TREA

Secure communication session resumption in a service function chain

Follow

Information

  • Patent Grant
  • 11539747
  • Patent Number
    11,539,747
  • Date Filed
    Monday, February 3, 2020
    4 years ago
  • Date Issued
    Tuesday, December 27, 2022
    a year ago
Information
Abstract
A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.
Description
TECHNICAL FIELD

The present technology relates generally to secure communication sessions, and more specifically relates to the resumption of Transport Layer Security (TLS) sessions without performing a full TLS handshake.


BACKGROUND

In a session between an endpoint client and an endpoint server secured with the Transport Layer Security (TLS) protocol, one or more Service Function (SF) nodes may act upon the traffic in the session to provide a service function (e.g. firewall, intrusion detection/prevention, traffic compression, etc.). The Service Function node will typically interpose itself into the secure TLS session and create two separate TLS session by acting as a proxy server for the endpoint client and acting as a proxy client for the endpoint server. The TLS session between the endpoint client and the Service Function node is associated with a unique set of cryptographic keys, generated during a TLS handshake. In some embodiments, multiple Service Function nodes can be interposed into the secure TLS session, creating a Service Function Chain (SFC).


If the endpoint client disconnects from the TLS session, it may still retain a copy of the unique set of cryptographic keys. In order to resume the TLS session, the endpoint client must reconnect to the same Service Function node and provide its copy of the unique set of cryptographic keys. In this manner, a full TLS handshake is avoided. If the endpoint client attempts to present its copy of the unique set of cryptographic keys to a different Service Function node, the connection request will be a rejected and a new full TLS handshake will have to be performed.


When no Service Function Chain is present, the endpoint client may be able to easily reconnect to the same Service Function node from the previous TLS session. However, when a Service Function Chain is present, endpoint client communications typically pass first through a Service Function Forwarder (SFF), which performs load balancing in order to determine where to forward an endpoint client communication. Even if the endpoint client presents its copy of the unique set of cryptographic keys, the Service Function node that generated these keys is unknown to the Service Function Forwarder, due to the inherent encryption associated with the TLS protocol. As such, it would be highly desirable to provide an improved method for TLS session resumption, such that a session resume request does not trigger a new TLS handshake, regardless of whether the session resume request is forwarded to the originating Service Function node or a new Service Function node.





BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific examples thereof which are illustrated in the appended drawings. Understanding that these drawings depict only examples of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:



FIG. 1 depicts a diagram of a network system in which embodiments of the present disclosure may operate;



FIG. 2 depicts a ladder diagram of the underlying message exchanged involved in a TLS handshake;



FIG. 3 depicts a ladder diagram of the underlying message exchange of an example embodiment of the present disclosure wherein a Service Function Forwarder forwards a TLS session resume request to the Service Function node that previously handled the session;



FIG. 4 depicts a ladder diagram of the underlying message exchange of an example embodiment of the present disclosure wherein a TLS session is resumed at a new Service Function node;



FIG. 5 depicts a ladder diagram of the underlying message exchange of an example embodiment of the present disclosure wherein an encrypted Pre-Shared Key is included in a TLS session resume request.



FIG. 6A depicts a conventional system bus computing system architecture;



FIG. 6B depicts an example computer system having a chipset architecture.





DESCRIPTION OF EXAMPLE EMBODIMENTS

The detailed description set forth below is intended as a description of various configurations of the subject technology and is not intended to represent the only configurations in which the subject technology can be practiced. The appended drawings are incorporated herein and constitute a part of the detailed description. The detailed description includes specific details for the purpose of providing a more thorough understanding of the subject technology. However, it will be clear and apparent that the subject technology is not limited to the specific details set forth herein and may be practiced without these details. In some instances, structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject technology.


Overview

Transport Layer Security, or TLS, is a cryptographic protocol used to provide secured communications between two computing devices, such as a client and a server. First standardized in 1999 as TLS 1.0, the TLS protocol has continued to be developed and updated in order to keep pace with the ever-increasing importance of security and encryption in the modern world. The previous version, TLS 1.2, has been subject to an increasing number of attacks, and the most recent version, TLS 1.3, was introduced in order to address these flaws and provide an overall enhanced security experience.


In order to establish a TLS session between a client and a server, a TLS handshake is performed in order to establish shared cryptographic keys. These shared cryptographic keys are typically uniquely associated with both the TLS session and the client/server devices themselves. As such, if a client wishes to resume a TLS session, the original cryptographic keys can be used to identify the originating server and forward the client resume request accordingly. The original cryptographic keys can then be used to resume the TLS session without having to perform a TLS handshake, reducing latency and increasing efficiency.


TLS 1.2 utilized a clear text message exchange for the TLS handshake, which allowed client resume requests to be easily forwarded to the proper originating server. However, TLS 1.3 now encrypts all TLS handshake messages except for the initial ClientHello, meaning that the association between a client resume request and the originating server is now opaque to other networked devices or forwarders, such as load balancers.


For example, consider a Service Function Forwarder (SFF) acting as a load balancer for various Service Function nodes (e.g. firewalls, intrusion detection/prevention, traffic compression etc.) acting as TLS proxies/servers. Under TLS 1.2, the SFF would receive a client resume request, consult previously observed clear text TLS handshake messages, and identify the originating server and forward the client resume request accordingly. Under TLS 1.3, the SFF would receive a client resume request and would be unable to identify the originating server, due to the encryption of the TLS handshake messages. At best, the SFF could perform normal load balancing, and the client resume request may coincidentally be forwarded to the originating server. However, it is far more likely that the client resume request will not be forwarded to the originating server, and will be forced to perform a new TLS handshake with the new server.


As such, current implementations of TLS 1.3 are often inefficient in terms of both time and computational resources due to new TLS handshakes being forced in response to improperly forwarded client resume requests. Further still, TLS 1.3 breaks many other networking techniques that relied upon the proper forwarding of client resume requests to their originating servers. For example, if a new TLS handshake does not have to be performed, a zero round trip mode (0-RTT) can be employed, where the client resume request contains an initial flight of data for the server to act upon.


Example Embodiments


FIG. 1 illustrates a simplified diagram of a network system 100 in which aspects of the present disclosure may operate. Network system 100 includes an endpoint client device 102 (also referred to as “client” or “client device”) and an endpoint server device 112 (also referred to as “server” or “server device”). Client 102 and server 112 can communicate secure messages to one another by establishing an encrypted TLS session, using, for example, version 1.3 of the TLS protocol, although it is understood that other versions of the TLS protocol may also be employed.


Interposed between client 102 and server 112 is a Service Function Group 120, comprising a Service Function Forwarder (SFF) 122 communicatively coupled to a plurality of Service Function (SF) nodes 124a-c. In some embodiments, SFF 122 can operate as a load balancer, forwarding traffic from client 102 (or other connected client devices, not shown) to an appropriate or otherwise selected SF node 124a-c.


While three SF nodes are illustrated, it is understood that the plurality of SF nodes can include a greater or lesser number of In general, each of the plurality of SF nodes 124a-c can provide various service functions to traffic passing through the Service Function Group 120. For example, such traffic might include the secure messages transmitted between client 102 and server 112. The various service functions can include, but are not limited to, firewalls, distributed denial of service (DDOS) protection, intrusion detection/prevention service (IDS/IPS), traffic optimizers, compression services, advertisement insertion, etc. A given one of the plurality of SF nodes 124a-c may be configured to provide one or more specific service functions, or may be configured to provide all of the service functions offered by Service Function Group 120.


In some embodiments, two or more of the plurality of SF nodes 124a-c may be provided on separate network devices or computing devices. In some embodiments, one or more of the SF nodes 124a-c may be provided by a single network device or computing device. Furthermore, the plurality of SF nodes 124a-c may operate on a single communications network, or may operate on a plurality of interconnected communication networks. As would be appreciated by one of ordinary skill in the art, additional modifications to the manner in which Service Function Group 120 distributes and manages the various service functions may be employed without departing from the scope of the present disclosure.


For purposes of clarity of explanation, the following description contemplates a scenario in which SF nodes 124a-c each provide a dedicated service function. Although only client device 102 is illustrated, additional client devices may simultaneously connect to Service Function Forwarder 122, and correspondingly, each of the SF nodes 124a-c may provide a dedicated service function to traffic originating from one or more client devices.


A Service Function Chain (SFC) is formed when two or more service functions are connected. For example, an SFC could be formed between SF node 124a and SF node 124b, wherein SF node 124a might be a firewall and SF node 124b might be a compression service. In this scenario, Service Function Forwarder receives a message stream from client 102, and forwards the message stream to the firewall of SF node 124a. SF node 124a performs firewall filtering, and then forwards the filtered message stream to the compression service of SF node 124b. SF node 124b performs compression, and forwards the compressed message stream to server 112.


