-
Publication No.: US12021963B2
Publication date: 2024-06-25
Application No.: US17411988
Filing date: 2021-08-25
Applicant: Pensando Systems Inc.
Inventor: Varagur Chandrasekaran, Akshaya Nadahalli, Balakrishnan Raman, Chandrasekaran Swaminathan, John Cruz, Maruthi Ram Namburu, Pirabhu Raman, Vijay Sampath, Vipin Jain
IPC: H04L7/033, G06F16/22, G06F16/27, H04L67/1095
CPC classification number: H04L7/033, G06F16/22, G06F16/27, H04L67/1095
Abstract: Synchronizing the databases maintained by network appliances can support high availability or high throughput topologies, but also consumes the devices' processing resources. To address that resource consumption, the network appliance's packet processing pipeline circuits can process synchronization packets to thereby synchronize the databases. A local data structure can be in a first local state. Processing a network packet can result in changing the local data structure to a second local state. A state sync packet can include state transition data that indicates a state difference between the first local state and the second local state. The state sync packet can be sent to a peer device that is configured to process the state transition data using the peer device's packet processing pipeline circuit. The peer device's packet processing pipeline can use the state transition data to update a peer device data structure that is in the peer device.
-
Publication No.: US12015722B2
Publication date: 2024-06-18
Application No.: US16958611
Filing date: 2018-12-20
Applicant: Pensando Systems Inc.
Inventor: Vipin Jain, Ravi Kumar Gadde, Enrico Schiattarella, Sukhesh Halemane
CPC classification number: H04L9/3268, G06F9/45558, H04L9/0894, H04L63/205, G06F2009/45595
Abstract: Methods and network interface devices for establishing a secure and authenticated network connection are provided. The method comprises: receiving, from a requesting entity, a destination IP address and a first certificate that is used to establish a secure network connection, wherein the first certificate comprises a first security attribute that is associated with a source destination IP address; identifying, with aid of one or more processors, a stored second security attribute associated with the destination IP address; and determining, with aid of the one or more processors, a policy action based at least in part on the first security attribute and the second security attribute.
-
Publication No.: US10944576B2
Publication date: 2021-03-09
Application No.: US16173441
Filing date: 2018-10-29
Applicant: Pensando Systems Inc.
Inventor: Enrico Schiattarella, Vipin Jain, Ravi Kumar Gadde
Abstract: An authorization method using provisioned certificates is disclosed. The method includes writing security attributes to fields within a certificate and issuing the certificate to a software application on a principal node. The software application requests to perform actions on one or more resources on a resource node, sending one or more action requests along with a copy of its certificate. The resource node has an agent which verifies the permissions from the certificate and routes the request to its designated resource. The resource node returns one or more messages to the principal node, verifying whether or not complete the requests.
-
Publication No.: US12189640B2
Publication date: 2025-01-07
Application No.: US17337360
Filing date: 2021-06-02
Applicant: Pensando Systems Inc.
Inventor: Shrey Ajmera, Enrico Schiattarella, Pirabhu Raman, Vipin Jain
IPC: G06F16/00, G06F16/14, G06F16/22, G06F16/2455, G06F16/2458
Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous fields in the flow log entries can be indexed, with each indexed field searchable via the shard entries.
-
Publication No.: US11726957B2
Publication date: 2023-08-15
Application No.: US17225060
Filing date: 2021-04-07
Applicant: Pensando Systems Inc.
Inventor: Shrey Ajmera, Vipin Jain, Enrico Schiattarella, Pirabhu Raman
IPC: G06F16/00, G06F16/13, G06F16/14, H04L43/062
CPC classification number: G06F16/13, G06F16/148, H04L43/062
Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous fields in the flow log entries can be indexed, with each indexed field searchable via the shard entries.
-
Publication No.: US20220335008A1
Publication date: 2022-10-20
Application No.: US17225060
Filing date: 2021-04-07
Applicant: Pensando Systems Inc.
Inventor: Shrey Ajmera, Vipin Jain, Enrico Schiattarella, Pirabhu Raman
Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous fields in the flow log entries can be indexed, with each indexed field searchable via the shard entries.
-
Publication No.: US11374844B2
Publication date: 2022-06-28
Application No.: US16990931
Filing date: 2020-08-11
Applicant: Pensando Systems Inc.
