2. METHODS AND SYSTEMS FOR SECURE COMMUNICATIONS USING A LOCAL CERTIFICATION AUTHORITY
    Type: Invention application
    Legal status: In force

    Publication number: US20100049970A1

    Publication date: 2010-02-25

    Application number: US12502983

    Filing date: 2009-07-14

    IPC classification: H04L29/06

    CPC classification: H04L63/0823 H04L63/166

    Abstract: A local network traffic processor and an application are resident on a common computer system. The application is configured to trust a server certificate issued by a local certification authority of the local network traffic processor, the local network traffic processor being operatively paired with a remote network traffic processor. A proxy server certificate, generated using identification information of a server associated with the remote network traffic processor and signed by the local certification authority, is used to establish a secure session between the local network traffic processor and the application.


3. REDUCING LATENCY OF SPLIT-TERMINATED SECURE COMMUNICATION PROTOCOL SESSIONS
    Type: Invention application
    Legal status: In force

    Publication number: US20090083538A1

    Publication date: 2009-03-26

    Application number: US12327693

    Filing date: 2008-12-03

    IPC classification: H04L9/00

    Abstract: A method is provided for establishing a split-terminated secure communication connection between a client and a server. A first network intermediary intercepts a secure communication connection request directed from the client to the server. A second intermediary having a digital certificate in the name of the server (and a corresponding private key) acts in place of the server to establish a first secure communication session with the client, during which it receives a secret from the client for generating the session key. The second intermediary supplies the secret and/or the session key to the first intermediary, which allows the first intermediary to establish follow-on secure communication sessions in which the secret is reused. The second intermediary may also supply the first intermediary with a copy of its certificate so that it can respond to new secure communication requests and, yet further, may also supply a copy of the private key.


4. Split termination for secure communication protocols
    Type: Granted invention patent
    Legal status: In force

    Publication number: US08613071B2

    Publication date: 2013-12-17

    Application number: US11489414

    Filing date: 2006-07-18

    IPC classification: G06F21/00

    Abstract: Transaction accelerators can be configured to terminate secure connections. A server-side accelerator intercepts a secure connection request that is from a client and that is directed to a server. The server-side accelerator responds to the secure connection request in place of the server, thereby establishing a secure connection between the client and the server-side accelerator. Alternatively, the server-side accelerator monitors the establishment of a secure connection between the client and the server. After the secure connection has been established, the server-side accelerator forwards security information to a client-side accelerator, enabling the client-side accelerator to assume control of the secure connection. As a result of this arrangement, the client-side accelerator is able to encrypt and decrypt data on the secure connection and accelerate it in cooperation with the server-side accelerator. In a further embodiment, the accelerated traffic between accelerators is carried across the network via another secure connection.


5. SERVER CONFIGURATION SELECTION FOR SSL INTERCEPTION
    Type: Invention application
    Legal status: Under examination (published)

    Publication number: US20090083537A1

    Publication date: 2009-03-26

    Application number: US12327681

    Filing date: 2008-12-03

    IPC classification: H04L9/00

    Abstract: A network intermediary device such as a transaction accelerator intercepts a client request for a secure communication connection with a server. The intermediary issues a substitute connection request to the server and receives a digital certificate during establishment of a secure communication session between the intermediary and the server. Based on information in the received digital certificate, the intermediary selects an appropriate operational configuration for responding to the client's request. The intermediary consults an ordered list or other collection of digital certificates it possesses, and chooses one having a common name that matches the server's common name. The match may comprise the first matching name, the longest match, the best match, the broadest match (e.g., a certificate having a name that includes one or more wildcard characters), etc. The intermediary then uses the selected certificate (and corresponding private key) to establish a secure communication session with the client.


6. THROTTLING OF PREDICTIVE ACKS IN AN ACCELERATED NETWORK COMMUNICATION SYSTEM
    Type: Invention application
    Legal status: In force

    Publication number: US20080005274A1

    Publication date: 2008-01-03

    Application number: US11754940

    Filing date: 2007-05-29

    IPC classification: G06F15/16

    Abstract: In a system where transactions are accelerated with asynchronous writes that require acknowledgements, with writes being pre-acknowledged at their source, a destination-side transaction accelerator includes a queue for queuing writes to a destination, at least some of the writes being pre-acknowledged by a source-side transaction accelerator prior to the write completing at the destination, a memory for storing a status of the destination-side queue and possibly other determinants, and logic for signaling to the source-side transaction accelerator with instructions to alter pre-acknowledgement rules so as to hold off on, or proceed with, pre-acknowledgements based on the destination-side queue status. The rules can take into account adjusting the flow of pre-acknowledged requests or pre-acknowledgements at the sender-side transaction accelerator based at least on the computed logical length.


