-
Publication No.: US11349932B2
Publication Date: 2022-05-31
Application No.: US16917152
Application Date: 2020-06-30
Applicant: Cisco Technology, Inc.
Inventor: Paul Quinn, Kyle Andrew Donald Mestery
IPC: H04L29/08, H04L29/12, H04L67/141, H04L61/4511
Abstract: Techniques for policy-based connection provisioning using Domain Name System (DNS) requests are described herein. The techniques may include receiving policy data associated with one or more headend nodes that manage connections to computing resources. Additionally, the techniques may include receiving a DNS request from a client device to establish a connection between the client device and a first headend node of the one or more headend nodes. The DNS request may include an attribute associated with the client device. A provisioning service may determine that the connection should be established between the client device and the first headend node based at least in part on evaluating the attribute with respect to the policy data. Additionally, the techniques may include sending an internet protocol (IP) address, which is associated with the first headend node, to the client device to facilitate establishment of the connection.
-
Publication No.: US11316936B2
Publication Date: 2022-04-26
Application No.: US17333716
Application Date: 2021-05-28
Applicant: Cisco Technology, Inc.
Inventor: Ian James Wells, Kyle Andrew Donald Mestery
IPC: H04L29/02, H04L67/51, H04L41/12, H04L67/1019, H04L67/56
Abstract: Methods and architecture for load-correcting requests for serverless functions to reduce latency of serverless computing are provided. An example technique exploits knowledge that a given server node does not have a serverless function ready to run or is overloaded. Without further processing overhead or communication, the server node shifts the request to a predetermined alternate node without assessing a current state of the alternate node, an efficient decision based on probability that a higher chance of fulfillment exists at the alternate node than at the current server, even with no knowledge of the alternate node. In an implementation, the server node refers the request but also warms up the requested serverless function, due to likelihood of repeated requests or in case the request is directed back. An example device has a front-end redirecting server and a backend serverless system in a single component.
-
Publication No.: US20210409496A1
Publication Date: 2021-12-30
Application No.: US16917152
Application Date: 2020-06-30
Applicant: Cisco Technology, Inc.
Inventor: Paul Quinn, Kyle Andrew Donald Mestery
Abstract: Techniques for policy-based connection provisioning using Domain Name System (DNS) requests are described herein. The techniques may include receiving policy data associated with one or more headend nodes that manage connections to computing resources. Additionally, the techniques may include receiving a DNS request from a client device to establish a connection between the client device and a first headend node of the one or more headend nodes. The DNS request may include an attribute associated with the client device. A provisioning service may determine that the connection should be established between the client device and the first headend node based at least in part on evaluating the attribute with respect to the policy data. Additionally, the techniques may include sending an internet protocol (IP) address, which is associated with the first headend node, to the client device to facilitate establishment of the connection.
-
Publication No.: US20210314188A1
Publication Date: 2021-10-07
Application No.: US16842362
Application Date: 2020-04-07
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Grzegorz Boguslaw Duraj
Abstract: Techniques for detecting inactive peers of a tunneled communication session, while allowing for a scalable tunneled protocol that includes split control plane nodes and data plane nodes are described herein. A method according to a technique described herein may include establishing a communication session between a first node and a second node in a network such that control plane traffic of the communication session flows through one or more control nodes and data plane traffic of the communication session flows through one or more data nodes different than the one or more control nodes. The method may also include receiving, at a control node, an indication from a data node that a probe message is to be generated. The probe message may be configured to determine data plane connectivity in the communication session. Additionally, the control node may generate the probe message and send it to the first node.
-
Publication No.: US11057480B1
Publication Date: 2021-07-06
Application No.: US16846111
Application Date: 2020-04-10
Applicant: Cisco Technology, Inc.
Inventor: Ian James Wells, Kyle Andrew Donald Mestery
Abstract: Methods and architecture for load-correcting requests for serverless functions to reduce latency of serverless computing are provided. An example technique exploits knowledge that a given server node does not have a serverless function ready to run or is overloaded. Without further processing overhead or communication, the server node shifts the request to a predetermined alternate node without assessing a current state of the alternate node, an efficient decision based on probability that a higher chance of fulfillment exists at the alternate node than at the current server, even with no knowledge of the alternate node. In an implementation, the server node refers the request but also warms up the requested serverless function, due to likelihood of repeated requests or in case the request is directed back. An example device has a front-end redirecting server and a backend serverless system in a single component.
