-
Publication number: US20190075056A1
Publication date: 2019-03-07
Application number: US15697409
Filing date: 2017-09-06
Applicant: Nicira, Inc.
Inventor: Russell Lu , Xin Qi , Shadab Shah , Sunitha Krishna , Yangyang Zhu , Subrahmanyam Manuguri , Raju Koganty
IPC: H04L12/851 , H04L29/06 , H04L12/26
Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.
-
22.
Publication number: US20190058631A1
Publication date: 2019-02-21
Application number: US15677733
Filing date: 2017-08-15
Applicant: Nicira, Inc.
Inventor: Jingmin Zhou , Subrahmanyam Manuguri , Anirban Sengupta
IPC: H04L12/24 , H04L12/863
Abstract: The technology disclosed herein enables a data plane of a packet handler in a host to be changed while minimizing disruption to the operation of guests that are associated therewith. In a particular embodiment, the method provides, in a control plane of the packet handler, extracting state information about states of the data plane and pausing network traffic to the data plane. After pausing the network traffic to the data plane, the method provides applying changes to components of the data plane. After applying changes to the components of the data plane, the method provides restoring the states to the data plane using the state information and resuming the network traffic to the data plane.
-
Publication number: US20180123907A1
Publication date: 2018-05-03
Application number: US15366742
Filing date: 2016-12-01
Applicant: Nicira, Inc.
Inventor: Chidambareswaran Raman , Subrahmanyam Manuguri , Jayant Jain , Raju Koganty , Anirban Sengupta
IPC: H04L12/24 , H04L12/911
CPC classification number: H04L43/16 , H04L41/0893 , H04L41/5016 , H04L43/045 , H04L43/0811 , H04L43/0876 , H04L43/50 , H04L47/745 , H04L47/822 , H04L47/828
Abstract: A method for managing service resources of a group of host machines is provided. Each host machine provides services for a corresponding set of data compute nodes (DCNs). The method receives service distribution configuration for a set of entities comprising at least one of a tenant, a service, and a provider. The method identifies a set of host machines on which a set of DCNs for the set of entities operate. The method determines an amount of resources to be assigned to each entity of the set of entities. The method communicates with the set of host machines to modify a set of resource pools available on each host machine.
-
24.
Publication number: US09503427B2
Publication date: 2016-11-22
Application number: US14231640
Filing date: 2014-03-31
Applicant: Nicira, Inc.
Inventor: Chidambareswaran Raman , Subrahmanyam Manuguri , Todd Sabin
CPC classification number: H04L63/0272 , G06F9/455 , G06F9/45533 , G06F9/45558 , G06F2009/45595 , H04L63/0236 , H04L63/0254
Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.
-
Publication number: US20230362130A1
Publication date: 2023-11-09
Application number: US18217666
Filing date: 2023-07-03
Applicant: Nicira, Inc.
Inventor: Anirban Sengupta , Subrahmanyam Manuguri , Mitchell T. Christensen , Azeem Feroz , Todd Sabin
CPC classification number: H04L63/0218 , G06F9/45558 , H04L67/63 , G06F2009/45595
Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
-
26.
Publication number: US11431677B2
Publication date: 2022-08-30
Application number: US15868789
Filing date: 2018-01-11
Applicant: NICIRA, INC.
Inventor: Sushruth Gopal , Jayant Jain , Subrahmanyam Manuguri , Anirban Sengupta , Deepa Kalani , Alok Tiagi , Sushil Singh
IPC: H04L9/40 , G06F9/455 , H04L69/22 , H04L69/329
Abstract: The method for implementing mechanisms for Layer 7 context accumulation for enforcing Layers 4, 7, and verb-based rules is presented. The method comprises: receiving stream data, and identifying a packet in the stream. If the packet includes Layer 7 headers: for each Layer 7 header: determining content of the packet identified by a Layer 7 header's identifier; and parsing the content to extract firewall input data. If one or more rules at least partially match the firewall input data, determining that a particular rule also includes additional information that cannot be found in the firewall input data; performing a DPI on the content to determine whether at least a portion of the additional information is found in the content; extracting additional input data from the content and adding it to the firewall input data; and applying the rules to the firewall input data to process the packet.
-
Publication number: US10938726B2
Publication date: 2021-03-02
Application number: US15697409
Filing date: 2017-09-06
Applicant: Nicira, Inc.
Inventor: Russell Lu , Xin Qi , Shadab Shah , Sunitha Krishna , Yangyang Zhu , Subrahmanyam Manuguri , Raju Koganty
IPC: H04L12/851 , H04L29/06 , H04L12/26
Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.
-
Publication number: US10469450B2
Publication date: 2019-11-05
Application number: US14975573
Filing date: 2015-12-18
Applicant: Nicira, Inc.
Inventor: Srinivas Nimmagadda , Jayant Jain , Anirban Sengupta , Subrahmanyam Manuguri , Alok S. Tiagi
Abstract: Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.
-
Publication number: US10419321B2
Publication date: 2019-09-17
Application number: US15366742
Filing date: 2016-12-01
Applicant: Nicira, Inc.
Inventor: Chidambareswaran Raman , Subrahmanyam Manuguri , Jayant Jain , Raju Koganty , Anirban Sengupta
IPC: H04L12/26 , H04L12/911 , H04L12/24
Abstract: A method for managing service resources of a group of host machines is provided. Each host machine provides services for a corresponding set of data compute nodes (DCNs). The method receives service distribution configuration for a set of entities comprising at least one of a tenant, a service, and a provider. The method identifies a set of host machines on which a set of DCNs for the set of entities operate. The method determines an amount of resources to be assigned to each entity of the set of entities. The method communicates with the set of host machines to modify a set of resource pools available on each host machine.
-
Publication number: US20190253390A1
Publication date: 2019-08-15
Application number: US15897129
Filing date: 2018-02-14
Applicant: Nicira, Inc.
Inventor: Alok Tiagi , Jayant Jain , Sushruth Gopal , Anirban Sengupta , Subrahmanyam Manuguri
IPC: H04L29/06
Abstract: Some embodiments provide a method that receives a packet, having a set of one or more layer 7 (L7) expressions, from a datapath. The method identifies a set of datapath firewall rules that match on expressions in the set of expressions. The method provides identifiers for the datapath firewall rules of the identified set to the datapath. The datapath uses the identifiers and additional packet header data to determine a matching firewall rule from the set of datapath firewall rules.
-