Patent Grant
10992709
In modern computing environments, there is often a need to connect remote computing systems together using a network. For example, organizations such as corporations often have branch offices, employees, or contractors spread across multiple locations both within a country and worldwide. Current networking technologies allow communication between these disparate computing environments through both public and private computer networks. Often, separate computing environments are connected to each other using the Internet. By allowing offices and employees to connect to each other, an organization can create a unified computing environment.
Connecting an organization across both publicly and privately linked networks can pose a security risk for sensitive data. As data passes across the Internet or other public networks, it becomes vulnerable to many different kinds of electronic attacks. While individual applications or connections can utilize protections such as encryption, organizations have an interest in providing a secure link between offices or employees for all network traffic. A variety of techniques can be used to provide such a link. For example, organizations may purchase or lease a direct physical connection between two locations that is not open to the public. Additionally, organizations can employ applications that encrypt data. Or organizations can utilize traditional Virtual Private Networks to allow for secure communication.
In addition to protecting sensitive data against security vulnerabilities, organizations must ensure that connections between remote computing environments are reliable and efficient. Organizations can improve reliability in a number of ways including utilizing multiple connections across different internet service providers or networks in order to ensure that if one connection fails, other connections are available to maintain the network. Connections can traverse public networks, such as the Internet, or directly connect two endpoints on a private link. Organizations can increase efficiency by spreading their network traffic across multiple connections to increase overall bandwidth or by employing specific networking protocols that can increase efficiency when used on direct, private links. In some instances, organizations might also utilize specific types of connections for specific applications or purposes that are separate from their general network traffic.
While organizations can utilize various technologies to address security and reliability issues separately, addressing both issues simultaneously can present technical challenges. Organizations can use technologies like Internet Protocol Security (“IPsec”), described in more detail below and in the Internet Engineering Task Force (“IETF”) Request For Comment (“RFC”) 4301, to create a secure connection for all network traffic on a specific connection. IPsec, however, requires creating a shared set of credentials between a source and destination to allow for the secure communication. These credentials must be negotiated using a technology, such as Internet Key Exchange (“IKE”). The credentials and other security parameters that define an IPsec connection are referred to as a Security Association (“SA”). Anytime a link disconnects, a new SA must be established when the link returns, thereby adding to the overhead of maintaining the link. Further, each one-way connection requires its own SA. When both encryption and authentication are utilized, a common approach to ensure proper security, one or two SAs are necessary for each one-way link depending on the specific variation of IPsec that is utilized. Accordingly, every two-way connection between endpoints requires the negotiation of either two or four SAs to setup. Maintaining an IPsec setup across a typical two-way link can be fairly simple. But as the number of redundant or additional links grows, so does the number of SAs that must be negotiated and maintained. Maintaining multiple simultaneous IPsec connections to ensure reliable and secure communication in modern computing networks results in significant networking overhead and managerial challenges.
Reference will now be made to the accompanying drawings showing example embodiments of this disclosure. In the drawings:
Reference will now be made in detail to the exemplary embodiments implemented according to the present disclosure, the examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.
The embodiments described herein provide for secure communication between two network endpoints. These endpoints can be connected through one or more network connections. The secure communication provided by the described embodiments can utilize multiple network pathways simultaneously while only requiring the setup and maintenance for one IPsec connection. These technologies can drastically reduce the overhead and maintenance requirements for managing IPsec communications over multiple simultaneous links. Further in eliminating much of the overhead required to provide IPsec communications across multiple pathways, these technologies improve network efficiency and bandwidth. The embodiments described can additionally provide for intelligent selection of individual pathways based on data associated with each datagram transmitted across the networks.
One or more client devices 102 are devices that can acquire remote services from data center 120 through various means. Client devices 102 can communicate with data center 120 either directly (e.g., client device 102E) or indirectly through a public network 104 (e.g., client devices 102A-D) or a private network 110 (e.g., client device 102F). When client device 102 communicates through public network 104 or private network 110, a communication link can be established. For example, a link can be established by public network 104, gateway 106A, and appliance 108A, thereby providing a client device (e.g., client devices 102A-D) access to data center 120. A link can also be established by branch office 140 including appliance 108C, private network 110, and appliance 108A, thereby providing a client device (e.g., client device 102F) access to data center 120. Additional links can also be established by appliance 108B, gateway 106B, public network 104, gateway 106A and appliance 108A providing client device 102G with access to data center 120 through a public network 104. While client devices 102 are portrayed as a computer (e.g., client devices 102A, 102E, 102F, and 102G), a laptop (e.g., client device 102B), a tablet (e.g., client device 102C), and a mobile smart phone (e.g., client device 102D), it is appreciated that client device 102 could be any type of device (e.g., such as a wearable smart watch) that communicates packets to and from data center 120.
Public network 104 and private network 110 can be any type of network such as a wide area network (WAN), a local area network (LAN), or a metropolitan area network (MAN). As an example, a WAN can be the Internet or the World Wide Web, and a LAN can be a corporate Intranet. Public network 104 and private network 110 can be a wired network or a wireless network.
Gateways 106A-B are physical devices or are software that is part of a physical device that interfaces between two networks having different protocols. Gateways 106A-B, for example, can be a server, a router, a host, or a proxy server. In some embodiments, gateways 106A-B can include or be coupled to a firewall separating gateways 106A-B from public network 104 (e.g., Internet). Gateways 106A-B have the ability to modify signals received from client device 102 into signals that appliances 108A-B and/or data center 120 can understand and vice versa.
Appliance 108A is a device that can optimize and control wide area network (WAN) traffic. In some embodiments, appliance 108A optimizes other types of network traffic, such as local area network (LAN) traffic, metropolitan area network (MAN) traffic, or wireless network traffic. Appliance 108A can also handle different network like Multiprotocol Label Switching (“MPLS”) common in many corporate networks. Appliance 108A can optimize network traffic by, for example, scheduling data packets in an established communication link so that the data packets can be transmitted or dropped at a scheduled time and rate. In some embodiments, appliance 108A is a physical device, such as Citrix System's Branch Repeater, Netscaler, or CloudBridge. In some embodiments, appliance 108A can be a virtual appliance. In some embodiments, appliance 108A can be a physical device having multiple instances of virtual machines (e.g., virtual Cloud Bridge). In some embodiments, a first appliance (e.g., appliance 108A) works in conjunction with or cooperation with a second appliance (e.g., appliance 108B or appliance 108C) to optimize network traffic. For example, the first appliance can be located between the WAN and a corporate LAN (e.g., data center 120), while a second appliance (e.g., appliance 108C) can be located between a branch office (e.g., branch office 140) and a WAN connection. An additional appliance (e.g., appliance 108B) could also be connected through public network 104. In some embodiments, the functionality of gateway 106A and appliance 108A can be located in a single physical device. Appliances 108A, 108B, and 108C can be functionally the same or similar.
Data center 120 is a central repository, either physical or virtual, for the storage, management, and dissemination of data and information pertaining to a particular public or private entity. Data center 120 can be used to house computer systems and associated components, such as one or physical servers, virtual servers, and storage systems. Data center 120 can include, among other things, one or more servers (e.g., server 122) and a backend system 130. In some embodiments data center 120 can include gateway 106, appliance 108, or a combination of both.
Server 122 is an entity represented by an IP address and can exist as a single entity or a member of a server farm. Server 122 can be a physical server or a virtual server. In some embodiments, server 122 can include a hardware layer, an operating system, and a hypervisor creating or managing one or more virtual machines. Server 122 provides one or more services to an endpoint. These services include providing one or more applications 128 to one or more endpoints (e.g., client devices 102A-G or branch office 140). For example, applications 128 can include Windows™-based applications and computing resources.
Desktop delivery controller 124 is a device that enables delivery of services, such as virtual desktops 126 to client devices (e.g., client devices 102A-G or branch office 140). Desktop delivery controller 124 provides functionality required to manage, maintain, and optimize all virtual desktop communications.
In some embodiments, the services include providing one or more virtual desktops 126 that can provide one or more applications 128. Virtual desktops 126 can include hosted shared desktops allowing multiple user to access a single shared Remote Desktop Services desktop, virtual desktop infrastructure desktops allowing each user to have their own virtual machine, streaming disk images, a local virtual machine, individual applications (e.g., one or more applications 128), or a combination thereof.
Backend system 130 is a single or multiple instances of computer networking hardware, appliances, or servers in a server farm or a bank of servers and interfaces directly or indirectly with server 122. For example, backend system 130 can include. Microsoft™ Active Directory, which can provide a number of network services, including lightweight directory access protocol (LDAP) directory services, Kerberos-based authentication, domain name system (DNS) based naming and other network information, and synchronization of directory updates amongst several servers. Backend system 130 can also include, among other things, an Oracle backend server, a SQL Server backend, and/or a dynamic host configuration protocol (DHCP). Backend system 130 can provide data, services, or a combination of both to data center 120, which can then provide that information via varying forms to client devices 102 or branch office 140.
Branch office 140 is part of a local area network (LAN) that is part of the WAN having data center 120. Branch office 140 can include, among other things, appliance 108C and remote backend 142. In some embodiments, appliance 108C can sit between branch office 140 and private network 110. As stated above, appliance 108C can work with appliance 108A. Remote backend 142 can be set up in similar manner as backend system 130 of data center 120. Client device 102F can be located on-site to branch office 140 or can be located remotely from branch office 140.
Appliances 108A-C and gateways 106A-B can be deployed as or executed on any type and form of computing device, such as a computer or networking devices capable of communicating on any type and form of network described herein. As shown in
As shown in
Furthermore, computing device 200 can include a network interface 218 to interface to a LAN, WAN, MAN, or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56 kb, X.25), broadband connections (e.g., ISDN, Frame Relay, ATM), wireless connections, or some combination of any or all of the above. Network interface 218 can comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing computing device 200 to any type of network capable of communication and performing the operations described herein.
Networking can encompass many different technologies and protocols designed to connect two or more computing devices, systems, or environments. For example, the Internet Protocol (“IP”) is a standard communications protocol commonly used to control and route Internet traffic. IP is widely used as a backbone protocol for the Internet. The most commonly used versions of IP are IP version 4 (“IPv4”) and IP version 6 (“IPv6”). These protocols are described in IETF RFC 791 and IETF RFC 2460 respectively and are both well known in the art.
