1007 results about "Overlay network" patented technology

Systems and methods for discovery and classification of denial of service attacks in a distributed computing system may employ local agents on nodes thereof to detect resource-related events. An information later agent may determine if events indicate attacks, perform clustering analysis to determine if they represent known or unknown attack patterns, classify the attacks, and initiate appropriate responses to prevent and/or mitigate the attack, including sending warnings and/or modifying resource pool(s). The information layer agent may consult a knowledge base comprising information associated with known attack patterns, including state-action mappings. An attack tree model and an overlay network (over which detection and/or response messages may be sent) may be constructed for the distributed system. They may be dynamically modified in response to changes in system configuration, state, and/or workload. Reinforcement learning may be applied to the tuning of attack detection and classification techniques and to the identification of appropriate responses.

Content networking is an emerging technology, where the requests for content accesses are steered by "content routers" that examine not only the destinations but also content descriptors such as URLs and cookies. In the current deployments of content networking, "content routing" is mostly confined to selecting the most appropriate back-end server in virtualized web server clusters. This invention presents a novel content-based routing architecture that is suitable for global content networking. In this content-based routing architecture, a virtual overlay network called the "virtual content network" is superimposed over the physical network. The content network contains content routers as the nodes and "pathways" as links. The content-based routers at the edge of the content network may be either a gateway to the client domain or a gateway to the server domain whereas the interior ones correspond to the content switches dedicated for steering content requests and replies. The pathways are virtual paths along the physical network that connect the corresponding content routers. The invention is based on tagging content requests at the ingress points. The tags are designed to incorporate several different attributes of the content in the routing process. The path chosen for routing the request is the optimal path and is chosen from multiple paths leading to the replicas of the content.

A denial-of-service network attack detection system is deployable in single-homed and multi-homed stub networks. The detection system maintains state information of flows entering and leaving the stub domain to determine if exiting traffic exceeds traffic entering the system. Monitors perform simple processing tasks on sampled packets at individual routers in the network at line speed and perform more intensive processing at the routers periodically. The monitors at the routers form an overlay network and communicate pertinent traffic state information between nodes. The state information is collected and analyzed to determine the presence of an attack.

An aspect of the present invention is a method for routing content information to a mobile user or client application. The method preferably comprises re-directing a user request to one or more gateway servers provided via an overlay network. In another aspect, the present invention is an apparatus that includes a proxy service that intercepts content information requests to the Internet and re-directs the content requests to an overlay. Another aspect of the present invention comprises a location-based Uniform Resource Locator that includes a protocol semantic portion and a location-based resolver address portion that identifies one or more resources on a network based on the geographical location of the resources.

A system and methods for the migration of complex computer applications and the workloads comprising them between physical, virtual, and cloud servers that span a hybrid cloud environment comprising private local and remote customer data centers and public cloud data centers, without modification to the applications, their operational environments, or user access procedures. A virtual network manager securely extends the subnets and VLANS within the customer's various data center across the distributed, hybrid environment using overlay networks implemented with virtual network appliances at nodes of the overlay network. A server migrater migrates individual workloads of servers used by the complex application from one pool of server resources to another. A migration manager application provides a control interface, and also maps and manages the resources of the complex application, the hybrid environment, and the virtual network spanning the hybrid cloud environment.

A system and method for providing operator and customer services for automated telecommunications services on an intelligent overlay network (104) is disclosed. Operator and customer services are provided by an intelligent network (102). The intelligent network (102) comprises an automated call distributor (116); an application processor (118); an advanced intelligent network gateway (AIN Gateway) (120); a validation gateway (122); and enhanced operator consoles (126). The AIN Gateway provides the intelligent network with an interface to the intelligent overlay network. This allows components within the intelligent network to communicate with components in the intelligent overlay network, and vice-versa. The validation gateway provides the intelligent network with an interface to credit card validation systems (114), and is used to apply charges to customer credit cards. Enhanced operator consoles provide for efficient and seamless integration of operator and customer services to automated services running on the intelligent overlay network. Such enhanced operator consoles are provided in the form of customized application programs that are executed by the operator consoles based on the context of calls that are transferred from the intelligent overlay network.

