System and method for directing network traffic in tunneling applications

US 9,614,772 B1
Filed: 11/21/2003
Issued: 04/04/2017
Est. Priority Date: 10/20/2003
Status: Active Grant

First Claim

Patent Images

1. An apparatus for directing a packet to a tunnel in a network, comprising:

(a) a transceiver arranged to receive and forward each packet in a flow of packets; and

(b) a processor, coupled to the transceiver, that is arranged to perform actions, including;

receiving the packets from a network device;

extracting data from the packets, wherein the extraction comprises a deep packet inspection at multiple layers of the seven layers in an Open Systems Interconnection (OSI) layered protocol across data extracted from a plurality of the packets to provide a rule syntax for at least one symbolic variable that is employed to generate a flow criteria for selecting a tunnel from a plurality of different tunnels, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (HTTP) content;

buffering a defined amount of data from the plurality of packets to determine whether the flow criteria is satisfied, wherein the defined amount is based on a number of packets required to identify the flow criteria, and wherein the number of packets is selectable based on a request to access the at least one symbolic variable;

when the flow criteria is unsatisfied by the defined amount of buffered data, selecting the tunnel from the plurality of different tunnels based on the flow criteria being unsatisfied;

when the flow criteria is satisfied by the defined amount of buffered data, selecting the tunnel from the plurality of different tunnels based in part on the extracted data, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data;

associating the packets with the selected tunnel, wherein the selected tunnel further comprises at least one of an MPLS tunnel, an IPSec tunnel, a SOCKS tunnel, a secure tunnel, and a load-balanced tunnel; and

forwarding the packets towards the selected tunnel.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and system are directed to managing traffic towards a tunnel in a network. The invention enables a network device, to extract data from a received packet. A deep packet inspection is employed that enables examination of the extracted data at virtually any layer of an OSI layered protocol of the packet. If the extracted data does not satisfy the flow criteria, a second packet may be inspected at a deep packet level to determine whether the data of the first and second packet satisfies the flow criteria. If the extracted data satisfies the flow criteria a tunnel is determined based, in part, on the flow criteria. The packet is associated with and forwarded towards the determined tunnel.

Citations

43 Claims

1. An apparatus for directing a packet to a tunnel in a network, comprising:
- (a) a transceiver arranged to receive and forward each packet in a flow of packets; and
  
  (b) a processor, coupled to the transceiver, that is arranged to perform actions, including;
  
  receiving the packets from a network device;
  
  extracting data from the packets, wherein the extraction comprises a deep packet inspection at multiple layers of the seven layers in an Open Systems Interconnection (OSI) layered protocol across data extracted from a plurality of the packets to provide a rule syntax for at least one symbolic variable that is employed to generate a flow criteria for selecting a tunnel from a plurality of different tunnels, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (HTTP) content;
  
  buffering a defined amount of data from the plurality of packets to determine whether the flow criteria is satisfied, wherein the defined amount is based on a number of packets required to identify the flow criteria, and wherein the number of packets is selectable based on a request to access the at least one symbolic variable;
  
  when the flow criteria is unsatisfied by the defined amount of buffered data, selecting the tunnel from the plurality of different tunnels based on the flow criteria being unsatisfied;
  
  when the flow criteria is satisfied by the defined amount of buffered data, selecting the tunnel from the plurality of different tunnels based in part on the extracted data, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data;
  
  associating the packets with the selected tunnel, wherein the selected tunnel further comprises at least one of an MPLS tunnel, an IPSec tunnel, a SOCKS tunnel, a secure tunnel, and a load-balanced tunnel; and
  
  forwarding the packets towards the selected tunnel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the extracted data further comprises data associated with a pre-determined application.
  - 3. The apparatus of claim 1, wherein the extracted data further comprises a Session Initiation Protocol (SIP) header.
  - 4. The apparatus of claim 1, wherein the extracted data further comprises SSL protocol data.
  - 5. The apparatus of claim 1, wherein the extracted data further comprises an HTTP header.
  - 6. The apparatus of claim 1, wherein the extracted data further comprises an XML tag.
  - 7. The apparatus of claim 1, wherein buffering the defined amount of data is further based on the flow criteria seeking specific data content from the packets.
  - 8. The apparatus of claim 1, wherein selecting the tunnel further comprises determining the tunnel from a plurality of tunnels based in part on a load-balancing mechanism.
  - 9. The apparatus of claim 1, wherein associating the packets with the selected tunnel further comprises labeling the packet with an MPLS label.
  - 10. The apparatus of claim 1, wherein associating the packets with the selected tunnel further comprises encapsulating at least a portion of the packets.
  - 11. The apparatus of claim 1, wherein associating the packets with the selected tunnel further comprises sending a SOCKetS (SOCKS) proxy request.

