-
Publication number: US11700321B2
Publication date: 2023-07-11
Application number: US17509935
Application date: 2021-10-25
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch
IPC: H04L12/00, H04L69/163, H04L9/40, H04L69/166, H04L67/56
CPC classification number: H04L69/163, H04L63/126, H04L67/56, H04L69/166
Abstract: A TCP intermediate device receives a SYN packet from a TCP client that is destined for a TCP origin server and indicates support for TCP fast open (TFO). A SYN-ACK packet is transmitted to the TCP client that includes a first TFO cookie set by the TCP intermediate device. An ACK packet is received from the TCP client. A SYN packet is sent to the TCP origin server and a second SYN-ACK packet is received in response that includes a second TFO cookie set by the TCP origin server. An ACK packet to the TCP origin server. Sometime after the TCP connection is completed, a SYN packet from the TCP client is received that includes the first TFO cookie and a payload of data. The TCP intermediate device modifies the SYN packet to include the second TFO cookie and transmits the modified SYN packet to the TCP origin server.
-
Publication number: US20220400166A1
Publication date: 2022-12-15
Application number: US17893003
Application date: 2022-08-22
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch, Naga Sunil Tripirineni, Rustam Xing Lalkaka, Nick Wondra, Mohd Irtefa, Matthew Browning Prince, Andrew Taylor Plunk, Oliver Yu, Vlad Krasnov
Abstract: A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.
-
Publication number: US11882199B2
Publication date: 2024-01-23
Application number: US17893003
Application date: 2022-08-22
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch, Naga Sunil Tripirineni, Rustam Xing Lalkaka, Nick Wondra, Mohd Irtefa, Matthew Browning Prince, Andrew Taylor Plunk, Oliver Yu, Vlad Krasnov
CPC classification number: H04L67/63, H04L12/4633, H04L12/4641, H04L63/0272, H04L67/10
Abstract: A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.
-
Publication number: US11349934B2
Publication date: 2022-05-31
Application number: US17138396
Application date: 2020-12-30
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch
IPC: H04L67/141, H04L67/01, H04L7/00, H04L69/326
Abstract: A TCP intermediate device receives a first SYN packet from a TCP client to establish a TCP connection between the TCP client and a TCP origin server. Prior to the TCP connection being fully established, the TCP intermediate device transmits a second SYN packet to the TCP origin server. The TCP intermediate device transmits a first SYN-ACK packet to the TCP client. The TCP intermediate device receives a first ACK packet from the TCP client. The TCP intermediate device receives a second SYN-ACK packet from the TCP origin server. The TCP intermediate device transmits a second ACK packet to the TCP origin server as part of establishing the third TCP connection.
-
Publication number: US20200336409A1
Publication date: 2020-10-22
Application number: US16387431
Application date: 2019-04-17
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch
IPC: H04L12/721, H04L29/06, H04L12/751, H04L12/741
Abstract: A method and a VPN server for VPN route optimization are described. The VPN server establishes a first VPN connection with a first client device and a second VPN connection with a second client device. The VPN server determines that the first and second client devices are part of a same local network; and responsive to determining that the first and the second client devices are part of the same local network, transmits, to the first client device through the first VPN connection, a second public network address of the second client device, and to the second client device through the second VPN connection, a first public network address of the first client device. The transmission of the first and second public network addresses causes the first client device to determine an optimal route from the first client device to the second client device for the traffic in the VPN.
-
Publication number: US11949647B2
Publication date: 2024-04-02
Application number: US17728407
Application date: 2022-04-25
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming, Dani Grant, Christopher Philip Branch, Tom Paseka
IPC: H04L61/2592, H04L12/46, H04L61/4511, H04L67/01, H04L67/02, H04L67/10, H04L67/1017, H04L67/1031, H04L61/5007
CPC classification number: H04L61/2592, H04L12/4633, H04L12/4641, H04L61/4511, H04L67/01, H04L67/02, H04L67/10, H04L67/1017, H04L67/1031, H04L61/5007
Abstract: A tunnel is established between a first edge server of a distributed edge compute and routing service and a tunnel client residing on an origin server. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the first edge server. The routing rules are based at least in part on traffic information gathered from processing other traffic that traverses the distributed edge compute and routing service. A request for content served by the origin server through the tunnel is received at a second edge server of the distributed edge compute and routing service. A path from the second edge server to the first edge server is determined based on the routing rules. The request is transmitted on the determined path. The first edge server receives the request and transmits the request to the origin server over the tunnel.
-
Publication number: US11425216B2
Publication date: 2022-08-23
Application number: US16836613
Application date: 2020-03-31
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch, Naga Sunil Tripirineni, Rustam Xing Lalkaka, Nick Wondra, Mohd Irtefa, Matthew Browning Prince, Andrew Taylor Plunk, Oliver Yu, Vlad Krasnov
IPC: H04L12/721, H04L29/06, H04L29/12, H04L67/63, H04L9/40, H04L67/10, H04L12/46, G06F3/0481
Abstract: A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.
-
Publication number: US11316787B2
Publication date: 2022-04-26
Application number: US17020605
Application date: 2020-09-14
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch, Dane Orion Knecht
IPC: H04L45/745, H04L12/46, H04L67/56, H04L67/01, H04L67/10
Abstract: Method and apparatus for traffic optimization in virtual private networks (VPNs). A client device establishes a first VPN connection with a first server based on first VPN credentials. Traffic is transmitted and received through the first VPN connection to and from the first server. A second server is identified based on traffic optimization criteria that need to be satisfied by the VPN connection. Upon receipt of the identification of the second server the client device is to use the second server as a destination of a second VPN connection. The second VPN connection satisfies a set of traffic optimization goals for at least one flow from the flows forwarded through the first VPN connection. Based on the identification of the second server, the client device establishes the second VPN connection for the flow between the client device and the second server.
-
Publication number: US20210203760A1
Publication date: 2021-07-01
Application number: US17138410
Application date: 2020-12-30
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch
Abstract: A TCP intermediate device receives a SYN packet from a TCP client that is destined for a TCP origin server and indicates support for TCP fast open (TFO). A SYN-ACK packet is transmitted to the TCP client that includes a TFO cookie set by the TCP intermediate device. The TCP intermediate device receives a first ACK packet from the TCP client. A SYN packet is sent to the TCP origin server and a second SYN-ACK packet is received in response that does not indicate support for TFO. An ACK packet to the TCP origin server. Sometime after the TCP connection is completed, the TCP intermediate device receives a SYN packet from the TCP client that includes the TFO cookie and a payload of data. The TCP intermediate device establishes a TCP connection with the TCP origin server and transmits the payload of data to the TCP origin server.
-
Publication number: US10666613B2
Publication date: 2020-05-26
Application number: US16160294
Application date: 2018-10-15
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming, Dani Grant, Christopher Philip Branch, Tom Paseka
Abstract: An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.