TREA

Application aware systems and methods to process user loadable network applications

Follow

Information

  • Patent Grant
  • 10389835
  • Patent Number
    10,389,835
  • Date Filed
    Tuesday, January 10, 2017
    8 years ago
  • Date Issued
    Tuesday, August 20, 2019
    5 years ago
Information
Abstract
Described herein are methods and systems for application aware fastpath processing over a data network. In some examples, application fastpath operates to facilitate application specific fastpath processing of data packets transferred between a client device and a server device over a network session of a data network.
Description
CROSS REFERENCE TO RELATED APPLICATIONS

This application is related to co-pending U.S. patent application Ser. No. 14/995,136 filed on Jan. 13, 2016 and entitled “System and Method to Process a Chain of Network Applications”. The disclosure of the above-referenced application is incorporated herein in its entirety for all purposes.


FIELD OF THE INVENTION

This invention relates generally to data networks and more particularly to a data network operating application aware fastpath processing of network data traffic.


DESCRIPTION OF THE RELATED ART

In a typical network deployment scenario, a company, such as a service provider or a corporation, constructs a data network by purchasing or leasing one or more network devices, connects the devices with each other and to servers and gateways and configures the devices to reflect the network design. Although the data network is controlled and operated by the company, the company relies exclusively on the equipment vendor to provide functionality of the network devices. When the company purchases a personal computer or a server computer, the company can purchase or develop application software and download the software onto the computers. This application software is typically not supplied by the computer manufacturers. With this application software, the company can design a custom computing environment to fit their specific business needs. However, the company cannot add any network applications to their network devices.


It should be apparent from the foregoing that there is a need to provide a method to operate a user downloadable network application on a network device, and to provide application layer processing support to the user downloadable network application. There is also a need to provide fastpath processing by a data network that is specific to the many types of application data traffic that is processed by the network.


SUMMARY

This summary is provided to introduce a selection of concepts in a simplified form that are further described in the Detailed Description below. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.


According to some embodiments, the present technology is directed to a servicing node comprising a fastpath module for processing data packets, wherein the fastpath module: receives an application service request data packet from a client device, over a network session between the client device and the servicing node; obtains one or more network addresses from the data packet and matches the obtained one or more network addresses with a session table for the network session between the client device and the servicing node; determines that the one or more network addresses match an ingress session of the session table; stores the application service request data packet into an ingress message; and transmits the data packet to a server using egress session information.


According to other embodiments, the present technology is directed to a corresponding method for processing data packets via a fastpath module stored in memory at a servicing node and executed by at least one processor.





BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments are illustrated by way of example and not by limitation in the figures of the accompanying drawings, in which like references indicate similar elements.



FIG. 1 illustrates an embodiment of a network servicing node processing a session based on an application aware fastpath.



FIG. 2 illustrates a network node.



FIG. 3 illustrates an exemplary embodiment of processing a data packet of an ingress TCP session.



FIG. 4 illustrates an exemplary embodiment of processing a data packet of an egress TCP session.



FIG. 5 illustrates an exemplary embodiment of a HTTP network application.



FIG. 6 illustrates an exemplary embodiment of a NAT network application.



FIG. 7 illustrates an exemplary embodiment of a TCP proxy network application.





DETAILED DESCRIPTION

The following detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show illustrations in accordance with example embodiments. These example embodiments, which are also referred to herein as “examples,” are described in enough detail to enable those skilled in the art to practice the present subject matter. The embodiments can be combined, other embodiments can be utilized, or structural, logical, and electrical changes can be made without department from the scope of what is claimed. The following detailed description is therefore not to be taken in a limiting sense, and the scope is defined by the appended claims and their equivalents.



FIG. 1 illustrates an exemplary embodiment of a servicing node processing a service session between a client device and a server device according to a user loadable network application. In one embodiment, client 101 conducts a communication service session 140 (also referred to herein as session 140) with server 201 over data network 500. A data packet 141 of session 140 is sent to data network 500 from client 101 or server 201 and a data packet 142 of session 140 is sent to data network 500 from server 201 to client 101. Data packets 141 and 142 are processed by servicing node 501. Servicing node 501 may modify both data packets and forward the possibly modified data packets to server 201 or client 101 respectively, according to a network application 551 residing in servicing node 501. In the exemplary embodiment depicted in FIG. 1, servicing node 501 includes a fastpath module 563 which is application layer aware and provides application layer processing for network application 551 such that network application 551 does not need to perform similar processing.


In various embodiments, servicing node 501 may be a hardware or software implementation, operating as a server load balancer, application delivery controller, router, physical or virtual switch, or any other network controller or component.


In one embodiment, data network 500 includes an Ethernet network, an ATM network, a cellular network, a wireless network, a Frame Relay network, an optical network, an IP network or any data communication network utilizing other physical layer, link layer capability or network layer to carry data packets.


In one embodiment, network application 551 is obtained by servicing node 501 via a network application store 701. Co-pending patent application Ser. No. 14/995,136 filed on Jan. 13, 2016 and entitled “System and Method to Process a Chain of Network Applications” describes a servicing node 501 obtaining network application 551 and is incorporated herein in its entirety. In various embodiments, network application store server 701 includes a server computer connected to data network 500 using a network module of the server computer. Network application store server 701 includes a storage storing a plurality of network applications. In one embodiment, network application store server 701 communicates and transfers network application 551 to servicing node 501 using a HTTP session, a file transfer session, a FTP session, a SIP session, an e-commerce session, an enterprise application session, an email session, a file sharing session, or a Web-based communication session. Network application 551 may be a plurality of network applications.


