Location-Aware Virtual Service Provisioning in a Hybrid Cloud Environment
    1.
    Type: Patent application
    Status: In force

    Publication number: US20130268588A1

    Publication date: 2013-10-10

    Application number: US13438861

    Filing date: 2012-04-04

    IPC classification: G06F15/16

    Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.

    Architecture for scalable virtual network services
    3.
    Type: Granted patent
    Status: In force

    Publication number: US08730980B2

    Publication date: 2014-05-20

    Application number: US13337379

    Filing date: 2011-12-27

    IPC classification: H04L12/56

    CPC classification: H04L49/356 H04L49/70

    Abstract: Techniques are provided to start a virtual service node that is configured to provide network traffic services for one or more virtual machines. The virtual service node has at least one associated service profile comprising identifiers for corresponding service policies for network traffic services. The service policies identified in the at least one associated service profile are retrieved. A virtual machine is started with an associated virtual interface and a port profile is applied to the virtual interface, including information identifying the service profile. Information is provided to the virtual service node that informs the virtual service node of network parameters and assigned service profile of the virtual machine. Network traffic associated with the virtual machine is intercepted and redirected to the virtual service node. A virtual service data path is provided that enables dynamic service binding, virtual machine mobility support, and virtual service node chaining and/or clustering.

    Location aware virtual service provisioning in a hybrid cloud environment
    4.
    Type: Granted patent
    Status: In force

    Publication number: US09313048B2

    Publication date: 2016-04-12

    Application number: US13438861

    Filing date: 2012-04-04

    IPC classification: G06F15/16 H04L12/64

    Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.

    Highly parallel evaluation of XACML policies
    5.
    Type: Granted patent
    Status: In force

    Publication number: US08677453B2

    Publication date: 2014-03-18

    Application number: US12123227

    Filing date: 2008-05-19

    IPC classification: H04L29/06

    Abstract: Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.

    HIGHLY PARALLEL EVALUATION OF XACML POLICIES
    6.
    Type: Patent application
    Status: In force

    Publication number: US20090288136A1

    Publication date: 2009-11-19

    Application number: US12123227

    Filing date: 2008-05-19

    IPC classification: G06F21/00

    Abstract: Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.

    EXTENSIBILITY FRAMEWORK OF A NETWORK ELEMENT
    7.
    Type: Patent application
    Status: Under examination (published)

    Publication number: US20090288104A1

    Publication date: 2009-11-19

    Application number: US12123225

    Filing date: 2008-05-19

    IPC classification: G06F9/54 G06F15/173

    Abstract: Techniques for providing extensibility framework for processing network packets are described herein. In one embodiment, in response to a packet received at a network element, the packet is processed using a generic process for performing a first type of operations required by the packet, wherein the first type of operations is common to a type of the packet. An extended process is invoked, via an extensibility application programming interface (API), to perform a custom operation that is not common to the generic process and is not statically known to the generic process, in order to determine whether the packet is eligible to access a resource of at least one of a plurality of application servers of a datacenter, including a layer-7 access control process. The network element operates as an application service gateway for the datacenter. Other methods and apparatuses are also described.

    Architecture for Scalable Virtual Network Services
    8.
    Type: Patent application
    Status: In force

    Publication number: US20130163606A1

    Publication date: 2013-06-27

    Application number: US13337379

    Filing date: 2011-12-27

    IPC classification: H04L12/56

    CPC classification: H04L49/356 H04L49/70

    Abstract: Techniques are provided to start a virtual service node that is configured to provide network traffic services for one or more virtual machines. The virtual service node has at least one associated service profile comprising identifiers for corresponding service policies for network traffic services. The service policies identified in the at least one associated service profile are retrieved. A virtual machine is started with an associated virtual interface and a port profile is applied to the virtual interface, including information identifying the service profile. Information is provided to the virtual service node that informs the virtual service node of network parameters and assigned service profile of the virtual machine. Network traffic associated with the virtual machine is intercepted and redirected to the virtual service node. A virtual service data path is provided that enables dynamic service binding, virtual machine mobility support, and virtual service node chaining and/or clustering.

    Multi-stage multi-core processing of network packets
    10.
    Type: Granted patent
    Status: In force

    Publication number: US08094560B2

    Publication date: 2012-01-10

    Application number: US12123223

    Filing date: 2008-05-19

    IPC classification: H04L12/28 H04L12/56

    Abstract: Techniques for multi-stage multi-core processing of network packets are described herein. In one embodiment, work units are received within a network element, each work unit representing a packet of different flows to be processed in multiple processing stages. Each work unit is identified by a work unit identifier that uniquely identifies a flow in which the associated packet belongs and a processing stage that the associated packet is to be processed. The work units are then dispatched to multiple core logic, such that packets of different flows can be processed concurrently by multiple core logic and packets of an identical flow in different processing stages can be processed concurrently by multiple core logic, in order to determine whether the packets should be transmitted to one or more application servers of a datacenter. Other methods and apparatuses are also described.