Inventor: Varagur Chandrasekaran, Vipin Jain, Swaminathan Narayanan, Raghava Kodigenahalli Sivaramu, Venkatesh Srinivasan
IPC: G06F15/173, H04L43/12, H04L43/16, H04L43/0888, H04L43/0817, H04L43/067, H04L43/08
Abstract: A network appliance having a control plane and a data plane can process substantially every input packet at wire speed in a programmable packet processing pipeline of the data plane. Sensors, which can be processes implemented within the pipeline, can measure parameters of the network traffic flows and of the network appliance in accordance with monitoring policies. Reporting policies can be triggered when any one of many criteria are met by the parameters. The reporting policy can result in a report being sent to an outside recipient. Alternatively, the reporting policy can result in the network appliance implementing additional monitoring or reporting policies.
-
Publication No.: US11841985B2
Publication date: 2023-12-12
Application No.: US17011884
Filing date: 2020-09-03
Applicant: Pensando Systems Inc.
Inventor: Enrico Schiattarella, David Antony Clear, Vipin Jain
IPC: G06F21/85, G06F21/60, H04L9/08, G06F1/00, H04L9/32, H04L9/40, G06F21/31, G06F13/42, G06F9/455
CPC classification number: G06F21/85, G06F9/45533, G06F13/4221, G06F21/31, G06F21/602, H04L9/088, H04L9/0897, H04L9/3278, H04L63/20, G06F2213/0026
Abstract: Methods and systems for implementing security operations in an input/output (I/O) device are disclosed. In an embodiment, an I/O (Input/Output) device involves an I/O port, a host bus configured to be connected to a host, a data processing pipeline within the I/O device coupled to the I/O port and to the host bus to process and forward data between the I/O port and the host bus, and a hardware security module (HSM) within the I/O device coupled to the host bus and to the data processing pipeline, the HSM comprising a crypto engine configured to encrypt and decrypt data of the data processing pipeline, and a secure key storage coupled to the crypto engine containing encryption keys for use in encrypting and decrypting packets, wherein the secure key storage contains keys that are encrypted by the HSM and that are accessible through the HSM.
-
Publication No.: US20230069844A1
Publication date: 2023-03-09
Application No.: US17411988
Filing date: 2021-08-25
Applicant: Pensando Systems Inc.
Inventor: Varagur Chandrasekaran, Akshaya Nadahalli, Balakrishnan Raman, Chandrasekaran Swaminathan, John Cruz, Maruthi Ram Namburu, Pirabhu Raman, Vijay Sampath, Vipin Jain
Abstract: Synchronizing the databases maintained by network appliances can support high availability or high throughput topologies, but also consumes the devices' processing resources. To address that resource consumption, the network appliance's packet processing pipeline circuits can process synchronization packets to thereby synchronize the databases. A local data structure can be in a first local state. Processing a network packet can result in changing the local data structure to a second local state. A state sync packet can include state transition data that indicates a state difference between the first local state and the second local state. The state sync packet can be sent to a peer device that is configured to process the state transition data using the peer device's packet processing pipeline circuit. The peer device's packet processing pipeline can use the state transition data to update a peer device data structure that is in the peer device.
-
Publication No.: US11863467B2
Publication date: 2024-01-02
Application No.: US17580367
Filing date: 2022-01-20
Applicant: Pensando Systems Inc.
Inventor: Michael Brian Galles, Vipin Jain
IPC: H04L49/00, H04L69/22, H04L47/32, H04L41/5019, H04L45/74, H04L47/6295
CPC classification number: H04L49/3018, H04L41/5019, H04L47/32, H04L69/22, H04L45/74, H04L47/6295
Abstract: A network appliance can have an input port that can receive network packets at line rate, two or more ingress queues, a line rate classification circuit that can place the network packets on the ingress queues at the line rate, a packet buffer that can store the network packets, and a sub line rate packet processing circuit that can process the network packets that are stored in the packet buffer. The line rate classification circuit can place a network packet on one of the ingress queues based on the network packet's packet contents. A buffer scheduler can select network packets for processing by a sub line rate packet processing circuit based on the priority levels of the ingress queues.