In an exemplary embodiment, session 140 is based on TCP protocol. Fastpath module 563 includes a TCP fastpath module 634 that processes session 140. TCP fastpath 634 processes an ingress TCP session 641 representing a section of session 140 between client 101 and servicing node 501, and an egress TCP session 642 representing a section of session 140 between servicing node 501 and server 201.


In an exemplary embodiment, fastpath module 563 includes an application fastpath module 631 which provides application layer processing capability for an application layer protocol used by network application 551. The application layer protocol can include one or more of HTTP, SIP, FTP, secure HTTP, instant messaging protocol, file transfer protocol, streaming protocol, or real time streaming protocol. Application layer processing capability can include one or more of TCP proxy, legal interception, firewall, secure session proxy, SSL proxy, proxy gateway, IP tunnel, IP-IP tunnel, IPv4-v6 tunnel, GRE, L2TP or other layer 3 tunnel gateway processing. Fastpath module 563 may be a high performance TCP stack that overrides the normal fastpath processing for network application 551. By being application layer aware, fastpath module 563 can be more discriminating in terms of which network application is performed and process network traffic differently based on the network application being implemented. Generally a fastpath module can process network traffic with less computing power and more throughput than a normal processing module. However, due to the minimal processing of most fastpath modules, they can lack the capability to discern different types of network traffic and apply different processing based on the application that the network traffic is directed to, or generated from. In the embodiment depicted in FIG. 1, fastpath module 563 includes application fastpath 631 which provides the application-specific fastpath processing of network data traffic.


In exemplary embodiments, servicing node 501 receives data packet 141 of session 140 from client 101. Fastpath module 563 determines data packet 141 is associated to ingress TCP session 641. TCP fastpath 634 processes data packet 141 according to information in ingress TCP session 641, and sends data packet 141 to application fastpath 631. In one embodiment, application fastpath 631 processes data packet 141, optionally modifies data packet 141 and sends processed data packet 141 to TCP fastpath 634, which sends data packet 141 to server 201 using egress TCP session 642 information. In one embodiment, application fastpath 631 informs network application 551 of data packet 641 and optionally sends data packet 141 to network application 551. In one embodiment, network application 551 sends a modified data packet 141 to application fastpath 631, which sends modified data packet 641 to TCP fastpath 634 for transmission to server 201.


In one embodiment, application fastpath 631 informs network application 551 an indication based on an application layer protocol, and sends data packet 141 to network application 551 as an application layer message. In one embodiment, application fastpath 631 combines data packet 141 with prior received data packets over ingress TCP session 641 into an application layer message prior to sending to network application 551. In one embodiment, network application 551 sends modified data packet 141 as an application layer message to application fastpath 631. In one embodiment application fastpath 631 sends received application layer message to server 201 using one or more TCP data packets over egress TCP session 642.


In one embodiment, servicing node 501 receives data packet 142 of session 140 from server 201. Fastpath module 563 determines data packet 142 is associated to egress TCP session 642. TCP fastpath 634 processes data packet 142 according to information in egress TCP session 642, and sends data packet 142 to application fastpath 631. In one embodiment, application fastpath 631 processes data packet 142, optionally modifies data packet 142 and sends processed data packet 142 to TCP fastpath 634, which sends data packet 142 to client 101 using ingress TCP session 641 information. In one embodiment, application fastpath 631 informs network application 551 of data packet 142 and optionally sends data packet 142 to network application 551. In one embodiment, network application 551 sends a modified data packet 142 to application fastpath 631, which sends modified data packet 641 to TCP fastpath 634 for transmission to client 101.


In one embodiment, application fastpath 631 informs network application 551 an indication based on an application layer protocol, and sends data packet 142 to network application 551 as an application layer message. For example, an application layer protocol of HTTP, SMT, or FTP may identify the associated application, thus allowing data packet 142 to be sent to the relevant processing module based on the application layer protocol. In one embodiment, application fastpath 631 combines data packet 141 with prior received data packets over egress TCP session 642 into the application layer message prior to sending to network application 551. In one embodiment, network application 551 sends modified data packet 142 as an application layer message to application fastpath 631. In one embodiment application fastpath 631 sends received application layer message to client 101 using one or more TCP data packets over ingress TCP session 641.



FIG. 2 illustrates an embodiment of a network node 510 which can be a servicing node, a network application store server, a client device or a server device. In one embodiment, network node 510 includes a processor module 560, a network module 530, and a computer storage module 540. In one embodiment, processor module 560 includes one or more processors which may be a micro-processor, an Intel processor, an AMD processor, a MIPS processor, an ARM-based processor, or a RISC processor. In one embodiment, processor module 560 includes one or more processor cores embedded in a processor. In one embodiment, processor module 560 includes one or more embedded processors, or embedded processing elements in a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), or Digital Signal Processor (DSP). In one embodiment, network module 530 includes a network interface such as Ethernet, optical network interface, a wireless network interface, T1/T3 interface, a WAN or LAN interface. In one embodiment, network module 530 includes a network processor. In one embodiment, storage module 540 includes RAM, DRAM, SRAM, SDRAM or memory utilized by processor module 560 or network module 530. In one embodiment, storage module 540 stores data utilized by processor module 560. In one embodiment, storage module 540 includes a hard disk drive, a solid state drive, an external disk, a DVD, a CD, or a readable external disk. Storage module 540 stores one or more computer programming instructions which when executed by processor module 560 or network module 530 implement one or more of the functionality of this present invention. In one embodiment network node 510 includes an input/output (I/O) module 570, which may include a keyboard, a keypad, a mouse, a gesture based input sensor, a microphone, a physical or sensory input peripheral, a display, a speaker, or a physical or sensual output peripheral.


In one embodiment, client device 101 is a computing device connected to data network 500 using a network module of client device 101. Client device 101 can be a personal computer, a laptop computer, a tablet, a smartphone, a mobile phone, an Internet phone, a netbook, a home gateway, a broadband gateway, a network appliance, a set top box, a media server, a personal media play, a personal digital assistant, an access gateway, a networking switch, a server computer, a network storage computer, or any computing device comprising a network module and a processor module.


In one embodiment, server device 201 is a server computer connected to data network 500 using a network module of the server computer. Server device 201 serves application service session 140 requested by client device 101. In one embodiment, application service session 140 includes a HTTP session, a file transfer session, a FTP session, a voice over IP session, a SIP session, a video or audio streaming session, an e-commerce session, an enterprise application session, an email session, an online gaming session, a teleconference session, or a Web-based communication session.



FIG. 3 illustrates an exemplary embodiment of processing an ingress TCP session. In one embodiment, client 101 sends data packet 141 of session 140 towards server 201 and fastpath module 563 receives data packet 141. In one embodiment, session 140 is based on TCP protocol. In one embodiment, fastpath module 563 includes a TCP fastpath module 634 which includes one or more computing programming instructions processing TCP protocol. TCP fastpath 634 receives and processes data packet 141.


In one embodiment, TCP fastpath 634 determines data packet 141 is a request to establish a TCP session. The request may be in the form of a TCP/SYN request. TCP fastpath 634 obtains one or more network addresses from data packet 141 and matches the obtained network addresses against service table 630. In one embodiment, the network addresses of data packet 141 include one or more of source IP address, source TCP port number, destination IP address and destination TCP port number. In one embodiment, TCP fastpath 634 determines there is a match for service table 630 and service table 630 provides an indication to application fastpath 631 for further processing of data packet 141. TCP fastpath 634 creates an ingress TCP session 641 record associating to data packet 141. In one embodiment, TCP fastpath 634 stores the obtained network addresses in ingress TCP session 641 and stores ingress TCP session 641 in session table 640. In one embodiment, TCP fastpath 634 stores an indication of application fastpath 631 in ingress TCP session 641. In one embodiment, TCP fastpath 634 sends data packet 141 to application fastpath 631.


In one embodiment, TCP fastpath 634 determines data packet 141 is not a request to establish a TCP session (i.e. a TCP session has already been established). TCP fastpath 634 obtains one or more network addresses from data packet 141 and matches the obtained network addresses against session table 640. If TCP fastpath 634 determines there is a match with ingress TCP session 641 of session table 640, TCP fastpath 634 sends data packet 141 to application fastpath 631, to be processed according to an indication in ingress TCP session 641.


In one embodiment, application fastpath 631 receives data packet 141. Upon processing data packet 141, application fastpath 631 determines if an ingress application layer message has been received. If application fastpath 631 determines data packet 141 is a TCP session request, application fastpath 631 may determine an ingress message 646 is received and stores the TCP session request indication into ingress message 646. In one embodiment, application fastpath 631 determines data packet 141 does not provide sufficient information for an ingress message, application fastpath 631 stores data packet 141 for further processing. For example, if a session has been established, but no relevant data has been exchanged or action taken yet over the session, application fastpath 631 may store data packet 141 until application fastpath 631 can determine what actions will be taken over the session. In one embodiment, application fastpath 631 determines data packet 141, in conjunction with previously stored received data packet from ingress TCP session 641, an ingress message 646 is received. Application fastpath 631 stores the combined data packets into ingress message 646.


In one embodiment, application fastpath 631 sends ingress message 646 to network application 551.


In one embodiment, application fastpath 631 determines a type for ingress message 646 and includes the type into ingress message 646. Ingress message 646 type can be, among other things, one of a TCP session request, an application session request, an application data message, an application session disconnect, an application session error, or a TCP session disconnect.


In one embodiment, application fastpath 631 creates a session context 652 and stores ingress TCP session 641 information such as the one or more network addresses of ingress TCP session 641 into session context 652. In one embodiment application fastpath 631 sends session context 652 to network application 551.


In one embodiment, network application 551 receives ingress message 646, receives session context 652, and processes ingress message 646 and session context 652. In some embodiments, network application 551 stores a server 201 network address into session context 652, so as for application fastpath to create an egress TCP session 642 with server 201. Network application may also store a source network address to be used for the creation of egress TCP session 642. In various embodiments, network application 551 sends modified session context 652 to application fastpath 631. Network application 551 may send an indication to application fastpath 631 to establish egress TCP session 642 with server 201.


In one embodiment, network application 551 modifies ingress message 646 and sends modified ingress message 646 to application fastpath 631.


In one embodiment, application fastpath 631 receives modified session context 652 from network application 551. In one embodiment, application fastpath 631 receives an indication to establish egress TCP session 642 with server 201. Application fastpath 631 obtains server 201 network address information from session context 652. In one embodiment, network address of server 201 is stored in session context 652 by network application 551 and application fastpath 631 obtains the server 201 network address from session context 652. In one embodiment, application fastpath 631 uses the destination network address of ingress TCP session 641 stored in session context 652 as server 201 network address. In one embodiment, network application 551 specifies a source network address for egress TCP session 642 in session context 652, application fastpath 631 obtains the source network address. In one embodiment, application fastpath 631 selects a source network address for egress TCP session 642. Application fastpath 631 instructs TCP fastpath 634 to establish egress TCP session 642 with server 201, using the source network address and server 201 network address. The source network address may be the same as the network address for the client 101. In various embodiments, application fastpath 631 receives an indication from TCP fastpath 634 that egress TCP session 642 is successfully established, application fastpath 631 stores egress TCP session 642 information into session context 652. Application fastpath 631 may also store the source network address and server 201 network address into session context 652.


