Abstract:
Methods and apparatus are provided for intercepting a client-server communication connection in a computing environment. A first network intermediary configured to facilitate optimization of client-server transactions may be installed in a path of communications between the client and the server. A second network intermediary configured to cooperate with the first network intermediary is not in the path of communications between the client and the server. The first network intermediary intercepts a connection request from the client and forwards a modified request toward the server. A module within the server intercepts the connection request and redirects it to the second network intermediary. The client-server connection is thus split-terminated at the two network intermediaries, which establish cooperative sessions between themselves and with the client and with the server.
Abstract:
Two or more network traffic processors connected with the same LAN and WAN are identified as neighbors. Neighboring network traffic processors cooperate to overcome asymmetric routing, thereby ensuring that related sequences of network traffic are processed by the same network proxy. A network proxy can be included in a network traffic processor or as a standalone unit. A network traffic processor that intercepts a new connection initiation by a client assigns a network proxy to handle all messages associated with that connection. The network traffic processor conveys connection information to neighboring network traffic processors. The neighboring network traffic processors use the connection information to redirect network traffic associated with the connection to the assigned network proxy, thereby overcoming the effects of asymmetric routing. The assigned network proxy handles redirected network traffic in much the same way that it would handle network traffic received directly.
Abstract:
Network devices include proxies, and where multiple proxies are present on a network, they can probe to determine the existence of other proxies. Where more than two proxies are present and thus different proxy pairings are possible, the proxies are programmed to determine which proxies should form a proxy pair. Marked probe packets are used by proxies to discover each other, and probing is done such that a connection can eventually be formed even if some probe packets fail due to the marking. Asymmetric routing can be detected and proxies configured for connection forwarding as necessary.
Abstract:
In address-manipulation enabled transaction accelerators, the transaction accelerators include outer-connection addressing information in packets emitted over an inner connection between transaction accelerators and inner-connection addressing information is added in packets sent over the inner connection. The inner-connection addressing information can be carried in TCP option fields, directly in other fields, or indirectly through data structures maintained by the endpoints processing the connection. Address information can be encoded into header fields originally intended for other purposes but that are unused or encoded into used fields, overlaid in combination with other data that is being carried in those used fields. The existence of inner-connection addressing information in a packet can be signaled by a flag in the packet, by a bit or other designated encoding. The flag can be in an unused header field or overlaid. Where replacement and option addition are needed, swappers and unswappers might be used.
Abstract:
Proxy devices associate their direct connection with a client/server connection passing through one or more NAT devices. First proxy device receives a network connection request from a client. First proxy device stores connection information in association with a connection identifier. Connection information may reflect the usage of NAT devices between the two proxy devices. First proxy device sends a connection response including the connection identifier to the client. Second proxy device sends a direct connection request to first proxy device to establish a direct connection. Direct connection request includes the connection identifier, which is used by first proxy device to associate the direct connection with stored connection information. First proxy device may use the connection information to direct network traffic received via this direct connection to the correct destination and to divert network traffic from the server to the client through the direct connection and first and second proxy devices.
Abstract:
Digital certificates are distributed to WAN optimization modules in organization and content delivery networks to securely optimize network traffic. The content delivery network identifies edge WAN optimization modules for use with each combination of organizations and their cloud services and distributes digital certificates accordingly. Peering digital certificates for establishing inner connections between organization and edge WAN optimization modules are exchanged via one or more management portals. Shadow digital certificates for establishing outer connections between WAN optimization modules and clients are generated in the form of certificate signing requests. Configuration information identifies any additional cloud services associated with a given cloud service, and corresponding additional certificate signing requests are generated. Certificate signing requests are digitally signed by a certificate signing authority associated with the organization and then returned via the one or more management portals to the allocated edge WAN optimization modules. Digital certificates may be rotated for security purposes.
Abstract:
WAN optimization devices and content delivery networks together optimize network traffic on both private networks and public WANs such as the internet. A WAN optimization device intercepts and optimizes network traffic from clients within a private network. The WAN optimization device communicates this first optimized network traffic to the nearest edge computer in the content delivery network via a public WAN, such as the internet. This edge computer further optimizes the network traffic and communicates the doubly optimized network traffic via the content delivery network to a second edge computer nearest to the network traffic destination. The second edge computer converts the doubly optimized network traffic back to its original format and communicates the reconstructed network traffic from the second edge computer to the destination via a public WAN. Licensing and configuration portals configure WAN optimization devices for specific network protocols, types of network traffic, applications, and/or cloud services.