US20210194805A1 - Dns (domain name server)-based application-aware routing on sd-wan (software-defined wide access network) - Google Patents
Dns (domain name server)-based application-aware routing on sd-wan (software-defined wide access network) Download PDFInfo
- Publication number
- US20210194805A1 US20210194805A1 US16/724,334 US201916724334A US2021194805A1 US 20210194805 A1 US20210194805 A1 US 20210194805A1 US 201916724334 A US201916724334 A US 201916724334A US 2021194805 A1 US2021194805 A1 US 2021194805A1
- Authority
- US
- United States
- Prior art keywords
- network
- application
- packet
- dns
- level domain
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
-
- H04L61/1511—
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W72/00—Local resource management
- H04W72/04—Wireless resource allocation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Definitions
- the invention relates generally to computer networking, and more specifically, to improving network hardware performance by using DNS-based application awareness in a SD-WAN for link quality selection.
- SD-WAN Software-Defined WAN
- SD-WAN provides dynamic mechanisms for enterprises to optimally use their available WAN links. It can simplify the deployment, management and operation of WAN infrastructure and allow enterprises to build higher performance WAN using lower cost Internet connections, which can partially or wholly replace more expensive private WAN connections.
- SD-WAN should have the capabilities of application awareness/identification and giving bandwidth priority to the most business-critical applications. This includes dynamic WAN link selection, delivering an application on a faster link, or even splitting an application on two or more links to improve the delivery performance.
- IP/Port-based application detection there are two kinds of application awareness/identification techniques used by products on the market.
- One technique is the packet-content-based application detection, the other is the IP/Port-based application detection.
- DPI deep packet inspection
- Its advantage is that it can provide more accurate application identification because the application traffic detection is based on the predefined characteristics chosen from the application's packets.
- the vendor of this solution needs to build a predefined application signature database for its products and update it regularly to keep its effectiveness due to the application changes or the emerging of new applications. So, the effectiveness of this method is high.
- its weakness is that its performance is low because the content of each packet needs to be inspected against the predefined application signature database consisting of tens of thousands of signatures. So, this method isn't suitable for the networks which require high performance communication.
- the IP/Port-based application identification is simple. It assumes that the application runs on servers with fixed IP addresses and port numbers. Its advantage is that it can provide fast application identification because only packet header (destination IP address and port number) is checked against the predefined application database.
- the vendor of this solution needs to build a predefined application database consisting of fixed IP addresses and port numbers of the supported applications for its products and update it regularly to keep its effectiveness. So, the performance of this method is high. However, its weakness is that its effectiveness is low because it's hard to collect and build such application signature database with high quality due to CDN (Content Delivery Network) and Load Balancing techniques being used for online applications by many companies.
- CDN Content Delivery Network
- Load Balancing techniques being used for online applications by many companies.
- CDN is a geographically distributed network of proxy servers. Its goal is to distribute service using the server spatially close to end-users to provide high availability and high performance user experience. CDNs serve a large portion of the Internet content today. For the vendor of the IP/Port-based application identification solution, it's impossible to know/collect all the IP addresses of the application using global CDN.
- Load Balancing technique aims to optimize resource use, maximize throughput, minimize response time, and avoid overload of any single resource. It distributes workloads across multiple computing resources. Some vendors like Google implement more complicated Load Balancing technique. Its HTTP and HTTPS traffic can be balanced across multiple backend instances, across multiple regions. This means that different applications can share the same IP addresses. Their Load Balancing server can differentiate them by the domain name. For the vendor of the IP/Port-based application identification solution, it's very hard to differentiate the applications with fixed IP addresses.
- network data packets generated from cloud-based application communication between a station on the Wi-Fi network and an application server located remote from the Wi-Fi network are received.
- the application associated with the network data packet is identified by parsing the network data packet header of the received network data packets to identify a second-level domain from a destination IP address and searching the second-level domain database to identify the application associated with the second-level domain.
- the network data packet comprises a DNS packet or a non-DNS packet.
- a second-level domain database in real-time is updated by storing the destination IP address in association with the second-level domain, the second-level domain associated with the application.
- a network policy for enforcement on the identified application and routing the network data packet in accordance with the network policy for the application is identified.
- the network packet transmissions are routed over the data communication network corresponding to the DNS determination.
- network performance is improved with better performance towards QoS requirements. Additionally, network computer hardware performance, and network performance, are improved within more efficient processing of network packets.
- FIG. 1 is a high-level block diagram illustrating a system for DNS-based application-awareness routing, according to one embodiment.
- FIGS. 2A-B are more detailed block diagram illustrating an example access point of the system of FIG. 1 , according to one embodiment.
- FIGS. 3A-3B are example screenshots of processing for destination IP addresses, according to some embodiments.
- FIG. 4 is a high-level flow diagram illustrating a method for DNS-based application-awareness routing, according to one embodiment.
- FIG. 5 is a more detailed flow diagram illustrating a step of DNS-based identification of applications, from the method of FIG. 4 , according to one embodiment.
- FIG. 6 is a block diagram illustrating an example computing device, according to one embodiment.
- FIG. 1 is a high-level block diagram illustrating a system for DNS-based application-awareness routing, according to one embodiment.
- the system 100 includes an enterprise LAN 101 and cloud-based application servers 102 A-C.
- the enterprise LAN 101 has cloud-based SD-WAN controller 110 , access point 120 , and stations 130 A-C.
- Other embodiments of the system 100 can include additional network components that are not shown in FIG. 1 .
- the stations 130 A-C access resources on the cloud-based application severs 102 A-C.
- a mobile phone can access G-Mail, a San Jose office of an entity can access files at the Chicago office.
- the enterprise LAN 101 is communicatively coupled to the cloud-based application servers 102 A-C over the network 199 , along with the cloud-based SD-WAN controller 110 .
