Patents Assigned to Juniper Networks, Inc.
-
Patent number: 9258272
Abstract: Stateless deterministic network address translation (NAT) within a service provider network is described. A plurality of customer premise equipment (CPEs) positioned within customer networks and a NAT device positioned within a service provider network operate as ingress and egress for tunnels having network packets of a first network transport protocol that encapsulate inner network packets of a second network transport protocol. The NAT device stores a mapping table that maps, for each of the CPEs, a public network address of the first transport protocol to a public network address and restricted port range of the second transport protocol. The NAT device outputs control messages to communicate the respective restricted port range to each of the CPEs, and the CPEs provide network address translation within the customer networks at the ingress of the tunnels based on the restricted port range received from the NAT device of the service provider network.
Type: Grant
Filed: June 27, 2012
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Alain Durand, Reinaldo Penno
-
Patent number: 9258328
Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.
Type: Grant
Filed: April 17, 2015
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Oskar Ibatullin, Kyle Adams, Daniel J. Quinlan
-
Patent number: 9258210
Abstract: In general, techniques are described for dynamically filtering, at area border routers (ABRs) of a multi-area autonomous system, routes to destinations external to an area by advertising to routers of the area only those routes associated with a destination address requested by at least one router of the area. In one example, a method includes receiving, by an ABR that borders a backbone area and a non-backbone area of a multi-area autonomous system that employs a hierarchical link state routing protocol to administratively group routers of the autonomous system into areas, a request message from the non-backbone area that requests the ABR to provide routing information associated with a service endpoint identifier (SEI) to the non-backbone area. The request message specifies the SEI. The method also includes sending, in response to receiving the request and by the ABR, the routing information associated with the SEI to the non-backbone area.
Type: Grant
Filed: October 1, 2013
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventor: Raveendra Torvi
-
Patent number: 9258313
Abstract: A network device is configured to receive network traffic associated with an application executing on a user device; identify, based on the network traffic, an application identifier associated with the application; determine whether the application identifier matches one of a set of application identifiers stored by the network device; identify a policy based on the application identifier when the application identifier matches one of the set of application identifiers; and apply the policy to the network traffic associated with the application. The policy may be obtained from another network device, in communication with the network device, when the application identifier does not match one of the set of application identifiers.
Type: Grant
Filed: September 28, 2012
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Michael E. Knappe, Joe Tomasello, Krishna Narayanaswamy, Alexander S. Waterman
-
Patent number: 9258211
Abstract: Techniques are described for forwarding packets in a VPLS using multi-homing PE routers configured in an “active-active” link topology. As described herein, a PE router receives a packet from a multi-homed VPLS customer site, and processes the packet to determine a portion of a MAC domain to which the packet corresponds. When the packet is determined to correspond to a portion associated with the PE router, the PE router forwards the packet to the destination in accordance with forwarding protocols executing on the PE router. When the packet is determined to correspond to a portion associated with a second PE router, the PE router forwards the packet to the second PE router via a pseudowire that is external to the VPLS domain, and the second PE router forwards the packet to the destination in accordance with forwarding protocols executing on the second PE router.
Type: Grant
Filed: April 21, 2014
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventor: Safaa S. Hasan
-
Patent number: 9258056
Abstract: In some embodiments, an apparatus includes an optical detector that can sample asynchronously an optical signal from an optical component that can be either an optical transmitter or an optical receiver. In such embodiments, the apparatus also includes a processor operatively coupled to the optical detector, where the processor can calculate a metric value of the optical signal without an extinction ratio of the optical signal being measured. The metric value is proportional to the extinction ratio of the optical signal. In such embodiments, the processor can define an error signal based on the metric value of the optical signal and the processor can send the error signal to the optical transmitter such that the optical transmitter modifies an output optical signal.
Type: Grant
Filed: January 8, 2014
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Christian Malouin, Roberto Marcoccia, George R. Sosnowski, Theodore J. Schmidt
-
Patent number: 9258228
Abstract: Methods and devices for processing packets are provided. The processing device may include an input interface for receiving data units containing header information of respective packets; a first module configurable to perform packet filtering based on the received data units; a second module configurable to perform traffic analysis based on the received data units; a third module configurable to perform load balancing based on the received data units; and a fourth module configurable to perform route lookups based on the received data units.
Type: Grant
Filed: November 3, 2014
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Dennis C. Ferguson, Rajiv Patel, Gerald Cheung, Pradeep Sindhu
-
Patent number: 9258234
Abstract: In general, techniques are described to dynamically adjust a session detection time defined by a timer in accordance with a bidirectional forwarding detection (BFD) protocol. The techniques utilize existing hardware and BFD software infrastructure. An example network device includes a memory, programmable processor(s), and a control unit configured to execute a timer, receive one or more packets provided by the BFD protocol, detect, based on the received one or more packets, a congestion condition associated with a link via which the network device is coupled to a network, adjust, based on the detected congestion condition, a session detection time defined by the timer, and in response to a failure to receive a packet provided by the BFD protocol within the session detection time defined by the timer, detect a failure associated with the link.
Type: Grant
Filed: December 28, 2012
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Meher Aditya Kumar Addepalli, Prashant Singh
-
Patent number: 9258329
Abstract: A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.
Type: Grant
Filed: October 28, 2013
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventor: Krishna Narayanaswamy
-
Patent number: 9258323
Abstract: A firewall coordinates with devices in a network to create a distributed filtering system. The firewall detects an attack in the network, such as a distributed denial of service attack, and creates attack information defining characteristics of malicious packets used in the attack. The attack information is forwarded to the devices in the network. The devices use the attack information to configure themselves to detect packets having the characteristics of the malicious packets. After configuration, the devices detect and discard malicious packets.
Type: Grant
Filed: July 8, 2013
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventor: Ross W Callon
-
Patent number: 9258742
Abstract: In general, techniques are described for leveraging at least one of a policy control and charging or application detection architecture for an access network to dynamically control value-added services applied to packet flows. In some examples, a policy enforcement device receives a policy rule that defines at least one of policy control and application detection by an access network for a subscriber device. The policy rule includes a service chain identifier that identifies a service chain that defines one or more value-added services to be applied in a particular order to provide a composite service for application to packet flows associated to the service chain. The policy enforcement device receives a packet sourced by the subscriber device and destined to the packet data network, applies the policy rule to the packet to associate the packet to the service chain, and forwards the packet according to the service chain.
Type: Grant
Filed: September 30, 2013
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Jacopo Pianigiani, Rahul Suhas Vaidya
-
Patent number: 9258237
Abstract: This disclosure describes techniques for provisioning a CMTS to re-direct customer traffic into virtualized network functions (NFVs) service chains. This disclosure describes, in one example, techniques for providing linkage between DOCSIS service flows and NFV service chains in the DOCSIS provisioning system by embedding information within cable modem boot files used to configure cable modems within the broadband system. In one example, the techniques facilitate the definition of an NFV service-chain in the DOCSIS cable modem boot file provisioning system. A supported CMTS, CCAP or Edge Router intercepts and interprets the configuration to install packet classifiers that steer specific subscriber flows, as detailed in the DOCSIS cable modem boot file, through the service-chain.
Type: Grant
Filed: September 25, 2013
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Andrew J. Smith, Jonathan C. Barth
-
Patent number: 9258135
Abstract: A network device determines whether the network device has a local link for a link aggregation group (LAG), and identifies, when the network device has a local link for the LAG, the network device as a designated forwarder for the LAG. The network device also identifies, when the network device does not have a local link for the LAG, a closest network device to the network device, with a local link for the LAG, as the designated forwarder for the LAG.
