Scaling gateway to gateway traffic using flow hash

US11075888B2 · US · B2

Patent metadata
Publication number: US-11075888-B2
Application number: US-201715831214-A
Country: US
Kind code: B2
Filing date: Dec 4, 2017
Priority date: Dec 4, 2017
Publication date: Jul 27, 2021
Grant date: Jul 27, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for distributing data messages among processors of a destination computer that receives encrypted data messages from a source computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. The encrypted data messages are received at multiple interfaces of the destination computer and in some embodiments, include an identifier for a set of encryption parameters (e.g., a security parameter index). The encryption-parameter-set identifier is used to distribute encrypted data messages among processors of the destination computer.

Claims

Full claim text (claims 1 to 20). Claim 1 and claim 13 are the independent claims; the remaining claims depend on them.

We claim:

1. A method for processing a plurality of encrypted data messages sent over a plurality of encryption-secured tunnels using a plurality of data message processing units of a first computer in a first datacenter, each encryption-secured tunnel identified by a unique security parameter index (SPI), the method comprising: at the first computer: receiving the plurality of encrypted data messages through the plurality of encryption-secured tunnels established between the first computer and a second computer; using an SPI of a particular encrypted data message to select a processing unit in the plurality of processing units to process the particular encrypted data message; and using the selected processing unit to process the particular encrypted data message; wherein a first set of data messages received at a particular interface of the first computer over a first encryption-secured tunnel includes a first SPI to identify decryption parameters used for decrypting the first set of data messages, and wherein a second set of data messages received at the particular interface over a second, different encryption-secured tunnel includes a second, different SPI to identify decryption parameters used for decrypting the second set of data messages.

2. The method of claim 1, wherein each SPI is an unencrypted header value used to identify decryption parameters for decrypting the encrypted data message.

3. The method of claim 2, wherein using the SPI comprises hashing at least the unencrypted SPI of the particular encrypted data message to identify a particular processing unit to process the particular encrypted data message.

4. The method of claim 1, wherein the first computer comprises a plurality of interfaces, each interface serving as a tunnel endpoint for at least one encryption-secured tunnel.

5. The method of claim 4, wherein at least one interface in the plurality of interfaces serves as a tunnel endpoint for multiple encryption-secured tunnels between the first computer and the second computer.

6. The method of claim 1, wherein multiple encryption-secured tunnels in the plurality of encryption-secured tunnels are established between a first interface of the first computer and a second interface of the second computer.

7. The method of claim 1, wherein the first and second encryption-secured tunnels are established between a first interface of the first computer and a second interface of the second computer.

8. The method of claim 1, wherein the encrypted data messages are encrypted using an internet protocol security (IPSec) protocol.

9. The method of claim 1, wherein the processing units are processing cores of the set of CPUs.

10. The method of claim 1, wherein the set of CPUs are a set of virtual CPUs (vCPUs) and the processing units are virtual processors of the set of vCPUs.

11. The method of claim 1, wherein the processing units are virtual processing cores.

12. The method of claim 1, wherein at least a plurality of different virtual processing cores corresponds to a plurality of different physical processing cores.

13. A non-transitory machine readable medium storing a program for execution by a plurality of processing units of a first computer in a first datacenter, the program for processing a plurality of encrypted data messages sent over a plurality of encryption-secured tunnels using the plurality of processing units of the first computer in the first datacenter, each encryption-secured tunnel identified by a unique security parameter index (SPI), the program comprising sets of instructions for: receiving the plurality of encrypted data messages through the plurality of encryption-secured tunnels established between the first computer and a second computer; using an SPI of a particular encrypted data message to select a processing unit in the plurality of processing units to process the particular encrypted data message; and using the selected processing unit to process the particular encrypted data message; wherein a first set of data messages received at a particular interface of the first computer over a first encryption-secured tunnel includes a first SPI to identify decryption parameters used for decrypting the first set of data messages, and wherein a second set of data messages received at the particular interface over a second, different encryption-secured tunnel includes a second, different SPI to identify decryption parameters used for decrypting the second set of data messages.

14. The non-transitory machine readable medium of claim 13, wherein each SPI is an unencrypted header value used to identify decryption parameters for decrypting the encrypted data message.

15. The non-transitory machine readable medium of claim 14, wherein the set of instructions for using the SPI comprises a set of instructions for hashing at least the unencrypted SPI of the particular encrypted data message to identify a particular processing unit to process the particular encrypted data message.

16. The non-transitory machine readable medium of claim 13, wherein the first computer comprises a plurality of interfaces, each interface serving as a tunnel endpoint for at least one encryption-secured tunnel.

17. The non-transitory machine readable medium of claim 16, wherein at least one interface in the plurality of interfaces serves as a tunnel endpoint for multiple encryption-secured tunnels between the first computer and the second computer.

18. The non-transitory machine readable medium of claim 17, wherein multiple encryption-secured tunnels in the plurality of encryption-secured tunnels are established between a first interface of the first computer and a second interface of the second computer.

19. The non-transitory machine readable medium of claim 13, wherein the first and second encryption-secured tunnels are established between a first interface of the first computer and a second interface of the second computer.

20. The non-transitory machine readable medium of claim 13, wherein the encrypted data messages are encrypted using an internet protocol security (IPSec) protocol.
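The abstract and claims 1 to 3 describe one mechanism: the receiving gateway reads the SPI, which RFC 4303 leaves in the clear in the first four bytes of the ESP header, and hashes it to pick a processing core. The example below is added here to show why that matters and is not code from the patent, from Nicira, or from any product; it assumes a four-core receiver, uses SHA-256 as a stand-in for whatever hash a NIC or software dispatcher would really use (typically Toeplitz RSS), and builds its own IPv4/ESP packets as constructed test data. It contrasts steering on the outer addresses alone (the pre-existing approach, which collapses every tunnel between one interface pair onto one core because ESP has no port numbers to hash) with steering that includes the SPI, which is the situation claims 6 and 7 single out.

```python
"""Steer IPsec ESP packets to cores by hashing the cleartext SPI.

Added example, not the patent's or any vendor's code. Core count, hash
function and packet contents are all assumptions made for illustration.
"""
import hashlib
import socket
import struct
from collections import Counter

NUM_CORES = 4      # processing units on the receiving gateway (assumed)
ESP_PROTO = 50     # IP protocol number for ESP (RFC 4303)


def build_ipv4_esp(src: str, dst: str, spi: int, seq: int, body: bytes) -> bytes:
    """Build a minimal IPv4 packet carrying an ESP header (constructed test data).

    `body` stands in for ciphertext + ICV; the IPv4 checksum is left at zero
    because nothing in this example validates it.
    """
    esp = struct.pack("!II", spi, seq) + body
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(esp), 0, 0, 64, ESP_PROTO, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return ip + esp


def parse_esp(packet: bytes) -> dict:
    """Return the fields a receiver can read without any decryption.

    Only the SPI and sequence number (first 8 bytes of ESP) are cleartext;
    everything after them is ciphertext or integrity tag.
    """
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    if len(packet) < ihl + 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {"src": packet[12:16], "dst": packet[16:20], "spi": spi, "seq": seq}


def _bucket(key: bytes, num_cores: int) -> int:
    # Any stable hash works here; real NICs use Toeplitz (RSS). SHA-256 keeps
    # the example dependency-free and deterministic.
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % num_cores


def core_by_addresses(f: dict, num_cores: int = NUM_CORES) -> int:
    """Conventional steering on outer src/dst/protocol only (ESP has no ports)."""
    return _bucket(f["src"] + f["dst"] + bytes([ESP_PROTO]), num_cores)


def core_by_spi(f: dict, num_cores: int = NUM_CORES) -> int:
    """Steering as in claim 3: hash at least the unencrypted SPI."""
    return _bucket(f["src"] + f["dst"] + struct.pack("!I", f["spi"]), num_cores)


def distribute(packets, chooser, num_cores: int = NUM_CORES) -> Counter:
    """Count how many packets each core receives under a given chooser."""
    return Counter(chooser(parse_esp(p), num_cores) for p in packets)


def sample_packets(num_tunnels: int = 32, per_tunnel: int = 4) -> list:
    """Constructed traffic: many tunnels, each with its own SPI, between ONE
    pair of interfaces, which is the case claims 6 and 7 describe."""
    pkts = []
    for i in range(num_tunnels):
        spi = 0x1000 + i
        for seq in range(1, per_tunnel + 1):
            pkts.append(build_ipv4_esp("10.0.0.1", "10.0.0.2", spi, seq, b"\x00" * 32))
    return pkts


def same_core_per_sa(packets, num_cores: int = NUM_CORES) -> bool:
    """Every packet of one SA must land on the same core, so per-SA state
    (keys, anti-replay window) is never touched from two cores at once."""
    seen = {}
    for p in packets:
        f = parse_esp(p)
        core = core_by_spi(f, num_cores)
        if seen.setdefault(f["spi"], core) != core:
            return False
    return True


if __name__ == "__main__":
    pkts = sample_packets()
    print("address hash:", dict(distribute(pkts, core_by_addresses)))
    print("SPI hash    :", dict(distribute(pkts, core_by_spi)))
```

Two points a practitioner would check before adopting this. First, the sequence number is deliberately left out of the hash key: the SPI identifies the SA, and the anti-replay window and decryption keys are per-SA state, so pinning one SA to one core avoids cross-core locking and keeps packets of that SA in arrival order; including the sequence number would spread one SA over every core and defeat that. Second, the balance the SPI hash achieves is only as good as the number of SAs carrying traffic: a single busy tunnel still lands on one core, which is why the claims pair the hashing with multiple tunnels between the same interfaces.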

Assignees

Nicira Inc

Inventors

Classifications

  • Address table lookup; Address filtering · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • H04L9/3215 · Primary

    using a plurality of channels (network architectures or network communication protocols using different networks H04L63/18) · CPC title

  • Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations · CPC title

  • Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11075888B2 cover?
For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for distributing data messages among processors of a destination computer that receives encrypted data messages from a source computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. The encrypted data mes…
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0428. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 27, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).