In some embodiments, when the TLS protocol is employed to encrypt traffic and message streams, each SF node in the Service Function Chain acts as a TLS proxy or server. In other words, each hop of a message stream between client 102 and server 112 requires its own TLS session, with the exception of Service Function Forwarder 122. Recalling that any given TLS session generates cryptographic keys uniquely corresponding to the two endpoints involved in the given TLS session, consider the context of the current example, wherein client 102 wishes to establish an encrypted TLS session with server 112.


A first proxy TLS session is established between client 102 and SF node 124a, with SF node 124a acting as a proxy server. A second proxy TLS session is established between SF node 124a and SF node 124b, with SF node 124a acting as a proxy client and SF node 124b acting as a proxy server. A third proxy TLS session is established between SF node 124b and server 112, with SF node 124b acting as a proxy client. Three hops are required to transmit a message stream between client 102 and server 112, and a corresponding three TLS sessions (and three sets of cryptographic keys) are generated.


Notably, client 102 is only directly involved in the very first TLS session, i.e. the TLS session connecting client 102 to the first SF node 124a of the Service Function Chain, meaning that client 102 also only exchanges TLS cryptographic keys with SF node 124a, even though the message stream from client 102 also passes through SF node 124b. As such, client 102 and SF node 124b are generally unaware of each other's presence in the communication path. Consequently, session resumption (which requires presenting a copy of the previously generated TLS cryptographic keys to the same SF node that generated said keys) becomes problematic if the session resumption request is directed anywhere but SF node 124a—a problem which is addressed by various aspects of the present disclosure.


The disclosure now turns to FIG. 2, which depicts a ladder diagram 200 of the underlying message exchange involved in a TLS handshake for the creation of the first TLS session between client 102 and SF node 124a, and the subsequent resumption of the TLS session. Client 102 begins by generating a ClientHello message 202, in accordance with the TLS protocol, which can contain cryptographic keying material or various cryptographic parameters for establishing cryptographic keying material. As discussed previously, while ClientHello message 202 may ultimately be destined for server 112 (not pictured), it is intercepted by Service Function Forwarder 122, which performs load balancing and forwards the ClientHello to an appropriate or otherwise selected Service Function node. In this example, Service Function Forwarder 122 forwards the ClientHello message 202 to SF node 124a.


SF node 124a receives and processes the ClientHello 202, determining the appropriate cryptographic parameters for the TLS session and generating a ServerHello message 204, which is transmitted to client 102 in order to convey the negotiated connection parameters. The ServerHello can contain cryptographic keying material and various other server parameters for establishing the TLS session. In accordance with the TLS protocol, the combination of the ClientHello message 202 and the ServerHello message 204 determines the shared keys that are used to secure and encrypt the TLS session. In some embodiments, Pre-Shared Key (PSK) key establishment can be employed, in which case the ClientHello 202 will contain several offered keys (i.e. PSKs) and the ServerHello 204 will contain an extension indicating which of the PSKs offered by client 102 was selected.


In order to finalize the establishment of the TLS session between client 102 and SF node 124a, client 102 receives and process ServerHello 204 before then transmitting a Finished message 206 to SF node 124a. The Finished message 206 is the final message in the authentication block, and is a Message Authentication Code (MAC) over the entire TLS handshake, which provides key confirmation and binds the identity of client 102 and SF node 124a to the selected keys. In PSK mode, Finished message 206 also authenticates the TLS handshake.


At this point, the TLS handshake is complete, and the first TLS session has been established between client 102 and SF node 124a. With the TLS session established, application-layer data can be exchanged, and is encrypted using the cryptographic keys determined from ClientHello 202 and ServerHello 204. Because this is a new TLS session, client 102 will not send application data prior to sending Finished message 206.


At some subsequent point in time, after Finished message 206 has been transmitted but before the TLS session is terminated, SF node 124a can transmit a NewSessionTicket 208 to client 102. This message creates a pre-shared key (PSK) binding between the ticket value of NewSessionTicket 208 and the resumption master secret. In other words, the client 102 can re-use the cryptographic key previously established in the first TLS session with SF node 124a to then resume the TLS session with SF node 124a at some later point in time, without having to perform another full TLS handshake. To do so, client 102 would include the ticket value of NewSessionTicket 208 in the “pre_shared_key” extension in its ClientHello message.


However, as mentioned previously, such a ClientHello, containing a PSK for TLS session resumption, must be directed to the same SF node that originated the PSK in the previous TLS session. In the context of the present example, a TLS session resumption request from client 102 would have to be forwarded to SF node 124a in order for the TLS session to be resumed without a new TLS handshake and key generation. However, in general, Service Function Forwarder 122 is unable to identify the SF node that generated a given PSK contained within a ClientHello message, due to various limitations of the TLS protocol.


Accordingly, FIG. 3 depicts a ladder diagram 300 of the underlying message exchange of an example embodiment of the present disclosure, designed to permit Service Function Forwarder 122 to correctly identify the SF node that generated a given PSK contained within a resume ClientHello message. As illustrated, a TLS session is established between client 102 and SF node 124a in a manner consistent with the above description of FIG. 2. However, after the TLS session has been established, SF node 124a is configured to further transmit a PSK identifier 310 to at least Service Function Forwarder 122. In some embodiments, a corresponding ticket lifetime may additionally be transmitted along with PSK identifier 310. In some embodiments, the transmission of PSK identifier 310 (and any corresponding ticket lifetime) may also be extended to include additional SF nodes of the same Service Function Group (i.e. SF nodes 124b and 124c of Service Function Group 120).


Upon receipt of PSK identifier 310, Service Function Forwarder 122 (and any SF nodes also receiving the PSK identifier) can construct a database or otherwise store in memory the association between the PSK identifier 310 and the originating SF node 124a. In some embodiments, the Service Function Forwarder 122 and the SF nodes may each construct a local memory structure for storing the PSK identifier 310. In some embodiments, a single centralized memory structure can be generated for storing the PSK identifier 310, and can be accessed by the Service Function Forwarder 122 and the SF nodes 124a-c as needed. In either embodiment, the memory structure can be stored in a conventional storage device (e.g. hard drive, solid state drive, etc.) or can be stored in RAM for faster access, and therefore, faster session resumption. Regardless of the specific configuration chosen for storing the PSK identifier 310, Service Function Forwarder 122 can access the memory structure to identify the appropriate originating SF node to forward a resume ClientHello message, as is described in greater detail below.


After PSK identifier 310 is transmitted to Service Function Forwarder 122 and any additional SF nodes, the TLS session between client 102 and SF node 124a continues as normal, exchanging application data 312 before the eventual termination 314 of the TLS session. Note that after terminating the TLS session with SF node 124a, client 102 still retains NewSessionTicket 208, which contains the PSK used in the TLS session and therefore allows session resumption without a new TLS handshake being required.


Thus, when client 102 desires to resume the TLS session, it generates a resume ClientHello message 316, which contains the ticket value of NewSessionTicket 208 in the “pre_shared_key” extension (i.e. the PSK identifier 310). Additionally, a zero round trip mode can be employed, wherein the ClientHello contains an initial flight of data or application data, encrypted using the PSK, such that the TLS session can be established and the initial flight of data immediately decrypted and acted upon, thereby increasing the speed and efficiency of the TLS session resumption.


The resume ClientHello message 316 is received at Service Function Forwarder 122, which parses the message to extract PSK identifier 310. Service Function Forwarder 122 may also extract and validate the corresponding ticket lifetime of PSK identifier 310 before proceeding. With the PSK identifier 310 extracted, Service Function Forwarder 122 then consults its database or memory structure to determine the specific SF node that is associated with PSK identifier 310, and therefore, is associated with the previous TLS session.


In this case, Service Function Forwarder 122 consults its database or memory structure and determines that the PSK identifier 310 contained within resume ClientHello message 316 was generated by SF node 124a, and therefore forwards resume ClientHello message 316 to SF node 124a. The TLS session then resumes using the same PSK that was used in the original TLS session between client 102 and SF node 124a.


If, for some reason, Service Function Forwarder 122 makes an error or otherwise fails to forward resume ClientHello message 316 to SF node 124a, the situation may still be resolved without resorting to a new TLS handshake. For example, if resume ClientHello message 316 is forwarded to SF node 124b, SF node 124b can extract the PSK identifier 310 and determine that the PSK identifier was generated by a different SF node. SF node 124b can then consult its memory structure, whether local or centralized, to determine that SF node 124a was the actual SF node that originated PSK identifier 310. On the basis of this determination, SF node 124b can redirect the resume ClientHello message 316 to SF node 124a, where the TLS session then resumes using the same PSK that was used in the original TLS session between client 102 and SF node 124a.


Advantageously, the TLS session has been resumed with a single transmission from client 102, and, using the same PSK as in the previous TLS session, SF node 124a is able to immediately act upon and decrypt any initial flight of data contained in resume ClientHello message 316. Accordingly, SF node 124a then generates a ServerHello message 318, as described previously, which also further includes corresponding application data responsive to the initial flight of data contained within resume ClientHello message 316. With the TLS session resumed, it then proceeds as normal, with the transmission of a Finished message 320 from client 102 and a subsequent exchange of application data 322.


