-
31.
Publication No.: US11436111B2
Publication Date: 2022-09-06
Application No.: US16592613
Application Date: 2019-10-03
Applicant: Cisco Technology, Inc.
Inventor: Pierre Pfister, Ian James Wells, Kyle Andrew Donald Mestery, William Mark Townsley, Yoann Desmouceaux, Guillaume Ruty, Aloys Augustin
IPC: G06F11/20, G06F9/455, H04L61/2503, H04L61/58
Abstract: This disclosure describes techniques for providing a distributed scalable architecture for Network Address Translation (NAT) systems with high availability and mitigations for flow breakage during failover events. The NAT servers may include functionality to serve as fast-path servers and/or slow-path servers. A fast-path server may include a NAT worker that includes a cache of NAT mappings to perform stateful network address translation and to forward packets with minimal latency. A slow-path server may include a mapping server that creates new NAT mappings, depreciates old ones, and answers NAT worker state requests. The NAT system may use virtual mapping servers (VMSs) running on primary physical servers with state duplicated VMSs on different physical failover servers. Additionally, the NAT servers may implement failover solutions for dynamically allocated routable address/port pairs assigned to new sessions by assigning new outbound address/port pairs when a session starts and broadcasting pairing information.
-
Publication No.: US20220070154A1
Publication Date: 2022-03-03
Application No.: US17002170
Application Date: 2020-08-25
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Ian James Wells, Grzegorz Boguslaw Duraj
Abstract: Techniques and mechanisms to reduce double encryption of packets that are transmitted using encrypted tunnels. The techniques described herein include determining that portions of the packets are already encrypted, identifying portions of the packets that are unencrypted, and selectively encrypting the portions of the packets that are unencrypted prior to transmission through the encrypted tunnel. In this way, potentially private or sensitive data in the packets that is unencrypted, such as information in the packet headers, will be encrypted using the encryption protocol of the encrypted tunnel, but the data of the packets that is already encrypted, such as the payload, may avoid unnecessary double encryption. By reducing (or eliminating) the amount of data in data packets that is double encrypted, the amount of time taken by computing devices, and computing resources consumed, to encrypt traffic for encrypted tunnels may be reduced.
-
Publication No.: US20210359954A1
Publication Date: 2021-11-18
Application No.: US16875524
Application Date: 2020-05-15
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Andree Toonk, Rahim Lalani, Ian James Wells
IPC: H04L12/911, H04L12/927, H04L12/717, H04L29/06, H04L29/08
Abstract: Techniques for load balancing communication sessions in a networked computing environment are described herein. The techniques may include establishing a first communication session between a client device and a first computing resource of a networked computing environment. Additionally, the techniques may include storing, in a data store, data indicating that the first communication session is associated with the first computing resource. The techniques may further include receiving, at a second computing resource of the networked computing environment, traffic associated with a second communication session that was sent by the client device, and based at least in part on accessing the data stored in the data store, establishing a traffic redirect such that the traffic and additional traffic associated with the second communication session is sent from the second computing resource to the first computing resource.
-
Publication No.: US10915307B2
Publication Date: 2021-02-09
Application No.: US15902604
Application Date: 2018-02-22
Applicant: Cisco Technology, Inc.
Inventor: Ian James Wells, Santosh Ramrao Patil, Christopher Metz, Durgaprasad Sukhadeo Pawar, Avaneesh Anandrao Kadam, Vikram Prasad Munishwar
Abstract: In one embodiment, a server generates expected levels of capability associated with possible combinations of settings for first and second adjustable parameters for an aspect of a software image feature. The server receives an indication of a desired level of capability for the aspect of the software image feature and, based on the indication, identifies a particular expected level of capability associated with a particular possible combination of the settings for the first and second adjustable parameters. The particular expected level of capability is closer to a desired level of capability for an aspect of a software image feature than the other expected levels of capability associated with the possible combinations of the settings for the first and second adjustable parameters. The server produces a software image that includes the particular possible combination of the settings for the first and second adjustable parameters.
-
Publication No.: US10911332B2
Publication Date: 2021-02-02
Application No.: US16221857
Application Date: 2018-12-17
Applicant: Cisco Technology, Inc.
Inventor: Robert Edgar Barton, Jerome Henry, Matthew William Gillies, Ian James Wells
IPC: G06F15/173, H04L12/24, H04L12/911, H04L29/08, H04L12/851, H04L12/859
Abstract: A cloud orchestration platform obtains from a policy controller, application flow requirements for an application to be deployed in a container network that includes a plurality of microservices. The cloud orchestration platform determines a path through at least a subset of the plurality of microservices based on the application flow requirements, and computes information describing compute resources for workloads associated with the path through the plurality of microservices needed to support the application flow requirements. The cloud orchestration platform creates and/or reserves the workloads among the plurality of microservices. The cloud orchestration platform communicates scheduling requirements to a scheduling driver function associated with the plurality of microservices, the scheduling driver function using the scheduling requirements to coordinate scheduling of workloads based on the path. The cloud orchestration platform directs traffic associated with the application into the container network.
