Patents by Inventor Sourabh Bhattacharya
Sourabh Bhattacharya has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12113773Abstract: Some embodiments provide a method that identifies multiple paths between a first site and a second site. A security association (SA) is established for transmitting encrypted payload from the first site to the second site in a virtual private network (VPN) session. The method selects a path based on metrics that are obtained for the paths. The selected path is defined by a first endpoint address of the first site and a second endpoint address of the second site. The method sends a message from the first site to the second site to update the SA to switch from using an original path to using the selected path. The message indicates the first and second endpoint addresses. The method transmits a packet including a payload that is encrypted according to the updated SA.Type: GrantFiled: January 6, 2022Date of Patent: October 8, 2024Assignee: VMware LLCInventors: Deepika Solanki, Awan Kumar Sharma, Yong Wang, Sourabh Bhattacharya, Sarthak Ray
-
Patent number: 12107834Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.Type: GrantFiled: January 6, 2022Date of Patent: October 1, 2024Assignee: VMware LLCInventors: Yong Wang, Awan Kumar Sharma, Sourabh Bhattacharya, Deepika Solanki, Sarthak Ray
-
Patent number: 12095736Abstract: A method for IPSec communication between a source machine and a destination machine is provided. The method includes receiving, at the destination machine, first and second packets from the source machine through first and second VPN tunnels established between a first VTI of the source machine and a second VTI of the destination machine; determining the first packet corresponds to a first SA and the second packet corresponds to a second SA; processing, by a first processing core, the first packet based on the first SA, and processing, by a second processing core, the second packet based on the second SA; and updating, at the second VTI, states of one or more flows based on the first and second packets, the second VTI providing one or more stateful services for the one or more packet flows based on the one or more states.Type: GrantFiled: March 26, 2021Date of Patent: September 17, 2024Assignee: VMware LLCInventors: Awan Kumar Sharma, Yong Wang, Sourabh Bhattacharya, Bhargav Puvvada, Sarthak Ray, Mayur Katke
-
Patent number: 11929920Abstract: Described herein are systems, methods, and software to manage processing queue allocation based on addressing attributes of an inner packet. In one implementation, a first gateway identifies processing queues at a second gateway and assigns a unique flow label to each of the processing queues. The first gateway further receives a packet from a computing node that is directed toward the second gateway. The first gateway hashes addressing information in the packet to select a flow label, encapsulates the packet with the flow label in the outer encapsulation header for the encapsulated packet, and forwards the packet toward the second gateway.Type: GrantFiled: September 7, 2021Date of Patent: March 12, 2024Assignee: VMware LLCInventors: Bhargav Puvvada, Sourabh Bhattacharya, Awan Kumar Sharma
-
Patent number: 11770389Abstract: Certain embodiments described herein are relate to a method for dynamically rekeying a security association. The method includes establishing, by a destination tunnel endpoint (TEP), an in-bound security association with a source TEP, with a first security parameter index (SPI) value, for encrypting data packets communicated between the source TEP and the destination TEP. The method further includes rekeying, by the destination TEP, the in-bound security association, the rekeying including generating a second SPI value for replacing the first SPI value based on a trigger event relating to at least one of a real-time security score of the in-bound security association, a number of security associations assigned to a compute resource that the in-bound security resource is assigned to, an amount of load managed by the compute resource that the in-bound security resource is assigned to, and an indication received from an administrator.Type: GrantFiled: September 4, 2020Date of Patent: September 26, 2023Assignee: VMWARE, INC.Inventors: Sourabh Bhattacharya, Yong Wang, Awan Kumar Sharma, Bhargav Puvvada, Mayur Katke
-
Publication number: 20230020509Abstract: Described herein are systems, methods, and software to manage replay windows in multipath connections between gateways. In one implementation, a first gateway may receive a packet directed toward a second gateway and identify a path from a plurality of paths to the second gateway. Once identified, the first gateway may increment a sequence number associated with the path and encapsulate the packet with a unique identifier for the path in the header with the incremented sequence number. The first gateway the communicates the encapsulated packet to the second gateway.Type: ApplicationFiled: October 4, 2021Publication date: January 19, 2023Inventors: AWAN KUMAR SHARMA, YONG WANG, SOURABH BHATTACHARYA, DEEPIKA KUNAL SOLANKI, SARTHAK RAY, JOCHEN BEHRENS
-
Patent number: 11552878Abstract: Described herein are systems, methods, and software to manage replay windows in multipath connections between gateways. In one implementation, a first gateway may receive a packet directed toward a second gateway and identify a path from a plurality of paths to the second gateway. Once identified, the first gateway may increment a sequence number associated with the path and encapsulate the packet with a unique identifier for the path in the header with the incremented sequence number. The first gateway the communicates the encapsulated packet to the second gateway.Type: GrantFiled: October 4, 2021Date of Patent: January 10, 2023Assignee: VMware, Inc.Inventors: Awan Kumar Sharma, Yong Wang, Sourabh Bhattacharya, Deepika Kunal Solanki, Sarthak Ray, Jochen Behrens
-
Publication number: 20220394017Abstract: Some embodiments provide a method that receives an encapsulated packet for a virtual private network (VPN) session. The encapsulated packet incluides (i) a set of flow identifiers of a network traffic flow that includes a user datagram protocol (UDP) port number and (ii) a payload encrypted according to a security association (SA). The method hashes the set of flow identifiers of the network traffic flow to select a processor core from a plurality of processor cores. The method uses the selected processor core to decrypt the payload in the encapsulated packet according to the SA.Type: ApplicationFiled: January 6, 2022Publication date: December 8, 2022Inventors: Deepika Solanki, Awan Kumar Sharma, Yong Wang, Sarthak Ray, Sourabh Bhattacharya
-
Publication number: 20220394014Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.Type: ApplicationFiled: January 6, 2022Publication date: December 8, 2022Inventors: Yong Wang, Awan Kumar Sharma, Sourabh Bhattacharya, Deepika Solanki, Sarthak Ray
-
Publication number: 20220393981Abstract: Some embodiments provide a method that assigns, at a VPN client, a QoS class to each path of multiple paths based on performance metrics for paths. The paths are available for use by a VPN client to reach a VPN server. The method identifies a QoS class for a packet. The method selects a path based on the identified QoS class of the packet and the QoS class assigned to each path. The method transmits the packet using the selected path.Type: ApplicationFiled: January 6, 2022Publication date: December 8, 2022Inventors: Deepika Solanki, Awan Kumar Sharma, Yong Wang, Sarthak Ray, Sourabh Bhattacharya
-
Publication number: 20220394016Abstract: Some embodiments provide a method that identifies multiple paths between a first site and a second site. A security association (SA) is established for transmitting encrypted payload from the first site to the second site in a virtual private network (VPN) session. The method selects a path based on metrics that are obtained for the paths. The selected path is defined by a first endpoint address of the first site and a second endpoint address of the second site. The method sends a message from the first site to the second site to update the SA to switch from using an original path to using the selected path. The message indicates the first and second endpoint addresses. The method transmits a packet including a payload that is encrypted according to the updated SA.Type: ApplicationFiled: January 6, 2022Publication date: December 8, 2022Inventors: Deepika Solanki, Awan Kumar Sharma, Yong Wang, Sourabh Bhattacharya, Sarthak Ray
-
Publication number: 20220393967Abstract: Some embodiments provide a method that establishes multiple active uplinks for a VPN session with a VPN peer using a first uplink interface to access a first set of paths and a second uplink interface to access a second set of paths. The method selects a path from a pool of paths by using a hash value derived from data to be transmitted to a peer in the VPN session. The paths in the pool are identified from the first and second sets of paths based on performance metrics. When the selected path is accessible by the first uplink interface, the method transmits the data as an IPsec packet over the first uplink interface. When the selected path is accessible by the second uplink interface, the method transmits the data as an IPsec packet over the second uplink interface, wherein the data is encrypted according to a security association.Type: ApplicationFiled: January 6, 2022Publication date: December 8, 2022Inventors: Deepika Solanki, Awan Kumar Sharma, Sourabh Bhattacharya, Yong Wang, Sarthak Ray
-
Patent number: 11424958Abstract: Described herein are systems, methods, and software to manage maximum segment size (MSS) values associated with multiple tunnels according to an implementation. In one implementation, a gateway may obtain a Transmission Control Protocol (TCP) synchronize (SYN) packet from a computing node. The gateway may identify a tunnel associated with the TCP SYN packet, determine a maximum segment size (MSS) value based on the overhead associated with the tunnel, and replace a first MSS value in the TCP SYN packet with the MSS value determined by the gateway. Once added, the gateway may encapsulate the TCP SYN packet and communicate the packet to a second gateway.Type: GrantFiled: May 5, 2020Date of Patent: August 23, 2022Assignee: VMware, Inc.Inventors: Sarthak Ray, Sourabh Bhattacharya, Awan Kumar Sharma, Yong Wang
-
Publication number: 20220231993Abstract: A method for IPSec communication between a source machine and a destination machine is provided. The method includes receiving, at the destination machine, first and second packets from the source machine through first and second VPN tunnels established between a first VTI of the source machine and a second VTI of the destination machine; determining the first packet corresponds to a first SA and the second packet corresponds to a second SA; processing, by a first processing core, the first packet based on the first SA, and processing, by a second processing core, the second packet based on the second SA; and updating, at the second VTI, states of one or more flows based on the first and second packets, the second VTI providing one or more stateful services for the one or more packet flows based on the one or more states.Type: ApplicationFiled: March 26, 2021Publication date: July 21, 2022Inventors: AWAN KUMAR SHARMA, YONG WANG, SOURABH BHATTACHARYA, BHARGAV PUVVADA, SARTHAK RAY, MAYUR KATKE
-
Patent number: 11336629Abstract: Certain embodiments described herein are generally directed to systems and methods for deterministic load balancing of processing encapsulated encrypted data packets at a destination tunnel endpoint. For example, certain embodiments described herein relate to configuring a destination tunnel endpoint (TEP) with an encapsulating security payload (ESP) receive side scaling (RSS) mode to assign each incoming packet, received from a certain source endpoint (EP), to a certain RSS queue based on an identifier that is encoded in an SPI value included the packet.Type: GrantFiled: February 27, 2020Date of Patent: May 17, 2022Assignee: VMWARE, INC.Inventors: Yong Wang, Awan Kumar Sharma, Manmeet Khurana, Shailesh Urhekar, Sourabh Bhattacharya
-
Publication number: 20220021687Abstract: Certain embodiments described herein are relate to a method for dynamically rekeying a security association. The method includes establishing, by a destination tunnel endpoint (TEP), an in-bound security association with a source TEP, with a first security parameter index (SPI) value, for encrypting data packets communicated between the source TEP and the destination TEP. The method further includes rekeying, by the destination TEP, the in-bound security association, the rekeying including generating a second SPI value for replacing the first SPI value based on a trigger event relating to at least one of a real-time security score of the in-bound security association, a number of security associations assigned to a compute resource that the in-bound security resource is assigned to, an amount of load managed by the compute resource that the in-bound security resource is assigned to, and an indication received from an administrator.Type: ApplicationFiled: September 4, 2020Publication date: January 20, 2022Inventors: SOURABH BHATTACHARYA, YONG WANG, AWAN KUMAR SHARMA, BHARGAV PUVVADA, MAYUR KATKE
-
Publication number: 20210281442Abstract: Described herein are systems, methods, and software to manage maximum segment size (MSS) values associated with multiple tunnels according to an implementation. In one implementation, a gateway may obtain a Transmission Control Protocol (TCP) synchronize (SYN) packet from a computing node. The gateway may identify a tunnel associated with the TCP SYN packet, determine a maximum segment size (MSS) value based on the overhead associated with the tunnel, and replace a first MSS value in the TCP SYN packet with the MSS value determined by the gateway. Once added, the gateway may encapsulate the TCP SYN packet and communicate the packet to a second gateway.Type: ApplicationFiled: May 5, 2020Publication date: September 9, 2021Inventors: Sarthak Ray, Sourabh Bhattacharya, Awan Kumar Sharma, Yong Wang
-
Publication number: 20210136049Abstract: Certain embodiments described herein are generally directed to systems and methods for deterministic load balancing of processing encapsulated encrypted data packets at a destination tunnel endpoint. For example, certain embodiments described herein relate to configuring a destination tunnel endpoint (TEP) with an encapsulating security payload (ESP) receive side scaling (RSS) mode to assign each incoming packet, received from a certain source endpoint (EP), to a certain RSS queue based on an identifier that is encoded in an SPI value included the packet.Type: ApplicationFiled: February 27, 2020Publication date: May 6, 2021Inventors: Yong Wang, Awan Kumar Sharma, Manmeet Khurana, Shailesh Urhekar, Sourabh Bhattacharya