Patents by Inventor Teemu Koponen

Teemu Koponen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220210067
    Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.
    Type: Application
    Filed: March 14, 2022
    Publication date: June 30, 2022
    Inventors: Jesse E. Gross, IV, Teemu Koponen, W. Andrew Lambeth
  • Patent number: 11372671
    Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: June 28, 2022
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Ronghua Zhang, Pankaj Thakkar, Martin Casado
  • Publication number: 20220173968
    Abstract: A control system including several controllers for managing several switching elements. A first controller registers a second controller for receiving a notification when a data tuple changes in a network information base (NIB) storage of the first controller that stores data for managing a set of switching elements. The first controller changes the data tuple in the NIB. The first controller sends the notification to the second controller of the change to the data tuple in the NIB. The first and second controllers operate on two different computing devices. Each controller receives logical control plane data for specifying logical datapath sets and converts the logical control plane data to physical control plane data for enabling the switching elements to implement the logical datapath sets.
    Type: Application
    Filed: December 11, 2021
    Publication date: June 2, 2022
    Inventors: Teemu Koponen, Martin Casado, Jeremy Stribling, Natasha Gude
  • Patent number: 11343204
    Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can include service-providing stages such as NAT and firewall. The gateway caches the result previous packet operations and reapplies the result to subsequent packets that meet certain criteria. For packets that do not have applicable or valid result from previous packet processing operations, the gateway datapath daemon executes the pipelined packet processing stages and records a set of data from each stage of the pipeline and synthesizes those data into a cache entry for subsequent packets.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: May 24, 2022
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Xinhua Hong
  • Patent number: 11327815
    Abstract: Some embodiments provide a method for distributing a set of parameters associated with policies for authorizing Application Programming Interface (API) calls to an application. For a previously stored hierarchical first document that comprises a first set of elements in a first hierarchical structure, the method receives a hierarchical update second document that comprises a second set of elements in a second hierarchical structure corresponding to the first hierarchical structure, wherein at least a subset of elements in the first and the second documents correspond to the set of parameters for evaluating API calls. The method receives a first set of hash values for elements of the first document that are not specified in the second document, and generates a second set of hash values for a set of elements specified in the second document. The method generates an overall hash for the second document by using the received first set of hash values and the generated second set of hash values.
    Type: Grant
    Filed: July 15, 2020
    Date of Patent: May 10, 2022
    Assignee: STYRA, INC.
    Inventors: Teemu Koponen, Timothy L. Hinrichs
  • Publication number: 20220103452
    Abstract: Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.
    Type: Application
    Filed: December 10, 2021
    Publication date: March 31, 2022
    Inventors: Igor Ganichev, Pankaj Thakkar, Paul Fazzone, Teemu Koponen, Daniel J Wendlandt
  • Patent number: 11277340
    Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: March 15, 2022
    Assignee: NICIRA, INC.
    Inventors: Jesse E. Gross, IV, Teemu Koponen, W. Andrew Lambeth
  • Patent number: 11258824
    Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: February 22, 2022
    Assignee: STYRA, INC.
    Inventors: Timothy L. Hinrichs, Teemu Koponen, Andrew Curtis, Torin Sandall, Octavian Florescu
  • Patent number: 11245728
    Abstract: Some embodiments provide a method for providing insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by multiple users. The method receives at least one authorization policy that defines access to the service by the users, where the policy includes two or more access rules. The method identifies a subset of unnecessary access rules in the received policy, based on a set of contextual data that is associated with the users, and filters the received policy by removing the identified subset of unnecessary access rules. The method receives a query regarding access to the service from a particular set of one or more users, and uses the filtered policy to provide a response to the query that describes access to the service for the particular user set.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: February 8, 2022
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11223531
    Abstract: A control system including several controllers for managing several switching elements. A first controller registers a second controller for receiving a notification when a data tuple changes in a network information base (NIB) storage of the first controller that stores data for managing a set of switching elements. The first controller changes the data tuple in the NIB. The first controller sends the notification to the second controller of the change to the data tuple in the NIB. The first and second controllers operate on two different computing devices. Each controller receives logical control plane data for specifying logical datapath sets and converts the logical control plane data to physical control plane data for enabling the switching elements to implement the logical datapath sets.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: January 11, 2022
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Martin Casado, Jeremy Stribling, Natasha Gude
  • Patent number: 11201808
    Abstract: Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: December 14, 2021
    Assignee: NICIRA, INC.
