USRE50121E1 - Service chaining based on labels in control and forwarding - Google Patents
Service chaining based on labels in control and forwarding Download PDFInfo
- Publication number
- USRE50121E1 USRE50121E1 US17/104,933 US202017104933A USRE50121E US RE50121 E1 USRE50121 E1 US RE50121E1 US 202017104933 A US202017104933 A US 202017104933A US RE50121 E USRE50121 E US RE50121E
- Authority
- US
- United States
- Prior art keywords
- network
- overlay
- service
- controller
- traffic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Links
- 238000000034 method Methods 0.000 claims abstract description 24
- 238000004891 communication Methods 0.000 claims abstract description 18
- 230000015654 memory Effects 0.000 claims description 20
- 238000001514 detection method Methods 0.000 claims description 8
- 238000005070 sampling Methods 0.000 claims description 4
- 238000005201 scrubbing Methods 0.000 claims description 4
- 230000004044 response Effects 0.000 claims 6
- 238000007689 inspection Methods 0.000 claims 3
- 238000003780 insertion Methods 0.000 claims 1
- 230000037431 insertion Effects 0.000 claims 1
- 230000006870 function Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000003190 augmentative effect Effects 0.000 description 2
- 238000005266 casting Methods 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005538 encapsulation Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000000153 supplemental effect Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/64—Routing or path finding of packets in data switching networks using an overlay routing layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/70—Admission control; Resource allocation
Definitions
- Embodiments of the present invention relate to networking.
- SPs Enterprises and Service Providers
- SPs have a common requirement to pass data traffic through certain locations or along certain paths.
- a network system comprising a plurality of service locations, wherein each service location is equipped to make independent forwarding decisions based on policy and wherein a service can be provided in a redundant fashion making the infrastructure aware of where a service is located and how it can be backed up.
- FIG. 1 shows and architecture for achieving service chaining, with emphasis on a control plane, in accordance with one embodiment of the invention.
- FIG. 2 shows and architecture for achieving service chaining, with emphasis on a forwarding plane, in accordance with one embodiment of the invention.
- FIG. 3 shows a flowchart of operation for constructing a service chain, in accordance with one embodiment of the invention.
- FIGS. 4 - 5 show examples of service chains, in accordance with one embodiment of the invention.
- FIG. 6 shows a high-level block diagram for an overlay controller, in accordance with one embodiment of the invention.
- FIG. 7 shows a high-level block diagram of hardware for a router, in accordance with one embodiment of the invention.
- embodiments of the present invention disclose a service chain construct that may be used to facilitate routing within a network based on service availability within the network.
- FIG. 1 shows an embodiment 100 of the overlay network.
- the overlay network 100 includes an overlay controller 102 , a mapping server 104 , and a plurality of overlay edge routers 106 .
- the overlay controller 102 is configured to orchestrate the overlay network 100 using a secure transport (TLS, Transport Layer Security, IETF RFC5246) and a designated overlay control plane protocol over underlying network infrastructure 108 .
- the network infrastructure 108 may include a public network such as the Internet.
- the overlay control plane protocol may operate in a similar fashion to BGP (IETF RFC4271), in functions related to route and policy distribution, reliable transport over TCP (IETF RFC793), and optimal path selection process and distributed state creation.
- the overlay control plane protocol in order for the overlay control plane protocol to provide a functional architecture, it distributes overlay routes that are learned from each location where an overlay network element is present, together with external addresses used as next-hop addresses for the overlay routes.
- the external addresses may be assigned to the physical interfaces of the overlay network elements that attach to the underlying network 108 .
- the overlay routes may only be accessed through the overlay network 100 and the next-hop addresses can only be reached through the underlying network 108 .
- the overlay routes and next-hop addresses provide for a complete and functional overlay architecture, as will be explained.
- the underlying network 108 the only element used to forward traffic between the sites is the next-hop address.
- the underlying network 108 does not know about any other routes, addresses or labels that may be used for providing a functional network infrastructure within the overlay network 100 itself.
- Secure tunnels are established between the next-hop addresses, which define the elements (hubs or edges) that actually instantiate the overlay network 100 .
- the secure tunnels define a control plane, as shown in FIG. 1
- all traffic that use the overlay network 100 for transport is carried within this topology of tunnels.
- the overlay controller 102 processes control plane traffic, but does not get involved in the processing of data traffic. All data traffic is processed by the network elements present at site locations, such as a branch office, or central locations, such as a data center or a headquarters location. These network elements if, at a branch location is referred to as an “edge” and if, at a central location, is referred to as a “hub”. In FIG. 1 hubs are indicated by reference numeral 110 , whereas edges are indicated by reference numeral 106 . In one embodiment, secure peer-to-peer links between the hubs and services define a forwarding plane, as shown in FIG. 2 .
- services within a network may be provided at two or more layers.
- the most common layers are User services or Applications, and Network services or Applications.
- the differentiator between the two is that users will actively interact with user services, such as those provided through a web-browser, where network services are applied to network traffic in a way that is, or at least should be, transparent to the user.
- Providing applications for user consumption requires the network to carry traffic from the user endpoint to the service endpoint and back.
- Providing network services requires a direct interaction between the network elements closest to the user, the network elements closest to the service, and traditionally, all the network elements in between.
- Even with this simplification that removes dependency on the intermediate network there are still challenges in providing network level services that can be delivered in a way that is transparent to the user. These challenges include:
- An enormous benefit of providing services in an overlay network 100 is that the network elements sitting in between the user facing elements and the service facing elements do not have to be involved in the delivery of network level services.
- the entire responsibility of providing the service now rests with network element serving the user location and the network element serving the service location.
- the network element serving the user location is referred to as an “edge router or “edge, wherein the network element serving the service location will be referred to as a “hub router” or “hub”.
- the overlay controller may be provisioned with or at least have access to traffic policy functions. These traffic policy functions may be distributed to selected hubs and edges and may be used to direct traffic.
- traffic policy functions may be distributed to selected hubs and edges and may be used to direct traffic.
- the use of labels that identify services and provide for a forwarding tag allows the overlay network 100 to overcome all of the previously presented challenges. Labels that represent Virtual Private Networks (VPN) may be combined, in some embodiments, with the Service labels to provide services that are VPN-specific and are reached using VPN-specific policies, versus general overlay network policies for reaching a service identified solely by a service label applicable to the entire overlay network.
- VPN Virtual Private Networks
- the Hub router In each of the locations where a network level service is being provided, which technically could be either an Edge or a Hub location but for the sake of simplicity in the examples are presented as Hub sites, the Hub router is configured with information on which service it is providing and how to reach from a locally configured interface. The hub router will advertise this service using a label that identifies the type of service and how edge routers, by prepending the same label to packets being sent out from their sites, can reach the service. The next-hop address that the hub router uses to connect with the underlying network is also used as the means of actually getting to the same hub site across the intermediate network. This is how an edge router forwarding traffic into the overlay network determines which tunnel to use to reach the intended destination.
- Services that may exist and provided at the network level include, but are not limited to, the following:
- the overlay controller 102 constructs policies that are subsequently distributed to the network elements (hubs and edges) involved.
- the set of policies and their required contents are related to the exact nature of the service chain that is being constructed. Two examples are provided below.
- Example 1 Simple Service-Chain with Only a Single Service
- the setup for this service and network infrastructure is the following:
- Hub2 advertises a service with a Label of 1 and a Service-type of Firewall (see FIG. 1 ). The steps in creating the service chain are shown in FIG. 4 .
- the network administrator decides that all traffic going to and from the Internet must pass through the firewall service
- Hub3 The Internet entry and exit point is through a hub router referred to as Hub3, which could be advertised as a service but not in this example, for reasons of simplicity.
- Each Edge location is equipped with the necessary routing information required to determine if traffic must be sent to the Internet or not.
- Block 400 Hub2 advertises Service information: (Service-Type, Label) to the controller 102 .
- Block 402 The overlay controller 102 constructs the set of required policies and distributes them accordingly. This means that each node involved will be assigned a policy for managing the required traffic flow.
- Block 404 Every Edge-router receives an outbound policy (for traffic towards the Internet) stipulating that all the traffic matching the routes received from Hub3, will be encapsulated in a packet with a Service-label of 1, matching the Firewall Service, and a next-hop address of Hub2. This will ensure all traffic destined for the Internet is using the tunnel from the Edge-router to Hub2
- Block 406 The controller 102 creates a policy (in) for Service Locations: For received Traffic arriving tagged with Service-Label, forward traffic to service-element and advertises the policy thus created to each hub.
- Hub2 receives an inbound policy (for traffic received on its external interface), stipulating that all received traffic matching Service Label 1 is sent to the firewall. Exactly how the traffic is forwarded is a local decision.
- Hub2 receives an outbound policy (for traffic received from the Firewall) stipulating that the traffic destined for the Internet must be encapsulated with a next-hop address of Hub3, taking the traffic to the Internet. Any traffic destined for an Edge-router in the overlay network is sent with an encapsulation of that Edge-routers next-hop address
- Hub3 receives an inbound policy (for traffic received from the Internet) stipulating that all traffic matching a destination advertised from an Edge-router is encapsulated in a packet with a Service-label of 1, matching the Firewall Service, and a next-hop address of Hub2
- Hub1 hosts the Intrusion Detection service and advertises a service with a Label of 2 and a Service-type of Intrusion Detection.
- Hub2 hosting the firewall service, has one addition to its outbound policy. All traffic destined for any Edge-router in the overlay network must be encapsulated with a Service-label of 2 and a next-hop address of Hub1.
- FIG. 5 shows a flowchart corresponding to this example of service chaining. Referring the FIG. 5 , C1 to C3 are conditions and the processing blocks are as provided below:
- Block 500 Edge1 receives a packet destined for Network Entry/Exit point. Local policy tells Edge1 that the path to reach Hub3 is through Hub2
- Block 502 Edge1 encapsulates the packet with information containing the address of Hub2 and the Label for the Service at Hub2, then sends it off.
- Hub2 receives the packet from Hub2 with the Service-label.
- the service label is removed and forwarded to the service-element.
- Block 506 Hub2 later receives the packet from the service-element.
- Local policy dictates that traffic destined for Hub3 should use the address of Hub3.
- Block 508 Hub2 encapsulates the packet with information containing the address of Hub3, then sends it off.
- control plane protocol used in this architecture is designed to distribute routing information, policy information and labels. By overloading the labels with inherent representations of services, information on services can be distributed without any modifications to the protocol itself.
- service-labels can be assigned in VPN-specific ranges to avoid the use of a label-stack.
- multiple service-locations can advertise the same service-type using identical labels, which would allow for each ingress Edge-router to distribute load across the set of service-sites based on some condition that is inherently defined or decided by policy.
- Associating services with Service-type designators and associating them with the external addresses of Hub-locations provides inherent location and service-availability awareness. This could be further augmented by geo-location information or other more specific location-related attributes.
- FIG. 3 to a method for establishing a service chain is shown in FIG. 3 .
- the method includes the following blocks:
- Block 300 The overlay controller 102 establishes secure control channel with all associated network elements (hubs and edges).
- Block 302 The service-hosting locations (hubs) advertise their service type and associated label to the overlay controller 102 .
- Block 304 The overlay controller 102 uses the service information received when constructing policies for the edge routers that are to use them.
- the central controller can either:
- Block 306 The central controller pushes the service policies to the edge routers. These policies link traffic to the ultimate destination with a service chain.
- Block 308 The central controller can also push policies to the service hosting routers, instructing them of their role in a given service chain and how to forward inbound and outbound traffic related to each VPN and each Service.
- the controller 102 has the option of building a policy involving a service chain in two different ways:
- Controller uses the policy to resolve the overlay routes over service routes. It then advertises the resolved overlay routes to those edge nodes that are provisioned to receive those routes.
