-
Publication No.: US11916879B2
Publication date: 2024-02-27
Application No.: US17567823
Filing date: 2022-01-03
Applicant: VMware LLC
Inventor: Manish Jain, Mani Kancherla
IPC: H04L9/40
CPC classification number: H04L63/0245, H04L63/0263, H04L63/0428, H04L63/166, H04L63/20
Abstract: Some embodiments of the invention provide a novel method for performing firewall operations on a computer. The method of some embodiments instantiates first and second firewall processes on the computer. These two processes are two separate processes, which in some embodiments have separate memory allocations in the memory system of the computer. The method uses the first firewall process to examine a data message to determine whether an encryption-based firewall policy (e.g., a TLS-based firewall policy) has to be enforced on the data message. Based on a determination that the encryption-based firewall policy has to be enforced on the data message, the method provides metadata, which is produced by the first firewall process in its examination of the data message, to the second firewall process. The second firewall process then uses the provided metadata to perform an encryption-based firewall operation based on the encryption-based firewall policy. In some embodiments, the data message is encrypted, the first firewall process cannot decrypt the data message, and the second firewall process performs a decryption operation (e.g., a TLS-based decryption operation) to decrypt the data message.
-
Publication No.: US12166816B2
Publication date: 2024-12-10
Application No.: US18123314
Filing date: 2023-03-19
Applicant: VMware LLC
Inventor: Jayant Jain, Anand Parthasarathy, Mani Kancherla, Anirban Sengupta
IPC: H04L67/1023, H04L12/46, H04L12/66, H04L47/125, H04L47/20, H04L67/1027, H04L101/622
Abstract: Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.
-
Publication No.: US11902050B2
Publication date: 2024-02-13
Application No.: US16941473
Filing date: 2020-07-28
Applicant: VMware LLC
Inventor: Sami Boutros, Anirban Sengupta, Mani Kancherla, Jerome Catrouillet, Sri Mohana Singamsetty
CPC classification number: H04L12/4641, G06F9/45558, H04L61/251, H04L63/1416, H04L69/22, G06F2009/4557, G06F2009/45595, H04L2212/00
Abstract: Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.
-
Publication No.: US12250194B2
Publication date: 2025-03-11
Application No.: US18102697
Filing date: 2023-01-28
Applicant: VMware LLC
Inventor: Sami Boutros, Mani Kancherla, Jayant Jain, Anirban Sengupta
IPC: H04L61/256, H04L12/66, H04L45/745, H04L61/2592, H04L61/5007, H04L101/659
Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and at a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways, and also significantly reduce the need to redirect packets received at the wrong host by using a capacity of off-the-shelf gateway devices to perform IPv6 encapsulation for IPv4 packets and by assigning locally unique IPv6 addresses, used by the gateway device, to each host executing a dSNAT middlebox service instance.