(12) United States Patent
     Jungck et al.

(10) Patent No.: US 7,114,008 B2
(45) Date of Patent: Sep. 26, 2006

(54) EDGE ADAPTER ARCHITECTURE APPARATUS AND METHOD

(75) Inventors: Peder J. Jungck, San Carlos, CA (US); Zahid Najam, San Jose, CA (US); Andrew T. Nguyen, San Jose, CA (US); Ramachandra-Rao Penke, Cupertino, CA (US)

(73) Assignee: Cloudshield Technologies, Inc., Sunnyvale, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 792 days.

(21) Appl. No.: 09/858,323

(22) Filed: May 15, 2001

(65) Prior Publication Data
     US 2002/0065938 A1    May 30, 2002

Related U.S. Application Data
(63) Continuation-in-part of application No. 09/602,129, filed on Jun. 23, 2000, now Pat. No. 6,829,654.

(51) Int. Cl.
     G06F 5/16 (2006.01)
     G06F 5/00 (2006.01)
     G06F 9/30 (2006.01)
     G06F 9/40 (2006.01)
(52) U.S. Cl.: 709/246; 709/205; 712/201
(58) Field of Classification Search: None
     See application file for complete search history.

Primary Examiner: Patrice Winder
Assistant Examiner: Azizul Choudhury
(74) Attorney, Agent, or Firm: Brinks, Hofer Gilson & Lione

(57) ABSTRACT

An architecture for intercepting and processing packets from a network is disclosed. The architecture provides both stateful and stateless processing of packets in the bi-directional network flow. Further, stateless processing is provided by a parallel arrangement of network processors while stateful processing is provided by a serial arrangement of network processors. The architecture permits leveraging existing bi-directional devices to process packets in a uni-directional flow, thereby increasing the throughput of the device. The ability to share state among the stateless processors, among the stateful processors of each packet flow direction and between the stateless and stateful processors provides for dynamic adaptability and analysis of both historical and bi-directional packet activity.

40 Claims, 9 Drawing Sheets

Cloudflare - Exhibit, page 1

[Drawing Sheets 1 through 9 of 9 (FIGS. 1 to 9): images not reproduced in this text.]

EDGE ADAPTER ARCHITECTURE APPARATUS AND METHOD

RELATED APPLICATIONS

This application is a continuation-in-part under 37 C.F.R. § 1.53(b) of U.S. patent application Ser. No. 09/602,129, filed Jun. 23, 2000, now U.S. Pat. No. 6,829,654, the entire disclosure of which is hereby incorporated by reference.

The following co-pending and commonly assigned U.S. Patent Applications have been filed on the same date as the present application. These applications relate to and further describe other aspects of the embodiments disclosed in the present application and are herein incorporated by reference:

U.S. patent application Ser. No. 09/858,309, “EDGE ADAPTER APPARATUS AND METHOD”, filed herewith;
U.S. patent application Ser. No. 09/858,324, “APPARATUS AND METHOD FOR INTERFACING WITH A HIGH SPEED BI-DIRECTIONAL NETWORK”, herewith.
U.S. patent application Ser. No. 09/858,308, “APPARATUS AND METHOD FOR INTERCONNECTING A PROCESSOR TO CO-PROCESSORS USING SHARED MEMORY”, filed herewith.

BACKGROUND

The Internet is growing by leaps and bounds. Every day, more and more users log on to the Internet for the first time and these, and existing users, are finding more and more content being made available to them. The Internet has become a universal medium for communications, commerce and information gathering.

Unfortunately, the growing user base along with the growing content provider base is causing ever increasing congestion and strain on the Internet infrastructure, the network hardware and software plus the communications links that link it all together. While the acronym “WWW” is defined as “World Wide Web”, many users of the Internet have come to refer to it as the “World Wide Wait.”

These problems are not limited to the Internet either. Many companies provide internal networks, known as intranets, which are essentially private Internets for use by their employees. These intranets can become overloaded as well, especially when a company's intranet also provides connectivity to the Internet. In this situation, the intranet is not only carrying internally generated traffic but also Internet traffic generated by the employees.

The growth of the Internet has also resulted in more and more malicious programmer activity. These “hackers” spread virus programs or attempt to hack into Web sites in order to steal valuable information such as credit card numbers. Further, there have been an increasing number of “Denial of Service” attacks where a hacker infiltrates multiple innocent computers connected to the Internet and coordinates them, without their owners' knowledge, to bombard a particular Web site with an immense volume of traffic. This flood of traffic overwhelms the target's servers and literally shuts the Web site down.

Accordingly, there is a need for an enhanced Internet infrastructure to more efficiently deliver content from providers to users and provide additional network throughput, reliability, security and fault tolerance.

SUMMARY

The present invention is defined by the following claims, and nothing in this section should be taken as a limitation on those claims. By way of introduction, the preferred embodiments described below relate to an architecture for intercepting and processing packets transmitted from a source to a destination over a network. The architecture includes a packet interceptor coupled with the network and operative to selectively intercept the packets prior to receipt by the destination and at least one stateless processor coupled with the packet interceptor and operative to perform stateless processing tasks on the intercepted packets. The at least one stateless processor includes at least two stateless packet processors coupled in parallel, the processing of the intercepted packets being distributed among the at least two stateless packet processors. The architecture further includes at least one stateful processor coupled with the at least one stateless processor and operative to perform stateful processing tasks on the intercepted packets. The at least one stateful processor includes at least two stateful packet processors serially coupled with each other. Each of the at least two stateful packet processors is operative to perform a portion of the stateful processing tasks on the intercepted packets. The last of the two stateful packet processors being coupled with the network and operative to selectively release the intercepted packet back to the network.

The preferred embodiments further relate to a method of intercepting and processing packets transmitted from a source to a destination over a network. In one embodiment, the method includes intercepting, selectively, the packets prior to receipt by the destination, distributing the intercepted packets to at least two stateless packet processors operative to perform stateless processing tasks on the intercepted packets, performing the stateless processing task in parallel by the at least two stateless packet processors, receiving the intercepted packets from the at least two stateless packet processors by a first stateful packet processor operative to perform a first stateful packet processing task on the intercepted packets, receiving the intercepted packets from the first stateful packet processor by a second stateful packet processor operative to perform a second stateful processing task on the intercepted packets, and releasing, selectively, the intercepted packets.

Further aspects and advantages of the invention are discussed below in conjunction with the preferred embodiments.
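
The following sketch is an added illustration and is not part of the patent text. It models in Python the data path the Summary describes: selective interception, distribution across parallel stateless processors, a serial chain of stateful processors, and selective release by the last stage. The concrete processing tasks (a source-equals-destination check, session tracking, a per-source SYN budget), all class and function names, and the sample addresses are assumptions chosen for the example; the Summary does not specify them.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False  # True for a connection-opening packet


class StatelessProcessor:
    """Judges each packet on its own, so any instance can take any packet."""

    def __init__(self):
        self.handled = 0  # load counter for the demo, not used in decisions

    def process(self, pkt):
        self.handled += 1
        # Assumed stateless task: a packet addressed to its own source is malformed.
        return ["malformed"] if pkt.src == pkt.dst else []


class SessionTracker:
    """First stateful stage (assumed task): remember which flows were opened."""

    def __init__(self):
        self.open_flows = set()

    def process(self, pkt, notes):
        if notes:  # already flagged upstream: do not let it create state
            return notes
        flow = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn:
            self.open_flows.add(flow)
        elif flow not in self.open_flows:
            notes = notes + ["no-session"]
        return notes


class SynRateLimiter:
    """Last stateful stage (assumed task): per-source SYN budget, then release or drop."""

    def __init__(self, max_syn_per_source):
        self.max_syn = max_syn_per_source
        self.syn_seen = Counter()

    def process(self, pkt, notes):
        if pkt.syn and not notes:
            self.syn_seen[pkt.src] += 1
            if self.syn_seen[pkt.src] > self.max_syn:
                notes = notes + ["syn-rate"]
        return "dropped:" + ",".join(notes) if notes else "released"


class EdgePipeline:
    def __init__(self, watched_ports, n_stateless=2, max_syn_per_source=3):
        self.watched_ports = set(watched_ports)
        self.stateless = [StatelessProcessor() for _ in range(n_stateless)]
        self._next_stateless = cycle(self.stateless)  # round-robin distribution
        self.stateful_chain = [SessionTracker()]
        self.releaser = SynRateLimiter(max_syn_per_source)

    def handle(self, pkt):
        if pkt.dport not in self.watched_ports:
            return "pass-through"  # selective interception: not our traffic
        notes = next(self._next_stateless).process(pkt)
        for stage in self.stateful_chain:  # serial: every stage sees every packet
            notes = stage.process(pkt, notes)
        return self.releaser.process(pkt, notes)


# Constructed sample traffic (documentation address ranges); server listens on port 80.
SERVER = "192.0.2.10"
SAMPLE = [
    Packet("198.51.100.5", SERVER, 80, syn=True),   # opens a flow
    Packet("198.51.100.5", SERVER, 80),             # data on the open flow
    Packet("198.51.100.7", SERVER, 80),             # data with no prior SYN
    Packet(SERVER, SERVER, 80, syn=True),           # source equals destination
    Packet("198.51.100.9", SERVER, 22, syn=True),   # port not intercepted
] + [Packet("203.0.113.66", SERVER, 80, syn=True)] * 4  # 4th SYN exceeds budget of 3


def run(packets, **options):
    """Return (verdict per packet, packets handled per stateless processor)."""
    pipe = EdgePipeline(watched_ports={80}, **options)
    verdicts = [pipe.handle(p) for p in packets]
    return verdicts, [sp.handled for sp in pipe.stateless]


if __name__ == "__main__":
    verdicts, load = run(SAMPLE)
    for pkt, verdict in zip(SAMPLE, verdicts):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport:<3} syn={pkt.syn!s:<5} {verdict}")
    print("stateless load:", load)
```

Changing `n_stateless` redistributes the load but leaves every verdict unchanged, because the stateless stage keeps no per-flow memory; the stateful stages, by contrast, must each see every intercepted packet in order.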

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an exemplary network for use with the preferred embodiments.
FIG. 2 depicts the operations of the Domain Name System of the exemplary network of FIG. 1.
FIG. 3 depicts an exemplary content delivery system for use with the exemplary network of FIG. 1.
FIG. 4 depicts a content delivery system for use with the network of FIG. 1 according to a first embodiment.
FIG. 4A depicts a block diagram of the content delivery system of FIG. 4.
FIG. 5 depicts a content delivery system for use with the network of FIG. 1 according to a second embodiment.
FIG. 5A depicts a block diagram of the content delivery system of FIG. 5.
FIG. 6 depicts a content delivery system for use with the network of FIG. 1 according to a third embodiment.
FIG. 6A depicts a block diagram of the content delivery system of FIG. 6.
FIG. 7 depicts an edge adapter and packet interceptor according to a fourth embodiment.
FIG. 8 depicts a block diagram of the packet analyzer/adapter of FIG. 7.
FIG. 9 depicts a block diagram of a packet interceptor/analyzer according to a fifth embodiment.

DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENTS

FIG. 1 shows an exemplary network 100 for use with the presently preferred embodiments. It is preferred that the network 100 be a publicly accessible network, and in particular, the Internet. While, for the purposes of this disclosure, the disclosed embodiments will be described in relation to the Internet, one of ordinary skill in the art will appreciate that the disclosed embodiments are not limited to the Internet and are applicable to other types of public networks as well as private networks, and combinations thereof, and all such networks are contemplated.

I. Introduction

As an introduction, a network interconnects one or more computers so that they may communicate with one another, whether they are in the same room or building (such as a Local Area Network or LAN) or across the country from each other (such as a Wide Area Network or WAN). A network is a series of points or nodes 126 interconnected by communications paths 128. Networks can interconnect with other networks and can contain sub-networks. A node 126 is a connection point, either a redistribution point or an end point, for data transmissions generated between the computers which are connected to the network. In general, a node 126 has a programmed or engineered capability to recognize and process or forward transmissions to other nodes 126. The nodes 126 can be computer workstations, servers, bridges or other devices but typically, these nodes 126 are routers or switches.

A router is a device or, in some cases, software in a computer, that determines the next network node 126 to which a piece of data (also referred to as a “packet” in the Internet context) should be forwarded toward its destination. The router is connected to at least two networks or sub-networks and decides which way to send each information packet based on its current understanding of the state of the networks to which it is connected. A router is located at any juncture of two networks, sub-networks or gateways, including each Internet point-of-presence (described in more detail below). A router is often included as part of a network switch. A router typically creates or maintains a table of the available routes and their conditions and uses this information along with distance and cost algorithms to determine the best route for a given packet. Typically, a packet may travel through a number of network points, each containing additional routers, before arriving at its destination.

The communications paths 128 of a network 100, such as the Internet, can be coaxial cable, fiber optic cable, telephone cable, leased telephone lines such as T1 lines, satellite links, microwave links or other communications technology as is known in the art. The hardware and software which allows the network to function is known as the “infrastructure.” A network 100 can also be characterized by the type of data it carries (voice, data, or both) or by the network protocol used to facilitate communications over the network's 100 physical infrastructure.

The Internet, in particular, is a publicly accessible worldwide network 100 which primarily uses the Transport Control Protocol and Internet Protocol (“TCP/IP”) to permit the exchange of information. At a higher level, the Internet supports several applications protocols including the Hypertext Transfer Protocol (“HTTP”) for facilitating the exchange of HTML/World Wide Web (“WWW”) content, File Transfer Protocol (“FTP”) for the exchange of data files, electronic mail exchange protocols, Telnet for remote computer access and Usenet (“NNTP” or Network News Transfer Protocol) for the collaborative sharing and distribution of information. It will be appreciated that the disclosed embodiments are applicable to many different applications protocols both now and later developed.

Logically, the Internet can be thought of as a web of intermediate network nodes 126 and communications paths 128 interconnecting those network nodes 126 which provide multiple data transmission routes from any given point to any other given point on the network 100 (i.e. between any two computers connected to the network 100). Physically, the Internet can also be thought of as a collection of interconnected sub-networks wherein each sub-network contains a portion of the intermediate network nodes 126 and communications paths 128. The division of the Internet into sub-networks is typically geographically based, but can also be based on other factors such as resource limitations and resource demands. For example, a particular city may be serviced by one or more Internet sub-networks provided and maintained by competing Internet Service Providers (“ISPs”) (discussed in more detail below) to support the service and bandwidth demands of the residents.

Contrasting the Internet with an intranet, an intranet is a private network contained within an enterprise, such as a corporation, which uses the TCP/IP and other Internet protocols, such as the World Wide Web, to facilitate communications and enhance the business concern. An intranet may contain its own Domain Name Server (“DNS”) and may be connected to the Internet via a gateway, i.e., an intra-network connection, or gateway in combination with a proxy server or firewall, as are known in the art.

Referring back to FIG. 1, clients 102, 104, 106 and servers 108, 110, 112 are shown coupled with the network 100. Herein, the phrase “coupled with” is defined to mean directly connected to or indirectly connected with, through one or more intermediate components. Such intermediate components may include both hardware and software based components. The network 100 facilitates communications and interaction between one or more of the clients 102, 104, 106 and one or more of the servers 108, 110, 112 (described in more detail below). Alternatively, the network 100 also facilitates communications and interaction among one or more of the clients 102, 104, 106, e.g. between one client 102, 104, 106 and another client 102, 104, 106 or among one or more of the servers 108, 110, 112, e.g. between one server 108, 110, 112 and another server 108, 110, 112.

A client 102, 104, 106 may include a personal computer workstation, mobile or otherwise, wireless device such as a personal digital assistant or cellular telephone, an enterprise scale computing platform such as a mainframe computer or server or may include an entire intranet or other private network which is coupled with the network 100. Typically, a client 102, 104, 106 initiates data interchanges with other computers, such as servers 108, 110, 112 coupled with the network 100. These data interchanges most often involve the client requesting data or content from the other computer and the other computer providing that data or content in response to the request. Alternatively, the other computer coupled with the network can “push” data or content to the client 102, 104, 106 without it first being requested. For example, an electronic mail server 108, 110, 112 may automatically push newly received electronic mail over the