Patents Assigned to Nicira, Inc.
  • Patent number: 10979246
    Abstract: Example methods are provided for a host to perform multicast packet handling a software-defined networking (SDN) environment. One example method may comprise: in response to detecting, from a virtualized computing instance supported by the host, a request to join a first inner multicast group address, obtaining an outer multicast group address that is assigned to the first inner multicast group address and one or more second inner multicast group addresses; and generating and sending a request to join the outer multicast group address to one or more multicast-enabled network devices. In response to detecting an ingress encapsulated multicast packet that includes an outer header addressed to the outer multicast group address and an inner header addressed to the first inner multicast group address, the host may generate and send a decapsulated multicast packet to the virtualized computing instance that has joined the first inner multicast group address.
    Type: Grant
    Filed: July 24, 2018
    Date of Patent: April 13, 2021
    Assignee: NICIRA, INC.
    Inventors: Sami Boutros, Alexander Tessmer, Subin Cyriac Mathew, Chidambareswaran Raman
  • Patent number: 10979416
    Abstract: A system and method for managing a trusted connection within a public cloud comprises transmitting a first token and a second token from a cloud service manager to a public cloud controller, initializing a public cloud manager in response to receipt of the first token and the second token, and generate a cloud certificate, and transmitting the cloud certificate and the second token from the public cloud manager to a management plane. The method further comprises establishing a trusted connection between the public cloud controller and the management plane in response to receipt of the cloud certificate and the second token by the management plane.
    Type: Grant
    Filed: May 9, 2018
    Date of Patent: April 13, 2021
    Assignee: Nicira, Inc.
    Inventors: Vaibhav Kulkarni, Narendra Sharma, Aditya Gokhale, Ganesan Chandrashekhar, Vivek Agarwal, Akshay Katrekar, Rompicherla Sai Pavan Kumar
  • Patent number: 10977067
    Abstract: Some embodiments provide a non-transitory machine readable medium of a first middlebox element of several middlebox elements to implement a middlebox instance in a distributed manner in several hosts. The non-transitory machine readable medium stores a set of instructions for receiving (1) configuration data for configuring the middlebox instance to implement a middlebox in a logical network and (2) a particular identifier associated with the middlebox in the logical network. The non-transitory machine readable medium stores a set of instructions for generating (1) a set of rules to process packets for the middlebox in the logical network and (2) an internal identifier associated with the set of rules. The non-transitory machine readable medium stores a set of instructions for associating the particular identifier with the internal identifier for later processing of packets having the particular identifier.
    Type: Grant
    Filed: September 30, 2018
    Date of Patent: April 13, 2021
    Assignee: NICIRA, INC.
    Inventors: Amar Padmanabhan, Teemu Koponen, Ronghua Zhang, Pankaj Thakkar, Bruce Davie, Martin Casado
  • Patent number: 10956561
    Abstract: A security system for a distributed application obtains and, in effect, preserves provisioning information for the purpose of auto-populating whitelists used to protect the distributed application from intrusions. The provisioning information identifies allowable connections on a software-package level. Entries mapping processes to connection destinations are added to a whitelist if a process requesting a connection results from execution of an executable file installed as part of a software package for which the connection was allowed according to the provisioning information.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: March 23, 2021
    Assignee: Nicira, Inc.
    Inventors: Amit Chopra, Daniel G. Wing, Vijay Ganti, Christopher Corde, Amit Patil, Peixiao Lin
  • Patent number: 10958462
    Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for configuring a managed forwarding element (MFE) executing on a first host machine to implement a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines to process multicast data messages. The method receives a multicast group report from a data compute node (DCN) that executes on the first host, sends a summarized multicast group report indicating multicast groups joined by DCNs executing on the first host to a set of central controllers, receives data based on an aggregated multicast group report from the set of central controllers, and uses the data based on the aggregated multicast group report to configure the MFE to implement the distributed multicast logical router.
    Type: Grant
    Filed: February 14, 2019
    Date of Patent: March 23, 2021
    Assignee: NICIRA, INC.
    Inventors: Sami Boutros, Alexander Tessmer, Subin Cyriac Mathew, Ganesan Chandrashekhar, Vivek Agarwal
  • Patent number: 10951584
    Abstract: For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster in conjunction with a host computer hosting a destination data compute node (DCN) to improve the efficiency of directing a data message to a service node storing state information for the flow to which the data message belongs. a first service node receives a data message in a particular data message flow for which it does not maintain state information. The first service node then identifies a second service node to process the data message and forwards the data message to the second service node. The second service node sends state information for the particular data message flow to the first service node, for the first service node to use to process subsequent data messages in the particular data message flow.
    Type: Grant
    Filed: July 31, 2017
    Date of Patent: March 16, 2021
    Assignee: NICIRA, INC.
    Inventors: Mani Kancherla, Ronghua Zhang
  • Patent number: 10951744
    Abstract: A system for private networking within a virtual infrastructure is presented. The system includes a virtual machine (VM) in a first host, the VM being associated with a first virtual network interface card (VNIC), a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network, a filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the encapsulation adding to the packet a new header and a fence identifier for the fenced group, and a second filter in the second host that de-encapsulates the packet to extract the new header and the fence identifier.
    Type: Grant
    Filed: February 18, 2018
    Date of Patent: March 16, 2021
    Assignee: NICIRA, INC.
    Inventor: Anupam Dalal
  • Patent number: 10951656
    Abstract: Methods, apparatus and articles of manufacture to use artificial intelligence to define encryption and security policies in a software defined data center are disclosed. Example apparatus include a language parser to parse a natural language statement into a policy statement that defines a distributed network encryption policy or a distributed network security policy. Example apparatus also include a comparator to compare the policy statement to a set of reference policy templates and a template configurer to select a first policy template from the set of reference policy templates in response to the comparator determining the first policy template corresponds to the policy statement. A policy distributor distributes a policy rule defined by the first policy template for enforcement at network nodes of a software defined data center. The policy rule is a distributed network encryption policy rule or a security policy rule.
    Type: Grant
    Filed: August 16, 2017
    Date of Patent: March 16, 2021
    Assignee: NICIRA, INC.
    Inventors: Gang Xu, Xinghua Hu, Yong Wang, Shadab Shah, Sharath Bhat, Yashika Narang
  • Patent number: 10949248
    Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller configures a first middlebox instance to obtain status of a set of servers and disseminate the obtained status to a second middlebox instance. The controller configures the second middlebox instance to use the status to select a server from the set of servers.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: March 16, 2021
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Teemu Koponen, Pankaj Thakkar, Martin Casado
  • Patent number: 10944590
    Abstract: Example methods are provided for a first endpoint to communicate with a second endpoint over a public network, the second endpoint being in a private network. The method may comprise detecting a chunk of data directly from an application executing on the first endpoint. The virtual adapter may emulate a transport protocol task offload to bypass transport protocol processing by a protocol stack of the first endpoint. The method may comprise processing the chunk of data to generate a chunk of processed data for transfer through a tunnel connecting the virtual adapter over the public network with a gateway associated with the private network and sending the chunk of processed data through a tunnel in a plurality of tunnel segments, wherein the gateway is configured to perform transport protocol processing to generate a plurality of transport protocol segments from the chunk of processed data for transfer to the second endpoint.
    Type: Grant
    Filed: March 14, 2016
    Date of Patent: March 9, 2021
    Assignee: NICIRA, INC.
    Inventors: Vasantha Kumar, Amit Chopra
  • Patent number: 10944722
    Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: March 9, 2021
    Assignee: NICIRA, INC.
    Inventors: Radha Popuri, Shadab Shah, James Joseph Stabile, Sameer Kurkure, Kaushal Bansal
  • Patent number: 10938966
    Abstract: A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: March 2, 2021
    Assignee: NICIRA, INC.
