US9258277B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9258277-B1 |
| Application number | US-201213534095-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jun 27, 2012 |
| Priority date | Jun 27, 2012 |
| Publication date | Feb 9, 2016 |
| Grant date | Feb 9, 2016 |
Official abstract text for this publication.
In general, techniques are described for performing decentralized packet dispatch. A network device comprising one or more service processing units (SPUs) and an interface may implement the techniques. The interface receives a packet associated with a session and selects a first one of SPUs to dispatch the packet based on first information extracted from the packet. The first one of the SPUs dispatches the packet to a second one of the SPUs based on second information extracted from the packet. The second one of the SPUs performs first pass processing to configure the network security device to perform fast path processing of the packet such that second one of the SPUs applies one or more services to the packet and subsequent packets associated with the same session without application of services to the packets by the first one of the service processing units.
Opening claim text (preview).
The invention claimed is:

1. A network security device comprising: two or more service processing units that each applies one or more services to packets received by the network security device; and at least one interface card that receives a packet associated with a session and selects any of the two or more service processing units as a first one of the two or more service processing units to dispatch the packet based on first information extracted from the packet, wherein the first one of the two or more service processing units receives the packet from the at least one interface card and dispatches the packet to a second one of the two or more service processing units based on second information extracted from the packet, and wherein the second one of the two or more service processing units performs first pass processing to configure the network security device to perform fast path processing of the packet such that the second one of the two or more service processing units applies one or more services to the packet and subsequent packets associated with the same session without application of services to the packet and subsequent packets by the first one of the two or more service processing units.

2. The network security device of claim 1, wherein the packet comprises a first packet, and wherein the at least one interface card receives a second packet associated with a different session and selects the second one of the two or more service processing units to dispatch the second packet based on first information extracted from the second packet, wherein the second one of the two or more service processing units receives the second packet from the at least one interface card and dispatches the second packet to the first one of the two or more service processing units based on second information extracted from the second packet, and wherein the first one of the two or more service processing units performs first pass processing to configure the network security device to perform fast path processing of the second packet such that the first one of the two or more service processing units applies one or more services to the second packet and subsequent packets associated with the different session.

3. The network security device of claim 1, wherein the second one of the two or more service processing units applies a network address translation (NAT) service as one of the one or more services applied to the packet, wherein the NAT service replaces a source address of the packet with an address identifying the network security device and a source port of the packet with a port that the network security device associates with an end-user device identified by the source address of the packet, and wherein the second one of the two or more service processing units performs the first pass processing to configure a third one of the two or more service processing units to forward packets having a destination address identifying the network security device and the destination port that the network security device associated with the end-user device to the second one of the two or more service processing units.

4. The network security device of claim 3, wherein the third one of the two or more service processing units comprises the first one of the two or more service processing units.

5. The network security device of claim 1, wherein the second one of the two or more service processing units comprises the first one of the two or more service processing units.

6. The network security device of claim 1, wherein the at least one interface card is configured to perform a hash on the first information extracted from the packet to select the first one of two or more service processing units.

7. The network security device of claim 1, wherein the first one of the two or more service processing units is configured to perform a hash on the second information extracted from the packet to dispatch the packet to the second one of the two or more service processing units.

8. The network security device of claim 1, wherein the first information extracted from the packet comprises a destination address, and wherein the second information extracted from the packet comprises a source address, a source port, a destination address, a destination port and a protocol.

9. The network security device of claim 1, wherein the at least one interface card comprises a network processor, wherein the network processor comprises a flow table that is writable by any one of the two or more service processing units, wherein the second one of the two or more service processing units performs the first pass processing to configure the flow table of the network processor to direct the subsequent packets associated with the same session directly to the second one of the two or more service processing units without having the network processor first direct the subsequent packets to the first one of the two or more service processing units.

10. The network security device of claim 1, wherein the second one of the two or more service processing units fails; wherein, when the second one of the two or more service processing units fails, the at least one interface card receives a subsequent packet associated with the same session and selects the first one of two or more service processing units to dispatch the subsequent packet based on first information extracted from the subsequent packet, wherein the first one of the two or more service processing units re-dispatches the subsequent packet associated with the same session to a third one of the two or more service processing units; and wherein the third one of the two or more service processing units performs first pass processing to configure the network security device to perform fast path processing of the packet such that third one of the two or more services processing units applies the one or more services to the subsequent packet and additional packets associated with the same session.

11. A method comprising: receiving a packet with an interface card of a network security device; selecting, with the interface card, any one of two or more service processing units of the network security device as a first one of the two or more service processing units to dispatch the packet based on first information extracted from the packet, wherein each of the two or more service processing units applies one or more services to packets received by the network security device; dispatching, with the first one of the two or more service processing units, the packet to a second one of the two or more service processing units based on second information extracted from the packet; and performing first pass processing with the second one of the two or more service processing units to configure the network security device to perform fast path processing of the packet such that the second one of the two or more service processing units applies one or more services to the packet and subsequent packets associated with the same session without application of services to the packet and subsequent packets by the first one of the two or more service processing units.

12. The method of claim 11, further comprising: after performing first pass processing with the second one of the two or more service processing units: receiving, with the interface card, the subsequent packets associated with the same session; and forwarding the subsequent packets of the same session directly to the second one of the two or more service processing units for application of services without forwarding the subsequent packets to the first one of the two or more service processing uni
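
The two-stage dispatch of claims 1 and 6 to 10, modeled as an added example that is not code from the patent or its assignee. The `Device` and `Packet` names, the SHA-256 bucket function, the rehash over surviving SPUs on failure, and the sample addresses are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:                      # hypothetical stand-in for a parsed header
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def _bucket(key: str, n: int) -> int:
    # Stable hash; the claims only say "a hash", SHA-256 is an assumption.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % n

@dataclass
class Device:
    n_spus: int
    flow_table: dict = field(default_factory=dict)  # network processor: session -> SPU
    failed: set = field(default_factory=set)

    def first_spu(self, p: Packet) -> int:
        # Interface card: hash on the first information (destination address).
        return _bucket(p.dst, self.n_spus)

    def second_spu(self, p: Packet) -> int:
        # First SPU: hash on the second information (5-tuple), live SPUs only.
        live = [s for s in range(self.n_spus) if s not in self.failed]
        key = f"{p.src}|{p.sport}|{p.dst}|{p.dport}|{p.proto}"
        return live[_bucket(key, len(live))]

    def receive(self, p: Packet) -> list:
        """Return the SPUs a packet visits; the last one applies the services."""
        owner = self.flow_table.get(p)
        if owner is not None and owner not in self.failed:
            return [owner]                    # fast path, first SPU bypassed
        first = self.first_spu(p)             # miss or dead owner: dispatch again
        owner = self.second_spu(p)
        self.flow_table[p] = owner            # first pass installs the flow entry
        return [first] if first == owner else [first, owner]

def demo():
    dev = Device(n_spus=4)
    p = Packet("10.0.0.5", 40000, "203.0.113.9", 443, "tcp")  # constructed sample
    first_pass = dev.receive(p)
    fast = dev.receive(p)
    dev.failed.add(fast[0])                   # session owner fails (claim 10)
    return first_pass, fast, dev.receive(p)
```

Only failure of the session-owning SPU is modeled; the interface card's behaviour when the first SPU itself is down is not covered by the claims shown here and is left out.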
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
involving identification of individual flows · CPC title
Maintenance or indexing of mapping tables · CPC title
Hiding addresses; Keeping addresses anonymous · CPC title
using port numbers · CPC title