- the access point 120 is also preferably connected by wire to the network 199 and connected wirelessly to the stations 130 A-C.
- the network 199 can comprise a data communication network such as the Internet, WAN (wide area network), VLAN (virtual local access network), a LAN (local access network), a cellular network (e.g., 3G, 4G or 5G), or a hybrid network.
- a data communication network such as the Internet, WAN (wide area network), VLAN (virtual local access network), a LAN (local access network), a cellular network (e.g., 3G, 4G or 5G), or a hybrid network.
- the access point 120 routes application traffic for stations 130 A-C utilizing cloud-based application. For instance, G-Mail and Office365 may be assigned high quality WAN link 1 while other traffic may be assigned to a lower quality WAN link 2.
- Routing in SD-WAN is application-aware, and is governed in part by network policies implemented by the access point. The network policies can be set by network administrators or automatically by applications. Once an application has been identified using up-to-date DNS information, the network policy can discriminate better services for business-critical applications relative to non-critical applications, such as social media.
- the DNS information is constantly updated by extracting destination IP information from DNS-packets and storing the extracted destination IP information in association with a second-level domain. In this way, the second-level domain is an abstraction of multiple and dynamic IP addresses for applications run over the cloud.
- the access point 120 operates SD-WAN without a higher-level cloud-based SD-WAN controller 110 . Other embodiments have varying levels of cooperation and off-loading.
- the access point 120 can be any of the computing devices, such as a personal computer, a server blade, any computing environment as shown in FIG. 6 .
- the AP 101 can be an Access Point—Model 101 or an Access Point—Model 433 (modified as discussed herein) by Fortinet, Inc.
- the access point 120 is described in more detail in association with FIG. 2 .
- SD-WAN control functionality can also be implemented in a Wi-Fi controller (not pictured for simplicity, as an optional network device that manages multiple access points. Data received from the multiple access points allows the Wi-Fi controller to have a network-wide view of activity. Some decisions are applied by the Wi-Fi controller locally at the access points based on non-local data and non-local parameters.
- the Wi-Fi controller can also run applications (e.g., SDN or Software-Defined Networking applications).
- the Wi-Fi controller can be, for example, an MC1500 or MC6000 device by Fortinet, Inc. of Sunnyvale, Calif.
- the stations 130 A-C can be, for example, a personal computer, laptop computer, tablet computer, smart phone, mobile computing device, Internet appliance, end station or any other computing device as described in FIG. 6 .
- the stations 130 A-C wirelessly couple to APs using a radio and antenna. No pre-configuration or client is needed.
- the stations 130 A-C operate according to wireless standards such as IEEE 802.11a, b, g, n, ac, w or any other wireless standard.
- the stations 130 A-C can send and receive network packets for applications being executed.
- the cloud-based application servers 102 A-C can be data centers, such as AWS (Amazon Web Services).
- the application severs 102 A-C can be a SaaS (software-as-a-service) that offloads processing to resources in the cloud.
- SaaS software-as-a-service
- FIG. 2A is a more detailed block diagram illustrating the access point 120 of the system 100 of FIG. 1 , according to one embodiment.
- the access point 120 includes a DNS-based routing module 210 , an SD-WAN module 220 , a station management module 230 , an operating system 240 , and connection ports 250 .
- the components can be implemented in hardware, software, or a combination of both. Alternative implementations are possible.
- the DNS-based routing module 210 further comprises an application identifier 211 , a DNS controller 212 , a second-level domain to destination IP address database 213 , a second-level domain to application database 214 , and a network policy module 215 .
- the databases 213 , 214 are located on a remote server operated by a third-party.
- the application identifier 211 can determine an application by using a destination IP address extracted from a network packet, identifying a second-level domain associated with the destination IP address, and locating an application associated with the second-level domain.
- Network policies differentiate treatment of applications. In some cases, application identification fails.
- the DNS controller 212 examines data parsed from application data traffic handled by the access point 120 as shown in FIG. 3A .
- the DNS controller 212 after examining header data in a network packet, identifies a DNS response type of network packet, the destination IP (and machine identifier in some cases for more accuracy) is stored in the second-level domain to destination IP address database 213 .
- Destination IP addresses are collected under second-level domains as shown in FIG. 3B, 301, 302, 303 . As a result, variations in destination IP addresses will not hinder application identification.
- a network policy can be checked for managing transmission of the network data packet. For example, high priority applications can have more favorable network treatment than medium or low priority applications, with respect to bandwidth, contention window settings, QoS (quality of service), and the like. Some embodiments bypass this examination for network packets of an existing session that has already been assigned a policy-based link for cloud-based application traffic.
- the SD-WAN module 220 implements SD-WAN compatibility to the access point 120 .
- local control of the control plane layers of the network protocol are surrendered by the stations 110 A-C for centralized management.
- Network-wide considerations can be implemented into local routing decisions under the SD-WAN network architecture.
- the local control of the data plane layers of the network protocols are maintained by the stations 110 A-C for local management.
- the station management module 230 manages station connections by advertising beacons, receiving probe request, sending probe responses and other management frames. Further, individual stations can be tracked as to bandwidth usage, QoS, BSSID assignment, and the like. Beacons and probe responses can also be modified by the station management module 230 to include channel switch announcement information.
- the operating system 240 interfaces between the software and hardware of the access point 120 .
- the operating system 240 can also include integrated applications.
- the networking module 250 includes connection ports and networking hardware and software for exchanging network packets over the channel.
- FIG. 4 is a high-level flow diagram illustrating a method 400 for DNS-based application-awareness routing, according to one embodiment.
- the method 400 can be implemented by, for example, the access point 120 of FIG. 1 .
- network data packets are received from a plurality of sessions and associated with application traffic between a plurality of transmitting Wi-Fi stations on the Wi-Fi network and remotely-located application servers (or remotely-located LANs of a single enterprise).
