Distributed virtual network gateways

US 8,374,183 B2
Filed: 06/22/2010
Issued: 02/12/2013
Est. Priority Date: 06/22/2010
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable storage media excluding signals per se having computer-executable instructions embodied thereon that, when executed, perform a method for managing distribution of data packets between endpoints, the method comprising:

detecting one or more data packets at a first endpoint, wherein each of the one or more data packets include a header comprising a source address and a destination address;

sending to a directory service a request that carries the source address and the destination address;

receiving from the directory service a response that carries a forwarding path;

performing a routing decision comprising readdressing the one or more data packets based on the received forwarding path, wherein readdressing the one or more data packets based on, in part, the forwarding path comprises encapsulating the one or more data packets as inner data packets within respective outer data packets, wherein the outer data packets each include a header that exposes location-dependent addresses of a physical network; and

transmitting the one or more readdressed data packets to a second endpoint based on, in part, the location-dependent address.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized methods, systems, and computer-readable media are provided for distributing virtualized gateway functionality to multiple nodes within a physical network. Initially, drivers that carry out the gateway functionality are provisioned to cooperate with endpoints instantiated on the network nodes, while a directory service is implemented to maintain a mapping between virtual internet protocol (IP) addresses and location-dependent addresses, as well as a table enumerating transformation actions according to known pathways connecting the endpoints within a network. In operation, the directory service replies to requests from the driver (carrying source and destination IP addresses of data packets) with the appropriate location-dependent addresses (utilizing the mapping) and the appropriate transformation action(s) (utilizing the table). The transformation action(s) include rewriting headers of the data packets to include the location-dependent addresses, encapsulating the data packets as inner data packets within respective outer data packets, or configuring the data packets with a tunneling protocol.

Citations

19 Claims

1. One or more computer-readable storage media excluding signals per se having computer-executable instructions embodied thereon that, when executed, perform a method for managing distribution of data packets between endpoints, the method comprising:
- detecting one or more data packets at a first endpoint, wherein each of the one or more data packets include a header comprising a source address and a destination address;
  
  sending to a directory service a request that carries the source address and the destination address;
  
  receiving from the directory service a response that carries a forwarding path;
  
  performing a routing decision comprising readdressing the one or more data packets based on the received forwarding path, wherein readdressing the one or more data packets based on, in part, the forwarding path comprises encapsulating the one or more data packets as inner data packets within respective outer data packets, wherein the outer data packets each include a header that exposes location-dependent addresses of a physical network; and
  
  transmitting the one or more readdressed data packets to a second endpoint based on, in part, the location-dependent address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The one or more computer-readable storage media of claim 1, wherein the method further comprises receiving from the directory service the response that carries a transformation action.
  - 3. The one or more computer-readable storage media of claim 2, wherein performing a routing decision further comprises transforming the one or more data packets based on the received transformation action.
  - 4. The one or more computer-readable storage media of claim 3, wherein transforming the one or more data packets occurs upon accessing a service model and determining that the service model instructs providing a layer of protection to secure connectivity between the first endpoint and the second endpoint.
  - 5. The one or more computer-readable storage media of claim 1, wherein the first endpoint represents an endpoint that originated the one or more data packets, and wherein the second endpoint represents an endpoint that is targeted by a header of the one or more readdressed data packets.
  - 6. The one or more computer-readable storage media of claim 1, wherein the first endpoint represents a network adapter running on a physical machine or a virtual machine (VM) that originated the one or more data packets.
  - 7. The one or more computer-readable storage media of claim 6, wherein the second endpoint represents a network adapter running on a physical machine or a VM that is targeted by a header of the one or more readdressed data packets.
  - 8. The one or more computer-readable storage media of claim 1, wherein the source address and the destination address represent respective, network-assigned, virtual internet protocol (IP) addresses of a virtual space.
  - 9. The one or more computer-readable storage media of claim 1, wherein readdressing the one or more data packets based on the forwarding path comprises:
    - removing the source address and the destination address within the header of the one or more data packets; and
      
      replacing the source address and destination address with respective location-dependent addresses of a physical network.
  - 10. The one or more computer-readable storage media of claim 9, wherein replacing the source address and destination address occurs upon identifying that the first endpoint and the second endpoint reside within a common data center and upon identifying that the source address and the destination address belong to a common virtual space.
  - 11. The one or more computer-readable storage media of claim 1, wherein encapsulating the one or more data packets occurs upon determining that the second endpoint is unable to translate the headers of the one or more data packets if the source address and the destination address are removed.
  - 12. The one or more computer-readable storage media of claim 1, wherein a driver is employed to perform the routing decision, and wherein the driver is installed on a node, within a data center, that hosts the first endpoint.
  - 13. The one or more computer-readable storage media of claim 12, wherein the driver performs a routing decision each time the first endpoint establishes a connection for transmitting data packets.
  - 14. The one or more computer-readable storage media of claim 13, wherein the driver includes a routing component that is configured to accept the one or more data packets and read the source address and the destination address from the header of the one or more data packets.
  - 15. The one or more computer-readable storage media of claim 14, wherein the driver is configured to communicate the source address and the network address to the directory service upon the first endpoint establishing a connection with the second endpoint.

