VPN for containers and virtual machines in local area networks

US 9,716,688 B1
Filed: 01/06/2017
Issued: 07/25/2017
Est. Priority Date: 05/13/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for combining Virtual Environments (VEs) into a Virtual Private Network (VPN), the method comprising:

connecting at least two host nodes into an Ethernet network;

launching at least two VEs on each of the hosts;

combining the VEs from both hosts into a VPN;

assigning a number to the VPN;

launching an additional VE on one of the hosts to perform network function virtualization (NFV) for the other VEs;

configuring a first switch on each of the hosts to route packets to VEs that subscribe to the VPN;

using a second switch connected to the first switches of the host nodes to join different host nodes into a segment of the Ethernet network;

analyzing an incoming broadcast packet by the first switch;

replacing a standard destination MAC address in a packet header by a number of the VPN to which a source VE belongs;

for each arriving packet, looking up which VEs belong to the VPN whose VPN number replaced the destination MAC address; and

for each such found VE, replacing the number of the VPN with the destination MAC address of the VE and delivering the packet to the found VE,wherein the host nodes receive VE-related traffic via a proxy.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program product for a VPN for containers and VMs implemented on different network node. A number of network hardware nodes have containers and VMs running on them. The containers and VMs are aggregated into VPNs assembled across the hardware nodes. Each hardware node has a network edge programmable switch configured to route packets to containers and VMs only inside a particular VPN. The switch detects a number of the VPN inside the packet header, replaces this number by a standard broadcast header number and multi-casts the packet to the containers and the VMs inside the VPN.

24 Citations

View as Search Results

20 Claims

1. A computer-implemented method for combining Virtual Environments (VEs) into a Virtual Private Network (VPN), the method comprising:
- connecting at least two host nodes into an Ethernet network;
  
  launching at least two VEs on each of the hosts;
  
  combining the VEs from both hosts into a VPN;
  
  assigning a number to the VPN;
  
  launching an additional VE on one of the hosts to perform network function virtualization (NFV) for the other VEs;
  
  configuring a first switch on each of the hosts to route packets to VEs that subscribe to the VPN;
  
  using a second switch connected to the first switches of the host nodes to join different host nodes into a segment of the Ethernet network;
  
  analyzing an incoming broadcast packet by the first switch;
  
  replacing a standard destination MAC address in a packet header by a number of the VPN to which a source VE belongs;
  
  for each arriving packet, looking up which VEs belong to the VPN whose VPN number replaced the destination MAC address; and
  
  for each such found VE, replacing the number of the VPN with the destination MAC address of the VE and delivering the packet to the found VE,wherein the host nodes receive VE-related traffic via a proxy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising discarding the packet when it reaches a VE that is not associated with the VPN.
  - 3. The method of claim 1, wherein the number of the VPN identifies the VPN to which a source VE belongs.
  - 4. The method of claim 1, wherein the proxy is an ARP proxy.
  - 5. The method of claim 1, wherein the first switch is a software switch.
  - 6. The method of claim 1, wherein the first switch is a self-taught switch.
  - 7. The method of claim 1, wherein the NFV includes any of firewall, antivirus, anti-phishing, and antispam.
  - 8. The method of claim 1, wherein the NFV includes any of network monitoring, load balancing, proxying and caching.
  - 9. The method of claim 1, wherein each host node is encapsulated within a Container or a Virtual Machine.
  - 10. The method of claim 1, wherein each host node adds VLAN tags to the packets, in order to permit the VPN to vary the quality of service (QOS) within the VPN.
  - 11. The method of claim 1, wherein the Virtual Environments of the VPN include both VMs and Containers on the same host node.
  - 12. The method of claim 1, wherein the VEs are Virtual Machines, each Virtual Machine having its own guest operating system kernel.
  - 13. The method of claim 1, wherein the VEs are containers, wherein multiple containers share a host operating system of their host node.
  - 14. The method of claim 1, wherein the VEs on the same node belong to different VPNs.
  - 15. The method of claim 1, wherein the VPN comprises multiple VEs on each host node, and wherein at least one of the VEs on one node is a Virtual Machine and at least one of the VEs on the same node is a Container.
  - 16. The method of claim 1, wherein multiple VEs on each host node subscribe to multiple different VPNs, and wherein each of the different VPNs includes at least one Virtual Machine and at least one Container.
  - 17. The method of claim 1, wherein the VPN comprises multiple VEs on each host node, wherein the VEs on the same node belong to different VPNs.
  - 18. The method of claim 1, wherein the VPN comprises multiple VEs on each host node, and wherein at least one of the VEs on one node is a Virtual Machine and at least one of the VEs on the same node is a Container.

19. A computer program product comprising a non-transitory computer readable medium containing code for implementing the steps of:
- connecting at least two host nodes into an Ethernet network;
  
  launching at least two VEs on each of the hosts;
  
  combining the VEs from both hosts into a VPN;
  
  assigning a number to the VPN;
  
  launching an additional VE on one of the hosts to perform network function virtualization (NFV) for the other VEs;
  
  configuring a first switch on each of the hosts to route packets to VEs that subscribe to the VPN;
  
  using a second switch connected to the first switches of the host nodes to join different host nodes into a segment of the Ethernet network;
  
  analyzing an incoming broadcast packet by the first switch;
  
  replacing a standard destination MAC address in a packet header by a number of the VPN to which a source VE belongs;
  
  for each arriving packet, looking up which VEs belong to the VPN whose VPN number replaced the destination MAC address; and
  
  for each such found VE, replacing the number of the VPN with the destination MAC address of the VE and delivering the packet to the found VE,wherein the host nodes receive VE-related traffic via a proxy.

20. A system for combining Virtual Environments (VEs) into a Virtual Private Network (VPN), the system comprising:
- at least two host nodes connected into an Ethernet network;
  
  at least two VEs on each of the hosts;
  
  the VEs from both hosts combined into a VPN with an assigned number;
  
  an additional VE on one of the hosts that performs network function virtualization (NFV) for the other VEs;
  
  a first switch on each of the hosts configured to route packets to VEs that subscribe to the VPN;
  
  a second switch connected to the first switches of the host nodes configured to join different host nodes into a segment of the Ethernet network;
  
  wherein an incoming broadcast packet is analyzed by the first switch;
  
  wherein a standard destination MAC address in a packet header is replaced by a number of the VPN to which a source VE belongs;
  
  for each arriving packet, looking up which VEs belong to the VPN whose VPN number replaced the destination MAC address; and
  
  for each such found VE, replacing the number of the VPN with the destination MAC address of the VE and delivering the packet to the found VE,wherein the host nodes receive VE-related traffic via a proxy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virtuozzo International GmbH
Original Assignee
Parallels International GmbH (Corel Holdings LP)
Inventors
Bottomley, James, Emelyanov, Pavel
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/399,880
Time in Patent Office

200 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/1886   with traffic restrictions f...

H04L 12/4625   Single bridge functionality...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 45/16   Multipoint routing

H04L 47/32   by discarding or delaying d...

H04L 61/5069   for group communication, mu...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

H04L 65/1045   Proxies, e.g. for session i...

H04L 65/611   for multicast or broadcast ...

H04L 65/80   Responding to QoS

H04L 67/288   Distributed intermediate de...

H04L 67/565   Conversion or adaptation of...

VPN for containers and virtual machines in local area networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

VPN for containers and virtual machines in local area networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others