Using firewall policies to map data messages to secure tunnels

    Publication (Announcement) No.: US11956213B2

    Publication (Announcement) Date: 2024-04-09

    Application No.: US17747969

    Application Date: 2022-05-18

    Applicant: VMware LLC

    CPC classification number: H04L63/0263 H04L12/4633 H04L63/029 H04L63/061

    Abstract: Some embodiments of the invention provide a method for transmitting data messages via secure tunnels in a network. The method is performed at a gateway device. The method determines that a data message received at the gateway device should be sent via a secure interface of the gateway device. The method matches the data message to a firewall rule that maps to a particular secure tunnel used by the secure interface, with multiple different firewall rules mapping to multiple different secure tunnels used by the secure interface. The method encapsulates the data message with a header that comprises an indicator value specifying the particular secure tunnel and forwards the encapsulated data message to a destination interface.

    Virtual machine packet processing offload

    Publication (Announcement) No.: US11936562B2

    Publication (Announcement) Date: 2024-03-19

    Application No.: US16039946

    Application Date: 2018-07-19

    Applicant: VMware LLC

    Abstract: A method to offload network function packet processing from a virtual machine onto an offload destination is disclosed. In an embodiment, a method comprises: defining an application programming interface (“API”) for capturing, in a packet processor offload, a network function packet processing for a data flow by specifying how to perform the network function packet processing on data packets that belong to the data flow. Based on capabilities of the packet processor offload and available resources, a packet processing offload destination is selected. Based at least on the API, the packet processor offload for the packet processing offload destination is generated. The packet processor offload is downloaded to the packet processing offload destination to configure the packet processing offload destination to provide the network function packet processing on the data packets that belong to the data flow. The packet processing offload destination is a PNIC or a hypervisor.

    DEFINITION OF LOGICAL ROUTER SERVICE RULES

    Publication (Announcement) No.: US20250080630A1

    Publication (Announcement) Date: 2025-03-06

    Application No.: US18239921

    Application Date: 2023-08-30

    Applicant: VMware LLC

    Abstract: Some embodiments provide a method for configuring a logical router implemented in a Kubernetes cluster. The method receives configuration data specifying a service rule for the logical router. The service rule requires processing of L5-L7 headers of data messages sent to the logical router. Based on the service rule, the method defines (i) a redirection rule specifying a set of data messages to which the service rule applies based on L2-L4 header values and (ii) an L5-L7 processing rule for application of the service rule. The method provides the redirection rule to a first set of Pods in the cluster and the L5-L7 processing rule to a second set of Pods in the cluster.

    SCALING OF LOGICAL ROUTER PODS
    Invention application

    Publication (Announcement) No.: US20250080411A1

    Publication (Announcement) Date: 2025-03-06

    Application No.: US18752352

    Application Date: 2024-06-24

    Applicant: VMware LLC

    Abstract: Some embodiments provide a method for configuring logical routers of a logical network. The logical routers are implemented in a Kubernetes cluster as a first set of Pods that each perform logical forwarding operations for the logical routers and a second set of Pods that each perform L7 service operations for a respective logical router. From a Kubernetes control plane component, the method receives a notification that the first set requires scaling to include an additional Pod. The first-set Pods process data messages between the logical network and external networks. Within the network management system, the method defines at least one new interface for processing data messages between the logical network and external networks. The method configures the at least one interface on the additional Pod to communicate with external physical routers to receive traffic from the external networks and send traffic to the external networks.

    AUTOMATED DEBUGGING OF KUBERNETES APPLICATION

    Publication (Announcement) No.: US20250028628A1

    Publication (Announcement) Date: 2025-01-23

    Application No.: US18225027

    Application Date: 2023-07-21

    Applicant: VMware LLC

    Abstract: Some embodiments provide a method for monitoring a first service that executes in a Pod on a node of a Kubernetes deployment. At a second service executing on the node, the method monitors a storage of the node that stores core dump files to detect when a core dump file pertaining to the first service is written to the storage. Upon detection of the core dump file being written to the storage, the method automatically (i) generates an image of the first service based on data in the core dump file and (ii) instantiates a new container on the node to analyze the generated image in order to debug the first service.

    Scaling for split-networking datapath

    Publication (Announcement) No.: US12192051B2

    Publication (Announcement) Date: 2025-01-07

    Application No.: US17384206

    Application Date: 2021-07-23

    Applicant: VMware LLC

    Abstract: Some embodiments of the invention provide a method for implementing an edge device that handles data traffic between a logical network and an external network. The method monitors resource usage of a node pool that includes multiple nodes that each executes a respective set of pods. Each of the pods is for performing a respective set of data message processing operations for at least one of multiple logical routers. The method determines that a particular node in the node pool has insufficient resources for the particular node's respective set of pods to adequately perform their respective sets of data message processing operations. Based on the determination, the method automatically provides additional resources to the node pool by instantiating at least one additional node in the node pool.

    CONTROLLING FLOW PROCESSING BY AN EDGE CLUSTER SPANNING MULTIPLE DATACENTER LOCATIONS OF A PUBLIC CLOUD

    Publication (Announcement) No.: US20250106141A1

    Publication (Announcement) Date: 2025-03-27

    Application No.: US18648171

    Application Date: 2024-04-26

    Applicant: VMware LLC

    Abstract: Some embodiments provide a method for controlling flow processing by an edge cluster including a first edge machine set operating in a first location set of a public cloud and a second edge machine set operating in a second location set of the public cloud. A controller set configures first and second managed forwarding element (MFE) sets operating in the first and second location sets respectively, with first and second forwarding rule sets to respectively forward first and second flow sets to the first and second edge machine sets for performing services. The first forwarding rule set specifies a first network address set for the first edge machine set, and the second forwarding rule set specifies a second network address set for the second edge machine set. The controller set monitors each edge machine to determine whether it is available to perform the services.

    CONFIGURATION OF SERVICE PODS FOR LOGICAL ROUTER

    Publication (Announcement) No.: US20250036437A1

    Publication (Announcement) Date: 2025-01-30

    Application No.: US18225554

    Application Date: 2023-07-24

    Applicant: VMware, LLC

    Abstract: Some embodiments provide a method for configuring a first Pod in a container cluster to perform layer 7 (L7) services for a logical router. At a second Pod that performs logical forwarding operations for the logical router, the method receives configuration data for the logical router from a network management system that defines a logical network for which the logical router routes data messages and performs L7 services. The method provides a set of Pod definition data to a cluster controller to create the first Pod. After creation of the first Pod, the method provides to the first Pod (i) networking information to enable a connection between the first and second Pods and (ii) configuration data defining the L7 services for the first Pod to perform the L7 services on data traffic sent from the second Pod to the first Pod.
