Abstract:
In one embodiment, excess committed network appliance resources are shared for providing services within a network appliance. One approach maintains service resources in a committed service resource pool and one or more other pools of service resources. Service resources are taken from a corresponding pool as needed. Service resources are reallocated to the committed resource pool as needed to ensure that service resources are available to service corresponding packet streams at their corresponding committed rate. Examples of such services provided by a network appliance include, but are not limited to, network address translation (NAT), firewall, Internet Protocol Security (IPsec), virtual private network (VPN), or deep packet inspection (DPI) services.
Abstract:
A service is applied in a packet switching device to both directions of a flow of packets through the packet switching device, with the application of this Layer-4 to Layer-7 service to one direction requiring state information shared from the application of the service to packets traversing in the other direction. The service (e.g., firewall, network address translation) can be applied by different processing complexes which do not share memory; thus, state information is communicated between the processing complexes. When the service is applied by a single processing complex, packets can be directed explicitly to that single processing complex. The inline application of services in a packet switching system typically eliminates the need to change a packet's path through the packet switching system to one through a dedicated application server, and may eliminate the need for a dedicated services card or blade server.
Abstract:
A technique maintains configurations of an intermediate node in a version control system. Entities within the intermediate node are represented by objects. Each object is associated with a state. Each object is distinct from other objects in the intermediate node, thus enabling the state of an object to be changed, without affecting other objects. Versions of the objects' states are maintained in the version control system. The version control system is configured to maintain one or more versions of state associated with the objects. A configuration of the intermediate node is defined by labeling a version of objects saved in the version control system. A configuration is applied to the intermediate node by acquiring the states of objects associated with the configuration from the version control system and configuring the intermediate node's entities represented by the objects in accordance with the acquired states.
Abstract:
Methods and devices for managing traffic at a session border controller (SBC) are described. A signal portion of traffic en route from a source in a virtual private network (VPN) to a destination is received. The signal portion has embedded therein an identifier that uniquely identifies the VPN. The identifier is accessed to determine whether the destination is also in the VPN. A decision whether to direct a media portion of the traffic to an SBC is made depending on whether or not the destination is outside of the VPN.
Abstract:
Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for applying features to packets in an order specified by a selected feature order template. By providing multiple feature order templates, a network device manufacturer can give the user of the network device the ability to select among a variety of orders in which features are applied, while limiting the selectable orderings to those supported by the hardware and software of the network device, and/or to a subset of those orderings which has been thoroughly tested. Some devices further allow a user to define new feature order templates via a user interface.
Abstract:
A novel and useful mechanism for detecting the nodes connected to a network device and for creating a ring network from the nodes detected thereby. The invention simplifies insertion, removal and modification of nodes in the ring by detecting and reconfiguring the ring without requiring intervention by a user. Identification information messages generated by network devices and sent out on all links and received over a plurality of ports are used in identifying and determining the connectivity and topology of the network devices. The resulting topology information is stored in a node database. The contents of the node database are then used to generate one or more ring networks, wherein each ring generated corresponds to a unique line speed. The connectivity of the one or more rings generated is stored in a ring database and the rings configured therefrom.
Abstract:
Packets are encapsulated and sent from a service node (e.g., packet switching device) using one or more services applied to a packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000) to generate a result, which is used by the service node to process packets of a flow of packets to which the packet belonged. An example of a service applied to a packet is a classification service, such as, but not limited to, using deep packet inspection on the packet to identify a classification result. The service node can, for example, use this classification result to process other packets in a same packet flow, such that all packets of a flow do not need to be, nor typically are, sent to an application node for processing.
Abstract (translation): Packets are encapsulated and sent from a service node (e.g., a packet switching device) using one or more services applied to the packet by an application node (e.g., a packet switching device and/or a computing platform such as a Cisco ASR 1000) to generate a result, which is used by the service node to process packets of the packet flow to which the packet belongs. An example of a service applied to a packet is a classification service, such as, but not limited to, deep packet inspection of the packet to identify a classification result. For example, the service node can use this classification result to process other packets in the same packet flow, so that not all packets of a flow need to be, nor typically are, sent to the application node for processing.
Abstract:
Methods and devices for managing traffic are described. Traffic from a source in a virtual private network (VPN) is received. The traffic is directed to a virtual interface that is designated to receive traffic from the VPN. The virtual interface is configured to associate the traffic with an identifier that uniquely identifies the VPN to a session border controller (SBC). The SBC can use the identifier to determine whether the source and the destination of the traffic are in the same VPN.
Abstract:
One or more firewalls are used to perform firewall functionality on packets based on the entry and exit accesses of each of the one or more firewalls being applied to a packet. For example, when firewalls are included in a router, the interfaces of the router are typically mapped to virtual firewalls and access thereof. Based on the determined routing of a particular packet, the firewalls to apply and their corresponding entry and exit accesses are identified. In order to decouple the application by the firewall itself of the security policies from the network topology and routing architecture (e.g., the network routing address information which is typically relied upon by current firewalls), the firewall functionality is defined based on the identified entry and exit accesses of a firewall, rather than based on network defined addresses, for example.