Distributed service processing of network gateways using virtual machines

US 9,609,083 B2
Filed: 10/07/2015
Issued: 03/28/2017
Est. Priority Date: 02/10/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a packet at an ingress interface of a gateway device communicatively coupled to a local area network (LAN) and an external network;

determining a first service and a second service corresponding to a connections session, the first service and the second service determined using a policy;

identifying a first service processing module associated with the first service, the first service processing module being executed by a first virtual machine having a first guest operating system, the first virtual machine running on a first physical host being communicatively coupled to the gateway device, the first physical host having a first host operating system, the first host operating system providing a first hypervisor;

sending the packet to the first service processing module, the first service processing module performing the first service on the packet to produce a first processed packet;

determining whether the first service processing module has sufficient bandwidth to handle the first service;

when the first service processing module does not have sufficient bandwidth to perform the first service on the packet;

allocating and launching a third service processing module; and

alternatively sending the packet to the third service processing module, the third service processing module performing the first service on the packet to produce the first processed packet;

identifying a second service processing module associated with the second service, the second service processing module being executed by a second virtual machine having a second guest operating system, the second virtual machine running on a second physical host being communicatively coupled to the gateway device, the second physical host having a second host operating system, the second host operating system providing a second hypervisor;

sending the first processed packet to the second service processing module, the second service processing module performing the second service on the first processed packet to produce a second processed packet; and

forwarding the second processed packet at an egress interface of the gateway device to a destination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network gateway device includes an ingress interface, an egress interface, and a load balancing module coupled to the ingress and egress interfaces. The load balancing module configured to receive a packet from the ingress interface, determine a set of a plurality of processes corresponding to a connections session associated with the packet based on a policy. For each of the identified processes, the load balancing module is to identify a service processing module executed by a virtual machine that is capable of handling the identified process, and to send the packet to the identified service processing module to perform the identified process on the packet. The packet is then transmitted to the egress interface of the gateway device to be forwarded to a destination.

164 Citations

15 Claims

1. A computer-implemented method, comprising:
- receiving a packet at an ingress interface of a gateway device communicatively coupled to a local area network (LAN) and an external network;
  
  determining a first service and a second service corresponding to a connections session, the first service and the second service determined using a policy;
  
  identifying a first service processing module associated with the first service, the first service processing module being executed by a first virtual machine having a first guest operating system, the first virtual machine running on a first physical host being communicatively coupled to the gateway device, the first physical host having a first host operating system, the first host operating system providing a first hypervisor;
  
  sending the packet to the first service processing module, the first service processing module performing the first service on the packet to produce a first processed packet;
  
  determining whether the first service processing module has sufficient bandwidth to handle the first service;
  
  when the first service processing module does not have sufficient bandwidth to perform the first service on the packet;
  
  allocating and launching a third service processing module; and
  
  alternatively sending the packet to the third service processing module, the third service processing module performing the first service on the packet to produce the first processed packet;
  
  identifying a second service processing module associated with the second service, the second service processing module being executed by a second virtual machine having a second guest operating system, the second virtual machine running on a second physical host being communicatively coupled to the gateway device, the second physical host having a second host operating system, the second host operating system providing a second hypervisor;
  
  sending the first processed packet to the second service processing module, the second service processing module performing the second service on the first processed packet to produce a second processed packet; and
  
  forwarding the second processed packet at an egress interface of the gateway device to a destination.
- View Dependent Claims (2, 3, 10, 11)
- - 2. The method of claim 1, wherein a public cloud communicatively coupled to the external network comprises at least one of the first physical host and the second physical host.
  - 3. The method of claim 1, wherein the first service and the second service include at least one of a network address translation (NAT) process, a virtual private network (VPN) process, a deep packet inspection (DPI) process, and an anti-virus process.
  - 10. The method of claim 1, further comprising:
    - determining whether the second service processing module has sufficient bandwidth to handle the second service.
  - 11. The method of claim 10, further comprising:
    - when the second service processing module does not have sufficient bandwidth to perform the second service on the packet;
      
      allocating and launching a fourth service processing module; and
      
      alternatively sending the first processed packet to the fourth service processing module, the fourth service processing module performing the second service on the first processed packet to produce the second processed packet.

4. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method, the method comprising:
- receiving a packet at an ingress interface of a gateway device communicatively coupled to a local area network (LAN) and an external network;
  
  determining a first service and a second service corresponding to a connections session, the first service and the second service determined using a policy;
  
  identifying a first service processing module associated with the first service, the first service processing module being executed by a first virtual machine using a first guest operating system, the first virtual machine running on a first physical host using a first host operating system, the first host operating system providing a first hypervisor, the first physical host being communicatively coupled to the gateway device;
  
  sending the packet to the first service processing module, the first service processing module performing the first service on the packet to produce a first processed packet;
  
  determining whether the first service processing module has sufficient bandwidth to handle the first service;
  
  when the first service processing module does not have sufficient bandwidth to perform the first service on the packet;
  
  allocating and launching a third service processing module; and
  
  alternatively sending the packet to the third service processing module, the third service processing module performing the first service on the packet to produce the first processed packet;
  
  identifying a second service processing module associated with the second service, the second service processing module being executed by a second virtual machine using a second guest operating system, the second virtual machine running on a second physical host using a second host operating system, the second host operating system providing a second hypervisor, the second physical host being communicatively coupled to the gateway device;
  
  sending the first processed packet to the second service processing module, the second service processing module performing the second service on the first processed packet to produce a second processed packet; and
  
  forwarding the second processed packet at an egress interface of the gateway device to a destination.
- View Dependent Claims (5, 6, 12, 13)
- - 5. The non-transitory computer-readable storage medium of claim 4, wherein a public cloud communicatively coupled to the external network comprises at least one of the first physical host and the second physical host.
  - 6. The non-transitory computer-readable storage medium of claim 4, wherein the first service and the second service include at least one of a network address translation (NAT) service, a virtual private network (VPN) service, a deep packet inspection (DPI) service, and an anti-virus service.
  - 12. The non-transitory computer-readable storage medium of claim 4, wherein the method further comprises:
    - determining whether the second service processing module has sufficient bandwidth to handle the second service.
  - 13. The non-transitory computer-readable storage medium of claim 12, wherein the method further comprises:
    - when the second service processing module does not have sufficient bandwidth to perform the second service on the packet;
      
      allocating and launching a fourth service processing module; and
      
      alternatively sending the first processed packet to the fourth service processing module, the fourth service processing module performing the second service on the first processed packet to produce the second processed packet.

7. A gateway device, comprising:
- an ingress interface;
  
  an egress interface; and
  
  a load balancing module coupled to the ingress and egress interfaces, the load balancing module comprising;
  
  at least one processor; and
  
  a memory coupled to the at least one processor, the memory storing instructions executable by the at least one processor to perform a method comprising;
  
  receiving a packet from the ingress interface;
  
  determining a first service and a second service corresponding to a connections session associated with the packet, the first service and the second service determined using a policy;
  
  identifying a first service processing module associated with the first service, the first service processing module being executed by a first virtual machine having a first guest operating system, the first virtual machine running on a first physical host being communicatively coupled to the gateway device, the first physical host having a first host operating system, the first host operating system providing a first hypervisor;
  
  sending the packet to the first service processing module, the first service processing module performing the first service on the packet to produce a first processed packet;
  
  determining whether the first service processing module has sufficient bandwidth to handle the first service;
  
  when the first service processing module does not have sufficient bandwidth to perform the first service on the packet;
  
  allocating and launching a third service processing module; and
  
  alternatively sending the packet to the third service processing module, the third service processing module performing the first service on the packet to produce the first processed packet;
  
  identifying a second service processing module associated with the second service, the second service processing module being executed by a second virtual machine having a second guest operating system, the second virtual machine running on a second physical host being communicatively coupled to the gateway device, the second physical host having a second host operating system, the second host operating system providing a second hypervisor;
  
  sending the first processed packet to the second service processing module, the second service processing module performing the second service on the first processed packet to produce a second processed packet; and
  
  forwarding the second processed packet at an egress interface of the gateway device to a destination.
- View Dependent Claims (8, 9, 14, 15)
- - 8. The gateway device of claim 7, wherein a public cloud associated with an external network comprises at least one of the first physical host and the second physical host.
  - 9. The gateway device of claim 7, wherein the first service and the second service include at least one of a network address translation (NAT) service, a virtual private network (VPN) service, a deep packet inspection (DPI) service, and an anti-virus service.
  - 14. The gateway device of claim 7, wherein the method further comprises:
    - determining whether the second service processing module has sufficient bandwidth to handle the second service.
  - 15. The gateway device of claim 14, wherein the method further comprises:
    - when the second service processing module does not have sufficient bandwidth to perform the second service on the packet;
      
      allocating and launching a fourth service processing module; and
      
      alternatively sending the first processed packet to the fourth service processing module, the fourth service processing module performing the second service on the first processed packet to produce the second processed packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Shieh, Choung-Yaw
Primary Examiner(s)
DUONG, CHRISTINE T

Application Number

US14/877,836
Publication Number

US 20160028851A1
Time in Patent Office

538 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/0896   Bandwidth or capacity manag...

H04L 47/125   by balancing the load, e.g....

H04L 47/20   Traffic policing

H04L 63/0209   Architectural arrangements,...

H04L 65/1033   Signalling gateways

H04L 67/10   in which an application is ...

H04L 67/14   Session management for real...

H04L 67/60   Scheduling or organising th...

H04W 28/20   Negotiating bandwidth

Distributed service processing of network gateways using virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

164 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Distributed service processing of network gateways using virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others