7. Throttling of predictive ACKs in an accelerated network communication system
    Type: Granted invention patent
    Legal status: In force

    Publication number: US08463843B2

    Publication date: 2013-06-11

    Application number: US11754940

    Filing date: 2007-05-29

    IPC classification: G06F15/16

    Abstract: In a system where transactions are accelerated with asynchronous writes that require acknowledgements, with writes being pre-acknowledged at their source, a destination-side transaction accelerator includes a queue for queuing writes to a destination, at least some of the writes being pre-acknowledged by a source-side transaction accelerator prior to the write completing at the destination, a memory for storing a status of the destination-side queue and possibly other determinants, and logic for signaling to the source-side transaction accelerator with instructions to alter pre-acknowledgement rules so as to hold off on, or proceed with, pre-acknowledgements based on the destination-side queue status. The rules can take into account adjusting the flow of pre-acknowledged requests or pre-acknowledgements at the sender-side transaction accelerator based at least on the computed logical length.


8. Method and apparatus for split-terminating a secure network connection, with client authentication
    Type: Granted invention patent
    Legal status: In force

    Publication number: US08438628B2

    Publication date: 2013-05-07

    Application number: US12826430

    Filing date: 2010-06-29

    IPC classification: G06F21/00

    Abstract: A method and apparatus are provided for split-terminating a secure client-server communication connection, with client authentication. During handshaking between the client and the server, cooperating network intermediaries relay the handshaking messages without altering them. At least one of the intermediaries possesses a private key of the server, and extracts a set of data fields from the handshaking messages, including a Client-Key-Exchange message that can be decrypted with the private key. The intermediary uses the extracted data to compute the client-server session key separately from the client's and the server's similar computation, and may transmit the key to the other intermediary via a secure communication channel. The client and the server thus establish the end-to-end client-server connection, and may authenticate each other, after which the network intermediaries may intercept and optimize the client-server communications transparently to the client and the server.


9. Split termination for secure communication protocols
    Type: Invention application
    Legal status: In force

    Publication number: US20070038853A1

    Publication date: 2007-02-15

    Application number: US11489414

    Filing date: 2006-07-18

    IPC classification: H04L9/00

    Abstract: Transaction accelerators can be configured to terminate secure connections. A server-side accelerator intercepts a secure connection request that is from a client and that is directed to a server. The server-side accelerator responds to the secure connection request in place of the server, thereby establishing a secure connection between the client and the server-side accelerator. Alternatively, the server-side accelerator monitors the establishment of a secure connection between the client and the server. After the secure connection has been established, the server-side accelerator forwards security information to a client-side accelerator, enabling the client-side accelerator to assume control of the secure connection. As a result of this arrangement, the client-side accelerator is able to encrypt and decrypt data on the secure connection and accelerate it in cooperation with the server-side accelerator. In a further embodiment, the accelerated traffic between accelerators is carried across the network via another secure connection.


10. Reducing latency of split-terminated secure communication protocol sessions
    Type: Granted invention patent
    Legal status: In force

    Publication number: US08478986B2

    Publication date: 2013-07-02

    Application number: US12327693

    Filing date: 2008-12-03

    IPC classification: H04L29/06

    Abstract: A method is provided for establishing a split-terminated secure communication connection between a client and a server. A first network intermediary intercepts a secure communication connection request directed from the client to the server. A second intermediary having a digital certificate in the name of the server (and a corresponding private key) acts in place of the server to establish a first secure communication session with the client, during which it receives a secret from the client for generating the session key. The second intermediary supplies the secret and/or the session key to the first intermediary, which allows the first intermediary to establish follow-on secure communication sessions in which the secret is reused. The second intermediary may also supply the first intermediary with a copy of its certificate so that it can respond to new secure communication requests and, yet further, may also supply a copy of the private key.