    Inventors: Igor Ganichev, Pankaj Thakkar, Paul Fazzone, Teemu Koponen, Daniel J. Wendlandt
  • Publication number: 20210377186
    Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. The datapath daemon dispatches packets to other processes or processing threads outside of the daemon by utilizing a user space network stack.
    Type: Application
    Filed: August 16, 2021
    Publication date: December 2, 2021
    Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Jia Yu, Xinhua Hong
  • Publication number: 20210377134
    Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element of break elephant flows into a number mouse flow by facilitating in sending packets associated with the detected elephant flow along different paths.
    Type: Application
    Filed: August 15, 2021
    Publication date: December 2, 2021
    Inventors: Teemu Koponen, Justin Pettit, Martin Casado, Bruce Davie, W. Andrew Lambeth
  • Publication number: 20210365571
    Abstract: Some embodiments provide a method for evaluating a policy for authorizing an API (Application Programming Interface) call to an application. Based on a first set of parameters available before receiving the API call, the method evaluates only a portion of the policy to produce a partially evaluated policy. The method stores the partially evaluated policy in a cache. The method then receives an API call to authorize, and determines whether the API call should be authorized by fully evaluating the policy, using the partially evaluated policy retrieved from the cache first storage, and a second set of parameters associated with the API call. The method responds to the API call with a policy decision based on the fully evaluated authorization policy.
    Type: Application
    Filed: August 2, 2021
    Publication date: November 25, 2021
    Inventors: Torin Sandall, Timothy L. Hinrichs, Teemu Koponen
  • Patent number: 11170099
    Abstract: Some embodiments provide a method for limiting data passed between an application and a process virtual machine (VM) embedded in the application that authorizes API (Application Programming Interface) calls to the application. The method receives a policy code comprising references to a group of parameters. The method modifies the policy code to remove references in the policy code to a set of the parameters that are not used during evaluation of the policy. The method generates a set of binary instructions from the modified policy code, where the process VM does not use the set of parameters while executing the binary instructions to make an authorization decision for a particular API call.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: November 9, 2021
    Assignee: STYRA, INC.
    Inventors: Torin Sandall, Timothy L. Hinrichs, Teemu Koponen
  • Patent number: 11108828
    Abstract: Some embodiments provide a method for gaining insight into authorization policy enforcement for application programming interface (API) calls to at least one service that includes multiple resources. The method generates a permissions graph including nodes that represent the resources and multiple users, based on two or more received authorization policies that restrict access to the service for the users. The method receives a selection of a node that corresponds to a user, and in response to the received selection, modifies the graph to display connections between the node corresponding to the user and one or more nodes associated with resources of the service that the user is authorized to access based on the authorization policies.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: August 31, 2021
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Publication number: 20210258269
    Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.
    Type: Application
    Filed: February 17, 2021
    Publication date: August 19, 2021
    Inventors: Martin Casado, Paul Ingram, Keith E. Amidon, Peter J. Balland, III, Teemu Koponen, Benjamin L. Pfaff, Justin Pettit, Jesse E. Gross, IV, Daniel J. Wendlandt
  • Publication number: 20210258397
    Abstract: Some embodiments provide a method for a network controller that manages multiple managed forwarding elements (MFEs) that implement multiple logical networks. The method stores (i) a first data structure including an entry for each logical entity in a desired state of the multiple logical networks and (ii) a second data structure including an entry for each logical entity referred to by an update for at least one MFE. Upon receiving updates specifying modifications to the logical entities, the method adds separate updates to separate queues for the MFEs that require the update. The separate updates reference the logical entity entries in the second data structure. When the second data structure reaches a threshold size in comparison to the first data structure, the method compacts the updates in at least one of the queues so that each queue has no more than one update referencing a particular logical entity entry.
    Type: Application
    Filed: May 5, 2021
    Publication date: August 19, 2021
    Inventors: Igor Ganichev, Alexander Yip, Pankaj Thakkar, Teemu Koponen, Aayush Saxena
  • Patent number: 11095574
    Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. The datapath daemon dispatches packets to other processes or processing threads outside of the daemon by utilizing a user space network stack.
    Type: Grant
    Filed: December 10, 2015
    Date of Patent: August 17, 2021
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Jia Yu, Xinhua Hong
  • Patent number: 11095536
    Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element of break elephant flows into a number mouse flow by facilitating in sending packets associated with the detected elephant flow along different paths.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: August 17, 2021
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Justin Pettit, Martin Casado, Bruce Davie, W. Andrew Lambeth