Today, site-to-site virtual private network (VPN) configuration can be done with policy-based VPNs or route-based VPNs. The policy-based VPN relies on a policy defined by, for example, a system administrator, and the VPN configuration may be changed only if the policy is changed. As such, the policy-based VPN is difficult to dynamically modify and scale up, and the rules supported are limited to IP/Port/Protocol-based rules. In contrast, route-based VPN uses routing to decide which traffic needs to be protected and directed to a virtual tunnel interface (VTI). Since the route-based VPN supports dynamic routing protocols, it enables dynamic modification of the definitions of the protected traffic, and thus provides scalability. Additionally, the route-based VPN provides some benefits that are not provided by the policy-based VPN. For example, without reconfiguring the VPN, but based on dynamically updated Border Gateway Protocol (BGP) configuration data, the route-based VPN can dynamically modify the definitions of the protected traffic, and also supports high availability via routing.
However the route-based VPN also suffers from some performance issues, such as limited throughput. A packet sending gateway typically uses one VPN tunnel to transmit the protected traffic, but, if the traffic directed to the VPN tunnel exceeds the tunnel capacity, then some packets are dropped as the tunnel's throughput is limited. Additionally, other issues such as CPU balancing issues occur and a selected CPU may become overloaded while other CPUs may be underutilized.
Some embodiments of the invention provide a method for transmitting data messages via secure tunnels in a network. The method of some embodiments is performed by a gateway device (e.g., an edge gateway device). The method determines that a data message received at the gateway device should be sent via a secure interface of the gateway device (e.g., a virtual tunnel interface (VTI)). From multiple different firewall rules that map to multiple different secure tunnels used by the secure interface, the method matches the data message to a firewall rule that maps to a particular secure tunnel. The method then encapsulates the data message with a header that includes an indicator value (e.g., a security parameter index (SPI)) specifying the particular secure tunnel and forwards the encapsulated data message to a destination interface (e.g., a destination VTI of a destination gateway device).
In some embodiments, the network is implemented by an underlying physical infrastructure of wired and/or wireless communications mediums, routers, switches, etc., and, in some embodiments, may include the Internet, as well as any direct connections between the gateway devices. In some embodiments, the direct connections may refer to interconnections between network endpoints within a same datacenter and/or a same physical device, or other proprietary network connection interconnecting the gateway devices. The connections of some embodiments are established using Internet Protocol Security (IPsec). IPsec is a group of protocols that are used together to set up encrypted connections between devices such that private data can be securely sent over public networks. In some embodiments, IPsec is used to set up Virtual Private Networks (VPNs) by encrypting IP data messages and authenticating the source of the data messages. IPsec VPNs can be used by enterprises to interconnect geographically dispersed branch office locations across a Wide Area Network (WAN) (e.g., the Internet), as well as by cloud providers to encrypt IP traffic traversing datacenter interconnect WAN so as to meet the security and compliance requirements (e.g., in financial cloud and governmental cloud environments).
In some embodiments, the destination interface includes multiple different security associations (SAs) for processing data messages, with the different secure tunnels corresponding to the different SAs. Each SA, in some embodiments, is defined for processing data messages matching one or more firewall rules that map to the corresponding secure tunnels. In some embodiments, each SA performs one or more actions on received data messages according to the one or more firewall rules matching the received data messages. As such, the data message of some embodiments is received at the destination interface by a particular SA to which the particular secure tunnel maps. At the destination interface, any actions (e.g., decapsulation and/or decryption) specified by the particular SA are performed on the data message.
The source gateway device matches the data message to the firewall rule by matching a set of attributes (e.g., a set of message header values) of the data message to corresponding attributes specified by the firewall rule. Examples of such attributes include source and destination MAC addresses, source and destination IP addresses, source and destination port numbers, source and destination machine tags, and user identifiers, among others. In some embodiments, such as when the network is a cloud network (e.g., public or private cloud network), the attribute is a cloud service provider associated with a source and/or destination of the data message.
