公开(公告)号：US20210203688A1

公开(公告)日：2021-07-01

申请号：US16732140

申请日：2019-12-31

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Jagadish Narasimha Grandhi

IPC: H04L29/06 ,  H04L29/12 ,  H04L12/823

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

公开(公告)号：US11736399B2

公开(公告)日：2023-08-22

申请号：US17247950

申请日：2020-12-31

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Pankaj Malviya ,  Jagadish Narasimha Grandhi

IPC: H04L45/745 ,  H04L47/625

CPC classification number: H04L45/745 ,  H04L47/625 ,  H04L2212/00

Abstract: A network device may forward fragments of an IPv4 network packet encapsulated in IPv6 network packets from an IPv6 network to an IPv4 network without reassembling the IPv4 network packet. The network device may receive and buffer the one or more fragments of a fragment flow associated with the IPv4 network packet until it receives a fragment of the fragment flow that includes an indication of the source port of the IPv4 network packet. When the network device receives the fragment that includes the indication of the source port of the IPv4 network packet, the network device may dispatch each fragment of the fragment flow that it has received to the IPv4 network.

公开(公告)号：US20210144173A1

公开(公告)日：2021-05-13

申请号：US16682882

申请日：2019-11-13

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Jagadish Narasimha Grandhi

IPC: H04L29/06 ,  H04L12/721 ,  H04L12/823 ,  H04L29/12 ,  H04L12/861 ,  H04L12/751

Abstract: A network device may receive, from a first network, one or more fragments of a first network packet of a first network packet type, where the first network packet encapsulates a second network packet of a second network packet type. The network device may buffer the one or more fragments in. The network device may, upon receiving a fragment of the first network packet that includes an indication of a source network address and a source port for the second network packet, perform an anti-spoof check of the fragment flow without assembling the first network packet. The network device may, based on the fragment flow passing the anti-spoof check, in response to receiving all fragments of the first network packet: assemble the first network packet, decapsulate the second network packet from the assembled first network packet, and forward, to a second network, the second network packet.

公开(公告)号：US20210126863A1

公开(公告)日：2021-04-29

申请号：US17247950

申请日：2020-12-31

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Pankaj Malviya ,  Jagadish Narasimha Grandhi

IPC: H04L12/741 ,  H04L12/863

Abstract: A network device may forward fragments of an IPv4 network packet encapsulated in IPv6 network packets from an IPv6 network to an IPv4 network without reassembling the IPv4 network packet. The network device may receive and buffer the one or more fragments of a fragment flow associated with the IPv4 network packet until it receives a fragment of the fragment flow that includes an indication of the source port of the IPv4 network packet. When the network device receives the fragment that includes the indication of the source port of the IPv4 network packet, the network device may dispatch each fragment of the fragment flow that it has received to the IPv4 network.

公开(公告)号：US11570283B1

公开(公告)日：2023-01-31

申请号：US16947141

申请日：2020-07-20

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Swamy Sadashivaiah Renu Kananda ,  Jagadish Narasimha Grandhi

IPC: H04L69/166 ,  H04L69/22 ,  H04L45/741 ,  H04L9/40

Abstract: A network device may receive, from a first network, a network packet of a first network packet type that encapsulates a fragment of a second network packet of a second network packet type, where the network packet includes an extension header that indicates a source port and a destination port for the second network packet. The network device may perform an anti-spoof check on the fragment of the second network packet based at least in part on at least one of: the source port or the destination port for the second network packet that is indicated by the extension header. The network device may, based on the fragment passing the anti-spoof check, forward the fragment of the second network packet to a second network.

公开(公告)号：US11451585B2

公开(公告)日：2022-09-20

申请号：US16682882

申请日：2019-11-13

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Jagadish Narasimha Grandhi

IPC: H04L9/40 ,  H04L45/02 ,  H04L45/00 ,  H04L47/32 ,  H04L49/90 ,  H04L69/22 ,  H04L101/686

Abstract: A network device may receive, from a first network, one or more fragments of a first network packet of a first network packet type, where the first network packet encapsulates a second network packet of a second network packet type. The network device may buffer the one or more fragments in. The network device may, upon receiving a fragment of the first network packet that includes an indication of a source network address and a source port for the second network packet, perform an anti-spoof check of the fragment flow without assembling the first network packet. The network device may, based on the fragment flow passing the anti-spoof check, in response to receiving all fragments of the first network packet: assemble the first network packet, decapsulate the second network packet from the assembled first network packet, and forward, to a second network, the second network packet.

公开(公告)号：US11165701B1

公开(公告)日：2021-11-02

申请号：US16836240

申请日：2020-03-31

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Jagadish Narasimha Grandhi

IPC: H04L12/749 ,  H04L29/06 ,  H04L12/851 ,  H04L29/12

Abstract: A network device may receive, from a first network, a network packet of a first network packet type that encapsulates a fragment of a second network packet of a second network packet type, where the network packet is part of a flow of a plurality of network packets of the first network packet type that encapsulates fragments of the second network packet, and where the network packet includes a flow label that indicates a source port for the second network packet. The network device may perform an anti-spoof check on the fragment of the second network packet based at least in part on the source port for the second network packet that is indicated by the flow label of the network packet. The network device may, based on the fragment passing the anti-spoof check, forward the fragment of the second network packet to a second network.

公开(公告)号：US11882150B2

公开(公告)日：2024-01-23

申请号：US18145788

申请日：2022-12-22

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Jagadish Narasimha Grandhi

IPC: H04L9/40 ,  H04L47/32 ,  H04L61/2592 ,  H04L69/22 ,  H04L12/46 ,  H04L101/686

CPC classification number: H04L63/1466 ,  H04L47/32 ,  H04L61/2592 ,  H04L63/029 ,  H04L63/0236 ,  H04L63/1425 ,  H04L69/22 ,  H04L12/4641 ,  H04L2101/686

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

公开(公告)号：US20230130595A1

公开(公告)日：2023-04-27

申请号：US18145788

申请日：2022-12-22

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Jagadish Narasimha Grandhi

IPC: H04L9/40 ,  H04L47/32 ,  H04L61/2592 ,  H04L69/22

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

公开(公告)号：US11570207B2

公开(公告)日：2023-01-31

申请号：US16732140

申请日：2019-12-31

Applicant: Juniper Networks, Inc.

Inventor： Ashish Suresh Ghule ,  Jagadish Narasimha Grandhi

IPC: H04L29/06 ,  H04L9/40 ,  H04L47/32 ,  H04L61/2592 ,  H04L69/22 ,  H04L12/46 ,  H04L101/686

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.