Connections transmitting IP Datagrams (also commonly referred to as packets) can be secured using IPsec, a suite of protocols that build on IP. IPsec provides a framework for modifying each datagram before it is sent across the network to provide a secure connection between computing entities. A computing entity can be a hardware implemented computing device (e.g., any of gateways 106, appliances 108, client devices 102 from
Attempts have been made to support IPsec across multiple connections. For example A Multi-link Aggregate IPSec Model, Yun-he hang, et al., 3 Educ., Tech., and Computer Sci.: ETCS '09. First Int'l Workshop On, 489-493 (2009), proposed a software component that automatically manages IPsec across multiple connections between two endpoints. While this approach abstracts the IPsec management and overhead into a separate module making the use of IPsec across multiple simultaneous connections simpler for developers, the fundamental problems with IPsec across multiple connections remain—namely, as the number of connections increase, the software or hardware, regardless of the level of abstraction still must maintain SAs for each connection and incur the overhead of rebuilding each individual link that fails. Further, these approaches attempt to provide load balancing across the multiple connections by determining latency and other network characteristics at the time the SAs are created. But because these existing modules are unable to continually monitor properties of each connection, the provided load balancing is ineffective. Further, because these methods cannot analyze the contents of the encrypted datagrams they cannot provide quality-of-service benefits based on data content. Embodiments consistent with the present disclosure resolve these fundamental problems. These embodiments are described in more detail below.
The datagrams in
IPsec AH allows for the modification of IP datagrams so that the datagram can be authenticated. This authentication can, among other things, allow verification of the datagram source and/or ensure that the datagram has not changed in transit. IPsec AH does not provide for the encryption of the datagram although the data encapsulated in the datagram can be encrypted prior to modification by IPsec using some other process or application. IPsec AH can verify data by calculating a cryptographic hash of some of the fields in the datagram's IP header (e.g., IP header 301) and transmitting the calculated hash with the datagram.
IPsec ESP can allow for encryption of the IPsec payload, which includes the original IP datagram (e.g., IP datagram 300). IPsec ESP can also provide authentication using a cryptographic hash of the fields in the various headers similar to IPsec AH.
Generally, transport mode provides IPsec protection, in either AH or ESP form, from a source endpoint to a destination endpoint. Transport mode can be used to secure a direct link between two hosts.
Tunnel mode provides IPsec protection, in either AH or ESP form, along a portion of a connection between two endpoints. Although, tunnel mode can be used to secure the entire path between two endpoints, it is commonly used when two endpoints on separate secure networks communicate across an unsecured network such as the Internet. Tunnel mode can allow for only the portion of the connection crossing the public, unsecured network to be encapsulated with IPsec.
In tunnel 351 mode, IPsec calculates the cryptographic hash in the same way as can be done in transport 350 mode. In tunnel 351 mode, AH header 310 is placed before IP header 301. The entire datagram (e.g., AH header 310, IP header 301, and data 320) is then encapsulated in a new IP header that can specify new IP fields for the datagram. At the destination specified in new IP header 330, the destination can remove new IP header 330, perform the same authentication check using AH header 310 as is done in transport 350 mode, strip AH header 310, and route IP datagram 300 based on the original destination and fields in IP header 301.
In tunnel 356 mode, IPSec ESP encrypts the entire original IP datagram, including both IP header 301 and data 320. ESP header 340 is placed before IP header 301 and ESP trailer 341 is placed after data 320. As with transport 355 mode, optional authentication can be provided using a cryptographic hash of various header fields that are included in ESP auth 342. IPsec ESP can create new IP header 330 to control routing of the encapsulated datagram and places it at the beginning of the datagram. At the destination specified in new IP header 330, the destination device can verify the information in ESP auth 342, decrypt IP Header 301 and data 320 using the information in ESP header 340, ESP trailer 341, and predetermined keys, remove new IP header 330, ESP header 340, ESP trailer 341, and ESP auth 342 from the datagram, and route the datagram according to the original information in IP header 301.
Private network 401 can be any private network attached to additional computing devices. Private network can be private network 110 from
Similarly, client 403 can provide datagrams intended for other networks or devices to appliance 410 for processing. Client 403 can be one of client devices 102A-G. Client 403 can be directly connected to appliance 410 without passing through an intermediate network.
Appliance 410 can receive datagrams from private network 401, client 403, or any other computing device sending data to a network or computing device reachable by appliance 410. Appliance 410 can be source S1-S3 for multiple links connecting to destinations D1-D3, respectively. While appliance 410 is shown as the source of network connections, it is appreciated that appliance 410 can also receive data from other network devices or computers intended for private network 401 or client 403. Appliance 410 can consist of multiple components designed to provide a single IPsec channel across a network. In some embodiments appliance 410 is combined with gateway 420. In other embodiments gateway 420 is a separate component communicatively coupled with appliance 410.
Appliance 410 includes classifier 411. Classifier 411 is a module that can analyze datagrams supplied to appliance 410. Classifier 411 can inspect the datagrams and create metadata associated with the datagram to assist with routing decisions. The metadata associated with each datagram can be based on a variety of factors (e.g., the source or destination IP address, the underlying application, the additional protocols used in the datagram, the content of the datagram itself, or other attributes of the datagram). This metadata can be assigned according to preset rules or can be dynamic based on changing requirements of the system. For example, if the data in the IP datagram corresponds to type of traffic, metadata that indicates the particular DSCP tag can be added to the datagram. In this example, the metadata can indicate that the datagram contains Voice over IP (“VOIP”) traffic classified using DSCP tag Expedited Forwarding (“EF”) that can require a higher priority than other types of network traffic. When routing decisions are made, the specific metadata can affect the links that are chosen for different types of traffic. For example, datagrams associated with DSCP tag EF can be transmitted using a specific physical link best suited to this type of traffic. Datagrams with metadata that indicate the datagram carries VOIP traffic can be transmitted using low latency and low jitter connections to ensure a higher quality of service.
