Packet routing using a software-defined networking (SDN) switch
US-2017195255-A1 · Jul 6, 2017 · US
US11949659B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11949659-B2 |
| Application number | US-202117374468-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 13, 2021 |
| Priority date | Jul 27, 2016 |
| Publication date | Apr 2, 2024 |
| Grant date | Apr 2, 2024 |
Official abstract text for this publication.
A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.
Opening claim text (preview).
What is claimed is:

1. A method comprising: obtaining a first packet of an Internet Protocol packet flow at a security device; providing the first packet to a firewall of the security device; obtaining, at a classifier of the security device, an indication from the firewall that the Internet Protocol packet flow is to be split between a processing entity of the security device and the firewall of the security device such that non-control packets of the Internet Protocol packet flow are to be provided to the processing entity and control packets configured to indicate a change in a flow state of the Internet Protocol packet flow are to be provided to the firewall; storing data at the security device that indicates that the non-control packets of the Internet Protocol packet flow are to be provided to the processing entity; obtaining one or more non-control packets of the Internet Protocol packet flow at the classifier; determining, by comparing at the classifier data contained in the one or more non-control packets of the Internet Protocol packet flow to the data stored at the security device, that the one or more non-control packets of the Internet Protocol packet flow are to be provided to the processing entity; providing the one or more non-control packets of the Internet Protocol packet flow to the processing entity in response to the determining; obtaining a control packet of the Internet Protocol packet flow at the classifier; identifying a control flag in the control packet that indicates a potential change in the flow state of the Internet Protocol packet flow; providing the control packet of the Internet Protocol packet flow to the firewall in response to identifying the control flag in the control packet; obtaining at the classifier an indication from the firewall that non-control packets of the Internet Protocol packet flow should no longer be provided to the processing entity; obtaining a non-control packet of the Internet Protocol packet flow at the classifier; and providing the non-control packet of the Internet Protocol packet flow to the firewall.

2. The method of claim 1, wherein providing the control packet of the Internet Protocol packet flow to the firewall comprises providing the control packet of the Internet Protocol packet flow to the firewall to maintain the flow state of the Internet Protocol packet flow at the firewall.

3. The method of claim 1, further comprising storing data maintaining the flow state of the Internet Protocol packet flow.

4. The method of claim 3, further comprising providing, to the firewall from the classifier, data updating the flow state of the Internet Protocol packet flow.

5. The method of claim 1, wherein the indication from the firewall that the non-control packets of the Internet Protocol packet flow should no longer be provided to the processing entity is obtained at the classifier in response to predetermined criteria evaluated by the firewall, wherein the predetermined criteria comprise one or more of a reputation change of a source device of the Internet Protocol packet flow, a posture change of the source device of the Internet Protocol packet flow, and/or timing of receipt of the Internet Protocol packet flow.

6. The method of claim 1, wherein: the firewall applies services to the first packet via software instructions stored at the firewall; and the processing entity applies services to the one or more non-control packets via hardware of the security device.

7. The method of claim 6, wherein the hardware of the security device executes packet rewrite instructions.

8. The method of claim 1, further comprising: obtaining a non-control packet of the Internet Protocol packet flow at the classifier; determining at the classifier that an amount of data contained in the non-control packet exceeds a predetermined threshold; and providing the non-control packet to the firewall in response to determining that the amount of data contained in the non-control packet exceeds the predetermined threshold.

9. An apparatus comprising: one or more memories; one or more network interfaces configured to enable network communications; and one or more processors, wherein the one or more processors are configured to perform operations on behalf of a security device, the operations comprising: obtaining, via the one or more network interfaces, a first packet of an Internet Protocol packet flow at the security device; providing the first packet to a firewall of the security device; obtaining at a classifier of the security device an indication from the firewall that the Internet Protocol packet flow is to be split between a processing entity of the security device and the firewall of the security device such that non-control packets of the Internet Protocol packet flow are to be provided to the processing entity and control packets configured to indicate a potential change in a flow state of the Internet Protocol packet flow are to be provided to the firewall; storing, in the one or more memories, data that indicates that the non-control packets of the Internet Protocol packet flow are to be provided to the processing entity; obtaining, via the one or more network interfaces, one or more non-control packets of the Internet Protocol packet flow at the security device; determining, by comparing at the classifier data contained in the one or more non-control packets of the Internet Protocol packet flow to the data stored in the one or more memories, that the one or more non-control packets of the Internet Protocol packet flow are to be provided to the processing entity; providing the one or more non-control packets of the Internet Protocol packet flow to the processing entity in response to the determining; obtaining, via the one or more network interfaces, a control packet of the Internet Protocol packet flow at the security device; identifying a control flag in the control packet that indicates a potential change in the flow state of the Internet Protocol packet flow; providing the control packet of the Internet Protocol packet flow to the firewall in response to identifying the control flag in the control packet; obtaining at the classifier an indication from the firewall that non-control packets of the Internet Protocol packet flow should no longer be provided to the processing entity; obtaining a non-control packet of the Internet Protocol packet flow at the classifier; and providing the non-control packet of the Internet Protocol packet flow to the firewall.

10. The apparatus of claim 9, wherein the one or more processors are further configured to provide the control packet of the Internet Protocol packet flow to the firewall by providing the control packet of the Internet Protocol packet flow to the firewall to maintain the flow state of the Internet Protocol packet flow at the firewall.

11. The apparatus of claim 9, wherein the one or more processors are further configured to provide data to the firewall updating the flow state of the Internet Protocol packet flow.

12. The apparatus of claim 9, wherein the indication from the firewall that the non-control packets of the Internet Protocol packet flow should no longer be provided to the processing entity is obtained at the classifier in response to predetermined criteria evaluated by the firewall, wherein the predetermined criteria comprise one or more of a reputation change of a source device of the Internet Protocol packet flow, a posture change of the source device of the Internet Protocol packet flow, and/or timing of receipt of the Internet Protocol packet flow.

13. The apparatus of claim 9, wherein the one or mor
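The classifier-side logic that the abstract and claims 1, 5 and 8 describe, as an added Python sketch that is not the patent's own implementation: the firewall sees the first packet and every packet carrying a control flag, non-control packets of an offloaded flow go to the processing entity until the firewall withdraws the offload, and oversized non-control packets fall back to the firewall. The TCP 5-tuple as the stored flow key, the SYN/FIN/RST set as "control flags", the 1400-byte threshold and the sample addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass

FIREWALL, PROCESSING_ENTITY = "firewall", "processing_entity"
CONTROL_FLAGS = frozenset({"SYN", "FIN", "RST"})  # assumed flags that can change flow state
PAYLOAD_THRESHOLD = 1400  # constructed byte limit for the oversized-packet check (claim 8)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()
    payload_len: int = 0
    def flow_key(self):
        # The data the classifier stores per flow is the 5-tuple (TCP assumed here)
        return ("tcp", self.src, self.sport, self.dst, self.dport)

class Classifier:
    """Per packet, decides whether the firewall or the processing entity gets it."""
    def __init__(self):
        self.offloaded = set()  # flow keys the firewall asked the classifier to split

    def offload(self, key):  # indication from the firewall: split this flow
        self.offloaded.add(key)

    def revoke(self, key):  # indication from the firewall: stop splitting this flow
        self.offloaded.discard(key)

    def classify(self, pkt):
        if pkt.flags & CONTROL_FLAGS:  # control flag: the firewall must update flow state
            return FIREWALL
        if pkt.flow_key() not in self.offloaded:  # first packet or unknown flow
            return FIREWALL
        if pkt.payload_len > PAYLOAD_THRESHOLD:  # oversized non-control packet
            return FIREWALL
        return PROCESSING_ENTITY

def simulate():
    """Run a constructed TCP session through the classifier; returns each decision."""
    cls = Classifier()
    mk = lambda flags=(), n=0: Packet("10.0.0.5", 40000, "192.0.2.10", 443, frozenset(flags), n)
    out = [cls.classify(mk({"SYN"}))]  # first packet: firewall inspects and applies policy
    cls.offload(mk().flow_key())  # firewall indicates the flow may be split
    out.append(cls.classify(mk(n=100)))  # non-control data goes to the processing entity
    out.append(cls.classify(mk(n=2000)))  # over the threshold: back to the firewall
    out.append(cls.classify(mk({"ACK"}, 100)))  # ACK alone is not treated as a control flag
    cls.revoke(mk().flow_key())  # firewall withdraws the offload, e.g. reputation change
    out.append(cls.classify(mk(n=100)))  # offload withdrawn: firewall sees data again
    out.append(cls.classify(mk({"FIN"})))  # teardown control packet: firewall tracks it
    return out
```

Because the firewall keeps every control packet, its connection-state table stays accurate even while the bulk of the data bypasses it, which is the property a reviewer of such an offload design should check first.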
CPC classification titles:

- Filtering by information in the payload
- using directory or table look-up (use of a directory or look-up table in file systems G06F16/13)
- relying on flow classification, e.g. using integrated services [IntServ]
- Traffic logging, e.g. anomaly detection
- Filtering by address, protocol, port number or service, e.g. IP-address or URL