- the received data packets contend for access for transmission on the data communication network and are processed based on a network policy for the application.
- applications associated with network packets are identified with DNS data such as destination IP address, as set forth in more detail below with respect to FIG. 5 .
- the application is only identified for non-DNS packets.
- DNS packets are DNS response-type packets or non-DNS response-type packets.
- DNS packets primarily use UDP (user datagram protocol) on port 53 to serve requests.
- DNS queries can consist of a single UDP request from a client followed by a single UDP reply (i.e., DNS-response) from a server.
- DNS response-type packet at step 440 , databases are updated to track the association between destination IP address in a database.
- databases are checked according to a destination IP address to identify cloud-based application.
- a network policy can be accessed for a particular one of the cloud-based applications, such as a firewall policy.
- FIG. 5 is a more detailed flow diagram illustrating an example of the step 420 of method 400 for identifying applications from destination IP address, according to one embodiment. Other embodiments are possible.
- a destination IP address is extracted from a network packet from a station to an application server.
- the source IP address is used as an index into a database to find an associated second-level domain.
- Each second-level domain can be referred to by multiple IP addresses.
- the second-level domain exposes an application.
- these associations are updated in real-time by DNS response packets processed by the same access point or other network devices under the same SD-WAN compatibility infrastructure.
- FIG. 6 is a block diagram illustrating an exemplary computing device 600 for use in the system 100 of FIG. 1 , according to one embodiment.
- the computing device 600 is an exemplary device that is implementable for each of the components of the system 100 , such as the cloud-based SD-WAN controller 110 , the access point 120 , and the stations 130 A-C. Additionally, the computing device 600 is merely an example implementation itself, since the system 100 can also be fully or partially implemented with laptop computers, tablet computers, smart cell phones, Internet appliances, and the like.
- the computing device 600 includes a memory 610 , a processor 620 , a hard drive 630 , and an I/O port 640 . Each of the components is coupled for electronic communication via a bus 699 . Communication can be digital and/or analog, and use any suitable protocol.
- the memory 610 further comprises network applications 612 and an operating system 614 .
- the network applications 612 can include the modules of network applications.
- Other network applications can include 612 a web browser, a mobile application, an application that uses networking, a remote application executing locally, a network protocol application, a network management application, a network routing application, or the like.
- the operating system 614 can be one of the Microsoft Windows® family of operating systems (e.g., Windows 96, 98, Me, Windows NT, Windows 2000, Windows XP, Windows XP x64 Edition, Windows Vista, Windows CE, Windows Mobile, Windows 6 or Windows 10), Linux, HP-UX, UNIX, Sun OS, Solaris, Mac OS X, Alpha OS, AIX, IRIX32, or IRIX64. Other operating systems may be used. Microsoft Windows is a trademark of Microsoft Corporation.
- the processor 620 can be a network processor (e.g., optimized for IEEE 802.11), a general-purpose processor, an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), a reduced instruction set controller (RISC) processor, an integrated circuit, or the like. Qualcomm Atheros, Broadcom Corporation, and Marvell Semiconductors manufacture processors that are optimized for IEEE 802.11 devices.
- the processor 620 can be single core, multiple core, or include more than one processing elements.
- the processor 620 can be disposed on silicon or any other suitable material.
- the processor 620 can receive and execute instructions and data stored in the memory 610 or the hard drive 630 .
- the storage device 630 can be any non-volatile type of storage such as a magnetic disc, EEPROM, Flash, or the like.
- the storage device 630 stores code and data for applications.
- the I/O port 640 further comprises a user interface 642 and a network interface 644 .
- the user interface 642 can output to a display device and receive input from, for example, a keyboard.
- the network interface 644 connects to a medium such as Ethernet or Wi-Fi for data input and output.
- the network interface 644 includes IEEE 802.11 antennae.
- Computer software products may be written in any of various suitable programming languages, such as C, C++, Oracle® Java, JavaScript, PHP, Python, Perl, Ruby, AJAX, and Adobe® Flash®.
- the computer software product may be an independent application with data input and data display modules.
- the computer software products may be classes that are instantiated as distributed objects.
- the computer software products may also be component software such as Java Beans (from Sun Microsystems) or Enterprise Java Beans (EJB from Sun Microsystems).
- the computer that is running the previously mentioned computer software may be connected to a network and may interface to other computers using this network.
- the network may be on an intranet or the Internet, among others.
- the network may be a wired network (e.g., using copper), telephone network, packet network, an optical network (e.g., using optical fiber), or a wireless network, or any combination of these.
- data and other information may be passed between the computer and components (or steps) of a system of the invention using a wireless network using a protocol such as Wi-Fi (IEEE standards 802.11, 802.11a, 802.11b, 802.11e, 802.11g, 802.11i, 802.11n, and 802.ac, just to name a few examples).
- Wi-Fi IEEE standards 802.11, 802.11a, 802.11b, 802.11e, 802.11g, 802.11i, 802.11n, and 802.ac, just to name a few examples.
- signals from a computer may be transferred, at least in part
- a user accesses a system on the World Wide Web (WWW) through a network such as the Internet.
- WWW World Wide Web
- the Web browser is used to download web pages or other content in various formats including HTML, XML, text, PDF, and postscript, and may be used to upload information to other parts of the system.
- the Web browser may use uniform resource identifiers (URLs) to identify resources on the Web and hypertext transfer protocol (HTTP) in transferring files on the Web.
- URLs uniform resource identifiers
- HTTP hypertext transfer protocol
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Applications associated with the network data packet are identified by parsing the network data packet of the received network data packets to identify a second-level domain from a destination IP address and searching the second-level domain database to identify the application associated with the second-level domain. It is determined whether the network data packet comprises a DNS packet or a non-DNS packet. Responsive to the network data packet comprising a DNS packet, a second-level domain database in real-time is updated by storing the destination IP address in association with the second-level domain, the second-level domain associated with the application. Responsive to the network data packet comprising a non-DNS packet, a network policy for enforcement on the identified application and routing the network data packet in accordance with the network policy for the application is identified.