After metadata is associated with the IP datagram, the datagram is provided to IPsec 412. IPsec 412 is a module designed to encode an IP datagram consistent with the IPsec specification and based on the properties stored in SA 413. SA 413 can be an SA created according to a process such as IKE to allow IPsec communication with a desired endpoint (e.g., gateway 421 or appliance 430). SA 413 is created prior to datagrams being transmitted by appliance 410. Many IPsec modules commonly available can be incorporated into appliance 410 to provide the functionality described for IPsec 412.
Packet analyzer 417 is a module designed to analyze encoded datagrams and associated metadata, to provide routing information, and to add additional fields to the datagram. For example, packet analyzer might determine, based on the metadata provided by classifier 411, that the datagram should be sent using an MPLS connection. In another example, packet analyzer 417 will determine that the datagram can be sent according to the fastest route or that the datagram has a low importance and can be prioritized below other network traffic. These determinations can be associated with the encoded datagram as additional metadata. Further, packet analyzer 417 can add a timestamp and sequence number to the encoded datagram. This timestamp and sequence number can be used by a receiving appliance (e.g., appliance 430) to reassemble a sequence of datagrams that were sent across different physical links in the proper order. After analysis, packet analyzer can provide the datagram and associated metadata to gateway 420.
Gateway 420 is a module designed to handle the routing and physical connections to remote networks and devices. As previously described, in some embodiments, gateway 420 is part of appliance 410. In other embodiments gateway 420 is a separate module. Gateway 420 provides physical connections to other networks or computing devices. Additionally, gateway 420 can include modules or functionality designed to route network traffic and monitor physical network links. When physical network links fail, gateway 420 can re-establish the connection. Because SA is setup at a virtual endpoint prior to gateway 420, re-establishing physical links does not require the overhead associated with creating new SAs. Instead, when physical links are re-established, they are already part of the IPsec protected pathway without the need for a new SA.
Gateway 420 can include packet router 421. Packet router 421 is a module designed to route IP datagrams according to the content and metadata associated with those datagrams, and the current state of the various network connections. Packet router 421 can base routing decisions solely on the information in the datagram's metadata or can combine the metadata information with information provided by link evaluator 422. Link evaluator 422 is described in more detail below. Packet router 421 can use the provided information to select the optimal link (e.g., one of network connections represented by network sources S1-S3) for a specific datagram. For example, if packet analyzer 417 has designated that a datagram contains data classified as DSCP tag EF, packet router 421 can choose a dedicated physical link for best suited for this type of traffic. In another example, if data provided by link evaluator 422 indicates that a particular link is degraded or overwhelmed, packet router 421 can avoid adding new traffic to that physical link. After packet router 421 chooses a link, the datagram can be transmitted on the selected connection.
Link evaluator 422 is a module designed to continually analyze the status of active network connections. After datagrams are transmitted from sources S1-S3, the source can provide transmission statistics to link evaluator 422. This can include the time for the datagram to reach one of destinations D1-D3, the error rate of a particular connection, or any other statistic relevant to the status of a network link. Link evaluator 422 can combine the information from each of the network connections and provide that information to packet router 421 to assist with routing decisions. Additionally, link evaluator 422 can detect when a particular connection has failed and alert gateway 420 that the link must be re-established.
Datagrams transmitted by gateway 420 can be received at destinations D1-D3 of gateway 421. Gateway 421 is a module designed to receive datagrams arriving on multiple physical connections and combine them into a single datagram stream for decoding. Although not shown in
Appliance 430 can include IPsec module 432, which can decode an IP datagram consistent with the IPsec specification and based on the properties stored in SA 433. SA 433 can be an SA setup according to a process such as IKE to allow IPsec communication with a desired endpoint. (e.g., gateway 420 or appliance 410). SA 433 is created prior to datagrams being received by appliance 430. Many IPsec modules commonly available can be incorporated into appliance 430 to provide the functionality described for IPsec 432. IPsec 432 can have the same structure and functionality as IPsec 412 (and vice versa). Further, SA 433 can match SA 413 to allow IPsec 432 to decode datagrams encoded with IPsec 412.
After decoding the received datagrams, appliance 430 can route the datagrams according to the IP addresses in the original IP headers. The datagrams can, for example, be routed directly to client device 405 or 404, which can be an example of client device 102 from
The block diagram of
The embodiment and modules or components disclosed in
The appliance can then classify (step 520) the datagram according to the destination and other characteristics. For example, a classifier (e.g., classifier 411) can be used to consider, inter alia, the type of datagram, the type of the data or protocol within the datagram, and the relative importance of the datagram related to other network traffic.
After classifying the datagram, the classifier can associate (step 530) metadata with the datagram based on the classification. This metadata can describe the contents or nature of the datagram for later use by a routing engine. The metadata can indicate, among other things, the type of data in the datagram, the importance of the datagram, and the encapsulated protocols.
After metadata is associated with the datagram, the appliance can encode (step 540) the datagram using an encoding that follows IPsec policies. The appliance can use any standard IPsec module or system. The SA used by the IPsec module or system can be negotiated ahead of time using commonly understood techniques such as IKE.
After encoding, the appliance can (e.g., using packet analyzer 417) associate (step 550) additional control information to the encoded datagram. The additional information can include, at least, a timestamp and a sequence number. The timestamp and sequence number can be used at the destination endpoint to reorganize datagrams that have taken different paths into the same sequence as they were produced.