In one embodiment, after establishing egress TCP session 642, application fastpath 631 sends ingress message 646 to server 201, by instructing TCP fastpath 634 to send ingress message 646 over egress TCP session 642. In one embodiment, application fastpath 631 receives a modified ingress message 646 from network application 551 and sends the modified ingress message 646 to server 201. In one embodiment, application fastpath 631 processes ingress message 646 and optionally modifies ingress message 646. Application fastpath 631 sends ingress message 646 to server 201 after processing.


In one embodiment, TCP fastpath 634 receives an instruction from application fastpath 631 to establish egress TCP session 642 with server 201. TCP fastpath 634 obtains a source network address and a server 201 network address from application fastpath 631. TCP fastpath 634 then establishes egress TCP session 642 with server 201. Upon establishing egress TCP session 642, TCP fastpath 634 creates an egress TCP session 642 record and stores egress TCP session 642 record into session table 640. In one embodiment, TCP fastpath 634 sends egress TCP session 642 information to application fastpath 631.


In one embodiment, TCP fastpath 634 receives ingress message 646 from application fastpath 631. TCP fastpath 634 sends ingress message 646 to server 201 using one or more TCP data packets over egress TCP session 642.



FIG. 4 illustrates an exemplary embodiment of processing an egress TCP session. In one embodiment, Fastpath module 563 receives data packet 142 from server 201. Fastpath module 563 determines data packet 142 includes a TCP data packet and instructs TCP fastpath 634 to process data packet 142.


In one embodiment, TCP fastpath 634 matches data packet 142 against session table 640. TCP fastpath 634 obtains one or more network addresses from data packet 142 and matches the one or more network addresses against session table 640. In one embodiment TCP fastpath 634 determines there is a match with egress TCP session 642. TCP fastpath 634 sends data packet 142 to application fastpath 631 according to egress TCP session 642.


In one embodiment, application fastpath 631 receives data packet 142 over egress TCP session 642 from TCP fastpath 634. Application fastpath 631 retrieves session context 652 according to egress TCP session 642. Application fastpath 631 then processes data packet 142 and determines if an egress application layer message is received. In one embodiment, application fastpath 631 determines an egress message 647 is received and stores data packet 142 into egress message 647. In one embodiment, application fastpath 631 determines there is not sufficient information for an egress message, and application fastpath 631 stores data packet 142 for later processing. In one embodiment, application fastpath 631 determines that an egress message 647 is received from data packet 142 in combination with previously stored data packets. Application fastpath 631 stores the combined data packets into egress message 647. In one embodiment, application fastpath 631 determines an egress message type, which can be a TCP session establishment completion, a TCP session reset, a TCP session disconnect, an application layer data packet, a response to an application request, an application error message, or other application layer message. Application fastpath 631 may store the egress message type into egress message 647. In one embodiment, application fastpath 631 sends egress message 647 to network application 551. In one embodiment, application fastpath 631 sends egress message 647 at a request from network application 551. In one embodiment, application fastpath 631 sends session context 652 to network application 551 together with egress message 647. In one embodiment, application fastpath 631 does not send egress message 647 to network application 551.


In one embodiment network application 551 receives and processes egress message 647. In one embodiment, network application 551 modifies egress message 647 and sends modified egress message 647 to application fastpath 631. In one embodiment, network application 551 does not modify egress message 647. In one embodiment, network application 551 sends an indication to application fastpath 631 to continue processing egress message 647.


In one embodiment application fastpath 631 receives modified egress message 647 and possibly a continuation indication from network application 551. In one embodiment, application fastpath 631 processes egress message 647, with or without modification from network application 551, and possibly further modifies egress message 647. Upon processing egress message 647, application fastpath 631 instructs TCP fastpath 634 to send egress message 647 to client 101 over ingress TCP session 641, according to information stored in session context 652.


In one embodiment, TCP fastpath 634 receives egress message 647 and an instruction to send egress message 647 to client 101 over ingress TCP session 641. TCP fastpath 634 sends egress message 647 using one or more TCP data packets over ingress TCP session 641 to client 101.



FIG. 5 illustrates an exemplary embodiment of a Fastpath assisting a HTTP-based network application. FIG. 5 is to be read in combination of FIG. 3 and FIG. 4. In this embodiment, network application 551 includes an HTTP application 552, a network application based on HTTP protocol. In one embodiment, HTTP application 552 includes functionality of one or more of server selection, server load balancing, cookie insertion and removal, HTTP proxy, secure HTTP proxy, HTTP firewall, HTTP-based threat protection system (TPS), and XML firewall. In one embodiment, ingress message 646 can be an HTTP request message such as a GET-REQUEST or a POST-REQUEST. An egress message 647 can be an HTTP response message. Application fastpath 631 includes HTTP fastpath, which may process cookie insertion or removal, HTTP header pattern substitution, or HTTP content processing.


In one embodiment, HTTP application 552 indicates to application fastpath 631 to send both HTTP request messages and HTTP response messages to HTTP application 552. In one embodiment, HTTP application 552 indicates to application fastpath 631 to send only HTTP request messages. In one embodiment, HTTP application 552 provides server 201 information to HTTP fastpath to establish egress TCP session with server 201. In one embodiment, HTTP application 552 provides cookie information and other information to HTTP fastpath such that HTTP fastpath can process cookie insertion/removal and other HTTP data packet processing. In this way, server selection by HTTP application 552 may occur based on content of the data packet being processed, rather than simply the source and destination.


Application fastpath 631, operating in conjunction with HTTP fastpath, allows for fastpath processing of the specific structure of http packets (header and body), in compliance with the protocol. Thus, in the exemplary embodiment of FIG. 5, application fastpath 631 is able to parse the data packets according to the HTTP syntax and grammar.