16. A computer system for supporting and isolating communications between endpoints, the computer system comprising:
- a directory service that maintains a mapping between virtual internet protocol (IP) addresses and location-dependent addresses of a physical network;
  
  a first endpoint that generates one or more data packets structured with headers that include a source IP address and a destination IP address, wherein the source IP address points to the first endpoint, and wherein the destination IP address points to a second endpoint; and
  
  a driver that performs a routing decision per each connection made by the first endpoint, wherein performing the routing decision comprises;
  
  (a) communicating with the directory service to determine a forwarding path and a transformation action as a function of the source IP address and the destination IP address;
  
  (b) upon determining that the first endpoint and the second endpoint reside within a common data center, rewriting the source IP address and the destination IP address with respective location-dependent addresses of the forwarding path;
  
  (c) upon determining that the second endpoint is unable to translate the headers of the one or more data packets if the source IP address and the destination IP address are removed, encapsulating the one or more data packets as inner data packets within respective outer data packets, wherein the outer data packets each include a header that exposes the location-dependent addresses of the forwarding path; and
  
  (d) upon determining that the transformation action dictates a layer of protection to secure connectivity between the first endpoint and the second endpoint be provided, transforming the one or more data packets based on the received transformation action.
- View Dependent Claims (17, 18)
- - 17. The computer system of claim 16, wherein the source IP address and the destination IP address are assigned according to exposed functionality of the first endpoint and the second endpoint, respectively, wherein the location-dependent addresses are assigned according to locations of the first endpoint and the second endpoint, respectively, within the physical network.
  - 18. The computer system of claim 16, wherein the directory service maintains a table that imparts the appropriate transformation action to the driver based on a record of pre-established tunnels or network pathways that link the first endpoint and the second endpoint.

19. A computerized method for identifying a network pathway and transformation action in response to a request from a distributed, virtual network gateway, the method comprising:
- providing a directory service that maintains a mapping between virtual internet protocol (IP) addresses and location-dependent addresses, and maintains a table that recognizes an appropriate transformation action, wherein the table is designed according to communication policies that govern data-packet traffic across pathways that connect endpoints within a network;
  
  receiving a request from a virtual network gateway in communication with a recipient endpoint, wherein the request includes indicia of a source IP address and a destination IP address carried via a header of one or more data packets accepted by the recipient endpoint;
  
  inspecting the mapping with the source IP address and the destination IP address to identify corresponding location-dependent addresses constituting a forwarding path of the one or more data packets through a physical network;
  
  inspecting the table with the forwarding path to identify a corresponding transformation action, wherein the transformation action comprises at least one of the following;
  
  (a) rewriting the header of the one or more data packets to include the location-dependent addresses;
  
  (b) encapsulating the one or more data packets as inner data packets within respective outer data packets, wherein the outer data packets each include a header that carries the location-dependent addresses;
  
  or(c) configuring the one or more data packets with a tunneling protocol; and
  
  returning a response that delivers to the virtual network gateway indicia of the identified forwarding path and the identified transformation action, wherein the virtual network gateway communicates the response to the recipient endpoint, and wherein the recipient endpoint implements the identified forwarding path and the identified transformation action when transmitting the one or more data packets therefrom.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Alkhatib, Hasan, Outhred, Geoff
Primary Examiner(s)
Ton, Dang
Assistant Examiner(s)
AMBAYE, MEWALE A

Application Number

US12/820,896
Publication Number

US 20110310899A1
Time in Patent Office

966 Days
Field of Search

709/238, 709/242, 370/392
US Class Current

370/392
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/66   Arrangements for connecting...

H04L 45/02   Topology update or discovery

H04L 45/74   Address processing for routing

H04L 45/745   Address table lookup; Addre...

H04L 49/70   Virtual switches

H04L 61/2503   Translation of Internet pro...

H04L 61/45   Network directories; Name-t...

H04L 61/5007   Internet protocol [IP] addr...

Distributed virtual network gateways

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed virtual network gateways

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links