12. An apparatus for directing a packet to a tunnel in a network, comprising:
- (a) a transceiver arranged to receive and forward each packet in a flow of packets; and
  
  (b) a processor, coupled to the transceiver, that is arranged to perform actions, including;
  
  receiving the packets from a network device;
  
  extracting data from the packets, wherein the extraction comprises;
  
  a deep packet inspection of multiple layers of the seven layers in an Open Systems Interconnection (OSI) layered protocol to provide a rule syntax for at least one symbolic variable that is employed to generate a flow criteria for selecting a tunnel from a plurality of different tunnels based on the extracted data from the packets, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (HTTP) content;
  
  buffering a defined amount of data from the packets to determine whether the flow criteria is satisfied, wherein the defined amount is based on a number of packets required to identify the flow criteria, and wherein the number of packets is selectable based on a request to access the at least one symbolic variable;
  
  when the flow criteria is unsatisfied by the defined amount of buffered data, selecting the tunnel from the plurality of different tunnels based on the flow criteria being unsatisfied;
  
  when the flow criteria is satisfied by the defined amount of buffered data, selecting the tunnel from the plurality of different tunnels based in part on the extracted data, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data;
  
  associating the packet with the selected tunnel, wherein the selected tunnel further comprises at least one of an MPLS tunnel, an IPSec tunnel, a SOCKS tunnel, a secure tunnel, and a load-balanced tunnel; and
  
  forwarding the packet towards the selected tunnel.
- View Dependent Claims (13, 14)
- - 13. The apparatus of claim 12, wherein the extracted data further comprises data from a first layer of the OSI layered protocol and a second layer of the OSI layered protocol of the packets.
  - 14. The apparatus of claim 12, wherein the multiple layers further comprises deep packet inspection of data from layer seven, an application layer, of the OSI layered protocol.

15. An apparatus for directing a packet to a tunnel in a network, comprising:
- (a) a transceiver arranged to receive and forward each packet in a flow of packets; and
  
  (b) a processor, coupled to the transceiver, that is arranged to perform actions, including;
  
  receiving the packet from a network device;
  
  extracting data from the packet, wherein the extraction comprises;
  
  a deep packet inspection of multiple layers of the seven layers in an Open Systems Interconnection (OSI) layered protocol to provide a rule syntax for at least one symbolic variable that is employed to generate a flow criteria for selecting a tunnel from a plurality of different tunnels, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (HTTP) content;
  
  buffering a defined amount of data from the packets to determine whether the flow criteria is satisfied, wherein the defined amount is based on a number of packets required to identify the flow criteria, and wherein the number of packets is selectable based on a request to access the at least one symbolic variable;
  
  when the flow criteria is unsatisfied by the defined amount of buffered data, selecting the tunnel from the plurality of different tunnels based on the flow criteria being unsatisfied;
  
  when the flow criteria is satisfied by the defined amount of buffered data, selecting the tunnel from the plurality of different tunnels based in part on the extracted data, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data;
  
  associating the packet with the selected tunnel, wherein the selected tunnel further comprises at least one of an MPLS tunnel, an IPSec tunnel, a SOCKS tunnel, a secure tunnel, and a load-balanced tunnel; and
  
  forwarding the packet towards the selected tunnel.
- View Dependent Claims (16, 17)
- - 16. The apparatus of claim 15, wherein the extraction further comprises the deep packet inspection of data from at least layer seven and of data from at least one other layer of the OSI layered protocol.
  - 17. The apparatus of claim 15, wherein the extracted data further comprises data associated with a pre-determined application.

18. A method for directing a packet towards a tunnel in a network, wherein a network device is arranged to perform actions, comprising:
- receiving the packet from a network device;
  
  buffering the received packet, wherein buffering the received packet further comprises buffering a number of packets based on the number of packets required to identify a flow criteria, wherein the number of packets is selectable based on a request to access at least one symbolic variable;
  
  extracting data from the buffered packet, wherein the extraction comprises performing a deep packet inspection at multiple layers of the seven layers in an Open Systems Interconnection (OSI) layered protocol to provide a rule syntax for the at least one symbolic variable that is employed to generate a flow criteria for selecting a tunnel from a plurality of different tunnels, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (HTTP) content;
  
  selecting the tunnel from the plurality of different tunnels based in part on the extracted data, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data, and wherein the selected tunnel further comprises at least one of an MPLS tunnel, or a secure tunnel;
  
