-
Publication No.: US12107827B2
Publication date: 2024-10-01
Application No.: US18326745
Application date: 2023-05-31
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Alexander Wondra, Igor Postelnik, Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine
CPC classification number: H04L63/0236, H04L12/4633, H04L63/0272, H04L63/029, H04L63/0485, H04L67/10
Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.
-
Publication No.: US12107768B2
Publication date: 2024-10-01
Application No.: US18333297
Application date: 2023-06-12
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Alexander Wondra, Erich Alfred Heine, Yan Zhai
CPC classification number: H04L47/36, H04L12/4633, H04L2212/00
Abstract: A method of path MTU determination in a Generic Routing Encapsulation (GRE) tunnel is presented. A source network device (ND) transmits, to a destination ND that is a second endpoint of the GRE tunnel, a first outer packet including a first inner packet, where the first inner packet includes a first inner header that is used to deliver the first inner packet to the source network device, a first inner GRE header, and a first payload. The source ND receives the first inner packet. The source ND transmits a second outer packet including a second inner packet that includes a second payload that has a size greater than a size of the first payload. The source ND determines that the second inner packet is not received and determines a path MTU between the source ND and the destination ND based on a size of the first and the second outer packets.
-
Publication No.: US11863655B2
Publication date: 2024-01-02
Application No.: US17978782
Application date: 2022-11-01
Applicant: CLOUDFLARE, INC.
Inventor: Michael John Vanderwater, Nicholas Alexander Wondra
IPC: H04L69/08, H04L69/329, H04L69/163, H04W88/06, H04L67/56
CPC classification number: H04L69/329, H04L67/56, H04L69/08, H04L69/163, H04W88/06
Abstract: A first transport protocol connection is established between a first proxy network element and a second proxy network element. The first proxy network element receives from a first Border Gateway Protocol (BGP) client, first BGP data destined to a second BGP client that is connected to the second proxy network element. The first BGP data is transmitted to the second proxy network element through the first transport protocol connection for delivery to the second BGP client. The first proxy network element receives second BGP data destined to the second BGP client. Responsive to determining that the first transport protocol connection is down, the first proxy network element stores the second BGP data and establishes a second transport protocol connection to the second proxy network element. The second BGP data is transmitted to the second proxy network element through the second transport protocol connection.
-
Publication No.: US11677717B2
Publication date: 2023-06-13
Application No.: US17700058
Application date: 2022-03-21
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Alexander Wondra, Igor Postelnik, Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine
CPC classification number: H04L63/0236, H04L12/4633, H04L63/029, H04L63/0272, H04L63/0485, H04L67/10
Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.
-
25.
Publication No.: US20230124628A1
Publication date: 2023-04-20
Application No.: US18067713
Application date: 2022-12-18
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Alexander Wondra, Achiel Paul van der Mandele, Alexander Forster, Eric Reeves, Joaquin Madruga, Rustam Xing Lalkaka, Marek Przemyslaw Majkowski
IPC: H04L12/46
Abstract: A GRE tunnel is configured between multiple computing devices of a distributed cloud computing network and a single origin router of the origin network. The GRE tunnel has a first GRE endpoint that has an IP address that is shared among the computing devices of the distributed cloud computing network and a second GRE endpoint that has a publicly routable IP address of the origin router. A first computing device receives an IP packet from a client that is destined to an origin server. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate a GRE encapsulated packet whose source address is the first GRE endpoint and the destination address is the second GRE endpoint. The GRE encapsulated packet is transmitted over the GRE tunnel to the single origin router.
-
26.
Publication No.: US20230074300A1
Publication date: 2023-03-09
Application No.: US17977391
Application date: 2022-10-31
Applicant: CLOUDFLARE, INC.
Inventor: Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine, Nicholas Alexander Wondra
Abstract: An IPsec tunnel request for establishing an IPsec tunnel from a customer router to an anycast IP address of a distributed cloud computing network is received. The same anycast IP address is shared among compute servers of the distributed cloud computing network. A handshake is performed with the customer router from a first compute server including generating security associations for encrypting and decrypting IPsec traffic. The security associations are propagated to each compute server and are used for encrypting and decrypting traffic.
-
27.
Publication No.: US11128491B2
Publication date: 2021-09-21
Application No.: US16993181
Application date: 2020-08-13
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Alexander Wondra, Achiel Paul van der Mandele, Alexander Forster, Eric Reeves, Joaquin Madruga, Rustam Xing Lalkaka, Marek Przemyslaw Majkowski
Abstract: A GRE tunnel is configured between multiple computing devices of a distributed cloud computing network and a single origin router of the origin network. The GRE tunnel has a first GRE endpoint that has an IP address that is shared among the computing devices of the distributed cloud computing network and a second GRE endpoint that has a publicly routable IP address of the origin router. A first computing device receives an IP packet from a client that is destined to an origin server. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate a GRE encapsulated packet whose source address is the first GRE endpoint and the destination address is the second GRE endpoint. The GRE encapsulated packet is transmitted over the GRE tunnel to the single origin router.