- policies can be implemented that takes the availability, capacity, latency, location and other aspects of the service chain into account and gives each edge router the awareness to select the most optimal service chain.
- the edge routers are kept unaware of that they are using a service chain and simply operate based on the information they have been provided for the purpose of forwarding traffic.
- a service route, service label, service identifier and transport location identify each service.
- Specific service chains are established by policy and do not require any additional information to be distributed for traffic to flow along the path instantiated by the creation of the service chain.
- the Service Route is distributed for identification purposes only and is not used for forwarding. ⁇
- each edge node uses existing destination routes that are given a next-hop TLOC pointing to the entry point of a service chain.
- This route to TLOC assignment can be done by the central controller as a way of enforcing central service-chain policy, or by edge router when enforcing policies either distributed by the central controller or created locally on the device.
- each service router in the path of a service chain accepts inbound traffic based on the destination TLOC and VPN Label in the received packet and forwards it out the associated interface for the specific service being associated with the TLOC/Label combination.
- each service router In the outbound direction, each service router must be equipped with policy describing what the next hop is for the particular destination. This allows for each service router to support multiple service chains and different policies for each direction of traffic. Since the outgoing direction is controlled by policy, this allows for great flexibility in choosing the next point in the service chain based on individually defined criteria for that service chain, service, or service router.
- the service chaining architecture provides for the ability to create both unidirectional and bi-directional service chains simply by means of policy with no requirement to advertise additional routing information or labels.
- the service chaining architecture is inherently aware of which services are present in a fully functional service chain. This awareness allows for the ability to qualify the eligibility of each specific service chain as the nature of each chain might change during the course of providing service. If crucial service may fail then the service chain could be taken out of service whereas the failure of non-crucial service could render the chain to operate either uninterrupted or with lower priority versus other available chains.
- the service type is included in the advertisements from each service location and allows for each hop in a service chain, inclusive of ingress and egress points, to make decisions of which specific instance of a given service-type to use. Deciding factors can include capacity, location, current load and other influential characteristics.
- Each hop in a service chain is equipped to make decisions of which instance of a given service to use at any time. This is strongly linked to the service-type awareness claim but does not have to be. Redundancy through any casting can also be linked to capacity, location, current load and other influential factors aside from service-type.
- Policies pushed by the central controller can be used to dictate primary and secondary, or backup, locations where a given service is being provided. This further extends the Service-type awareness function described above.
- the switch from a primary to a backup service can be decided upon and pushed by the central controller, or through previously defined and pushed policy, take place at the edge router upon detection of pre-defined failure conditions.
- Centrally defined and pushed policies can also influence how traffic is distributed across multiple sites providing the same service for the purpose of explicitly equal cost load-balancing, or if desired, using weights to achieve unequal cost load-balancing.
- Centrally defined and pushed policies can also influence how traffic is distributed across multiple sites providing the same service for the purpose of explicitly equal cost load-balancing, or if desired, using weights to achieve unequal cost load-balancing.
- the service chaining concept described has the distinct advantage that the entire function can be provisioned from a central controller location without having to perform and specific per edge-node configuration or provisioning.
- edge-nodes that are to use a defined service chain are triggered to do so by the central controller.
- changes in current service chain or service site affiliation, or service chain eligibility, decisions and changes can be taken and executed upon by the central controller, the edge node, or both. How these actions are performed depend on how the policies were constructed at the central controller.
- This claim however, does not limit the provisioning or operation of a service chain that is partially performed by the central controller and augmented by service routers or edge routers.
- FIG. 6 shows an example of hardware 600 that may be used to implement the overlay controller 102 , in accordance with one embodiment.
- the hardware 600 may includes at least one processor 602 coupled to a memory 604 .
- the processor 603 may represent one or more processors (e.g., microprocessors), and the memory 604 may represent random access memory (RAM) devices comprising a main storage of the hardware, as well as any supplemental levels of memory e.g., cache memories, non-volatile or back-up memories (e.g. programmable or flash memories), read-only memories, etc.
- the memory 604 may be considered to include memory storage physically located elsewhere in the hardware, e.g. any cache memory in the processor 602 , as well as any storage capacity used as a virtual memory, e.g., as stored on a mass storage device.
- the hardware also typically receives a number of inputs and outputs for communicating information externally.
- the hardware may include one or more user input output devices 606 (e.g., a keyboard, mouse, etc.) and a display 608 .
- the hardware 600 may also include one or more mass storage devices 610 , e.g., a Universal Serial Bus (USB) or other removable disk drive, a hard disk drive, a Direct Access Storage Device (DASD), an optical drive (e.g. a Compact Disk (CD) drive, a Digital Versatile Disk (DVD) drive, etc.) and/or a USB drive, among others.
- USB Universal Serial Bus
- DASD Direct Access Storage Device
- CD Compact Disk
- DVD Digital Versatile Disk
- USB Universal Serial Bus
- the hardware may include an interface with one or more networks 612 (e.g., a local area network (LAN), a wide area network (WAN), a wireless network, and/or the Internet among others) to permit the communication of information with other computers coupled to the networks.
- networks 612 e.g., a local area network (LAN), a wide area network (WAN), a wireless network, and/or the Internet among others
- the hardware typically includes suitable analog and/or digital interfaces between the processor 612 and each of the components, as is well known in the art.
- the hardware 600 operates under the control of an operating system 614 , and executes application software 616 which includes various computer software applications, components, programs, objects, modules, etc. to perform the techniques described above.
- routines executed to implement the embodiments of the invention may be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as “computer programs.”
- the computer programs typically comprise one or more instructions set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processors in a computer, cause the computer to perform operations necessary to execute elements involving the various aspects of the invention.
- processors in a computer cause the computer to perform operations necessary to execute elements involving the various aspects of the invention.
- the various embodiments of the invention are capable of being distributed as a program product in a variety of forms, and that the invention applies equally regardless of the particular type of machine or computer-readable media used to actually effect the distribution.
- Examples of computer-readable media include but are not limited to recordable type media such as volatile and non-volatile memory devices, USB and other removable media, hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks, (DVDs), etc.), flash drives among others.
- recordable type media such as volatile and non-volatile memory devices, USB and other removable media
- hard disk drives such as hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks, (DVDs), etc.), flash drives among others.
- CD ROMS Compact Disk Read-Only Memory
- DVDs Digital Versatile Disks
- flash drives among others.
- FIG. 7 shows a block diagram of hardware 700 for edge routers and hubs describe above, in accordance with one embodiment of the invention.
- the hardware 700 includes a routing chip 704 coupled to a forwarding chip 708 .
- the routing chip 704 performs functions such as path computations, routing table maintenance, and reachability propagation.
- Components of the routing chip include a CPU or processor 704 , which is coupled to a memory 706 .
- the memory stores instructions to perform the methods disclosed herein.
- the forwarding chip is responsible for packet forwarding along a plurality of line interfaces 710 .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method for routing is disclosed. The method comprises establishing an overlay network, comprising a plurality of network elements and an overlay controller; wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network; receiving by the overlay controller, information from each service-hosting network element information said information identifying a service hosted at that service-hosting network element, and label associated with the service-hosting network element; identifying by the overlay controller, at least one policy that associates traffic from a site with a service; and causing by said overly controller, the at least one policy to be executed so that traffic from the site identified in the policy is routed using the underlying transport network to the service-hosting network element associated with the said service.
Description
Embodiments of the present invention relate to networking.
Enterprises and Service Providers (SPs) have a common requirement to pass data traffic through certain locations or along certain paths.
Existing solutions have the ability to pass traffic through a single location or to tie traffic to a specific path by determining a specific hop-by-hop forwarding path. However, if any service along the path experiences a disruption, then the only remedy is to rely on routing protocols that inherently lack awareness of service locations.
In one aspect there is provided a network system comprising a plurality of service locations, wherein each service location is equipped to make independent forwarding decisions based on policy and wherein a service can be provided in a redundant fashion making the infrastructure aware of where a service is located and how it can be backed up.
In a second aspect there is provided a mechanism to allow for several different services to be tied together in a chain.
Other aspects of the invention will be apparent from the detailed description below.
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block or flow diagram form only in order to avoid obscuring the invention. Accommodate
Reference in this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearance of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.
Moreover, although the following description contains many specifics for the purposes of illustration, anyone skilled in the art will appreciate that many variations and/or alterations to the details are within the scope of the present invention. Similarly, although many of the features of the present invention are described in terms of each other, or in conjunction with each other, one skilled in the art will appreciate that many of these features can be provided independently of other features. Accordingly, this description of the invention is set forth without any loss of generality to, and without imposing limitations upon, the invention.
Broadly, embodiments of the present invention disclose a service chain construct that may be used to facilitate routing within a network based on service availability within the network.
In one embodiment, to realize the service chain construct, network elements may be interconnected across a regular network infrastructure in order to provide an overlay network on top of the regular network infrastructure. FIG. 1 shows an embodiment 100 of the overlay network. Referring to FIG. 1 , the overlay network 100 includes an overlay controller 102, a mapping server 104, and a plurality of overlay edge routers 106. The overlay controller 102 is configured to orchestrate the overlay network 100 using a secure transport (TLS, Transport Layer Security, IETF RFC5246) and a designated overlay control plane protocol over underlying network infrastructure 108. In one embodiment, the network infrastructure 108 may include a public network such as the Internet. The overlay control plane protocol may operate in a similar fashion to BGP (IETF RFC4271), in functions related to route and policy distribution, reliable transport over TCP (IETF RFC793), and optimal path selection process and distributed state creation.
In one embodiment, in order for the overlay control plane protocol to provide a functional architecture, it distributes overlay routes that are learned from each location where an overlay network element is present, together with external addresses used as next-hop addresses for the overlay routes. The external addresses may be assigned to the physical interfaces of the overlay network elements that attach to the underlying network 108. In one embodiment, the overlay routes may only be accessed through the overlay network 100 and the next-hop addresses can only be reached through the underlying network 108. Together, the overlay routes and next-hop addresses provide for a complete and functional overlay architecture, as will be explained. As far as the underlying network 108 is concerned, the only element used to forward traffic between the sites is the next-hop address. The underlying network 108 does not know about any other routes, addresses or labels that may be used for providing a functional network infrastructure within the overlay network 100 itself.
Secure tunnels are established between the next-hop addresses, which define the elements (hubs or edges) that actually instantiate the overlay network 100. The secure tunnels define a control plane, as shown in FIG. 1 Thus, all traffic that use the overlay network 100 for transport is carried within this topology of tunnels.
In one embodiment, within the overlay network 100, the overlay controller 102 processes control plane traffic, but does not get involved in the processing of data traffic. All data traffic is processed by the network elements present at site locations, such as a branch office, or central locations, such as a data center or a headquarters location. These network elements if, at a branch location is referred to as an “edge” and if, at a central location, is referred to as a “hub”. In FIG. 1 hubs are indicated by reference numeral 110, whereas edges are indicated by reference numeral 106. In one embodiment, secure peer-to-peer links between the hubs and services define a forwarding plane, as shown in FIG. 2 .
Providing Services
In general, services within a network may be provided at two or more layers. However, the most common layers are User services or Applications, and Network services or Applications. The differentiator between the two is that users will actively interact with user services, such as those provided through a web-browser, where network services are applied to network traffic in a way that is, or at least should be, transparent to the user.