    Inventors: Mohan Parthasarathy, Jayant Jain, Xinhua Hong, Anirban Sengupta
  • Patent number: 10938726
    Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.
    Type: Grant
    Filed: September 6, 2017
    Date of Patent: March 2, 2021
    Assignee: NICIRA, INC.
    Inventors: Russell Lu, Xin Qi, Shadab Shah, Sunitha Krishna, Yangyang Zhu, Subrahmanyam Manuguri, Raju Koganty
  • Patent number: 10938658
    Abstract: Some embodiments provide a method for a central network manager that stores desired state information for multiple logical network entities for a logical network. The method stores (i) a desired state configuration for a logical network entity and (ii) a first state tracking object that identifies a version of the desired state configuration for at least the logical network entity. The method propagates to a set of managed forwarding elements (i) configuration data for the logical network entity and (ii) a second state tracking object for the logical network entity that identifies a version of the propagated configuration data. The first and second state tracking objects are compared to determine whether the propagated configuration data is based on the most recent desired state configuration.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: March 2, 2021
    Assignee: NICIRA, INC.
    Inventor: Kapil Goyal
  • Patent number: 10938837
    Abstract: Some embodiments provide a novel method for monitoring network requests from a machine. The method captures the network request at various layers of a protocol stack. At a first layer of a protocol stack, the method tags a packet related to the network request with a tag value, maps the tag value to a set of tuples associated with the packet, and sends a first set of data related to the packet to a security engine. At a second layer of the network stack, the method determines whether the packet has been modified through the network stack, and sends an updated second set of data to the security engine when the packet has been modified.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: March 2, 2021
    Assignee: NICIRA, INC.
    Inventor: Vasantha Kumar
  • Patent number: 10938693
    Abstract: In one aspect, a computerized method includes the step of providing process monitor in a Gateway. The method includes the step of, with the process monitor, launching a Gateway. Daemon (GWD). The GWD runs a GWD process that implements a Network Address Translation (NAT) process. The NAT process includes receiving a set of data packets from one or more Edge devices and forwarding the set of data packets to a public Internet. The method includes the step of receiving another set of data packets from the public Internet and forwarding the other set of data packets to the one or more Edge devices. The method includes the step of launching a Network Address Translation daemon (NATD). The method includes the step of detecting that the GWD process is interrupted; moving the NAT process to the NATD.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: March 2, 2021
    Assignee: NICIRA, INC.
    Inventors: Ajit Ramachandra Mayya, Parag Pritam Thakore, Stephen Craig Connors, Steven Michael Woo, Sunil Mukundan, Thomas Harold Speeter
  • Patent number: 10931600
    Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: February 23, 2021
    Assignee: NICIRA, INC.
    Inventors: Martin Casado, Paul Ingram, Keith E. Amidon, Peter J. Balland, III, Teemu Koponen, Benjamin L. Pfaff, Justin Pettit, Jesse E. Gross, IV, Daniel J. Wendlandt
  • Patent number: 10931481
    Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: February 23, 2021
    Assignee: NICIRA, INC.
    Inventors: Martin Casado, Teemu Koponen, Pankaj Thakkar
  • Patent number: 10922124
    Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: February 16, 2021
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Teemu Koponen, Pankaj Thakkar, Amar Padmanabhan, Martin Casado
  • Patent number: 10924431
    Abstract: Some embodiments provide a method for a managed first forwarding element executing on a first data compute node (DCN) that operates on a first host machine within a public datacenter. The managed first forwarding element is configured to implement a logical network. The method receives a data packet from an application, executing on the first data compute node, that sends and receives data packets through the logical network. When the data packet has a destination address that is not associated with the logical network, the method sends the packet directly to a second forwarding element configured by an administrator of the datacenter. When the data packet has a destination address associated with the logical network, the method sends the packet to a managed third forwarding element configured to implement the logical network. The managed third forwarding element executes on a second DCN on a second host machine within the datacenter.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: February 16, 2021
    Assignee: NICIRA, INC.
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Jayant Jain, Ronghua Zhang