Patents by Inventor Krishna Khanal
Krishna Khanal has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11647083Abstract: Systems and methods for establishing a multipath connection include a first processor of a first cluster forwarding a first request from a client to establish a first connection with a server to a second processor of a second cluster. A third processor of the first cluster receives a second request to establish a multipath connection between the client and the server. The third processor forwards the second request to the second processor responsive to determining that the second request is to establish a multipath connection. The second processor establishes the multipath connection that includes the first connection and a second connection used as paths of the multipath connection.Type: GrantFiled: July 20, 2021Date of Patent: May 9, 2023Assignee: Citrix Systems, Inc.Inventor: Krishna Khanal
-
Publication number: 20230027642Abstract: Systems and methods for establishing a multipath connection include a first processor of a first cluster forwarding a first request from a client to establish a first connection with a server to a second processor of a second cluster. A third processor of the first cluster receives a second request to establish a multipath connection between the client and the server. The third processor forwards the second request to the second processor responsive to determining that the second request is to establish a multipath connection. The second processor establishes the multipath connection that includes the first connection and a second connection used as paths of the multipath connection.Type: ApplicationFiled: July 20, 2021Publication date: January 26, 2023Applicant: Citrix Systems, Inc.Inventor: Krishna Khanal
-
Publication number: 20220394034Abstract: Reducing vulnerability to a server is provided. A device intermediary to a client and a server can receive a RPC message from the RPC based client to the RPC based server, the RPC message having a plurality of fields to execute one or more routines on the server. The device can detect that one or more fields of the plurality of fields exploits a vulnerability of the RPC based server. The device can modify the RPC message to remove the one or more fields from the RPC message. The device can forward the modified RPC message to the RPC server.Type: ApplicationFiled: June 7, 2021Publication date: December 8, 2022Applicant: Citrix Systems, Inc.Inventors: Seth K. Keith, Saravanakumar Annamalaisami, Krishna Khanal, Ratnesh Singh Thakur
-
Patent number: 10757146Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.Type: GrantFiled: January 22, 2018Date of Patent: August 25, 2020Assignee: Citrix Systems, Inc.Inventors: Saravana Annamalaisami, Krishna Khanal, Varun Taneja, Mahesh Mylarappa
-
Publication number: 20180146015Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.Type: ApplicationFiled: January 22, 2018Publication date: May 24, 2018Inventors: Saravana Annamalaisami, Krishna Khanal, Varun Taneja, Mahesh Mylarappa
-
Patent number: 9888042Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.Type: GrantFiled: May 20, 2014Date of Patent: February 6, 2018Assignee: Citrix Systems, Inc.Inventors: Saravana Annamalaisami, Krishna Khanal, Varun Taneja, Mahesh Mylarappa
-
Patent number: 9866529Abstract: The systems and methods of the present solution are directed to providing Entity Tag persistency by a device intermediary to a client and a plurality of servers. An intermediary device between a client and one or more back-end servers can receive an entity requested by the client from an origin server that provides the requested content. The intermediary device can encode the back-end server information onto an ETag of the entity, cache the entity with the encoded ETag and serve the entity with the encoded ETag to the client. In this way, when the client attempts to validate the entity by sending a request including the encoded ETag to the intermediary device, the intermediary device decodes the encoded ETag to extract the identity of the backend server and sends the request to validate the entity to the identified server that originally sent the entity that included the requested content.Type: GrantFiled: April 4, 2014Date of Patent: January 9, 2018Assignee: Citrix Systems, Inc.Inventors: Krishna Khanal, Ashwin Jagadish, Saravana Annamalaisami
-
Patent number: 9497106Abstract: Systems and methods of propagating maximum segment size and path maximum transmission unit of network paths between an intermediary device of a cluster with a plurality of destinations are described. A first core of a node including multiple cores and intermediary to a client and a plurality of servers may receive a response to a packet transmitted to a destination indicating that the packet has a size greater than a MTU of a network path between the node and a destination. The first core identifies the MTU of the network path and determines that the identified MTU is different than an MTU used by the first core. The first core replaces the MTU stored in an entry corresponding to the destination in a PMTU table maintained with the identified MTU. The first core transmits, to other cores of the node, the identified MTU to update each core's PMTU table.Type: GrantFiled: April 4, 2014Date of Patent: November 15, 2016Assignee: CITRIX SYSTEMS, INC.Inventors: Krishna Khanal, Ashok Kumar Jagadeeswaran
-
Patent number: 9432399Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.Type: GrantFiled: May 26, 2015Date of Patent: August 30, 2016Assignee: CITRIX SYSTEMS, INC.Inventors: Meghashree Iyengar, Krishna Khanal, Saravana Annamalaisami, Shashidhara Nanjundaswamy
-
Patent number: 9369368Abstract: The present solution relates to systems and methods for capturing and consolidating packet tracing in a cluster system. A multi-nodal cluster processing network traffic contains multiple nodes each handling some of the processing. A node may initially receive a flow and transfer processing of the flow to another node for processing. A flow may therefore pass from one node to another, from two nodes to many nodes. In some instances, it is helpful to generate a trace of a flow. For example, in debugging a network communication flow, a trace of the flow through the cluster can be helpful. Each node has a packet engine (“PE”) which processes data packets and can, when trace is enabled, generate a trace file for the packets processed at the respective node. A trace aggregator merges these distinct trace files into an aggregate trace for the cluster.Type: GrantFiled: April 3, 2014Date of Patent: June 14, 2016Assignee: CITRIX SYSTEMS, INC.Inventors: Krishna Khanal, Shekhar Chandra, Saravana Annamalaisami