In some embodiments, the PSK identifier and other data transmitted amongst the plurality of Service Function nodes 124a-c and the Service Function Forwarder 122 is shared using a publish-subscribe mechanism, as is known in the art. In such an embodiment, the SF node generating a NewSessionTicket and a new TLS session can be the publishing node. In some embodiments, the PSK identifier and other data transmitted amongst the plurality of Service Function nods 124a-c and the Service Function Forwarder 122 is shared via encapsulation in Network Service Header (NSH) metadata. In particular, an NSH Metadata-Type 2 Type Length Value (NSH MD-Type 2 TLV) can be employed.


Furthermore, various transport protocols can be employed with any of the TLS sessions referenced herein. For example, transport protocols might include TCP (Transmission Control Protocol) and QUIC (Quick UDP Internet Connections). In some scenarios, TCP Fast Start may be employed in order to transmit an initial flight of zero round trip data in the ClientHello. In particular, TCP Fast Start allows the initial fight of data to be carried in SYN and SYN-ACK packets. In the context of the example of FIG. 3, if Service Function Forwarder 122 detects a TLS ClientHello message, such as ClientHello 316, within a SYN packet carrying the PSK extension, then Service Function Forwarder 122 will extract PSK identifier 310 from the SYN packet. The process of identifying the originating SF node corresponding to PSK identifier 310 then proceeds as described above, and Service Function Forwarder 122 then forwards the SYN packet and all subsequent packets in the TCP session to the originating SF node 124a.


QUIC also supports an initial flight of zero round trip data. QUIC runs over UDP (User Datagram Protocol), and Service Function Forwarder 122 can identify a QUIC packet on a new connection based on the public header fields of the packet. When Service Function Forwarder 122 sees a TLS ClientHello message, such as ClientHello 316, carrying a PSK extension, then Service Function Forwarder 122 will extract PSK identifier 310 from the QUIC packet. The process of identifying the originating SF node corresponding to PSK identifier 310 then proceeds as described above, and Service Function Forwarder 122 then forwards the QUIC packet and all subsequent packets in the QUIC session to the originating SF node 124a. Unlike TCP, where TLS exchange takes place after the TLS handshake, UDP has no such dependency. Therefore, a Service Function node acting as a QUIC proxy or server in a TLS session would need only to convey the PSK identifier 310 and the corresponding ticket lifetime, using NSH in a new NSH TLV, to the Service Function Forwarder 122. As a QUIC proxy or server, it would not be strictly necessary for a Service Function node to convey the actual PSK itself. In some embodiments, when the QUIC connection is terminated, the Service Function node associated with the QUIC connection can share the information that the QUIC connection is closed by using NSH in a new NSH TLV to Service Function Forwarder 122. On the basis of this received information, Service Function Forwarder 122 can remove the state that it maintains for the now closed QUIC connection. Normally, Service Function Forwarder 122 would not be able to make such a determination, as the “CONNECTION_CLOSE” frame used to terminate the QUIC connection is encrypted, and therefore not visible to Service Function Forwarder 122.


While FIG. 3 is directed towards an embodiment in which a resume ClientHello message is forwarded to the same SF node that originated the PSK and handled the previous TLS session, it is also contemplated that a resume ClientHello message can be forwarded to any SF node and the TLS session can be resumed without requiring a full TLS handshake. Accordingly, FIG. 4 depicts a ladder diagram 400 of the underlying message exchange of an example embodiment of the present disclosure, designed to permit a TLS session to be resumed at any SF node without requiring a full TLS handshake. As illustrated, a TLS session is first established between client 102 and SF node 124a in a manner consistent with the above description of FIGS. 2 and 3.


However, when SF node 124a transmits PSK identifier 410 to Service Function Forwarder 122, it additionally transmits the PSK itself, using, for example, either the publish-subscribe or NSH encapsulation mechanisms described above. As is illustrated, SF node 124a may additionally transmit PSK identifier 410 and the PSK itself to additional SF nodes of the same Service Function Group (i.e. SF nodes 124b and 124c of Service Function Group 120), prior to or concurrent with the Application Data 412, and before the End Session 414.


Upon receipt of PSK identifier 410 and the PSK, Service Function Forwarder 122 and any SF nodes also receiving the PSK identifier and PSK can construct a database or otherwise store in memory the association between the PSK identifier 410 and the PSK. In some embodiments, the Service Function Forwarder 122 and the SF nodes may each construct a local memory structure for storing the PSK identifier 410 and the PSK. In some embodiments, a single centralized memory structure can be generated for storing the PSK identifier 410 and the PSK, and can be accessed by the Service Function Forwarder 122 and the SF nodes 124a-c as needed. In either embodiment, the memory structure can be stored in a conventional storage device (e.g. hard drive, solid state drive, etc.) or can be stored in RAM for faster access, and therefore, faster session resumption.


Thus, when client 102 desires to resume the TLS session, it generates a resume ClientHello message 416, which contains the ticket value of NewSessionTicket 208 in the “pre_shared_key” extension (i.e. the PSK identifier 410). If a zero round trip mode is employed, ClientHello 416 can also include an initial flight of data. The resume ClientHello message 416 is then received at Service Function Forwarder 122. In one embodiment, Service Function Forwarder 122 parses the message to extract PSK identifier 410. With the PSK identifier 410 extracted, Service Function Forwarder 122 then consults its database or memory structure (local or centralized) to determine and retrieve the PSK that is associated with PSK identifier 410, and therefore, is associated with the previous TLS session. Service Function Forwarder 122 then selects an SF node to forward the resume ClientHello message 416 to. This selection can be performed based off of various factors for load balancing or otherwise controlling the plurality of SF nodes underneath the control of Service Function Forwarder 122. As illustrated, Service Function Forwarder selects SF node 124b, and forwards the resume ClientHello message 416 and the PSK that is associated with PSK identifier 410. Consequently, although SF node 124b did not handle the previous TLS session with client 102, it receives the PSK that was used to encrypt the previous TLS session, and therefore is able to handle the resumed TLS session with client 102.


In another embodiment, Service Function Forwarder may immediately forward resume ClientHello message 416 to a selected SF node, without also including the PSK associated with PSK identifier 410. In this embodiment, SF node 124b receives the resume ClientHello message 416 and extracts PSK identifier 410. Based upon a determination that PSK identifier 410 was generated by a different SF node, SF node 124b consults its database or memory structure (local or centralized) to retrieve the PSK associated with the PSK identifier 410. Once the appropriate PSK is retrieved, SF node 124b is able to handle the resumed TLS session with client 102, even though SF node 124b did not handle the initial or prior TLS session with client 102.


In either embodiment, no additional TLS handshake is required, and the original PSK used to encrypt the first TLS session is re-used by the new SF node 124b. In this manner, whenever a new TLS session is established within the Service Function Group 120, the PSK identifier and the associated PSK are circulated and stored such that client 102 can resume its TLS session with any SF node connected to Service Function Forwarder 122. When the ClientHello message 416 includes an initial flight of data, the corresponding ServerHello message 418 can likewise include Application Data, thereby allowing the TLS session to resume immediately (i.e. with zero round trip time). Once resumed, the TLS session may proceed as described previously, with client 102 transmitting a Finished message 420, thereby triggering two way communication of Application Data 422 between client 102 and the new SF node 124b.


It can be desirable to provide an additional level of security by encrypting the PSK before it is transmitted. FIG. 5 depicts a ladder diagram 500 of the underlying message exchange of an example embodiment of the present disclosure, wherein the transmission of an encrypted PSK and associated decrypting material can permit a TLS session to be resumed at any SF node without requiring a full TLS handshake. As illustrated, a TLS session is first established between client 102 and SF node 124a in a manner consistent with the above description of FIGS. 2 and 3.


However, rather than transmitting a standard PSK identifier, SF node 124a instead transmits a PSK identifier that is a self-contained and self-authenticated ticket that can be decrypted to obtain the PSK for the TLS session. In addition to the self-contained and self-authenticated ticket, SF node 124a additionally transmits cryptographic data 510, comprising a key identifier (e.g. the “key_name” value) and the required cryptographic keying material for decrypting the self-contained and self-authenticated ticket. As described previously, the required cryptographic keying material and the key identifier of cryptographic data 510 can be stored in a database or memory structure, either centrally located or localized. Similarly, SF node 124a can transmit the cryptographic data 510 to one or more of Service Function Forwarder 122 and the plurality of SF nodes 124a-c that are connected to the Service Function Forwarder, prior to or concurrent with the Application Data 512, and before the End Session 514.