-
Publication No.: US10764244B1
Publication Date: 2020-09-01
Application No.: US16439441
Application Date: 2019-06-12
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Jerome Tollet, Ian Wells, Aloÿs Christophe Augustin
Abstract: A method includes, in a constellation of clients including a first client and a second client, receiving, at the first client, a connection request from the second client, retrieving endpoint reachability data associated with the second client and transmitting, to a server, a connection request based on the endpoint reachability data. The first client receives, from the server and based on the connection request, endpoint reachability information associated with the second client and starts a bidirectional connection with the second client. A direct or indirect tunnel is established between the first client and the second client. The tunnel is set up based on a table which maps a first connectivity option associated with the first client to a second connectivity option associated with the second client to determine whether to establish the direct tunnel or the indirect tunnel between the first client and the second client.
-
Publication No.: US12192186B2
Publication Date: 2025-01-07
Application No.: US18389417
Application Date: 2023-11-14
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Vincent E. Parla
Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.
-
Publication No.: US12063282B2
Publication Date: 2024-08-13
Application No.: US17719867
Application Date: 2022-04-13
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla, Kyle Andrew Donald Mestery, Rajvardhan Somraj Deshmukh, Nancy Patricia Cam-Winget
IPC: H04L67/561, H04L9/40, H04L12/46, H04L45/00, H04L45/42, H04L61/103, H04L61/4511, H04L67/02, H04L67/101, H04L67/1012, H04L67/141, H04L67/562
CPC classification number: H04L67/561, H04L12/4633, H04L12/4641, H04L45/42, H04L45/66, H04L61/103, H04L61/4511, H04L63/0236, H04L63/0281, H04L63/029, H04L63/0435, H04L67/02, H04L67/101, H04L67/1012, H04L67/141, H04L67/562
Abstract: Techniques for encoding metadata representing a policy into a QUIC connection ID are described herein. A metadata-aware network including one or more enforcement nodes, a policy engine, and/or a connection datastore may be utilized to enforce a policy and route communications on a QUIC connection. The policy engine may be configured to encode metadata representing one or more network policies into a QUIC source connection ID (SCID) and/or may store a mapping between the SCID and a corresponding destination connection ID (DCID) in the connection datastore. The policy engine may communicate with a QUIC application server and/or one or more QUIC proxy nodes to encode the SCID into a QUIC packet. The enforcement nodes may access the metadata and enforce the policies via a connection ID included in a QUIC header of a QUIC packet or by performing a lookup in the connection datastore using the connection ID.
-
Publication No.: US12063269B2
Publication Date: 2024-08-13
Application No.: US18122571
Application Date: 2023-03-16
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla, Kyle Andrew Donald Mestery
IPC: H04L67/101, H04L9/40, H04L41/0803, H04L41/0894, H04L67/1008
CPC classification number: H04L67/101, H04L41/0803, H04L41/0894, H04L63/0272, H04L63/0281, H04L63/1416, H04L63/20, H04L67/1008
Abstract: Techniques for operationalizing workloads at edge network nodes, while maintaining centralized intent and policy controls. The techniques may include storing, in a cloud-computing network, a workload image that includes a function capability. The techniques may also include receiving, at the cloud-computing network, a networking policy associated with an enterprise network. Based at least in part on the networking policy, a determination may be made at the cloud-computing network that the function capability is to be operationalized on an edge device of the enterprise network. The techniques may also include sending the workload image to the edge device to be installed on the edge device to operationalize the function capability. In some examples, the function capability may be a security function capability (e.g., proxy, firewall, etc.), a routing function capability (e.g., network address translation, load balancing, etc.), or any other function capability.
-
Publication No.: US12003424B2
Publication Date: 2024-06-04
Application No.: US18111075
Application Date: 2023-02-17
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery, Andree Toonk, Rahim Lalani, Ian James Wells
IPC: H04L47/726, H04L9/40, H04L45/12, H04L45/125, H04L45/42, H04L45/7453, H04L47/78, H04L47/80, H04L67/10, H04L67/1027, H04L67/1097, H04L67/146
CPC classification number: H04L47/726, H04L45/42, H04L47/781, H04L47/801, H04L63/166, H04L67/1097
Abstract: Techniques for load balancing communication sessions in a networked computing environment are described herein. The techniques may include establishing a first communication session between a client device and a first computing resource of a networked computing environment. Additionally, the techniques may include storing, in a data store, data indicating that the first communication session is associated with the first computing resource. The techniques may further include receiving, at a second computing resource of the networked computing environment, traffic associated with a second communication session that was sent by the client device, and based at least in part on accessing the data stored in the data store, establishing a traffic redirect such that the traffic and additional traffic associated with the second communication session is sent from the second computing resource to the first computing resource.