping that are stored in an external database 634 (e.g., server, corresponding to mapping database 234 of FIG. 2) accessible by network interface 410 and network interface 412, in accordance with some embodiments of the present invention. The first mapping and second mapping may be distributed from external database 634 to network interfaces 410 and 412 using a publish-subscribe mechanism, and/or directly accessed from database 634 by network interfaces 410 and 412. Optionally, network interface 410 generates the first mapping and transmits the first mapping for storage by external database 634. Network interface 412 generates the second mapping and transmits the second mapping for storage by external database 634. Network interfaces 410 and 412 may cache the first and second mapping obtained from database 634 in respective memories 218 220 to improve performance. External database 634 may support a large number of client terminals, by centrally storing a mapping dataset that includes mappings for multiple client terminals and network interfaces, which may be used to centrally distribute mappings for establishment of pseudo-tunnels between any two client terminals. By centrally distributing the mappings using database 634, the client terminals and/or network interfaces participating in each end of the pseudo-tunnel may remain autonomous. The network interface at one end of the pseudo-tunnel does not necessarily need to provide the mappings to the network interface at the other end of the tunnel. Additional out-of-band protocols do not necessarily need to be supported when external database 634 provides the mappings.

Reference is now made to FIG. 7, which is a dataflow diagram depicting distribution of the first mapping and the second mapping to network interface 410 and network interface 412 by a network controller 736 (corresponding to control server 236 of FIG. 2), in accordance with some embodiments of the present invention. Network controller 736 is implemented as an external server that performs the distribution of the first mapping and the second mapping to network interface 410 and network interface 412. The network controller avoids locking issues that may result when two or more network interfaces attempt to access a common database storing the mappings, by distributing the mappings to the network interfaces. Latency in obtaining the mappings may be reduced by the network controller distributing the mappings to the network interfaces rather than the network interfaces attempting to obtain the mappings from a database.

Reference is now made to FIG. 8, which is a dataflow diagram depicting a predefinition of the first mapping and the second mapping, in accordance with some embodiments of the present invention. Each node 404 406 is assigned an address (optionally an IP address) based on a predefined network address scheme, and the first mapping and the second mapping are predefined from that scheme before setup of the pseudo-tunnel session. The mappings may be distributed during network and/or node set-up, before the nodes attempt communication using the pseudo-tunnel, and are accessed before the setup of the pseudo-tunnel session. Management overhead is similar to common tunneling practice using encapsulation methods.

Reference is now made to FIG. 9, which is a dataflow diagram depicting a network architecture where the predefined network address scheme (described with reference to FIG. 8) is of a network segment behind network interface 410 and network interface 412, in accordance with some embodiments of the present invention. Nodes 404 and 406 are assigned a network (e.g., IP) address in a network segment behind respective network interfaces 410 412. Routers 902 904 are located outside the network segment, and are assigned IP addresses based on a different network address scheme than that used for the network segment. The network segment behind each of network interface 410 and network interface 412 is not hidden by a NAT. Each node 404 406 is assigned a predefined address (e.g., IP) according to its respective location within the network topology of the respective network segment. The network segment architecture provides more flexibility and/or increased network efficiency, since the network address (e.g., IP) the respective node is assigned does not belong directly to the underlying network used to establish the pseudo-tunnel, and therefore is less wasteful. The mapping of the network address (e.g., IP) of the nodes within the network segment may be passed to the other network interfaces for establishment of the pseudo-tunnel using existing routing protocols and/or methods, for example, static configuration, dynamic routing, route peering, and/or a controller. An underlying network address is not necessarily assigned to each pseudo-tunnel end point.

At 106, pseudo-tunnel 202 is established over network 208 connecting node 204 with node 206 using respective network interfaces 210 and 212. The source and destination network addresses stored in the header of each packet transmitted over pseudo-tunnel 202 between node 204 and node 206 are modified according to the first mapping and second mapping. Packets transmitted over pseudo-tunnel 202 are transmitted without additional encapsulation and de-encapsulation associated with the pseudo-tunnel.

At 108, the pseudo-tunnel connection may be terminated, for example, by the user, automatically by a network administration server, and/or by one or both of the nodes. The pseudo-tunnel connection may be terminated based on instructions to discontinue modification of the packet header according to the first mapping and second mapping.
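The following is an added example, not code from the patent, that carries the bidirectional NAT described at 104 through establishment at 106 and termination at 108. Each interface is configured with both mappings; on egress it applies source NAT with its own mapping and destination NAT with the remote mapping, and on ingress it applies the exact inverse, so the same two mappings serve both directions. Only the IPv4 source and destination fields (and the header checksum they cover) change, and the packet length is unchanged because nothing is encapsulated. The addresses and the minimal header builder are constructed here for illustration. One caveat the text does not spell out: this is address translation only, with no confidentiality or authenticity, so the ingress rule will translate and deliver any packet on the shared network whose source carries the peer interface's address, whoever actually sent it.

```python
"""Pseudo-tunnel as bidirectional NAT: establish, rewrite per packet, terminate.

Added example, not code from the patent. Interfaces rewrite only the IPv4
src/dst fields; no encapsulation is added. Addresses are documentation ranges.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Mapping:
    node_addr: str       # node address on its LAN (204A or 206A in the text)
    interface_addr: str  # interface address on network 208 (210A or 212A)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                                64, proto, 0, IPv4Address(src).packed,
                                IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def addresses(packet: bytes) -> tuple[str, str]:
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(IPv4Address(src)), str(IPv4Address(dst))


class PseudoTunnelInterface:
    """One end of the pseudo-tunnel (network interface 210 or 212)."""

    def __init__(self, local: Mapping, remote: Mapping):
        self.local, self.remote = local, remote
        self.egress_table: dict[str, str] = {}
        self.ingress_table: dict[str, str] = {}

    def establish(self) -> None:
        """Step 106: egress maps node -> interface addresses (source NAT via the local
        mapping, destination NAT via the remote one); ingress is the exact inverse."""
        self.egress_table = {self.local.node_addr: self.local.interface_addr,
                             self.remote.node_addr: self.remote.interface_addr}
        self.ingress_table = {v: k for k, v in self.egress_table.items()}

    def terminate(self) -> None:
        """Step 108: discontinue header modification; packets then pass untouched."""
        self.egress_table.clear()
        self.ingress_table.clear()

    def egress(self, packet: bytes) -> bytes:
        return self._translate(packet, self.egress_table)

    def ingress(self, packet: bytes) -> bytes:
        return self._translate(packet, self.ingress_table)

    @staticmethod
    def _translate(packet: bytes, table: dict[str, str]) -> bytes:
        src, dst = addresses(packet)
        if src not in table or dst not in table:
            return packet  # not pseudo-tunnel traffic, or tunnel torn down: no rewrite
        hdr = bytearray(packet[:20])
        hdr[12:16] = IPv4Address(table[src]).packed
        hdr[16:20] = IPv4Address(table[dst]).packed
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        # A real NAT must also fix TCP/UDP checksums, whose pseudo-header covers the
        # IP addresses; the payload is passed through unchanged here.
        return bytes(hdr) + packet[20:]


if __name__ == "__main__":
    # Constructed sample: node 204 at 10.0.0.5 behind 203.0.113.10,
    # node 206 at 10.0.1.7 behind 198.51.100.20.
    first = Mapping("10.0.0.5", "203.0.113.10")
    second = Mapping("10.0.1.7", "198.51.100.20")
    iface210, iface212 = PseudoTunnelInterface(first, second), PseudoTunnelInterface(second, first)
    iface210.establish(); iface212.establish()
    pkt = build_ipv4("10.0.0.5", "10.0.1.7", b"hello")
    on_wire = iface210.egress(pkt)
    print(addresses(pkt), "->", addresses(on_wire), "->", addresses(iface212.ingress(on_wire)))
```

The two interfaces are constructed with the mappings in opposite roles; this is the "both mappings stored at each end" arrangement of step 104, and nothing else distinguishes the two ends.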

Various implementations and aspects of the systems and/or methods delineated hereinabove and as claimed in the claims section below find experimental support in the following examples.

EXAMPLES

Reference is now made to the following examples, which together with the above descriptions illustrate some implementations of the systems and/or methods described herein in a non limiting fashion.

Reference is now made to FIG. 10, which is a schematic denoting a set-up used to experimentally measure performance of the pseudo-tunnel, in accordance with some embodiments of the present invention. The experiment was performed by transmission of packets (also referred to as traffic) from one node to another node under different experimental set-ups. Traffic was generated using the iperf tool to take up all available bandwidth.

The set-up included two servers 1002 1004 located on a common physical network 1006. Each server 1002 1004 had a respective OpenVSwitch (OVS) 1008 1010 and a respective Namespace 1012 1014 installed thereon. OVS 1008 1010 is an available production-quality open-source implementation of a distributed virtual multilayer switch. Each Namespace 1012 1014 emulated a node.

Three experiments were conducted using the set-up, to collect data for comparison. The first experiment measured performance of the pseudo-tunnel described herein. The second experiment measured a base-line (bare metal test). The third experiment measured performance of a standard tunnel established using VXLAN.

For the first experiment, the pseudo-tunnel 1016 was established between the nodes emulated by namespaces 1012 1014. The pseudo-tunnel was created based on the implementation described with reference to FIG. 5. OpenVSwitch 1008 1010 was used to perform the mapping. An OpenVSwitch controller was used by each respective server to generate the out-of-band packet used to transmit the mapping information to the other server. A common controller was used to receive the out-of-band packet and install the new mapping.

For the second experiment, to test the base-line (Bare Metal test 1018), servers 1002 1004 were installed on the common network 1006. The direct connection was tested. The servers communicated directly, not using OpenVSwitch 1008 1010 and namespace 1012 1014.

For the third experiment, to test the performance of the tunnel established using VXLAN, jumbo frames were transmitted and an increased TX (transmit) queue length was used.

The test results were as follows:

* TCP (Transmission Control Protocol) throughput for the second experiment (bare metal test) was 12.5 Gigabit (Gbit) per second.

* TCP throughput for the first experiment (transmission over the pseudo-tunnel) was 11.8 Gbit/second. The throughput of the pseudo-tunnel was 94.4% of the bare metal test.

* For the third experiment (transmission over the tunnel established using VXLAN) the throughput was 82-84% of the bare metal test. In conclusion, the experimentally measured throughput of the pseudo-tunnel exceeded that of the tunnel established using VXLAN by more than 10 percentage points of the bare metal throughput.

Other systems, methods, features, and advantages of the present disclosure will be or become apparent to one with skill in the art upon examination of the following drawings and detailed description. It is intended that all such additional systems, methods, features, and advantages be included within this description, be within the scope of the present disclosure, and be protected by the accompanying claims.

The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

It is expected that during the life of a patent maturing from this application many relevant network interfaces will be developed and the scope of the term network interface is intended to include all such new technologies a priori.

As used herein the term "about" refers to ± 10 %.

The terms "comprises", "comprising", "includes", "including", "having" and their conjugates mean "including but not limited to". These terms encompass the terms "consisting of" and "consisting essentially of".

The phrase "consisting essentially of" means that the composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.

As used herein, the singular form "a", "an" and "the" include plural references unless the context clearly dictates otherwise. For example, the term "a compound" or "at least one compound" may include a plurality of compounds, including mixtures thereof.

The word "exemplary" is used herein to mean "serving as an example, instance or illustration". Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments. The word "optionally" is used herein to mean "is provided in some embodiments and not provided in other embodiments". Any particular embodiment of the invention may include a plurality of "optional" features unless such features conflict.

Throughout this application, various embodiments of this invention may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.

Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases "ranging/ranges between" a first indicated number and a second indicated number and "ranging/ranges from" a first indicated number "to" a second indicated number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals therebetween.

It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the invention. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements.

All publications, patents and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting.