Dynamic rekeying of IPSec security associations

    Publication number: US11770389B2

    Publication date: 2023-09-26

    Application number: US17012235

    Filing date: 2020-09-04

    Applicant: VMWARE, INC.

    Abstract: Certain embodiments described herein relate to a method for dynamically rekeying a security association. The method includes establishing, by a destination tunnel endpoint (TEP), an in-bound security association with a source TEP, with a first security parameter index (SPI) value, for encrypting data packets communicated between the source TEP and the destination TEP. The method further includes rekeying, by the destination TEP, the in-bound security association, the rekeying including generating a second SPI value for replacing the first SPI value based on a trigger event relating to at least one of a real-time security score of the in-bound security association, a number of security associations assigned to the compute resource that the in-bound security association is assigned to, an amount of load managed by the compute resource that the in-bound security association is assigned to, and an indication received from an administrator.
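    The abstract above describes receiver-driven rekeying: the destination TEP owns the in-bound SA, picks its SPI, and replaces it when a trigger fires. The following model, added here as an illustration and not code from the patent or from VMware, shows the parts a practitioner cares about when implementing that: the new SPI must be chosen from outside the IANA-reserved range (1..255, RFC 4303) and must not collide with any SPI the receiver already has installed, the old SA must be retired rather than deleted so packets already in flight under the first SPI still decrypt during the overlap window, and the trigger is an OR over the listed conditions. The class and field names, the thresholds in RekeyPolicy, and the idea of a per-core SA count are assumptions for the example.

```python
"""Receiver-chosen SPI rekeying for an in-bound IPsec SA (illustrative model).

Added example, not the patent's or VMware's code. InboundSA, SATable,
RekeyPolicy and the threshold values are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass

SPI_RESERVED_MAX = 255  # RFC 4303: SPIs 1..255 are reserved by IANA; 0 is for local use only


@dataclass
class InboundSA:
    spi: int
    peer: str
    core: int            # compute resource (CPU core) this SA is pinned to
    key: bytes
    retired: bool = False  # still accepts in-flight packets during the overlap window


@dataclass
class RekeyPolicy:
    min_security_score: float = 0.5  # assumed: rekey when the real-time score drops below this
    max_sas_per_core: int = 64       # assumed: rekey/rebalance when a core holds too many SAs
    max_core_load: float = 0.8       # assumed: fraction of the core's capacity


class SATable:
    def __init__(self, policy=None):
        self.policy = policy or RekeyPolicy()
        self.by_spi = {}  # spi -> InboundSA, including retired ones awaiting expiry

    def allocate_spi(self):
        """Receiver picks a 32-bit SPI outside the reserved range and unused locally."""
        while True:
            spi = secrets.randbits(32)
            if spi > SPI_RESERVED_MAX and spi not in self.by_spi:
                return spi

    def establish(self, peer, core):
        sa = InboundSA(self.allocate_spi(), peer, core, secrets.token_bytes(32))
        self.by_spi[sa.spi] = sa
        return sa

    def active_on_core(self, core):
        return sum(1 for s in self.by_spi.values() if s.core == core and not s.retired)

    def should_rekey(self, sa, score, core_load, admin_request=False):
        """Trigger: any one of the conditions listed in the abstract is enough."""
        return (admin_request
                or score < self.policy.min_security_score
                or self.active_on_core(sa.core) > self.policy.max_sas_per_core
                or core_load > self.policy.max_core_load)

    def rekey(self, sa, new_core=None):
        """Install a fresh SPI and key; retire (not delete) the old SA so late packets still decrypt."""
        core = sa.core if new_core is None else new_core
        new = InboundSA(self.allocate_spi(), sa.peer, core, secrets.token_bytes(32))
        self.by_spi[new.spi] = new
        sa.retired = True
        return new

    def expire_retired(self):
        """Called once the overlap window has elapsed; frees the old SPIs for reuse."""
        for spi in [s.spi for s in self.by_spi.values() if s.retired]:
            del self.by_spi[spi]

    def lookup(self, spi):
        return self.by_spi.get(spi)


if __name__ == "__main__":
    table = SATable()
    old = table.establish("198.51.100.1", core=0)          # constructed peer address
    if table.should_rekey(old, score=0.2, core_load=0.3):  # low security score fires the trigger
        new = table.rekey(old)
        print(f"rekeyed: spi {old.spi:#010x} -> {new.spi:#010x}")
```

    In a real implementation the overlap window is bounded by the peer's acknowledgement of the new SPI (IKEv2 CREATE_CHILD_SA) or a timer; the model only marks the old SA retired and lets the caller decide when to call expire_retired.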

    HANDLING MULTIPATH IPSEC IN NAT ENVIRONMENT

    Publication number: US20230118718A1

    Publication date: 2023-04-20

    Application number: US17962419

    Filing date: 2022-10-07

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method for establishing a virtual private network (VPN) session between a first gateway router located at a first site and a second gateway router located at a second site. The VPN session is for exchanging packets along multiple paths between the first and second sites. The method is performed at the second gateway router located at the second site. The method determines whether any intermediate network address translation (NAT) device processes packets on the multiple paths between the first and second sites during the VPN session. Upon determining that no NAT device processes packets on the multiple paths between the first and second sites, the method builds a source port pool at the second site for sending probe packets during the VPN session (1) to identify the multiple paths and (2) to collect metrics associated with each of the identified paths. Upon determining that a NAT device processes packets on the multiple paths between the first and second sites, the method uses the destination port identifiers used in probe packets sent by the first gateway at the first site as source port identifiers for sending probe packets during the VPN session (1) to identify the multiple paths and (2) to collect metrics associated with each of the identified paths.

    MANAGING EDGE GATEWAY SELECTION USING EXCHANGED HASH INFORMATION

    Publication number: US20230036071A1

    Publication date: 2023-02-02

    Application number: US17507822

    Filing date: 2021-10-22

    Applicant: VMWARE, INC.

    Abstract: Described herein are systems, methods, and software to select edge gateways for communications based on exchanged hash information. In one implementation, a first gateway may receive hash information associated with second gateways, wherein the hash information is used to select a gateway of the second gateways to communicate a packet. The first gateway further receives a packet and hashes addressing information in the packet to select a destination gateway of the second gateways for the packet. The first gateway further encapsulates the packet and communicates the encapsulated packet to the selected destination gateway.

    MANAGING TUNNEL INTERFACE SELECTION BETWEEN GATEWAYS IN A COMPUTING ENVIRONMENT

    Publication number: US20230024885A1

    Publication date: 2023-01-26

    Application number: US17502081

    Filing date: 2021-10-15

    Applicant: VMWARE, INC.

    Abstract: Described herein are systems, methods, and software to manage the selection of an edge gateway or edge for processing a packet. In one implementation, a first edge may receive a packet and hash addressing information in the packet to select a second edge to process the packet. The first edge may further forward the packet to the second edge, permitting the second edge to process the packet. Once processed, the second edge may forward the packet to a destination host computing system and notify the host computing system to use the second edge for response packets directed at a source internet protocol (IP) address in the packet.

    IPSEC PROCESSING ON MULTI-CORE SYSTEMS

    Publication number: US20220394017A1

    Publication date: 2022-12-08

    Application number: US17570366

    Filing date: 2022-01-06

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method that receives an encapsulated packet for a virtual private network (VPN) session. The encapsulated packet includes (i) a set of flow identifiers of a network traffic flow that includes a user datagram protocol (UDP) port number and (ii) a payload encrypted according to a security association (SA). The method hashes the set of flow identifiers of the network traffic flow to select a processor core from a plurality of processor cores. The method uses the selected processor core to decrypt the payload in the encapsulated packet according to the SA.
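    The three hash-based abstracts above (edge gateway selection from exchanged hash information, edge selection by hashing addressing information, and processor core selection by hashing flow identifiers that include a UDP port) all reduce to the same primitive: encode the packet's identifiers canonically, hash them, and take the result modulo the number of candidates. The example below, added here and not code from the patents or from VMware, shows that primitive with two details the abstracts leave implicit. First, including the UDP port pair of UDP-encapsulated ESP (NAT traversal) in the key is what keeps every packet of one tunnel on one core, which matters because the SA's anti-replay window and sequence state live on that core. Second, the hash is keyed with a per-node secret, because an unkeyed hash lets a remote sender choose flow tuples that all land on one core or one gateway. The function names, the BLAKE2b choice, the tuple layout and the constructed addresses are assumptions for the example.

```python
"""Keyed flow hashing to pick a processor core (or an edge gateway) for a packet.

Added example; not the patents' or VMware's code. The tuple layout, the use of
BLAKE2b with a per-node secret, and the constructed addresses are assumptions.
"""
import hashlib
import ipaddress
import secrets
from collections import Counter
from typing import Sequence

# Per-node secret so an outside sender cannot precompute which flows collide on one
# bucket (with an unkeyed hash an attacker can aim all traffic at a single core).
HASH_KEY = secrets.token_bytes(16)


def flow_key(src_ip: str, dst_ip: str, proto: int, src_port: int, dst_port: int) -> bytes:
    """Canonical byte encoding of the flow identifiers carried in the outer headers."""
    return (ipaddress.ip_address(src_ip).packed
            + ipaddress.ip_address(dst_ip).packed
            + bytes([proto])
            + src_port.to_bytes(2, "big")
            + dst_port.to_bytes(2, "big"))


def select_bucket(key: bytes, n_buckets: int, hash_key: bytes = HASH_KEY) -> int:
    """Hash the identifiers and reduce to one of n_buckets (cores or gateways)."""
    if n_buckets <= 0:
        raise ValueError("need at least one bucket")
    digest = hashlib.blake2b(key, key=hash_key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_buckets


def select_core(src_ip: str, dst_ip: str, src_port: int, dst_port: int, n_cores: int) -> int:
    """Core selection for UDP-encapsulated ESP: the UDP port pair is part of the flow identity,
    so every packet of one tunnel lands on the same core and its anti-replay window."""
    return select_bucket(flow_key(src_ip, dst_ip, 17, src_port, dst_port), n_cores)


def select_gateway(src_ip: str, dst_ip: str, gateways: Sequence[str]) -> str:
    """Edge selection from addressing only: the first edge hashes src/dst to pick which
    second edge processes the packet; every edge given the same list makes the same choice."""
    return gateways[select_bucket(flow_key(src_ip, dst_ip, 0, 0, 0), len(gateways))]


def core_distribution(n_flows: int, n_cores: int) -> Counter:
    """Constructed flows that differ only in source port, as a NAT'd client population would."""
    return Counter(
        select_core("203.0.113.7", "198.51.100.1", 1024 + (i % 60000), 4500, n_cores)
        for i in range(n_flows)
    )


if __name__ == "__main__":
    print("core for one tunnel:", select_core("203.0.113.7", "198.51.100.1", 4500, 4500, 8))
    print("gateway:", select_gateway("10.1.0.5", "10.2.0.9", ["edge-a", "edge-b", "edge-c"]))
    print("spread over 8 cores:", sorted(core_distribution(4000, 8).items()))
```

    Because HASH_KEY is generated per process, two receivers only agree on a bucket if they share the key; for the gateway-selection case the abstract's "exchanged hash information" is where that shared state would come from, while for per-core dispatch the key never needs to leave the node.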
