PROVIDING STATEFUL SERVICES IN A SCALABLE MANNER FOR MACHINES EXECUTING ON HOST COMPUTERS

    Publication number: US20230359478A1

    Publication date: 2023-11-09

    Application number: US18219217

    Filing date: 2023-07-07

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method for performing services on a host computer that executes several machines in a datacenter. The method configures a first set of one or more service containers for a first machine executing on the host computer, and a second set of one or more service containers for a second machine executing on the host computer. Each configured service container performs a service operation (e.g., a middlebox service operation, such as firewall, load balancing, encryption, etc.) on data messages associated with a particular machine (e.g., on ingress and/or egress data messages to and/or from the particular machine). For each particular machine, the method also configures a module along the particular machine's datapath to identify a subset of service operations to perform on a set of data messages associated with the particular machine, and to direct the set of data messages to a set of service containers configured for the particular machine to perform the identified set of service operations on the set of data messages. In some embodiments, the first and second machines are part of one logical network or one virtual private cloud that is deployed over a common physical network in the datacenter.

    POLICY-BASED FORWARDING TO A LOAD BALANCER OF A LOAD BALANCING CLUSTER

    Publication number: US20230231905A1

    Publication date: 2023-07-20

    Application number: US18123314

    Filing date: 2023-03-19

    Applicant: VMware, Inc.

    CPC classification number: H04L67/1027 H04L47/125

    Abstract: Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.
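
    The abstract above describes a forwarding element that remembers which load balancer handled a flow so that the server's replies go back through that same load balancer. The Python model below is an added illustration, not code from the patent or from VMware. It assumes (my assumptions, not the abstract's) that a load balancer is identified by the ingress port its packets arrive on, that flows are keyed by the 5-tuple, that associations age out after an idle timeout, and that a server-originated packet matching no stored flow takes a default route rather than being guessed onto a load balancer.

```python
"""Forwarding element between a load-balancer cluster and a server pool.

Added illustration of the stored (load balancer, flow) association; not the
patent's or VMware's code. Assumed here: the load balancer is identified by
the ingress port, flows by the 5-tuple, entries expire after an idle timeout,
and unknown server-to-client packets take a default route.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def flow_id(self) -> tuple:
        """5-tuple in the direction this packet travels."""
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)

    def reverse_flow_id(self) -> tuple:
        """5-tuple of the opposite direction, so a reply maps to the original flow."""
        return (self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


class ForwardingElement:
    def __init__(self, lb_ports: dict[int, str], idle_timeout: float = 300.0) -> None:
        self.lb_ports = lb_ports            # ingress port -> load balancer identifier
        self.idle_timeout = idle_timeout    # seconds an unused association survives
        self.table: dict[tuple, tuple[str, float]] = {}  # flow id -> (lb id, last seen)

    def handle(self, pkt: Packet, ingress_port: int, now: float) -> tuple[str, str | None]:
        """Return (next-hop kind, identifier) for one packet."""
        lb_id = self.lb_ports.get(ingress_port)
        if lb_id is not None:
            # Client -> server, already load balanced: record which LB picked
            # this server so the reply can be returned to the same LB.
            self.table[pkt.flow_id()] = (lb_id, now)
            return ("server", pkt.dst_ip)

        # Server -> client: look the association up under the original flow id.
        key = pkt.reverse_flow_id()
        entry = self.table.get(key)
        if entry is None or now - entry[1] > self.idle_timeout:
            self.table.pop(key, None)       # stale or unknown flow: no LB to pin to
            return ("default", None)
        self.table[key] = (entry[0], now)   # refresh the idle timer
        return ("lb", entry[0])

    def expire(self, now: float) -> int:
        """Drop idle associations; returns how many were removed."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)


if __name__ == "__main__":
    # Constructed sample traffic, not a real capture.
    fe = ForwardingElement({1: "lb-a", 2: "lb-b"})
    request = Packet("198.51.100.7", "10.0.0.10", 6, 40000, 443)
    reply = Packet("10.0.0.10", "198.51.100.7", 6, 443, 40000)
    print(fe.handle(request, 1, 0.0))   # ('server', '10.0.0.10')
    print(fe.handle(reply, 9, 1.0))     # ('lb', 'lb-a')
```

    The idle timeout matters in practice: without it the association table grows with every flow the cluster has ever seen, and a flood of short connections becomes a memory-exhaustion problem on the forwarding element. The default route for unknown reverse flows also means a server that opens its own outbound connections is not accidentally steered into a load balancer that never saw the flow.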

    String pattern matching for multi-string pattern rules in intrusion detection

    Publication number: US11663105B2

    Publication date: 2023-05-30

    Application number: US16569015

    Filing date: 2019-09-12

    Applicant: VMware, Inc.

    CPC classification number: G06F11/3072 G06F40/205 G06V10/955

    Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. Each of the rules includes a set of patterns, and each rule-and-pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned and the method determines when a pattern in the information matches a pattern for a rule. The method identifies the identifier for the matched pattern, where the identifier identifies a rule-and-pattern combination, and then identifies the rule and the pattern from that identifier. The set of patterns for the rule is determined to be present in the information based on determining that all of the rule-and-pattern combinations for that rule have been found in the information.

    Host computer configured to facilitate distributed SNAT service

    Publication number: US11606294B2

    Publication date: 2023-03-14

    Application number: US16931207

    Filing date: 2020-07-16

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network, performed at a host computer in the first network on which the dSNAT middlebox service operation runs and at a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck associated with providing stateful SNAT at gateways, and also significantly reduce the need to redirect packets received at the wrong host by using the capacity of off-the-shelf gateway devices to perform IPv6 encapsulation of IPv4 packets and by assigning to each host that executes a dSNAT middlebox service instance a locally unique IPv6 address, which the gateway device uses for that encapsulation.

    Methods and systems that generate and use microsegmentation quotients for security monitoring of distributed-computer-system components

    Publication number: US11601458B2

    Publication date: 2023-03-07

    Application number: US17062600

    Filing date: 2020-10-04

    Applicant: VMware, Inc.

    Abstract: The current document is directed to methods and systems that generate microsegmentation quotients for computational entities and components of a distributed-computer-system. In the described implementation, microsegmentation quotients are generated for each component, subsystem, or computational entity, collectively referred to as “system entities,” of a set of specified system-entity types within the distributed computer system. Microsegmentation quotients are generated for system entities at any of the various hierarchical levels within a distributed computer system, including for the entire distributed computer system. Microsegmentation quotients are generated by an iterative process that refines initial estimates of the microsegmentation quotients for system entities within the distributed computer system. Microsegmentation quotients are displayed, through system-management interfaces, to administration and management personnel and provided to automated administration-and-management-system tools and facilities in order to facilitate analysis and monitoring of distributed-computer-system security as well as to facilitate rapid and accurate detection and amelioration of security-related deficiencies and problems.

    METHODS AND SYSTEMS THAT GENERATE AND USE MICRO-SEGMENTATION QUOTIENTS FOR SECURITY MONITORING OF DISTRIBUTED-COMPUTER-SYSTEM COMPONENTS

    Publication number: US20220109684A1

    Publication date: 2022-04-07

    Application number: US17062600

    Filing date: 2020-10-04

    Applicant: VMware, Inc.

    Abstract: The current document is directed to methods and systems that generate microsegmentation quotients for computational entities and components of a distributed-computer-system. In the described implementation, microsegmentation quotients are generated for each component, subsystem, or computational entity, collectively referred to as “system entities,” of a set of specified system-entity types within the distributed computer system. Microsegmentation quotients are generated for system entities at any of the various hierarchical levels within a distributed computer system, including for the entire distributed computer system. Microsegmentation quotients are generated by an iterative process that refines initial estimates of the microsegmentation quotients for system entities within the distributed computer system. Microsegmentation quotients are displayed, through system-management interfaces, to administration and management personnel and provided to automated administration-and-management-system tools and facilities in order to facilitate analysis and monitoring of distributed-computer-system security as well as to facilitate rapid and accurate detection and amelioration of security-related deficiencies and problems.

    Large receive offload for virtual machines

    Publication number: US09742682B2

    Publication date: 2017-08-22

    Application number: US14205121

    Filing date: 2014-03-11

    Applicant: VMware, Inc.

    CPC classification number: H04L47/621 H04L47/36 H04L47/82

    Abstract: A network interface controller (NIC) that includes a set of receive NIC queues capable of performing large receive offload (LRO) operations by aggregating incoming receive packets is provided. Each NIC queue turns its LRO operation on or off based on a set of LRO enabling rules or parameters, whereby only packets that meet the set of rules or parameters will be aggregated in the NIC queue. Each NIC queue is controlled by its own set of LRO enabling rules such that the LRO operations of the different NIC queues can be individually controlled.

    Large receive offload for virtual machines

    Granted patent (in force)

    Publication number: US09384033B2

    Publication date: 2016-07-05

    Application number: US14205143

    Filing date: 2014-03-11

    Applicant: VMware, Inc.

    CPC classification number: G06F9/45558 G06F2009/45595 H04L49/70

    Abstract: A network interface controller (NIC) that includes a set of receive NIC queues capable of performing large receive offload (LRO) operations by aggregating incoming receive packets is provided. Each NIC queue turns its LRO operation on or off based on a set of LRO enabling rules or parameters, whereby only packets that meet the set of rules or parameters will be aggregated in the NIC queue. Each NIC queue is controlled by its own set of LRO enabling rules such that the LRO operations of the different NIC queues can be individually controlled.
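
    Both LRO entries above share one idea: each receive queue carries its own enabling rules, and only packets that satisfy them are coalesced. The Python model below is an added illustration covering both entries, not code from either patent or from VMware. Its assumptions (mine, not the abstract's) are that a packet is a TCP segment described by its endpoints, sequence number and payload length; that a queue coalesces consecutive in-order segments of one flow into a single large segment up to a maximum size; that the enabling rules are an on/off switch plus a set of permitted destination ports; and that a segment failing the rules is delivered unaggregated and flushes whatever aggregate is pending.

```python
"""Per-queue large receive offload (LRO) governed by enabling rules.

Added software model; not the patents' or VMware's code. Assumed: TCP
segments keyed by endpoints, in-order coalescing of one flow up to max_size,
rules = on/off switch plus allowed destination ports, and rule misses are
passed through unaggregated after flushing the pending aggregate.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: tuple[str, int]
    dst: tuple[str, int]
    seq: int
    length: int
    psh: bool = False      # PSH set: deliver what is pending right away

    @property
    def flow(self) -> tuple:
        return (self.src, self.dst)


@dataclass(frozen=True)
class LroRules:
    enabled: bool
    allowed_dst_ports: frozenset[int]
    max_size: int = 65535  # never build an aggregate larger than this

    def permits(self, seg: Segment) -> bool:
        return self.enabled and seg.dst[1] in self.allowed_dst_ports


class RxQueue:
    """One NIC receive queue with its own LRO rule set."""

    def __init__(self, rules: LroRules) -> None:
        self.rules = rules
        self.pending: tuple[tuple, int, int] | None = None  # (flow, first seq, bytes)
        self.delivered: list[tuple[tuple, int, int]] = []

    def _flush(self) -> None:
        if self.pending is not None:
            self.delivered.append(self.pending)
            self.pending = None

    def receive(self, seg: Segment) -> None:
        if not self.rules.permits(seg):
            self._flush()                      # rule miss: pass through unchanged
            self.delivered.append((seg.flow, seg.seq, seg.length))
            return
        if self.pending is not None:
            flow, seq, size = self.pending
            contiguous = flow == seg.flow and seq + size == seg.seq
            if contiguous and size + seg.length <= self.rules.max_size:
                self.pending = (flow, seq, size + seg.length)
            else:
                self._flush()                  # other flow, sequence gap, or too big
                self.pending = (seg.flow, seg.seq, seg.length)
        else:
            self.pending = (seg.flow, seg.seq, seg.length)
        if seg.psh:
            self._flush()

    def drain(self) -> list[tuple[tuple, int, int]]:
        """Flush the pending aggregate and hand back everything delivered."""
        self._flush()
        out, self.delivered = self.delivered, []
        return out


def deliver(rules: LroRules, segments: list[Segment]) -> list[tuple[tuple, int, int]]:
    """Run a segment list through a fresh queue; returns (flow, first seq, bytes)."""
    queue = RxQueue(rules)
    for seg in segments:
        queue.receive(seg)
    return queue.drain()


if __name__ == "__main__":
    # Constructed sample: three in-order 1460-byte segments of one HTTPS flow.
    flow = (("10.0.0.2", 51000), ("10.0.0.9", 443))
    segs = [Segment(*flow, seq=1000 + i * 1460, length=1460) for i in range(3)]
    print(deliver(LroRules(True, frozenset({443})), segs))    # one 4380-byte segment
    print(deliver(LroRules(False, frozenset({443})), segs))   # three separate segments
```

    The per-queue switch is what lets a hypervisor leave LRO on for a queue that feeds a web server while turning it off for a queue whose VM forwards or inspects traffic, where coalesced segments larger than the MTU would be re-fragmented or mis-sized on the way out. The `max_size` cap and the PSH flush in the model are the two knobs that bound how long a packet sits in the queue waiting for a successor.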


    SYSTEM AND METHOD FOR DISTRIBUTION OF POLICY ENFORCEMENT POINT

    Patent application (published, under examination)

    Publication number: US20160191396A1

    Publication date: 2016-06-30

    Application number: US14968890

    Filing date: 2015-12-14

    Applicant: VMware, Inc.

    Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.


    Distributed deep packet inspection

    Granted patent (in force)

    Publication number: US09225647B2

    Publication date: 2015-12-29

    Application number: US13764341

    Filing date: 2013-02-11

    Applicant: VMware, Inc.

    Abstract: Exemplary methods, apparatuses, and systems receive a copy of or make a copy of one or more packets of a flow of packets between a source and a destination. While or after the one or more packets are forwarded to the destination, the content of the one or more packets is compared to a policy to determine if the flow of packets triggers a policy response. A map of devices within a datacenter cluster of devices is maintained and used to select one or more available devices when packet inspection is distributed.