The appliance can (e.g., using gateway 420, packet router 421, and sources S1-S3) transmit (step 560) the encoded datagram based on the associated metadata and the appliance's knowledge of the each individual network link. The appliance can favor links having faster response times in order to optimize bandwidth. In some embodiments, the source (e.g., one of S1-S3 from
After the datagram is transmitted, the source of the transmission can obtain (step 570) transmission statistics about the specific physical connection used. Those statistics can include, for example, the number of dropped packets, the error rates, the latency, and other analytics related to the physical link. These connection statistics can be provided to the appliance (e.g., using link evaluator 422). The appliance can evaluate (step 580) the connection statistics and provide the evaluations to the appliance (e.g., using packet router 421). Accordingly, the evaluations are updated periodically as the datagrams are transmitted and network conditions fluctuate.
After obtaining the datagram, the appliance can organize (step 620) the datagram among other datagrams obtained based on the timestamp and sequence number embedded in the datagram. Although each datagram is individually processed, because the datagrams can be transmitted across any one of many physical links, they may not arrive in the same order in which they were sent. In some embodiments, the organization can occur after the datagram has been decoded.
After organizing the datagram with other associated datagrams, the appliance can decode (step 630) the datagram (e.g., using an IPsec 432 and SA 433) in the proper sequence based on the timestamps and sequence numbers of the related datagrams. The appliance can than route (step 640) the decoded datagram to a computing device (e.g., client 405, client 404, or another device connected to private network 402) according to the original IP header destination.
In the foregoing specification, embodiments have been described with reference to numerous specific details that can vary from implementation to implementation. Certain adaptations and modifications of the described embodiments can be made. Other embodiments can be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. It is intended that the specification and examples be considered as exemplary only. It is also intended that the sequence of steps shown in figures are only for illustrative purposes and are not intended to be limited to any particular sequence of steps. As such, those skilled in the art can appreciate that these steps can be performed in a different order while implementing the same method.
This patent application is a continuation of, and claims priority to and the benefit of U.S. patent application Ser. No. 14/811,695, titled “EFFICIENT USE OF IPSEC TUNNELS IN MULTI-PATH ENVIRONMENT,” and filed Jul. 28, 2015, the contents of all of which are hereby incorporated herein by reference in its entirety for all purposes.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6438612 | Ylonen | Aug 2002 | B1 |
| 6792534 | Medvinsky | Sep 2004 | B2 |
| 6941377 | Diamant | Sep 2005 | B1 |
| 7082530 | Diamant | Jul 2006 | B1 |
| 7099904 | Nakatsuka | Aug 2006 | B2 |
| 7181012 | Arkko | Feb 2007 | B2 |
| 7287269 | Burton | Oct 2007 | B2 |
| 7296155 | Trostle | Nov 2007 | B1 |
| 7305706 | Moon | Dec 2007 | B2 |
| 7320143 | Le Pennec | Jan 2008 | B2 |
| 7333799 | Natarajan | Feb 2008 | B2 |
| 7346926 | Vaarala | Mar 2008 | B2 |
| 7353542 | Shiga | Apr 2008 | B2 |
| 7389412 | Sharma | Jun 2008 | B2 |
| 7421578 | Huang | Sep 2008 | B1 |
| 7461152 | Bird | Dec 2008 | B2 |
| 7505442 | Kniveton | Mar 2009 | B2 |
| 7535870 | Nikander | May 2009 | B2 |
| 7558956 | Tsuji | Jul 2009 | B2 |
| 7571463 | Fedyk | Aug 2009 | B1 |
| 7577130 | Natarajan | Aug 2009 | B2 |
| 7600131 | Krishna | Oct 2009 | B1 |
| 7711830 | Bird | May 2010 | B2 |
| 7716331 | Le Pennec | May 2010 | B2 |
| 7849197 | Bird | Dec 2010 | B2 |