-
Publication No.: US12236229B2
Publication Date: 2025-02-25
Application No.: US18114708
Application Date: 2023-02-27
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Ian James Wells, Grzegorz Boguslaw Duraj
Abstract: This disclosure describes techniques and mechanisms for using a domain-specific language (DSL) to express and compile serverless network functions, and optimizing the deployment location for the serverless network functions on network devices. In some examples, the serverless network functions may be expressed entirely in the DSL (e.g., via a text-based editor, a graphics-based editor, etc.), where the DSL is a computer language specialized to a particular domain, such as a network function domain. In additional examples, the serverless network functions may be expressed and compiled using a DSL in combination with a general-purpose language (GSL). Once the serverless network functions have been expressed and/or compiled, the techniques of this disclosure further include determining an optimized network component on which the serverless network function is to execute, and deploying the serverless function to the optimized network component.
-
Publication No.: US12184661B2
Publication Date: 2024-12-31
Application No.: US17183900
Application Date: 2021-02-24
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Ian James Wells
IPC: H04L9/40, H04L41/0894, H04L67/14
Abstract: Techniques for creating consent contracts for devices that indicate whether the devices consent to receiving network-based communications from other devices. Further, the techniques include enforcing the consent contracts such that network-based communications are either allowed or disallowed in the network-communications layer prior to the network communications reaching the devices. Rather than simply allowing a device to communicate with any other device over a network, the techniques described herein include building in consent for network-based communications where the consent is consulted at one or more points in a communication process to make informed decisions about network-based traffic.
-
Publication No.: US12095665B2
Publication Date: 2024-09-17
Application No.: US17572320
Application Date: 2022-01-10
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Vincent E. Parla, Ian James Wells
IPC: H04L45/74, H04L69/165
CPC classification number: H04L45/74, H04L69/165
Abstract: Techniques for Network Address Translation (NAT)-based steering of traffic in cloud-based networks. The techniques may include establishing, by a frontend node of a network, a connection with a client device. The frontend node may receive, via the connection, a packet including an indication of an identity of a service hosted on a backend node of the network. Based at least in part on the indication, the frontend node may establish a second connection with the backend node. Additionally, the frontend node may store a mapping indicating that packets received from the client device are to be sent to the backend node. The techniques may also include receiving another packet at the frontend node or another frontend node of the network. Based at least in part on the mapping, the frontend node or other frontend node may alter one or more network addresses of the other packet and forward it to the backend node.
-
Publication No.: US12021754B2
Publication Date: 2024-06-25
Application No.: US17183977
Application Date: 2021-02-24
Applicant: Cisco Technology, Inc.
Inventor: Ian James Wells, Kyle Andrew Donald Mestery
IPC: H04L47/2441, H04L47/10, H04L47/193, H04L47/32, H04L67/133
CPC classification number: H04L47/2441, H04L47/193, H04L47/29, H04L47/32, H04L67/133
Abstract: Techniques for creating consent contracts for devices that indicate whether the devices consent to receiving network-based communications from other devices. Further, the techniques include enforcing the consent contracts such that network-based communications are either allowed or disallowed in the network-communications layer prior to the network communications reaching the devices. Rather than simply allowing a device to communicate with any other device over a network, the techniques described herein include building in consent for network-based communications where the consent is consulted at one or more points in a communication process to make informed decisions about network-based traffic.
-
40.
Publication No.: US11822443B2
Publication Date: 2023-11-21
Application No.: US17902677
Application Date: 2022-09-02
Applicant: Cisco Technology, Inc.
Inventor: Pierre Pfister, Ian James Wells, Kyle Andrew Donald Mestery, William Mark Townsley, Yoann Desmouceaux, Guillaume Ruty, Aloys Augustin
IPC: G06F11/20, G06F9/455, H04L61/2503, H04L61/58, H04L101/00
CPC classification number: G06F11/2033, G06F9/45558, H04L61/2503, G06F2009/45595, G06F2201/85, H04L61/58, H04L2101/00
Abstract: This disclosure describes techniques for providing a distributed scalable architecture for Network Address Translation (NAT) systems with high availability and mitigations for flow breakage during failover events. The NAT servers may include functionality to serve as fast-path servers and/or slow-path servers. A fast-path server may include a NAT worker that includes a cache of NAT mappings to perform stateful network address translation and to forward packets with minimal latency. A slow-path server may include a mapping server that creates new NAT mappings, depreciates old ones, and answers NAT worker state requests. The NAT system may use virtual mapping servers (VMSs) running on primary physical servers with state duplicated VMSs on different physical failover servers. Additionally, the NAT servers may implement failover solutions for dynamically allocated routeable address/port pairs assigned to new sessions by assigning new outbound address/port pairs when a session starts and broadcasting pairing information.