Service processing switch

US 9,967,200 B2
Filed: 03/15/2016
Issued: 05/08/2018
Est. Priority Date: 06/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information;

receiving a packet at an input port of a line interface module of the VR-based network device;

the line interface module forwarding the packet to a virtual routing engine (VRE);

performing, by the VRE, flow-based packet classification on the packet;

attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification;

on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device;

on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning;

wherein the one or more appropriate packet transformations are associated with Network Address Translation (NAT) and comprise replacing one or more of an original IP source address, an original IP destination address, an original Transmission Control Protocol (TCP) source port, an original TCP destination port, an original User Datagram Protocol (UDP) source port and an original UDP destination port specified within a header of the packet;

wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services; and

wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a flow cache is established having multiple entries each identifying one of multiple VR flows through a VR-based network device and corresponding forwarding state information. A packet is received at an input port of a line interface module of the network device and forwarded to a VRE. Flow-based packet classification is performed by the VRE. An attempt is made to retrieve an entry of the flow cache based on a result of the flow-based packet classification. On a flow cache hit, one or more appropriate packet transformations are identified for application to the packet and it is determined whether to process the packet with a VSE based on the corresponding forwarding state information. On a flow cache miss, the new VR flow is added to the flow cache by performing flow learning.

256 Citations

9 Claims

1. A method comprising:
- establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information;
  
  receiving a packet at an input port of a line interface module of the VR-based network device;
  
  the line interface module forwarding the packet to a virtual routing engine (VRE);
  
  performing, by the VRE, flow-based packet classification on the packet;
  
  attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification;
  
  on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device;
  
  on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning;
  
  wherein the one or more appropriate packet transformations are associated with Network Address Translation (NAT) and comprise replacing one or more of an original IP source address, an original IP destination address, an original Transmission Control Protocol (TCP) source port, an original TCP destination port, an original User Datagram Protocol (UDP) source port and an original UDP destination port specified within a header of the packet;
  
  wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services; and
  
  wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the ASE includes an encryption accelerator chipset and wherein the one or more hardware-accelerated security services include encrypting the packet, by the encryption accelerator chipset, for IP Security (IPSec).
  - 3. The method of claim 1, wherein the one or more appropriate packet transformation include substituting a Layer 2 destination address of the packet with a next hop value, decrementing a Time-To-Live (TTL) field and updating an Internet Protocol (IP) header checksum of the packet.

4. A method comprising:
- establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information;
  
  receiving a packet at an input port of a line interface module of the VR-based network device;
  
  the line interface module forwarding the packet to a virtual routing engine (VRE);
  
  performing, by the VRE, flow-based packet classification on the packet;
  
  attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification;
  
  on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device;
  
  on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning;
  
  wherein the one or more appropriate packet transformations comprise Differentiated Services (DiffServ) Type of Service (ToS) field marking;
  
  wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services; and
  
  wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.
- View Dependent Claims (5, 6)
- - 5. The method of claim 4, wherein the ASE includes an encryption accelerator chipset and wherein the one or more hardware-accelerated security services include encrypting the packet, by the encryption accelerator chipset, for IP Security (IPSec).
  - 6. The method of claim 4, wherein the one or more appropriate packet transformation include substituting a Layer 2 destination address of the packet with a next hop value, decrementing a Time-To-Live (TTL) field and updating an Internet Protocol (IP) header checksum of the packet.

7. A method comprising:
- establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information;
  
  receiving a packet at an input port of a line interface module of the VR-based network device;
  
  the line interface module forwarding the packet to a virtual routing engine (VRE);
  
  performing, by the VRE, flow-based packet classification on the packet;
  
  attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification;
  
  on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device;
  
  on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning;
  
  wherein the one or more appropriate packet transformations are associated with Generic Routing Encapsulation (GRE) tunneling and comprise encapsulation the packet within another packet;
  
  wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services; and
  
  wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, wherein the ASE includes an encryption accelerator chipset and wherein the one or more hardware-accelerated security services include encrypting the packet, by the encryption accelerator chipset, for IP Security (IPSec).
  - 9. The method of claim 7, wherein the one or more appropriate packet transformation include substituting a Layer 2 destination address of the packet with a next hop value, decrementing a Time-To-Live (TTL) field and updating an Internet Protocol (IP) header checksum of the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Hussain, Zahid, Millet, Tim
Primary Examiner(s)
PHAN, MAN U

Application Number

US15/071,097
Publication Number

US 20160197836A1
Time in Patent Office

784 Days
Field of Search

370229-235, 370392-401, 709217-246
US Class Current
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 45/00   Routing or path finding of ...

H04L 45/20   Hop count for routing purpo...

H04L 45/586   of virtual routers

H04L 45/60   Router architectures

H04L 47/10   Flow control; Congestion co...

H04L 47/125   by balancing the load, e.g....

H04L 47/2408   for supporting different se...

H04L 47/2441   relying on flow classificat...

H04L 47/2491   Mapping quality of service ...

H04L 47/326   with random discard, e.g. r...

H04L 47/50   Queue scheduling

H04L 47/6215   Individual queue per QOS, r...

H04L 47/623   Weighted service order

H04L 49/70   Virtual switches

H04L 61/2503   Translation of Internet pro...

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/061 : for key exchange, e.g. in p...

H04L 63/062 : for key distribution, e.g. ...

H04L 63/101 : Access control lists [ACL]

H04L 63/164 : at the network layer

H04L 69/22 : Parsing or analysis of headers

H04L 69/24 : Negotiation of communicatio...

View All

Service processing switch

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

256 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Service processing switch

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

256 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links