-
Patent number: 9246940Abstract: The present solution is directed to systems and methods for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating a cookie signature. The cookie signature may be used for protection from SYN flood attacks. A cluster of nodes comprises one master node and one or more other nodes. Each node comprises one master core and one or more other cores. A random number is generated at the master core of the master node. The random number is synchronized across every other core. The random number is used to generated a secret key value that is attached in the encoded initial sequence number of a SYN-ACK packet. If the responding ACK packet does not contain the secret key value, then the ACK packet is dropped.Type: GrantFiled: April 4, 2014Date of Patent: January 26, 2016Assignee: CITRIX SYSTEMS, INC.Inventors: Krishna Khanal, Saravana Annamalaisami, Mahesh Mylarappa
-
Publication number: 20150281272Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.Type: ApplicationFiled: May 26, 2015Publication date: October 1, 2015Inventors: Meghashree Iyengar, Krishna Khanal, Saravana Annamalaisami, Shashidhara Nanjundaswamy
-
Patent number: 9055100Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.Type: GrantFiled: April 6, 2013Date of Patent: June 9, 2015Assignee: CITRIX SYSTEMS, INC.Inventors: Meghashree Iyengar, Krishna Khanal, Saravana Annamalaisami, Shashidhara Nanjundaswamy
-
Publication number: 20140351447Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.Type: ApplicationFiled: May 20, 2014Publication date: November 27, 2014Applicant: Citrix Systems, Inc.Inventors: Saravana Annamalaisami, Krishna Khanal, Varun Taneja, Mahesh Mylarappa
-
Publication number: 20140301395Abstract: Systems and methods of propagating maximum segment size and path maximum transmission unit of network paths between an intermediary device of a cluster with a plurality of destinations are described. A first core of a node including multiple cores and intermediary to a client and a plurality of servers may receive a response to a packet transmitted to a destination indicating that the packet has a size greater than a MTU of a network path between the node and a destination. The first core identifies the MTU of the network path and determines that the identified MTU is different than an MTU used by the first core. The first core replaces the MTU stored in an entry corresponding to the destination in a PMTU table maintained with the identified MTU. The first core transmits, to other cores of the node, the identified MTU to update each core's PMTU table.Type: ApplicationFiled: April 4, 2014Publication date: October 9, 2014Applicant: Citrix Systems, Inc.Inventors: Krishna Khanal, Ashok Kumar Jagadeeswaran
-
Publication number: 20140301213Abstract: The present solution relates to systems and methods for capturing and consolidating packet tracing in a cluster system. A multi-nodal cluster processing network traffic contains multiple nodes each handling some of the processing. A node may initially receive a flow and transfer processing of the flow to another node for processing. A flow may therefore pass from one node to another, from two nodes to many nodes. In some instances, it is helpful to generate a trace of a flow. For example, in debugging a network communication flow, a trace of the flow through the cluster can be helpful. Each node has a packet engine (“PE”) which processes data packets and can, when trace is enabled, generate a trace file for the packets processed at the respective node.Type: ApplicationFiled: April 3, 2014Publication date: October 9, 2014Applicant: Citrix Systems, Inc.Inventors: Krishna Khanal, Shekhar Chandra, Saravana Annamalaisami
-
Publication number: 20140304810Abstract: The present solution is directed to systems and methods for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating a cookie signature. The cookie signature may be used for protection from SYN flood attacks. A cluster of nodes comprises one master node and one or more other nodes. Each node comprises one master core and one or more other cores. A random number is generated at the master core of the master node. The random number is synchronized across every other core. The random number is used to generated a secret key value that is attached in the encoded initial sequence number of a SYN-ACK packet. If the responding ACK packet does not contain the secret key value, then the ACK packet is dropped.Type: ApplicationFiled: April 4, 2014Publication date: October 9, 2014Applicant: Citrix Systems, Inc.Inventors: Krishna Khanal, Saravana Annamalaisami, Mahesh Mylarappa
-
Publication number: 20140304798Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.Type: ApplicationFiled: April 6, 2013Publication date: October 9, 2014Applicant: Citrix Systems, Inc.Inventors: Meghashree Iyengar, Krishna Khanal, Saravana Annamalaisami, Shashidhara Nanjundaswamy
-
Publication number: 20140304325Abstract: The systems and methods of the present solution are directed to providing Entity Tag persistency by a device intermediary to a client and a plurality of servers. An intermediary device between a client and one or more back-end servers can receive an entity requested by the client from an origin server that provides the requested content. The intermediary device can encode the back-end server information onto an ETag of the entity, cache the entity with the encoded ETag and serve the entity with the encoded ETag to the client. In this way, when the client attempts to validate the entity by sending a request including the encoded ETag to the intermediary device, the intermediary device decodes the encoded ETag to extract the identity of the backend server and sends the request to validate the entity to the identified server that originally sent the entity that included the requested content.Type: ApplicationFiled: April 4, 2014Publication date: October 9, 2014Applicant: Citrix Systems, Inc.Inventors: Krishna Khanal, Ashwin Jagadish, Saravana Annamalaisami