Segmentation of encrypted segments in networks

US11729155B2 · US · B2

Patent metadata
Publication number: US-11729155-B2
Application number: US-202117458969-A
Country: US
Kind code: B2
Filing date: Aug 27, 2021
Priority date: Oct 27, 2017
Publication date: Aug 15, 2023
Grant date: Aug 15, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A first host receives a packet from a first compute node for a second compute node of a second host. The payload is larger than a maximum transmission unit size. The first packet is encapsulated with an outer header. The first host analyzes a length of at least a portion of the outer header in determining a size of an encrypted segment of the payload. Then, the first host forms a plurality of packets where each packet in the packets includes an encrypted segment of the payload, a respective encryption header, and a respective authentication value. The payload of the first packet is segmented to form a plurality of encrypted segments based on the size. The first host sends the packets to the second host and receives an indication that a packet was not received. A second packet including the encrypted segment is sent to the second compute node.

First claim

Claims 1 to 20 as published. Claim 1 is the first independent (method) claim; claims 8 and 15 are the parallel independent system and computer-readable-media claims.

What is claimed is:

1. A method comprising: receiving, at a first host, encapsulated packets segmented from a first jumbo packet, each of the encapsulated packets including a respective authentication value, an encrypted header, and an encrypted segment of a payload of the first jumbo packet; for each of the encapsulated packets: decapsulating the encapsulated packet, wherein the decapsulating comprises removing an outer header of the encapsulated packet; decrypting the decapsulated packet; and verifying the decrypted packet using the respective authentication value; based on the verifying, creating a second jumbo packet comprising the decrypted packets and information for one or more encapsulated packets from the first jumbo packet not received by the first host; and sending the second jumbo packet to a destination compute node.

2. The method of claim 1, wherein a hypervisor receives the encapsulated packets and a tunnel endpoint decapsulates the encapsulated packets.

3. The method of claim 1, wherein verifying the decrypted packet comprises: generating a signature for a decrypted packet; comparing the signature to the authentication value for the segment encrypted packet; and determining the decrypted packet is valid based on the authentication value matching the signature of the decrypted packet.

4. The method of claim 1, further comprising aggregating the decrypted packets with the inner header of the jumbo packet.

5. The method of claim 1, further comprising determining if any encapsulated packets from the first jumbo packet are missing; and based on determining that at least one of the encapsulated packet from the first jumbo packet is missing, sending selective acknowledgements for received encapsulated packet from the first jumbo packet.

6. The method of claim 5, further comprising receiving the at least one missing encapsulated packet; and based on receiving the at least one encapsulated, processing the second jumbo packet payload.

7. The method of claim 1, further comprising encapsulating, a hypervisor, a missing segment of the payload, and adding an encryption header to the missing segment.

8. A system comprising: a host computing device; and a processor programmed to: receive, at a first host, encapsulated packets segmented from a first jumbo packet, each of the encapsulated packets including a respective authentication value, an encrypted header, and an encrypted segment of a payload of the first jumbo packet; for each of the encapsulated packets: decapsulate the encapsulated packet, wherein the decapsulating comprises removing an outer header of the encapsulated packet; decrypt the decapsulated packet; and verify the decrypted packet using the respective authentication value; based on the verifying, create a second jumbo packet comprising the decrypted packets and information for one or more encapsulated packets from the first jumbo packet not received by the first host; and send the second jumbo packet to a destination compute node.

9. The system of claim 8, wherein the processor is a hardware processor.

10. The system of claim 8, wherein verifying the decrypted packet comprises: generating a signature for a decrypted packet; comparing the signature to the authentication value for the encrypted packet; and determining the decrypted packet is valid based on the authentication value matching the signature of the decrypted packet.

11. The system of claim 8, wherein the processor is further programmed to aggregate the decrypted packets with the inner header of the jumbo packet.

12. The system of claim 8, wherein the processor is further programmed to: determine if any encapsulated packets from the first jumbo packet are missing; and based on determining that at least one of the encapsulated packet from the first jumbo packet is missing, send selective acknowledgements for received encapsulated packet from the first jumbo packet.

13. The system of claim 8, wherein the processor is further programmed to: receive the at least one missing encapsulated packet; and based on receiving the at least one encapsulated, process the second jumbo packet payload.

14. The system of claim 8, wherein the processor is further programmed to encapsulate, a hypervisor, a missing segment of the payload, and adding an encryption header to the missing segment.

15. One or more non-transitory computer-readable media having computer executable instructions thereon, that when executed by one or more processors, cause the one or more processors to: receive, at a first host, encapsulated packets segmented from a first jumbo packet, each of the encapsulated packets including a respective authentication value, an encrypted header, and an encrypted segment of a payload of the first jumbo packet; for each of the encapsulated packets: decapsulate the encapsulated packet, wherein the decapsulating comprises removing an outer header of the encapsulated packet; decrypt the decapsulated packet; and verify the decrypted packet using the respective authentication value; based on the verifying, create a second jumbo packet comprising the decrypted packets and information for one or more encapsulated packets from the first jumbo packet not received by the first host; and send the second jumbo packet to a destination compute node.

16. The or more non-transitory computer-readable media of claim 15, wherein a hypervisor receives the encapsulated packets and a tunnel endpoint decapsulates the encapsulated packets.

17. The or more non-transitory computer-readable media of claim 15, wherein verifying the decrypted packet comprises: generating a signature for a decrypted packet; comparing the signature to the authentication value for the segment encrypted packet; and determining the decrypted packet is valid based on the authentication value matching the signature of the decrypted packet.

18. The or more non-transitory computer-readable media of claim 15, wherein the computer-executable instructions further cause the one or more processors to aggregate the decrypted packets with the inner header of the jumbo packet.

19. The or more non-transitory computer-readable media of claim 15, wherein the computer-executable instructions further cause the one or more processors to: determine if any encapsulated packets from the first jumbo packet are missing; and based on determining that at least one of the encapsulated packet from the first jumbo packet is missing, send selective acknowledgements for received encapsulated packet from the first jumbo packet.

20. The or more non-transitory computer-readable media of claim 15, wherein the computer-executable instructions further cause the one or more processors to: receive the at least one missing encapsulated packet; and based on receiving the at least one encapsulated, process the second jumbo packet payload.
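The mechanism the abstract and the claims describe, written out as an added example in Go; this is not code from the patent or from any Nicira or VMware product, and everything concrete in it is an assumption made for the example: the wire format (an opaque outer header, then a 20-byte encryption header of packet ID, segment index, segment count and nonce, then AES-GCM ciphertext and its 16-byte tag, so the "authentication value" is the GCM tag and the header is authenticated as associated data), and the names Tunnel, SegmentSize, NumSegments, Encapsulate, Receive and Reassemble. SegmentSize derives the cleartext bytes per segment from the MTU minus the outer-header, encryption-header and tag lengths, so each encapsulated packet fits the MTU; Receive strips the outer header and verifies before it decrypts and stores anything; Reassemble returns either the rebuilt jumbo payload or the list of segment indices still missing, which is the information sent back so the sender retransmits only those segments.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Assumed wire layout (example format, not the patent's): outer header | packetID(4) segIdx(2) segTotal(2) nonce(12) | ciphertext | 16-byte AES-GCM tag
const encHdrLen, tagLen = 20, 16

// SegmentSize: cleartext bytes per segment so that outer header, encryption header, ciphertext and tag fit the MTU (0: MTU too small).
func SegmentSize(mtu, outerHdrLen int) int {
	if n := mtu - outerHdrLen - encHdrLen - tagLen; n > 0 {
		return n
	}
	return 0
}

// Tunnel is one end of an encrypted tunnel; both hosts hold the same key, outer header and MTU.
type Tunnel struct {
	aead  cipher.AEAD
	outer []byte // outer (tunnel) header, treated as opaque bytes here
	segSz int
	total map[uint32]uint16            // receive side: expected segment count per packet ID
	segs  map[uint32]map[uint16][]byte // receive side: verified, decrypted segments per packet ID
}

func NewTunnel(key, outer []byte, mtu int) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	segSz := SegmentSize(mtu, len(outer))
	if err != nil || segSz == 0 {
		return nil, errors.New("bad key length, or MTU too small for headers and tag")
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Tunnel{aead, outer, segSz, map[uint32]uint16{}, map[uint32]map[uint16][]byte{}}, nil
}

func (t *Tunnel) NumSegments(payload []byte) int { return (len(payload) + t.segSz - 1) / t.segSz } // packets per payload

// Encapsulate builds segment idx of payload; the same call, for an index the receiver reported missing, is the retransmission.
func (t *Tunnel) Encapsulate(id uint32, idx uint16, payload []byte) []byte {
	n := t.NumSegments(payload)
	if n > 0xFFFF || int(idx) >= n {
		return nil
	}
	seg := payload[int(idx)*t.segSz:]
	if len(seg) > t.segSz {
		seg = seg[:t.segSz]
	}
	hdr := make([]byte, encHdrLen)
	binary.BigEndian.PutUint32(hdr[0:], id)
	binary.BigEndian.PutUint16(hdr[4:], idx)
	binary.BigEndian.PutUint16(hdr[6:], uint16(n))
	if _, err := rand.Read(hdr[8:]); err != nil { // fresh nonce on every call, retransmits included
		panic(err)
	}
	ct := t.aead.Seal(nil, hdr[8:], seg, hdr) // hdr is AAD: authenticated but sent in the clear
	return append(append(append([]byte{}, t.outer...), hdr...), ct...)
}

// Receive strips the outer header, verifies the tag and decrypts one segment; a truncated, forged or inconsistent packet stores nothing.
func (t *Tunnel) Receive(pkt []byte) error {
	if len(pkt) < len(t.outer)+encHdrLen+tagLen {
		return errors.New("packet too short")
	}
	hdr := pkt[len(t.outer) : len(t.outer)+encHdrLen]
	pt, err := t.aead.Open(nil, hdr[8:], pkt[len(t.outer)+encHdrLen:], hdr)
	if err != nil {
		return err // tag mismatch: ciphertext or header altered, or wrong key
	}
	id, idx, total := binary.BigEndian.Uint32(hdr), binary.BigEndian.Uint16(hdr[4:]), binary.BigEndian.Uint16(hdr[6:])
	if prev := t.total[id]; idx >= total || (prev != 0 && prev != total) {
		return errors.New("bad segment index or count")
	}
	if t.segs[id] == nil {
		t.total[id], t.segs[id] = total, map[uint16][]byte{}
	}
	t.segs[id][idx] = pt
	return nil
}

// Reassemble returns the jumbo payload once every segment of id has arrived; until then payload is nil and
// missing lists the indices still owed, the selective-acknowledgement information sent back so only those are resent.
func (t *Tunnel) Reassemble(id uint32) (payload []byte, missing []uint16) {
	for i := uint16(0); i < t.total[id]; i++ {
		if seg, ok := t.segs[id][i]; ok {
			payload = append(payload, seg...)
		} else {
			missing = append(missing, i)
		}
	}
	if missing != nil {
		return nil, missing
	}
	return payload, nil
}
```

Usage: create one Tunnel per host with the same key, outer header and MTU. The sending host calls Encapsulate for every index below NumSegments(payload) and transmits each packet; the receiving host calls Receive on each arriving packet and then Reassemble. If Reassemble returns a missing list, that list goes back to the sender, which calls Encapsulate again for just those indices. Because the encryption header is associated data, a flipped segment index or count fails authentication rather than misplacing a segment, and a retransmitted segment is sealed under a fresh nonce. The per-packet random nonce keeps the example short; a production implementation would use a counter-based nonce to rule out collisions over a long-lived key, and would bound the per-ID reassembly state so an attacker cannot exhaust memory with never-completed packets.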

Assignees

Nicira Inc

Inventors

Classifications

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up · CPC title

  • by determining packet size, e.g. maximum transfer unit [MTU] · CPC title

  • Firewall traversal, e.g. tunnelling or, creating pinholes · CPC title

  • Parsing or analysis of headers · CPC title

  • in the data link layer [OSI layer 2], e.g. HDLC · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11729155B2 cover?
A first host receives a packet from a first compute node for a second compute node of a second host. The payload is larger than a maximum transmission unit size. The first packet is encapsulated with an outer header. The first host analyzes a length of at least a portion of the outer header in determining a size of an encrypted segment of the payload. Then, the first host forms a plurality of p…
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0485. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 15, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).