Thus, when client 102 desires to resume a TLS session, it generates a resume ClientHello message 516, which contains the self-contained and self-authenticated ticket in the “pre_shared_key” extension. If a zero round trip mode is employed, ClientHello 516 can also include an initial flight of data. The resume ClientHello message 516 is then received at Service Function Forwarder 122, which can perform load balancing or other forwarding logic to select an SF node to forward the resume ClientHello to. As illustrated, the selected node is SF node 124b. In one embodiment, Service Function Forwarder 122 parses ClientHello message 516 to extract the self-contained and self-authenticated ticket. Service Function Forwarder 122 then consults the database or memory structure to determine and retrieve, based on the key identifier, the required cryptographic keying material for decrypting the self-contained and self-authenticated ticket. Service Function Forwarder 122 then forwards resume ClientHello message 516 and the required cryptographic keying material for decrypting the self-contained and self-authenticated ticket to SF node 124b. Upon receipt, SF node 124b extracts the self-contained and self-authenticated ticket from resume ClientHello message 516, and utilizes the required cryptographic keying material received from the Service Function Forwarder 122 to decrypt the self-contained and self-authenticated ticket, thereby obtaining the PSK used to encrypt the previous TLS session between client 102 and SF node 124a. In this manner, SF node 124b is able to handle the resume TLS session with client 102, even though SF node 124b had no previous involvement in the prior TLS session.


In another embodiment, Service Function Forwarder 122 performs load balancing or other forwarding logic and immediately forwards resume ClientHello message 516 to the selected SF node 124b. Upon receipt, SF node 124b extracts the self-contained self-authenticated ticket from the PSK identifier of the ClientHello, and consults the database or memory structure to retrieve the required cryptographic keying material, based upon the key identifier. Once retrieved, SF node 124b uses the required cryptographic keying material to decrypt the self-contained and self-authenticated ticket, thereby obtaining the PSK used to encrypt the previous TLS session between client 102 and SF node 124a.


In either embodiment, no additional TLS handshake is required, and the TLS session is able to resume quickly and seamlessly because the original PSK used to encrypt the first TLS session is re-used by the new SF node 124b. In this manner, whenever a new TLS session is established within the Service Function Group 120, the key identifier and required cryptographic keying material of cryptographic data 510 are circulated and stored such that client 102 can resume its TLS session with any SF node connected to Service Function Forwarder 122. When the ClientHello message 516 includes an initial flight of data, the corresponding ServerHello message 518 can likewise include Application Data, thereby allowing the TLS session to resume immediately (i.e. with zero round trip time). Once resumed, the TLS session may proceed as described previously, with client 102 transmitting a Finished message 520, thereby triggering two way communication of Application Data 522 between client 102 and the new SF node 124b.


In general, methods of the present disclosure bring increased visibility of TLS sessions and their corresponding originating SF node to one or more of the Service Function Forwarder and the plurality of coupled SF nodes. Accordingly, new and improved methods for TLS session resumption are provided, such that the Service Function Forwarder can build and maintain a database or memory structure that tracks the associations between PSKs and their originating SF node. With this information, the Service Function Forwarder is capable of forwarding client resume requests to the same SF node that previously handled the TLS session with the client. Alternatively, the present disclosure also enables a different, new SF node to handle the TLS session resumption without forcing a new TLS handshake, by permitting the new SF node to locate and retrieve the same PSK that was used to encrypt the previous TLS session. In a first approach, the PSK is stored in a database or memory structure along with a corresponding PSK identifier. In a second approach, the PSK is stored in encrypted form in a self-contained and self-authenticating ticket that is transmitted to the new SF node, and the required cryptographic keying material to decrypt and extract the PSK is stored in a database or memory structure. By virtue of the present disclosure, client devices can thus resume TLS sessions at any SF node without having to perform a new TLS handshake, saving time and reducing unnecessary usage of computational resources.



FIG. 6A and FIG. 6B illustrate example system embodiments. The more appropriate embodiment will be apparent to those of ordinary skill in the art when practicing the present technology. Persons of ordinary skill in the art will also readily appreciate that other system embodiments are possible.



FIG. 6A illustrates a conventional system bus computing system architecture 600 wherein the components of the system are in electrical communication with each other using a bus 605. Exemplary system 600 includes a processing unit (CPU or processor) 610 and a system bus 605 that couples various system components including the system memory 615, such as read only memory (ROM) 620 and random access memory (RAM) 625, to the processor 610. The system 600 can include a cache of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 610. The system 600 can copy data from the memory 615 and/or the storage device 630 to the cache 612 for quick access by the processor 610. In this way, the cache can provide a performance boost that avoids processor 610 delays while waiting for data. These and other modules can control or be configured to control the processor 610 to perform various actions. Other system memory 615 may be available for use as well. The memory 615 can include multiple different types of memory with different performance characteristics. The processor 610 can include any general purpose processor and a hardware module or software module, such as module 1632, module 2634, and module 3636 stored in storage device 630, configured to control the processor 610 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. The processor 610 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.


To enable user interaction with the computing device 600, an input device 645 can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. An output device 635 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input to communicate with the computing device 600. The communications interface 640 can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.


Storage device 630 is a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 625, read only memory (ROM) 620, and hybrids thereof.


The storage device 630 can include software modules 632, 634, 636 for controlling the processor 610. Other hardware or software modules are contemplated. The storage device 630 can be connected to the system bus 605. In one aspect, a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as the processor 610, bus 605, display 635, and so forth, to carry out the function.



FIG. 6B illustrates an example computer system 650 having a chipset architecture that can be used in executing the described method and generating and displaying a graphical user interface (GUI). Computer system 650 is an example of computer hardware, software, and firmware that can be used to implement the disclosed technology. System 650 can include a processor 655, representative of any number of physically and/or logically distinct resources capable of executing software, firmware, and hardware configured to perform identified computations. Processor 655 can communicate with a chipset 660 that can control input to and output from processor 655. In this example, chipset 660 outputs information to output device 665, such as a display, and can read and write information to storage device 670, which can include magnetic media, and solid state media, for example. Chipset 660 can also read data from and write data to RAM 675. A bridge 680 for interfacing with a variety of user interface components 685 can be provided for interfacing with chipset 660. Such user interface components 685 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and so on. In general, inputs to system 650 can come from any of a variety of sources, machine generated and/or human generated.


Chipset 660 can also interface with one or more communication interfaces 690 that can have different physical interfaces. Such communication interfaces can include interfaces for wired and wireless local area networks, for broadband wireless networks, as well as personal area networks. Some applications of the methods for generating, displaying, and using the GUI disclosed herein can include receiving ordered datasets over the physical interface or be generated by the machine itself by processor 655 analyzing data stored in storage 670 or 675. Further, the machine can receive inputs from a user via user interface components 665 and execute appropriate functions, such as browsing functions by interpreting these inputs using processor 655.


It can be appreciated that example systems 600 and 650 can have more than one processor 610 or be part of a group or cluster of computing devices networked together to provide greater processing capability.


For clarity of explanation, in some instances the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.


In some embodiments the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.


Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.


Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.


The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.


Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims. Moreover, claim language reciting “at least one of” a set indicates that one member of the set or multiple members of the set satisfy the claim.