Description
- The invention relates generally to computer networking, and more specifically, to improving network hardware performance by using DNS-based application awareness in a SD-WAN for link quality selection.
- SD-WAN (Software-Defined WAN) provides dynamic mechanisms for enterprises to optimally use their available WAN links. It can simplify the deployment, management and operation of WAN infrastructure and allow enterprises to build higher performance WAN using lower cost Internet connections, which can partially or wholly replace more expensive private WAN connections.
- To maximize the performance of application traffic delivery with SD-WAN, SD-WAN should have the capabilities of application awareness/identification and giving bandwidth priority to the most business-critical applications. This includes dynamic WAN link selection, delivering an application on a faster link, or even splitting an application on two or more links to improve the delivery performance.
- Generally speaking, there are two kinds of application awareness/identification techniques used by products on the market. One technique is the packet-content-based application detection, the other is the IP/Port-based application detection.
- DPI (deep packet inspection) technique is often used in the packet-content-based application identification. Its advantage is that it can provide more accurate application identification because the application traffic detection is based on the predefined characteristics chosen from the application's packets. The vendor of this solution needs to build a predefined application signature database for its products and update it regularly to keep its effectiveness due to the application changes or the emerging of new applications. So, the effectiveness of this method is high. However, its weakness is that its performance is low because the content of each packet needs to be inspected against the predefined application signature database consisting of tens of thousands of signatures. So, this method isn't suitable for the networks which require high performance communication.
- The IP/Port-based application identification is simple. It assumes that the application runs on servers with fixed IP addresses and port numbers. Its advantage is that it can provide fast application identification because only packet header (destination IP address and port number) is checked against the predefined application database. The vendor of this solution needs to build a predefined application database consisting of fixed IP addresses and port numbers of the supported applications for its products and update it regularly to keep its effectiveness. So, the performance of this method is high. However, its weakness is that its effectiveness is low because it's hard to collect and build such application signature database with high quality due to CDN (Content Delivery Network) and Load Balancing techniques being used for online applications by many companies.
- A CDN is a geographically distributed network of proxy servers. Its goal is to distribute service using the server spatially close to end-users to provide high availability and high performance user experience. CDNs serve a large portion of the Internet content today. For the vendor of the IP/Port-based application identification solution, it's impossible to know/collect all the IP addresses of the application using global CDN.
- Load Balancing technique aims to optimize resource use, maximize throughput, minimize response time, and avoid overload of any single resource. It distributes workloads across multiple computing resources. Some vendors like Google implement more complicated Load Balancing technique. Its HTTP and HTTPS traffic can be balanced across multiple backend instances, across multiple regions. This means that different applications can share the same IP addresses. Their Load Balancing server can differentiate them by the domain name. For the vendor of the IP/Port-based application identification solution, it's very hard to differentiate the applications with fixed IP addresses.
- What is needed is a robust technique for selecting link quality for SD-WAN from DNS-based application-awareness.
- To meet the above-described needs, methods, computer program products, and systems for selecting link quality for SD-WAN from DNS-based application-awareness.
- In one embodiment, network data packets generated from cloud-based application communication between a station on the Wi-Fi network and an application server located remote from the Wi-Fi network are received. The application associated with the network data packet is identified by parsing the network data packet header of the received network data packets to identify a second-level domain from a destination IP address and searching the second-level domain database to identify the application associated with the second-level domain.
- It is determined whether the network data packet comprises a DNS packet or a non-DNS packet. Responsive to the network data packet comprising a DNS packet, a second-level domain database in real-time is updated by storing the destination IP address in association with the second-level domain, the second-level domain associated with the application. Responsive to the network data packet comprising a non-DNS packet, a network policy for enforcement on the identified application and routing the network data packet in accordance with the network policy for the application is identified.
- The network packet transmissions are routed over the data communication network corresponding to the DNS determination.
- Advantageously, network performance is improved with better performance towards QoS requirements. Additionally, network computer hardware performance, and network performance, are improved within more efficient processing of network packets.
- In the following drawings, like reference numbers are used to refer to like elements. Although the following figures depict various examples of the invention, the invention is not limited to the examples depicted in the figures.
-
FIG. 1 is a high-level block diagram illustrating a system for DNS-based application-awareness routing, according to one embodiment. -
FIGS. 2A-B are more detailed block diagram illustrating an example access point of the system ofFIG. 1 , according to one embodiment. -
FIGS. 3A-3B are example screenshots of processing for destination IP addresses, according to some embodiments. -
FIG. 4 is a high-level flow diagram illustrating a method for DNS-based application-awareness routing, according to one embodiment. -
FIG. 5 is a more detailed flow diagram illustrating a step of DNS-based identification of applications, from the method ofFIG. 4 , according to one embodiment. -
FIG. 6 is a block diagram illustrating an example computing device, according to one embodiment. - Methods, computer program products, and systems for DNS-based application-awareness routing.
- To solve the problems existing in the packet-content-based and IP/Port-based application identification techniques, we bring up the DNS-based application identification method. In this solution, only all DNS response packets which contain domain name and its corresponding IP address are inspected. By parsing the DNS response packets, a database can be built dynamically and it consists of many domain-IP pairs. In this solution, applications are identified by their domains. Based on the dynamic domain-IP database, applications are finally identified by their IP addresses.
- Compared with the packet-content-based application identification method, the performance of this new solution is much higher since only DNS response packets are inspected in depth. Compared with the IP/Port-based application identification method, the effectiveness of this new solution is much higher since the destination IP addresses are obtained from the real-time traffic in current network. Furthermore, the application signature package used by this new solution could be much smaller than the ones used by other solutions.
