Intelligent flow state synchronization to improve resiliency, availability, and/or performance of redundant network security devices

US11706193B2 · US · B2

Patent metadata
Publication number: US-11706193-B2
Application number: US-202117397848-A
Country: US
Kind code: B2
Filing date: Aug 9, 2021
Priority date: Aug 9, 2021
Publication date: Jul 18, 2023
Grant date: Jul 18, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title: what the patent document calls the invention.
  2. Abstract: a short plain-language summary of the technical disclosure.
  3. Assignees and inventors: who owns or filed the patent and who is credited as inventor.
  4. Key dates: filing, priority, publication, and grant dates set the timeline.
  5. First independent claim: the legal scope of protection; read this for what is actually claimed.
  6. CPC / IPC classifications: technology tags used to group this patent with similar filings.
  7. Citations and related patents: prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Example security systems for use between at least one upstream router and at least one downstream router, are described. A group or pool of security devices can be used to provide stateful security to bidirectional packet flows between upstream and downstream routers. The packets of the bidirectional flows are forwarded to particular security devices based on a consistent hash ring process. For a given flow, bidirectional state information is synchronized among some, but not all, of the security devices. The security devices among which such bidirectional flow state information is shared are determined using the same consistent hash ring process.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising: a) at least one upstream router; b) at least one downstream router; and c) a first plurality (N) of security devices arranged between the at least one upstream router and the at least one downstream router, each of the first plurality of security devices providing bidirectional security services for a plurality of bidirectional flows between the at least one upstream router and the at least one downstream router, wherein a consistent hash ring algorithm for generating a consistent hash ring is used to assign each of the plurality of bidirectional flows to (1) a primary one of the first plurality of security devices, and (2) a set (M) of one or more of the first plurality of security devices serving as backup security device(s), wherein M+1 is less than N, and wherein, for each of the plurality of bidirectional flows, the primary one of the first plurality of security devices and set of M backup security device(s) synchronize bidirectional flow state information with one another, but do not synchronize the bidirectional flow state information with all of the N security devices.

2. The system of claim 1 wherein, for each of the plurality of bidirectional flows, the primary one of the first plurality of security devices and set of M backup security device(s) synchronize the bidirectional flow state information only with one another, but not with any other one of the N security devices.

3. The system of claim 1, wherein for each of the plurality of bidirectional flows, the M backup security device(s) are the M next unique security device(s) following the primary security device on the consistent hash ring.

4. The system of claim 3, wherein for each of the plurality of bidirectional flows, the M backup security device(s) are the M next unique security device(s) following the primary security device on the consistent hash ring in a clockwise direction.

5. The system of claim 1, wherein upon failure of a primary security device assigned to a given bidirectional flow, the at least one upstream router and the at least one downstream router forward any packets belonging to the given bidirectional flow to a next available one of the M backup security device(s) assigned to the given bidirectional flow on the consistent hash ring.

6. The system of claim 5, wherein, upon recovery of the primary security device assigned to the given bidirectional flow, responsive to the recovery, the at least one upstream router and the at least one downstream router forward any packets belonging to the given bidirectional flow to the primary security device assigned to the given bidirectional flow.

7. The system of claim 1, wherein M is more than 1, and wherein upon failure of both (1) a primary security device assigned to a given bidirectional flow and (2) a next one of the M backup security device(s) on the consistent hash ring assigned to the given bidirectional flow, the at least one upstream router and the at least one downstream router forward any packets belonging to the given bidirectional flow to a next available one of the M backup security device(s) assigned to the given bidirectional flow on the consistent hash ring.

8. A security system for use between at least one upstream router and at least one downstream router, the security system comprising: a first plurality (N) of security devices arranged between the at least one upstream router and the at least one downstream router, each of the first plurality of security devices being configured to provide bidirectional security services for a plurality of bidirectional flows between the at least one upstream router and the at least one downstream router, wherein, for each of the plurality of bidirectional flows, (1) one of the first plurality of security devices is assigned, as a primary security device to the bidirectional flow, using a consistent hash ring algorithm for generating a consistent hash ring, and (2) a set (M) of one or more of the first plurality of security devices is assigned, as backup security device(s) to the bidirectional flow, using the consistent hash ring algorithm, wherein M+1 is less than N, each of the first plurality of security devices being configured with a state synchronization process in which, for each of the plurality of bidirectional flows, the primary security device assigned to the bidirectional flow and set of M backup security device(s) assigned to the bidirectional flow, synchronize bidirectional flow state information with one another, but do not synchronize bidirectional flow state information with all of the N security devices.

9. The security system of claim 8 wherein, for each of the plurality of flows, the primary security device assigned to the bidirectional flow and set of M backup security device(s) assigned to the bidirectional flow, synchronize the bidirectional flow state information only with one another, but not with any other one of the N security devices.

10. The security system of claim 8, wherein for each of the plurality of bidirectional flows, the M backup security device(s) assigned to the bidirectional flow are the M next unique security device(s) following, on the consistent hash ring, the primary security device assigned to the bidirectional flow.

11. The security system of claim 10, wherein for each of the plurality of bidirectional flows, the M backup security device(s) assigned to the bidirectional flow are the M next unique security device(s) following, in a clockwise direction on the consistent hash ring, the primary security device assigned to the bidirectional flow.

12. The security system of claim 8, wherein upon failure of a primary security device assigned to a given bidirectional flow, the at least one upstream router and the at least one downstream router forward any packets belonging to the given bidirectional flow to a next available one of the M backup security device(s) assigned to the given bidirectional flow on the consistent hash ring.

13. The security system of claim 12, wherein, upon recovery of the primary security device assigned to the given bidirectional flow, responsive to the recovery, the at least one upstream router and the at least one downstream router forward any packets belonging to the given bidirectional flow to the primary security device assigned to the given bidirectional flow.

14. The security system of claim 8, wherein M is more than 1, and wherein upon failure of both (1) a primary security device assigned to a given bidirectional flow and (2) a next one of the M backup security device(s) on the consistent hash ring assigned to the given bidirectional flow, the at least one upstream router and the at least one downstream router forward any packets belonging to the given bidirectional flow to a next available one of the M backup security device(s) assigned to the given bidirectional flow on the consistent hash ring.

15. A computer-implemented method for use in a system having (1) at least one upstream router, (2) at least one downstream router, and (3) a first plurality (N) of security devices arranged between the at least one upstream router and the at least one downstream router, each of the first plurality of security devices being configured to provide bidirectional security services for packets received from the at least one upstream router and for packets received from the at least one downstream router, the computer-implemented method comprising: a) assigning, using a consistent hash ring algorithm for generating a consistent hash ring, for each of a plurality of bidirectional flows, (1) one of the first plurality of security de
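The assignment and failover rules of claims 1 through 7 (primary plus the M next unique devices clockwise on the ring, state shared only within that set, packets forwarded to the next available backup on failure and back to the primary on recovery) can be modelled with a small consistent hash ring. This is an added illustration, not code from the patent or from Juniper; the hash function, the virtual-node count and the device names are assumptions, and the flow key is normalized so that both directions of a bidirectional flow land on the same ring point.

```python
from __future__ import annotations
import bisect
import hashlib
from typing import Iterable, Optional


def _point(s: str) -> int:
    # Ring position: first 64 bits of SHA-256 (assumed; the patent fixes no hash function).
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")


def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int, proto: str) -> str:
    # Order the two endpoints so A->B and B->A packets hash to the same point (bidirectional flow).
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{proto}:{lo[0]}:{lo[1]}:{hi[0]}:{hi[1]}"


class HashRing:
    def __init__(self, devices: Iterable[str], vnodes: int = 64):
        self.devices = set(devices)
        # Each device owns several virtual points so load spreads evenly around the ring.
        self.points = sorted((_point(f"{d}#{i}"), d) for d in self.devices for i in range(vnodes))
        self.keys = [p for p, _ in self.points]

    def assign(self, key: str, m: int) -> list[str]:
        # Returns [primary, backup_1, ..., backup_M]: primary is the first device at or after the
        # key's point; backups are the M next *unique* devices clockwise (claims 3 and 4).
        assert m + 1 < len(self.devices), "claim 1 requires M+1 < N"
        start = bisect.bisect_left(self.keys, _point(key)) % len(self.points)
        chosen: list[str] = []
        for i in range(len(self.points)):
            d = self.points[(start + i) % len(self.points)][1]
            if d not in chosen:
                chosen.append(d)
                if len(chosen) == m + 1:
                    break
        return chosen


def sync_peers(ring: HashRing, key: str, m: int) -> set[str]:
    # The only devices that exchange state for this flow; never all N (claims 1 and 2).
    return set(ring.assign(key, m))


def forward_to(ring: HashRing, key: str, m: int, failed: set[str]) -> Optional[str]:
    # Routers send the flow to the first device in ring order that is up: the primary when it
    # is healthy (claim 6), otherwise the next available backup (claims 5 and 7).
    for d in ring.assign(key, m):
        if d not in failed:
            return d
    return None
```

With N=5 and M=2, each flow's state lives on exactly three devices, so a device failure costs nothing for flows it did not serve and two failures in the same set are still survivable.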

Assignees

Juniper Networks Inc

Inventors

Classifications

  • Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title
  • by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure · CPC title
  • H04L45/28 (Primary): using route fault recovery · CPC title
  • Persistence of sessions during load balancing · CPC title
  • Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11706193B2 cover?
Example security systems for use between at least one upstream router and at least one downstream router, are described. A group or pool of security devices can be used to provide stateful security to bidirectional packet flows between upstream and downstream routers. The packets of the bidirectional flows are forwarded to particular security devices based on a consistent hash ring process. For…
Who is the assignee on this patent?
Juniper Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0209. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 18, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).