Patents by Inventor Teemu Koponen
Teemu Koponen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20220210067Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.Type: ApplicationFiled: March 14, 2022Publication date: June 30, 2022Inventors: Jesse E. Gross, IV, Teemu Koponen, W. Andrew Lambeth
-
Patent number: 11372671Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.Type: GrantFiled: January 4, 2021Date of Patent: June 28, 2022Assignee: NICIRA, INC.Inventors: Teemu Koponen, Ronghua Zhang, Pankaj Thakkar, Martin Casado
-
Publication number: 20220173968Abstract: A control system including several controllers for managing several switching elements. A first controller registers a second controller for receiving a notification when a data tuple changes in a network information base (NIB) storage of the first controller that stores data for managing a set of switching elements. The first controller changes the data tuple in the NIB. The first controller sends the notification to the second controller of the change to the data tuple in the NIB. The first and second controllers operate on two different computing devices. Each controller receives logical control plane data for specifying logical datapath sets and converts the logical control plane data to physical control plane data for enabling the switching elements to implement the logical datapath sets.Type: ApplicationFiled: December 11, 2021Publication date: June 2, 2022Inventors: Teemu Koponen, Martin Casado, Jeremy Stribling, Natasha Gude
-
Patent number: 11343204Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can include service-providing stages such as NAT and firewall. The gateway caches the result previous packet operations and reapplies the result to subsequent packets that meet certain criteria. For packets that do not have applicable or valid result from previous packet processing operations, the gateway datapath daemon executes the pipelined packet processing stages and records a set of data from each stage of the pipeline and synthesizes those data into a cache entry for subsequent packets.Type: GrantFiled: May 27, 2020Date of Patent: May 24, 2022Assignee: NICIRA, INC.Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Xinhua Hong
-
Patent number: 11327815Abstract: Some embodiments provide a method for distributing a set of parameters associated with policies for authorizing Application Programming Interface (API) calls to an application. For a previously stored hierarchical first document that comprises a first set of elements in a first hierarchical structure, the method receives a hierarchical update second document that comprises a second set of elements in a second hierarchical structure corresponding to the first hierarchical structure, wherein at least a subset of elements in the first and the second documents correspond to the set of parameters for evaluating API calls. The method receives a first set of hash values for elements of the first document that are not specified in the second document, and generates a second set of hash values for a set of elements specified in the second document. The method generates an overall hash for the second document by using the received first set of hash values and the generated second set of hash values.Type: GrantFiled: July 15, 2020Date of Patent: May 10, 2022Assignee: STYRA, INC.Inventors: Teemu Koponen, Timothy L. Hinrichs
-
Publication number: 20220103452Abstract: Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.Type: ApplicationFiled: December 10, 2021Publication date: March 31, 2022Inventors: Igor Ganichev, Pankaj Thakkar, Paul Fazzone, Teemu Koponen, Daniel J Wendlandt
-
Patent number: 11277340Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.Type: GrantFiled: May 15, 2020Date of Patent: March 15, 2022Assignee: NICIRA, INC.Inventors: Jesse E. Gross, IV, Teemu Koponen, W. Andrew Lambeth
-
Patent number: 11258824Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.Type: GrantFiled: July 31, 2018Date of Patent: February 22, 2022Assignee: STYRA, INC.Inventors: Timothy L. Hinrichs, Teemu Koponen, Andrew Curtis, Torin Sandall, Octavian Florescu
-
Patent number: 11245728Abstract: Some embodiments provide a method for providing insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by multiple users. The method receives at least one authorization policy that defines access to the service by the users, where the policy includes two or more access rules. The method identifies a subset of unnecessary access rules in the received policy, based on a set of contextual data that is associated with the users, and filters the received policy by removing the identified subset of unnecessary access rules. The method receives a query regarding access to the service from a particular set of one or more users, and uses the filtered policy to provide a response to the query that describes access to the service for the particular user set.Type: GrantFiled: June 19, 2019Date of Patent: February 8, 2022Assignee: STYRA, INC.Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
-
Patent number: 11223531Abstract: A control system including several controllers for managing several switching elements. A first controller registers a second controller for receiving a notification when a data tuple changes in a network information base (NIB) storage of the first controller that stores data for managing a set of switching elements. The first controller changes the data tuple in the NIB. The first controller sends the notification to the second controller of the change to the data tuple in the NIB. The first and second controllers operate on two different computing devices. Each controller receives logical control plane data for specifying logical datapath sets and converts the logical control plane data to physical control plane data for enabling the switching elements to implement the logical datapath sets.Type: GrantFiled: June 14, 2016Date of Patent: January 11, 2022Assignee: NICIRA, INC.Inventors: Teemu Koponen, Martin Casado, Jeremy Stribling, Natasha Gude
-
Patent number: 11201808Abstract: Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.Type: GrantFiled: February 1, 2016Date of Patent: December 14, 2021Assignee: NICIRA, INC.Inventors: Igor Ganichev, Pankaj Thakkar, Paul Fazzone, Teemu Koponen, Daniel J. Wendlandt
-
Publication number: 20210377186Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. The datapath daemon dispatches packets to other processes or processing threads outside of the daemon by utilizing a user space network stack.Type: ApplicationFiled: August 16, 2021Publication date: December 2, 2021Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Jia Yu, Xinhua Hong
-
Publication number: 20210377134Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element of break elephant flows into a number mouse flow by facilitating in sending packets associated with the detected elephant flow along different paths.Type: ApplicationFiled: August 15, 2021Publication date: December 2, 2021Inventors: Teemu Koponen, Justin Pettit, Martin Casado, Bruce Davie, W. Andrew Lambeth
-
Publication number: 20210365571Abstract: Some embodiments provide a method for evaluating a policy for authorizing an API (Application Programming Interface) call to an application. Based on a first set of parameters available before receiving the API call, the method evaluates only a portion of the policy to produce a partially evaluated policy. The method stores the partially evaluated policy in a cache. The method then receives an API call to authorize, and determines whether the API call should be authorized by fully evaluating the policy, using the partially evaluated policy retrieved from the cache first storage, and a second set of parameters associated with the API call. The method responds to the API call with a policy decision based on the fully evaluated authorization policy.Type: ApplicationFiled: August 2, 2021Publication date: November 25, 2021Inventors: Torin Sandall, Timothy L. Hinrichs, Teemu Koponen
-
Patent number: 11170099Abstract: Some embodiments provide a method for limiting data passed between an application and a process virtual machine (VM) embedded in the application that authorizes API (Application Programming Interface) calls to the application. The method receives a policy code comprising references to a group of parameters. The method modifies the policy code to remove references in the policy code to a set of the parameters that are not used during evaluation of the policy. The method generates a set of binary instructions from the modified policy code, where the process VM does not use the set of parameters while executing the binary instructions to make an authorization decision for a particular API call.Type: GrantFiled: January 27, 2020Date of Patent: November 9, 2021Assignee: STYRA, INC.Inventors: Torin Sandall, Timothy L. Hinrichs, Teemu Koponen
-
Patent number: 11108828Abstract: Some embodiments provide a method for gaining insight into authorization policy enforcement for application programming interface (API) calls to at least one service that includes multiple resources. The method generates a permissions graph including nodes that represent the resources and multiple users, based on two or more received authorization policies that restrict access to the service for the users. The method receives a selection of a node that corresponds to a user, and in response to the received selection, modifies the graph to display connections between the node corresponding to the user and one or more nodes associated with resources of the service that the user is authorized to access based on the authorization policies.Type: GrantFiled: June 19, 2019Date of Patent: August 31, 2021Assignee: STYRA, INC.Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
-
Publication number: 20210258269Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.Type: ApplicationFiled: February 17, 2021Publication date: August 19, 2021Inventors: Martin Casado, Paul Ingram, Keith E. Amidon, Peter J. Balland, III, Teemu Koponen, Benjamin L. Pfaff, Justin Pettit, Jesse E. Gross, IV, Daniel J. Wendlandt
-
Publication number: 20210258397Abstract: Some embodiments provide a method for a network controller that manages multiple managed forwarding elements (MFEs) that implement multiple logical networks. The method stores (i) a first data structure including an entry for each logical entity in a desired state of the multiple logical networks and (ii) a second data structure including an entry for each logical entity referred to by an update for at least one MFE. Upon receiving updates specifying modifications to the logical entities, the method adds separate updates to separate queues for the MFEs that require the update. The separate updates reference the logical entity entries in the second data structure. When the second data structure reaches a threshold size in comparison to the first data structure, the method compacts the updates in at least one of the queues so that each queue has no more than one update referencing a particular logical entity entry.Type: ApplicationFiled: May 5, 2021Publication date: August 19, 2021Inventors: Igor Ganichev, Alexander Yip, Pankaj Thakkar, Teemu Koponen, Aayush Saxena
-
Patent number: 11095574Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. The datapath daemon dispatches packets to other processes or processing threads outside of the daemon by utilizing a user space network stack.Type: GrantFiled: December 10, 2015Date of Patent: August 17, 2021Assignee: NICIRA, INC.Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Jia Yu, Xinhua Hong
-
Patent number: 11095536Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element of break elephant flows into a number mouse flow by facilitating in sending packets associated with the detected elephant flow along different paths.Type: GrantFiled: May 15, 2020Date of Patent: August 17, 2021Assignee: NICIRA, INC.Inventors: Teemu Koponen, Justin Pettit, Martin Casado, Bruce Davie, W. Andrew Lambeth