An information handling system is provided. The information handling system includes a first hypervisor running on a first host and a second hypervisor running on a second host. The first hypervisor managing a first virtual switch, and the second hypervisor managing a second virtual switch. The information handling system also includes a plurality of virtual machines (VMs), including a first VM, which is part of a first tenant, running on the first host, and a second VM, part of a second tenant, running on the second host. The first virtual switch has a mapping in memory that maps a customer-specific multicast IP address, used by the plurality of VMs to indicate a multicast group that includes VMs on the first and second tenants, to a global multicast IP address used by the first and second hosts.

In a method of managing a content-based network, which is typically XML-based, and optionally may be overlaid on an underlying network having a plurality of network elements interconnected by links, a link state protocol maintains each network element's topological view of the overlay network from the underlying network. A subscription management protocol ensures dissemination of published content within the content-based network independently of the link state protocol.

An network of proxy servers overlaying a wide area network that comprises a plurality of autonomous systems establishes a hierarchial multicast tree overlay network structure for providing streaming live media from media sources to end users. The tree structure is constructed and maintained by peer-to-peer negotiations between proxy servers that identify proxy servers and data paths that optimize utilization of network resources based upon minimizing costs as a function of loadings. The proxy servers maintain information about the status of neighboring proxy servers, and exchange messages to redirect join requests to more suitable proxies, to redistribute portions of their own loads when they are overutilized, and to consolidate loads when they are underutilized.

A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport. According to another feature, data flows within the overlay directed to a particular edge region may be load-balanced while still preserving IPsec replay protection.

Described embodiments provide a method and apparatus for redirecting user equipment from a current serving cell of a first network to a corresponding target cell of a second network in a heterogeneous overlay network environment. A current serving base station of the first network may receive signal quality measurements from user equipment coupled to the current serving cell of the first network. Based on the received signal quality measurements, the current serving base station may determine whether signal quality of the user equipment is lower than predetermined reference quality based on at least one of the received signal quality measurements. When the signal quality of the user equipment is lower than the predetermined reference quality, the current serving base station may redirect the user equipment from the current serving cell of the first network to the corresponding target cell of the second network.

The present invention relates to a P2P network system. The P2P network system includes: multiple local overlay networks, each comprising multiple proxy service peers; a global overlay network composed of the proxy service peers of all local overlay networks. The proxy service peer is adapted to respond to the request of the requesting peer, query the local overlay network or global overlay network, and return the address information of the requested peer or the requested proxy service peer to the requesting peer. The present invention also relates to a proxy service peer applicable to the foregoing network system, and a method of peer interworking between P2P overlay networks based on the foregoing system. The present invention relieves the load of the proxy service peer, avoids blindness of the requesting peer in selecting the proxy service peer, and achieves load balance between proxy service peers.

A method for providing support for multi-tenancy in single root input/out virtualization (SR-IOV) enabled physical network interface controller (NIC) is provided. The NIC is associated with a host. The SR-IOV provides a physical function (PF) and a set of virtual functions (VFs) for the NIC. The method at a VF of the physical NIC, receives a mapping table of an overlay network which associates an identification of each of a set of virtual machine (VM) of a tenant on the host to an identification of a tunnel end point on the overlay network. The method receives a transmit packet from a VM connected to the VF and performs a lookup in the mapping table to identify source and destination tunnel end points associated with source and destination VMs in the packet. The method encapsulates the packet, for transmission through the tunnel end point associated with the source VM.

