公开(公告)号：US11063877B1

公开(公告)日：2021-07-13

申请号：US16747571

申请日：2020-01-21

Applicant: Juniper Networks, Inc.

Inventor： Prashant Singh ,  Sreekanth Rupavatharam ,  Hariprasad Shanmugam ,  Erin C. MacNeil

IPC: H04L12/805 ,  H04L12/935 ,  H04L12/861 ,  H04L12/879 ,  H04L12/841 ,  H04L29/06

Abstract: A socket-intercept layer in kernel space on a network device may intercept a packet destined to egress out of the network device. The socket-intercept layer may then query a routing daemon for the Maximum Transmission Unit (MTU) value of the interface out of which that packet is to egress from the network device. In response to this query, the routing daemon may provide the socket-intercept layer with the MTU value of that interface. A tunnel driver in kernel space may identify the size of the packet and fragment the packet into segments whose sizes are each less than or equal to the MTU value of the interface. The tunnel driver may then push the segments of the packet to a packet forwarding engine on the network device. In turn, the packet forwarding engine may forward the segments of the packet to the corresponding destination via the interface.

公开(公告)号：US10798062B1

公开(公告)日：2020-10-06

申请号：US16654915

申请日：2019-10-16

Applicant: Juniper Networks, Inc.

Inventor： Prashant Singh ,  Sreekanth Rupavatharam ,  Hariprasad Shanmugam

IPC: H04L29/06

Abstract: A disclosed method for applying firewall rules on packets in kernel space on network devices may include (1) intercepting, via a socket-intercept layer in kernel space on a routing engine of a network device, a packet that is destined for a remote device and then, in response to intercepting the packet in kernel space on the routing engine, (2) identifying an egress interface index that specifies an egress interface that (A) is external to kernel space and (B) is capable of forwarding the packet from the network device to the remote device, and (3) applying, on the packet in kernel space, at least one firewall rule based at least in part on the egress interface index before the packet egresses from the routing engine. Various other apparatuses, systems, and methods are also disclosed.

公开(公告)号：US10594618B1

公开(公告)日：2020-03-17

申请号：US15615016

申请日：2017-06-06

Applicant: Juniper Networks, Inc.

Inventor： Prashant Singh ,  Sreekanth Rupavatharam ,  Hariprasad Shanmugam ,  Erin C. MacNeil

IPC: H04L12/805 ,  H04L12/861 ,  H04L12/935 ,  H04L29/06 ,  H04L12/879 ,  H04L12/841

Abstract: The disclosed apparatus may include (1) a physical routing engine that comprises (A) a socket-intercept layer, stored in kernel space, that (I) intercepts a packet that is destined for a remote device and (II) queries, in response to intercepting the packet in kernel space, a routing daemon in user space for an MTU value of an egress interface that is to forward the packet from the network device to the remote device and (B) a tunnel driver, stored in kernel space, that fragments the packet into segments whose respective sizes each comply with the MTU value of the egress interface and (2) a physical packet forwarding engine that forwards the segments of the packet to the remote device by way of the egress interface. Various other apparatuses, systems, and methods are also disclosed.

公开(公告)号：US10127091B1

公开(公告)日：2018-11-13

申请号：US15388018

申请日：2016-12-22

Applicant: Juniper Networks, Inc.

Inventor： Erin C. MacNeil ,  Hariprasad Shanmugam ,  Sreekanth Rupavatharam

IPC: G06F9/54

Abstract: A device may receive, by a kernel of the device and from a loadable kernel module of the device, information that instructs the kernel to invoke a callback function associated with the loadable kernel module based on an execution of a hook of the kernel. The device may receive, by the kernel of the device and from an application of the device, a socket application programming interface (API) call. The socket API call may include control information. The device may execute, by the kernel of the device, the hook based on receiving the socket API call. The device may invoke, by the kernel of the device, the callback function associated with the loadable kernel module based on executing the hook to permit a functionality associated with the callback function to be provided. The kernel may provide the control information, associated with the socket API call, to the callback function as an argument.

公开(公告)号：US10887282B1

公开(公告)日：2021-01-05

申请号：US16166030

申请日：2018-10-19

Applicant: Juniper Networks, Inc.

Inventor： Sreekanth Rupavatharam ,  Prashant Singh ,  Hariprasad Shanmugam

IPC: G06F21/00 ,  H04L29/06 ,  H04L12/26 ,  G06F16/22

Abstract: Filter synchronization across a restart of a firewall filter application for converting filter information for filters into corresponding iptables filter table rules, is ensured by (1) computing a hash value for filter information derived from a filter using the filter or information derived from the filter, (2) determining an iptables filter table rule using the filter information for the filter, (3) associating the hash value with the corresponding iptables filter table rule, and (4) adding the determined iptables filter table rule and the hash value to iptables filter table rules in a Linux kernel. When a restart of the firewall filter application is detected, (1) a current instance of filter information derived from a current instance of the filter is obtained, (2) a hash value for the current instance of filter information is computed using the current instance of the filter or information derived from the current instance of the filter, (3) the hash value for the filter information is obtained from the iptables rules, and (4) whether the hash value for the current instance of the filter information is the same as the hash value for the filter information is determined. If it is determined that the hash value for the current instance of the filter information is not the same as the hash value for the filter information, then (1) a new iptables rule for the current instance of the filter information is determined, and (2) the iptables filter rule and the hash value in the iptables rules is replaced with the new iptables rule and the hash value for the current instance of the filter information.