  modifying the packet for the selected tunnel; and
  
  forwarding the modified packet towards the selected tunnel.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The method of claim 18, wherein the extracted data further comprises data associated with a pre-determined application.
  - 20. The method of claim 18, wherein the extracted data further comprises an XML tag.
  - 21. The method of claim 18, wherein the extracted data further comprises an HTTP header.
  - 22. The method of claim 18, wherein the extracted data further comprises SSL protocol data.
  - 23. The method of claim 18, wherein the extracted data further comprises a Session Initiation Protocol (SIP) header.
  - 24. The method of claim 18, wherein selecting the tunnel further comprises determining the tunnel from a plurality of tunnels based in part on a load-balancing mechanism.
  - 25. The method of claim 18, wherein selecting the tunnel further comprises determining the tunnel from a plurality of tunnels based in part on the flow criteria being unsatisfied.
  - 26. The method of claim 18, wherein modifying the packet for the selected tunnel further comprises at least one of labeling the packet with a Multiprotocol Label Switching (MPLS) label, encapsulating at least a portion of the packet, and associating the packet with a SOCKetS (SOCKS) connection.
  - 27. The method of claim 18, wherein the method is operable in at least one a load-balancer, a router, a firewall, a proxy, a bridge and a network address translation device.
  - 28. The method of claim 18, further comprising:
    - determining when the data satisfies at least one flow criterion, and if the flow criteria is un-satisfied, buffering another packet in the plurality of packets, and extracting another data from the other packet.
  - 29. The method of claim 18, wherein performing a deep packet inspection further comprising evaluating the extracted data against at least one flow criterion.

30. A method for directing a packet towards a tunnel in a network, wherein a network device is arranged to perform actions, comprising:
- receiving packets from another network device;
  
  determining a number of packets to buffer based on a defined number of packets required to determine whether a flow criteria is satisfied, wherein the defined number of packets includes more than one packet and is selectable based on a request to access at least one symbolic variable;
  
  buffering the determined number of packets;
  
  extracting data from within the determined number of buffered packets, wherein the extraction comprises performing a deep packet inspection of multiple layers of the seven layers in an Open Systems Interconnection (OSI) layered protocol for specific application layer data content to provide a rule syntax for the at least one symbolic variable that is employed to generate the flow criteria for selecting a tunnel from a plurality of different tunnels, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (HTTP) content;
  
  when the flow criteria is unsatisfied in the determined number of buffered packets, selecting the tunnel from the plurality of different tunnels based on the flow criteria being unsatisfied;
  
  when the flow criteria is satisfied in the determined number of buffered packets, selecting the tunnel from the plurality of different tunnels based in part on the extracted data, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data;
  
  modifying the packets for the selected tunnel, wherein the selected tunnel further comprises at least one of an MPLS tunnel, an IPSec tunnel, a SOCKS tunnel, a secure tunnel, and a load-balanced tunnel; and
  
  forwarding the modified packets towards the selected tunnel.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30, wherein the multiple layers further comprises layer seven, an application layer, of the OSI layered protocol.
  - 32. The method of claim 30, wherein extracting data further comprises extracting data from at least two layers of the OSI layered protocol of the packet.

33. A system for directing a packet towards a tunnel in a network, comprising:
- a router, configured to receive a packet and to route the packet; and
  
  a tunnel manager, in communication with the router, that is configured to perform actions, comprising;
  
  receiving packets from a network device;
  
  determining a number of packets to buffer based on a defined number of packets required to determine whether a flow criteria is satisfied, wherein the defined number of packets includes more than one packet and is selectable based on a request to access at least one symbolic variable;
  
  buffering the determined number of packets;
  
  extracting data from within the determined number of buffered packets;
  
  performing a deep packet inspection on the extracted data, wherein the deep packet inspection comprises examining data from multiple layers of the seven layers of the OSI layered protocol for specific application layer data content to provide a rule syntax for the at least one symbolic variable that is employed to generate the flow criteria for selecting a tunnel from a plurality of different tunnels, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (TCP) content;
  
  when the flow criteria is unsatisfied by the extracted data, selecting the tunnel from the plurality of different tunnels based on the flow criteria being unsatisfied;
  
  when the extracted data satisfies the flow criteria, selecting the tunnel from the plurality of different tunnels based in part on the satisfied flow criteria, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data, and wherein the selected tunnel further comprises at least one of an MPLS tunnel, or a secure tunnel;
  