Providing applications for user consumption requires the network to carry traffic from the user endpoint to the service endpoint and back. Providing network services requires a direct interaction between the network elements closest to the user, the network elements closest to the service, and traditionally, all the network elements in between. Even with this simplification that removes dependency on the intermediate network, there are still challenges in providing network level services that can be delivered in a way that is transparent to the user. These challenges include:
Chaining multiple services together, either in the same or in different locations of the network;
Overloading an existing control plane protocol with service information in a way that it was not designed to handle;
Minimizing the rerouting and shuffling of network traffic such that it only has to touch the sites where the services required for a given type of traffic are located;
Providing different services or chains of services depending on the direction of traffic; Requirements may be different depending on whether the traffic is originating from user location or is destined for a user location
Offering different services depending on which virtual domain a given user may be a part of;
Providing traffic load distribution across multiple different locations that are providing different instances of the same service;
Distributing awareness across the network of which services are available and where the are located;
Providing Services in the Overlay Network 100
An enormous benefit of providing services in an overlay network 100 is that the network elements sitting in between the user facing elements and the service facing elements do not have to be involved in the delivery of network level services. The entire responsibility of providing the service now rests with network element serving the user location and the network element serving the service location. As used herein the network element serving the user location is referred to as an “edge router or “edge, wherein the network element serving the service location will be referred to as a “hub router” or “hub”.
In one embodiment, the overlay controller may be provisioned with or at least have access to traffic policy functions. These traffic policy functions may be distributed to selected hubs and edges and may be used to direct traffic. In one embodiment, the use of labels that identify services and provide for a forwarding tag, allows the overlay network 100 to overcome all of the previously presented challenges. Labels that represent Virtual Private Networks (VPN) may be combined, in some embodiments, with the Service labels to provide services that are VPN-specific and are reached using VPN-specific policies, versus general overlay network policies for reaching a service identified solely by a service label applicable to the entire overlay network.
In each of the locations where a network level service is being provided, which technically could be either an Edge or a Hub location but for the sake of simplicity in the examples are presented as Hub sites, the Hub router is configured with information on which service it is providing and how to reach from a locally configured interface. The hub router will advertise this service using a label that identifies the type of service and how edge routers, by prepending the same label to packets being sent out from their sites, can reach the service. The next-hop address that the hub router uses to connect with the underlying network is also used as the means of actually getting to the same hub site across the intermediate network. This is how an edge router forwarding traffic into the overlay network determines which tunnel to use to reach the intended destination.
Services that may exist and provided at the network level include, but are not limited to, the following:
Firewall services
Intrusion Detection services
Traffic scrubbing services
Traffic sampling and analytical services
Caching
Deep Packet Inspection
Internet Service
Based on the advertisements of routes from each edge and hub router and the advertisements of service labels from each hub router hosting a service, potentially restricted on a per-VPN basis by associating a service-label with a VPN-label, the overlay controller 102 constructs policies that are subsequently distributed to the network elements (hubs and edges) involved. The set of policies and their required contents are related to the exact nature of the service chain that is being constructed. Two examples are provided below.
The setup for this service and network infrastructure is the following:
A router in a hub location, Hub2 advertises a service with a Label of 1 and a Service-type of Firewall (see FIG. 1 ). The steps in creating the service chain are shown in FIG. 4 .
The network administrator decides that all traffic going to and from the Internet must pass through the firewall service
The Internet entry and exit point is through a hub router referred to as Hub3, which could be advertised as a service but not in this example, for reasons of simplicity.
Each Edge location is equipped with the necessary routing information required to determine if traffic must be sent to the Internet or not.
The setup and distribution of policies will take place as follows:
Block 400: Hub2 advertises Service information: (Service-Type, Label) to the controller 102.
Block 402: The overlay controller 102 constructs the set of required policies and distributes them accordingly. This means that each node involved will be assigned a policy for managing the required traffic flow.
Block 404: Every Edge-router receives an outbound policy (for traffic towards the Internet) stipulating that all the traffic matching the routes received from Hub3, will be encapsulated in a packet with a Service-label of 1, matching the Firewall Service, and a next-hop address of Hub2. This will ensure all traffic destined for the Internet is using the tunnel from the Edge-router to Hub2
Block 406: The controller 102 creates a policy (in) for Service Locations: For received Traffic arriving tagged with Service-Label, forward traffic to service-element and advertises the policy thus created to each hub.
Block 408: Hub2 receives an inbound policy (for traffic received on its external interface), stipulating that all received traffic matching Service Label 1 is sent to the firewall. Exactly how the traffic is forwarded is a local decision.
Block 410: Hub2 receives an outbound policy (for traffic received from the Firewall) stipulating that the traffic destined for the Internet must be encapsulated with a next-hop address of Hub3, taking the traffic to the Internet. Any traffic destined for an Edge-router in the overlay network is sent with an encapsulation of that Edge-routers next-hop address
Block 412: Hub3 receives an inbound policy (for traffic received from the Internet) stipulating that all traffic matching a destination advertised from an Edge-router is encapsulated in a packet with a Service-label of 1, matching the Firewall Service, and a next-hop address of Hub2
Using the same setup as in the prior example, but adding that all traffic returning from the Internet must not only pass through the Firewall Service, but also pass through an Intrusion Detection Service, the modification required to the infrastructure is the following:
Hub1 hosts the Intrusion Detection service and advertises a service with a Label of 2 and a Service-type of Intrusion Detection.
The changes in setup and distribution of policies is following:
Hub2, hosting the firewall service, has one addition to its outbound policy. All traffic destined for any Edge-router in the overlay network must be encapsulated with a Service-label of 2 and a next-hop address of Hub1.
Hub1 is equipped with policies identical to what Hub2 had in the previous example, with the differences being that the label matching is done on Service-label 2 for inbound traffic. FIG. 5 shows a flowchart corresponding to this example of service chaining. Referring the FIG. 5 , C1 to C3 are conditions and the processing blocks are as provided below:
Block 500: Edge1 receives a packet destined for Network Entry/Exit point. Local policy tells Edge1 that the path to reach Hub3 is through Hub2
Block 502: Edge1 encapsulates the packet with information containing the address of Hub2 and the Label for the Service at Hub2, then sends it off.
Block 504: Hub2 receives the packet from Hub2 with the Service-label. The service label is removed and forwarded to the service-element.
Block 508 Hub2 encapsulates the packet with information containing the address of Hub3, then sends it off.
Delivering on Other Requirements
The list of requirements presented earlier had several attributes that were not covered in the previous examples. The facilities used to deliver on those requirements are all present in this architecture and are used in the following ways to ensure that all requirements can be met
For purposes of clarity, the control plane protocol used in this architecture is designed to distribute routing information, policy information and labels. By overloading the labels with inherent representations of services, information on services can be distributed without any modifications to the protocol itself.
The rerouting and reshuffling of traffic and control information is avoided entirely by making this service-chaining architecture policy driven and decoupled from the underlying forwarding plane represented by the intermediate underlying network.
By adding VPN-designations to the service attachments points, services can be delivered on a per-VPN basis. This requires the use of a label-stack where one label represent the VPN and another label represents the service. Alternatively, and at a higher administrative cost, service-labels can be assigned in VPN-specific ranges to avoid the use of a label-stack.
If traffic-load distribution is desired, then multiple service-locations can advertise the same service-type using identical labels, which would allow for each ingress Edge-router to distribute load across the set of service-sites based on some condition that is inherently defined or decided by policy.
Associating services with Service-type designators and associating them with the external addresses of Hub-locations, provides inherent location and service-availability awareness. This could be further augmented by geo-location information or other more specific location-related attributes.
Establishment of a Service Chain
In one embodiment, to a method for establishing a service chain is shown in FIG. 3 . Referring to FIG. 3 , the method includes the following blocks:
Block 300: The overlay controller 102 establishes secure control channel with all associated network elements (hubs and edges).
Block 302: The service-hosting locations (hubs) advertise their service type and associated label to the overlay controller 102.
Block 304: The overlay controller 102 uses the service information received when constructing policies for the edge routers that are to use them.
The central controller can either:
Apply the service policy to overlay routes before sending those to edge nodes with overlay next hop and label changed to that of service.
Block 306: The central controller pushes the service policies to the edge routers. These policies link traffic to the ultimate destination with a service chain.
Block 308: The central controller can also push policies to the service hosting routers, instructing them of their role in a given service chain and how to forward inbound and outbound traffic related to each VPN and each Service.
Policy Construction and Information Distribution
In one embodiment, the controller 102 has the option of building a policy involving a service chain in two different ways:
1) The services along with the policies are both advertised to the edge routers that are to use them.
2) Services are advertised service nodes to the controller. Controller then uses the policy to resolve the overlay routes over service routes. It then advertises the resolved overlay routes to those edge nodes that are provisioned to receive those routes.
In the first option, policies can be implemented that takes the availability, capacity, latency, location and other aspects of the service chain into account and gives each edge router the awareness to select the most optimal service chain. In the second option, the edge routers are kept unaware of that they are using a service chain and simply operate based on the information they have been provided for the purpose of forwarding traffic.
Service Identification
In one embodiment, a service route, service label, service identifier and transport location (TLOC) identify each service. Specific service chains are established by policy and do not require any additional information to be distributed for traffic to flow along the path instantiated by the creation of the service chain. The Service Route is distributed for identification purposes only and is not used for forwarding.\
Traffic Forwarding in the Service Chain
In one embodiment, each edge node uses existing destination routes that are given a next-hop TLOC pointing to the entry point of a service chain. This route to TLOC assignment can be done by the central controller as a way of enforcing central service-chain policy, or by edge router when enforcing policies either distributed by the central controller or created locally on the device.
In one embodiment, each service router in the path of a service chain accepts inbound traffic based on the destination TLOC and VPN Label in the received packet and forwards it out the associated interface for the specific service being associated with the TLOC/Label combination. In the outbound direction, each service router must be equipped with policy describing what the next hop is for the particular destination. This allows for each service router to support multiple service chains and different policies for each direction of traffic. Since the outgoing direction is controlled by policy, this allows for great flexibility in choosing the next point in the service chain based on individually defined criteria for that service chain, service, or service router.
The service chaining architecture and method described above provides the following benefits:
Bidirectional Service Chains:
The service chaining architecture provides for the ability to create both unidirectional and bi-directional service chains simply by means of policy with no requirement to advertise additional routing information or labels.
Service Chain Eligibility:
The service chaining architecture is inherently aware of which services are present in a fully functional service chain. This awareness allows for the ability to qualify the eligibility of each specific service chain as the nature of each chain might change during the course of providing service. If crucial service may fail then the service chain could be taken out of service whereas the failure of non-crucial service could render the chain to operate either uninterrupted or with lower priority versus other available chains.
Service-Type Awareness:
The service type is included in the advertisements from each service location and allows for each hop in a service chain, inclusive of ingress and egress points, to make decisions of which specific instance of a given service-type to use. Deciding factors can include capacity, location, current load and other influential characteristics.
Service any Casting:
Each hop in a service chain is equipped to make decisions of which instance of a given service to use at any time. This is strongly linked to the service-type awareness claim but does not have to be. Redundancy through any casting can also be linked to capacity, location, current load and other influential factors aside from service-type.
Primary and Backup Service Locations:
Policies pushed by the central controller can be used to dictate primary and secondary, or backup, locations where a given service is being provided. This further extends the Service-type awareness function described above. The switch from a primary to a backup service can be decided upon and pushed by the central controller, or through previously defined and pushed policy, take place at the edge router upon detection of pre-defined failure conditions.
Equal and Unequal Cost Load-Balancing:
Centrally defined and pushed policies can also influence how traffic is distributed across multiple sites providing the same service for the purpose of explicitly equal cost load-balancing, or if desired, using weights to achieve unequal cost load-balancing.
Centrally defined and pushed policies can also influence how traffic is distributed across multiple sites providing the same service for the purpose of explicitly equal cost load-balancing, or if desired, using weights to achieve unequal cost load-balancing.