-
FIG. 1 is a high-level block diagram illustrating a system for DNS-based application-awareness routing, according to one embodiment. Thesystem 100 includes anenterprise LAN 101 and cloud-basedapplication servers 102A-C.The enterprise LAN 101 has cloud-based SD-WAN controller 110,access point 120, andstations 130A-C. Other embodiments of thesystem 100 can include additional network components that are not shown inFIG. 1 . For example, there can be multiple enterprise LANs, a Wi-Fi controller managing access points and a different number of application servers, more access points, and more stations. There can also be network devices such as switches, routers, fire walls, proxy servers, and other network architectures. - In an embodiment, the
stations 130A-C access resources on the cloud-based application severs 102A-C. For instance, a mobile phone can access G-Mail, a San Jose office of an entity can access files at the Chicago office. To accommodate these services, theenterprise LAN 101 is communicatively coupled to the cloud-basedapplication servers 102A-C over thenetwork 199, along with the cloud-based SD-WAN controller 110. Theaccess point 120 is also preferably connected by wire to thenetwork 199 and connected wirelessly to thestations 130A-C. Thenetwork 199 can comprise a data communication network such as the Internet, WAN (wide area network), VLAN (virtual local access network), a LAN (local access network), a cellular network (e.g., 3G, 4G or 5G), or a hybrid network. - In one embodiment, the
access point 120 routes application traffic forstations 130A-C utilizing cloud-based application. For instance, G-Mail and Office365 may be assigned highquality WAN link 1 while other traffic may be assigned to a lowerquality WAN link 2. Routing in SD-WAN is application-aware, and is governed in part by network policies implemented by the access point. The network policies can be set by network administrators or automatically by applications. Once an application has been identified using up-to-date DNS information, the network policy can discriminate better services for business-critical applications relative to non-critical applications, such as social media. The DNS information is constantly updated by extracting destination IP information from DNS-packets and storing the extracted destination IP information in association with a second-level domain. In this way, the second-level domain is an abstraction of multiple and dynamic IP addresses for applications run over the cloud. - Some embodiments of the
access point 120 operates SD-WAN without a higher-level cloud-based SD-WAN controller 110. Other embodiments have varying levels of cooperation and off-loading. Theaccess point 120 can be any of the computing devices, such as a personal computer, a server blade, any computing environment as shown inFIG. 6 . For example, theAP 101 can be an Access Point—Model 101 or an Access Point—Model 433 (modified as discussed herein) by Fortinet, Inc. Theaccess point 120 is described in more detail in association withFIG. 2 . - SD-WAN control functionality can also be implemented in a Wi-Fi controller (not pictured for simplicity, as an optional network device that manages multiple access points. Data received from the multiple access points allows the Wi-Fi controller to have a network-wide view of activity. Some decisions are applied by the Wi-Fi controller locally at the access points based on non-local data and non-local parameters. The Wi-Fi controller can also run applications (e.g., SDN or Software-Defined Networking applications). The Wi-Fi controller can be, for example, an MC1500 or MC6000 device by Fortinet, Inc. of Sunnyvale, Calif.
- The
stations 130A-C (or mobile station, STA, client or wireless device) can be, for example, a personal computer, laptop computer, tablet computer, smart phone, mobile computing device, Internet appliance, end station or any other computing device as described inFIG. 6 . Thestations 130A-C wirelessly couple to APs using a radio and antenna. No pre-configuration or client is needed. Thestations 130A-C operate according to wireless standards such as IEEE 802.11a, b, g, n, ac, w or any other wireless standard. Thestations 130A-C can send and receive network packets for applications being executed. - Located remotely from the
enterprise network 101, the cloud-basedapplication servers 102A-C can be data centers, such as AWS (Amazon Web Services). The application severs 102A-C can be a SaaS (software-as-a-service) that offloads processing to resources in the cloud. Mobile apps executing on smart phones, for example, can log into bank accounts or stock trading accounts to perform important tasks from a small portal. -
FIG. 2A is a more detailed block diagram illustrating theaccess point 120 of thesystem 100 ofFIG. 1 , according to one embodiment. Theaccess point 120 includes a DNS-basedrouting module 210, an SD-WAN module 220, astation management module 230, anoperating system 240, andconnection ports 250. The components can be implemented in hardware, software, or a combination of both. Alternative implementations are possible. - The DNS-based
routing module 210, as shown inFIG. 2B , further comprises anapplication identifier 211, aDNS controller 212, a second-level domain to destinationIP address database 213, a second-level domain toapplication database 214, and anetwork policy module 215. In other embodiments, thedatabases - In operation, the
application identifier 211 can determine an application by using a destination IP address extracted from a network packet, identifying a second-level domain associated with the destination IP address, and locating an application associated with the second-level domain. Network policies differentiate treatment of applications. In some cases, application identification fails. - Additionally, the
DNS controller 212 examines data parsed from application data traffic handled by theaccess point 120 as shown inFIG. 3A . In an implementation, if theDNS controller 212, after examining header data in a network packet, identifies a DNS response type of network packet, the destination IP (and machine identifier in some cases for more accuracy) is stored in the second-level domain to destinationIP address database 213. Destination IP addresses are collected under second-level domains as shown inFIG. 3B, 301, 302, 303 . As a result, variations in destination IP addresses will not hinder application identification. On the other hand, if theDNS controller 212 identifies a non-DNS response type of network packet, such as a data packet passing application data, a network policy can be checked for managing transmission of the network data packet. For example, high priority applications can have more favorable network treatment than medium or low priority applications, with respect to bandwidth, contention window settings, QoS (quality of service), and the like. Some embodiments bypass this examination for network packets of an existing session that has already been assigned a policy-based link for cloud-based application traffic. - Next in
