US20250279950
2025-09-04
Electricity
H04L43/10
The patent application describes a system for processing data packets in a multi-stage pipeline within a software-defined networking (SDN) environment. This system uses a directed graph of objects to represent processing stages and packet flows. Instead of employing a single global namespace, multiple unique namespaces are used as containers associated with groups of graph objects. This approach allows for isolation in programming, ensuring that each namespace encapsulates its programming within a predefined scope and provides public interfaces for interaction with other namespaces.
Namespaces are the unit of security and isolation in the pipeline. A user programs graph objects only through the interface issued for a particular namespace, so the user can reach only the parts of the pipeline that namespace is authorized to program; programming in one namespace cannot touch the graph objects of another except through the public interfaces that other namespace exposes. This separation is enforced during the programming phase only: at runtime the programming of all namespaces is mapped into a single executable graph in the data plane, so a packet traverses one graph rather than a chain of separately isolated stages, which reduces latency. Because the runtime graph is shared, the isolation a tenant sees is only as strong as the checks applied when the namespaces are mapped into it.
The programmable graph objects are nodes and edges: a node is a match-action classifier, and an edge is a packet flow from one classifier to the next, taken when a packet matches the corresponding rule. A classifier's rules match on fields in the packet headers and apply an action such as discarding, modifying, or forwarding the packet. The programming of each classifier is bound to the namespace that owns it, so the processing logic of one namespace stays isolated from that of another.
The system supports multi-tenant environments by issuing the programming interfaces of different namespaces to different tenants. Where one tenant's processing must hand packets to or accept packets from another's, that cross-tenant programming goes only through the application programming interfaces (APIs) that the other namespace defines, so tenants share the same infrastructure while their programming remains isolated and protected.
By using separate namespaces for programming and converting them into a single executable data plane at runtime, the system enhances packet processing pipeline performance. It minimizes latency and processing overhead typically associated with conventional service chaining methods. This architecture is particularly beneficial in multi-tenant SDN platforms where shared infrastructure needs to support distinct tenant domains securely and efficiently.
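As an added example (not the patent's code; every class, method and field name is an assumption, and the sample programming in build_demo is constructed), the following Python model shows the mechanism described above: each namespace is programmed only through an interface bound to it, an edge that crosses a namespace boundary must land on a node the target namespace has exported to the source namespace, and compile() maps everything into one flat executable graph with no namespace objects left in the data plane.

```python
"""Added illustration of the patent's namespace-scoped match-action graph; not its code, all names assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One match-action rule; match_field=None is a wildcard (default) rule."""
    match_field: Optional[str]
    match_value: object
    action: str                   # "forward", "modify", "drop", "deliver"
    target: Optional[str] = None  # "namespace:node" edge for forward/modify
    set_fields: tuple = ()        # ((header, value), ...) written by modify
    def matches(self, pkt: dict) -> bool:
        return self.match_field is None or pkt.get(self.match_field) == self.match_value


class Namespace:
    def __init__(self, name: str, owner: str):
        self.name, self.owner = name, owner
        self.nodes, self.exports = {}, {}  # local node -> [Rule]; local node -> {namespaces allowed to target it}


class ProgrammingInterface:
    """Issued to one principal and bound to one namespace; it cannot reach any other."""
    def __init__(self, ns: Namespace):
        self._ns = ns

    def add_rules(self, node: str, rules: list) -> None:
        self._ns.nodes.setdefault(node, []).extend(rules)

    def export(self, node: str, to: set) -> None:
        self._ns.exports[node] = set(to)  # the namespace's public interface


class Pipeline:
    def __init__(self, **owners: str):
        self._namespaces = {name: Namespace(name, owner) for name, owner in owners.items()}

    def interface(self, name: str, caller: str) -> ProgrammingInterface:
        ns = self._namespaces[name]
        if caller != ns.owner:
            raise PermissionError(f"{caller} may not program namespace {name}")
        return ProgrammingInterface(ns)

    def compile(self) -> "ExecutableGraph":
        """Map all namespaces into one flat graph; an edge may cross a namespace
        boundary only onto a node the target namespace exported to the source."""
        flat = {f"{ns.name}:{n}": list(rules)
                for ns in self._namespaces.values() for n, rules in ns.nodes.items()}
        for ns in self._namespaces.values():
            for n, rules in ns.nodes.items():
                for r in rules:
                    if r.target is None:
                        continue
                    tns, tnode = r.target.split(":", 1)
                    if r.target not in flat or (tns != ns.name and
                            ns.name not in self._namespaces[tns].exports.get(tnode, ())):
                        raise PermissionError(f"{ns.name}:{n} -> {r.target}: unknown or not exported")
        return ExecutableGraph(flat)


class ExecutableGraph:
    """Runtime data plane: one dict of fully qualified nodes, no namespace objects left."""
    def __init__(self, nodes: dict):
        self.nodes = nodes

    def run(self, pkt: dict, entry: str, max_hops: int = 32):
        """Walk from `entry`, first matching rule wins; returns (verdict, packet, trace)."""
        pkt, node, trace = dict(pkt), entry, []
        for _ in range(max_hops):
            trace.append(node)
            rule = next((r for r in self.nodes[node] if r.matches(pkt)), None)
            if rule is None or rule.action == "drop":
                return "drop", pkt, trace  # no matching rule is a default deny
            if rule.action == "deliver":
                return "deliver", pkt, trace
            if rule.action == "modify":
                pkt.update(rule.set_fields)
            node = rule.target  # follow the edge to the next classifier
        return "drop", pkt, trace  # loop guard


def build_demo() -> Pipeline:
    """Constructed sample programming: a provider namespace and two tenant namespaces."""
    p = Pipeline(infra="provider", tenantA="tenantA", tenantB="tenantB")
    infra = p.interface("infra", caller="provider")
    infra.add_rules("ingress", [Rule("vlan", 10, "forward", target="tenantA:entry"),
                                Rule("vlan", 20, "forward", target="tenantB:entry")])
    infra.add_rules("egress", [Rule(None, None, "deliver")])
    infra.export("egress", to={"tenantA", "tenantB"})  # "ingress" stays private to infra
    a = p.interface("tenantA", caller="tenantA")
    a.add_rules("entry", [Rule("dst_port", 22, "drop"),
                          Rule(None, None, "modify", target="infra:egress", set_fields=(("dscp", 46),))])
    a.export("entry", to={"infra"})
    b = p.interface("tenantB", caller="tenantB")
    b.add_rules("entry", [Rule(None, None, "forward", target="infra:egress")])
    b.export("entry", to={"infra"})
    return p
```

With `g = build_demo().compile()`, a packet with vlan 10 and dst_port 22 walked from infra:ingress is dropped at tenantA:entry, while a vlan 10 packet to port 443 is marked dscp 46 inside tenantA's namespace and delivered through infra:egress. Asking for tenantA's interface as tenantB raises PermissionError before any rule is written, and a tenantB rule that targets the unexported infra:ingress is rejected when the graph is compiled rather than at packet time, which is the point of keeping the namespace check in the programming phase: the data plane itself holds only the flat dict of nodes.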