公开(公告)号：US10798059B1

公开(公告)日：2020-10-06

申请号：US15726718

申请日：2017-10-06

Applicant: Juniper Networks, Inc.

Inventor： Prashant Singh ,  Sreekanth Rupavatharam ,  Hariprasad Shanmugam ,  Erin MacNeil

IPC: H04L29/06 ,  H04L29/08

Abstract: A disclosed method may include (1) receiving a packet at a tunnel driver in kernel space on a routing engine of a network device, (2) identifying, at the tunnel driver, metadata of the packet that indicates whether at least one firewall filter had already been correctly applied to the packet before the packet arrived at the tunnel driver, (3) determining, based at least in part on the metadata of the packet, that the firewall filter had not been correctly applied to the packet before the packet arrived at the tunnel driver, and then in response to determining that the firewall filter had not been correctly applied to the packet, (4) invoking at least one firewall filter hook that applies at least one firewall rule on the packet before the packet is allowed to exit kernel space on the routing engine. Various other apparatuses systems, and methods are also disclosed.

公开(公告)号：US10740162B2

公开(公告)日：2020-08-11

申请号：US16176694

申请日：2018-10-31

Applicant: Juniper Networks, Inc.

Inventor： Erin C. MacNeil ,  Hariprasad Shanmugam ,  Sreekanth Rupavatharam

IPC: G06F9/54

Abstract: A device may receive, by a kernel of the device and from a loadable kernel module of the device, information that instructs the kernel to invoke a callback function associated with the loadable kernel module based on an execution of a hook of the kernel. The device may receive, by the kernel of the device and from an application of the device, a socket application programming interface (API) call. The socket API call may include control information. The device may execute, by the kernel of the device, the hook based on receiving the socket API call. The device may invoke, by the kernel of the device, the callback function associated with the loadable kernel module based on executing the hook to permit a functionality associated with the callback function to be provided. The kernel may provide the control information, associated with the socket API call, to the callback function as an argument.

公开(公告)号：US11388140B1

公开(公告)日：2022-07-12

申请号：US16940425

申请日：2020-07-28

Applicant: Juniper Networks, Inc.

Inventor： Prashant Singh ,  Sreekanth Rupavatharam ,  Hariprasad Shanmugam ,  Erin MacNeil

IPC: H04L9/40 ,  H04L69/22 ,  H04L69/329

Abstract: A disclosed method may include (1) receiving a packet at a tunnel driver in kernel space on a routing engine of a network device, (2) identifying, at the tunnel driver, metadata of the packet that indicates whether at least one firewall filter had already been correctly applied to the packet before the packet arrived at the tunnel driver, (3) determining, based at least in part on the metadata of the packet, that the firewall filter had not been correctly applied to the packet before the packet arrived at the tunnel driver, and then in response to determining that the firewall filter had not been correctly applied to the packet, (4) invoking at least one firewall filter hook that applies at least one firewall rule on the packet before the packet is allowed to exit kernel space on the routing engine. Various other apparatuses, systems, and methods are also disclosed.

公开(公告)号：US10742570B1

公开(公告)日：2020-08-11

申请号：US15447658

申请日：2017-03-02

Applicant: Juniper Networks, Inc.

Inventor： Sreekanth Rupavatharam ,  Erin C. MacNeil ,  Hariprasad Shanmugam

IPC: H04L12/935 ,  H04L12/713 ,  H04L12/741

Abstract: A device may receive, from the packet processing component and through an internal interface, a packet that includes a virtual routing and forwarding (VRF) interface identifier associated with a VRF interface of a virtual device. The internal interface may be associated with multiple external interfaces. The device may modify a value identifying an incoming interface via which the packet is received after receiving the packet that includes the VRF interface identifier. The modified value may be associated with the virtual device, and the modified value may allow an upper communication layer to determine that the packet is associated with the virtual device. The device may provide the packet to the upper communication layer after modifying the value identifying the incoming interface via which the packet is received to permit the upper communication layer to forward the packet to a destination.

公开(公告)号：US10362070B1

公开(公告)日：2019-07-23

申请号：US15241834

申请日：2016-08-19

Applicant: Juniper Networks, Inc.

Inventor： Sreekanth Rupavatharam ,  Hariprasad Shanmugam ,  Erin C. MacNeil

IPC: H04L29/06 ,  H04L5/00 ,  H04L29/08

Abstract: The disclosed method may include (1) receiving a synchronize message from a computing device to initiate synchronization between the computing device and a server with respect to a communication protocol, (2) notifying an application in user space on the server of the synchronize message such that the application in user space selects at least one attribute to be applied to a communication session resulting from the synchronization between the computing device and the server, (3) sending a synchronize acknowledgment that identifies the attribute selected by the application in user space to the computing device to further the synchronization between the computing device and the server, and then (4) establishing the communication session with the attribute selected by the application in user space upon receiving an acknowledgment message from the computing device to complete the synchronization. Various other methods, systems, and apparatuses are also disclosed.