FIG. 2 , the SD-WAN module 220 implements SD-WAN compatibility to theaccess point 120. To this end, local control of the control plane layers of the network protocol are surrendered by the stations 110A-C for centralized management. Network-wide considerations can be implemented into local routing decisions under the SD-WAN network architecture. However, the local control of the data plane layers of the network protocols are maintained by the stations 110A-C for local management. - The
station management module 230 manages station connections by advertising beacons, receiving probe request, sending probe responses and other management frames. Further, individual stations can be tracked as to bandwidth usage, QoS, BSSID assignment, and the like. Beacons and probe responses can also be modified by thestation management module 230 to include channel switch announcement information. - The
operating system 240 interfaces between the software and hardware of theaccess point 120. Theoperating system 240 can also include integrated applications. - Finally, for the embodiment of
FIG. 2 , thenetworking module 250 includes connection ports and networking hardware and software for exchanging network packets over the channel. -
FIG. 4 is a high-level flow diagram illustrating amethod 400 for DNS-based application-awareness routing, according to one embodiment. Themethod 400 can be implemented by, for example, theaccess point 120 ofFIG. 1 . - At
step 410, network data packets are received from a plurality of sessions and associated with application traffic between a plurality of transmitting Wi-Fi stations on the Wi-Fi network and remotely-located application servers (or remotely-located LANs of a single enterprise). The received data packets contend for access for transmission on the data communication network and are processed based on a network policy for the application. - Thus, at
step 420, applications associated with network packets are identified with DNS data such as destination IP address, as set forth in more detail below with respect toFIG. 5 . In other embodiments, the application is only identified for non-DNS packets. - It is determined, at
step 430, whether network packets are DNS response-type packets or non-DNS response-type packets. In general, DNS packets primarily use UDP (user datagram protocol) on port 53 to serve requests. DNS queries can consist of a single UDP request from a client followed by a single UDP reply (i.e., DNS-response) from a server. If a DNS response-type packet, atstep 440, databases are updated to track the association between destination IP address in a database. If not a DNS response-type packet, atstep 450, databases are checked according to a destination IP address to identify cloud-based application. Furthermore, a network policy can be accessed for a particular one of the cloud-based applications, such as a firewall policy. -
FIG. 5 is a more detailed flow diagram illustrating an example of thestep 420 ofmethod 400 for identifying applications from destination IP address, according to one embodiment. Other embodiments are possible. - At
step 510, a destination IP address is extracted from a network packet from a station to an application server. The source IP address is used as an index into a database to find an associated second-level domain. Each second-level domain can be referred to by multiple IP addresses. In turn, at step 520, the second-level domain exposes an application. In some embodiments, these associations are updated in real-time by DNS response packets processed by the same access point or other network devices under the same SD-WAN compatibility infrastructure. - This solution addresses weaknesses of both content-sniffing application identification as well as IP port application identification.
-
FIG. 6 is a block diagram illustrating anexemplary computing device 600 for use in thesystem 100 ofFIG. 1 , according to one embodiment. Thecomputing device 600 is an exemplary device that is implementable for each of the components of thesystem 100, such as the cloud-based SD-WAN controller 110, theaccess point 120, and thestations 130A-C. Additionally, thecomputing device 600 is merely an example implementation itself, since thesystem 100 can also be fully or partially implemented with laptop computers, tablet computers, smart cell phones, Internet appliances, and the like. - The
computing device 600, of the present embodiment, includes amemory 610, aprocessor 620, ahard drive 630, and an I/O port 640. Each of the components is coupled for electronic communication via abus 699. Communication can be digital and/or analog, and use any suitable protocol. - The
memory 610 further comprisesnetwork applications 612 and anoperating system 614. Thenetwork applications 612 can include the modules of network applications. Other network applications can include 612 a web browser, a mobile application, an application that uses networking, a remote application executing locally, a network protocol application, a network management application, a network routing application, or the like. - The
operating system 614 can be one of the Microsoft Windows® family of operating systems (e.g., Windows 96, 98, Me, Windows NT, Windows 2000, Windows XP, Windows XP x64 Edition, Windows Vista, Windows CE, Windows Mobile, Windows 6 or Windows 10), Linux, HP-UX, UNIX, Sun OS, Solaris, Mac OS X, Alpha OS, AIX, IRIX32, or IRIX64. Other operating systems may be used. Microsoft Windows is a trademark of Microsoft Corporation. - The
processor 620 can be a network processor (e.g., optimized for IEEE 802.11), a general-purpose processor, an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), a reduced instruction set controller (RISC) processor, an integrated circuit, or the like. Qualcomm Atheros, Broadcom Corporation, and Marvell Semiconductors manufacture processors that are optimized for IEEE 802.11 devices. Theprocessor 620 can be single core, multiple core, or include more than one processing elements. Theprocessor 620 can be disposed on silicon or any other suitable material. Theprocessor 620 can receive and execute instructions and data stored in thememory 610 or thehard drive 630. - The
storage device 630 can be any non-volatile type of storage such as a magnetic disc, EEPROM, Flash, or the like. Thestorage device 630 stores code and data for applications. - The I/
O port 640 further comprises a user interface 642 and anetwork interface 644. The user interface 642 can output to a display device and receive input from, for example, a keyboard. Thenetwork interface 644 connects to a medium such as Ethernet or Wi-Fi for data input and output. In one embodiment, thenetwork interface 644 includes IEEE 802.11 antennae. - Many of the functionalities described herein can be implemented with computer software, computer hardware, or a combination.
- Computer software products (e.g., non-transitory computer products storing source code) may be written in any of various suitable programming languages, such as C, C++, Oracle® Java, JavaScript, PHP, Python, Perl, Ruby, AJAX, and Adobe® Flash®. The computer software product may be an independent application with data input and data display modules. Alternatively, the computer software products may be classes that are instantiated as distributed objects. The computer software products may also be component software such as Java Beans (from Sun Microsystems) or Enterprise Java Beans (EJB from Sun Microsystems).
