Patents by Inventor Nicholas Alexander Wondra
Nicholas Alexander Wondra has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240107294Abstract: Traffic is received at a distributed cloud computing network. The traffic originates from a computing device using a mobile data connection. The traffic is associated with an identifier that identifies a SIM of the computing device. Using the SIM identifier, an identity for identity-based policy enforcement at the distributed cloud computing network is determined. The identity is uniquely associated with the SIM identifier. An identity-based policy that is applicable for the received traffic for the determined identity is determined. The identity-based policy is enforced.Type: ApplicationFiled: September 26, 2023Publication date: March 28, 2024Inventors: Matthew Silverlock, Christian Ehrig, Oliver Zi-gang Yu, Nicholas Alexander Wondra, Catarina Pires Mota
-
Publication number: 20240098061Abstract: Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined including an identifier of a customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information is transmitted over a cross-customer GRE tunnel to a namespace of the second costumer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, then the traffic is transmitted.Type: ApplicationFiled: November 28, 2023Publication date: March 21, 2024Inventor: Nicholas Alexander Wondra
-
Patent number: 11895009Abstract: A request from a client device is received at a first one of a plurality of compute nodes at a first one of a plurality of data centers of a distributed cloud computing network. A destination of the request is determined. An optimized route for transmitting the request toward an origin server that corresponds with the destination of the request is determined, where the optimized route is based on at least in part on probe data between data centers of the distributed cloud computing network for a plurality of transit connections, and where the optimized route has an IP address that encodes an identification of which of the plurality of transit connections is to be used to deliver the request. The request is transmitted to a next hop as defined by the optimized route over the identified one of the plurality of transit connections.Type: GrantFiled: December 28, 2022Date of Patent: February 6, 2024Assignee: CLOUDFLARE, INC.Inventors: Braden Ehrat, Jay A. Kreibich, Jérôme Fleury, Michael Vanderwater, Nicholas Alexander Wondra, Richard Thompson
-
Patent number: 11894947Abstract: A GRE tunnel is configured between multiple computing devices of a distributed cloud computing network and a single origin router of the origin network. The GRE tunnel has a first GRE endpoint that has an IP address that is shared among the computing devices of the distribute cloud computing network and a second GRE endpoint that has a publicly routable IP address of the origin router. A first computing device receives an IP packet from a client that is destined to an origin server. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate a GRE encapsulated packet whose source address is the first GRE endpoint and the destination address is the second GRE endpoint. The GRE encapsulated packet is transmitted over the GRE tunnel to the single origin router.Type: GrantFiled: December 18, 2022Date of Patent: February 6, 2024Assignee: CLOUDFLARE, INC.Inventors: Nicholas Alexander Wondra, Achiel Paul van der Mandele, Alexander Forster, Eric Reeves, Joaquin Madruga, Rustam Xing Lalkaka, Marek Przemyslaw Majkowski
-
Patent number: 11863655Abstract: A first transport protocol connection is established between a first proxy network element and a second proxy network element. The first proxy network element receives from a first Border Gateway Protocol (BGP) client, first BGP data destined to a second BGP client that is connected to the second proxy network element. The first BGP data is transmitted to the second proxy network element through the first transport protocol connection for delivery to the second BGP client. The first proxy network element receives second BGP data destined to the second BGP client. Responsive to determining that the first transport protocol connection is down, the first proxy network element stores the second BGP data and establishes a second transport protocol connection to the second proxy network element. The second BGP data is transmitted to the second proxy network element through the second transport protocol connection.Type: GrantFiled: November 1, 2022Date of Patent: January 2, 2024Assignee: CLOUDFLARE, INC.Inventors: Michael John Vanderwater, Nicholas Alexander Wondra
-
Patent number: 11831607Abstract: Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined including an identifier of a customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information is transmitted over a cross-customer GRE tunnel to a namespace of the second costumer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, then the traffic is transmitted.Type: GrantFiled: October 31, 2022Date of Patent: November 28, 2023Assignee: CLOUDFLARE, INC.Inventor: Nicholas Alexander Wondra
-
