Determining synchronization of filter rules (e.g., on iptable filter tables on Linux kernel) across firewall filter application restarts

    Publication (announcement) number: US10887282B1

    Publication (announcement) date: 2021-01-05

    Application number: US16166030

    Application date: 2018-10-19

    Abstract: Filter synchronization across a restart of a firewall filter application for converting filter information for filters into corresponding iptables filter table rules, is ensured by (1) computing a hash value for filter information derived from a filter using the filter or information derived from the filter, (2) determining an iptables filter table rule using the filter information for the filter, (3) associating the hash value with the corresponding iptables filter table rule, and (4) adding the determined iptables filter table rule and the hash value to iptables filter table rules in a Linux kernel. When a restart of the firewall filter application is detected, (1) a current instance of filter information derived from a current instance of the filter is obtained, (2) a hash value for the current instance of filter information is computed using the current instance of the filter or information derived from the current instance of the filter, (3) the hash value for the filter information is obtained from the iptables rules, and (4) whether the hash value for the current instance of the filter information is the same as the hash value for the filter information is determined. If it is determined that the hash value for the current instance of the filter information is not the same as the hash value for the filter information, then (1) a new iptables rule for the current instance of the filter information is determined, and (2) the iptables filter rule and the hash value in the iptables rules is replaced with the new iptables rule and the hash value for the current instance of the filter information.

    Apparatus, system, and method for applying firewall rules at dynamic offsets within packets in kernel space

    Publication (announcement) number: US10798059B1

    Publication (announcement) date: 2020-10-06

    Application number: US15726718

    Application date: 2017-10-06

    Abstract: A disclosed method may include (1) receiving a packet at a tunnel driver in kernel space on a routing engine of a network device, (2) identifying, at the tunnel driver, metadata of the packet that indicates whether at least one firewall filter had already been correctly applied to the packet before the packet arrived at the tunnel driver, (3) determining, based at least in part on the metadata of the packet, that the firewall filter had not been correctly applied to the packet before the packet arrived at the tunnel driver, and then, in response to determining that the firewall filter had not been correctly applied to the packet, (4) invoking at least one firewall filter hook that applies at least one firewall rule on the packet before the packet is allowed to exit kernel space on the routing engine. Various other apparatuses, systems, and methods are also disclosed.

    Network liveliness detection using session-external communications
    4.
    Granted invention patent (in force)

    Publication (announcement) number: US08953460B1

    Publication (announcement) date: 2015-02-10

    Application number: US13731993

    Application date: 2012-12-31

    Abstract: In general, techniques are described to dynamically refresh a timer for a communication session provided by a bidirectional forwarding detection (BFD) protocol. The techniques potentially mitigate network load by reducing the number of BFD packets required to maintain a BFD communication session. An example network device includes a memory, programmable processor(s), a network interface, and a control unit configured to establish a BFD communication session between the network device and a peer network device that is communicatively coupled to the network device via the network interface, determine whether a packet associated with a communication session other than the BFD communication session is a relevant packet to the BFD communication session, and in response to determining that the packet is the relevant packet, refresh a timer that executes on the network device and is associated with the BFD communication session.


    Systems and methods for debugging network stacks based on evidence collected from selective tracing

    Publication (announcement) number: US11374842B1

    Publication (announcement) date: 2022-06-28

    Application number: US16940422

    Application date: 2020-07-28

    Abstract: A disclosed method may include (1) determining that a packet traversing a network device has been selected for conditional tracing by (A) comparing a characteristic of the packet against a firewall rule that calls for all packets exhibiting the characteristic to be conditionally debugged while traversing the network device and (B) determining, based at least in part on the comparison, that the firewall rule applies to the packet due at least in part to the packet exhibiting the characteristic, (2) tracing a journey of the packet within the network device in response to the determination by collecting information about the packet's journey through a network stack of the network device, and then (3) performing at least one action on the network device based at least in part on the information collected about the packet's journey through the network stack. Various other systems, methods, and computer-readable media are also disclosed.

    Systems and methods for debugging network stacks based on evidence collected from selective tracing

    Publication (announcement) number: US10797983B1

    Publication (announcement) date: 2020-10-06

    Application number: US16000483

    Application date: 2018-06-05

    Abstract: A disclosed method may include (1) determining that a packet traversing a network device has been selected for conditional tracing by (A) comparing a characteristic of the packet against a firewall rule that calls for all packets exhibiting the characteristic to be conditionally debugged while traversing the network device and (B) determining, based at least in part on the comparison, that the firewall rule applies to the packet due at least in part to the packet exhibiting the characteristic, (2) tracing a journey of the packet within the network device in response to the determination by collecting information about the packet's journey through a network stack of the network device, and then (3) performing at least one action on the network device based at least in part on the information collected about the packet's journey through the network stack. Various other systems, methods, and computer-readable media are also disclosed.

    Dynamically adjusting liveliness detection intervals for periodic network communications
    7.
    Granted invention patent (in force)

    Publication (announcement) number: US09258234B1

    Publication (announcement) date: 2016-02-09

    Application number: US13730737

    Application date: 2012-12-28

    Abstract: In general, techniques are described to dynamically adjust a session detection time defined by a timer in accordance with a bidirectional forwarding detection (BFD) protocol. The techniques utilize existing hardware and BFD software infrastructure. An example network device includes a memory, programmable processor(s), and a control unit configured to execute a timer, receive one or more packets provided by the BFD protocol, detect, based on the received one or more packets, a congestion condition associated with a link via which the network device is coupled to a network, adjust, based on the detected congestion condition, a session detection time defined by the timer, and in response to a failure to receive a packet provided by the BFD protocol within the session detection time defined by the timer, detect a failure associated with the link.


    Computing path maximum transmission unit size

    Publication (announcement) number: US09923835B1

    Publication (announcement) date: 2018-03-20

    Application number: US14862797

    Application date: 2015-09-23

    CPC classification number: H04L47/365 H04L69/22

    Abstract: Techniques include quickly establishing a maximum transmission unit (MTU) for a network path, such as a network tunnel. In one example, data representative of the MTU is included in a header of a packet. If the MTU indicated in the packet is larger than a downstream network interface of a network device, the network device updates the data of the header to indicate the MTU of the downstream network interface, and an egress network device sends the packet back to an ingress network device. In another example, network devices fragment packets, if necessary, such that the fragments satisfy the MTU of the downstream network interface. The egress network device then determines the MTU for the path based on a largest received fragment, reassembles the fragments into a single packet, and returns the reassembled packet to the ingress network device. The packets may comprise echo packets of generic routing encapsulation (GRE).
