DYNAMIC PATH SELECTION OF VPN ENDPOINT

    Publication No.: US20220394016A1

    Publication Date: 2022-12-08

    Application No.: US17570364

    Filing Date: 2022-01-06

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method that identifies multiple paths between a first site and a second site. A security association (SA) is established for transmitting encrypted payload from the first site to the second site in a virtual private network (VPN) session. The method selects a path based on metrics that are obtained for the paths. The selected path is defined by a first endpoint address of the first site and a second endpoint address of the second site. The method sends a message from the first site to the second site to update the SA to switch from using an original path to using the selected path. The message indicates the first and second endpoint addresses. The method transmits a packet including a payload that is encrypted according to the updated SA.

    MULTI-UPLINK PATH QUALITY AWARE IPSEC

    Publication No.: US20220394014A1

    Publication Date: 2022-12-08

    Application No.: US17570363

    Filing Date: 2022-01-06

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.

    LOAD BALANCING OF VPN TRAFFIC OVER MULTIPLE UPLINKS

    Publication No.: US20220393967A1

    Publication Date: 2022-12-08

    Application No.: US17570365

    Filing Date: 2022-01-06

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method that establishes multiple active uplinks for a VPN session with a VPN peer using a first uplink interface to access a first set of paths and a second uplink interface to access a second set of paths. The method selects a path from a pool of paths by using a hash value derived from data to be transmitted to a peer in the VPN session. The paths in the pool are identified from the first and second sets of paths based on performance metrics. When the selected path is accessible by the first uplink interface, the method transmits the data as an IPsec packet over the first uplink interface. When the selected path is accessible by the second uplink interface, the method transmits the data as an IPsec packet over the second uplink interface, wherein the data is encrypted according to a security association.

    DETERMINISTIC LOAD BALANCING OF IPSEC PACKET PROCESSING

    Publication No.: US20210136049A1

    Publication Date: 2021-05-06

    Application No.: US16802580

    Filing Date: 2020-02-27

    Applicant: VMWARE, INC.

    Abstract: Certain embodiments described herein are generally directed to systems and methods for deterministic load balancing of processing encapsulated encrypted data packets at a destination tunnel endpoint. For example, certain embodiments described herein relate to configuring a destination tunnel endpoint (TEP) with an encapsulating security payload (ESP) receive side scaling (RSS) mode to assign each incoming packet, received from a certain source endpoint (EP), to a certain RSS queue based on an identifier that is encoded in an SPI value included in the packet.

    Dynamic rekeying of IPSec security associations

    Publication No.: US11770389B2

    Publication Date: 2023-09-26

    Application No.: US17012235

    Filing Date: 2020-09-04

    Applicant: VMWARE, INC.

    Abstract: Certain embodiments described herein relate to a method for dynamically rekeying a security association. The method includes establishing, by a destination tunnel endpoint (TEP), an in-bound security association with a source TEP, with a first security parameter index (SPI) value, for encrypting data packets communicated between the source TEP and the destination TEP. The method further includes rekeying, by the destination TEP, the in-bound security association, the rekeying including generating a second SPI value for replacing the first SPI value based on a trigger event relating to at least one of a real-time security score of the in-bound security association, a number of security associations assigned to a compute resource that the in-bound security association is assigned to, an amount of load managed by the compute resource that the in-bound security association is assigned to, and an indication received from an administrator.

    IPSEC PROCESSING ON MULTI-CORE SYSTEMS

    Publication No.: US20220394017A1

    Publication Date: 2022-12-08

    Application No.: US17570366

    Filing Date: 2022-01-06

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method that receives an encapsulated packet for a virtual private network (VPN) session. The encapsulated packet includes (i) a set of flow identifiers of a network traffic flow that includes a user datagram protocol (UDP) port number and (ii) a payload encrypted according to a security association (SA). The method hashes the set of flow identifiers of the network traffic flow to select a processor core from a plurality of processor cores. The method uses the selected processor core to decrypt the payload in the encapsulated packet according to the SA.
