Resilient TCP splicing for proxy services

US 9,319,476 B2
Filed: 05/28/2013
Issued: 04/19/2016
Est. Priority Date: 05/28/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an ingress of a transparent proxy device and from a first end device, a first request that includes a first initial sequence number and options, to establish a layer four connection with a second end device, wherein the ingress operates at a layer lower than an application layer of the transparent proxy device;

learning, by the ingress of the transparent proxy device, the first initial sequence number of the first request;

transmitting, by the ingress of the transparent proxy device, the first request, to an egress of the transparent proxy device, wherein the first request bypasses an application proxy of the transparent proxy device and wherein the application proxy operates at the application layer of the transparent proxy device;

receiving, by an egress of the transparent proxy device and from the ingress, the first request, wherein the egress operates at the layer lower than the application layer of the transparent proxy device;

learning, by the egress of the transparent proxy device, the first initial sequence number of the first request;

receiving, by the egress of the transparent proxy device and from the second end device, a first acknowledgement for the first request and options, wherein the first acknowledgement includes a second initial sequence number;

learning, by the egress of the transparent proxy device, the second initial sequence number;

transmitting, by the egress of the transparent proxy device, the first acknowledgement, to the ingress of the transparent proxy device, wherein the first acknowledgement bypasses the application proxy of the transparent proxy device;

learning, by the ingress of the transparent proxy device, the second initial sequence number;

transmitting, by the ingress to the application proxy of the transparent proxy device, a second request, which includes the first initial sequence number and options negotiated between the first end device and the second end device, to establish a layer four connection between the ingress and the application proxy, in response to receiving the first acknowledgement;

establishing a layer four connection between the ingress and the first end device based on a second acknowledgement from the first end device;

establishing the layer four connection, between the ingress and the application proxy, in response to receiving the second acknowledgement;

establishing a layer four connection between the application proxy and the egress; and

establishing the layer four connection between the egress and the second end device based on the second acknowledgement.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A transparent proxy device includes an ingress, an egress, and an application proxy. The ingress and the egress operate up to a layer four communication layer. The transparent proxy device is configured to establish spliced connections in relation to end devices. The spliced connections include layer four connections between the ingress and the application proxy and the application proxy and the egress. The transparent proxy device is configured to maintain an end-to-end connection in relation to the end devices even when the application proxy fails.

Citations

20 Claims

1. A method comprising:
- receiving, by an ingress of a transparent proxy device and from a first end device, a first request that includes a first initial sequence number and options, to establish a layer four connection with a second end device, wherein the ingress operates at a layer lower than an application layer of the transparent proxy device;
  
  learning, by the ingress of the transparent proxy device, the first initial sequence number of the first request;
  
  transmitting, by the ingress of the transparent proxy device, the first request, to an egress of the transparent proxy device, wherein the first request bypasses an application proxy of the transparent proxy device and wherein the application proxy operates at the application layer of the transparent proxy device;
  
  receiving, by an egress of the transparent proxy device and from the ingress, the first request, wherein the egress operates at the layer lower than the application layer of the transparent proxy device;
  
  learning, by the egress of the transparent proxy device, the first initial sequence number of the first request;
  
  receiving, by the egress of the transparent proxy device and from the second end device, a first acknowledgement for the first request and options, wherein the first acknowledgement includes a second initial sequence number;
  
  learning, by the egress of the transparent proxy device, the second initial sequence number;
  
  transmitting, by the egress of the transparent proxy device, the first acknowledgement, to the ingress of the transparent proxy device, wherein the first acknowledgement bypasses the application proxy of the transparent proxy device;
  
  learning, by the ingress of the transparent proxy device, the second initial sequence number;
  
  transmitting, by the ingress to the application proxy of the transparent proxy device, a second request, which includes the first initial sequence number and options negotiated between the first end device and the second end device, to establish a layer four connection between the ingress and the application proxy, in response to receiving the first acknowledgement;
  
  establishing a layer four connection between the ingress and the first end device based on a second acknowledgement from the first end device;
  
  establishing the layer four connection, between the ingress and the application proxy, in response to receiving the second acknowledgement;
  
  establishing a layer four connection between the application proxy and the egress; and
  
  establishing the layer four connection between the egress and the second end device based on the second acknowledgement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the layer four connection between the ingress and the first end device is a Transport Control Protocol (TCP) connection, and wherein an end-to-end connection between the first end device and the second end device is a TCP spliced connection via the transparent proxy device.
  - 3. The method of claim 2, further comprising:
    - detecting that the application proxy is not available;
      