Claims
  • 1. A method comprising: receiving a connection request from a client device, the connection request including at least an identifier;determining, from the identifier, the client device was previously connected to a communication session with a first node;in response to determining the client device was previously connected to the communication session, retrieving from a database a key associated with the identifier;determining a second node to re-establish the communication session based at least in part on the identifier or key, wherein the second node and the first node are different nodes within a group of service function nodes between the client device and a destination device; andtransmitting the connection request to the second node to re-establish the communication session using the key between the client device and the second node.
  • 2. The method of claim 1, wherein the second node is determined by uniquely associated with the identifier from the connection request node.
  • 3. The method of claim 2, wherein the connection request is carried by a Transmission Control Protocol (TCP) SYN packet, such that the second node determines the TCP SYN packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the TCP SYN packet.
  • 4. The method of claim 2, wherein the connection request is carried by a Quick UDP Internet Connections (QUIC) packet, such that the second node determines the QUIC packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the QUIC packet.
  • 5. The method of claim 1, wherein the second node is selected by performing load balancing at a Service Function Forwarder (SFF).
  • 6. The method of claim 5, wherein a Pre-Shared Key (PSK) associated with the identifier is stored as an entry in a memory structure and the identifier is a corresponding entry lookup key for the PSK, such that the second node is configured to extract the identifier from the connection request and obtain the PSK from the memory structure to re-establish the communication session.
  • 7. The method of claim 5, wherein the identifier includes a self-contained ticket containing an encrypted copy of a Pre-Shared Key (PSK), and the second node is configured to receive required cryptographic keying material to decrypt the PSK from the SFF and/or one or more of the plurality of nodes, such that the second node is configured to extract the PSK from the self-contained ticket to re-establish the communication session.
  • 8. The method of claim 1, further comprising: forwarding the identifier to a Service Function Forwarder (SFF) and/or one or more of the group of nodes including a publish-subscribe mechanism.
  • 9. A non-transitory computer-readable device having stored therein instructions which, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving a connection request from a client device, the connection request including at least an identifier;determining, from the identifier, the client device was previously connected to a communication session with a first node;in response to determining the client device was previously connected to the communication session, retrieving from a database a key associated with the identifier;determining a second node to re-establish the communication session based at least in part on the identifier or key, wherein the second node and the first node are different nodes within a group of service function nodes between the client device and device; andtransmitting the connection request to the second node to re-establish the communication session using the key between the client device and the second node.
  • 10. The non-transitory computer-readable device of claim 9, wherein the instructions further cause the at least one processor to determining the second node is uniquely associated with the identifier from the connection request.
  • 11. The non-transitory computer-readable device of claim 9, wherein the connection request is carried by a Transmission Control Protocol (TCP) SYN packet, such that the second node determines the TCP SYN packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the TCP SYN packet.
  • 12. The non-transitory computer-readable device of claim 9, wherein the connection request is carried by a Quick UDP Internet Connections (QUIC) packet, such that the second node determines the QUIC packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the QUIC packet.
  • 13. The non-transitory computer-readable device of claim 9, wherein the instructions further cause the at least one processor to select the second node by performing load balancing at a Service Function Forwarder (SFF).
  • 14. The non-transitory computer-readable device of claim 13, wherein a Pre-Shared Key (PSK) associated with the identifier is stored as an entry in a memory structure and the identifier is a corresponding entry lookup key for the PSK, such that the second node extracts the identifier from the connection request and obtains the PSK from the memory structure in order to re-establish the communication session.
  • 15. The non-transitory computer-readable device of claim 13, wherein the identifier includes a self-contained ticket containing an encrypted copy of a Pre-Shared Key (PSK), and the second node is configured to receive cryptographic keying material to decrypt the PSK from the SFF and/or one or more of the plurality of nodes, such that the second node is configured to extract the PSK from the self-contained ticket to re-establish the communication session.
  • 16. The non-transitory computer-readable device of claim 9, wherein the instructions further cause the at least one processor to forward the identifier to a Service Function Forwarder (SFF) and/or one or more of a plurality of nodes with a publish-subscribe mechanism or a modification of Network Service Header (NSH) metadata.
  • 17. A system comprising: at least one processor; anda computer-readable memory coupled to the at least one processor, the memory including instructions stored therein that, when executed by the at least one processor, cause the at least one processor to perform operations comprising: receiving a connection request from a client device, the connection request including at least an identifier;determining, from the identifier, the client device was previously connected to a communication session with a first node;in response to determining the client device was previously connected to the communication session, retrieving from a database a key associated with the identifier;determining a second node to re-establish the communication session based at least in part on the identifier or key, wherein the second node and the first node are different nodes within a group of service function nodes between the client device and destination device; andtransmitting the connection request to the second node to re-establish the communication session using the key between the client device and the second node.
  • 18. The system of claim 17, wherein the operations include causing the at least one processor to determine the second node is uniquely associated with the identifier from the connection request.
  • 19. The system of claim 17, wherein the connection request is carried by a Quick UDP Internet Connections (QUIC) packet, such that the second node determines the QUIC packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the QUIC packet.
  • 20. The system of claim 17, wherein the operations include selecting the second node by performing load balancing at a Service Function Forwarder (SFF).
CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 15/582,026, filed Apr. 28, 2017, the contents of which is incorporated herein by reference in its entirety.

