Segmentation of encrypted segments in networks

US11108751B2 · US · B2

Patent metadata

Publication number: US-11108751-B2
Application number: US-201715796656-A
Country: US
Kind code: B2
Filing date: Oct 27, 2017
Priority date: Oct 27, 2017
Publication date: Aug 31, 2021
Grant date: Aug 31, 2021


Abstract

A first host receives a packet from a first compute node for a second compute node of a second host. The payload is larger than a maximum transmission unit size. The first packet is encapsulated with an outer header. The first host analyzes a length of at least a portion of the outer header in determining a size of an encrypted segment of the payload. Then, the first host forms a plurality of packets, where each packet includes an encrypted segment of the payload, a respective encryption header, and a respective authentication value. The payload of the first packet is segmented to form a plurality of encrypted segments based on the size. The first host sends the packets to the second host and receives an indication that a packet was not received. A second packet including the encrypted segment is sent to the second compute node.

Claims (preview)

What is claimed is:

1. A method for sending packets to a destination node, the method comprising: generating, from a payload of a first packet, and in response to a determination that the first packet exceeds a maximum transmission unit (MTU) size that defines a maximum size for sending packets from a source node to the destination node, a plurality of encrypted packet segments, a respective encryption header for each encrypted packet segment, and a respective authentication value for each encrypted packet segment; forming a plurality of packets from the plurality of encrypted packet segments, wherein each packet in the plurality of packets includes one of the encrypted packet segments, a respective encryption header for the one of the encrypted packet segments, and a respective authentication value that is used to verify the one of the encrypted packet segments, wherein each packet in the plurality of packets is less than or equal to the MTU size; sending the plurality of packets to the destination node; receiving an indication that one of the plurality of packets was not received by the destination node; and sending a second packet including the encrypted segment that was not received in the one of the plurality of the packets to the destination node, wherein encrypted segments other than one or more encrypted segments that were not received are not resent to the destination node.

2. The method of claim 1, wherein each of the encrypted segments is independently decryptable using the respective encryption header and the respective authentication value for the respective encrypted segment.

3. The method of claim 1, wherein sending the second packet comprises: receiving a third packet with the segment that was not received in the one of the plurality of the packets from the first compute node; and encrypting the segment that was not received in the one of the plurality of the packets and including the encrypted segment in the third packet.

4. A method for forming a plurality of packets from a first packet, the method comprising: calculating a maximum segment size based on a maximum transmission unit (MTU) size that defines a maximum size for sending packets from a source node to a destination node; calculating a size of an encrypted segment based on the maximum segment size, a size of an encryption header for the encrypted segment, and a size of an authentication value for the encrypted segment; generating, from a payload of the first packet, and in response to a determination that the first packet exceeds the maximum transmission unit size, a plurality of encrypted packet segments, a respective encryption header for each encrypted packet segment, and a respective authentication value for each encrypted packet segment; and forming the plurality of packets from the plurality of encrypted packet segments, wherein each packet in the plurality of packets includes one of the encrypted packet segments, a respective encryption header for the one of the encrypted packet segments, and a respective authentication value that is used to verify the one of the encrypted packet segments, wherein each packet in the plurality of packets is less than or equal to the MTU size.

5. The method of claim 4, wherein calculating the maximum segment size comprises: calculating the maximum segment size based on the MTU size, a first header of the first packet, and an outer header that encapsulates the first packet.

6. The method of claim 5, wherein forming the plurality of packets comprises: adding the outer header and the first header to one or more of the plurality of payloads to form the plurality of packets.

7. The method of claim 4, wherein each of the encrypted segments is independently decryptable using the respective encryption header and the respective authentication value for the respective encrypted segment.

8. The method of claim 4, further comprising: receiving a segment that was not received in the one of the plurality of the packets from the first compute node; and encrypting the segment that was not received in the one of the plurality of the packets and including the encrypted segment in a packet.

9. A non-transitory computer-readable storage medium containing instructions for sending packets to a destination node, wherein the instructions, when executed, control a computer system to be operable for: generating, from a payload of a first packet, and in response to a determination that the first packet exceeds a maximum transmission unit (MTU) size that defines a maximum size for sending packets from a source node to the destination node, a plurality of encrypted packet segments, a respective encryption header for each encrypted packet segment, and a respective authentication value for each encrypted packet segment; forming a plurality of packets from the plurality of encrypted packet segments, wherein each packet in the plurality of packets includes one of the encrypted packet segments, a respective encryption header for the one of the encrypted packet segments, and a respective authentication value that is used to verify the one of the encrypted packet segments, wherein each packet in the plurality of packets is less than or equal to the MTU size; sending the plurality of packets to the destination node; receiving an indication that one of the plurality of packets was not received by the destination node; and sending a second packet including the encrypted segment that was not received in the one of the plurality of the packets to the destination node, wherein encrypted segments other than one or more encrypted segments that were not received are not resent to the destination node.

10. The non-transitory computer-readable storage medium of claim 9, wherein each of the encrypted segments is independently decryptable using the respective encryption header and the respective authentication value for the respective encrypted segment.

11. The non-transitory computer-readable storage medium of claim wherein sending the second packet comprises: receiving a third packet with the segment that was not received in the one of the plurality of the packets from the first compute node; and encrypting the segment that was not received in the one of the plurality of the packets and including the encrypted segment in the third packet.

12. A non-transitory computer-readable storage medium containing instructions for forming a plurality of packets from a first packet, wherein, the instructions, when executed, control a computer system to be operable for: calculating a maximum segment size based on a maximum transmission unit (MTU) size that defines a maximum size for sending packets from a source node to a destination node; calculating a size of an encrypted segment based on the maximum segment size, a size of an encryption header for the encrypted segment, and a size of an authentication value for the encrypted segment; generating, from a payload of the first packet, and in response to a determination that the first packet exceeds the maximum transmission unit size, a plurality of encrypted packet segments, a respective encryption header for each encrypted packet segment, and a respective authentication value for each encrypted packet segment; and forming the plurality of packets from the plurality of encrypted packet segments, wherein each packet in the plurality of packets includes one of the encrypted packet segments, a respective encryption header for the one of the encrypted packet segments, and a respective authentication value that is used to verify the one of the encrypted packet segments, wherein each packet in the plurality of packets is less than or equal to the MTU

Assignees

Nicira Inc

Classifications

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up · CPC title

  • Firewall traversal, e.g. tunnelling or, creating pinholes · CPC title

  • by determining packet size, e.g. maximum transfer unit [MTU] · CPC title

  • Parsing or analysis of headers · CPC title

  • in the data link layer [OSI layer 2], e.g. HDLC · CPC title


Frequently asked questions

Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0485. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 31, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).