In various embodiments of the present disclosure, a user of a network node 510 can create and apply custom network applications with application layer processing on network node 510. The user-created custom network applications may override previous network application(s) operating on a network node 510 or may supplement network application(s) previously operating on network node 510. For example, if data is arriving from a mobile network, a user may desire a custom TCP stack. Embodiments of the present disclosure allow a user to insert headers with the disclosed modules that are proprietary and specific to the user's needs. The network node 510 and modules operating in conjunction with network node 510 provide insertion points for application level processing done by the user. While the above HTTP fastpath example illustrates one exemplary method of custom operation, other methods of custom operation are within the scope of the present disclosure.



FIG. 6 illustrates an exemplary embodiment of a fastpath module assisting a network application based on network address translation (NAT). FIG. 6 is to be read in combination of FIG. 3 and FIG. 4. In this embodiment, network application 551 includes an NAT application 553, a network application handling network address translation. In one embodiment, NAT application 553 includes functionality of one or more of source network address selection, port address selection, application level gateway (ALG), and application level gateway processing for SIP, FTP or other protocols. In one embodiment, ingress message 646 can be a TCP session request message or a TCP data packet. An egress message 647 can be a TCP data packet. Application fastpath 631 includes network address transition (NAT) fastpath, which may include processing for network address substitution, or ALG for a plurality of application layer protocols.


In one embodiment, NAT application 553 indicates to application fastpath 631 to send both ingress TCP session request message, ingress TCP data packets and egress TCP data packets to NAT application 553. In one embodiment, NAT application 553 indicates to application fastpath 631 to send only ingress TCP session request message. In one embodiment, NAT application 553 provides information to application fastpath 631 to perform network address substitution or ALG processing. In this way, application fastpath 631, when including NAT fastpath, may allow for the payload of data packets to be changed in accordance with network address translation through the application fastpath 631 since the data packets may have the network addresses embedded in the payload itself.



FIG. 7 illustrates an exemplary embodiment of a Fastpath module assisting a network application providing TCP proxy functionality. FIG. 7 is to be read in combination with FIG. 3 and FIG. 4. In this embodiment, network application 551 includes a TCP proxy application 554, a network application providing TCP proxy functionality. In one embodiment, TCP proxy application 554 includes functionality of one or more of server address selection, network and/or port address selection, secure TCP session proxy functionality, SSL proxy functionality, deep packet inspection and/or other security functionality. In one embodiment, ingress message 646 can be a TCP session request message or a TCP data packet. An egress message 647 can be a TCP data packet. Application fastpath 631 includes TCP proxy fastpath, which may include processing capability for network address substitution, ALG for one or more of application layer protocols, encryption and decryption, packet tracing, or other security related processing.


In one embodiment, TCP proxy application 554 indicates to application fastpath 631 to send TCP session request messages, ingress TCP data packets and egress TCP data packets to TCP proxy application 554. In one embodiment, TCP proxy application 554 indicates to application fastpath 631 to send only TCP session request messages. In one embodiment, TCP proxy application 554 indicates to application fastpath 631 network address translation and ALG information such that TCP proxy fastpath can perform network address substitution and ALG for ingress TCP session and egress TCP session. In one embodiment, TCP proxy application 554 provides to TCP proxy fastpath attributes related to security processing.


The above description is illustrative and not restrictive. Many variations of the invention will become apparent to hose of skill in the art upon review of this disclosure. The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the appended claims along with their full scope of equivalents. While the present invention has been described in connection with a series of embodiments, these descriptions are not intended to limit the scope of the invention to the particular forms set forth herein. It will be further understood that the methods of the invention are not necessarily limited to the discrete steps or the order of the steps described. To the contrary, the present descriptions are intended to cover such alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims and otherwise appreciated by one of ordinary skill in the art.