US Referenced Citations (367)
Number Name Date Kind
3629512 Yuan Dec 1971 A
4769811 Eckberg, Jr. et al. Sep 1988 A
5408231 Bowdon Apr 1995 A
5491690 Alfonsi et al. Feb 1996 A
5557609 Shobatake et al. Sep 1996 A
5600638 Bertin et al. Feb 1997 A
5687167 Bertin et al. Nov 1997 A
6115384 Parzych Sep 2000 A
6167438 Yates et al. Dec 2000 A
6226684 Sung May 2001 B1
6400681 Bertin et al. Jun 2002 B1
6661797 Goel et al. Dec 2003 B1
6687229 Kataria et al. Feb 2004 B1
6799270 Bull et al. Sep 2004 B1
6888828 Partanen et al. May 2005 B1
6993593 Iwata Jan 2006 B2
7027408 Nabkel et al. Apr 2006 B2
7062567 Benitez et al. Jun 2006 B2
7095715 Buckman et al. Aug 2006 B2
7096212 Tribble et al. Aug 2006 B2
7139239 McFarland Nov 2006 B2
7165107 Pouyoul et al. Jan 2007 B2
7197008 Shabtay et al. Mar 2007 B1
7197660 Liu et al. Mar 2007 B1
7209435 Kuo et al. Apr 2007 B1
7227872 Biswas et al. Jun 2007 B1
7231462 Berthaud et al. Jun 2007 B2
7333990 Thiagarajan et al. Feb 2008 B1
7443796 Albert et al. Oct 2008 B1
7458084 Zhang et al. Nov 2008 B2
7472411 Wing et al. Dec 2008 B2
7486622 Regan et al. Feb 2009 B2
7536396 Johnson et al. May 2009 B2
7552201 Areddu et al. Jun 2009 B2
7558261 Arregoces et al. Jul 2009 B2
7567504 Darling et al. Jul 2009 B2
7571470 Arregoces et al. Aug 2009 B2
7573879 Narad et al. Aug 2009 B2
7610375 Portolani et al. Oct 2009 B2
7643468 Arregoces et al. Jan 2010 B1
7644182 Banerjee et al. Jan 2010 B2
7647422 Singh et al. Jan 2010 B2
7657898 Sadiq Feb 2010 B2
7657940 Portolani et al. Feb 2010 B2
7668116 Wijnands et al. Feb 2010 B2
7684321 Muirhead et al. Mar 2010 B2
7738469 Shekokar et al. Jun 2010 B1
7751409 Carolan Jul 2010 B1
7793157 Bailey et al. Sep 2010 B2
7814284 Glass et al. Oct 2010 B1
7831693 Lai Nov 2010 B2
7852785 Lund et al. Dec 2010 B2
7860095 Forissier et al. Dec 2010 B2
7860100 Khalid et al. Dec 2010 B2
7895425 Khalid et al. Feb 2011 B2
7899012 Ho et al. Mar 2011 B2
7899861 Feblowitz et al. Mar 2011 B2
7907595 Khanna et al. Mar 2011 B2
7908480 Firestone et al. Mar 2011 B2
7983174 Monaghan et al. Jul 2011 B1
7990847 Leroy et al. Aug 2011 B1
8000329 Fendick et al. Aug 2011 B2
8018938 Fromm et al. Sep 2011 B1
8094575 Vadlakonda et al. Jan 2012 B1
8095683 Balasubramanian Jan 2012 B2
8116307 Thesayi et al. Feb 2012 B1
8166465 Feblowitz et al. Apr 2012 B2
8180909 Hartman et al. May 2012 B2
8191119 Wing et al. May 2012 B2
8195774 Lambeth et al. Jun 2012 B2
8280354 Smith et al. Oct 2012 B2
8281302 Durazzo et al. Oct 2012 B2
8291108 Raja et al. Oct 2012 B2
8305900 Bianconi Nov 2012 B2
8311045 Quinn et al. Nov 2012 B2
8316457 Paczkowski et al. Nov 2012 B1
8355332 Beaudette et al. Jan 2013 B2
8442043 Sharma et al. May 2013 B2
8451817 Cheriton May 2013 B2
8464336 Wei et al. Jun 2013 B2
8473981 Gargi Jun 2013 B1
8479298 Keith et al. Jul 2013 B2
8498414 Rossi Jul 2013 B2
8520672 Guichard et al. Aug 2013 B2
8601152 Chou Dec 2013 B1
8605588 Sankaran et al. Dec 2013 B2
8612612 Dukes et al. Dec 2013 B1
8627328 Mousseau et al. Jan 2014 B2
8645952 Biswas et al. Feb 2014 B2
8676965 Gueta Mar 2014 B2
8676980 Kreeger et al. Mar 2014 B2
8700892 Bollay et al. Apr 2014 B2
8724466 Kenigsberg et al. May 2014 B2
8730980 Bagepalli et al. May 2014 B2
8743885 Khan et al. Jun 2014 B2
8751420 Hjelm et al. Jun 2014 B2
8762534 Hong et al. Jun 2014 B1
8762707 Killian et al. Jun 2014 B2
8792490 Jabr et al. Jul 2014 B2
8793400 Mcdysan et al. Jul 2014 B2
8812730 Vos et al. Aug 2014 B2
8819419 Carlson et al. Aug 2014 B2
8825070 Akhtar et al. Sep 2014 B2
8830834 Sharma et al. Sep 2014 B2
8904037 Haggar et al. Dec 2014 B2
8984284 Purdy, Sr. et al. Mar 2015 B2
9001827 Appenzeller Apr 2015 B2
9071533 Hui et al. Jun 2015 B2
9077661 Andreasen et al. Jul 2015 B2
9088584 Feng et al. Jul 2015 B2
9130872 Kumar et al. Sep 2015 B2
9143438 Khan et al. Sep 2015 B2
9160797 Mcdysan Oct 2015 B2
9178812 Guichard et al. Nov 2015 B2
9189285 Ng et al. Nov 2015 B2
9203711 Agarwal et al. Dec 2015 B2
9253274 Quinn et al. Feb 2016 B2
9300579 Frost et al. Mar 2016 B2
9300585 Kumar et al. Mar 2016 B2
9311130 Christenson et al. Apr 2016 B2
9319324 Beheshti-Zavareh et al. Apr 2016 B2
9325565 Yao et al. Apr 2016 B2
9338097 Anand et al. May 2016 B2
9344337 Kumar et al. May 2016 B2
9374297 Bosch et al. Jun 2016 B2
9379931 Bosch et al. Jun 2016 B2
9385950 Quinn et al. Jul 2016 B2
9398486 La Roche, Jr. et al. Jul 2016 B2
9407540 Kumar et al. Aug 2016 B2
9413655 Shatzkamer et al. Aug 2016 B2
9424065 Singh et al. Aug 2016 B2
9436443 Chiosi et al. Sep 2016 B2
9444675 Guichard et al. Sep 2016 B2
9473570 Bhanujan et al. Oct 2016 B2
9479443 Bosch et al. Oct 2016 B2
9491094 Patwardhan et al. Nov 2016 B2
9537836 Maller et al. Jan 2017 B2
9558029 Behera et al. Jan 2017 B2
9559970 Kumar et al. Jan 2017 B2
9571405 Pignataro et al. Feb 2017 B2
9608896 Kumar et al. Mar 2017 B2
9614739 Kumar et al. Apr 2017 B2
9660909 Guichard et al. May 2017 B2
9723106 Shen et al. Aug 2017 B2
9774533 Zhang et al. Sep 2017 B2
9794379 Kumar et al. Oct 2017 B2
9825911 Brandwine Nov 2017 B1
9882776 Aybay et al. Jan 2018 B2
9929945 Schultz et al. Mar 2018 B2
10003530 Zhang et al. Jun 2018 B2
10291607 Cifelli May 2019 B1
10951652 Sharifi Mehr Mar 2021 B1
20010023442 Masters Sep 2001 A1
20020085562 Hufferd et al. Jul 2002 A1
20020131362 Callon Sep 2002 A1
20020156893 Pouyoul et al. Oct 2002 A1
20020167935 Nabkel et al. Nov 2002 A1
20030023879 Wray Jan 2003 A1
20030026257 Xu et al. Feb 2003 A1
20030037070 Marston Feb 2003 A1
20030088698 Singh et al. May 2003 A1
20030110081 Tosaki et al. Jun 2003 A1
20030120816 Berthaud et al. Jun 2003 A1
20030179742 Ogier Sep 2003 A1
20030214913 Kan et al. Nov 2003 A1
20030226142 Rand Dec 2003 A1
20040109412 Hansson et al. Jun 2004 A1
20040148391 Lake, Sr. et al. Jul 2004 A1
20040199812 Earl Oct 2004 A1
20040213160 Regan et al. Oct 2004 A1
20040264481 Darling et al. Dec 2004 A1
20040268357 Joy et al. Dec 2004 A1
20050044197 Lai Feb 2005 A1
20050058118 Davis Mar 2005 A1
20050060572 Kung Mar 2005 A1
20050086367 Conta et al. Apr 2005 A1
20050120101 Nocera Jun 2005 A1
20050152378 Bango et al. Jul 2005 A1
20050157645 Rabie et al. Jul 2005 A1
20050160180 Rabje et al. Jul 2005 A1
20050204042 Banerjee et al. Sep 2005 A1
20050210096 Bishop et al. Sep 2005 A1
20050257002 Nguyen Nov 2005 A1
20050281257 Yazaki et al. Dec 2005 A1
20050286540 Hurtta et al. Dec 2005 A1
20050289244 Sahu et al. Dec 2005 A1
20060005240 Sundarrajan et al. Jan 2006 A1
20060031374 Lu et al. Feb 2006 A1
20060037072 Rao Feb 2006 A1
20060045024 Previdi et al. Mar 2006 A1
20060074502 Mcfarland Apr 2006 A1
20060092950 Arregoces et al. May 2006 A1
20060095960 Arregoces et al. May 2006 A1
20060112400 Zhang et al. May 2006 A1
20060146767 Moganti Jul 2006 A1
20060155862 Kathi et al. Jul 2006 A1
20060168223 Mishra et al. Jul 2006 A1
20060233106 Achlioptas et al. Oct 2006 A1
20060233155 Srivastava Oct 2006 A1
20070061441 Landis et al. Mar 2007 A1
20070067435 Landis et al. Mar 2007 A1
20070094397 Krelbaum et al. Apr 2007 A1
20070143851 Nicodemus et al. Jun 2007 A1
20070237147 Quinn et al. Oct 2007 A1
20070250836 Li et al. Oct 2007 A1
20080056153 Liu Mar 2008 A1
20080080509 Khanna et al. Apr 2008 A1
20080080517 Roy et al. Apr 2008 A1
20080170542 Hu Jul 2008 A1
20080177896 Quinn et al. Jul 2008 A1
20080181118 Sharma et al. Jul 2008 A1
20080196083 Parks et al. Aug 2008 A1
20080209039 Tracey et al. Aug 2008 A1
20080219287 Krueger et al. Sep 2008 A1
20080225710 Raja et al. Sep 2008 A1
20080291910 Tadimeti et al. Nov 2008 A1
20090003364 Fendick et al. Jan 2009 A1
20090006152 Timmerman et al. Jan 2009 A1
20090037713 Khalid et al. Feb 2009 A1
20090094684 Chinnusamy et al. Apr 2009 A1
20090116412 Yanagihara May 2009 A1
20090204612 Keshavarz-nia et al. Aug 2009 A1
20090271656 Yokota et al. Oct 2009 A1
20090300207 Giaretta et al. Dec 2009 A1
20090305699 Deshpande et al. Dec 2009 A1
20090328054 Paramasivam et al. Dec 2009 A1
20100058329 Durazzo et al. Mar 2010 A1
20100063988 Khalid Mar 2010 A1
20100080226 Khalid Apr 2010 A1
20100165985 Sharma et al. Jul 2010 A1
20100191612 Raleigh Jul 2010 A1
20100211658 Hoogerwerf et al. Aug 2010 A1
20110023090 Asati et al. Jan 2011 A1
20110032833 Zhang et al. Feb 2011 A1
20110055845 Nandagopal et al. Mar 2011 A1
20110131338 Hu Jun 2011 A1
20110137991 Russell Jun 2011 A1
20110142056 Manoj Jun 2011 A1
20110161494 Mcdysan et al. Jun 2011 A1
20110222412 Kompella Sep 2011 A1
20110255538 Srinivasan et al. Oct 2011 A1
20110267947 Dhar et al. Nov 2011 A1
20120016977 Robertson Jan 2012 A1
20120131662 Kuik et al. May 2012 A1
20120147894 Mulligan et al. Jun 2012 A1
20120324442 Barde Dec 2012 A1
20120331135 Alon et al. Dec 2012 A1
20130003735 Chao et al. Jan 2013 A1
20130003736 Szyszko et al. Jan 2013 A1
20130040640 Chen et al. Feb 2013 A1
20130044636 Koponen et al. Feb 2013 A1
20130121137 Feng et al. May 2013 A1
20130124708 Lee et al. May 2013 A1
20130163594 Sharma et al. Jun 2013 A1
20130163606 Bagepalli et al. Jun 2013 A1
20130238806 Moen Sep 2013 A1
20130272305 Lefebvre et al. Oct 2013 A1
20130311675 Kancherla Nov 2013 A1
20130329584 Ghose et al. Dec 2013 A1
20140010083 Hamdi et al. Jan 2014 A1
20140010096 Kamble et al. Jan 2014 A1
20140036730 Nellikar et al. Feb 2014 A1
20140050223 Foo et al. Feb 2014 A1
20140067758 Boldyrev et al. Mar 2014 A1
20140105062 McDysan et al. Apr 2014 A1
20140181267 Wadkins et al. Jun 2014 A1
20140254603 Banavalikar et al. Sep 2014 A1
20140259012 Nandlall et al. Sep 2014 A1
20140279863 Krishnamurthy et al. Sep 2014 A1
20140280836 Kumar et al. Sep 2014 A1
20140286354 Van De Poel Sep 2014 A1
20140317261 Shatzkamer et al. Oct 2014 A1
20140321459 Kumar et al. Oct 2014 A1
20140334295 Guichard et al. Nov 2014 A1
20140344439 Kempf et al. Nov 2014 A1
20140362682 Guichard et al. Dec 2014 A1
20140362857 Guichard et al. Dec 2014 A1
20140369209 Khurshid et al. Dec 2014 A1
20140376558 Rao et al. Dec 2014 A1
20150003455 Haddad et al. Jan 2015 A1
20150012584 Lo et al. Jan 2015 A1
20150012988 Jeng et al. Jan 2015 A1
20150029871 Frost et al. Jan 2015 A1
20150032871 Allan et al. Jan 2015 A1
20150052516 French et al. Feb 2015 A1
20150071285 Kumar et al. Mar 2015 A1
20150074276 DeCusatis et al. Mar 2015 A1
20150082308 Kiess et al. Mar 2015 A1
20150085635 Wijnands et al. Mar 2015 A1
20150085870 Narasimha et al. Mar 2015 A1
20150089082 Patwardhan et al. Mar 2015 A1
20150092564 Aldrin Apr 2015 A1
20150103827 Quinn et al. Apr 2015 A1
20150117308 Kant Apr 2015 A1
20150124622 Kovvali et al. May 2015 A1
20150131484 Aldrin May 2015 A1
20150131660 Shepherd et al. May 2015 A1
20150156035 Foo et al. Jun 2015 A1
20150180725 Varney et al. Jun 2015 A1
20150180767 Tam et al. Jun 2015 A1
20150181309 Shepherd et al. Jun 2015 A1
20150188949 Mahaffey et al. Jul 2015 A1
20150195197 Yong et al. Jul 2015 A1
20150222516 Deval et al. Aug 2015 A1
20150222533 Birrittella et al. Aug 2015 A1
20150236948 Dunbar et al. Aug 2015 A1
20150319078 Lee et al. Nov 2015 A1
20150319081 Kasturi et al. Nov 2015 A1
20150326473 Dunbar et al. Nov 2015 A1
20150333930 Aysola et al. Nov 2015 A1
20150334027 Bosch et al. Nov 2015 A1
20150341285 Aysola et al. Nov 2015 A1
20150365495 Fan et al. Dec 2015 A1
20150381465 Narayanan et al. Dec 2015 A1
20150381557 Fan et al. Dec 2015 A1
20160014016 Guichard Jan 2016 A1
20160028604 Chakrabarti et al. Jan 2016 A1
20160028640 Zhang et al. Jan 2016 A1
20160043952 Zhang et al. Feb 2016 A1
20160050117 Voellmy et al. Feb 2016 A1
20160050132 Zhang Feb 2016 A1
20160080263 Park et al. Mar 2016 A1
20160099853 Nedeltchev et al. Apr 2016 A1
20160119159 Zhao et al. Apr 2016 A1
20160119253 Kang et al. Apr 2016 A1
20160127139 Tian et al. May 2016 A1
20160134518 Callon et al. May 2016 A1
20160134535 Callon May 2016 A1
20160139939 Bosch et al. May 2016 A1
20160164776 Biancaniello Jun 2016 A1
20160165014 Nainar et al. Jun 2016 A1
20160173373 Guichard et al. Jun 2016 A1
20160173464 Wang et al. Jun 2016 A1
20160182336 Doctor et al. Jun 2016 A1
20160182342 Singaravelu et al. Jun 2016 A1
20160182684 Connor et al. Jun 2016 A1
20160212017 Li et al. Jul 2016 A1
20160226742 Apathotharanan et al. Aug 2016 A1
20160248685 Pignataro et al. Aug 2016 A1
20160277250 Maes Sep 2016 A1
20160285720 Mäenpäá et al. Sep 2016 A1
20160315916 Rothstein Oct 2016 A1
20160323165 Boucadair et al. Nov 2016 A1
20160352629 Wang et al. Dec 2016 A1
20160380966 Gunnalan et al. Dec 2016 A1
20170019303 Swamy et al. Jan 2017 A1
20170031804 Ciszewski et al. Feb 2017 A1
20170078175 Xu et al. Mar 2017 A1
20170126643 Wood May 2017 A1
20170134357 Ohlsson May 2017 A1
20170187609 Lee et al. Jun 2017 A1
20170208000 Bosch et al. Jul 2017 A1
20170214627 Zhang et al. Jul 2017 A1
20170237656 Gage et al. Aug 2017 A1
20170250917 Ruckstuhl et al. Aug 2017 A1
20170272470 Gundamaraju et al. Sep 2017 A1
20170279664 Zhang Sep 2017 A1
20170279712 Nainar et al. Sep 2017 A1
20170310611 Kumar et al. Oct 2017 A1
20170331741 Fedyk et al. Nov 2017 A1
20180013841 Nainar et al. Jan 2018 A1
20180026884 Nainar et al. Jan 2018 A1
20180026887 Nainar et al. Jan 2018 A1
20180041470 Schultz et al. Feb 2018 A1
20180062991 Nainar et al. Mar 2018 A1
20180139796 Beijar May 2018 A1
20180198823 Johansson Jul 2018 A1
Foreign Referenced Citations (12)
Number Date Country
103716123 Apr 2014 CN
103716137 Apr 2014 CN
3160073 Apr 2017 EP
2016149686 Aug 2016 JP
WO 2011029321 Mar 2011 WO
WO 2012056404 May 2012 WO
WO 2015065353 May 2015 WO
WO 2015180559 Dec 2015 WO
WO 2015187337 Dec 2015 WO
WO 2016004556 Jan 2016 WO
WO 2016058245 Apr 2016 WO
WO 2017011607 Jan 2017 WO
Non-Patent Literature Citations (60)
Entry
Aldrin, S., et al. “Service Function Chaining Operation, Administration and Maintenance Framework,” Internet Engineering Task Force, Oct. 26, 2014, 13 pages.
Alizadeh, Mohammad, et al., “CONGA: Distributed Congestion-Aware Load Balancing for Datacenters,” SIGCOMM '14, Aug. 17-22, 2014, 12 pages.
Author Unknown, “ANSI/SCTE 35 2007 Digital Program Insertion Cueing Message for Cable,” Engineering Committee, Digital Video Subcommittee, American National Standard, Society of Cable Telecommunications Engineers, © Society of Cable Telecommunications Engineers, Inc. 2007 All Rights Reserved, 140 Philips Road, Exton, PA 19341; 42 pages.
Author Unknown, “AWS Lambda Developer Guide,” Amazon Web Services Inc., May 2017, 416 pages.
Author Unknown, “CEA-708,” from Wikipedia, the free encyclopedia, Nov. 15, 2012; 16 pages http://en.wikipedia.org/w/index.php?title=CEA-708&oldid=523143431.
Author Unknown, “Cisco and Intel High-Performance VNFs on Cisco NFV Infrastructure,” White Paper, Cisco and Intel, Oct. 2016, 7 pages.
Author Unknown, “Cloud Functions Overview,” Cloud Functions Documentation, Mar. 21, 2017, 3 pages; https://cloud.google.com/functions/docs/concepts/overview.
Author Unknown, “Cloud-Native VNF Modelling,” Open Source Mano, © ETSI 2016, 18 pages.
Author Unknown, “Digital Program Insertion,” from Wikipedia, the free encyclopedia, Jan. 2, 2012; 1 page http://en.wikipedia.org/w/index.php?title=Digital_Program_Insertion&oldid=469076482.
Author Unknown, “Dynamic Adaptive Streaming over HTTP,” from Wikipedia, the free encyclopedia, Oct. 25, 2012; 3 pages, http://en.wikipedia.org/w/index.php?title=Dynannic_Adaptive_Streanning_over_HTTP&oldid=519749189.
Author Unknown, “GStreamer and in-band metadata,” from RidgeRun Developer Connection, Jun. 19, 2012, 5 pages https://developersidgerun.conn/wiki/index.php/GStreanner_and_in-band_nnetadata.
Author Unknown, “IEEE Standard for the Functional Architecture of Next Generation Service Overlay Networks, IEEE Std. 1903-2011,” IEEE, Piscataway, NJ, Oct. 7, 2011; 147 pages.
Author Unknown, “ISO/IEC JTC 1/SC 29, Information Technology—Dynamic Adaptive Streaming over HTTP (DASH)—Part 1: Media Presentation Description and Segment Formats,” International Standard © ISO/IEC 2012—All Rights Reserved; Jan. 5, 2012; 131 pages.