      receiving a packet, by the ingress; and
      
      transmitting, by the ingress, the packet directly to the egress, without traversing the application proxy, in response to the detecting.
  - 4. The method of claim 3, further comprising:
    - storing, by each of the ingress and the egress, traffic flow information pertaining to one or more traffic flows between the first end device and the second end device via the transparent proxy device; and
      
      deleting, by each of the ingress and the egress, the traffic flow information in response to the detecting.
  - 5. The method of claim 1, further comprising:
    - receiving, by a first intermediary device situated between the first end device and the transparent proxy device, a packet from the first end device that is to be routed to the second end device;
      
      detecting that the transparent proxy device is not available;
      
      transmitting the packet, by the first intermediary device to a second intermediary device, wherein the second intermediary device is situated between the second end device and the transparent proxy device; and
      
      receiving the packet by the second end device.
  - 6. The method of claim 1, wherein an end-to-end connection between the first end device and the second end device is a Transport Control Protocol (TCP) spliced connection via the transparent proxy device, and the method further comprises at least one of:
    - transmitting, by the transparent proxy device, data packets received from the first end device, via the TCP spliced connection, to the second end device;
      
      ortransmitting, by the transparent proxy device, data packets received from the second end device, via the TCP spliced connection, to the first end device.
  - 7. The method of claim 1, wherein each of the layer four connections is established based on a three-way handshake exchange of messages.
  - 8. The method of claim 1, wherein the establishing the layer four connection between the application proxy and the egress is in response to establishing the layer four connection between the ingress and the application proxy, and wherein the layer four connection between the application proxy and the egress is initiated by the application proxy.

9. A proxy device comprising:
- an ingress layer including a first transmitter and a first receiver, wherein the ingress layer operates up to a layer four communication layer;
  
  an egress layer including a second transmitter and a second receiver, wherein the egress layer operates up to a layer four communication layer;
  
  an application proxy, wherein the application proxy operates at an application communication layer;
  
  a memory, wherein the memory stores instructions; and
  
  a processor, wherein the processor executes the instructions to;
  
  receive, via the first receiver of the ingress layer and from a first end device, a first request that includes a first initial sequence number and options, to establish a layer four connection with a second end device;
  
  learn, by the ingress layer, the first initial sequence number of the first request;
  
  transmit, via the first transmitter of the ingress layer, the first request, to the egress layer, wherein the first request bypasses the application proxy;
  
  receive, via the second receiver of the egress layer and from the ingress layer, the first request;
  
  learn, by the egress layer, the first initial sequence number of the first request;
  
  receive, via the second receiver of the egress layer and from the second end device, a first acknowledgement for the first request and options, wherein the first acknowledgement includes a second initial sequence number;
  
  learn, by the egress layer, the second initial sequence number;
  
  transmit, via the second transmitter of the egress layer, the first acknowledgement, to the ingress layer, wherein the first acknowledgement bypasses the application proxy;
  
  learn, by the ingress layer, the second initial sequence number;
  
  transmit, via the first transmitter of the ingress layer to the application proxy, a second request, which includes the first initial sequence number and options negotiated between the first end device and the second end device, to establish a layer four connection between the ingress layer and the application proxy, in response to receiving the first acknowledgement;
  
  establish a first, layer four connection between the ingress layer and the first end device based on a second acknowledgement from the first end device;
  
  establish a second, layer four connection, between the ingress layer and the application proxy, in response to receiving the second acknowledgement;
  
  establish a third, layer four connection between the application proxy and the egress layer; and
  
  establish a fourth, layer four connection between the egress layer and the second end device based on the second acknowledgement.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The proxy device of claim 9, wherein each of the layer four connections is established based on a three-way handshake exchange of messages according to a Transport Control Protocol (TCP), and wherein the proxy device is a transparent proxy device.
  - 11. The proxy device of claim 9, wherein the ingress layer is configured to:
    - transform sequence numbers of packets received from the first end device, via the first, layer four connection, to different sequence numbers; and
      
      transmit the packets having the different sequence numbers, via the second, layer four connection, to the application proxy.
  - 12. The proxy device of claim 9, wherein the egress layer is configured to:
    - transform sequence numbers of packets received from the second end device, via the fourth, layer four connection, to different sequence numbers; and
      
      transmit the packets having the different sequence numbers, via the third, layer four connection, to the application proxy.
  - 13. The proxy device of claim 9, wherein the ingress layer is configured to:
    - receive a first data packet, via the first, layer four connection, from the first end device;
      
      transmit the first data packet, via the second, layer four connection, to the application proxy;
      
      detect that the application proxy is not available;
      