Claims
  • 1. A servicing node comprising: a fastpath module for processing data packets, the fastpath module stored in memory at the servicing node and executed by at least one processor, wherein the fastpath module: receives an application service request data packet from a client device, over a network session between the client device and the servicing node;obtains one or more network addresses from the application service request data packet and matches the obtained one or more network addresses with a session table for the network session between the client device and the servicing node;determines that the one or more network addresses match an ingress session of the session table, the session table storing an indication for processing application service request data packets associated with the ingress session using a network application residing at the servicing node, wherein the network application includes a user-loadable network application loaded into the servicing node by a user of the servicing node;stores the application service request data packet into an ingress message;based on the indication, sending the ingress message to the network application for processing; andupon the processing, transmits the application service request data packet to a server using egress session information.
  • 2. The servicing node of claim 1, wherein the servicing node is a server load balancer.
  • 3. The servicing node of claim 1, wherein the servicing node is an application delivery controller.
  • 4. The servicing node of claim 1, wherein the ingress message is an application layer message.
  • 5. The servicing node of claim 1, wherein the fastpath module further: processes the application service request data packet according to an application layer protocol used by the network application.
  • 6. The servicing node of claim 5, wherein the application layer protocol is one of: HTTP, SIP, FTP, secure HTTP, instant messaging protocol, file transfer protocol, streaming protocol, or real time streaming protocol.
  • 7. The servicing node of claim 1, wherein the fastpath module is a high performance TCP stack.
  • 8. The servicing node of claim 1, wherein the fastpath module transmits the ingress message to the network application via fastpath processing.
  • 9. The servicing node of claim 1, wherein the fastpath module further: receives a response data packet from the server;determines that the data packet is associated to the egress session;processes the data packet according to egress session information; andsends the processed data packet to the client device using ingress session information.
  • 10. The servicing node of claim 9, wherein the egress session information and the ingress session information are stored in the session table.
  • 11. The servicing node of claim 9, wherein the egress session and the ingress session are TCP sessions.
  • 12. The servicing node of claim 9, wherein the egress session and the ingress session are HTTP sessions.
  • 13. The servicing node of claim 9, wherein the egress session and the ingress session are SIP sessions.
  • 14. A method for processing data packets via a fastpath module stored in memory at a servicing node and executed by at least one processor, the method comprising: receiving an application service request data packet from a client device, over a network session between the client device and the servicing node;obtaining one or more network addresses from the application service request data packet and matching the obtained one or more network addresses with a session table for the network session between the client device and the servicing node;determining that the one or more network addresses match an ingress session of the session table, the session table storing an indication for processing application service request data packets associated with the ingress session using a network application residing at the servicing node, wherein the network application includes a user-loadable network application loaded to the servicing node by a user of the servicing node;storing the application service request data packet into an ingress message;based on the indication, sending the ingress message to the network application for processing; andupon the processing, transmitting the application service request data packet to a server using egress session information.
  • 15. The method of claim 14, wherein the servicing node is an application delivery controller.
  • 16. The method of claim 14, wherein the ingress message is an application layer message.
  • 17. The method of claim 14, further comprising: processing the application service request data packet according to an application layer protocol used by the network application.
  • 18. The method of claim 17, wherein the application layer protocol is one of: HTTP, SIP, FTP, secure HTTP, instant messaging protocol, file transfer protocol, streaming protocol, or real time streaming protocol.
  • 19. The method of claim 14, wherein the ingress message is transmitted to the network application via fastpath processing.
  • 20. The method of claim 14, further comprising: receiving a response data packet from the server;determining that the data packet is associated to the egress session;processing the data packet according to egress session information; andsending the processed data packet to the client device using ingress session information.