Publication number: 20230328001Abstract: A method of path MTU determination in Generic Routing Encapsulation (GRE) tunnel is presented. A source network device (ND) transmits, to a destination ND that is a second endpoint of the GRE tunnel, a first outer packet including a first inner packet, where the first inner packet includes a first inner header that is used to deliver the first inner packet to the source network device, a first inner GRE header, and a first payload. The source ND receives the first inner packet. The source ND transmits a second outer packet including a second inner packet that includes a second payload that has a size greater than a size of the first payload. The source ND determines that the second inner packet is not received and determines a path MTU between the source ND and the destination ND based on a size of the first and the second outer packets.Type: ApplicationFiled: June 12, 2023Publication date: October 12, 2023Inventors: Nicholas Alexander WONDRA, Erich Alfred HEINE, Yan ZHAI
-
Patent number: 11784912Abstract: A request from a client device is received at a first one of a plurality of compute nodes at a first one of a plurality of data centers of a distributed cloud computing network. A destination of the request is determined. An optimized route for transmitting the request toward an origin server that corresponds with the destination of the request is determined, where the optimized route is based on at least in part on probe data between data centers of the distributed cloud computing network for a plurality of transit connections, and where the optimized route has an IP address that encodes an identification of which of the plurality of transit connections is to be used to deliver the request. The request is transmitted to a next hop as defined by the optimized route over the identified one of the plurality of transit connections.Type: GrantFiled: May 13, 2020Date of Patent: October 10, 2023Assignee: CLOUDFLARE, INC.Inventors: Braden Ehrat, Jay A. Kreibich, Jérôme Fleury, Michael Vanderwater, Nicholas Alexander Wondra, Richard Thompson
-
Publication number: 20230308415Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g.Type: ApplicationFiled: May 31, 2023Publication date: September 28, 2023Inventors: Nicholas Alexander Wondra, Igor Postelnik, Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine
-
Patent number: 11677675Abstract: Path MTU determination in Generic Routing Encapsulation (GRE) tunnel is presented. A source network device transmits, to a destination network device that is a second endpoint of the GRE tunnel, multiple GRE encapsulated packets that include multiple inner packets respectively, where each inner packet has an inner header used to deliver that inner packet to the source network device and a different payload, and where each of these GRE encapsulated packets has a different size. The source network device receives a first portion of the inner packets from the destination network device and does not receive a second portion of the inner packets. The source network device determines a path MTU to the destination network device based on the size of the GRE encapsulated packet with a largest size for which a corresponding inner packet is received at the source network device from the destination network device.Type: GrantFiled: October 25, 2021Date of Patent: June 13, 2023Assignee: CLOUDFLARE, INC.Inventors: Nicholas Alexander Wondra, Erich Alfred Heine, Yan Zhai
-
Patent number: 11677717Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g.Type: GrantFiled: March 21, 2022Date of Patent: June 13, 2023Assignee: CLOUDFLARE, INC.Inventors: Nicholas Alexander Wondra, Igor Postelnik, Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine
-
Publication number: 20230134974Abstract: A request from a client device is received at a first one of a plurality of compute nodes at a first one of a plurality of data centers of a distributed cloud computing network. A destination of the request is determined. An optimized route for transmitting the request toward an origin server that corresponds with the destination of the request is determined, where the optimized route is based on at least in part on probe data between data centers of the distributed cloud computing network for a plurality of transit connections, and where the optimized route has an IP address that encodes an identification of which of the plurality of transit connections is to be used to deliver the request. The request is transmitted to a next hop as defined by the optimized route over the identified one of the plurality of transit connections.Type: ApplicationFiled: December 28, 2022Publication date: May 4, 2023Inventors: Braden Ehrat, Jay A. Kreibich, Jérôme Fleury, Michael Vanderwater, Nicholas Alexander Wondra, Richard Thompson
-
Publication number: 20230124628Abstract: A GRE tunnel is configured between multiple computing devices of a distributed cloud computing network and a single origin router of the origin network. The GRE tunnel has a first GRE endpoint that has an IP address that is shared among the computing devices of the distribute cloud computing network and a second GRE endpoint that has a publicly routable IP address of the origin router. A first computing device receives an IP packet from a client that is destined to an origin server. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate a GRE encapsulated packet whose source address is the first GRE endpoint and the destination address is the second GRE endpoint. The GRE encapsulated packet is transmitted over the GRE tunnel to the single origin router.Type: ApplicationFiled: December 18, 2022Publication date: April 20, 2023Inventors: Nicholas Alexander Wondra, Achiel Paul van der Mandele, Alexander Forster, Eric Reeves, Joaquin Madruga, Rustam Xing Lalkaka, Marek Przemyslaw Majkowski
-
