-
Publication number: US20220021645A1
Publication date: 2022-01-20
Application number: US16931196
Application date: 2020-07-16
Applicant: VMware, Inc.
Inventor: Sami Boutros, Mani Kancherla, Jayant Jain, Anirban Sengupta
IPC: H04L29/12, H04L12/66, H04L12/741
Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways and also significantly reducing the need to redirect packets received at the wrong host, by using a capacity of off-the-shelf gateway devices to perform IPv6 encapsulation for IPv4 packets and assigning locally unique IPv6 addresses to each host executing a dSNAT middlebox service instance that are used by the gateway device.
-
Publication number: US11108728B1
Publication date: 2021-08-31
Application number: US16938697
Application date: 2020-07-24
Applicant: VMware, Inc.
Inventor: Sami Boutros, W. Andrew Lambeth, Jayant Jain, Mani Kancherla
Abstract: Some embodiments of the invention provide a method for implementing a logical network with one or more logical forwarding elements (LFEs), each with multiple logical ports. Each LFE in some embodiments is implemented by several physical forwarding elements (PFEs) operating on several devices. On a host computer executing a particular machine connected to a PFE implementing a particular LFE, the method identifies an address discovery message associating a particular network address (e.g., a layer 2 (L2) address or media access control (MAC) address) of the particular machine with another network address (e.g., a layer 3 (L3) or an Internet Protocol (IP) address) of the particular machine. The method identifies an LFE logical port associated with the particular machine, stores in an encapsulation header an identifier that identifies this port, encapsulates the address discovery data message with this encapsulation header, and then forwards the encapsulated message to a set of one or more devices implementing the LFE. Each device in the set of devices extracts the logical port identifier from the encapsulation header and stores this logical port identifier for use in processing data messages associated with the particular machine.
-
Publication number: US10944585B1
Publication date: 2021-03-09
Application number: US16570344
Application date: 2019-09-13
Applicant: VMware, Inc.
Inventor: Sami Boutros, Mani Kancherla, Jayant Jain, Ankur Dubey, Rajeev Nair
IPC: H04L12/28, H04L12/721, H04L12/851, H04L12/741, H04L29/12
Abstract: Embodiments described herein involve appliance migration. Embodiments include connecting, by a second appliance that is configured to perform a service, to a first uplink and a first downlink of a first appliance that is configured to perform the service. Embodiments include connecting, by the second appliance, to a first endpoint and a second endpoint to which the first appliance is connected. Embodiments include determining, by the second appliance, existing flows processed by the first appliance. Embodiments include processing, by the second appliance, a plurality of packets received via the first endpoint by: forwarding, by the second appliance, first packets of the plurality of packets that correspond to the existing flows to the first appliance; and performing, by the second appliance, the service for second packets of the plurality of packets that do not correspond to the existing flows.
-
Publication number: US20230216829A1
Publication date: 2023-07-06
Application number: US17567823
Application date: 2022-01-03
Applicant: VMware, Inc.
Inventor: Manish Jain, Mani Kancherla
IPC: H04L9/40
CPC classification number: H04L63/0245
Abstract: Some embodiments of the invention provide a novel method for performing firewall operations on a computer. The method of some embodiments instantiates first and second firewall processes on the computer. These two processes are two separate processes, which in some embodiments have separate memory allocations in the memory system of the computer. The method uses the first firewall process to examine a data message to determine whether an encryption-based firewall policy (e.g., a TLS-based firewall policy) has to be enforced on the data message. Based on a determination that the encryption-based firewall policy has to be enforced on the data message, the method provides metadata, which is produced by the first firewall process in its examination of the data message, to the second firewall process. The second firewall process then uses the provided metadata to perform an encryption-based firewall operation based on the encryption-based firewall policy. In some embodiments, the data message is encrypted, the first firewall process cannot decrypt the data message, and the second firewall process performs a decryption operation (e.g., a TLS-based decryption operation) to decrypt the data message.
-
Publication number: US11599395B2
Publication date: 2023-03-07
Application number: US16795376
Application date: 2020-02-19
Applicant: VMware, Inc.