US Referenced Citations (212)
Number Name Date Kind
5774660 Brendel et al. Jun 1998 A
5862339 Bonnaure et al. Jan 1999 A
5875185 Wang et al. Feb 1999 A
5958053 Denker Sep 1999 A
6003069 Cavill Dec 1999 A
6047268 Bartoli et al. Apr 2000 A
6075783 Voit Jun 2000 A
6131163 Wiegel Oct 2000 A
6321338 Porras et al. Nov 2001 B1
6374300 Masters Apr 2002 B2
6456617 Oda et al. Sep 2002 B1
6483600 Schuster et al. Nov 2002 B1
6535516 Leu et al. Mar 2003 B1
6578066 Logan et al. Jun 2003 B1
6587866 Modi et al. Jul 2003 B1
6600738 Alperovich et al. Jul 2003 B1
6658114 Farn et al. Dec 2003 B1
6772205 Lavian et al. Aug 2004 B1
6772334 Glawitsch Aug 2004 B1
6779033 Watson et al. Aug 2004 B1
6804224 Schuster et al. Oct 2004 B1
7010605 Dharmarajan Mar 2006 B1
7058718 Fontes et al. Jun 2006 B2
7069438 Balabine et al. Jun 2006 B2
7143087 Fairweather Nov 2006 B2
7167927 Philbrick et al. Jan 2007 B2
7181524 Lele Feb 2007 B1
7228359 Monteiro Jun 2007 B1
7254133 Govindarajan et al. Aug 2007 B2
7269850 Govindarajan et al. Sep 2007 B2
7301899 Goldstone Nov 2007 B2
7310686 Uysal Dec 2007 B2
7328267 Bashyam et al. Feb 2008 B1
7337241 Boucher et al. Feb 2008 B2
7343399 Hayball et al. Mar 2008 B2
7370353 Yang May 2008 B2
7373500 Ramelson et al. May 2008 B2
7391725 Huitema et al. Jun 2008 B2
7398317 Chen et al. Jul 2008 B2
7423977 Joshi Sep 2008 B1
7430755 Hughes et al. Sep 2008 B1
7467202 Savchuk Dec 2008 B2
7506360 Wilkinson et al. Mar 2009 B1
7512980 Copeland et al. Mar 2009 B2
7552323 Shay Jun 2009 B2
7584262 Wang et al. Sep 2009 B1
7590736 Hydrie et al. Sep 2009 B2
7610622 Touitou et al. Oct 2009 B2
7613193 Swami et al. Nov 2009 B2
7613822 Joy et al. Nov 2009 B2
7673072 Boucher et al. Mar 2010 B2
7675854 Chen et al. Mar 2010 B2
7711790 Barrett et al. May 2010 B1
7733866 Mishra et al. Jun 2010 B2
7747748 Allen Jun 2010 B2
7826487 Mukerji et al. Nov 2010 B1
7965727 Sakata et al. Jun 2011 B2
7979694 Touitou et al. Jul 2011 B2
7990847 Leroy et al. Aug 2011 B1
7992201 Aldridge et al. Aug 2011 B2
8081640 Ozawa et al. Dec 2011 B2
8090866 Bashyam et al. Jan 2012 B1
8099492 Dahlin et al. Jan 2012 B2
8116312 Riddoch et al. Feb 2012 B2
8122116 Matsunaga et al. Feb 2012 B2
8151019 Le et al. Apr 2012 B1
8185651 Moran et al. May 2012 B2
8261339 Aldridge et al. Sep 2012 B2
8379515 Mukerji Feb 2013 B1
8559437 Mishra et al. Oct 2013 B2
8560693 Wang et al. Oct 2013 B1
RE44701 Chen et al. Jan 2014 E
8681610 Mukerji Mar 2014 B1
8782221 Han Jul 2014 B2
8977749 Han Mar 2015 B1
8996670 Kupinsky et al. Mar 2015 B2
9094364 Jalan et al. Jul 2015 B2
9106561 Jalan et al. Aug 2015 B2
9137301 Dunlap et al. Sep 2015 B1
9154584 Han Oct 2015 B1
9386088 Zheng et al. Jul 2016 B2
9455956 Mihelich et al. Sep 2016 B2
9531846 Han et al. Dec 2016 B2
9602442 Han Mar 2017 B2
20010042200 Lamberton et al. Nov 2001 A1
20020026515 Michielsens et al. Feb 2002 A1
20020032799 Wiedeman et al. Mar 2002 A1
20020078164 Reinschmidt Jun 2002 A1
20020091844 Craft et al. Jul 2002 A1
20020103916 Chen et al. Aug 2002 A1
20020138618 Szabo Sep 2002 A1
20020141386 Minert et al. Oct 2002 A1
20020143991 Chow et al. Oct 2002 A1
20020188678 Edecker et al. Dec 2002 A1
20030009591 Hayball et al. Jan 2003 A1
20030035409 Wang et al. Feb 2003 A1
20030061506 Cooper et al. Mar 2003 A1
20030135625 Fontes et al. Jul 2003 A1
20040010545 Pandya Jan 2004 A1
20040062246 Boucher et al. Apr 2004 A1
20040073703 Boucher Apr 2004 A1
20040078419 Ferrari et al. Apr 2004 A1
20040078480 Boucher et al. Apr 2004 A1
20040103315 Cooper et al. May 2004 A1
20040250059 Ramelson et al. Dec 2004 A1
20050005207 Herneque Jan 2005 A1
20050036511 Baratakke et al. Feb 2005 A1
20050039033 Meyers et al. Feb 2005 A1
20050080890 Yang et al. Apr 2005 A1
20050163073 Heller et al. Jul 2005 A1
20050198335 Brown et al. Sep 2005 A1
20050213586 Cyganski et al. Sep 2005 A1
20050240989 Kim et al. Oct 2005 A1
20050281190 McGee et al. Dec 2005 A1
20060023721 Miyake et al. Feb 2006 A1
20060036610 Wang Feb 2006 A1
20060041745 Parnes Feb 2006 A1
20060069804 Miyake et al. Mar 2006 A1
20060164978 Werner et al. Jul 2006 A1
20060168319 Trossen Jul 2006 A1
20060230129 Swami et al. Oct 2006 A1
20060280121 Matoba Dec 2006 A1
20070019543 Wei et al. Jan 2007 A1
20070022479 Sikdar et al. Jan 2007 A1
20070076653 Park et al. Apr 2007 A1
20070124502 Li May 2007 A1
20070180119 Khivesara et al. Aug 2007 A1
20070185998 Touitou et al. Aug 2007 A1
20070195792 Chen et al. Aug 2007 A1
20070230337 Igarashi et al. Oct 2007 A1
20070242738 Park et al. Oct 2007 A1
20070243879 Park et al. Oct 2007 A1
20070245090 King et al. Oct 2007 A1
20070248009 Petersen Oct 2007 A1
20080016161 Tsirtsis et al. Jan 2008 A1
20080031263 Ervin et al. Feb 2008 A1
20080076432 Senarath et al. Mar 2008 A1
20080120129 Seubert et al. May 2008 A1
20080225722 Khemani et al. Sep 2008 A1
20080253390 Das et al. Oct 2008 A1
20080291911 Lee et al. Nov 2008 A1
20080298303 Tsirtsis Dec 2008 A1
20090024722 Sethuraman et al. Jan 2009 A1
20090031415 Aldridge et al. Jan 2009 A1
20090077651 Poeluev Mar 2009 A1
20090092124 Singhal et al. Apr 2009 A1
20090138606 Moran et al. May 2009 A1
20090138945 Savchuk May 2009 A1
20090164614 Christian et al. Jun 2009 A1
20090285196 Lee et al. Nov 2009 A1
20090288134 Foottit et al. Nov 2009 A1
20100042869 Szabo et al. Feb 2010 A1