- Furthermore, the computer that is running the previously mentioned computer software may be connected to a network and may interface to other computers using this network. The network may be on an intranet or the Internet, among others. The network may be a wired network (e.g., using copper), telephone network, packet network, an optical network (e.g., using optical fiber), or a wireless network, or any combination of these. For example, data and other information may be passed between the computer and components (or steps) of a system of the invention using a wireless network using a protocol such as Wi-Fi (IEEE standards 802.11, 802.11a, 802.11b, 802.11e, 802.11g, 802.11i, 802.11n, and 802.ac, just to name a few examples). For example, signals from a computer may be transferred, at least in part, wirelessly to components or other computers.
- In an embodiment, with a Web browser executing on a computer workstation system, a user accesses a system on the World Wide Web (WWW) through a network such as the Internet. The Web browser is used to download web pages or other content in various formats including HTML, XML, text, PDF, and postscript, and may be used to upload information to other parts of the system. The Web browser may use uniform resource identifiers (URLs) to identify resources on the Web and hypertext transfer protocol (HTTP) in transferring files on the Web.
- This description of the invention has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form described, and many modifications and variations are possible in light of the teaching above. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications. This description will enable others skilled in the art to best utilize and practice the invention in various embodiments and with various modifications as are suited to a particular use. The scope of the invention is defined by the following claims.
Claims (8)
1. A computer-implemented method in an access point communicatively coupled to a data communication network and also communicatively coupled to a Wi-Fi network, the method for routing network packets in an SD-WAN (software-defined wide area network) utilizing DNS v-based application-awareness, the method comprising the steps of:
receiving network data packets generated from cloud-based application communication between a station on the Wi-Fi network and an application server located remote from the Wi-Fi network, at a network interface of the access point, from the data communication network;
identifying, from a memory storing a second-level domain database, the application associated with the network data packet by parsing a header of the network data packet of the received network data packets to identify a second-level domain from a destination IP address and searching the second-level domain database to identify the application associated with the second-level domain; and
determining, using a processor of the access point, whether the network data packet comprises a DNS packet or a non-DNS packet:
responsive to the network data packet comprising a DNS packet, updating a second-level domain database in real-time by storing the destination IP address in association with the second-level domain, the second-level domain associated with the application; and
responsive to the network data packet comprising a non-DNS packet, identifying a network policy for enforcement on the identified application and routing the network data packet in accordance with the network policy for the application;
transmitting, from the network interface, the network packet routing over the data communication network corresponding to the DNS determination.
2. The method of claim 1 , wherein the network policy comprises a description of network resource usage.
3. The method of claim 1 , wherein the network policy is part of a plurality of network policies, each network policy corresponding to a specific application from a plurality of applications.
4. The method of claim 1 , wherein the application comprises at least one of: an e-mail application, a word processing application, and a social media application.
5. The method of claim 1 , further comprising:
determining, prior to the DNS determination step, whether the network packet belongs to an existing session or to a new session, and responsive to the network packet belonging to the existing session, identify the application from a session cache.
6. A method of claim 1 , wherein the application server is located on a second enterprise network, wherein the enterprise network and the second enterprise network are under control of a common entity.
7. A non-transitory computer-readable medium storing instructions that, when executed by a processor, perform a computer-implemented method in an access point communicatively coupled to a data communication network and also communicatively coupled to a Wi-Fi network, the method for selecting network links in an SD-WAN (software-defined wide area network) utilizing DNS (domain name server)-based application-awareness, the method comprising the steps of:
receiving network data packets generated from cloud-based application communication between a station on the Wi-Fi network and an application server located remote from the Wi-Fi network, at a network interface of the access point, from the data communication network;
identifying, from a memory storing a second-level domain database, the application associated with the network data packet by parsing the network data packet of the received network data packets to identify a second-level domain from a destination IP address and searching the second-level domain database to identify the application associated with the second-level domain;
determining, using a processor of the access point, whether the network data packet comprises a DNS packet or a non-DNS packet:
responsive to the network data packet comprising a DNS packet, updating a second-level domain database in real-time by storing the destination IP address in association with the second-level domain, the second-level domain associated with the application;
responsive to the network data packet comprising a non-DNS packet, identifying a network policy for enforcement on the identified application and routing the network data packet in accordance with the network policy for the application;
transmitting, from the network interface, the network packet routing over the data communication network corresponding to the DNS determination.