At time of setup, the source and destination gateway devices receive the firewall rules from a network manager in some embodiments. During an Internet key exchange (IKE) session, the source and destination gateway devices then negotiate multiple IPsec rules and integrate the received firewall rules with the IPsec rules. Additionally, during the IKE session, the source and destination gateway devices negotiate the secure tunnels and the SAs and map (1) the different firewall rules to the different secure tunnels as well as (2) the different secure tunnels to the different SAs.
The preceding Summary is intended to serve as a brief introduction to some embodiments of the invention. It is not meant to be an introduction or overview of all inventive subject matter disclosed in this document. The Detailed Description that follows and the Drawings that are referred to in the Detailed Description will further describe the embodiments described in the Summary as well as other embodiments. Accordingly, to understand all the embodiments described by this document, a full review of the Summary, the Detailed Description, the Drawings, and the Claims is needed. Moreover, the claimed subject matters are not to be limited by the illustrative details in the Summary, the Detailed Description, and the Drawings.
The novel features of the invention are set forth in the appended claims. However, for purposes of explanation, several embodiments of the invention are set forth in the following figures.
In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it will be clear and apparent to one skilled in the art that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.
Some embodiments of the invention provide a method for transmitting data messages via secure tunnels in a network. The method of some embodiments is performed by a gateway device (e.g., an edge gateway device). The method determines that a data message received at the gateway device should be sent via a secure interface of the gateway device (e.g., a virtual tunnel interface (VTI)). From multiple different firewall rules that map to multiple different secure tunnels used by the secure interface, the method matches the data message to a firewall rule that maps to a particular secure tunnel. The method then encapsulates the data message with a header that includes an indicator value (e.g., a security parameter index (SPI)) specifying the particular secure tunnel, and forwards the encapsulated data message to a destination interface (e.g., a destination VTI of a destination gateway device).
In some embodiments, connections using the paths 120 are established using Internet Protocol Security (IPsec). IPsec is a group of protocols that are used together to set up encrypted connections between devices such that private data can be securely sent over public networks. In some embodiments, IPsec is used to set up Virtual Private Networks (VPNs) by encrypting IP data messages and authenticating the source of the data messages. In some embodiments, one or more of the paths 120 are through a VPN tunnel (not shown) between the source and destination gateways 110 and 115. IPsec VPNs can be used by enterprises to interconnect geographically-dispersed branch office locations across a Wide Area Network (WAN) (e.g., the Internet), as well as by cloud providers to encrypt IP traffic traversing datacenter interconnect WAN so as to meet the security and compliance requirements (e.g., in financial cloud and governmental cloud environments).
The source gateway 110 includes IPsec tunnels datapath 130, as shown. In some embodiments, each of the gateways 110 and 115 also includes an Internet key exchange (IKE) control stack (not shown). The IKE-control stack is a submodule of the VPN control plane, while the IPsec tunnels datapaths 130 and 140 represent the VPN dataplane. In some embodiments, these modules are modules of software instructions being executed by one or more processing units (e.g., a processor) of a computing device. In some embodiments, the modules are modules of hardware circuits implemented by one or more integrated circuits (ICs) of an electronic apparatus. The modules (i.e., IKE-control stack and IPsec tunnels datapath) are separate modules, in some embodiments, while in other embodiments, some of the modules can be combined into a single module.
In some embodiments, the IKE control stack (not shown) controls the operations of IPsec, including establishing and maintaining VPN sessions and security associations (SAs). The IKE control stacks provide the necessary key data to IPsec tunnels datapaths 130 and 140 for authenticating and encrypting payloads (e.g., SA information, SA group object information, and port information for encapsulation). The IPsec tunnels datapaths 130 and 140 perform the operations of the individual VPN tunnels, in some embodiments, and are responsible for path selection, as will be described further below.
The IPsec tunnels datapath 130 performs the operations of the individual VPN tunnels (i.e., one or more of the paths 120). In some embodiments, the source gateway 110 also includes a traffic analyzer (not shown) to which the IPsec tunnels datapath 130 provides traffic statistics of the tunnels. In some embodiments, The IPsec tunnels datapath 130 may include various VPN data plane modules. The IPsec tunnels datapath 130 also performs encryption and authentication of payloads based on the SA information provided by an IKE control stack (not shown) of the source gateway 110. In some embodiments, the IPsec tunnels datapath 130 also encapsulates encrypted payloads in UDP headers that include UDP port numbers based on a path identified for a data message (e.g., based on the firewall rules table 125).
An SA is the establishment of shared security attributes between two network entities (e.g., between a pair of gateways of different datacenters, or between two network endpoints) to support secure communication (e.g., a VPN connection/tunnel). An SA may correspond to a one-way or simplex connection. An SA may include attributes such as cryptographic algorithm and mode, traffic encryption key, and parameters for the network data to be passed over the connection. An SA is a form of contract between the two network entities detailing how to exchange and protect information among each other, including indicating how to encrypt/decrypt data. Each SA may include a mutually agreed-upon key, one or more secure protocols, and an SPI value identifying the SA, among other data.
The IPsec tunnels datapath 130 includes a VTI 132, an encryption module 134, an encapsulation module 136, and a data plane routing module 138. When a data message's source (e.g., source application, source machine, etc.) uses the gateway 110 to send certain data using a VPN session between the gateway 110 and the gateway 115, the IPsec tunnels datapath 130 receives the data at the routing interface VTI 132. The VTI 132 uses the firewall rules table 125 to identify an SA for the data message. As illustrated, the firewall rules table 125 lists attributes along with SAs corresponding to those attributes. For example, SA1 is specified for data messages having source MAC address X, SA2 is specified for data messages with destination MAC address Y, SA3 is specified for data messages with VM tag M, SA4 is specified for data messages tagged with an identifier for the cloud service provider (CSP) AWS, and lastly SA5 is specified for data messages tagged with an identifier for the CSP Azure.
It should be noted that while communications in the diagram 100 are illustrated and described as flowing from gateway 110 to gateway 115, communications can also flow from gateway 115 to gateway 110, according to some embodiments, and the firewall rules 125 at the destination gateway 115 can be used to map to SAs at the source gateway 110. Also, in some embodiments, the firewall rules for a source may differ from the firewall rules for a destination in that the matching is reversed. For instance, a firewall for a source gateway may be specified for data messages with a source IP “A” and a destination IP “B”, while the corresponding firewall rule for a destination gateway may be specified for data messages with a source IP “B” and a destination IP “A”. Additionally, the firewall rules in some embodiments can also include firewall rules defined to match different IP sets, groups of IP sets, and security groups. For instance, in some embodiments, a firewall rule may be defined for IP addresses corresponding to a particular set of machines that belong to the same security group.
Once the appropriate SA is identified for the data message, the data is packaged as an inner packet 150. An encryption module 134 encrypts the inner packet into an IPsec encrypted packet 155 according to the encryption parameters of the SA information provided by the VTI 132 from the table 125. The encryption module 134 also appends other IPsec-related fields based on the SA information (e.g., ESP header, ESP trailer, ESP authentication, new IP, etc.). An encapsulation module 136 then encapsulates the IPsec encrypted packet 155 as a UDP encapsulated packet 160 with a UDP encapsulation header, which may include UDP port number that is used to indicate the selected path (i.e., the path to which the matching firewall rule and selected SA map). A data plane routing module 138 then sends the UDP encapsulated data message 160 via the selected path/tunnel 120.
The destination gateway 115 also includes an IPsec tunnels datapath 140. When a data message is received at the destination gateway 115, the data message is decapsulated and decrypted according to the selected SA (i.e., the SA associated with the tunnel through which the data message was sent). Similar to the IPsec tunnels datapath 130 for egress data messages, the VTI 142 of the IPsec tunnels datapath 140 passes the UDP encapsulated data message 160 to the decapsulation module 144, which decapsulates the data message and provides the encrypted data message 155 to the decryption module 146. The decryption module 146 then decrypts the data message according to the selected SA and provides the decapsulated and decrypted data message 150 to the data plane processing module 148.
Different flows of a same SA may be processed by different processing cores. Specifically, a first set of flow identifiers of a first flow including a first UDP port number may be hashed to select a first processor core for decrypting the first data message, and a second set of flow identifiers of a second flow including a second UDP port number may be hashed to select a second, different processor core for decrypting the second data message. Flows of different SAs may also be processed by different processing cores, even when the flows have the same IP addresses and UDP ports. Specifically, a first set of flow identifiers of a first flow including a first SPI may be hashed to select a first processor core for decrypting the first data message, and a second set of flow identifiers of a second flow including a second, different SPI may be hashed to select a second, different processor core for decrypting the second data message.
The process 200 uses (at 220) a firewall rules table to match the data message to a firewall rule that maps to a particular secure tunnel used by the secure interface. For instance, the VTI 132 in the diagram 100 described above uses the firewall rules table 125, which includes a list of attributes and SAs designated for data messages matching those attributes. Each of the SAs has a corresponding secure tunnel, according to some embodiments. In some embodiments, one SA may match to multiple different attributes, while in other embodiments, each SA is designated for a particular attribute.
Once a matching firewall rule has been identified, the process 200 encrypts (at 230) the data message according to encryption parameters for the particular secure tunnel. As discussed above, each secure tunnel is associated with a particular SA. In some embodiments, each SA may include attributes such as cryptographic algorithm and mode, traffic encryption key, and parameters for the data to be passed over a connection to the destination gateway. As an SA is a form of contract between two network entities detailing how to exchange and protect information among each other, parameters for how to encrypt/decrypt data can also be specified for each SA, according to some embodiments. Each SA may include a mutually agreed-upon key, one or more secure protocols, and an SPI value identifying the SA, among other data. Accordingly, an inner packet of the data message of some embodiments is encrypted according to the SA corresponding to the particular secure tunnel.
The process 200 next encapsulates (at 240) the data message with a header that includes an SPI specifying the particular secure tunnel (and the corresponding SA). Because the inner packet of the data message is encrypted, any network address specified by the inner packet cannot be used to route the packet, and thus the SPI for the secure tunnel and SA is encapsulated in a header of the data message in order for the data message to be able to reach its intended destination. In some embodiments, each SA has a different SPI value associated therewith, and the tuples of header values of data messages communicated across the different VPN tunnels may hash to different CPUs at the destination gateway for processing. The SPI values of some embodiments are also used as flow identifiers.
The process 200 forwards (at 250) the encapsulated data message via the secure tunnel to a destination interface. For instance, the data plane routing module 138 receives the encapsulated data message 160 from the encapsulation module 136 and forwards the data message via the selected secure tunnel to the destination gateway 115. After forwarding the data message at 250, the process 200 ends.
The process 300 decapsulates (at 320) the data message to identify an SPI specified for the data message. The SPI is used to identify the appropriate SA for processing the data message. More specifically, in some embodiments, the SPI is used to determine which CPU to use for decrypting the data message as the inner packet data of the data message is encrypted and thus cannot be used for this determination. In the diagram 100, for example, the decapsulation module 144 receives data messages from the VTI 142 and decapsulates these received data messages.
The process 300 next decrypts (at 330) the decapsulated data message according to the selected SA that corresponds to the identified SPI. Referring again to the diagram 100, after decapsulating a data message, the decapsulation module 144 provides the decapsulated data message to the decryption module 146, which decrypts the payload (i.e., inner packet) of the data message in accordance with the SPI identified in the header of the data message during decapsulation.
The process 300 performs (at 340) one or more actions on the decrypted data message. This additional processing is performed in some embodiments by the data plane processing module 148, which receives the decrypted data message from the decryption module 146. In some embodiments, the actions that may be performed on the data message are performed according to the matching firewall rule and/or other IPsec rules and policies that may be applicable to the data message or the selected SA. For instance, in some embodiments, a network address translation (NAT) operation may be performed on the data message.
The process 300 then forwards (at 350) the data message to its destination in the datacenter. In the diagram 100, for example, the data plane processing module 148 forwards data messages to their destinations after performing any additional processing required in step 340 above. In some embodiments, the data message may be destined to a particular server in the same datacenter as the gateway device in order to access resources of the particular server. Also, in some embodiments, the destination gateway may be a VPN server and the data messages are destined to the VPN server. Following 350, the process 300 ends.
Before the IKE session 400 is initiated, the source and destination gateways 410 and 415 receive, at their respective datacenters 420 and 425, firewall rules 430 from the network manager 450. The firewall rules 430, in some embodiments, are defined for use in the datacenters 420 and 425 and may be used to micro-segment security policies of IPsec SAs that are to be negotiated. The firewall rules 430, in some embodiments, may include one or more actions to be performed on data messages that match to the firewall rules. During the IKE session 400, the gateways 410 and 415 establish an IPsec tunnel using the IKE protocol. The IPsec tunnel is then used by the gateways 410 and 415 to negotiate encryption, authentication, and other protocols and other parameters (e.g., SAs), as illustrated by the control messages 460 and 465. The gateway 410 may use multiple addresses of local endpoints in the datacenter 420 to establish multiple SAs and IPsec tunnels.
The network 405, in some embodiments, is implemented by an underlying physical infrastructure of wired and/or wireless communications mediums, routers, switches, etc., and, in some embodiments, may include the Internet, as well as any direct connections between the gateways 410 and 415. In some embodiments, the direct connections may refer to interconnections between network endpoints within a same datacenter and/or a same physical device, or other proprietary network connection interconnecting the gateways 410 and 415. Once the IKE session is completed and all of the necessary parameters have been negotiated, the gateways 410 and 415 can continue to communicate using the established VPN session, according to some embodiments.
Rather than relying on other methods, such as simple ECMP, to perform path selection based on fixed outer IP addresses, the gateway 410 uses the firewall rules provided by the network manager 450 to perform path selection for each data message. In other words, path selection is based on which firewall rule a data message matches to as each firewall rule has a corresponding tunnel and SA. As each tunnel 510 has an associated SA 520, data messages received at the gateway 415 will be received at the appropriate SA without any additional routing required as also described in the embodiments above.
Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer-readable storage medium (also referred to as computer-readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions. Examples of computer-readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc. The computer-readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections.
In this specification, the term “software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage, which can be read into memory for processing by a processor. Also, in some embodiments, multiple software inventions can be implemented as sub-parts of a larger program while remaining distinct software inventions. In some embodiments, multiple software inventions can also be implemented as separate programs. Finally, any combination of separate programs that together implement a software invention described here is within the scope of the invention. In some embodiments, the software programs, when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.
The bus 605 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 600. For instance, the bus 605 communicatively connects the processing unit(s) 610 with the read-only memory 630, the system memory 625, and the permanent storage device 635.
From these various memory units, the processing unit(s) 610 retrieve instructions to execute and data to process in order to execute the processes of the invention. The processing unit(s) 610 may be a single processor or a multi-core processor in different embodiments. The read-only-memory (ROM) 630 stores static data and instructions that are needed by the processing unit(s) 610 and other modules of the computer system 600. The permanent storage device 635, on the other hand, is a read-and-write memory device. This device 635 is a non-volatile memory unit that stores instructions and data even when the computer system 600 is off. Some embodiments of the invention use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as the permanent storage device 635.
Other embodiments use a removable storage device (such as a floppy disk, flash drive, etc.) as the permanent storage device. Like the permanent storage device 635, the system memory 625 is a read-and-write memory device. However, unlike storage device 635, the system memory 625 is a volatile read-and-write memory, such as random access memory. The system memory 625 stores some of the instructions and data that the processor needs at runtime. In some embodiments, the invention's processes are stored in the system memory 625, the permanent storage device 635, and/or the read-only memory 630. From these various memory units, the processing unit(s) 610 retrieve instructions to execute and data to process in order to execute the processes of some embodiments.
The bus 605 also connects to the input and output devices 640 and 645. The input devices 640 enable the user to communicate information and select commands to the computer system 600. The input devices 640 include alphanumeric keyboards and pointing devices (also called “cursor control devices”). The output devices 645 display images generated by the computer system 600. The output devices 645 include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some embodiments include devices such as touchscreens that function as both input and output devices 640 and 645.
Finally, as shown in
Some embodiments include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media). Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-Ray® discs, ultra-density optical discs, any other optical or magnetic media, and floppy disks. The computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.
While the above discussion primarily refers to microprocessor or multi-core processors that execute software, some embodiments are performed by one or more integrated circuits, such as application-specific integrated circuits (ASICs) or field-programmable gate arrays (FPGAs). In some embodiments, such integrated circuits execute instructions that are stored on the circuit itself.
As used in this specification, the terms “computer”, “server”, “processor”, and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people. For the purposes of the specification, the terms “display” or “displaying” mean displaying on an electronic device. As used in this specification, the terms “computer-readable medium,” “computer-readable media,” and “machine-readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral or transitory signals.
While the invention has been described with reference to numerous specific details, one of ordinary skill in the art will recognize that the invention can be embodied in other specific forms without departing from the spirit of the invention. Thus, one of ordinary skill in the art would understand that the invention is not to be limited by the foregoing illustrative details, but rather is to be defined by the appended claims.
Number | Name | Date | Kind |
---|---|---|---|
6330562 | Boden et al. | Dec 2001 | B1 |
6968441 | Schnee | Nov 2005 | B1 |
7003118 | Yang et al. | Feb 2006 | B1 |
7243225 | Poeluev et al. | Jul 2007 | B2 |
7284111 | Sae-Koe | Oct 2007 | B1 |
7373660 | Guichard et al. | May 2008 | B1 |
7383353 | Valdevit et al. | Jun 2008 | B2 |
7555544 | Rattner et al. | Jun 2009 | B1 |