Type: Grant
Filed: August 25, 2014
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Shankar Ramanathan, Srinivas Chinnam, Manish Singh, Harshad Nakil
-
Patent number: 9258277
Abstract: In general, techniques are described for performing decentralized packet dispatch. A network device comprising one or more service processing units (SPUs) and an interface may implement the techniques. The interface receives a packet associated with a session and selects a first one of the SPUs to dispatch the packet based on first information extracted from the packet. The first one of the SPUs dispatches the packet to a second one of the SPUs based on second information extracted from the packet. The second one of the SPUs performs first pass processing to configure the network security device to perform fast path processing of the packet such that the second one of the SPUs applies one or more services to the packet and subsequent packets associated with the same session without application of services to the packets by the first one of the service processing units.
Type: Grant
Filed: June 27, 2012
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Yan Zhuang, Xiao Ping Zhu, Rakesh Nair Gopala Krishnan Nair, Dongyi Jiang, Yong Tian, Jinfeng Yu, Haiyu Wang
-
Patent number: 9258227
Abstract: A route for a data unit through a network may be defined based on a number of next hops. Exemplary embodiments described herein may implement a router forwarding table as a chained list of references to next hops. In one implementation, a device includes a forwarding table that includes: a first table configured to store, for each of a plurality of routes for data units in a network, a chain of links to next hops for the routes; and a second table configured to store the next hops. The device also includes a forwarding engine configured to assemble the next hops for the data units based on using the chain of links in the first table to retrieve the next hops in the second table and to forward the data units in the network based on the assembled next hops.
Type: Grant
Filed: August 19, 2013
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Kaushik Ghosh, Kireeti Kompella, Siva Gaggara, Nitin Kumar, Steven Lin
-
Patent number: 9258433
Abstract: In general, techniques are described for facilitating usage monitoring control in mobile networks. A mobile gateway comprising one or more processors and a memory may be configured to perform the techniques. The one or more processors may be configured to establish a session by which a mobile device is to access a service of a mobile access network, and in response to receiving an incomplete indication to activate usage monitoring with respect to the service provided via the session, configuring the usage monitoring without activating the usage monitoring. The memory may be configured to store the usage monitoring configuration.
Type: Grant
Filed: September 29, 2014
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Jegan Kumar Somi Ramasamy Subramanian, Prasad Chigurupati
-
Patent number: 9258192
Abstract: A multi-chassis network device may automatically detect whether cables connected between chassis devices are correctly inserted. The device may insert, into a first data stream output from a first port of the device, control information identifying the first port. The device may receive, from a second data stream received by the first port of the device, second control information identifying a second port, at another device connected to the device via a cable. The device may determine, based on the second control information, whether the connection of the first port to the second port, via the cable, is valid and cause, when the connection of the first port to the second port is determined to not be valid, the device to output an indication that the connection is not valid or to reconfigure the device to make the connection of the first port to the second port valid.
Type: Grant
Filed: January 3, 2014
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Philip A. Thomas, Anurag Agrawal
-
Patent number: 9258384
Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.
Type: Grant
Filed: February 9, 2015
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventors: Bruno Rijsman, Usha Sharma, Prabhakaran Ganesan, Sankar Ramamoorthi
-
Patent number: 9258229
Abstract: A device may include at least one processor which may access, using a lookup key, a ternary content addressable memory to acquire a lookup result that includes information identifying a group of addresses for accessing a group of static random access memories. The at least one processor may parse the lookup result to identify the group of addresses and may simultaneously access, using the group of addresses, the group of static random access memories, to simultaneously read data from the group of static random access memories. The at least one processor may process a group of packets based on the data.
Type: Grant
Filed: June 27, 2014
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventor: Gunes Aybay
-
Patent number: 9258325
Abstract: A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.
Type: Grant
Filed: January 10, 2014
Date of Patent: February 9, 2016
Assignee: Juniper Networks, Inc.
Inventor: Moshe Litvin