| 7940779 | Giaretta | May 2011 | B2 |
| 7941843 | Iwama | May 2011 | B2 |
| 7945666 | Wunner | May 2011 | B2 |
| 7945944 | Burton | May 2011 | B2 |
| 7995994 | Khetawat | Aug 2011 | B2 |
| 7996670 | Krishna | Aug 2011 | B1 |
| 8009631 | Nikander | Aug 2011 | B2 |
| 8036664 | Khetawat | Oct 2011 | B2 |
| 8037302 | Vaarala | Oct 2011 | B2 |
| 8041335 | Khetawat | Oct 2011 | B2 |
| 8041939 | Ylitalo | Oct 2011 | B2 |
| 8073428 | Khetawat | Dec 2011 | B2 |
| 8150397 | Khetawat | Apr 2012 | B2 |
| 8186026 | Xiang | May 2012 | B2 |
| 8201233 | Beaulieu | Jun 2012 | B2 |
| 8204502 | Khetawat | Jun 2012 | B2 |
| 8239706 | Yang | Aug 2012 | B1 |
| 8261055 | Sakai | Sep 2012 | B2 |
| 8296825 | Leone | Oct 2012 | B2 |
| 8336093 | Eom | Dec 2012 | B2 |
| 8346949 | Vaarala | Jan 2013 | B2 |
| 8392701 | Chang | Mar 2013 | B2 |
| 8392716 | Oishi | Mar 2013 | B2 |
| 8413226 | Vikberg | Apr 2013 | B2 |
| 8438629 | Lee | May 2013 | B2 |
| 8477616 | Rogers | Jul 2013 | B1 |
| 8484466 | Marin | Jul 2013 | B2 |
| 8549135 | Yazdani | Oct 2013 | B1 |
| 8555361 | Nakhjiri | Oct 2013 | B2 |
| 8593963 | Giaretta | Nov 2013 | B2 |
| 8607302 | Morris | Dec 2013 | B2 |
| 8612582 | Dare | Dec 2013 | B2 |
| 8615581 | Dare | Dec 2013 | B2 |
| 8644256 | Nikander | Feb 2014 | B2 |
| 8650290 | Dare | Feb 2014 | B2 |
| 8654723 | O'Leary | Feb 2014 | B2 |
| 8671273 | Roy-Chowdhury | Mar 2014 | B2 |
| 8701160 | Liang | Apr 2014 | B2 |
| 8743812 | Yin | Jun 2014 | B2 |
| 8745213 | Dare | Jun 2014 | B2 |
| 8788655 | Dare | Jul 2014 | B2 |
| 8856322 | Dare | Oct 2014 | B2 |
| 8862883 | Cherukuri | Oct 2014 | B2 |
| 9264397 | Meyer | Feb 2016 | B2 |
| 9300626 | Meyer | Mar 2016 | B2 |
| 9357374 | Giaretta | May 2016 | B2 |
| RE46113 | Xiang | Aug 2016 | E |
| 9444789 | Cherukuri | Sep 2016 | B2 |
| 9602470 | Lien | Mar 2017 | B2 |
| 9652911 | Fedronic | May 2017 | B2 |
| 9686127 | Ramachandran | Jun 2017 | B2 |
| 9712494 | Vaarala | Jul 2017 | B2 |
| 9712502 | Vaarala | Jul 2017 | B2 |
| 9742626 | Ramachandran | Aug 2017 | B2 |
| 9762397 | Vaarala | Sep 2017 | B2 |
| 9794237 | Johnson | Oct 2017 | B2 |
| 9813343 | Williams | Nov 2017 | B2 |
| 9838362 | Vaarala | Dec 2017 | B2 |
| 9847875 | Berzin | Dec 2017 | B1 |
| 9871691 | Anand | Jan 2018 | B2 |
| 9898878 | Fedronic | Feb 2018 | B2 |
| 9906402 | Ramachandran | Feb 2018 | B2 |
| 9930543 | Godley | Mar 2018 | B2 |
| 9960958 | Ramachandran | May 2018 | B2 |
| 10089803 | Fedronic | Oct 2018 | B2 |
| 10091102 | Thubert | Oct 2018 | B2 |
| 10097403 | Anand | Oct 2018 | B2 |
| 10097404 | Yadav | Oct 2018 | B2 |
| 10110422 | Yadav | Oct 2018 | B2 |
| 10142164 | Ramachandran | Nov 2018 | B2 |
| 10153940 | Anand | Dec 2018 | B2 |
| 10270809 | Williams | Apr 2019 | B2 |
| 10374871 | Ramachandran | Aug 2019 | B2 |
| 10417849 | Fedronic | Sep 2019 | B2 |
| 10536863 | Godley | Jan 2020 | B2 |
| 10560314 | Ramachandran | Feb 2020 | B2 |
| 10637782 | Dillon | Apr 2020 | B2 |
| 10673818 | Vaarala | Jun 2020 | B2 |
| 10721097 | Nandoori | Jul 2020 | B2 |
| 10812370 | Raut | Oct 2020 | B2 |
| 20020052200 | Arkko | May 2002 | A1 |
| 20020062344 | Ylonen | May 2002 | A1 |
| 20020065785 | Tsuda | May 2002 | A1 |
| 20020116154 | Nowak | Aug 2002 | A1 |
| 20030002676 | Stachura | Jan 2003 | A1 |
| 20030014627 | Krishna | Jan 2003 | A1 |
| 20030016679 | Adams | Jan 2003 | A1 |
| 20030023846 | Krishna | Jan 2003 | A1 |
| 20030031151 | Sharma | Feb 2003 | A1 |
| 20030039234 | Sharma | Feb 2003 | A1 |
| 20030182553 | Medvinsky | Sep 2003 | A1 |
| 20040059909 | Le Pennec | Mar 2004 | A1 |
| 20040153560 | Masuhiro | Aug 2004 | A1 |
| 20040215955 | Tamai | Oct 2004 | A1 |
| 20050076228 | Davis | Apr 2005 | A1 |
| 20050101305 | Natarajan | May 2005 | A1 |
| 20050138380 | Fedronic | Jun 2005 | A1 |
| 20050160273 | Oishi | Jul 2005 | A1 |
| 20050160290 | Moon | Jul 2005 | A1 |
| 20050177722 | Vaarala | Aug 2005 | A1 |
| 20050185644 | Tsuji | Aug 2005 | A1 |
| 20050192923 | Nakatsuka | Sep 2005 | A1 |
| 20050198531 | Kaniz et al. | Sep 2005 | A1 |