A method for offloading packet encapsulation for an overlay network is provided. The method, at a virtualization software of a host, sends a mapping table of the overlay network to a physical network interface controller (NIC) associated with the host. The mapping table maps the identification of each of a set of virtual machine (VM) of a tenant on the host to an identification of a tunnel on the overlay network. The method, at the virtualization software, receives a packet from a VM of the tenant. The method sends the packet to the physical NIC. The method, at the physical NIC, encapsulates the packet for transmission over the overlay network by using the mapping table. The method of claim also tags the packet by the virtualization software as a packet that requires encapsulation for transmission in the overlay network prior to sending the packet to the physical NIC.

Some embodiments provide a novel way to insert a service (e.g., a third party service) in the path of a data message flow, between two machines (e.g., two VMs, two containers, etc.) in a public cloud environment. For a particular tenant of the public cloud, some embodiments create an overlay logical network with a logical overlay address space. To perform a service on data messages of a flow between two machines, the logical overlay network passes to the public cloud's underlay network the data messages with their destination address (e.g., destination IP addresses) defined in the logical overlay network. The underlay network (e.g., an underlay default downlink gateway) is configured to pass data messages with such destination addresses (e.g., with logical overlay destination addresses) to a set of one or more service machines. The underlay network (e.g., an underlay default uplink gateway) is also configured to pass to the particular tenant's public cloud gateway the processed data messages that are received from the service machine set and that are addressed to logical overlay destination addresses. The tenant's public cloud gateway is configured to forward such data messages to a logical forwarding element of the logical network, which then handles the forwarding of the data messages to the correct destination machine.

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Methods, systems, and computer programs for implementing private Ethernet overlay networks over a shared Ethernet infrastructure in a virtual environment are presented. In one embodiment, a method includes an operation for sending a packet on a private virtual network from a first virtual machine (VM) in a first host to a second VM. The first and second VMs are members of a fenced group of computers that have exclusive direct access to the private virtual network, where VMs outside the fenced group do not have direct access to the packets that travel on the private virtual network. Further, the method includes encapsulating the packet at the first host to include a new header as well as a fence identifier for the fenced group. If the encapsulated packet is too big for the underlying network, the packet is fragmented for transmission between hosts. The packet is received at a host where the second VM is executing and the packet is de-encapsulated to extract the new header and the fence identifier. Additionally, the method includes an operation for delivering the de-encapsulated packet to the second VM after validating that the destination address in the packet and the fence identifier correspond to the destination address and the fence identifier, respectively, of the second VM. The private virtual network scheme is transparent to the VM's operating system, and unicast messaging within the fenced group improves network efficiency.

A system and method are disclosed for forwarding data in hybrid wireless mesh networks. The method includes configuring a number of mesh network nodes as Potential Relay Nodes (PRNs) in an overlay network associated with a hybrid wireless mesh network, streaming data packets from a source node to a destination node using a native data forwarding algorithm of the hybrid wireless mesh network, dynamically identifying Relay Nodes (RNs) among PRNs in the overlay network, creating secondary paths for sending data packets towards selected RNs in the overlay network, and relaying data packets from RNs to the destination node using the overlay network.

A method selects multiple paths between a server and a client in an overlay network where nodes are connected by links. The nodes include the server and the client. Each path includes a set of selected links. First, in each node, Quality of service metrics are measured of each link directly connecting the node to an immediate neighboring node. The metrics are transmitted to the server. In the server, a link correlation matrix based on the metrics and a path correlation matrix based on the link correlation matrix are determined. Then, the multiple paths are selected based only on the metrics, the link correlation matrix, and the path correlation matrix.

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

A data compute node executes (i) a set of tenant applications connected to a third party overlay network, (ii) a set of network manager applications, and (iii) a managed forwarding element that includes a pair of overlay and underlay network virtual adapters. A packet that is received from a network manager application and addressed to an underlay network destination is sent to the underlay network destination address through a physical NIC of the host without network address translation or encapsulation. A packet that is received from a tenant application and addressed to an underlay network destination is subject to SNAT and is sent to the underlay network destination address. A packet that is received from a tenant application and is addressed an overlay destination address is encapsulated with the header of the overlay network and is sent to the overlay network destination address through the underlay virtual adapter.