  modifying the packets for the selected tunnel, andforwarding the modified packets to the router, wherein the router is configured to route the packets towards the selected tunnel.
- View Dependent Claims (34, 35, 36, 37, 38, 39)
- - 34. The system of claim 33, wherein the extracted data further comprises data associated with a pre-determined application.
  - 35. The system of claim 33, wherein the extracted data further comprises an XML tag.
  - 36. The system of claim 33, wherein the extracted data further comprises an HTTP header.
  - 37. The system of claim 33, wherein the extracted data further comprises SSL protocol data.
  - 38. The system of claim 33, wherein modifying the packet for the selected tunnel further comprises at least one of labeling the packet with an MPLS label, encapsulating at least a portion of the packet, and associating the packet with a SOCKetS (SOCKS) connection.
  - 39. The system of claim 33, wherein the tunnel manager is further configured to operate as at least one of a load-balancer, a router, a firewall, a proxy, a bridge and a network address translation device.

40. A system for directing a packet towards a tunnel in a network, comprising:
- a router, configured to receive a packet and to route the packet; and
  
  a tunnel manager, in communication with the router, that is configured to perform actions, comprising;
  
  receiving packets from a network device;
  
  determining a number of packets to buffer based on a defined number of packets required to determine whether a flow criteria is satisfied, wherein the defined number of packets includes more than one packet and is selectable based on a request to access at least one symbolic variable;
  
  buffering the determined number of packets;
  
  extracting data from within the determined number of buffered packets;
  
  performing a deep packet inspection on the extracted data, wherein the deep packet inspection comprises examining data from multiple layers of the seven layers of the OSI layered protocol for specific application layer data content to provide a rule syntax for the at least one symbolic variable that is employed to generate the flow criteria for selecting a tunnel from a plurality of different tunnels, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (HTTP) content;
  
  when the flow criteria is unsatisfied by the extracted data, selecting the tunnel from the plurality of different tunnels based on the flow criteria being unsatisfied;
  
  when the extracted data satisfies the flow criteria, selecting the tunnel from the plurality of different tunnels based in part on the satisfied flow criteria, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data;
  
  modifying the packets for the selected tunnel, wherein the selected tunnel further comprises at least one of an MPLS tunnel, an IPSec tunnel, a SOCKS tunnel, a secure tunnel, or a load-balanced tunnel; and
  
  forwarding the modified packets to the router, wherein the router is configured to route the packets towards the selected tunnel.
- View Dependent Claims (41, 42)
- - 41. The system of claim 40, wherein the at least layer seven further comprises layer seven and at least one other layer above layer three of the OSI layered protocol.
  - 42. The system of claim 40, wherein extracting data further comprises extracting data from at least two layers of the OSI layered protocol of the packet.

43. A network device for directing a packet towards a tunnel in a network, comprising:
- a receiver configured to receive packets from another network device;
  
  a processor that is arranged to perform actions, including;
  
  buffering a defined number of packets required to determine whether a flow criteria is satisfied, wherein the defined number of packets includes more than one packet and is selectable based on a request to access the at least one symbolic variable;
  
  extracting specific application layer data content from within the defined number of buffered packets using deep packet inspection at an application layer to provide a rule syntax for the at least one symbolic variable that is employed to generate the flow criteria for selecting a tunnel from a plurality of different tunnels;
  
  selecting the tunnel from the plurality of different tunnels when the flow criteria is unsatisfied in the defined number of buffered packets, wherein the tunnel is selected based on the flow criteria being unsatisfied; and
  
  selecting the tunnel from the plurality of different tunnels when the flow criteria is satisfied in the defined number of buffered packets, wherein the tunnel is selected based in part on the deep packet inspection at multiple layers of the seven layers in the OSI layered protocol, wherein the selected tunnel is pre-designated for a tunneling protocol that is associated with the extracted data, and wherein the selected tunnel further comprises at least one of an MPLS tunnel, an IPSec tunnel, a SOCKS tunnel, a secure tunnel, or a load-balanced tunnel, wherein the at least one symbolic variable includes Transmission Control Protocol (TCP) data content and one or more of a client address, server address, client port, server port, or Hypertext Transfer Protocol (HTTP) content; and
  
  a logic device that is configured to associate the packets with the selected tunnel; and
  
  a transmitter configured to forward the packets towards the selected tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Bradfield, Christopher James
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
NAJEE-ULLAH, TARIQ S

Application Number

US10/719,375
Time in Patent Office

4,883 Days
Field of Search

709238, 709232, 709233, 709234, 709235, 710 29, 370229, 370230, 370231, 370232, 370233, 370234, 370235
US Class Current
CPC Class Codes

H04L 47/2441 relying on flow classificat...

H04L 47/2491 Mapping quality of service ...

System and method for directing network traffic in tunneling applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for directing network traffic in tunneling applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links