| 20050198691 | Xiang | Sep 2005 | A1 |
| 20050216725 | Vaarala | Sep 2005 | A1 |
| 20050240648 | Bird | Oct 2005 | A1 |
| 20050257274 | Shiga | Nov 2005 | A1 |
| 20060002388 | Grebus | Jan 2006 | A1 |
| 20060155981 | Mizutani | Jul 2006 | A1 |
| 20060173968 | Vaarala | Aug 2006 | A1 |
| 20060191002 | Lee | Aug 2006 | A1 |
| 20060212937 | Natarajan | Sep 2006 | A1 |
| 20060221921 | Kniveton | Oct 2006 | A1 |
| 20060230446 | Vu | Oct 2006 | A1 |
| 20060274693 | Nikander | Dec 2006 | A1 |
| 20070006296 | Nakhjiri | Jan 2007 | A1 |
| 20070186100 | Wakameda | Aug 2007 | A1 |
| 20070192842 | Beaulieu | Aug 2007 | A1 |
| 20070214502 | McAlister | Sep 2007 | A1 |
| 20070226777 | Burton | Sep 2007 | A1 |
| 20070253371 | Harper | Nov 2007 | A1 |
| 20080028203 | Sakai | Jan 2008 | A1 |
| 20080043758 | Giaretta | Feb 2008 | A1 |
| 20080052769 | Leone | Feb 2008 | A1 |
| 20080059798 | Fedronic | Mar 2008 | A1 |
| 20080066153 | Burton | Mar 2008 | A1 |
| 20080076386 | Khetawat | Mar 2008 | A1 |
| 20080076392 | Khetawat | Mar 2008 | A1 |
| 20080076393 | Khetawat | Mar 2008 | A1 |
| 20080076411 | Khetawat | Mar 2008 | A1 |
| 20080076412 | Khetawat | Mar 2008 | A1 |
| 20080076419 | Khetawat | Mar 2008 | A1 |
| 20080076420 | Khetawat | Mar 2008 | A1 |
| 20080076425 | Khetawat | Mar 2008 | A1 |
| 20080098226 | Zokumasui | Apr 2008 | A1 |
| 20080127297 | Morris | May 2008 | A1 |
| 20080147871 | Le Pennec | Jun 2008 | A1 |
| 20080168551 | Eom | Jul 2008 | A1 |
| 20080215676 | Bird | Sep 2008 | A1 |
| 20080215738 | Bird | Sep 2008 | A1 |
| 20080222298 | Bird | Sep 2008 | A1 |
| 20080232382 | Iwama | Sep 2008 | A1 |
| 20080261596 | Khetawat | Oct 2008 | A1 |
| 20080305792 | Khetawat | Dec 2008 | A1 |
| 20090063851 | Nijdam | Mar 2009 | A1 |
| 20090113203 | Tsuge | Apr 2009 | A1 |
| 20090117876 | Inoue | May 2009 | A1 |
| 20090144819 | Babbar | Jun 2009 | A1 |
| 20090262682 | Khetawat | Oct 2009 | A1 |
| 20090262683 | Khetawat | Oct 2009 | A1 |
| 20090262684 | Khetawat | Oct 2009 | A1 |
| 20090262702 | Khetawat | Oct 2009 | A1 |
| 20090262703 | Khetawat | Oct 2009 | A1 |
| 20090262704 | Khetawat | Oct 2009 | A1 |
| 20090264095 | Khetawat | Oct 2009 | A1 |
| 20090264126 | Khetawat | Oct 2009 | A1 |
| 20090265541 | Ylitalo | Oct 2009 | A1 |
| 20090265542 | Khetawat | Oct 2009 | A1 |
| 20090265543 | Khetawat | Oct 2009 | A1 |
| 20090285181 | Nikander | Nov 2009 | A1 |
| 20090327713 | Marin | Dec 2009 | A1 |
| 20100031015 | Hamamura | Feb 2010 | A1 |
| 20100098419 | Levy | Apr 2010 | A1 |
| 20100223458 | McGrew | Sep 2010 | A1 |
| 20100257355 | Shinozaki | Oct 2010 | A1 |
| 20100313023 | Ren | Dec 2010 | A1 |
| 20110093945 | Vikberg | Apr 2011 | A1 |
| 20110164498 | Giaretta | Jul 2011 | A1 |
| 20110213969 | Nakhjiri | Sep 2011 | A1 |
| 20110252228 | Chang | Oct 2011 | A1 |
| 20110271326 | Liang | Nov 2011 | A1 |
| 20110274091 | Nikander | Nov 2011 | A1 |
| 20110276699 | Pedersen | Nov 2011 | A1 |
| 20110289311 | Roy-Chowdhury | Nov 2011 | A1 |
| 20120032945 | Dare | Feb 2012 | A1 |
| 20120036220 | Dare | Feb 2012 | A1 |
| 20120036245 | Dare | Feb 2012 | A1 |
| 20120036440 | Dare | Feb 2012 | A1 |
| 20120036442 | Dare | Feb 2012 | A1 |
| 20120036552 | Dare | Feb 2012 | A1 |
| 20120147839 | Yin | Jun 2012 | A1 |
| 20120224566 | O'Leary | Sep 2012 | A1 |
| 20130039487 | McGrew | Feb 2013 | A1 |
| 20130080781 | Vaarala | Mar 2013 | A1 |
| 20130091352 | Patel | Apr 2013 | A1 |
| 20130097423 | Mizumaki | Apr 2013 | A1 |
| 20130103819 | Meyer | Apr 2013 | A1 |
| 20130103940 | Badea | Apr 2013 | A1 |
| 20130132539 | Meyer | May 2013 | A1 |
| 20130145000 | Meyer | Jun 2013 | A1 |
| 20130145011 | Hyatt | Jun 2013 | A1 |
| 20130254531 | Liang | Sep 2013 | A1 |
| 20130263249 | Song et al. | Oct 2013 | A1 |
| 20130298182 | May | Nov 2013 | A1 |
| 20130311778 | Cherukuri | Nov 2013 | A1 |
| 20140101435 | Kinoshita | Apr 2014 | A1 |
| 20140192808 | Thubert | Jul 2014 | A1 |
| 20140286306 | Giaretta | Sep 2014 | A1 |
| 20140289314 | Dare | Sep 2014 | A1 |
| 20140351590 | Lien | Nov 2014 | A1 |