Inventor: Yong Wang, Mani Kancherla, Kevin Li, Sreeram Ravinoothala, Mochi Xue
Abstract: Some embodiments provide a method for updating a core allocation among processes of a gateway datapath executing on a gateway computing device having multiple cores. The gateway datapath processes include a first set of data message processing processes to which a first set of the cores are allocated and a second set of processes to which a second set of the cores are allocated in a first core allocation. Based on data regarding usage of the cores, the method determines a second core allocation that allocates a third set of the cores to the first set of processes and a fourth set of the cores to the second set of processes. The method updates a load balancing operation to load balance received data messages over the third set of cores rather than the first set of cores. The method reallocates the cores from the first allocation to the second allocation.
-
Publication number: US11451413B2
Publication date: 2022-09-20
Application number: US16941467
Application date: 2020-07-28
Applicant: VMware, Inc.
Inventor: Sami Boutros, Anirban Sengupta, Mani Kancherla, Jerome Catrouillet, Sri Mohana Singamsetty
IPC: H04L12/46, H04L29/08, H04L12/713, H04L12/715, H04L29/12, H04L67/1001, H04L45/586, H04L69/08, H04L61/251, H04L12/66, H04L45/02
Abstract: Some embodiments of the invention provide a novel network architecture for advertising routes in an availability zone (AZ). The novel network architecture includes a set of route servers for receiving advertisements of network addresses as being available in the AZ from different routers in the AZ. The novel network architecture also includes multiple host computers that each execute a router that (i) identifies network addresses available on the host computer, (ii) sends advertisements of the identified network addresses to the set of route servers, and (iii) receives advertisements from the set of route servers regarding network addresses available on other host computers. The identified network addresses, in some embodiments, include at least one of network addresses associated with data compute nodes (DCNs) and network addresses associated with services available at the host computer. The route servers advertise the received network addresses to other routers in the AZ.
-
Publication number: US20220038379A1
Publication date: 2022-02-03
Application number: US16941462
Application date: 2020-07-28
Applicant: VMware, Inc.
Inventor: Sami Boutros, Anirban Sengupta, Mani Kancherla, Jerome Catrouillet, Sri Mohana Singamsetty
IPC: H04L12/851, H04L12/24, H04L12/751, H04L29/08, H04L12/781, H04L12/749
Abstract: Some embodiments of the invention provide a novel network architecture for advertising routes in an availability zone (e.g., a datacenter providing a set of hardware resources). The novel network architecture, in some embodiments, also provides a set of distributed services at the edge of a virtual private cloud (VPC) implemented in the availability zone (e.g., using the hardware resources of a datacenter) at a set of host computers in the AZ. The novel network architecture includes a set of route servers for receiving advertisements of network addresses (e.g., internet protocol (IP) addresses) as being available in the availability zone (AZ) from different routers in the AZ. The route servers also advertise the received network addresses to other routers in the AZ. In some embodiments, the other routers include routers executing on host computers in the AZ and gateway devices of the availability zone.
-
Publication number: US20220030060A1
Publication date: 2022-01-27
Application number: US16938733
Application date: 2020-07-24
Applicant: VMware, Inc.
Inventor: Jayant Jain, Anand Parthasarathy, Mani Kancherla, Anirban Sengupta
IPC: H04L29/08, H04L12/813, H04L29/12, H04L12/46, H04L12/66
Abstract: Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.
-
Publication number: US11611613B2
Publication date: 2023-03-21
Application number: US16938733
Application date: 2020-07-24
Applicant: VMware, Inc.
Inventor: Jayant Jain, Anand Parthasarathy, Mani Kancherla, Anirban Sengupta
IPC: H04L67/1023, H04L47/20, H04L12/66, H04L12/46, H04L101/622
Abstract: Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.
-
Publication number: US20220038310A1
Publication date: 2022-02-03
Application number: US16941473
Application date: 2020-07-28
Applicant: VMware, Inc.
Inventor: Sami Boutros, Anirban Sengupta, Mani Kancherla, Jerome Catrouillet, Sri Mohana Singamsetty
Abstract: Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.
-