-
Publication No.: US11108687B1
Publication date: 2021-08-31
Application No.: US16129632
Application date: 2018-09-12
Applicant: Amazon Technologies, Inc.
Inventor: Reuben Alexander Hawkins, Nicholas Gene Kalteux, Stewart Allen, Harshit Vijayvargia, Christopher Thomas, Rajagopal Subramaniyan, Gregory Skoczek, Rashid Michael Aga
IPC: H04L12/26, H04L12/721, H04L12/715, H04L12/743, H04L12/24, H04L12/803, H04L12/801, H04L29/06
Abstract: A network function virtualization service includes an action implementation layer and an action decisions layer. On a flow of network traffic received at the service, the action implementation layer performs a packet processing action determined at the action decisions layer.
-
Publication No.: US11119739B1
Publication date: 2021-09-14
Application No.: US16448523
Application date: 2019-06-21
Applicant: Amazon Technologies, Inc.
Inventor: Stewart Allen, Dheerendra Talur, Venkat Maithreya Paritala, Joseph Magerramov, Anthony Liguori
Abstract: Techniques for compiling firewall rules into byte code or assembly code that can be loaded into cache memory of a processor and executed to evaluate received data packets. Rather than representing firewall rules in mid- or high-level languages stored in main memory, the techniques described herein include compiling the firewall rules into bytecode or assembly code, and distributing the code to the data plane. A packet-processing device may load the code representing the firewall rules into instruction cache of the processor. Further, the packet-processing device receives a data packet and extracts packet context data indicating attributes of the packet, and loads the packet context data into a data cache of the processor. The processor can then execute the byte code or assembly code representing the firewall rules to evaluate the packet context data without having to access main memory to determine whether to allow or block the data packet.
-
Publication No.: US12047281B2
Publication date: 2024-07-23
Application No.: US17459902
Application date: 2021-08-27
Applicant: Amazon Technologies, Inc.
Inventor: Reuben Alexander Hawkins, Nicholas Gene Kalteux, Stewart Allen, Harshit Vijayvargia, Christopher Thomas, Rajagopal Subramaniyan, Gregory Skoczek, Rashid Michael Aga
IPC: H04L45/64, H04L41/5041, H04L43/04, H04L45/00, H04L45/7453, H04L47/10, H04L47/125, H04L69/22
CPC classification number: H04L45/38, H04L41/5041, H04L43/04, H04L45/64, H04L45/7453, H04L47/125, H04L47/13, H04L69/22
Abstract: A network function virtualization service includes an action implementation layer and an action decisions layer. On a flow of network traffic received at the service, the action implementation layer performs a packet processing action determined at the action decisions layer.
-
Publication No.: US11153195B1
Publication date: 2021-10-19
Application No.: US16896133
Application date: 2020-06-08
Applicant: Amazon Technologies, Inc.
Inventor: Joseph Elmar Magerramov, Ethan Joseph Torretta, Stewart Allen
IPC: H04L12/751, H04L12/725, H04W84/18, H04W40/24, H04W40/02
Abstract: Respective destination groups are provided to routing intermediaries associated with a packet processing application. The destination group comprises a set of fast-path packet processing nodes of a packet processing service to which the routing intermediaries are to transmit packets to be processed. After a determination is made that the set of fast-path nodes to be included in the destination groups has changed, the destination groups are modified gradually during an update propagation interval.
-
Publication No.: US11916880B1
Publication date: 2024-02-27
Application No.: US16448459
Application date: 2019-06-21
Applicant: Amazon Technologies, Inc.
Inventor: Stewart Allen, Dheerendra Talur, Venkat Maithreya Paritala, Joseph Magerramov, Anthony Liguori
CPC classification number: H04L63/0263, G06F9/45558, H04L63/0236, H04L63/101, G06F2009/45595
Abstract: Techniques for compiling firewall rules into byte code or assembly code that can be loaded into cache memory of a processor and executed to evaluate received data packets. Rather than representing firewall rules in mid- or high-level languages stored in main memory, the techniques described herein include compiling the firewall rules into bytecode or assembly code, and distributing the code to the data plane. A packet-processing device may load the code representing the firewall rules into instruction cache of the processor. Further, the packet-processing device receives a data packet and extracts packet context data indicating attributes of the packet, and loads the packet context data into a data cache of the processor. The processor can then execute the byte code or assembly code representing the firewall rules to evaluate the packet context data without having to access main memory to determine whether to allow or block the data packet.
-
Publication No.: US11088944B2
Publication date: 2021-08-10
Application No.: US16450690
Application date: 2019-06-24
Applicant: Amazon Technologies, Inc.
Inventor: Stewart Allen, Andrew Davenport, Ciprian Dan Cosma, Anthony Nicholas Liguori, Joseph Elmar Magerramov
IPC: H04L12/703, H04L12/935, H04L12/747, H04L29/06, H04L12/707
Abstract: A program to be executed to perform a packet processing operation on a packet associated with a resource group, as well as security settings of the resource group, are received. The program is transmitted to a set of fast path nodes which were assigned to the resource group based on the group's metadata. With respect to a particular packet, security operations based on the settings are performed and the program is executed at a fast path node. Based at least partly on the results of the program, a packet routing action corresponding to the received packet is performed.
-
Publication No.: US11296981B2
Publication date: 2022-04-05
Application No.: US16450720
Application date: 2019-06-24
Applicant: Amazon Technologies, Inc.
Inventor: Stewart Allen, Andrew Davenport, Ciprian Dan Cosma, Anthony Nicholas Liguori, Joseph Elmar Magerramov, Nachiappan Arumugam
IPC: H04L12/721, H04L45/00, H04L47/70, G06F9/455
Abstract: Indications of packet processing operations to be performed for packets of a resource group, as well as configuration settings of the group, are obtained. A packet that satisfies a requirement of the configuration settings and meets a fast path criterion is processed at a fast path node configured for the group. In response to determining that another packet does not satisfy a criterion for fast path processing, the other packet is transmitted to an exception path target.