Publication number: 20230074300Abstract: An IPsec tunnel request for establishing an IPsec tunnel from a customer router to an anycast IP address of a distributed cloud computing network is received. The same anycast IP address is shared among compute servers of the distributed cloud computing network. A handshake is performed with the customer router from a first compute server including generating security associations for encrypting and decrypting IPsec traffic. The security associations are propagated to each compute server and are used for encrypting and decrypting traffic.Type: ApplicationFiled: October 31, 2022Publication date: March 9, 2023Inventors: Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine, Nicholas Alexander Wondra
-
Publication number: 20230052895Abstract: A first transport protocol connection is established between a first proxy network element and a second proxy network element. The first proxy network element receives from a first Border Gateway Protocol (BGP) client, first BGP data destined to a second BGP client that is connected to the second proxy network element. The first BGP data is transmitted to the second proxy network element through the first transport protocol connection for delivery to the second BGP client. The first proxy network element receives second BGP data destined to the second BGP client. Responsive to determining that the first transport protocol connection is down, the first proxy network element stores the second BGP data and establishes a second transport protocol connection to the second proxy network element. The second BGP data is transmitted to the second proxy network element through the second transport protocol connection.Type: ApplicationFiled: November 1, 2022Publication date: February 16, 2023Inventors: Michael John VANDERWATER, Nicholas Alexander WONDRA
-
Publication number: 20230045949Abstract: Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined including an identifier of a customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information is transmitted over a cross-customer GRE tunnel to a namespace of the second costumer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, then the traffic is transmitted.Type: ApplicationFiled: October 31, 2022Publication date: February 16, 2023Inventor: Nicholas Alexander Wondra
-
Patent number: 11533197Abstract: A GRE tunnel is configured between multiple computing devices of a distributed cloud computing network and a single origin router of the origin network. The GRE tunnel has a first GRE endpoint that has an IP address that is shared among the computing devices of the distribute cloud computing network and a second GRE endpoint that has a publicly routable IP address of the origin router. A first computing device receives an IP packet from a client that is destined to an origin server. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate a GRE encapsulated packet whose source address is the first GRE endpoint and the destination address is the second GRE endpoint. The GRE encapsulated packet is transmitted over the GRE tunnel to the single origin router.Type: GrantFiled: September 21, 2021Date of Patent: December 20, 2022Assignee: CLOUDFLARE, INC.Inventors: Nicholas Alexander Wondra, Achiel Paul van der Mandele, Alexander Forster, Eric Reeves, Joaquin Madruga, Rustam Xing Lalkaka, Marek Przemyslaw Majkowski
-
Patent number: 11489948Abstract: Method and network elements (NEs) for enabling reliable application layer data transmission through an unreliable network are described. A proxy NE receives from a first NE through a first transport protocol connection first application layer data. The proxy NE transmits the first application layer data through a second transport protocol connection towards the second NE. The proxy NE receives from the first NE through the first transport protocol connection second application layer data that is destined to the second NE. Responsive to determining that there are no transport protocol connections for transmitting the second application layer date, the proxy NE stores the second application layer data in the first proxy NE. Responsive to determining that a third transport protocol connection is established towards the second NE, the proxy NE transmits the second application layer data through the third transport protocol connection towards the second NE.Type: GrantFiled: December 30, 2019Date of Patent: November 1, 2022Assignee: CLOUDFLARE, INC.Inventors: Michael John Vanderwater, Nicholas Alexander Wondra
-
Publication number: 20220303244Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g.Type: ApplicationFiled: March 21, 2022Publication date: September 22, 2022Inventors: Nicholas Alexander Wondra, Igor Postelnik, Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine
-
Publication number: 20220045963Abstract: A method of path MTU determination in Generic Routing Encapsulation (GRE) tunnel is presented. A source network device (ND) transmits, to a destination ND that is a second endpoint of the GRE tunnel, a first outer packet including a first inner packet, where the first inner packet includes a first inner header that is used to deliver the first inner packet to the source network device, a first inner GRE header, and a first payload. The source ND receives the first inner packet. The source ND transmits a second outer packet including a second inner packet that includes a second payload that has a size greater than a size of the first payload. The source ND determines that the second inner packet is not received and determines a path MTU between the source ND and the destination ND based on a size of the first and the second outer packets.Type: ApplicationFiled: October 25, 2021Publication date: February 10, 2022Inventors: Nicholas Alexander WONDRA, Erich Alfred HEINE, Yan ZHAI