Author Unknown, “M-PEG 2 Transmission,” © Dr. Gorry Fairhurst, 9 pages [Published on or about Jan. 12, 2012] http://www.erg.abdn.ac.uk/future-net/digital-video/mpeg2-trans.html.
Author Unknown, “MPEG Transport Stream,” from Wikipedia, the free encyclopedia, Nov. 11, 2012; 7 pages, http://en.wikipedia.org/w/index.php?title=MPEG_transport_streann&oldid=522468296.
Author Unknown, “Network Functions Virtualisation (NFV); Use Cases,” ETSI, GS NFV 001 v1.1.1, Architectural Framework, © European Telecommunications Standards Institute, Oct. 2013, 50 pages.
Author Unknown, “OpenNebula 4.6 User Guide,” Jun. 12, 2014, opennebula.org, 87 pages.
Author Unknown, “Understanding Azure, A Guide for Developers,” Microsoft Corporation, Copyright © 2016 Microsoft Corporation, 39 pages.
Author Unknown, “3GPP TR 23.803 V7.0.0 (Sep. 2005) Technical Specification: Group Services and System Aspects; Evolution of Policy Control and Charging (Release 7),” 3rd Generation Partnership Project (3GPP), 650 Route des Lucioles—Sophia Antipolis Val bonne—France, Sep. 2005; 30 pages.
Author Unknown, “3GPP TS 23.203 V8.9.0 (Mar. 2010) Technical Specification: Group Services and System Aspects; Policy and Charging Control Architecture (Release 8),” 3rd Generation Partnership Project (3GPP), 650 Route des Lucioles—Sophia Antipolis Val bonne—France, Mar. 2010; 116 pages.
Author Unknown, “3GPP TS 23.401 V13.5.0 (Dec. 2015) Technical Specification: 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access (Release 13),” 3GPP, 650 Route des Lucioles—Sophia Antipolis Valbonne—France, Dec. 2015, 337 pages.
Author Unknown, “3GPP TS 23.401 V9.5.0 (Jun. 2010) Technical Specification: Group Services and Systems Aspects; General Packet Radio Service (GPRS) Enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) Access (Release 9),” 3rd Generation Partnership Project (3GPP), 650 Route des Lucioles—Sophia Antipolis Valbonne—France, Jun. 2010; 259 pages.
Author Unknown, “3GPP TS 29.212 V13.1.0 (Mar. 2015) Technical Specification: 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Policy and Charging Control (PCC); Reference points (Release 13),” 3rd Generation Partnership Project (3GPP), 650 Route des Lucioles—Sophia Antipolis Valbonne—France, Mar. 2015; 230 pages.
Author Unknown, “Service-Aware Network Architecture Based on SDN, NFV, and Network Intelligence,” 2014, 8 pages.
Baird, Andrew, et al. “AWS Serverless Multi-Tier Architectures; Using Amazon API Gateway and AWS Lambda,” Amazon Web Services Inc., Nov. 2015, 20 pages.
Bi, Jing, et al., “Dynamic Provisioning Modeling for Virtualized Multi-tier Applications in Cloud Data Center,” 2010 IEEE 3rd International Conference on Cloud Computing, Jul. 5, 2010, pp. 370-377, IEEE Computer Society.
Bitar, N., et al., “Interface to the Routing System (I2RS) for the Service Chaining: Use Cases and Requirements,” draft-bitar-i2rs-service-chaining-01, Feb. 14, 2014, pp. 1-15.
Boucadair, Mohamed, et al., “Differentiated Service Function Chaining Framework,” Network Working Group Internet Draft draft-boucadair-network-function-chaining-03, Aug. 21, 2013, 21 pages.
Bremler-Barr, Anat, et al., “Deep Packet Inspection as a Service,” CoNEXT '14, Dec. 2-5, 2014, pp. 271-282.
Cisco Systems, Inc. “Cisco NSH Service Chaining Configuration Guide,” Jul. 28, 2017, 11 pages.
Cisco Systems, Inc. “Cisco VN-LINK: Virtualization-Aware Networking,” 2009, 9 pages.
Dunbar, et al., “Architecture for Chaining Legacy Layer 4-7 Service Functions,” IETF Network Working Group Internet Draft, draft-dunbar-sfc-legacy-14-17-chain-architecture-03.txt, Feb. 10, 2014; 17 pages.
Ersue, Mehmet, “ETSI NFV Management and Orchestration—An Overview,” Presentation at the IETF# 88 Meeting, Nov. 3, 2013, 14 pages.
Farrel, A., et al., “A Path Computation Element (PCE)—Based Architecture,” RFC 4655, Network Working Group, Aug. 2006, 40 pages.
Fayaz, Seyed K., et al., “Efficient Network Reachability Analysis using a Succinct Control Plane Representation,” 2016, ratul.org, pp. 1-16.
Halpern, Joel, et al., “Service Function Chaining (SFC) Architecture,” Internet Engineering Task Force (IETF), Cisco, Oct. 2015, 32 pages.
Hendrickson, Scott, et al. “Serverless Computation with OpenLambda,” Elastic 60, University of Wisconson, Madison, Jun. 20, 2016, 7 pages, https://www.usenix.org/system/files/conference/hotcloud16/hotcloud16_hendrickson.pdf.
Jiang, Y., et al., “An Architecture of Service Function Chaining,” IETF Network Working Group Internet Draft, draft-jiang-sfc-arch-01.txt, Feb. 14, 2014; 12 pages.
Jiang, Yuanlong, et al., “Fault Management in Service Function Chaining,” Network Working Group, China Telecom, Oct. 16, 2015, 13 pages.
Katsikas, Goergios P., et al., “Profiling and accelerating commodity NFV service chains with SCC,” The Journal of Systems and Software, vol. 127, Jan. 2017, pp. 12-27.
Kumar, Surendra, et al., “Service Function Path Optimization: draft-kumar-sfc-sfp-optimization-00.txt,” Internet Engineering Task Force, IETF; Standard Working Draft, May 10, 2014, 14 pages.
Kumbhare, Abhijit, et al., “Opendaylight Service Function Chaining Use-Cases,” Oct. 14, 2014, 25 pages.
Li, Hongyu, “Service Function Chaining Use Cases”, IETF 88 Vancouver, Nov. 7, 2013, 7 pages.
Mortensen, A., et al., “Distributed Denial of Service (DDoS) Open Threat Signaling Requirements,” DOTS, Mar. 18, 2016, 16 pages; https://tools.ietf.org/pdf/draft-ietf-dots-requirements-01.pdf.
Newman, David, “Review: FireEye fights off multi-stage malware,” Network World, May 5, 2014, 7 pages.
Nguyen, Kim-Khoa, et al. “Distributed Control Plane Architecture of Next Generation IP Routers,” IEEE, 2009, 8 pages.
Penno, Reinaldo, et al. “Packet Generation in Service Function Chains,” draft-penno-sfc-packet-03, Apr. 29, 2016, 25 pages.
Penno, Reinaldo, et al. “Services Function Chaining Traceroute,” draft-penno-sfc-trace-03, Sep. 30, 2015, 9 pages.
Pierre-Louis, Marc-Arhtur, “OpenWhisk: A quick tech preview,” DeveloperWorks Open, IBM, Feb. 22, 2016, modified Mar. 3, 2016, 7 pages; https://developer.ibm.com/open/2016/02/22/openwhisk-a-quick-tech-preview/.
Pujol, Pua Capdevila, “Deployment of NFV and SFC scenarios,” EETAC, Master Thesis, Advisor: David Rincon Rivera, Universitat Politecnica De Catalunya, Feb. 17, 2017, 115 pages.
Quinn, P., et al., “Network Service Header,” Network Working Group, Mar. 24, 2015, 42 pages; https://tools.ietf.org/pdf/draft-ietf-sfc-nsh-00.pdf.
Quinn, P., et al., “Network Service Chaining Problem Statement,” draft-quinn-nsc-problem-statement-03.txt, Aug. 26, 2013, 18 pages.
Quinn, Paul, et al., “Network Service Header,” Network Working Group, draft-quinn-sfc-nsh-02.txt, Feb. 14, 2014, 21 pages.
Quinn, Paul, et al., “Network Service Header,” Network Working Group, draft-quinn-nsh-00.txt, Jun. 13, 2013, 20 pages.
Quinn, Paul, et al., “Network Service Header,” Network Working Group Internet Draft draft-quinn-nsh-01, Jul. 12, 2013, 20 pages.
Quinn, Paul, et al., “Service Function Chaining (SFC) Architecture,” Network Working Group Internet Draft draft-quinn-sfc-arch-05.txt, May 5, 2014, 31 pages.
Quinn, Paul, et al., “Service Function Chaining: Creating a Service Plane via Network Service Headers,” IEEE Computer Society, 2014, pp. 38-44.
Wong, Fei, et al., “SMPTE-TT Embedded in ID3 for HTTP Live Streaming, draft-smpte-id3-http-live-streaming-00,” Informational Internet Draft, Jun. 2012, 7 pages http://tools.ietf.org/htnnl/draft-snnpte-id3-http-live-streaming-00.
Yadav, Rishi, “What Real Cloud-Native Apps Will Look Like,” Crunch Network, posted Aug. 3, 2016, 8 pages; https://techcrunch.com/2016/08/03/what-real-cloud-native-apps-wiil-look-like/.
Zhang, Ying, et al. “StEERING: A Software-Defined Networking for Inline Service Chaining,” IEEE, 2013, IEEE, p. 10 pages.
Related Publications (1)
Number Date Country
20200177631 A1 Jun 2020 US
Continuations (1)
Number Date Country
Parent 15582026 Apr 2017 US
Child 16780047 US