7814310 | Bouchard et al. | Oct 2010 | B2 |
7962358 | Fernandez et al. | Jun 2011 | B1 |
8549300 | Kumar | Oct 2013 | B1 |
8566452 | Goodwin, III et al. | Oct 2013 | B1 |
9483286 | Basavaiah et al. | Nov 2016 | B2 |
9535750 | Wilkes et al. | Jan 2017 | B1 |
9588813 | Dubey et al. | Mar 2017 | B1 |
9755972 | Mao et al. | Sep 2017 | B1 |
9813379 | Shevade et al. | Nov 2017 | B1 |
9929970 | Matthews et al. | Mar 2018 | B1 |
10020984 | Jork et al. | Jul 2018 | B1 |
10257167 | Matthews et al. | Apr 2019 | B1 |
10491466 | Hira et al. | Nov 2019 | B1 |
10498529 | Hashmi et al. | Dec 2019 | B1 |
10498708 | Wang et al. | Dec 2019 | B2 |
10601779 | Matthews et al. | Mar 2020 | B1 |
10623372 | Wang et al. | Apr 2020 | B2 |
10701107 | Gopal et al. | Jun 2020 | B2 |
10742601 | Xie | Aug 2020 | B2 |
11075888 | Jain et al. | Jul 2021 | B2 |
11095617 | Jain et al. | Aug 2021 | B2 |
11347561 | Kumar et al. | May 2022 | B1 |
11729153 | Jain et al. | Aug 2023 | B2 |
20020010866 | McCullough et al. | Jan 2002 | A1 |
20020097724 | Halme et al. | Jul 2002 | A1 |
20030088787 | Egevang | May 2003 | A1 |
20040143734 | Buer et al. | Jul 2004 | A1 |
20050165953 | Oba et al. | Jul 2005 | A1 |
20050198531 | Kaniz et al. | Sep 2005 | A1 |
20050213603 | Karighattam et al. | Sep 2005 | A1 |
20060002388 | Grebus et al. | Jan 2006 | A1 |
20060029278 | Alasia et al. | Feb 2006 | A1 |
20060227807 | Jakubik et al. | Oct 2006 | A1 |
20080123593 | Fujita et al. | May 2008 | A1 |
20080144625 | Wu et al. | Jun 2008 | A1 |
20080165964 | Lewis et al. | Jul 2008 | A1 |
20080307024 | Michaels et al. | Dec 2008 | A1 |
20090122990 | Gundavelli et al. | May 2009 | A1 |
20090231999 | Verma et al. | Sep 2009 | A1 |
20100138560 | Kivinen et al. | Jun 2010 | A1 |
20100191958 | Chen | Jul 2010 | A1 |
20100217949 | Schopp et al. | Aug 2010 | A1 |
20110035740 | Powell | Feb 2011 | A1 |
20110113236 | Chenard et al. | May 2011 | A1 |
20120027002 | Jones et al. | Feb 2012 | A1 |
20120027314 | Lee et al. | Feb 2012 | A1 |
20120102278 | Joffray et al. | Apr 2012 | A1 |
20120124591 | Cadambi et al. | May 2012 | A1 |
20120170459 | Olesinski et al. | Jul 2012 | A1 |
20120303949 | Liu et al. | Nov 2012 | A1 |
20140089480 | Zhu | Mar 2014 | A1 |
20140108665 | Arora et al. | Apr 2014 | A1 |
20140313932 | Saltsidis | Oct 2014 | A1 |
20150052525 | Raghu | Feb 2015 | A1 |
20150195138 | Horman | Jul 2015 | A1 |
20150363240 | Koizumi | Dec 2015 | A1 |
20160057108 | Hu | Feb 2016 | A1 |
20160088072 | Likhtarov et al. | Mar 2016 | A1 |
20160135074 | Welin et al. | May 2016 | A1 |
20160182509 | Kantecki et al. | Jun 2016 | A1 |
20160212098 | Roch | Jul 2016 | A1 |
20160226815 | Wan et al. | Aug 2016 | A1 |
20160277478 | Narasimhamurthy | Sep 2016 | A1 |
20160352628 | Reddy et al. | Dec 2016 | A1 |
20170024293 | Bell et al. | Jan 2017 | A1 |
20170054603 | Kulkarni et al. | Feb 2017 | A1 |
20170063787 | Kwok et al. | Mar 2017 | A1 |
20170063979 | Saeki | Mar 2017 | A1 |
20170331724 | Carney | Nov 2017 | A1 |
20170374025 | Pan | Dec 2017 | A1 |
20180054458 | Marck et al. | Feb 2018 | A1 |
20180062875 | Tumuluru | Mar 2018 | A1 |
20180067786 | Trung et al. | Mar 2018 | A1 |
20180092140 | Dong | Mar 2018 | A1 |
20180131521 | Yang et al. | May 2018 | A1 |
20180176124 | Kancherla et al. | Jun 2018 | A1 |
20180241655 | Tsirkin | Aug 2018 | A1 |
20180262598 | Zhang | Sep 2018 | A1 |
20190114206 | Murugesan et al. | Apr 2019 | A1 |
20190173850 | Jain | Jun 2019 | A1 |
20190173851 | Jain et al. | Jun 2019 | A1 |
20190190892 | Menachem et al. | Jun 2019 | A1 |
20190266217 | Arakawa et al. | Aug 2019 | A1 |
20190306086 | Boutros et al. | Oct 2019 | A1 |
20190372936 | Sullenberger et al. | Dec 2019 | A1 |
20200059457 | Raza et al. | Feb 2020 | A1 |
20200099670 | Kessler et al. | Mar 2020 | A1 |
20200186507 | Dhanabalan et al. | Jun 2020 | A1 |
20200351254 | Xiong et al. | Nov 2020 | A1 |
20200403922 | Yu et al. | Dec 2020 | A1 |
20210021523 | Wang et al. | Jan 2021 | A1 |
20210036887 | Meng | Feb 2021 | A1 |
20210136049 | Wang et al. | May 2021 | A1 |
20210185025 | Wang et al. | Jun 2021 | A1 |
20210377232 | Jain et al. | Dec 2021 | A1 |
20210385203 | Wang et al. | Dec 2021 | A1 |
20210392121 | Thangapandi et al. | Dec 2021 | A1 |
20210400029 | Wang et al. | Dec 2021 | A1 |
20220191139 | Dutta | Jun 2022 | A1 |
20220191145 | Duraj et al. | Jun 2022 | A1 |
20220291970 | Kumar et al. | Sep 2022 | A1 |
20220393967 | Solanki et al. | Dec 2022 | A1 |
20220393981 | Solanki et al. | Dec 2022 | A1 |
20220394014 | Wang et al. | Dec 2022 | A1 |
20220394016 | Solanki et al. | Dec 2022 | A1 |
20220394017 | Solanki et al. | Dec 2022 | A1 |
20230118718 | Solanki et al. | Apr 2023 | A1 |
20230231826 | Pawar | Jul 2023 | A1 |
Number | Date | Country |
---|---|---|
2870048 | Nov 2013 | CA |
102801695 | Nov 2012 | CN |
110677426 | Jan 2020 | CN |
20030013496 | Feb 2003 | KR |
2016020727 | Feb 2016 | WO |
2016049609 | Mar 2016 | WO |
2022260711 | Dec 2022 | WO |
Entry |
---|
Barker, Elaine, et al., “Guide to IPsec VPNs,” NIST SP 800-77 Rev. 1, Jun. 30, 2020, 166 pages, retrieved from https://csrc.nist.gov/publications/detail/sp/800-77/rev-1/final. |
Kim, Joongi, et al., “NBA (Network Balancing Act): A High-performance Packet Processing Framework for Heterogeneous Processors,” EuroSys '15, Apr. 21-24, 2015, 14 pages, ACM, Bordeaux, France. |
Muramatsu, Shin, et al., “VSE: Virtual Switch Extension for Adaptive CPU Core Assignment in softirq,” 2014 IEEE 6th International Conference on Cloud Computing Technology and Science, Dec. 15-18, 2014, 6 pages, IEEE, Singapore. |
Non-Published Commonly Owned U.S. Appl. No. 17/570,362, filed Jan. 6, 2022, 85 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 17/570,363, filed Jan. 6, 2022, 87 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 17/570,364, filed Jan. 6, 2022, 86 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 17/570,365, filed Jan. 6, 2022, 85 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 17/570,366, filed Jan. 6, 2022, 86 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 17/715,510, filed Apr. 7, 2022, 34 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 17/827,889, filed May 30, 2022, 42 pages, VMware, Inc. |
Son, Jeongseok, et al., “Protego: Cloud-Scale Multitenant IPsec Gateway,” Proceedings of the 2017 USENIX Annual Technical Conference (USENIX ATC '17), Jul. 12-14, 2017, 15 pages, USENIX Association, Santa Clara, CA. |
Non-Published Commonly Owned U.S. Appl. No. 18/224,558, filed Jul. 20, 2023, 51 pages, Nicira, Inc. |
Number | Date | Country | |
---|---|---|---|
20230396587 A1 | Dec 2023 | US |