      receive a second data packet; and
      
      transmit the second data packet directly to the egress layer, without traversing the application proxy, in response to a detection that the application proxy is not available.
  - 14. The proxy device of claim 9, wherein the egress layer is configured to:
    - receive a first data packet, via the fourth, layer four connection, from the second end device;
      
      transmit the first data packet, via the third, layer four connection, to the application proxy;
      
      detect that the application proxy is not available;
      
      receive a second data packet; and
      
      transmit the second data packet directly to the ingress layer, without traversing the application proxy, in response to a detection that the application proxy is not available.
  - 15. The proxy device of claim 14, wherein the egress layer is further configured to:
    - store traffic flow information pertaining to one or more traffic flows between the first end device and the second end device via the proxy device; and
      
      delete the traffic flow information in response to the detection, wherein the traffic flow information includes traffic flow information pertaining to the first data packet.
  - 16. The proxy device of claim 9, wherein an end-to-end connection between the first end device and the second end device is a Transport Control Protocol (TCP) spliced connection via the proxy device, and the proxy device is configured to:
    - transmit data packets, via the TCP spliced connection, from the first end device to the second end device and from the second end device to the first end device, wherein the TCP spliced connection includes the second, layer four connection and the third, layer four connection.

17. A non-transitory computer-readable storage medium that stores instructions, executable by a processor of a computational device that includes an ingress layer that operates up to a layer four communication layer, an egress layer that operates up to a layer four communication layer, and an application proxy that operates at an application communication layer, which when executed cause the computational device to:
- receive, by the ingress layer and from a first end device, a first request that includes a first initial sequence number and options, to establish a layer four connection with a second end device;
  
  learn, by the ingress layer, the first initial sequence number of the first request;
  
  transmit, by the ingress layer, the first request, to the egress layer, wherein the first request bypasses the application proxy;
  
  receive, by the egress layer and from the ingress layer, the first request;
  
  learn, by the egress layer, the first initial sequence number of the first request;
  
  receive, by the egress layer and from the second end device, a first acknowledgement for the first request and options, wherein the first acknowledgement includes a second initial sequence number;
  
  learn, by the egress layer, the second initial sequence number;
  
  transmit, by the egress layer, the first acknowledgement, to the ingress layer, wherein the first acknowledgement bypasses the application proxy;
  
  learn, by the ingress layer, the second initial sequence number;
  
  transmit, by the ingress layer to the application proxy, a second request, which includes the first initial sequence number and options negotiated between the first end device and the second end device, to establish a layer four connection between the ingress layer and the application proxy, in response to receiving the first acknowledgement;
  
  establish a first, layer four connection between the ingress layer and the first end device based on a second acknowledgement from the first end device;
  
  establish a second, layer four connection, between the ingress layer and the application proxy, in response to receiving the second acknowledgement;
  
  establish a third, layer four connection between the application proxy and the egress layer; and
  
  establish a fourth, layer four connection between the egress layer and the second end device based on the second acknowledgement.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions to:
    - receive a first data packet, via the first, layer four connection, from the first end device;
      
      transmit the first data packet, via the second, layer four connection, to the application proxy;
      
      detect that the application proxy is not available;
      
      receive a second data packet; and
      
      transmit the second data packet directly to the egress layer, without traversing the application proxy, in response to a detection that the application proxy is not available.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions to:
    - receive a first data packet, via the fourth, layer four connection, from the second end device;
      
      transmit the first data packet, via the third, layer four connection, to the application proxy;
      
      detect that the application proxy is not available;
      
      receive a second data packet; and
      
      transmit the second data packet directly to the ingress layer, without traversing the application proxy, in response to a detection that the application proxy is not available.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions to:
    - transform sequence numbers of packets received from the first end device, via the first, layer four connection, to different sequence numbers;
      
      transmit the packets having the different sequence numbers, via the second, layer four connection, to the application proxy;
      
      transform sequence numbers of packets received from the second end device, via the fourth, layer four connection, to different sequence numbers; and
      
      transmit the packets having the different sequence numbers, via the third, layer four connection, to the application proxy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Joachimpillai, Damascene, Chung, Jae Won, Richardson, Mark
Primary Examiner(s)
Tran, Jimmy H

Application Number

US13/903,046
Publication Number

US 20140359052A1
Time in Patent Office

1,057 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/0293   for accessing web services ...

H04L 67/56   Provisioning of proxy servi...

H04L 69/08   Protocols for interworking;...

H04L 69/16   Implementation or adaptatio...

Resilient TCP splicing for proxy services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Resilient TCP splicing for proxy services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links