System and method for migrating application virtual machines in a network environment
    1.
    Granted invention patent
    System and method for migrating application virtual machines in a network environment (in force)

    Publication number: US09201704B2

    Publication date: 2015-12-01

    Application number: US13440735

    Filing date: 2012-04-05

    Abstract: A method includes managing a virtual machine (VM) in a cloud extension, where the VM is part of a distributed virtual switch (DVS) of an enterprise network, abstracting an interface that is transparent to a cloud infrastructure of the cloud extension, and intercepting network traffic from the VM, where the VM can communicate securely with the enterprise network. The cloud extension comprises a nested VM container (NVC) that includes an emulator configured to enable abstracting the interface, and dual transmission control protocol/Internet Protocol stacks for supporting a first routing domain for communication with the cloud extension, and a second routing domain for communication with the enterprise network. The NVC may be agnostic with respect to operating systems running on the VM. The method further includes migrating the VM from the enterprise network to the cloud extension through suitable methods.

    Location-Aware Virtual Service Provisioning in a Hybrid Cloud Environment
    2.
    Invention patent application
    Location-Aware Virtual Service Provisioning in a Hybrid Cloud Environment (in force)

    Publication number: US20130268588A1

    Publication date: 2013-10-10

    Application number: US13438861

    Filing date: 2012-04-04

    IPC classification: G06F15/16

    Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.

    Multi-stage multi-core processing of network packets
    4.
    Granted invention patent
    Multi-stage multi-core processing of network packets (in force)

    Publication number: US08094560B2

    Publication date: 2012-01-10

    Application number: US12123223

    Filing date: 2008-05-19

    IPC classification: H04L12/28 H04L12/56

    Abstract: Techniques for multi-stage multi-core processing of network packets are described herein. In one embodiment, work units are received within a network element, each work unit representing a packet of different flows to be processed in multiple processing stages. Each work unit is identified by a work unit identifier that uniquely identifies a flow in which the associated packet belongs and a processing stage that the associated packet is to be processed. The work units are then dispatched to multiple core logic, such that packets of different flows can be processed concurrently by multiple core logic and packets of an identical flow in different processing stages can be processed concurrently by multiple core logic, in order to determine whether the packets should be transmitted to one or more application servers of a datacenter. Other methods and apparatuses are also described.

    METHOD AND APPARATUS FOR BUILDING AND MANAGING POLICIES
    6.
    Invention patent application
    METHOD AND APPARATUS FOR BUILDING AND MANAGING POLICIES (in force)

    Publication number: US20090288135A1

    Publication date: 2009-11-19

    Application number: US12123219

    Filing date: 2008-05-19

    IPC classification: G06F17/00

    CPC classification: H04L63/0263 H04L63/20

    Abstract: Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes include at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.

    Efficient method for packet switching on asynchronous transfer mode switch based platforms
    7.
    Granted invention patent
    Efficient method for packet switching on asynchronous transfer mode switch based platforms (in force)

    Publication number: US07430208B1

    Publication date: 2008-09-30

    Application number: US10940098

    Filing date: 2004-09-14

    IPC classification: H04L12/28

    Abstract: An apparatus and method of using same for associating a tag with each packet in an ATM switch to eliminate the need for an OVC table, thus saving both egress processing time and memory resources. The tag includes both a type of switching identifier and a per-logical-interface or per-external-VC information field. A packet received by the egress packet processing engine has associated with it (by the control plane) a frame control word containing a new cell header (NCH) corresponding to the OVC on which the packet was received from the fabric. This NCH contains the tag used to expedite egress processing. In one embodiment of the present invention, the tag value is provided in two fields, a tag type and a tag parameter. The tag type represents a code for different data path applications. The tag parameter takes on multiple values based on the tag type. The present invention efficiently uses the OVC to NCH mapping to map many OVCs to a small set of tags coded within the switch's NCH so that, rather than having to do an extra look-up in the egress engine in a large and non-scaleable OVC table, the egress engine has only to look in a small, fully-scaleable tag table. In fact, in one embodiment, no egress look-up is required at all.

    Load balancing approach for scaling secure sockets layer performance
    8.
    Granted invention patent
    Load balancing approach for scaling secure sockets layer performance (in force)

    Publication number: US07111162B1

    Publication date: 2006-09-19

    Application number: US09954330

    Filing date: 2001-09-10

    IPC classification: H04L9/00 G06F15/16

    Abstract: A load-balancing approach for scaling Secure Sockets Layer (SSL) performance is disclosed. During a handshake phase of establishing a SSL connection among a client and server, a processor card identifier value, processor identifier value, and session index value are encoded in a session identifier value that is sent to a client. When the client subsequently resumes the SSL session, it provides the session identifier value, and the encoded values are used for routing the session to an SSL processor that has the negotiated security parameters for the session. In one embodiment, a load balancer distributes the SSL sessions across multiple SSL termination engines that actually carry out SSL processing, based on the card identifier value and the processor identifier. If one of the SSL termination engine cards fails, the load balancer card routes all sessions destined for the failed card to other cards that are operating. The SSL processor that receives such session data determines that it does not have a session table entry matching the session identifier, creates a new session identifier and gives the new session identifier to the client.

    Method and apparatus for building and managing policies
    9.
    Granted invention patent
    Method and apparatus for building and managing policies (in force)

    Publication number: US08667556B2

    Publication date: 2014-03-04

    Application number: US12123219

    Filing date: 2008-05-19

    IPC classification: H04L29/06

    CPC classification: H04L63/0263 H04L63/20

    Abstract: Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes include at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.

    SYSTEM AND METHOD FOR SIMULATING VIRTUAL MACHINE MIGRATION IN A NETWORK ENVIRONMENT
    10.
    Invention patent application
    SYSTEM AND METHOD FOR SIMULATING VIRTUAL MACHINE MIGRATION IN A NETWORK ENVIRONMENT (in force)

    Publication number: US20130297769A1

    Publication date: 2013-11-07

    Application number: US13462200

    Filing date: 2012-05-02

    IPC classification: G06F15/173

    Abstract: A method includes simulating network resources of a portion of a cloud in a simulated cloud within an enterprise network, the cloud being communicable with the enterprise network over a first communication channel, which may be external to the enterprise network. The method can also include simulating network behavior of the first communication channel in a second communication channel within the enterprise network, and validating application performance in the simulated cloud. Simulating network resources includes providing a cloud resources abstraction layer in the enterprise network, and allocating enterprise network resources in the enterprise network to the simulated cloud by the cloud resources abstraction layer. The method further includes adding a virtual network service appliance to the simulated cloud, and determining a change to a network topology of the enterprise network to accommodate the virtual appliance without materially impacting application performance.