| 20140372761 | Cherukuri | Dec 2014 | A1 |
| 20150085664 | Sachdev | Mar 2015 | A1 |
| 20150117349 | Godley | Apr 2015 | A1 |
| 20150149220 | Omar | May 2015 | A1 |
| 20150181630 | Miyagawa | Jun 2015 | A1 |
| 20150188823 | Williams | Jul 2015 | A1 |
| 20150188943 | Williams | Jul 2015 | A1 |
| 20150195265 | Chen | Jul 2015 | A1 |
| 20150295899 | Chen | Oct 2015 | A1 |
| 20160080195 | Ramachandran | Mar 2016 | A1 |
| 20160080211 | Anand | Mar 2016 | A1 |
| 20160080212 | Ramachandran | Mar 2016 | A1 |
| 20160080221 | Ramachandran | Mar 2016 | A1 |
| 20160080225 | Yadav | Mar 2016 | A1 |
| 20160080230 | Anand | Mar 2016 | A1 |
| 20160080250 | Ramachandran | Mar 2016 | A1 |
| 20160080251 | Ramachandran | Mar 2016 | A1 |
| 20160080252 | Ramachandran | Mar 2016 | A1 |
| 20160080268 | Anand | Mar 2016 | A1 |
| 20160080280 | Ramachandran | Mar 2016 | A1 |
| 20160080285 | Ramachandran | Mar 2016 | A1 |
| 20160080502 | Yadav | Mar 2016 | A1 |
| 20160234341 | Dare | Aug 2016 | A1 |
| 20160380984 | Johnson | Dec 2016 | A1 |
| 20170093580 | Vaarala | Mar 2017 | A9 |
| 20170093799 | Vaarala | Mar 2017 | A1 |
| 20170099266 | Vaarala | Apr 2017 | A1 |
| 20170155590 | Dillon | Jun 2017 | A1 |
| 20170272409 | Vaarala | Sep 2017 | A1 |
| 20170272410 | Vaarala | Sep 2017 | A1 |
| 20170287243 | Fedronic | Oct 2017 | A1 |
| 20170366344 | Berzin | Dec 2017 | A1 |
| 20170374025 | Pan | Dec 2017 | A1 |
| 20180069797 | Williams | Mar 2018 | A1 |
| 20180070249 | Godley | Mar 2018 | A1 |
| 20180218551 | Fedronic | Aug 2018 | A1 |
| 20190088049 | Fedronic | Mar 2019 | A1 |
| 20190253454 | Williams | Aug 2019 | A1 |
| 20190327112 | Nandoori | Oct 2019 | A1 |
| 20190334775 | Ghadge | Oct 2019 | A1 |
| 20190364420 | Rommer | Nov 2019 | A1 |
| 20200044954 | Raut | Feb 2020 | A1 |
| 20200195431 | Athmalingam | Jun 2020 | A1 |
| 20200213848 | Wan | Jul 2020 | A1 |
| 20200274853 | Vaarala | Aug 2020 | A1 |
| Number | Date | Country |
|---|---|---|
| 2005201275 -1 | Oct 2005 | AU |
| 1926839 | Mar 2007 | CN |
| 104247367 | Dec 2014 | CN |
| 05-095373 | Apr 1993 | JP |
| 2000-216815 | Aug 2000 | JP |
| 2003-209569 | Jul 2003 | JP |
| 2015-515210 | May 2015 | JP |
| WO-2007103338 | Sep 2007 | WO |
| WO-2015047143 | Apr 2015 | WO |
| Entry |
|---|
| Final Office Action for JP Appl. No. 2017-568321, dated Jul. 11, 2019. |
| Office Action for JP Appl. No. 2017-568321, dated Jan. 28, 2019. |
| International Search Report and Written Opinion for International Appl. No. PCT/US2016/044317, dated Oct. 5, 2016. |
| U.S. Notice of Allowance for U.S. Appl. No. 14/811,695, dated Apr. 23, 2018. |
| U.S. Office Action for U.S. Appl. No. 14/811,695, dated May 17, 2017. |
| U.S. Office Action for U.S. Appl. No. 14/811,695, dated Nov. 16, 2016. |
| U.S. Office Action for U.S. Appl. No. 14/811,695, dated Nov. 16, 2017. |
| Office Action in KR Appl. No. 10-2018-7002657, dated Sep. 9, 2019. |
| Anonymous: “Multipath routing—Wikipedia”, Jul. 5, 2015 (Jul. 5, 2015), Retrieved from the Internet: URL:https://en.wikipedia.org/w/index.php?title=Multipath_routing&oldid=670116588 [retrieved on Apr. 8, 2020]. |
| Chanda Abhishek et al: “Content based traffic engineering in software defined information centric networks”, Computer Communications Workshops (INFOCOM WKSHPS), 2013 IEEE Conference on, IEEE, Apr. 14, 2013 (Apr. 14, 2013), pp. 357-362,DOI: 10.1109/infcomw.2013.6970717 ISBN: 978-1-4799-0055-8 [retrieved on Dec. 1, 2014]. |
| Examination Report for EP Appl. No. 16747986.4, dated Apr. 15, 2020. |
| First Office Action for CN Appl. No. 201680042825.7, dated Mar. 27, 2020. |
| Second Office Action in KR Appl. No. 10-2018-7002657, dated Feb. 28, 2020. |
| First Examination Report for IN Appl. No. 201717046919, dated May 15, 2020. |
| Second Office Action on CN Appl. No. 201680042825.7 dated Oct. 20, 2020. |
| Number | Date | Country | |
|---|---|---|---|
| 20180316723 A1 | Nov 2018 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 14811695 | Jul 2015 | US |
| Child | 16028106 | US |
