-
Publication No.: US20220394016A1
Publication Date: 2022-12-08
Application No.: US17570364
Application Date: 2022-01-06
Applicant: VMware, Inc.
Inventor: Deepika Solanki, Awan Kumar Sharma, Yong Wang, Sourabh Bhattacharya, Sarthak Ray
Abstract: Some embodiments provide a method that identifies multiple paths between a first site and a second site. A security association (SA) is established for transmitting encrypted payload from the first site to the second site in a virtual private network (VPN) session. The method selects a path based on metrics that are obtained for the paths. The selected path is defined by a first endpoint address of the first site and a second endpoint address of the second site. The method sends a message from the first site to the second site to update the SA to switch from using an original path to using the selected path. The message indicates the first and second endpoint addresses. The method transmits a packet including a payload that is encrypted according to the updated SA.
-
Publication No.: US20230143157A1
Publication Date: 2023-05-11
Application No.: US17564274
Application Date: 2021-12-29
Applicant: VMWARE, INC.
Inventor: Deepika Solanki, Yong Wang, Sarthak Ray
IPC: H04L9/40
CPC classification number: H04L63/029, H04L63/162, H04L63/0428
Abstract: The disclosure provides an approach for logical switch level load balancing of Layer 2 virtual private network (L2VPN) traffic. A method of securing communications with a peer gateway generally includes establishing, at a virtual tunnel interface of a local gateway, a plurality of security tunnels with the peer gateway. Each of the plurality of security tunnels is associated with a different set of one or more layer 2 segments and with one or more security associations (SAs) with the peer gateway. The method generally includes receiving a packet, at the local gateway, via a first L2 segment. The method generally includes selecting one of the plurality of security tunnels and an SA associated with the selected security tunnel based on the L2 segment via which the packet was received. The method generally includes encrypting and encapsulating the packet based on the selected security tunnel and SA.
-
Publication No.: US20220394014A1
Publication Date: 2022-12-08
Application No.: US17570363
Application Date: 2022-01-06
Applicant: VMware, Inc.
Inventor: Yong Wang, Awan Kumar Sharma, Sourabh Bhattacharya, Deepika Solanki, Sarthak Ray
IPC: H04L9/40, H04L45/42, H04L45/24, H04L47/125, H04L45/12
Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.
-
Publication No.: US20220393967A1
Publication Date: 2022-12-08
Application No.: US17570365
Application Date: 2022-01-06
Applicant: VMware, Inc.
Inventor: Deepika Solanki, Awan Kumar Sharma, Sourabh Bhattacharya, Yong Wang, Sarthak Ray
Abstract: Some embodiments provide a method that establishes multiple active uplinks for a VPN session with a VPN peer using a first uplink interface to access a first set of paths and a second uplink interface to access a second set of paths. The method selects a path from a pool of paths by using a hash value derived from data to be transmitted to a peer in the VPN session. The paths in the pool are identified from the first and second sets of paths based on performance metrics. When the selected path is accessible by the first uplink interface, the method transmits the data as an IPsec packet over the first uplink interface. When the selected path is accessible by the second uplink interface, the method transmits the data as an IPsec packet over the second uplink interface, wherein the data is encrypted according to a security association.
-
Publication No.: US20220394017A1
Publication Date: 2022-12-08
Application No.: US17570366
Application Date: 2022-01-06
Applicant: VMware, Inc.
Inventor: Deepika Solanki, Awan Kumar Sharma, Yong Wang, Sarthak Ray, Sourabh Bhattacharya
Abstract: Some embodiments provide a method that receives an encapsulated packet for a virtual private network (VPN) session. The encapsulated packet includes (i) a set of flow identifiers of a network traffic flow that includes a user datagram protocol (UDP) port number and (ii) a payload encrypted according to a security association (SA). The method hashes the set of flow identifiers of the network traffic flow to select a processor core from a plurality of processor cores. The method uses the selected processor core to decrypt the payload in the encapsulated packet according to the SA.
-
Publication No.: US20220393981A1
Publication Date: 2022-12-08
Application No.: US17570362
Application Date: 2022-01-06
Applicant: VMware, Inc.
Inventor: Deepika Solanki, Awan Kumar Sharma, Yong Wang, Sarthak Ray, Sourabh Bhattacharya
Abstract: Some embodiments provide a method that assigns, at a VPN client, a QoS class to each path of multiple paths based on performance metrics for paths. The paths are available for use by a VPN client to reach a VPN server. The method identifies a QoS class for a packet. The method selects a path based on the identified QoS class of the packet and the QoS class assigned to each path. The method transmits the packet using the selected path.