20100054139 Chun et al. Mar 2010 A1
20100061319 Aso et al. Mar 2010 A1
20100064008 Yan et al. Mar 2010 A1
20100095018 Khemani et al. Apr 2010 A1
20100106854 Kim et al. Apr 2010 A1
20100205310 Altshuler et al. Aug 2010 A1
20100228819 Wei Sep 2010 A1
20100235522 Chen et al. Sep 2010 A1
20100238828 Russell Sep 2010 A1
20100262819 Yang et al. Oct 2010 A1
20100265824 Chao et al. Oct 2010 A1
20100268814 Cross et al. Oct 2010 A1
20100318631 Shukla Dec 2010 A1
20100322252 Suganthi et al. Dec 2010 A1
20100333101 Pope et al. Dec 2010 A1
20110007652 Bai Jan 2011 A1
20110032941 Quach et al. Feb 2011 A1
20110060831 Ishii et al. Mar 2011 A1
20110083174 Aldridge et al. Apr 2011 A1
20110093522 Chen et al. Apr 2011 A1
20110099623 Garrard et al. Apr 2011 A1
20110149879 Noriega et al. Jun 2011 A1
20110209157 Sumida et al. Aug 2011 A1
20110276982 Nakayama et al. Nov 2011 A1
20110302256 Sureshehandra et al. Dec 2011 A1
20120008495 Shen et al. Jan 2012 A1
20120039175 Sridhar et al. Feb 2012 A1
20120117382 Larson et al. May 2012 A1
20120173759 Agarwal et al. Jul 2012 A1
20120215910 Wada Aug 2012 A1
20120290727 Tivig Nov 2012 A1
20130135996 Torres et al. May 2013 A1
20130136139 Zheng May 2013 A1
20130166762 Jalan et al. Jun 2013 A1
20130176854 Chisu et al. Jul 2013 A1
20130176908 Baniel et al. Jul 2013 A1
20130191486 Someya et al. Jul 2013 A1
20130250765 Ehsan Sep 2013 A1
20130258846 Damola Oct 2013 A1
20140012972 Han Jan 2014 A1
20140086052 Cai et al. Mar 2014 A1
20140169168 Jalan et al. Jun 2014 A1
20140207845 Han et al. Jul 2014 A1
20140254367 Jeong et al. Sep 2014 A1
20140258536 Chiong Sep 2014 A1
20140286313 Fu et al. Sep 2014 A1
20140359052 Joachimpillai et al. Dec 2014 A1
20150026794 Zuk et al. Jan 2015 A1
20150156223 Xu et al. Jun 2015 A1
20150237173 Virkki et al. Aug 2015 A1
20150244566 Puimedon Aug 2015 A1
20150296058 Jalan et al. Oct 2015 A1
20150312092 Golshan et al. Oct 2015 A1
20150350048 Sampat et al. Dec 2015 A1
20150350379 Jalan et al. Dec 2015 A1
20160014052 Han Jan 2016 A1
20160014126 Jalan et al. Jan 2016 A1
20170048107 Dosovitsky et al. Feb 2017 A1
20170048356 Thompson et al. Feb 2017 A1
20170201418 Jalan Jul 2017 A1
Foreign Referenced Citations (44)
Number Date Country
1372662 Oct 2002 CN
1473300 Feb 2004 CN
1529460 Sep 2004 CN
1575582 Feb 2005 CN
1910869 Feb 2007 CN
101189598 May 2008 CN
101442425 May 2009 CN
101682532 Mar 2010 CN
102123156 Jul 2011 CN
102577252 Jul 2012 CN
103533018 Jan 2014 CN
103944954 Jul 2014 CN
104040990 Sep 2014 CN
104137491 Nov 2014 CN
104796396 Jul 2015 CN
102577252 Mar 2016 CN
1209876 May 2002 EP
2296313 Mar 2011 EP
2760170 Jul 2014 EP
2760170 Dec 2015 EP
1189438 Jun 2014 HK
1199153 Jun 2015 HK
1199779 Jul 2015 HK
1200617 Aug 2015 HK
261CHE2014 Jul 2016 IN
2000307634 Nov 2000 JP
2014143686 Aug 2014 JP
5906263 Apr 2016 JP
1020130096624 Aug 2013 KR
101576585 Dec 2015 KR
269763 Feb 1996 TW
425821 Mar 2001 TW
444478 Jul 2001 TW
WO2001013228 Feb 2001 WO
WO2001014990 Mar 2001 WO
WO2003103237 Dec 2003 WO
WO2008053954 May 2008 WO
WO2011049770 Apr 2011 WO
WO2011079381 Jul 2011 WO
WO2013081952 Jun 2013 WO
WO2013096019 Jun 2013 WO
WO2014031046 Feb 2014 WO
WO2014093829 Jun 2014 WO
WO2015164026 Oct 2015 WO
Non-Patent Literature Citations (13)
Entry
Search Report and Written Opinion dated Jan. 5, 2018 for PCT Application No. PCT/US2017/057722.
Cardellini et al., “Dynamic Load Balancing on Web-server Systems”, IEEE Internet Computing, vol. 3, No. 3, May-Jun. 1999, 24 pages.
Goldszmidt et al., “NetDispatcher: A TCP Connection Router,” IBM Research Report RC 20853, May 19, 1997, pp. 1-31.
Koike et al., “Transport Middleware for Network-Based Control,” IEICE Technical Report, Jun. 22, 2000, vol. 100, No. 53, pp. 13-18.
Yamamoto et al., “Performance Evaluation of Window Size in Proxy-based TCP for Multi-hop Wireless Networks,” IPSJ SIG Technical Reports, May 15, 2008, vol. 2008, No. 44, pp. 109-114.
Abe et al., “Adaptive Split Connection Schemes in Advanced Relay Nodes,” IEICE Technical Report, Feb. 22, 2010, vol. 109, No. 438, pp. 25-30.
Gite, Vivek, “Linux Tune Network Stack (Buffers Size) to Increase Networking Performance,” nixCraft [online], Jul. 8, 2009 [retreived on Apr. 13, 2016], Retreived from the Internt: <URL:http://www.cyberciti.biz/faq/linux-tcp-tuning/>, 24 pages.
“Tcp—TCP Protocol,” FreeBSD, Linux Programmer's Manual [online], Nov. 25, 2007 [retreived on Apr. 13, 2016], Retreived from the Internet: <URL:https://www.freebsd.org/cgi/man.cgi?query=tcp&apropos=0&sektion=7&manpath=SuSE+Linux%2Fi386+11.0&format=asci>, 11 pages.
“Enhanced Interior Gateway Routing Protocol”, Cisco, Document ID 16406, Sep. 9, 2005 update, 43 pages.
Crotti, Manuel et al., “Detecting HTTP Tunnels with Statistical Mechanisms”, IEEE International Conference on Communications, Jun. 24-28, 2007, pp. 6162-6168.
Haruyama, Takahiro et al., “Dial-to-Connect VPN System for Remote DLNA Communication”, IEEE Consumer Communications and Networking Conference, CCNC 2008. 5th IEEE, Jan. 10-12, 2008, pp. 1224-1225.
Chen, Jianhua et al., “SSL/TLS-based Secure Tunnel Gateway System Design and Implementation”, IEEE International Workshop on Anti-counterfeiting, Security, Identification, Apr. 16-18, 2007, pp. 258-261.
“EIGRP MPLS VPN PE-CE Site of Origin (SoO)”, Cisco Systems, Feb. 28, 2006, 14 pages.
Related Publications (1)
Number Date Country
20180198879 A1 Jul 2018 US