Architecture of networks with middleboxes

US 10,191,763 B2
Filed: 06/09/2017
Issued: 01/29/2019
Est. Priority Date: 11/15/2011
Status: Active Grant

First Claim

Patent Images

1. A system for implementing a logical network to communicatively connect a plurality of end machines, the logical network comprising (i) a set of logical forwarding elements collectively implemented by a set of managed forwarding elements and (ii) at least two logical middleboxes, the system comprising:

a plurality of host computers on each of which (i) a managed forwarding element executes to implement the set of logical forwarding elements and (ii) a middlebox element executes to implement a first logical middlebox of the logical network, wherein the middlebox elements collectively implement the first logical middlebox and each store state information for the first logical middlebox but do not communicate the state information with the other middlebox elements; and

a set of separate physical middleboxes for implementing a second logical middlebox of the logical network, wherein the second logical middlebox performs an operation that requires state information relating to packets between several different sets of end machines connected by the logical network and the set of separate physical middleboxes share the state information for the second logical middlebox with each other;

wherein the middlebox elements and the set of separate physical middleboxes perform middlebox services on packets between the end machines of the logical network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

277 Citations

18 Claims

1. A system for implementing a logical network to communicatively connect a plurality of end machines, the logical network comprising (i) a set of logical forwarding elements collectively implemented by a set of managed forwarding elements and (ii) at least two logical middleboxes, the system comprising:
- a plurality of host computers on each of which (i) a managed forwarding element executes to implement the set of logical forwarding elements and (ii) a middlebox element executes to implement a first logical middlebox of the logical network, wherein the middlebox elements collectively implement the first logical middlebox and each store state information for the first logical middlebox but do not communicate the state information with the other middlebox elements; and
  
  a set of separate physical middleboxes for implementing a second logical middlebox of the logical network, wherein the second logical middlebox performs an operation that requires state information relating to packets between several different sets of end machines connected by the logical network and the set of separate physical middleboxes share the state information for the second logical middlebox with each other;
  
  wherein the middlebox elements and the set of separate physical middleboxes perform middlebox services on packets between the end machines of the logical network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein each particular middlebox element stores state information regarding transport connections the packets of which are processed by the particular middlebox element.
  - 3. The system of claim 2, wherein the processing for a particular transport connection does not require any state information regarding other transport connections.
  - 4. The system of claim 1, wherein the set of separate physical middleboxes comprises a cluster of middleboxes that operate as a resource pool.
  - 5. The system of claim 4 further comprising a dedicated network connection between the cluster of middleboxes for sharing the state information between the physical middleboxes in the cluster.
  - 6. The system of claim 1, wherein the first logical middlebox comprises one of a firewall, a load balancer, and a source network address translator.
  - 7. The system of claim 1, wherein the second logical middlebox comprises an intrusion detection system that performs operations requiring state information for each packet processed.
  - 8. The system of claim 1, wherein the second logical middlebox comprises a wide area network optimizer.

9. A method for implementing a logical network to communicatively connect a plurality of end machines, the method comprising:
- receiving a logical network configuration, the logical network comprising (i) a set of logical forwarding elements collectively implemented by a set of managed forwarding elements, (ii) a first logical middlebox, and (iii) a second logical middlebox;
  
  distributing configuration data to configure middlebox elements, executing on a plurality of host computers, to collectively implement the first logical middlebox, wherein each of the middlebox elements stores state information for the first logical middlebox but does not communicate the state information with the other middlebox elements; and
  
  distributing configuration data to configure a set of separate physical middleboxes to implement a second logical middlebox comprising operations that require state information relating to packets between several different sets of end machines connected by the logical network, wherein the set of separate physical middleboxes share state information for the second logical middlebox with each other,wherein the configured middlebox elements and the set of separate physical middleboxes perform middlebox services on packets between the end machines of the logical network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, wherein each particular middlebox element stores state information regarding transport connections the packets of which are processed by the particular middlebox element.
  - 11. The method of claim 10, wherein the processing by the first logical middlebox for a particular transport connection does not require state information regarding other transport connections.
  - 12. The method of claim 9, wherein the set of separate physical middleboxes comprises a cluster of middleboxes that operate as a resource pool to implement the second logical middlebox.
  - 13. The method of claim 12, wherein a dedicated network connection exists between the physical middleboxes of the cluster for sharing the state information regarding the second logical middlebox.
  - 14. The method of claim 9, wherein the first logical middlebox comprises one of a firewall, a load balancer, and a network address translator.
  - 15. The method of claim 9, wherein the second logical middlebox comprises an intrusion detection system that performs operations requiring state information for each packet processed.
  - 16. The method of claim 9, wherein the second logical middlebox comprises a wide area network optimizer.
  - 17. The method of claim 9, wherein the logical network is a first logical network, wherein the set of separate physical middleboxes also implements a third logical middlebox that belongs to a second logical network.
  - 18. The method of claim 9, wherein the logical network is a first logical network, wherein a subset of the middlebox elements also collectively implement a third logical middlebox that belongs to a second logical network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Koponen, Teemu, Zhang, Ronghua, Thakkar, Pankaj, Casado, Martin
Primary Examiner(s)
Wang, Liang Che A

Application Number

US15/618,951
Publication Number

US 20170277557A1
Time in Patent Office

599 Days
Field of Search

709220, 709221, 709222, 709223, 709238
US Class Current
CPC Class Codes

G06F 15/177   Initialisation or configura...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45595   Network integration; Enabli...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/08   Configuration management of...

H04L 41/0803   Configuration setting

H04L 41/0806   for initial configuration o...

H04L 41/0813   characterised by the condit...

H04L 41/0823   characterised by the purpos...

H04L 41/0889   Techniques to speed-up the ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/12   Discovery or management of ...

H04L 45/02   Topology update or discovery

H04L 45/64   using an overlay routing layer

H04L 45/74   Address processing for routing

H04L 49/15   Interconnection of switchin...

H04L 49/70 : Virtual switches

H04L 61/2503 : Translation of Internet pro...

H04L 61/2517 : using port numbers

H04L 61/2521 : Translation architectures o...

H04L 61/256 : NAT traversal

H04L 63/0218 : Distributed architectures, ...

H04L 67/1008 : based on parameters of serv...

View All

Architecture of networks with middleboxes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

277 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Architecture of networks with middleboxes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

277 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links