Centrally Administered and Provisioned Service Chains:
The service chaining concept described has the distinct advantage that the entire function can be provisioned from a central controller location without having to perform and specific per edge-node configuration or provisioning. As soon as the policy creation is complete on the central controller and services have been made available and linked with the defined policies, edge-nodes that are to use a defined service chain are triggered to do so by the central controller. For convergence between service locations, changes in current service chain or service site affiliation, or service chain eligibility, decisions and changes can be taken and executed upon by the central controller, the edge node, or both. How these actions are performed depend on how the policies were constructed at the central controller. This claim however, does not limit the provisioning or operation of a service chain that is partially performed by the central controller and augmented by service routers or edge routers.
The hardware also typically receives a number of inputs and outputs for communicating information externally. For interface with a user or operator, the hardware may include one or more user input output devices 606 (e.g., a keyboard, mouse, etc.) and a display 608. For additional storage, the hardware 600 may also include one or more mass storage devices 610, e.g., a Universal Serial Bus (USB) or other removable disk drive, a hard disk drive, a Direct Access Storage Device (DASD), an optical drive (e.g. a Compact Disk (CD) drive, a Digital Versatile Disk (DVD) drive, etc.) and/or a USB drive, among others. Furthermore, the hardware may include an interface with one or more networks 612 (e.g., a local area network (LAN), a wide area network (WAN), a wireless network, and/or the Internet among others) to permit the communication of information with other computers coupled to the networks. It should be appreciated that the hardware typically includes suitable analog and/or digital interfaces between the processor 612 and each of the components, as is well known in the art.
The hardware 600 operates under the control of an operating system 614, and executes application software 616 which includes various computer software applications, components, programs, objects, modules, etc. to perform the techniques described above.
In general, the routines executed to implement the embodiments of the invention, may be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as “computer programs.” The computer programs typically comprise one or more instructions set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processors in a computer, cause the computer to perform operations necessary to execute elements involving the various aspects of the invention. Moreover, while the invention has been described in the context of fully functioning computers and computer systems, those skilled in the art will appreciate that the various embodiments of the invention are capable of being distributed as a program product in a variety of forms, and that the invention applies equally regardless of the particular type of machine or computer-readable media used to actually effect the distribution. Examples of computer-readable media include but are not limited to recordable type media such as volatile and non-volatile memory devices, USB and other removable media, hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks, (DVDs), etc.), flash drives among others.
Although the present invention has been described with reference to specific exemplary embodiments, it will be evident that the various modification and changes can be made to these embodiments without departing from the broader spirit of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than in a restrictive sense.
Claims (45)
1. A method for routing, comprising:
establishing an overlay network, comprising a plurality of network elements and an overlay controller, wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network;
receiving, by the overlay controller, a first message from a first network element of the plurality of network elements, wherein the first message identifies a first service hosted at available through the first network element and a first label associated with the first service;
receiving, by the overlay controller, a second message from a second network element of the plurality of network elements, wherein the second message identifies a second service hosted at available through the second network element and a second label associated with the second service;
constructing, by the overlay controller, a policy defining a service chain that links the first service and the second service; and
pushingdistributing, by the overlay controller, the policy to a site so that traffic from the site including the first label is routed using the underlying transport network to the first network element hosting the first service and subsequently to the second network elementhosting the second service.
2. The method of claim 1 , wherein the pushing distributing comprises:
in response to the policy also defining flow of outbound traffic, pushing distributing the policy created on the overlay controller to the plurality of network elements characterized as being one of including an edge router and a hub router.
3. The method of claim 1 , wherein the pushing distributing comprises:
in response to the policy also defining flow of inbound traffic, pushing distributing the policy created on the overlay controller to the first network element.
4. The method of claim 1 , wherein the pushing distributing comprises applying the policy to an overlay route prior to sending the overlay route to a third network element of the plurality of network elements, wherein the third network element is associated with an overlay next hop that refers to the first network element and traffic at the third network elements is associated with the first label.
5. A non-transitory computer-readable medium having stored thereon, instructions which, when executed by a controller, cause the controller to perform or control performance of operations comprising:
establishing an overlay network, comprising a plurality of network elements and an overlay controller, wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network;
receiving, by the overlay controller, a first message from a first network element of the plurality of network elements, wherein the first message identifies a first service hosted at available through the first network element and a first label associated with the first service;
receiving, by the overlay controller, a second message from a second network element of the plurality of network elements, wherein the second message identifies a second service hosted at available through the second network element and a second label associated with the second service;
constructing, by the overlay controller, a policy defining a service chain that links the first service and the second service; and
pushingdistributing, by the overlay controller, the policy to a site so that traffic from the site including the first label is routed using the underlying transport network to the first network element hosting the first service and subsequently to the second networkelement hosting the second service.
6. The non-transitory computer-readable medium of claim 5 , wherein the pushing distributing comprises:
in response to the policy also defining flow of outbound traffic, pushing distributing the policy created on the overlay controller to the plurality of network elements characterized as being one of including an edge router and a hub router.
7. The non-transitory computer-readable medium of claim 5 , wherein the pushing distributing comprises:
in response to the policy also defining flow of inbound traffic, pushing distributing the policy created on the overlay controller to the first network element.
8. The non-transitory computer-readable medium of claim 5 , wherein the pushing distributing comprises applying the policy to an overlay route prior to sending the overlay route to a third network element of the plurality of network elements, wherein the third network element is associated with an overlay next hop that refers to the first network element and traffic at the third network elements is associated with the first label.
9. An overlay controller, comprising:
a processor; and
a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the overlay controller to perform or control performance of operations, comprising:
establishing an overlay network, comprising a plurality of network elements and an overlay controller, wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network;
receiving, by the overlay controller, a first message from a first network element of the plurality of network elements, wherein the first message identifies a first service hosted at available through the first network element and a first label associated with the first service;
receiving, by the overlay controller, a second message from a second network element of the plurality of network elements, wherein the second message identifies a second service hosted at available through the second network element and a second label associated with the second service;
constructing, by the overlay controller, a policy defining a service chain that links the first service and the second service; and
pushingdistributing, by the overlay controller, the at least one policy to a site so that traffic from the site including the first label is routed using the underlying transport network to the first network element hosting the first service and subsequently to the second network elementhosting the second service.
10. The overlay controller of claim 9 , wherein the pushing distributing comprises:
in response to the policy also defining flow of outbound traffic, pushing distributing the policy created on the overlay controller to the plurality of network elements characterized as being one of including an edge router and a hub router.
11. The overlay controller of claim 9 , wherein the pushing distributing comprises:
in response to the policy also defining flow of inbound traffic, pushing distributing the policy created on the overlay controller to the first network element.
12. The overlay controller of claim 9 , wherein the pushing distributing comprises applying the policy to an overlay route prior to sending the overlay route to a third network element of the plurality of network elements, wherein the third network element is associated with an overlay next hop that refers to the first network element and traffic at the third network elements is associated with the first label.
13. The method of claim 1 , wherein packets of the traffic from the site include a stack of labels, including the first label and a third label identifying a virtual private network (VPN).
14. The non-transitory computer-readable medium of claim 5 , wherein packets of the traffic from the site include a stack of labels, including the first label and a third label identifying a virtual private network (VPN).
15. The overlay controller of claim 9 , wherein packets of the traffic from the site include a stack of labels, including the first label and a third label identifying a virtual private network (VPN).
16. The overlay controller of claim 9 , wherein the first message indicates that the first service is associated with a particular virtual private network (VPN).
17. The overlay controller of claim 16 , wherein the policy instructs the site to insert the first label into data packets that are sent through the particular VPN and forgo insertion of the first label into data packets that are sent outside the particular VPN.
18. The overlay controller of claim 16 , wherein the second message indicates that the second service is associated with the particular VPN.
19. A method for forwarding network traffic to a network service in an overlay network, the method comprising:
establishing an overlay network, comprising a plurality of network devices and an overlay controller, wherein the overlay controller is in communication with one or more of the network devices via a communications channel established through an underlying transport network, wherein at least a plurality of the network devices are overlay network devices, each overlay network device operative to establish a network layer tunnel with at least one other overlay network device of the overlay network;
receiving, by the overlay controller, a first message from at least one of the plurality of network devices, the first message relating to a network service available through a first overlay network device of the overlay network, the first message comprising a first identifier associated with the network service;
receiving, by the overlay controller, a second message from at least one of the plurality of network devices, the second message identifies a user service available through a first network device and including a second identifier associated with the user service;
constructing based on at least a portion of the first and second message, one or more policies;
distributing the one or more policies to one or more of the overlay network devices of the overlay network,
at least one of the one or more policies defining a service chain and linking the network service to the user service, the policy operative to cause one or more of the overlay network devices of the overlay network to forward, over a corresponding network layer tunnel, network traffic associated with one or more services and matching an attribute to the first overlay network device;
wherein the first overlay network device is operative to provide the network traffic to the first network service, and subsequently forward the network traffic received from the network service to the first network device.
20. The method of claim 19 , wherein the network service is any one of a service in the group consisting of firewall services, intrusion detection services, traffic scrubbing services, caching services, traffic sampling and analytical services, deep packet inspection services, and internet services.
21. The method of claim 19 , wherein the user service is accessible through a browser.
22. The method of claim 19 , further comprising
receiving, by the overlay controller, a first message from the first overlay network device, wherein the first message identifies the network service available through the first overlay network device.
23. The method of claim 19 , wherein each overlay network device is operative to establish a secure network layer tunnel with at least one other overlay network device of the overlay network.
24. The method of claim 19 , wherein at least one of the plurality of overlay network devices is a hub network device, and at least another one of the plurality of overlay network devices is an edge network device.
25. The method of claim 19 , wherein at least a second one of the one or more policies is operative to cause the first overlay network device to forward, over a corresponding network layer tunnel, the network traffic associated with the user service and matching the attribute to a second overlay network device.
26. The method of claim 19 , wherein the communications channels between the overlay controller and the overlay network devices are secure communications channels.
27. The method of claim 19 , wherein the communications channels between the overlay controller and the overlay network devices are secure tunnel connections.
28. An overlay network controller, comprising:
a processor;
a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the controller to:
establish an overlay network; comprising a plurality of overlay network devices and the overlay controller;
communicate with each overlay network device via a communications channel established through an underlying transport network;
facilitate the establishment by each overlay network device of a network layer tunnel with at least one other overlay network device of the overlay network;
access a first message defining a network service available through a first overlay network device of the overlay network, wherein the first message comprising a first identifier associated with the network service;
access a second message identifying a user service available through a first network device and including a second identifier associated with the user service;
construct one or more policies and distribute the one or more policies to one or more of the overlay network devices of the overlay network,
at least one of the one or more policies defining a service chain and linking the network service to the user service, the policy operative to cause one or more of the overlay network devices of the overlay network to forward, over a corresponding network layer tunnel, network traffic associated with the user service and matching an attribute to the first overlay network device;
wherein the first overlay network device is operative to provide the network traffic to the network service, and subsequently forward the network traffic received from the network service to the first network device.
29. The overlay network controller of claim 28 , wherein the network service is any one of a service in the group consisting of firewall services, intrusion detection services, traffic scrubbing services, caching services, traffic sampling and analytical services, deep packet inspection services, and internet services.
30. The overlay network controller of claim 28 , wherein the user service is accessible through a browser.
31. The overlay network controller of claim 28 , wherein the instructions which when executed by the processor causes the controller to receive the first message from the first overlay network device, wherein the first message identifies the network service available through the first overlay network device.
32. The overlay network controller of claim 28 , wherein each overlay network device establishes a secure network layer tunnel with at least one other overlay network device of the overlay network.
33. The overlay network controller of claim 28 , wherein at least one of the plurality of overlay network devices is a hub network device, and at least another one of the plurality of overlay network devices is an edge network device.
34. The overlay network controller of claim 28 , wherein at least a second one of the one or more policies is operative to cause the first overlay network device to forward, over a corresponding network layer tunnel, the network traffic associated with the user service and matching the attribute to a second overlay network device.
35. The overlay network controller of claim 28 , wherein the communications channels between the overlay controller and the overlay network devices are secure communications channels.
36. The overlay network controller of claim 28 , wherein the communications channels between the overlay controller and the overlay network devices are secure tunnel connections.
37. A system for forwarding network traffic to a network service in an overlay network, the system comprising:
a controller and a plurality of overlay network devices, the plurality of overlay network devices each operative to establish a network layer tunnel with at least one other overlay network device of the plurality of overlay network devices;
the controller comprising:
a processor;
a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the controller to:
establish an overlay network comprising the plurality of overlay network devices and an overlay controller, wherein the overlay controller communicates with each overlay network device via a communications channel established through an underlying transport network,
access a first message defining the network service available through a first overlay network device of the overlay network, the first message comprising a first identifier associated with the network service;
access a second message identifying to a user service available through a first network device and including a second identifier associated with the user service;
construct one or more policies and distribute the one or more policies to one or more of the overlay network devices of the overlay network,
at least one of the one or more policies defining a service chain and linking the network service to the user service, the policy operative to cause one or more of the overlay network devices of the overlay network to forward, over a corresponding network layer tunnel, network traffic associated with the user service and matching an attribute to the first overlay network device;
wherein the first overlay network device is operative to provide the network traffic to the network service, and subsequently forward the network traffic received from the network service to a second network device having reachability to the first network device.
38. The system of claim 37 , wherein the network service is any one of a service in the group consisting of firewall services, intrusion detection services, traffic scrubbing services, caching services, traffic sampling and analytical services, deep packet inspection services, and internet services.
39. The system of claim 37 , wherein the user service is accessible through a browser.
40. The system of claim 37 , wherein the instructions which when executed by the processor causes the controller to receive a first message from the first overlay network device, wherein the first message identifies the network service available through the first overlay network device.
41. The system of claim 37 , wherein each overlay network device is operative to establish a secure network layer tunnel with at least one other overlay network device of the overlay network.
42. The system of claim 37 , wherein at least one of the plurality of overlay network devices is a hub network device, and at least another one of the plurality of overlay network devices is an edge network device.
43. The system of claim 37 , wherein at least a second one of the one or more policies is operative to cause the first overlay network device to forward, over a corresponding network layer tunnel, the network traffic associated with the user service and matching the attribute to a second overlay network device.
44. The system of claim 37 , wherein the communications channels between the overlay controller and the overlay network devices are secure communications channels.
45. The system of claim 37 , wherein the communications channels between the overlay controller and the overlay network devices are secure tunnel connections.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US17/104,933 USRE50121E1 (en) | 2013-09-16 | 2020-11-25 | Service chaining based on labels in control and forwarding |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US14/028,514 US10142254B1 (en) | 2013-09-16 | 2013-09-16 | Service chaining based on labels in control and forwarding |
| US17/104,933 USRE50121E1 (en) | 2013-09-16 | 2020-11-25 | Service chaining based on labels in control and forwarding |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/028,514 Reissue US10142254B1 (en) | 2013-09-16 | 2013-09-16 | Service chaining based on labels in control and forwarding |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| USRE50121E1 true USRE50121E1 (en) | 2024-09-10 |
Family
ID=64315634
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/028,514 Active 2035-02-21 US10142254B1 (en) | 2013-09-16 | 2013-09-16 | Service chaining based on labels in control and forwarding |
| US17/104,933 Active 2035-02-21 USRE50121E1 (en) | 2013-09-16 | 2020-11-25 | Service chaining based on labels in control and forwarding |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/028,514 Active 2035-02-21 US10142254B1 (en) | 2013-09-16 | 2013-09-16 | Service chaining based on labels in control and forwarding |
Country Status (1)
| Country | Link |
|---|---|
| US (2) | US10142254B1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20240205144A1 (en) * | 2022-12-13 | 2024-06-20 | Certes Networks, Inc. | Policy Driven Traffic Routing Through Dynamically Inserted Network Services |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2016045705A1 (en) * | 2014-09-23 | 2016-03-31 | Nokia Solutions And Networks Oy | Control of communication using service function chaining |
| US10924298B2 (en) * | 2015-02-11 | 2021-02-16 | Hewlett Packard Enterprise Development Lp | Network service chain construction |
| US11277338B2 (en) * | 2016-09-26 | 2022-03-15 | Juniper Networks, Inc. | Distributing service function chain data and service function instance data in a network |
| US11258628B2 (en) * | 2019-06-24 | 2022-02-22 | Cisco Technology, Inc. | Plug and play at sites using TLOC-extension |
| US11916758B2 (en) * | 2019-08-02 | 2024-02-27 | Cisco Technology, Inc. | Network-assisted application-layer request flow management in service meshes |
| US11658900B2 (en) | 2021-06-16 | 2023-05-23 | Ciena Corporation | Responding to operator commands in a multi-homing ethernet virtual private network (EVPN) |
| US12261772B2 (en) | 2022-09-12 | 2025-03-25 | Ciena Corporation | Variable preemption for LSP tunnels |
Citations (117)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6044396A (en) | 1995-12-14 | 2000-03-28 | Time Warner Cable, A Division Of Time Warner Entertainment Company, L.P. | Method and apparatus for utilizing the available bit rate in a constrained variable bit rate channel |
| US6289419B1 (en) | 1998-03-06 | 2001-09-11 | Sharp Kabushiki Kaisha | Consistency control device merging updated memory blocks |
| US6535607B1 (en) | 1998-11-02 | 2003-03-18 | International Business Machines Corporation | Method and apparatus for providing interoperability between key recovery and non-key recovery systems |
| US6594361B1 (en) | 1994-08-19 | 2003-07-15 | Thomson Licensing S.A. | High speed signal processing smart card |
| US20030140142A1 (en) | 2002-01-18 | 2003-07-24 | David Marples | Initiating connections through firewalls and network address translators |
| US6611872B1 (en) | 1999-01-11 | 2003-08-26 | Fastforward Networks, Inc. | Performing multicast communication in computer networks by using overlay routing |
| US6675225B1 (en) | 1999-08-26 | 2004-01-06 | International Business Machines Corporation | Method and system for algorithm-based address-evading network snoop avoider |
| US20040034702A1 (en) | 2002-08-16 | 2004-02-19 | Nortel Networks Limited | Method and apparatus for exchanging intra-domain routing information between VPN sites |
| US20040088369A1 (en) | 2002-10-31 | 2004-05-06 | Yeager William J. | Peer trust evaluation using mobile agents in peer-to-peer networks |
| US20040103205A1 (en) | 1998-10-30 | 2004-05-27 | Science Applications International Corporation | Method for establishing secure communication link between computers of virtual private network |
| US20040184603A1 (en) | 2003-03-21 | 2004-09-23 | Pearson David Spencer | Systems and methods for quantum cryptographic key transport |
| US20040203590A1 (en) | 2002-09-11 | 2004-10-14 | Koninklijke Philips Electronics N.V. | Set-up of wireless consumer electronics device using a learning remote control |
| US20050021610A1 (en) | 2003-06-27 | 2005-01-27 | Bruno Bozionek | Method and arrangement for accessing a first terminal in a first communication network from a second communication node in a second communication network |
| US20050044356A1 (en) | 1999-12-22 | 2005-02-24 | Sunil Srivastava | Method and apparatus for distributing and updating private keys of multicast group managers using directory replication |
| US20050071280A1 (en) | 2003-09-25 | 2005-03-31 | Convergys Information Management Group, Inc. | System and method for federated rights management |
| US20050094814A1 (en) | 2003-10-31 | 2005-05-05 | Tadahiro Aihara | Electronic apparatus and encryption key updating |
| US20060015643A1 (en) | 2004-01-23 | 2006-01-19 | Fredrik Orava | Method of sending information through a tree and ring topology of a network system |
| CN1254059C (en) | 2002-12-10 | 2006-04-26 | 华为技术有限公司 | Method of realizing special multiple-protocol label exchanging virtual network |
| US20060088031A1 (en) | 2004-10-26 | 2006-04-27 | Gargi Nalawade | Method and apparatus for providing multicast messages within a virtual private network across a data communication network |
| US20060155721A1 (en) | 2005-01-12 | 2006-07-13 | Network Appliance, Inc. | Buffering proxy for telnet access |
| US20060165233A1 (en) | 2003-12-17 | 2006-07-27 | Masao Nonaka | Methods and apparatuses for distributing system secret parameter group and encrypted intermediate key group for generating content encryption and decryption deys |
| US7117530B1 (en) | 1999-12-07 | 2006-10-03 | Watchguard Technologies, Inc. | Tunnel designation system for virtual private networks |
| US20060221830A1 (en) | 2005-03-31 | 2006-10-05 | Sbc Knowledge Ventures Lp | Method and apparatus for managing end-to-end quality of service policies in a communication system |
| US7120682B1 (en) | 2001-03-08 | 2006-10-10 | Cisco Technology, Inc. | Virtual private networks for voice over networks applications |
| US20060233180A1 (en) | 2005-04-14 | 2006-10-19 | Alcatel | Systems and methods for managing network services between private networks |
| US20060288209A1 (en) | 2005-06-20 | 2006-12-21 | Vogler Dean H | Method and apparatus for secure inter-processor communications |
| US20070086431A1 (en) | 2005-10-13 | 2007-04-19 | Abu-Amara Hosame H | Privacy proxy of a digital security system for distributing media content to a local area network |
| US20070104115A1 (en) * | 2005-11-10 | 2007-05-10 | Dan Decasper | Overlay network infrastructure |
| US20070118885A1 (en) | 2005-11-23 | 2007-05-24 | Elrod Craig T | Unique SNiP for use in secure data networking and identity management |
| US20070140110A1 (en) | 2005-12-21 | 2007-06-21 | Microsoft Corporation | Peer communities |
| US20070153782A1 (en) | 2005-12-30 | 2007-07-05 | Gregory Fletcher | Reliable, high-throughput, high-performance transport and routing mechanism for arbitrary data flows |
| US7251824B2 (en) | 2000-12-19 | 2007-07-31 | Intel Corporation | Accessing a private network |
| US20070185814A1 (en) | 2005-10-18 | 2007-08-09 | Intertrust Technologies Corporation | Digital rights management engine systems and methods |
| US20070230688A1 (en) | 2005-08-18 | 2007-10-04 | Nec Corporation | Secret communication system and method for generating shared secret information |
| US20070248232A1 (en) | 2006-04-10 | 2007-10-25 | Honeywell International Inc. | Cryptographic key sharing method |
| US20070299954A1 (en) | 2006-06-27 | 2007-12-27 | International Business Machines Corporation | System, method and program for determining a network path by which to send a message |
| US20080013738A1 (en) | 2006-04-19 | 2008-01-17 | Nec Corporation | Secret communications system and channel control method |
| US20080080716A1 (en) | 2006-09-29 | 2008-04-03 | Mcalister Donald Kent | Back-up for key authority point for scaling and high availability for stateful failover |
| US20080130902A1 (en) | 2006-04-10 | 2008-06-05 | Honeywell International Inc. | Secure wireless instrumentation network system |
| US20080147820A1 (en) | 2006-12-19 | 2008-06-19 | Nec Corporation | Method and system for managing shared information |
| US20080273704A1 (en) | 2005-12-01 | 2008-11-06 | Karl Norrman | Method and Apparatus for Delivering Keying Information |
| US20090193253A1 (en) | 2005-11-04 | 2009-07-30 | Rainer Falk | Method and server for providing a mobile key |
| US20090216910A1 (en) | 2007-04-23 | 2009-08-27 | Duchesneau David D | Computing infrastructure |
| US20090220080A1 (en) | 2008-02-29 | 2009-09-03 | Michael Herne | Application-Level Service Access to Encrypted Data Streams |
| US20090296924A1 (en) | 2008-05-30 | 2009-12-03 | Infineon Technologies North America Corp. | Key management for communication networks |
| US20100014677A1 (en) | 2007-06-28 | 2010-01-21 | Taichi Sato | Group subordinate terminal, group managing terminal, server, key updating system, and key updating method therefor |
| US20100058082A1 (en) | 2008-08-27 | 2010-03-04 | Lenovo (Singapore) Ple., Ltd. | Maintaining network link during suspend state |
| US20100064008A1 (en) | 2007-03-13 | 2010-03-11 | Huawei Technologies Co., Ltd. | Peer-to-peer network system, proxy service peer, and method for peer interworking between overlay networks |
| US20100122084A1 (en) | 2007-07-24 | 2010-05-13 | Huawei Technologies Co., Ltd. | Method, apparatus and system for registering new member in group key management |
| US20100169563A1 (en) | 2008-12-30 | 2010-07-01 | Jeremy Horner | Content Addressable Memory and Method |
| US20100281251A1 (en) | 2008-06-12 | 2010-11-04 | Telefonaktiebolaget L M Ericsson (Publ) | Mobile Virtual Private Networks |
| US20100325423A1 (en) | 2009-06-22 | 2010-12-23 | Craig Stephen Etchegoyen | System and Method for Securing an Electronic Communication |
| US20110010553A1 (en) | 2009-07-10 | 2011-01-13 | Robert S Cahn | On-Line Membership Verification |
| US20110064222A1 (en) | 2008-05-19 | 2011-03-17 | Qinetiq Limited | Quantum key distribution involving moveable key device |
| US20110075674A1 (en) | 2009-09-30 | 2011-03-31 | Alcatel-Lucent Usa Inc. | Scalable architecture for enterprise extension in a cloud topology |
| US7925592B1 (en) | 2006-09-27 | 2011-04-12 | Qurio Holdings, Inc. | System and method of using a proxy server to manage lazy content distribution in a social network |
| US20110110377A1 (en) | 2009-11-06 | 2011-05-12 | Microsoft Corporation | Employing Overlays for Securing Connections Across Networks |
| US20110164750A1 (en) | 2008-09-17 | 2011-07-07 | Koninklijke Phillips Electronics N.V. | Method for communicating in a network, a communication device and a system therefor |
| US7995573B2 (en) | 2004-12-06 | 2011-08-09 | Swisscom Ag | Method and system for mobile network nodes in heterogeneous networks |
| US8023504B2 (en) * | 2008-08-27 | 2011-09-20 | Cisco Technology, Inc. | Integrating security server policies with optimized routing control |
| US20110296510A1 (en) | 2010-05-27 | 2011-12-01 | Microsoft Corporation | Protecting user credentials using an intermediary component |
| US20120051221A1 (en) | 2009-05-06 | 2012-03-01 | Dinh Thai Bui | Traffic-engineered connection establishment across resource domains for data transport |
| US20120092986A1 (en) | 2010-10-15 | 2012-04-19 | Futurewei Technologies, Inc. | System And Method For Computing A Backup Egress Of A Point-To-Multi-Point Label Switched Path |
| US20120134361A1 (en) * | 2009-12-18 | 2012-05-31 | Wong Wendy C | System and method of utilizing a framework for information routing in large-scale distributed systems using swarm intelligence |
| US20120180122A1 (en) | 2009-09-18 | 2012-07-12 | Zte Corporation | Implementation method and system of virtual private network |
| US8224971B1 (en) | 2009-12-28 | 2012-07-17 | Amazon Technologies, Inc. | Using virtual networking devices and routing information to initiate external actions |
| US20120266209A1 (en) | 2012-06-11 | 2012-10-18 | David Jeffrey Gooding | Method of Secure Electric Power Grid Operations Using Common Cyber Security Services |
| US20120284370A1 (en) | 2011-05-02 | 2012-11-08 | Authentec, Inc. | Method, system, or user device for adaptive bandwidth control of proxy multimedia server |
| WO2013007496A1 (en) | 2011-07-08 | 2013-01-17 | Alcatel Lucent | Centralized system for routing ethernet packets over an internet protocol network |
| US20130034094A1 (en) | 2011-08-05 | 2013-02-07 | International Business Machines Corporation | Virtual Switch Data Control In A Distributed Overlay Network |
| US20130051559A1 (en) | 2011-08-26 | 2013-02-28 | Shinichi Baba | Key sharing device, key sharing method, and computer program product |
| US20130121142A1 (en) * | 2010-07-05 | 2013-05-16 | Huawei Technologies Co., Ltd. | Method and apparatus for forwarding multicast traffic |
| US20130163446A1 (en) | 2011-12-22 | 2013-06-27 | Voipfuture Gmbh | Correlation of Media Plane and Signaling Plane of Media Services in a Packet-Switched Network |
| US20130182712A1 (en) | 2012-01-13 | 2013-07-18 | Dan Aguayo | System and method for managing site-to-site vpns of a cloud managed network |
| US20130201909A1 (en) | 2012-02-06 | 2013-08-08 | Juniper Networks, Inc. | Mobile node host route installation and withdrawal |
| US8516552B2 (en) | 2009-01-28 | 2013-08-20 | Headwater Partners I Llc | Verifiable service policy implementation for intermediate networking devices |
| US8515079B1 (en) | 2007-01-26 | 2013-08-20 | Cisco Technology, Inc. | Hybrid rekey distribution in a virtual private network environment |
| US20130223444A1 (en) | 2012-02-23 | 2013-08-29 | Christopher D. Liljenstolpe | System and methods for managing network packet forwarding with a controller |
| US20130251154A1 (en) | 2012-03-23 | 2013-09-26 | Yoshimichi Tanizawa | Key generating device and key generating method |
| US20130266007A1 (en) | 2012-04-10 | 2013-10-10 | International Business Machines Corporation | Switch routing table utilizing software defined network (sdn) controller programmed route segregation and prioritization |
| US8594323B2 (en) | 2004-09-21 | 2013-11-26 | Rockstar Consortium Us Lp | Method and apparatus for generating large numbers of encryption keys |
| US20130329725A1 (en) | 2012-06-06 | 2013-12-12 | Juniper Networks, Inc. | Facilitating operation of one or more virtual networks |
| US20130335582A1 (en) | 2012-06-15 | 2013-12-19 | Fujitsu Limited | Method of controlling information processing apparatus and information processing apparatus |
| US20140003425A1 (en) * | 2012-06-29 | 2014-01-02 | Futurewei Technologies, Inc. | Implementing a Multicast Virtual Private Network by Using Multicast Resource Reservation Protocol-Traffic Engineering |
| US20140079059A1 (en) | 2009-03-29 | 2014-03-20 | Ltn Global Communications, Inc. | System and method that routes flows via multicast flow transport for groups |
| US20140153572A1 (en) | 2012-11-30 | 2014-06-05 | Georg Hampel | Software-defined network overlay |
| US20140153457A1 (en) | 2012-12-05 | 2014-06-05 | T-Mobile USA, Inc | Energy-Efficient Push/Poll Notification Service |
| US20140189363A1 (en) | 2012-12-28 | 2014-07-03 | Moka5, Inc. | Separate cryptographic keys for protecting different operations on data |
| US20140223520A1 (en) | 2011-08-30 | 2014-08-07 | Securepush Ltd. | Guardian control over electronic actions |
| US20140297438A1 (en) | 2005-01-21 | 2014-10-02 | Robin Dua | Method and system of processing payments using a proxy credential |
| US20140294018A1 (en) | 2011-11-11 | 2014-10-02 | Pismo Labs Technology Limited | Protocol for layer two multiple network links tunnelling |
| US8868698B2 (en) | 2004-06-05 | 2014-10-21 | Sonos, Inc. | Establishing a secure wireless network with minimum human intervention |
| US8879739B2 (en) | 2012-11-26 | 2014-11-04 | Nagravision S.A. | Method, system and device for securely transferring digital content between electronic devices within a communication network managed by a management center |
| US20140331050A1 (en) | 2011-04-15 | 2014-11-06 | Quintessence Labs Pty Ltd. | Qkd key management system |
| US20140380039A1 (en) | 1998-10-30 | 2014-12-25 | Virnetx, Inc. | System and method employing an agile network protocol for secure communications using secure domain names |
| US20150006737A1 (en) | 2012-11-19 | 2015-01-01 | Huawei Technologies Co., Ltd. | Method, apparatus, and system for providing network traversing service |
| US20150033298A1 (en) | 2013-07-25 | 2015-01-29 | Phantom Technologies, Inc. | Device authentication using proxy automatic configuration script requests |
| US8954740B1 (en) | 2010-10-04 | 2015-02-10 | Symantec Corporation | Session key proxy decryption method to secure content in a one-to-many relationship |
| US8959333B2 (en) | 2006-06-01 | 2015-02-17 | Nokia Siemens Networks Gmbh & Co. Kg | Method and system for providing a mesh key |
| US20150103839A1 (en) | 2013-10-13 | 2015-04-16 | Nicira, Inc. | Bridging between Network Segments with a Logical Router |
| US20150106620A1 (en) | 2013-10-15 | 2015-04-16 | Intuit Inc. | Method and system for providing a secure secrets proxy |
| US20150127797A1 (en) | 2013-11-05 | 2015-05-07 | Cisco Technology, Inc. | System and method for multi-path load balancing in network fabrics |
| WO2015092491A1 (en) | 2013-12-20 | 2015-06-25 | Pismo Labs Technology Limited | Methods and systems for transmitting and receiving packets |
| US20150229490A1 (en) | 2014-02-12 | 2015-08-13 | Hob Gmbh & Co. Kg | Communication system for transmittingunder a tunnel protocol between at least two data computers via a wide area network and a method for running such a communication system |
| US20150256521A1 (en) | 2009-10-31 | 2015-09-10 | Saife, Inc. | Secure communication system for mobile devices |
| US20160036785A1 (en) | 2013-03-13 | 2016-02-04 | Jumpto Media Inc. | Secure network communication |
| US20160080268A1 (en) | 2014-09-16 | 2016-03-17 | CloudGenix, Inc. | Methods and systems for hub high availability and network load and scaling |
| US20160226762A1 (en) | 2015-01-30 | 2016-08-04 | Nicira, Inc. | Implementing logical router uplinks |
| US9467478B1 (en) | 2013-12-18 | 2016-10-11 | vIPtela Inc. | Overlay management protocol for secure routing based on an overlay network |
| US20170076291A1 (en) | 2015-09-10 | 2017-03-16 | Transworld Holdings PCC Limited (S1 Technology Cell) | Proxy device for representing multiple credentials |
| US9659170B2 (en) | 2015-01-02 | 2017-05-23 | Senteon LLC | Securing data on untrusted devices |
| US20170155628A1 (en) | 2015-12-01 | 2017-06-01 | Encrypted Dynamics LLC | Device, system and method for fast and secure proxy re-encryption |
| US20170223154A1 (en) | 2015-01-30 | 2017-08-03 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for connecting a gateway router to a set of scalable virtual ip network appliances in overlay networks |
| US20180054438A1 (en) | 2015-03-02 | 2018-02-22 | Microsoft Technology Licensing, Llc | Proxy service for uploading data from a source to a destination |
| US20180091417A1 (en) | 2015-04-07 | 2018-03-29 | Umbra Technologies Ltd. | System and method for virtual interfaces and advanced smart routing in a global virtual network |
| US9980303B2 (en) | 2015-12-18 | 2018-05-22 | Cisco Technology, Inc. | Establishing a private network using multi-uplink capable network devices |
| US10298672B2 (en) | 2015-12-18 | 2019-05-21 | Cisco Technology, Inc. | Global contact-point registry for peer network devices |
-
2013
- 2013-09-16 US US14/028,514 patent/US10142254B1/en active Active
-
2020
- 2020-11-25 US US17/104,933 patent/USRE50121E1/en active Active
Patent Citations (123)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6594361B1 (en) | 1994-08-19 | 2003-07-15 | Thomson Licensing S.A. | High speed signal processing smart card |
| US6044396A (en) | 1995-12-14 | 2000-03-28 | Time Warner Cable, A Division Of Time Warner Entertainment Company, L.P. | Method and apparatus for utilizing the available bit rate in a constrained variable bit rate channel |
| US6289419B1 (en) | 1998-03-06 | 2001-09-11 | Sharp Kabushiki Kaisha | Consistency control device merging updated memory blocks |
| US20040103205A1 (en) | 1998-10-30 | 2004-05-27 | Science Applications International Corporation | Method for establishing secure communication link between computers of virtual private network |
| US20140380039A1 (en) | 1998-10-30 | 2014-12-25 | Virnetx, Inc. | System and method employing an agile network protocol for secure communications using secure domain names |
| US6535607B1 (en) | 1998-11-02 | 2003-03-18 | International Business Machines Corporation | Method and apparatus for providing interoperability between key recovery and non-key recovery systems |
| US6611872B1 (en) | 1999-01-11 | 2003-08-26 | Fastforward Networks, Inc. | Performing multicast communication in computer networks by using overlay routing |
| US6675225B1 (en) | 1999-08-26 | 2004-01-06 | International Business Machines Corporation | Method and system for algorithm-based address-evading network snoop avoider |
| US7117530B1 (en) | 1999-12-07 | 2006-10-03 | Watchguard Technologies, Inc. | Tunnel designation system for virtual private networks |
| US20050044356A1 (en) | 1999-12-22 | 2005-02-24 | Sunil Srivastava | Method and apparatus for distributing and updating private keys of multicast group managers using directory replication |
| US7251824B2 (en) | 2000-12-19 | 2007-07-31 | Intel Corporation | Accessing a private network |
| US7120682B1 (en) | 2001-03-08 | 2006-10-10 | Cisco Technology, Inc. | Virtual private networks for voice over networks applications |
| US20030140142A1 (en) | 2002-01-18 | 2003-07-24 | David Marples | Initiating connections through firewalls and network address translators |
| US20040034702A1 (en) | 2002-08-16 | 2004-02-19 | Nortel Networks Limited | Method and apparatus for exchanging intra-domain routing information between VPN sites |
| US20040203590A1 (en) | 2002-09-11 | 2004-10-14 | Koninklijke Philips Electronics N.V. | Set-up of wireless consumer electronics device using a learning remote control |
| US20040088369A1 (en) | 2002-10-31 | 2004-05-06 | Yeager William J. | Peer trust evaluation using mobile agents in peer-to-peer networks |
| CN1254059C (en) | 2002-12-10 | 2006-04-26 | 华为技术有限公司 | Method of realizing special multiple-protocol label exchanging virtual network |
| US20040184603A1 (en) | 2003-03-21 | 2004-09-23 | Pearson David Spencer | Systems and methods for quantum cryptographic key transport |
| US20050021610A1 (en) | 2003-06-27 | 2005-01-27 | Bruno Bozionek | Method and arrangement for accessing a first terminal in a first communication network from a second communication node in a second communication network |
| US20050071280A1 (en) | 2003-09-25 | 2005-03-31 | Convergys Information Management Group, Inc. | System and method for federated rights management |
| US20050094814A1 (en) | 2003-10-31 | 2005-05-05 | Tadahiro Aihara | Electronic apparatus and encryption key updating |
| US20060165233A1 (en) | 2003-12-17 | 2006-07-27 | Masao Nonaka | Methods and apparatuses for distributing system secret parameter group and encrypted intermediate key group for generating content encryption and decryption deys |
| US20060015643A1 (en) | 2004-01-23 | 2006-01-19 | Fredrik Orava | Method of sending information through a tree and ring topology of a network system |
| US8868698B2 (en) | 2004-06-05 | 2014-10-21 | Sonos, Inc. | Establishing a secure wireless network with minimum human intervention |
| US8594323B2 (en) | 2004-09-21 | 2013-11-26 | Rockstar Consortium Us Lp | Method and apparatus for generating large numbers of encryption keys |
| US20060088031A1 (en) | 2004-10-26 | 2006-04-27 | Gargi Nalawade | Method and apparatus for providing multicast messages within a virtual private network across a data communication network |
| US7995573B2 (en) | 2004-12-06 | 2011-08-09 | Swisscom Ag | Method and system for mobile network nodes in heterogeneous networks |
| US20060155721A1 (en) | 2005-01-12 | 2006-07-13 | Network Appliance, Inc. | Buffering proxy for telnet access |
| US20140297438A1 (en) | 2005-01-21 | 2014-10-02 | Robin Dua | Method and system of processing payments using a proxy credential |
| US20060221830A1 (en) | 2005-03-31 | 2006-10-05 | Sbc Knowledge Ventures Lp | Method and apparatus for managing end-to-end quality of service policies in a communication system |
| US20060233180A1 (en) | 2005-04-14 | 2006-10-19 | Alcatel | Systems and methods for managing network services between private networks |
| US20060288209A1 (en) | 2005-06-20 | 2006-12-21 | Vogler Dean H | Method and apparatus for secure inter-processor communications |
| US20070230688A1 (en) | 2005-08-18 | 2007-10-04 | Nec Corporation | Secret communication system and method for generating shared secret information |
| US20070086431A1 (en) | 2005-10-13 | 2007-04-19 | Abu-Amara Hosame H | Privacy proxy of a digital security system for distributing media content to a local area network |
| US20070185814A1 (en) | 2005-10-18 | 2007-08-09 | Intertrust Technologies Corporation | Digital rights management engine systems and methods |
| US20090193253A1 (en) | 2005-11-04 | 2009-07-30 | Rainer Falk | Method and server for providing a mobile key |
| US20070104115A1 (en) * | 2005-11-10 | 2007-05-10 | Dan Decasper | Overlay network infrastructure |
| US20070118885A1 (en) | 2005-11-23 | 2007-05-24 | Elrod Craig T | Unique SNiP for use in secure data networking and identity management |
| US20080273704A1 (en) | 2005-12-01 | 2008-11-06 | Karl Norrman | Method and Apparatus for Delivering Keying Information |
| US20070140110A1 (en) | 2005-12-21 | 2007-06-21 | Microsoft Corporation | Peer communities |
| US20070153782A1 (en) | 2005-12-30 | 2007-07-05 | Gregory Fletcher | Reliable, high-throughput, high-performance transport and routing mechanism for arbitrary data flows |
| US20070248232A1 (en) | 2006-04-10 | 2007-10-25 | Honeywell International Inc. | Cryptographic key sharing method |
| US20080130902A1 (en) | 2006-04-10 | 2008-06-05 | Honeywell International Inc. | Secure wireless instrumentation network system |
| US20080013738A1 (en) | 2006-04-19 | 2008-01-17 | Nec Corporation | Secret communications system and channel control method |
| US8041039B2 (en) | 2006-04-19 | 2011-10-18 | Nec Corporation | Secret communications system and channel control method |
| US8959333B2 (en) | 2006-06-01 | 2015-02-17 | Nokia Siemens Networks Gmbh & Co. Kg | Method and system for providing a mesh key |
| US20070299954A1 (en) | 2006-06-27 | 2007-12-27 | International Business Machines Corporation | System, method and program for determining a network path by which to send a message |
| US7925592B1 (en) | 2006-09-27 | 2011-04-12 | Qurio Holdings, Inc. | System and method of using a proxy server to manage lazy content distribution in a social network |
| US20080080716A1 (en) | 2006-09-29 | 2008-04-03 | Mcalister Donald Kent | Back-up for key authority point for scaling and high availability for stateful failover |
| US20080147820A1 (en) | 2006-12-19 | 2008-06-19 | Nec Corporation | Method and system for managing shared information |
| US8515079B1 (en) | 2007-01-26 | 2013-08-20 | Cisco Technology, Inc. | Hybrid rekey distribution in a virtual private network environment |
| US20100064008A1 (en) | 2007-03-13 | 2010-03-11 | Huawei Technologies Co., Ltd. | Peer-to-peer network system, proxy service peer, and method for peer interworking between overlay networks |
| US20130306276A1 (en) | 2007-04-23 | 2013-11-21 | David D Duchesneau | Computing infrastructure |
| US20090216910A1 (en) | 2007-04-23 | 2009-08-27 | Duchesneau David D | Computing infrastructure |
| US20100014677A1 (en) | 2007-06-28 | 2010-01-21 | Taichi Sato | Group subordinate terminal, group managing terminal, server, key updating system, and key updating method therefor |
| US20100122084A1 (en) | 2007-07-24 | 2010-05-13 | Huawei Technologies Co., Ltd. | Method, apparatus and system for registering new member in group key management |
| US20090220080A1 (en) | 2008-02-29 | 2009-09-03 | Michael Herne | Application-Level Service Access to Encrypted Data Streams |
| US20110064222A1 (en) | 2008-05-19 | 2011-03-17 | Qinetiq Limited | Quantum key distribution involving moveable key device |
| US20090296924A1 (en) | 2008-05-30 | 2009-12-03 | Infineon Technologies North America Corp. | Key management for communication networks |
| US20100281251A1 (en) | 2008-06-12 | 2010-11-04 | Telefonaktiebolaget L M Ericsson (Publ) | Mobile Virtual Private Networks |
| US8023504B2 (en) * | 2008-08-27 | 2011-09-20 | Cisco Technology, Inc. | Integrating security server policies with optimized routing control |
| US20100058082A1 (en) | 2008-08-27 | 2010-03-04 | Lenovo (Singapore) Ple., Ltd. | Maintaining network link during suspend state |
| US20110164750A1 (en) | 2008-09-17 | 2011-07-07 | Koninklijke Phillips Electronics N.V. | Method for communicating in a network, a communication device and a system therefor |
| US20100169563A1 (en) | 2008-12-30 | 2010-07-01 | Jeremy Horner | Content Addressable Memory and Method |
| US8516552B2 (en) | 2009-01-28 | 2013-08-20 | Headwater Partners I Llc | Verifiable service policy implementation for intermediate networking devices |
| US20140079059A1 (en) | 2009-03-29 | 2014-03-20 | Ltn Global Communications, Inc. | System and method that routes flows via multicast flow transport for groups |
| US20120051221A1 (en) | 2009-05-06 | 2012-03-01 | Dinh Thai Bui | Traffic-engineered connection establishment across resource domains for data transport |
| US20100325423A1 (en) | 2009-06-22 | 2010-12-23 | Craig Stephen Etchegoyen | System and Method for Securing an Electronic Communication |
| US20110010553A1 (en) | 2009-07-10 | 2011-01-13 | Robert S Cahn | On-Line Membership Verification |
| US20120180122A1 (en) | 2009-09-18 | 2012-07-12 | Zte Corporation | Implementation method and system of virtual private network |
| US20110075674A1 (en) | 2009-09-30 | 2011-03-31 | Alcatel-Lucent Usa Inc. | Scalable architecture for enterprise extension in a cloud topology |
| US20150256521A1 (en) | 2009-10-31 | 2015-09-10 | Saife, Inc. | Secure communication system for mobile devices |
| US20110110377A1 (en) | 2009-11-06 | 2011-05-12 | Microsoft Corporation | Employing Overlays for Securing Connections Across Networks |
| US20120134361A1 (en) * | 2009-12-18 | 2012-05-31 | Wong Wendy C | System and method of utilizing a framework for information routing in large-scale distributed systems using swarm intelligence |
| US8224971B1 (en) | 2009-12-28 | 2012-07-17 | Amazon Technologies, Inc. | Using virtual networking devices and routing information to initiate external actions |
| US20110296510A1 (en) | 2010-05-27 | 2011-12-01 | Microsoft Corporation | Protecting user credentials using an intermediary component |
| US20130121142A1 (en) * | 2010-07-05 | 2013-05-16 | Huawei Technologies Co., Ltd. | Method and apparatus for forwarding multicast traffic |
| US8954740B1 (en) | 2010-10-04 | 2015-02-10 | Symantec Corporation | Session key proxy decryption method to secure content in a one-to-many relationship |
| US20120092986A1 (en) | 2010-10-15 | 2012-04-19 | Futurewei Technologies, Inc. | System And Method For Computing A Backup Egress Of A Point-To-Multi-Point Label Switched Path |
| US20140331050A1 (en) | 2011-04-15 | 2014-11-06 | Quintessence Labs Pty Ltd. | Qkd key management system |
| US20120284370A1 (en) | 2011-05-02 | 2012-11-08 | Authentec, Inc. | Method, system, or user device for adaptive bandwidth control of proxy multimedia server |
| WO2013007496A1 (en) | 2011-07-08 | 2013-01-17 | Alcatel Lucent | Centralized system for routing ethernet packets over an internet protocol network |
| US20130034094A1 (en) | 2011-08-05 | 2013-02-07 | International Business Machines Corporation | Virtual Switch Data Control In A Distributed Overlay Network |
| US20130051559A1 (en) | 2011-08-26 | 2013-02-28 | Shinichi Baba | Key sharing device, key sharing method, and computer program product |
| US20140223520A1 (en) | 2011-08-30 | 2014-08-07 | Securepush Ltd. | Guardian control over electronic actions |
| US20140294018A1 (en) | 2011-11-11 | 2014-10-02 | Pismo Labs Technology Limited | Protocol for layer two multiple network links tunnelling |
| US20130163446A1 (en) | 2011-12-22 | 2013-06-27 | Voipfuture Gmbh | Correlation of Media Plane and Signaling Plane of Media Services in a Packet-Switched Network |
| US20150092603A1 (en) | 2012-01-13 | 2015-04-02 | Cisco Technology, Inc. | System and method for managing site-to-site vpns of a cloud managed network |
| US20130182712A1 (en) | 2012-01-13 | 2013-07-18 | Dan Aguayo | System and method for managing site-to-site vpns of a cloud managed network |
| US20130201909A1 (en) | 2012-02-06 | 2013-08-08 | Juniper Networks, Inc. | Mobile node host route installation and withdrawal |
| US20130223444A1 (en) | 2012-02-23 | 2013-08-29 | Christopher D. Liljenstolpe | System and methods for managing network packet forwarding with a controller |
| US20130251154A1 (en) | 2012-03-23 | 2013-09-26 | Yoshimichi Tanizawa | Key generating device and key generating method |
| US20130266007A1 (en) | 2012-04-10 | 2013-10-10 | International Business Machines Corporation | Switch routing table utilizing software defined network (sdn) controller programmed route segregation and prioritization |
| US20130329725A1 (en) | 2012-06-06 | 2013-12-12 | Juniper Networks, Inc. | Facilitating operation of one or more virtual networks |
| US20120266209A1 (en) | 2012-06-11 | 2012-10-18 | David Jeffrey Gooding | Method of Secure Electric Power Grid Operations Using Common Cyber Security Services |
| US20130335582A1 (en) | 2012-06-15 | 2013-12-19 | Fujitsu Limited | Method of controlling information processing apparatus and information processing apparatus |
| US20140003425A1 (en) * | 2012-06-29 | 2014-01-02 | Futurewei Technologies, Inc. | Implementing a Multicast Virtual Private Network by Using Multicast Resource Reservation Protocol-Traffic Engineering |
| US20150006737A1 (en) | 2012-11-19 | 2015-01-01 | Huawei Technologies Co., Ltd. | Method, apparatus, and system for providing network traversing service |
| US8879739B2 (en) | 2012-11-26 | 2014-11-04 | Nagravision S.A. | Method, system and device for securely transferring digital content between electronic devices within a communication network managed by a management center |
| US20140153572A1 (en) | 2012-11-30 | 2014-06-05 | Georg Hampel | Software-defined network overlay |
| US20140153457A1 (en) | 2012-12-05 | 2014-06-05 | T-Mobile USA, Inc | Energy-Efficient Push/Poll Notification Service |
| US20140189363A1 (en) | 2012-12-28 | 2014-07-03 | Moka5, Inc. | Separate cryptographic keys for protecting different operations on data |
| US20160036785A1 (en) | 2013-03-13 | 2016-02-04 | Jumpto Media Inc. | Secure network communication |
| US20150033298A1 (en) | 2013-07-25 | 2015-01-29 | Phantom Technologies, Inc. | Device authentication using proxy automatic configuration script requests |
| US20150103839A1 (en) | 2013-10-13 | 2015-04-16 | Nicira, Inc. | Bridging between Network Segments with a Logical Router |
| US20150106620A1 (en) | 2013-10-15 | 2015-04-16 | Intuit Inc. | Method and system for providing a secure secrets proxy |
| US20150127797A1 (en) | 2013-11-05 | 2015-05-07 | Cisco Technology, Inc. | System and method for multi-path load balancing in network fabrics |
| US9467478B1 (en) | 2013-12-18 | 2016-10-11 | vIPtela Inc. | Overlay management protocol for secure routing based on an overlay network |
| US10277558B2 (en) | 2013-12-18 | 2019-04-30 | Cisco Technology, Inc. | Overlay management protocol for secure routing based on an overlay network |
| US9736113B1 (en) | 2013-12-18 | 2017-08-15 | vIPtela Inc. | Overlay management protocol for secure routing based on an overlay network |
| WO2015092491A1 (en) | 2013-12-20 | 2015-06-25 | Pismo Labs Technology Limited | Methods and systems for transmitting and receiving packets |
| US20150229490A1 (en) | 2014-02-12 | 2015-08-13 | Hob Gmbh & Co. Kg | Communication system for transmittingunder a tunnel protocol between at least two data computers via a wide area network and a method for running such a communication system |
| US20160080268A1 (en) | 2014-09-16 | 2016-03-17 | CloudGenix, Inc. | Methods and systems for hub high availability and network load and scaling |
| US9659170B2 (en) | 2015-01-02 | 2017-05-23 | Senteon LLC | Securing data on untrusted devices |
| US20160226762A1 (en) | 2015-01-30 | 2016-08-04 | Nicira, Inc. | Implementing logical router uplinks |
| US20170223154A1 (en) | 2015-01-30 | 2017-08-03 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for connecting a gateway router to a set of scalable virtual ip network appliances in overlay networks |
| US20180054438A1 (en) | 2015-03-02 | 2018-02-22 | Microsoft Technology Licensing, Llc | Proxy service for uploading data from a source to a destination |
| US20180091417A1 (en) | 2015-04-07 | 2018-03-29 | Umbra Technologies Ltd. | System and method for virtual interfaces and advanced smart routing in a global virtual network |
| US20170076291A1 (en) | 2015-09-10 | 2017-03-16 | Transworld Holdings PCC Limited (S1 Technology Cell) | Proxy device for representing multiple credentials |
| US20170155628A1 (en) | 2015-12-01 | 2017-06-01 | Encrypted Dynamics LLC | Device, system and method for fast and secure proxy re-encryption |
| US9980303B2 (en) | 2015-12-18 | 2018-05-22 | Cisco Technology, Inc. | Establishing a private network using multi-uplink capable network devices |
| US10298672B2 (en) | 2015-12-18 | 2019-05-21 | Cisco Technology, Inc. | Global contact-point registry for peer network devices |
| US10917926B2 (en) | 2015-12-18 | 2021-02-09 | Cisco Technology, Inc. | Establishing a private network using multi-uplink capable network devices |
Non-Patent Citations (7)
| Title |
|---|
| "Aruba Central Support Page: Advertising Overlay Routes", Hewlett Packard Enterprise Development, 2021, 8 pages, https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/routing/overlay_routing.htm. |
| "Aruba Central Support Page", Hewlett Packard Enterprise Development, 2021, 2 pages, https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/overlay-orchestration/tunnel-orchestration.htm. |
| "Aruba SD-WAN Solution, User Guide", Hewlett Packard Enterprise Company, 2019, 316 pages. |
| "FAQ: Vormetric Key Management Key Vault", Version 5.2, May 14, 2012, 5 pages. |
| "FAQ: Vormetric Key Management—Key Agent for Oracle Transparent Data Encryption", Version 7.2, Jul. 2, 2012, 8 pages, Vormetric.com. |
| "Ipsec UDP Mode in Silver Peak Unity EdgeConnect", Silver Peak, Whitepaper, 12 pages, https://www.silver-peak.com/sites/default/files/userdocs/silver-peak-whitepaper-ipsec-udp-1018_1.pdf. |
| Lara et al., "Network Innovation using OpenFlow: A Survey," CSE Jounral Articles, Dept. of Computer Science and Engineering, 2014, pp. 1-21. |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20240205144A1 (en) * | 2022-12-13 | 2024-06-20 | Certes Networks, Inc. | Policy Driven Traffic Routing Through Dynamically Inserted Network Services |
Also Published As
| Publication number | Publication date |
|---|---|
| US10142254B1 (en) | 2018-11-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| USRE50121E1 (en) | Service chaining based on labels in control and forwarding | |
| EP3824602B1 (en) | Multi-cloud connectivity using srv6 and bgp | |
| US12047244B2 (en) | Method and system of connecting to a multipath hub in a cluster | |
| US9294396B2 (en) | Port extender | |
| EP3323228B1 (en) | Highly available service chains for network services | |
| CN107624240B (en) | Configuration of network elements for automatic policy-based routing | |
| US20190342161A1 (en) | Managing use of alternative intermediate destination computing nodes for provided computer networks | |
| US10243834B1 (en) | Interconnecting virtual networks using an ethernet virtual private network (EVPN) and virtual extensible local area network (VXLAN) based overlay network | |
| US7944854B2 (en) | IP security within multi-topology routing | |
| US11456956B2 (en) | Systems and methods for dynamic connection paths for devices connected to computer networks | |
| US20170019303A1 (en) | Service Chains for Network Services | |
| US20140192645A1 (en) | Method for Internet Traffic Management Using a Central Traffic Controller | |
| US10237179B2 (en) | Systems and methods of inter data center out-bound traffic management | |
| EP3474504B1 (en) | Leaf-to-spine uplink bandwidth advertisement to leaf-connected servers | |
| US9967140B2 (en) | Virtual links for network appliances | |
| US8472324B1 (en) | Managing route selection in a communication network | |
| US20150358243A1 (en) | External service plane | |
| Paul et al. | OpenADN: a case for open application delivery networking | |
| Dayananda et al. | Architecture for inter-cloud services using IPsec VPN | |
| US8645564B2 (en) | Method and apparatus for client-directed inbound traffic engineering over tunnel virtual network links | |
| WO2018171901A1 (en) | System and method for dynamic peer detection in a software defined network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |