-
Publication No.: US10701107B2
Publication date: 2020-06-30
Application No.: US15833024
Filing date: 2017-12-06
Applicant: Nicira, Inc.
Inventors: Sushruth Gopal, Ly Loi, Yong Wang, Michael Parsa
Abstract: Certain embodiments described herein are generally directed to deterministic load balancing of processing encapsulated encrypted data packets at a destination tunnel endpoint. In some embodiments, an IPSec component residing within a destination tunnel endpoint is configured to select a CPU core ID of a virtual CPU using a CPU selection function. In some embodiments, the IPSec component selects an SPI value corresponding to the CPU core ID. In some embodiments, the IPSec component indicates the SPI value to a source tunnel endpoint for use in establishing an in-bound security association, wherein the in-bound security association is used by the source tunnel endpoint to encrypt a data packet received from the source endpoint and destined for the destination endpoint.
-
Publication No.: US11431677B2
Publication date: 2022-08-30
Application No.: US15868789
Filing date: 2018-01-11
Applicant: NICIRA, INC.
Inventors: Sushruth Gopal, Jayant Jain, Subrahmanyam Manuguri, Anirban Sengupta, Deepa Kalani, Alok Tiagi, Sushil Singh
IPC classification: H04L9/40, G06F9/455, H04L69/22, H04L69/329
Abstract: The method for implementing mechanisms for Layer 7 context accumulation for enforcing Layers 4, 7, and verb-based rules is presented. The method comprises: receiving stream data, and identifying a packet in the stream. If the packet includes Layer 7 headers: for each Layer 7 header: determining content of the packet identified by a Layer 7 header's identifier; and parsing the content to extract firewall input data. If one or more rules at least partially match the firewall input data, determining that a particular rule also includes additional information that cannot be found in the firewall input data; performing a DPI on the content to determine whether at least a portion of the additional information is found in the content; extracting additional input data from the content and adding it to the firewall input data; and applying the rules to the firewall input data to process the packet.
-
Publication No.: US20190253390A1
Publication date: 2019-08-15
Application No.: US15897129
Filing date: 2018-02-14
Applicant: Nicira, Inc.
IPC classification: H04L29/06
Abstract: Some embodiments provide a method that receives a packet, having a set of one or more layer 7 (L7) expressions, from a datapath. The method identifies a set of datapath firewall rules that match on expressions in the set of expressions. The method provides identifiers for the datapath firewall rules of the identified set to the datapath. The datapath uses the identifiers and additional packet header data to determine a matching firewall rule from the set of datapath firewall rules.
-
Publication No.: US10791092B2
Publication date: 2020-09-29
Application No.: US15897129
Filing date: 2018-02-14
Applicant: Nicira, Inc.
Abstract: Some embodiments provide a method that receives a packet, having a set of one or more layer 7 (L7) expressions, from a datapath. The method identifies a set of datapath firewall rules that match on expressions in the set of expressions. The method provides identifiers for the datapath firewall rules of the identified set to the datapath. The datapath uses the identifiers and additional packet header data to determine a matching firewall rule from the set of datapath firewall rules.
-