Configuring and operating a XaaS model in a datacenter

US10129077B2 · US · B2

Patent metadata
Field: Value
Publication number: US-10129077-B2
Application number: US-201514841648-A
Country: US
Kind code: B2
Filing date: Aug 31, 2015
Priority date: Sep 30, 2014
Publication date: Nov 13, 2018
Grant date: Nov 13, 2018

Abstract

Official abstract text for this publication.

Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes' datapaths (e.g., egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify service-node clusters for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters. The service-node clusters can perform the same service or can perform different services in some embodiments. This tunnel-based approach for distributing data messages to service nodes/clusters is advantageous for seamlessly implementing in a datacenter a cloud-based XaaS model (where XaaS stands for X as a service, and X stands for anything), in which any number of services are provided by service providers in the cloud.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method of implementing a service model in a datacenter comprising a plurality of host computers executing a plurality of source compute nodes (SCNs), the method comprising: providing a particular host computer with parameters for establishing first and second tunnels between the particular host computer and first and second service nodes of first and second service providers external to the datacenter; and providing the particular host computer with a service-action set that includes first and second service actions to be respectively performed by the first and second service nodes on at least one data message flow of one SCN executing on the particular host computer, each service action in the service-action set defined by referencing an identifier that identifies one service provider for performing the service action, each tunnel for use in relaying each data message of said data message flow to a service node of a service provider to perform a service action on the data message, wherein after performing the first service action on each data message of said data message flow, the first service node of the first service provider sends a response data message back to the particular host computer along the first tunnel and the data message is sent to the second service node of the second service provider along the second tunnel for the second service node to perform the second service action on the data message.

2. The method of claim 1, wherein the provided service-action set is provided with a flow identifier that identifies the data message flow to which the first and second service actions of the provided service-action set have to be applied.

3. The method of claim 2, wherein providing the service-action set comprises providing a service-action rule that comprises the service-action set and the flow identifier of the data message flow.

4. The method of claim 2, wherein providing the service-action set comprises providing a service-action policy from which the particular host computer generates a service-action rule, said service-action rule comprising the service-action set and the flow identifier of the data message flow.

5. The method of claim 2, wherein the service-action set's provided flow identifier is for use by a service-processing module that executes on the particular host computer and that compares header values of SCN-associated data message flows with the flow identifier in order to identify data message flows on which the service-action set has to be performed.

6. The method of claim 5, wherein the service-processing module is a filter deployed on an egress datapath of the SCN in order to intercept and examine data messages that the SCN transmits.

7. The method of claim 5, wherein the service-processing module is a filter deployed on an ingress datapath of the SCN in order to intercept and examine data messages that are received for SCN before these messages are supplied to the SCN.

8. The method of claim 1, wherein the provided tunnel-establishing parameters comprise tunnel header packet parameters.

9. The method of claim 8, wherein the provided tunnel-establishing parameters further comprise tunnel keys for allowing multiple different data message flows to use one tunnel from the particular host computer to a particular service provider.

10. The method of claim 8, wherein the provided tunnel-establishing parameters further comprise parameters for generating tunnel keys for allowing multiple different data message flows to use one tunnel from the particular host computer to a particular service provider.

11. The method of claim 1, wherein the service-provider identifier identifies the service provider by identifying a tunnel to a service node of the service provider.

12. The method of claim 1, wherein providing the tunnel-establishing parameters comprises providing parameters to establish a plurality of tunnels to a plurality of service nodes of a first service provider, and providing the service-action set comprises providing a service-action identifier that identifies the first service provider for a service action through a plurality of tunnel identifiers that identify the plurality of tunnels to the plurality of service nodes of the first service provider.

13. The method of claim 1, wherein providing the tunnel-establishing parameters comprises providing parameters to establish a plurality of tunnels to a plurality of service nodes of the first service provider (SP), the method further comprising providing a set of load balancing criteria for selecting tunnels in the plurality of first SP tunnels for data message flows distributed to the first SP, said selection of tunnels distributing data message flows among the plurality of service nodes of the first SP in a load balanced way based on the load balancing criteria set.

14. The method of claim 1, wherein providing the tunnel-establishing parameters comprises providing parameters to establish at least two tunnels to two service nodes of two service providers that perform the same service action, the method further comprising providing a set of selection criteria for selecting one of the two provided tunnels to the first and second service providers for a data message flow.

15. The method of claim 14, wherein the selection criteria set comprises dynamically assessed criteria.

16. The method of claim 1, wherein different service providers are different service vendors that operate in different datacenters that connect to the datacenter of the particular host computer through a public network.

17. The method of claim 1, wherein the data message sent to the first service node is a first data message and the response data message is a second data message, and the response second data message is a modified version of the first data message, said modification accounting for the processing of the first data message by the first service node.

18. A non-transitory machine readable medium storing a program for implementing a service model in a datacenter comprising a plurality of host computers executing a plurality of source computer nodes (SCNs), the program comprising sets of instructions for: providing a particular host computer with parameters for establishing first and second tunnels between the particular host computer and first and second service nodes of first and second service providers external to the datacenter; and providing the particular host computer with a service-action set that includes first and second service actions to be respectively performed by the first and second service nodes on at least one data message flow of one SCN executing on the particular host computer, each service action in the service-action set defined by referencing an identifier that identifies one service provider for performing the service action, each tunnel for use in relaying each data message of said data message flow to a service node of a service provider to perform a service action on the data message, wherein after performing the first service action on each data message of said data message flow, the first service node of the first service provider sends a response data message back to the particular host computer along the first tunnel and the data message is sent to the second service node of the second service provider along the second tunnel for the second service node to perform the second service action on the data message.

19. The machine readable medium of claim 18, wherein the provided service-action s

Classifications

  • Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks · CPC title

  • in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title

  • Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] · CPC title

  • Parsing or analysis of headers · CPC title

  • Session management (for real-time applications in data packet communications networks H04L65/1066) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L41/0803. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 13, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).