8. An access point communicatively coupled to a data communication network and also communicatively coupled to a Wi-Fi network, for routing network packets in an SD-WAN (software-defined wide area network) utilizing DNS (domain name server)-based application-awareness, the access point comprising:
a processor;
a network interface, communicatively coupled to the processor and to the data communication network and the Wi-Fi network, to receive network data packets generated from cloud-based application communication between a station on the Wi-Fi network and an application server located remote from the Wi-Fi network over from the data communication network; and
a memory, communicatively coupled to the processor, to store a second-level domain database,
wherein the processor identifies, from the second-level domain database, the application associated with the network data packet by parsing a header of the network data packet of the received network data packets to identify a second-level domain from a destination IP address and searching the second-level domain database to identify the application associated with the second-level domain, and
wherein the processor determines whether the network data packet comprises a DNS packet or a non-DNS packet:
responsive to the network data packet comprising a DNS packet, updating a second-level domain database in real-time by storing the destination IP address in association with the second-level domain, the second-level domain associated with the application; and
responsive to the network data packet comprising a non-DNS packet, identifying a network policy for enforcement on the identified application and routing the network data packet in accordance with the network policy for the application;
transmitting, from the network interface, the network packet routing over the data communication network corresponding to the DNS determination
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/724,334 US11057304B1 (en) | 2019-12-22 | 2019-12-22 | DNS (domain name server)-based application-aware routing on SD-WAN (software-defined wide access network) |
US17/060,069 US11540142B2 (en) | 2019-12-22 | 2020-09-30 | AI-ARRP (artificial intelligence enabled automatic radio resource provisioning) for steering wireless stations on 6 GHz spectrum channels on wireless data communication networks |
US17/217,177 US11882467B2 (en) | 2019-12-22 | 2021-03-30 | Artificially intelligent WLAN uplink monitoring for steering wireless stations to selective access points on wireless data communication networks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/724,334 US11057304B1 (en) | 2019-12-22 | 2019-12-22 | DNS (domain name server)-based application-aware routing on SD-WAN (software-defined wide access network) |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/060,069 Continuation-In-Part US11540142B2 (en) | 2019-12-22 | 2020-09-30 | AI-ARRP (artificial intelligence enabled automatic radio resource provisioning) for steering wireless stations on 6 GHz spectrum channels on wireless data communication networks |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/060,069 Continuation-In-Part US11540142B2 (en) | 2019-12-22 | 2020-09-30 | AI-ARRP (artificial intelligence enabled automatic radio resource provisioning) for steering wireless stations on 6 GHz spectrum channels on wireless data communication networks |
US17/217,177 Continuation-In-Part US11882467B2 (en) | 2019-12-22 | 2021-03-30 | Artificially intelligent WLAN uplink monitoring for steering wireless stations to selective access points on wireless data communication networks |
Publications (2)
Publication Number | Publication Date |
---|---|
US20210194805A1 true US20210194805A1 (en) | 2021-06-24 |
US11057304B1 US11057304B1 (en) | 2021-07-06 |
Family
ID=76439003
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/724,334 Active 2040-01-18 US11057304B1 (en) | 2019-12-22 | 2019-12-22 | DNS (domain name server)-based application-aware routing on SD-WAN (software-defined wide access network) |
Country Status (1)
Country | Link |
---|---|
US (1) | US11057304B1 (en) |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9807246B2 (en) * | 2015-06-30 | 2017-10-31 | At&T Intellectual Property I, L.P. | IP carrier peering |
US10841222B2 (en) * | 2016-07-05 | 2020-11-17 | Ologn Technologies Ag | Systems, apparatuses and methods for network packet management |
US11601466B2 (en) * | 2017-09-13 | 2023-03-07 | Comcast Cable Communications, Llc | Identifying malware devices with domain name system (DNS) queries |
US10666612B2 (en) * | 2018-06-06 | 2020-05-26 | Cisco Technology, Inc. | Service chains for inter-cloud traffic |
US11115344B2 (en) * | 2018-06-27 | 2021-09-07 | Oracle International Corporation | Computerized methods and systems for migrating cloud computer services |
US11444878B2 (en) * | 2019-09-04 | 2022-09-13 | Yahoo Ad Tech Llc | Intelligent dataflow-based service discovery and analysis |
US11245569B2 (en) * | 2019-09-20 | 2022-02-08 | T-Mobile Usa, Inc. | System and method for enhancing identification of network node initiator errors |
-
2019
- 2019-12-22 US US16/724,334 patent/US11057304B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
US11057304B1 (en) | 2021-07-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10951495B2 (en) | Application signature generation and distribution | |
US11336696B2 (en) | Control access to domains, servers, and content | |
WO2018161850A1 (en) | System and method of network policy optimization | |
US9705694B2 (en) | Extension of Wi-Fi services multicast to a subnet across a Wi-Fi network using software-defined networking (SDN) to centrally control data plane behavior | |
US20130238782A1 (en) | Method and apparatus for identifying an application associated with an ip flow using dns data | |
US11665263B2 (en) | Network multi-path proxy selection to route data packets | |
US9794757B2 (en) | Extension of Wi-Fi services multicast to a subnet across a Wi-Fi network using software-defined network (SDN) to centrally control data plane behavior | |
Thomas et al. | Google QUIC performance over a public SATCOM access | |
US20240137853A1 (en) | Application based routing of data packets in multi-access communication networks | |
Chiha et al. | Network slicing cost allocation model | |
US10944650B2 (en) | Programmable, policy-based efficient wireless sniffing networks in WIPS (wireless intrusion prevention systems) | |
US20210152525A1 (en) | Generating an application-based proxy auto configuration | |
Caraguay et al. | Framework for optimized multimedia routing over software defined networks | |
CN107409047A (en) | Encrypt the coordinate packet delivering of session | |
US10341453B2 (en) | Facilitating in-network content caching with a centrally coordinated data plane | |
US11057304B1 (en) | DNS (domain name server)-based application-aware routing on SD-WAN (software-defined wide access network) | |
US11611933B2 (en) | Managing station connectivity in microcell Wi-Fi environment on a data communication network | |
US20210281656A1 (en) | Applying application-based policy rules using a programmable application cache | |
US11546291B1 (en) | FQDN (Fully Qualified Domain Name) routes optimization in SDWAN (Software-Defined Wide Area Networking) | |
Zeydan et al. | User plane acceleration service for next-generation cellular networks | |
US20240007435A1 (en) | Chassis system management through data paths | |
US20230135386A1 (en) | Remote cost based network traffic steering for heterogeneous links in a sdwan (software defined wide area network) | |
US20200213424A1 (en) | Increasing throuput density of tcp traffic on a hybrid data network having both wired and wireless connections by modifying tcp layer behaviour over the wireless connection while maintainig tcp protocol | |
Nový | Mobile network optimization exploiting Multi-Access Edge Computing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: FORTINET, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LI, PEIXUE;REEL/FRAME:051351/0645 Effective date: 20191219 |
|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |