WO2021014204A1 - Protocole de transfert de système de nom de domaine-sur-hypertexte sécurisé ayant une localisation de nuage de bord ou de réseau de distribution de contenu - Google Patents

Protocole de transfert de système de nom de domaine-sur-hypertexte sécurisé ayant une localisation de nuage de bord ou de réseau de distribution de contenu Download PDF

Info

Publication number
WO2021014204A1
WO2021014204A1 PCT/IB2019/061454 IB2019061454W WO2021014204A1 WO 2021014204 A1 WO2021014204 A1 WO 2021014204A1 IB 2019061454 W IB2019061454 W IB 2019061454W WO 2021014204 A1 WO2021014204 A1 WO 2021014204A1
Authority
WO
WIPO (PCT)
Prior art keywords
dns
doh
network
location information
server
Prior art date
Application number
PCT/IB2019/061454
Other languages
English (en)
Inventor
Jari Arkko
Ari KERÄNEN
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Publication of WO2021014204A1 publication Critical patent/WO2021014204A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing
    • H04L67/1021Server selection for load balancing based on client or server locations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/69Types of network addresses using geographic information, e.g. room number

Definitions

  • Embodiments of the invention relate to the field of domain name resolution in networking; and more specifically, to extending centralized domain name system (DNS)-over- hypertext transfer protocol secure (HTTPS) (DoH) or DNS-over-transport layer security (TLS) (DoT) service to pass received location information for localization purposes to an authoritative DNS server of an application.
  • DNS domain name system
  • DoH hypertext transfer protocol secure
  • TLS DNS-over-transport layer security
  • DNS Domain Name System
  • IP Internet Protocol
  • URL uniform resource locator
  • IPv4 IPv6 address
  • DNS queries are sent to a local“recursive” DNS server, e.g., a DNS server running at the Internet Service Provider (ISP) or in a corporate network.
  • a local“recursive” DNS server e.g., a DNS server running at the Internet Service Provider (ISP) or in a corporate network.
  • the recursive DNS server caches information (i.e., IP address and domain/URL information) from previous queries, the DNS server will not have the information to service all received queries.
  • the recursive DNS server re-sends a DNS query to the Internet hierarchy of domain name servers, for instance to determine first what servers can respond for a“.com” domain, then to find out what servers can respond for“example.com” and finally to determine the answer to the complete DNS query (e.g., for www.example.com).
  • a DNS query arrives at the website or application owner’s authoritative DNS server (i.e., the authoritative DNS server for the URL/domain), and the appropriate IP address is sent back to the computing device that originated the query.
  • authoritative DNS server i.e., the authoritative DNS server for the URL/domain
  • IP address is sent back to the computing device that originated the query.
  • the application client is accessing resources from a particular location (as determined by the source IP address of the DNS query), then the requested resources can be most efficiently utilized (in terms of latency and similar metrics) from an application server that is proximate to the application client.
  • the DNS server can provide an IP address of a copy or instance of a requested resource that is closest to the location that the DNS query was sent from. For instance, a DNS query sent from Finland should return an application server instance IP address that is nearby in Finland, not one in the United States. In this manner the application client’s requests can be served with a smaller latency.
  • the DNS system has limitations in terms of privacy and security. Addressing privacy and security issues can be in tension with preserving information necessary for localization and the efficiencies gained therefrom.
  • a method and system support localization with domain name system (DNS) over hyper-text transfer protocol secure (HTTPS) (DoH) or DNS over transport layer security (TLS) (DoT) sessions.
  • DNS domain name system
  • DoH hyper-text transfer protocol secure
  • TLS transport layer security
  • the method includes receiving a DNS request from a client device, determining location information for the client device, forwarding the DNS request to an authoritative DNS service with the location information, receiving a DNS response including a server address for the authoritative DNS service, and responding to the client device with the server address.
  • a non-transitory machine readable medium can store instructions to enable execution of the method of localization support for DoH or DoT sessions.
  • An electronic device can store and execute a location service to implement the method of localization support for DoH or DoT sessions.
  • a method and system support localization by a localization service in an internet service provider (ISP) network.
  • the method includes receiving a location information query for the client device from a domain name system (DNS) server, determining location information for the client device, and sending the location information to the DNS server.
  • DNS domain name system
  • a non-transitory machine readable medium can store instructions to enable execution of the another method of localization support for DoH or DoT sessions.
  • An electronic device can store and execute a location service to implement the another method of localization support for DoH or DoT sessions.
  • Figure l is a diagram of one example embodiment that illustrates how location information flows from a client application in an Internet Service Provider (ISP) or mobile network to the domain name system (DNS) over hypertext transfer protocol secure (DoH) service and to an application service.
  • ISP Internet Service Provider
  • DNS domain name system
  • DoH hypertext transfer protocol secure
  • Figure 2 is a diagram of one example embodiment that illustrates a client application communicating with an application server running in a close-by edge cloud server.
  • Figure 3 is a diagram of one example embodiment that illustrates an arrangement for providing location information to the DoH server from the DoH client.
  • Figure 4 is a diagram of one embodiment that illustrates messaging flow for providing location information to the DoH server from the DoH client.
  • Figure 5 is a diagram of one embodiment that illustrates an arrangement for providing location information to the DoH server from the ISP network.
  • Figure 6A is a diagram of one embodiment that illustrates messaging flow for providing location information to the DoH server from the ISP network.
  • Figure 6B is a flowchart of one embodiment of a process of a DoH server to obtain location information and to provide location information to the authoritative DNS server.
  • Figure 6C is a flowchart of one embodiment of a process of an ISP network to provide location information to a DoH server and facilitate a DNS query from a DoH client.
  • Figure 7 is a diagram of one example embodiment that illustrates one implementation example for a network device in operation with a communication network.
  • Figure 8A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some
  • Figure 8B illustrates an exemplary way to implement a special-purpose network device according to some embodiments of the invention.
  • FIG. 8C illustrates various exemplary ways in which virtual network elements (VNEs) may be coupled according to some embodiments of the invention.
  • VNEs virtual network elements
  • Figure 8D illustrates a network with a single network element (NE) on each of the NDs, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention.
  • NE network element
  • Figure 8E illustrates the simple case of where each of the NDs implements a single NE, but a centralized control plane has abstracted multiple of the NEs in different NDs into (to represent) a single NE in one of the virtual network(s), according to some embodiments of the invention.
  • Figure 8F illustrates a case where multiple VNEs are implemented on different NDs and are coupled to each other, and where a centralized control plane has abstracted these multiple VNEs such that they appear as a single VNE within one of the virtual networks, according to some embodiments of the invention.
  • Figure 9 illustrates a general purpose control plane device with centralized control plane (CCP) software 950), according to some embodiments of the invention.
  • CCP centralized control plane
  • DNS domain name system
  • DoH hyper-text transfer protocol secure
  • opcodes means to specify operands
  • resource partitioning/sharing/duplication implementations types and interrelationships of system components
  • logic partitioning/integration choices are set forth in order to provide a more thorough understanding of the present invention. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.
  • references in the specification to“one embodiment,”“an embodiment,”“an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. [0027] Bracketed text and blocks with dashed borders (e.g., large dashes, small dashes, dot- dash, and dots) may be used herein to illustrate optional operations that add additional features to embodiments of the invention. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain embodiments of the invention.
  • dashed borders e.g., large dashes, small dashes, dot- dash, and
  • Coupled is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other.
  • Connected is used to indicate the establishment of communication between two or more elements that are coupled with each other.
  • An electronic device stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using machine-readable media (also called computer-readable media), such as machine-readable storage media (e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals).
  • machine-readable media also called computer-readable media
  • machine-readable storage media e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory
  • machine-readable transmission media also called a carrier
  • carrier e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, inf
  • an electronic device e.g., a computer
  • hardware and software such as a set of one or more processors (e.g., wherein a processor is a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application specific integrated circuit, field programmable gate array, other electronic circuitry, a combination of one or more of the preceding) coupled to one or more machine-readable storage media to store code for execution on the set of processors and/or to store data.
  • processors e.g., wherein a processor is a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application specific integrated circuit, field programmable gate array, other electronic circuitry, a combination of one or more of the preceding
  • an electronic device may include non-volatile memory containing the code since the non-volatile memory can persist code/data even when the electronic device is turned off (when power is removed), and while the electronic device is turned on that part of the code that is to be executed by the processor(s) of that electronic device is typically copied from the slower non volatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of that electronic device.
  • Typical electronic devices also include a set or one or more physical network interface(s) (NI(s)) to establish network connections (to transmit and/or receive code and/or data using propagating signals) with other electronic devices.
  • NI(s) physical network interface
  • a physical NI may comprise radio circuitry capable of receiving data from other electronic devices over a wireless connection and/or sending data out to other devices via a wireless connection.
  • This radio circuitry may include transmitted s), received s), and/or transceiver(s) suitable for radiofrequency communication.
  • the radio circuitry may convert digital data into a radio signal having the appropriate parameters (e.g., frequency, timing, channel, bandwidth, etc.). The radio signal may then be transmitted via antennas to the appropriate recipient(s).
  • the set of physical NI(s) may comprise network interface controlled s) (NICs), also known as a network interface card, network adapter, or local area network (LAN) adapter.
  • NICs network interface controlled s
  • the NIC(s) may facilitate in connecting the electronic device to other electronic devices allowing them to communicate via wire through plugging in a cable to a physical port connected to a NIC.
  • One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.
  • a network device is an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices).
  • Some network devices are“multiple services network devices” that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video).
  • the authoritative DNS server can look up the IP address of the recursive DNS server and make an approximate location determination based on that information.
  • the recursive DNS server passes the client’s IP address to the authoritative DNS server.
  • the extension mechanism for DNS (EDNS) Client Subnet option defined in IETF RFC 7871 allows sending the client IP address to the authoritative DNS server. This allows the authoritative DNS server to select a more accurate server address in the response, being aware of the locations of the client application and the application servers that exist. While this approach improves the accuracy over the first approach, it is still approximate, as IP addresses provide limited location or topology information. Also, caching in the recursive DNS servers affects results.
  • DNS-over- HTTPS Hypertext Transfer Protocol Secure
  • the client application can open a connection to that IP address. In some cases, opening the connection to the IP address still reveals what domain or service the client application uses. But in many cases a general-purpose cloud service serves many different domains and applications, so it is not clear from the connection to a particular IP address what domain is being accessed.
  • a connection uses the TLS protocol to protect the communications. This is the case when using the HTTPS protocol, for instance.
  • TLS as currently used sends the domain name of the network that the client wishes to connect to as a cleartext parameter in the TLS connection setup phase.
  • a planned change to the TLS protocol will change this and encrypt this information in the TLS connection setup messages.
  • a driver for the use of DoH and DoT has been circumventing governmental or ISP blocking of domains.
  • DNS queries are performed as an operating system function, in the same way for all applications running on the same machine. However, it is possible for DoH to be moved to an application-based DNS query model, where an application such as a browser implements DoH and chooses its own (sometimes even fixed) servers to send the queries to.
  • DoH (or DoT) operators deploy their DoH services at certain locations. For example, this can be a DoH server replicated in various countries. Depending on what mechanisms are supported, there are two cases. In the first case, if the authoritative DNS server looks only at the source address of the query and not the options, this presents a limitation for localization. In this case, when the DoH operator asks for the actual application service for the IP address, that service does not know where the actual query came from, only that it came from the DoH service provider’s local server. However, had the query come from an ISP or enterprise DNS server, the actual application service would be able to know the location far more accurately, e.g., a specific company or city.
  • a centralized DNS service can only provide localization with the same granularity as the centralized service has. For instance, if a DoH service provider has one data center in Finland, then the application services found via the DNS service can only infer that the client is somewhere near Finland, because the query came via a Finnish data center. In a second case, if the DoH operator passes information about the client IP address to the authoritative DNS server in the Client Subnet option, and the authoritative DNS supports this option, then the
  • authoritative DNS server can localize its answer based on the IP address information.
  • IP addresses do not convey the entire situation, particularly in mobile networks where the IP address is typically bound to a border router between the mobile operator and the Internet.
  • edge cloud deployments much closer to the user than the border router is in. The application provider may want to use such deployments for further efficiency.
  • the ISP DNS server can easily recognize specific applications from the domain name such as www.example.com, and the ISP server can communicate the desired location to the application’s authoritative DNS server and the application itself in some fashion. For instance, the queried domain name can be mapped to a localized one, e.g., locationl.www.example.com. Or the location can be passed to the application’s authoritative DNS server and the application using protocols other than DNS, given that the ISP and the application provider have an agreement to employ edge cloud services from the ISP network.
  • the ISP does not get the DNS request and would be unable to see or modify its contents even if it did.
  • the centralized DoH or DoT service does not have the same amount of knowledge that the ISP network has about the actual location of the user, as it only has topological information about the client’s externally visible IP address. That address does not reveal any local IP addresses that might have been used before a Network Address Translator (NAT) mapped the address to an externally visible one.
  • NAT Network Address Translator
  • the centralized DoH or DoT service also does not know anything about the mobile network location data. This problem is referred to herein as‘the localization problem.’
  • the localization problem affects mobile network operators and vendors, as the goal of the mobile industry is to be able to provide edge cloud services for different applications to reduce the latency for communications between the user’s device and the application servers. Many vendors have products in this space that are based on the ability to use DNS queries and provide accurate localization for the answers. Communication infrastructure providers’ products or product plans may also be affected. The localization problem also affects the centralized DoH or DoT providers, as they will not be able to offer best localization results through their service.
  • the embodiments overcome these disadvantages and limitations of the prior art.
  • the embodiments extend the centralized DoH or DoT service.
  • the centralized service gets additional location information from either the client application or the ISP/mobile network. This additional information allows the centralized DoH or DoT service to pass the information for localization purposes to the authoritative DNS server of the application.
  • Figure l is a diagram of one example embodiment that illustrates how location information flows from a client application in an Internet Service Provider (ISP) or mobile network to the domain name system (DNS) over hypertext transfer protocol secure (DoH) service and to an application service.
  • Figure 1 illustrates how location information flows from the client application/ISP/mobile network to the DoH service and to an application service according to one example for particular embodiments.
  • the authoritative DNS server can then make a determination of what is the closest application server instance that can be used when it constructs a reply to the DNS request.
  • the embodiments thereby ensure that the Edge Cloud Server close to the user is chosen as the location that the client application can connect to.
  • the connection of the client application to the application server instance at an edge cloud server is illustrated in Figure 2.
  • the client application communicates with an application server running in the close-by edge cloud, which is optimal for the low latency this application server instance would provide.
  • Figure 3 is a diagram of one embodiment.
  • the client application sends additional localization information to the centralized DoH or DoT service.
  • the DNS query sent over DoH is a standard Hypertext Transfer Protocol Secure (HTTPS) request.
  • the DNS query sent over DoT is a standard DNS query. In both cases TLS is utilized.
  • TLS is utilized.
  • the receiving DoH/DoT server can have more information about where the query came from.
  • the DoH or DoT server can then again pass the information for localization purposes to the authoritative DNS server of the application.
  • Figure 3 illustrates an arrangement for providing location information to the DoH server from the DoH client according to one implementation example for particular embodiments of the solution described herein.
  • Figure 4 illustrates messaging flow for providing location information to the DoH server from the DoH client according to one implementation example for particular embodiments of the solution described herein.
  • the DoH server determines if that received location information should be passed onwards to the authoritative DNS server of the application.
  • a centralized DoH or DoT service provider works with the ISP or mobile network to determine location information.
  • the centralized DoH or DoT service provider can have an agreement with a particular ISP or mobile network.
  • the centralized DoH/DoT provider recognizes this ISP or mobile network through the client application’s IP address being within that network’s address range.
  • the DoH/DoT server then sends a request to the ISP or mobile network to get some additional location information.
  • the ISP or mobile network can then either provide this information directly or indirectly, for trusted DoH/DoT servers.
  • a list of such trusted DoH/DoT servers can be configured in the ISP or mobile network.
  • an ISP or mobile network may also only honor requests for which there has been a DoH/DoT query to the DoH/DoT server recently.
  • the ISP or mobile network detects the DoH query based on the destination IP address (DoH/DoT server) and/or additional information in the request (e.g., Server Name Indication (SNI)). This request creates a temporary permission for the DoH service to query the network information about the location of the client application.
  • SNI Server Name Indication
  • the DoH service can use the Service Capability Exposure Function (SCEF) interface's location application programming interface (API) to request the respective user's location.
  • SCEF Service Capability Exposure Function
  • API location application programming interface
  • similar interfaces can be used.
  • NAT network address translation
  • FIG. 5 is a diagram that illustrates an arrangement for providing location information to the DoH server from the ISP.
  • the centralized DoH/DoT services includes a DoH/DoT server that receives DoH/DoT requests from a client application in an ISP or mobile network.
  • the DoH/DoT server queries the network of the client application to obtain further location information and provides this location information with the DNS request to an authoritative DNS server for the client application.
  • the authoritative NDS server provides a DNS reply to the DoH/DoT server, which in turn replies to the query from the client application.
  • FIG. 6A is a diagram that illustrates messaging flow for providing location information to an example DoH server from the mobile or ISP network.
  • a DoH request is sent by a DoH client application.
  • the DoH server receives this DoH request and determines the network of the client application.
  • the network of the client application is then queried to obtain additional location information using a location query.
  • the network of the client application processes the location query and responds with a location response message.
  • the DoH server sends a DNS query to the authoritative DNS server including the location information obtained from the network of the client application.
  • the authoritative DNS server sends a DNS response to the DoH server.
  • the DoH server then sends a reply to the DoH client application with an IP address as a reply to the initial DoH request.
  • the embodiments provide advantages over the art.
  • the advantages include that the embodiments provide an accurate localized answer for DNS queries.
  • the improved location accuracy reduces latency for users and application providers, reduces overall network energy consumption, and enables local network operators to provide edge cloud services.
  • By adding detailed local IP address, geographic location, or mobile network topology information it is possible to find an optimal choice for edge computing service selections.
  • the embodiments can also implement some mitigations for avoiding disclosure of location information for maintaining client application privacy.
  • an ISP or mobile network may reveal location data only to an application service that uses their edge cloud service.
  • the ISP or mobile network may also not reveal the location of a client application or a user, but rather simply point to a suitable edge cloud service location.
  • potential issues may be addressed in advance with informed consent from the affected parties (e.g., the user, or the client application).
  • user preferences can control whether the client application should send location information to a DoH or DoT service, and whether it should do so for all or only for some applications.
  • DoH requests and replies that are serviced by DoH servers are used herein by way of example and not limitation.
  • examples related to DoH are also applicable to DoT and similar protocols.
  • the localization process and system provides an improved solution to the localization problem for client applications for DNS by using DoH, DoT, or similar technologies to provide more detailed location information to the DoH server and authoritative DNS server to enable the identification of an IP address for a DNS reply where the IP address for a requested service is local to the requesting client application.
  • the more detailed location information can include geographical location, e.g., coarse or fine-grained coordinate information (e.g., GPS coordinates), country, state/province, city/country level information, postal code and similar geographical location information, topological location, e.g., a client application’s public IP address (known by the DoH server, and can be passed to the authoritative DNS server), a client application’s internal IP address, where NATs are used in the ISP or mobile network, an identifier for the base station that the client application is served by, a cell identifier in a cellular network, a tracking area in 4G LTE or 5G networks, radio access network (RAN) area in 5G networks, routing area in older generation networks, or other topological information about the ISP or mobile network.
  • coarse or fine-grained coordinate information e.g., GPS coordinates
  • country state/province
  • city/country level information e.g., postal code and similar geographical location information
  • topological location e.g., a client application
  • a client application or client application network can collect this location information through different means.
  • the client application s network configuration provides some information (such as base station identifier or internal IP address). Some location information may be available in network messaging, such as in Dynamic Host Configuration Protocol (DHCP) or Router Advertisement options.
  • DHCP Dynamic Host Configuration Protocol
  • the client application can also perform location determination in independent ways, e.g., via the Global Positioning System (GPS).
  • GPS Global Positioning System
  • An ISP or mobile network has detailed knowledge about the topological and geographical location of a particular user equipment (UE) executing a client application, including, for instance, the internal IP addresses and currently used base station and topological location that is an anchor for the user equipment. For privacy and other reasons, providing the location of the closest edge cloud service may be the best choice for an ISP or mobile network, rather than revealing the client application’s (i.e., the user equipment) location.
  • location information can be encrypted using a public key of the authoritative DNS server so that the DoH/DoT server is not able to see the information, and in this way, privacy risks are reduced.
  • Figures 6B and 6C are flowcharts of one embodiment of a process for implementing the improved localization process.
  • Figure 6B is a flowchart of one embodiment of the operation of the DoH server.
  • Figure 6C is a flowchart of one embodiment of the operation of a process in the ISP or mobile network that provides location information to the DoH server. The process is described relative to the DoH server and the location services function of the ISP or mobile network.
  • Figure 6B describes the embodiment of the operation of the DoH server to support the improved localization information.
  • the operations to obtain and provide improved location information can be implemented by a location management function or similar aspect of the DoH server.
  • the process 650 can be triggered by the DoH server receiving a request to resolve a DNS query (i.e., to resolve a domain name (e.g., as part of a URL) by providing an IP address) from a client application (Block 651).
  • the DNS query can be received indirectly from the client application via any number of intermediate devices including from network devices of the ISP or mobile network, including those that can execute a location services function.
  • the DoH server can determine what, if any location information is to be passed to the authoritative DNS server (Block 653). If the request includes location information, the DoH server decides whether to pass that information along to the authoritative DNS server. If the information should be passed on, then the DoH server can set the location information to be sent to the information that was included in the request. The decision on what location information to forward can be based on, for instance, whether the queried domain is trusted or has an agreement with the DoH service provider.
  • the DoH server can also determine which ISP or mobile network the received DoH request came from (Block 655). This can be based on the source address of the DoH request and whether it matches the known address range for a known ISP or mobile network. The results of this determination can also be saved for a given DoH session and reused for subsequent requests.
  • the DoH server can further decide whether additional location information is needed and should be passed on (Block 657). If further location information is not needed, then the process can proceed to send a DNS query to the authoritative DNS server. If additional location information is needed, then the process can obtain the additional information from the ISP or mobile network of the requesting client application. The decision can be based on, for instance, whether enough location information is already available, whether the ISP or mobile network that the DoH query came from is trusted or has an agreement with the DoH service provider, or whether the queried domain is trusted or has an agreement with the DoH service provider.
  • a check can be made whether there is recent location information already associated with the given DoH session (Block 661). If the additional location information is available locally (e.g., it has been cached from prior messaging related to the DoH session), then the location information is retrieved from locally stored information, and the process then proceeds to send the DNS query (Block 659).
  • the DoH server sends a request for location information to the ISP or mobile network, identifying the client application or the UE executing the client application by its public IP address and a five-tuple or similar value that identifies the DoH session (Block 663).
  • the ISP or mobile network of the client application is not determined until after the determination that the additional information is not locally available.
  • the DoH server receives a response from the ISP or mobile network with the requested location information (Block 665). If location information was available and the response came in expected time, the DoH server uses the returned location information in a DNS query to be sent to authoritative DNS server. A DNS request to the authoritative DNS server is generated with the location information to be sent (if any) and forwarded to the authoritative DNS server (Block 667). The DoH server receives a DNS response from the authoritative DNS server (Block 669). The DoH server forwards the DNS response to the client application via DoH protocol (Block 671).
  • Figure 6B describes the embodiment of the operation of a location management function of an ISP or mobile network.
  • the process 675 of the ISP or mobile network can be triggered by receiving a DoH request from a client application executed by a computing device managed by the ISP or mobile network (Block 676).
  • the ISP or mobile network can in some embodiments recognize and track outgoing DoH requests from client applications to DoH servers. This recognition and tracking can be based on, e.g., the destination address of a request being the address of the DoH server.
  • the ISP or mobile network forwards the received DoH request to the appropriate destination DoH server (Block 678).
  • the ISP or mobile network may receive a request from a DoH service for location information related to a client application (Block 680).
  • the DoH request identifies the DoH service provider making the request, the client application or related computing device whose location is needed, and the domain for which information is searched for by the client application.
  • the ISP or mobile network may determine if the DoH service provider is one that is authorized to access location information, e.g., the DoH service provider has an agreement with this ISP or mobile network to share location information (Block 682). If the DoH service provider is not authorized, then the ISP or mobile network can respond by declining the request or sending an error message (Block 690).
  • the ISP or the mobile network can determine if the domain is one that is authorized to be provided location information, e.g., the domain has an agreement with this ISP or mobile network for edge cloud services (Block 684). If the domain is not authorized for location information, then the ISP or mobile network can respond by declining the request or sending an error message (Block 690).
  • the ISP or the mobile network can determine whether the client application can be identified and authorized to share location information, e.g., the client application or the associated computing device can be uniquely identified from the information sent, and has settings that allow location information to be shared (Block 686).
  • the client application can be identified also by matching it to the outbound traffic observed when the corresponding DoH request was sent to the DoH server. If the client application cannot be identified and/or is determined to not allow identification, then the ISP or mobile network can respond by declining the DoH request or sending an error message (Block 690).
  • the ISP or mobile network can determine the current location of the client application or associated computing device (Block 688). Once the location of the client application or computing device executing the client application is determined, then the closest and/or most suitable (e.g., has sufficient capacity, lowest latency, sufficient bandwidth or similar characteristics) edge cloud service node is determined (Block 692). In some embodiments, if no suitable service node can be found, then the ISP or mobile network responds by declining the request or sending an error message.
  • the requested location information can be provided to the DoH server (Block 694).
  • the location information that is provided can be specific to a computing device executing the client application, the suitable edge cloud service node, or similar node in the ISP or mobile network.
  • the ISP or mobile network responds to the location information request positively and provides the address or name of the suitable edge cloud service node, computing device of the client application, or similar device as location information.
  • location information can be provided by other combinations of computing devices and entities.
  • the client application can participate in servicing the location request including providing the additional location information requested.
  • a location management function in the client application ’s network provides the additional information.
  • client applications can volunteer the additional information by including the information with a DoH request or similarly sending the information to the DoH server.
  • a client application can provide the additional location information in HTTP headers inside the DoH request.
  • the SCEF Service Capability Exposure Function
  • client applications and associated devices can be identified using different methods including the client application or associated device being identified by an IP address, the client application or the computing device being identified by a five-tuple identifying the DoH session from the client application, the client application or computing device being identified by a five-tuple that was used in a recent outgoing packet from the client application to the DoH server, the ISP or mobile network finding a client application by matching the five-tuple for the DoH session from the NAT session mapping table, or similar identification method.
  • the additional information can vary to include a location of the client application or associated computing device, a location of an edge cloud server near the client, or a location of similar node that is proximate to the client application. Privacy and security can be ensured using different techniques including only allowing location queries from a DoH server shortly after outgoing traffic to that server was observed from the client, encrypting the location information to the authoritative DNS server using public key encryption, so that the DoH server is unable to see the location, the DoH server deciding whether to forward the additional information based on the domain in question, the ISP or mobile network deciding to provide location information based on whether the network has been configured to provide this information for the DoH or DoT server in question, or for the domain in question.
  • FIG. 7 is a diagram of a network that illustrates one implementation example for particular embodiments described herein.
  • Network device (ND) 700 may, in some
  • network device 700 may include radio access features that provide wireless radio network access to other electronic devices (for example a“radio access network device” may refer to such a network device) such as user equipment devices (UEs).
  • network device 700 may be a base station, such as eNodeB in Long Term Evolution (LTE), NodeB in Wideband Code Division Multiple Access (WCDMA) or other types of base stations, as well as a Radio Network Controller (RNC), a Base Station Controller (BSC), or other types of control nodes.
  • LTE Long Term Evolution
  • WCDMA Wideband Code Division Multiple Access
  • RNC Radio Network Controller
  • BSC Base Station Controller
  • Processor 701 may be a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application specific integrated circuit, field programmable gate array, any other type of electronic circuitry, or any combination of one or more of the preceding.
  • the processor 701 may comprise one or more processor cores.
  • some or all of the functionality described herein as being provided by network device 700 may be implemented by processor 701 executing software instructions, either alone or in conjunction with other network device 700 components, such as memory 702.
  • Memory 702 may store code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using non- transitory machine-readable (e.g., computer-readable) media, such as machine-readable storage media (e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals).
  • machine-readable storage media e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory
  • machine-readable transmission media e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals.
  • memory 702 may comprise non-volatile memory containing code to be executed by processor 701.
  • memory 702 is non-volatile
  • the code and/or data stored therein can persist even when the network device is turned off (when power is removed).
  • the processor(s) 701 may be copied from non-volatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of network device 700.
  • DRAM dynamic random access memory
  • SRAM static random access memory
  • aspect of the location manager functions can be implemented as code stored in the memory 702.
  • Interface 703 may be used in the wired and/or wireless communication of signaling and/or data to or from network device 700.
  • interface 703 may perform any formatting, coding, or translating to allow network device 700 to send and receive data whether over a wired and/or a wireless connection.
  • interface 703 may comprise radio circuitry capable of receiving data from other devices in the network over a wireless connection and/or sending data out to other devices via a wireless connection.
  • This radio circuitry may include transmitted s), receiver(s), and/or transceiver(s) suitable for radiofrequency communication.
  • the radio circuitry may convert digital data into a radio signal having the appropriate parameters (e.g., frequency, timing, channel, bandwidth, etc.).
  • interface 703 may comprise network interface controlled s) (NICs), also known as a network interface card, network adapter, local area network (LAN) adapter or physical network interface.
  • NICs network interface controlled s
  • the NIC(s) may facilitate in connecting the network device 700 to other devices allowing them to communicate via wire through plugging in a cable to a physical port connected to a NIC.
  • processor 701 may represent part of interface 703, and some or all of the functionality described as being provided by interface XI 03 may be provided more specifically by processor 701.
  • network device 700 The components of network device 700 are each depicted as separate boxes located within a single larger box for reasons of simplicity in describing certain aspects and features of network device 700 disclosed herein. In practice however, one or more of the components illustrated in the example network device 700 may comprise multiple different physical elements (e.g., interface 703 may comprise terminals for coupling wires for a wired connection and a radio transceiver for a wireless connection).
  • interface 703 may comprise terminals for coupling wires for a wired connection and a radio transceiver for a wireless connection).
  • the embodiments of the improved location services of the DoH server and the ISP or mobile network may be implemented in the network device 700 by means of a computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the actions according to any of the above features and embodiments, where appropriate.
  • modules are illustrated as being implemented in software stored in memory 702, other embodiments implement part or all of each of these modules in hardware.
  • Figure 8A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some
  • Figure 8A shows NDs 800A-H, and their connectivity by way of lines between 800A-800B, 800B-800C, 800C-800D, 800D-800E, 800E-800F, 800F-800G, and 800A-800G, as well as between 800H and each of 800A, 800C, 800D, and 800G.
  • These NDs are physical devices, and the connectivity between these NDs can be wireless or wired (often referred to as a link).
  • NDs 800A, 800E, and 800F An additional line extending from NDs 800A, 800E, and 800F illustrates that these NDs act as ingress and egress points for the network (and thus, these NDs are sometimes referred to as edge NDs; while the other NDs may be called core NDs).
  • ASICs application-specific integrated-circuits
  • OS special-purpose operating system
  • COTS common off-the-shelf
  • the special-purpose network device 802 includes networking hardware 810 comprising a set of one or more processor(s) 812, forwarding resource(s) 814 (which typically include one or more ASICs and/or network processors), and physical network interfaces (NIs) 816 (through which network connections are made, such as those shown by the connectivity between
  • networking software 820 may be executed by the networking hardware 810 to instantiate a set of one or more networking software instance(s) 822.
  • Each of the networking software instance(s) 822, and that part of the networking hardware 810 that executes that network software instance form a separate virtual network element 830A-R.
  • Each of the virtual network element(s) (VNEs) 830A- R includes a control communication and configuration module 832A-R (sometimes referred to as a local control module or control communication module) and forwarding table(s) 834A-R, such that a given virtual network element (e.g., 830A) includes the control communication and configuration module (e.g., 832A), a set of one or more forwarding table(s) (e.g., 834A), and that portion of the networking hardware 810 that executes the virtual network
  • the special-purpose network device 802 is often physically and/or logically considered to include: 1) a ND control plane 824 (sometimes referred to as a control plane) comprising the processor(s) 812 that execute the control communication and configuration module(s) 832A-R; and 2) a ND forwarding plane 826 (sometimes referred to as a forwarding plane, a data plane, or a media plane) comprising the forwarding resource(s) 814 that utilize the forwarding
  • the ND control plane 824 (the processor(s) 812 executing the control communication and configuration module(s) 832A-R) is typically responsible for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) and storing that routing information in the forwarding table(s) 834A-R, and the ND forwarding plane 826 is responsible for receiving that data on the physical NIs 816 and forwarding that data out the appropriate ones of the physical NIs 816 based on the forwarding table(s) 834A-R.
  • data e.g., packets
  • the ND forwarding plane 826 is responsible for receiving that data on the physical NIs 816 and forwarding that data out the appropriate ones of the physical NIs 816 based on the forwarding table(s) 834A-R.
  • Figure 8B illustrates an exemplary way to implement the special-purpose network device 802 according to some embodiments of the invention.
  • Figure 8B shows a special-purpose network device including cards 838 (typically hot pluggable). While in some embodiments the cards 838 are of two types (one or more that operate as the ND forwarding plane 826
  • a service card can provide specialized processing (e.g., Layer 4 to Layer 7 services (e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer-to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)).
  • Layer 4 to Layer 7 services e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer-to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)).
  • IPsec Internet Protocol
  • a service card may be used to terminate IPsec tunnels and execute the attendant authentication and encryption algorithms. These cards are coupled together through one or more interconnect mechanisms illustrated as backplane 836 (e.g., a first full mesh coupling the line cards and a second full mesh coupling all of the cards).
  • backplane 836 e.g., a first full mesh coupling the line cards and a second full mesh coupling all of the cards.
  • the general purpose network device 804 includes hardware 840 comprising a set of one or more processor(s) 842 (which are often COTS processors) and physical NIs 846, as well as non-transitory machine readable storage media 848 having stored therein software 850.
  • the processor(s) 842 execute the software 850 to instantiate one or more sets of one or more applications 864A-R. While one embodiment does not implement virtualization, alternative embodiments may use different forms of virtualization.
  • the virtualization layer 854 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 862A-R called software containers that may each be used to execute one (or more) of the sets of applications 864A-R; where the multiple software containers (also called virtualization engines, virtual private servers, or jails) are user spaces (typically a virtual memory space) that are separate from each other and separate from the kernel space in which the operating system is run; and where the set of applications running in a given user space, unless explicitly allowed, cannot access the memory of the other processes.
  • the multiple software containers also called virtualization engines, virtual private servers, or jails
  • user spaces typically a virtual memory space
  • the virtualization layer 854 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and each of the sets of applications 864A-R is run on top of a guest operating system within an instance 862A-R called a virtual machine (which may in some cases be considered a tightly isolated form of software container) that is run on top of the hypervisor - the guest operating system and application may not know they are running on a virtual machine as opposed to running on a“bare metal” host electronic device, or through para-virtualization the operating system and/or application may be aware of the presence of virtualization for optimization purposes.
  • a hypervisor sometimes referred to as a virtual machine monitor (VMM)
  • VMM virtual machine monitor
  • one, some or all of the applications are implemented as unikemel(s), which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including drivers/libraries of OS sendees) that provide the particular OS sendees needed by the application.
  • libraries e.g., from a library operating system (LibOS) including drivers/libraries of OS sendees
  • unikernel can be implemented to run directly on hardware 840, directly on a hypervisor (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container
  • embodiments can be implemented fully with unikemels running directly on a hypervisor represented by virtualization layer 854, unikemels running within software containers represented by instances 862A-R, or as a combination of unikemels and the above-described techniques (e.g., unikemels and virtual machines both ran directly on a hypervisor, unikemels and sets of applications that are ran in different software containers).
  • the instantiation of the one or more sets of one or more applications 864A-R, as well as virtualization if implemented, are collectively referred to as software instance(s) 852.
  • the virtual network element(s) 860A-R perform similar functionality to the virtual network element(s) 830A-R - e.g., similar to the control communication and configuration module(s) 832A and forwarding table(s) 834A (this virtualization of the hardware 840 is sometimes referred to as network function virtualization (NFV)).
  • NFV network function virtualization
  • CPE customer premise equipment
  • the virtualization layer 854 includes a virtual switch that provides similar forwarding services as a physical Ethernet switch.
  • this virtual switch forwards traffic between instances 862A-R and the physical NI(s) 846, as well as optionally between the instances 862A-R; in addition, this virtual switch may enforce network isolation between the VNEs 860A-R that by policy are not permitted to communicate with each other (e.g., by honoring virtual local area networks (VLANs)).
  • VLANs virtual local area networks
  • the third exemplary ND implementation in Figure 8A is a hybrid network device 806, which includes both custom ASICs/special-purpose OS and COTS processors/standard OS in a single ND or a single card within an ND.
  • a platform VM i.e., a VM that that implements the functionality of the special-purpose network device 802 could provide for para-virtualization to the networking hardware present in the hybrid network device 806.
  • NE network element
  • each of the VNEs receives data on the physical NIs (e.g., 816, 846) and forwards that data out the appropriate ones of the physical NIs (e.g., 816, 846).
  • the physical NIs e.g., 816, 846
  • a VNE implementing IP router functionality forwards IP packets on the basis of some of the IP header information in the IP packet; where IP header information includes source IP address, destination IP address, source port, destination port (where“source port” and“destination port” refer herein to protocol ports, as opposed to physical ports of a ND), transport protocol (e.g., user datagram protocol (UDP), Transmission Control Protocol (TCP), QUIC, and differentiated services code point (DSCP) values.
  • transport protocol e.g., user datagram protocol (UDP), Transmission Control Protocol (TCP), QUIC, and differentiated services code point (DSCP) values.
  • UDP user datagram protocol
  • TCP Transmission Control Protocol
  • QUIC differentiated services code point
  • Figure 8C illustrates various exemplary ways in which VNEs may be coupled according to some embodiments of the invention.
  • Figure 8C shows VNEs 870A.1-870A.P (and optionally VNEs 870A.Q-870A.R) implemented in ND 800A and VNE 870H.1 in ND 800H.
  • VNEs 870A.1-P are separate from each other in the sense that they can receive packets from outside ND 800A and forward packets outside of ND 800A; VNE 870A.1 is coupled with VNE 870H.1, and thus they communicate packets between their respective NDs; VNE 870A.2-870A.3 may optionally forward packets between themselves without forwarding them outside of the ND 800A; and VNE 870A.P may optionally be the first in a chain of VNEs that includes VNE 870A.Q followed by VNE 870A.R (this is sometimes referred to as dynamic service chaining, where each of the VNEs in the series of VNEs provides a different service - e.g., one or more layer 4-7 network services). While Figure 8C illustrates various exemplary relationships between the VNEs, alternative embodiments may support other relationships (e.g., more/fewer VNEs, more/fewer dynamic service chains, multiple different dynamic service chains with some common VNEs and some different V
  • the NDs of Figure 8 A may form part of the Internet or a private network; and other electronic devices (not shown; such as end user devices including workstations, laptops, netbooks, tablets, palm tops, mobile phones, smartphones, phablets, multimedia phones, Voice Over Internet Protocol (VOIP) phones, terminals, portable media players, GPS units, wearable devices, gaming systems, set-top boxes, Internet enabled household appliances) may be coupled to the network (directly or through other networks such as access networks) to communicate over the network (e.g., the Internet or virtual private networks (VPNs) overlaid on (e.g., tunneled through) the Internet) with each other (directly or through servers) and/or access content and/or services.
  • VOIP Voice Over Internet Protocol
  • Such content and/or services are typically provided by one or more servers (not shown) belonging to a service/content provider or one or more end user devices (not shown) participating in a peer-to-peer (P2P) service, and may include, for example, public webpages (e.g., free content, store fronts, search services), private webpages (e.g., usemame/password accessed webpages providing email services), and/or corporate networks over VPNs.
  • end user devices may be coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)) to edge NDs, which are coupled (e.g., through one or more core NDs) to other edge NDs, which are coupled to electronic devices acting as servers.
  • one or more of the electronic devices operating as the NDs in Figure 8A may also host one or more such servers (e.g., in the case of the general purpose network device 804, one or more of the software instances 862A-R may operate as servers; the same would be true for the hybrid network device 806; in the case of the special-purpose network device 802, one or more such servers could also be run on a virtualization layer executed by the processor(s) 812); in which case the servers are said to be co-located with the VNEs of that ND.
  • the servers are said to be co-located with the VNEs of that ND.
  • a virtual network is a logical abstraction of a physical network (such as that in Figure 8A) that provides network services (e.g., L2 and/or L3 services).
  • a virtual network can be implemented as an overlay network (sometimes referred to as a network virtualization overlay) that provides network services (e.g., layer 2 (L2, data link layer) and/or layer 3 (L3, network layer) services) over an underlay network (e.g., an L3 network, such as an Internet Protocol (IP) network that uses tunnels (e.g., generic routing encapsulation (GRE), layer 2 tunneling protocol (L2TP), IPSec) to create the overlay network).
  • IP Internet Protocol
  • a network virtualization edge sits at the edge of the underlay network and participates in implementing the network virtualization; the network-facing side of the NVE uses the underlay network to tunnel frames to and from other NVEs; the outward-facing side of the NVE sends and receives data to and from systems outside the network.
  • a virtual network instance is a specific instance of a virtual network on a NVE (e.g., a NE/VNE on an ND, a part of a NE/VNE on a ND where that NE/VNE is divided into multiple VNEs through emulation); one or more VNIs can be instantiated on an NVE (e.g., as different VNEs on an ND).
  • a virtual access point is a logical connection point on the NVE for connecting external systems to a virtual network; a VAP can be physical or virtual ports identified through logical interface identifiers (e.g., a VLAN ID).
  • Examples of network services include: 1) an Ethernet LAN emulation service (an Ethernet-based multipoint service similar to an Internet Engineering Task Force (IETF) Multiprotocol Label Switching (MPLS) or Ethernet VPN (EVPN) service) in which external systems are interconnected across the network by a LAN environment over the underlay network (e.g., an NVE provides separate L2 VNIs (virtual switching instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network); and 2) a virtualized IP forwarding service (similar to IETF IP VPN (e.g., Border Gateway Protocol (BGP)/MPLS IPVPN) from a service definition perspective) in which external systems are interconnected across the network by an L3 environment over the underlay network (e.g., an NVE provides separate L3 VNIs (forwarding and routing instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network)
  • Network services may also include quality of service capabilities (e.g., traffic classification marking, traffic conditioning and scheduling), security capabilities (e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements), and management capabilities (e.g., full detection and processing).
  • quality of service capabilities e.g., traffic classification marking, traffic conditioning and scheduling
  • security capabilities e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements
  • management capabilities e.g., full detection and processing
  • FIG. 8D illustrates a network with a single network element on each of the NDs of Figure 8A, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention.
  • Figure 8D illustrates network elements (NEs) 870A-H with the same connectivity as the NDs 800A-H of Figure 8 A.
  • Figure 8D illustrates that the distributed approach 872 distributes responsibility for generating the reachability and forwarding information across the NEs 870A-H; in other words, the process of neighbor discovery and topology discovery is distributed.
  • the control communication and configuration module(s) 832A-R of the ND control plane 824 typically include a reachability and forwarding information module to implement one or more routing protocols (e.g., an exterior gateway protocol such as Border Gateway Protocol (BGP), Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Routing Information Protocol (RIP), Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP) (including RSVP-Traffic Engineering (TE): Extensions to RSVP for LSP Tunnels and Generalized Multi -Protocol Label Switching
  • Border Gateway Protocol BGP
  • IGP Interior Gateway Protocol
  • OSPF Open Shortest Path First
  • IS-IS Intermediate System to Intermediate System
  • RIP Routing Information Protocol
  • LDP Label Distribution Protocol
  • RSVP Resource Reservation
  • the NEs 870A-H e.g., the processor(s) 812 executing the control communication and configuration module(s) 832A-R
  • the NEs 870A-H perform their responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by
  • Routes and adjacencies are stored in one or more routing structures (e.g., Routing Information Base (RIB), Label Information Base (LIB), one or more adjacency structures) on the ND control plane 824.
  • the ND control plane 824 programs the ND forwarding plane 826 with information (e.g., adjacency and route information) based on the routing structure(s).
  • the ND control plane 824 programs the adjacency and route information into one or more forwarding table(s) 834A-R (e.g., Forwarding Information Base (FIB), Label Forwarding Information Base (LFIB), and one or more adjacency structures) on the ND forwarding plane 826.
  • the ND can store one or more bridging tables that are used to forward data based on the layer 2 information in that data. While the above example uses the special-purpose network device 802, the same distributed approach 872 can be implemented on the general purpose network device 804 and the hybrid network device 806.
  • FIG. 8D illustrates that a centralized approach 874 (also known as software defined networking (SDN)) that decouples the system that makes decisions about where traffic is sent from the underlying systems that forwards traffic to the selected destination.
  • the illustrated centralized approach 874 has the responsibility for the generation of reachability and forwarding information in a centralized control plane 876 (sometimes referred to as a SDN control module, controller, network controller, OpenFlow controller, SDN controller, control plane node, network virtualization authority, or management control entity), and thus the process of neighbor discovery and topology discovery is centralized.
  • a centralized control plane 876 sometimes referred to as a SDN control module, controller, network controller, OpenFlow controller, SDN controller, control plane node, network virtualization authority, or management control entity
  • the centralized control plane 876 has a south bound interface 882 with a data plane 880 (sometime referred to the infrastructure layer, network forwarding plane, or forwarding plane (which should not be confused with a ND forwarding plane)) that includes the NEs 870A-H (sometimes referred to as switches, forwarding elements, data plane elements, or nodes).
  • the centralized control plane 876 includes a network controller 878, which includes a centralized reachability and forwarding information module 879 that determines the reachability within the network and distributes the forwarding information to the NEs 870A-H of the data plane 880 over the south bound interface 882 (which may use the OpenFlow protocol).
  • the network intelligence is centralized in the centralized control plane 876 executing on electronic devices that are typically separate from the NDs.
  • each of the control communication and configuration module(s) 832A-R of the ND control plane 824 typically include a control agent that provides the V E side of the south bound interface 882.
  • the ND control plane 824 (the processor(s) 812 executing the control communication and configuration module(s) 832A-R) performs its responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) through the control agent communicating with the centralized control plane 876 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 879 (it should be understood that in some embodiments of the invention, the control communication and configuration module(s) 832A-R, in addition to communicating with the centralized control plane 876, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach; such embodiments are generally considered to fall under the centralized approach 874, but may also be considered a hybrid approach).
  • data e.g., packets
  • the control agent communicating with the centralized control plane 876 to receive the forwarding
  • the same centralized approach 874 can be implemented with the general purpose network device 804 (e.g., each of the VNE 860A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by communicating with the centralized control plane 876 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 879; it should be understood that in some embodiments of the invention, the VNEs 860A-R, in addition to communicating with the centralized control plane 876, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach) and the hybrid network device 806.
  • the general purpose network device 804 e.g., each of the VNE 860A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for
  • NFV is able to support SDN by providing an infrastructure upon which the SDN software can be run
  • NFV and SDN both aim to make use of commodity server hardware and physical switches.
  • Figure 8D also shows that the centralized control plane 876 has a north bound interface 884 to an application layer 886, in which resides application(s) 888.
  • the centralized control plane 876 has the ability to form virtual networks 892 (sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 870A-H of the data plane 880 being the underlay network)) for the application(s) 888.
  • virtual networks 892 sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 870A-H of the data plane 880 being the underlay network)
  • the centralized control plane 876 maintains a global view of all NDs and configured NEs/VNEs, and it maps the virtual networks to the underlying NDs efficiently (including maintaining these mappings as the physical network changes either through hardware (ND, link, or ND component) failure, addition, or removal).
  • Figure 8D shows the distributed approach 872 separate from the centralized approach 874
  • the effort of network control may be distributed differently or the two combined in certain embodiments of the invention.
  • embodiments may generally use the centralized approach (SDN) 874, but have certain functions delegated to the NEs (e.g., the distributed approach may be used to implement one or more of fault monitoring, performance monitoring, protection switching, and primitives for neighbor and/or topology discovery); or 2) embodiments of the invention may perform neighbor discovery and topology discovery via both the centralized control plane and the distributed protocols, and the results compared to raise exceptions where they do not agree.
  • SDN centralized approach
  • Such embodiments are generally considered to fall under the centralized approach 874, but may also be considered a hybrid approach.
  • Figure 8D illustrates the simple case where each of the NDs 800A-H implements a single NE 870A-H, it should be understood that the network control approaches described with reference to Figure 8D also work for networks where one or more of the
  • NDs 800A-H implement multiple VNEs (e.g., VNEs 830A-R, VNEs 860A-R, those in the hybrid network device 806).
  • the network controller 878 may also emulate the implementation of multiple VNEs in a single ND.
  • the network controller 878 may present the implementation of a VNE/NE in a single ND as multiple VNEs in the virtual networks 892 (all in the same one of the virtual network(s) 892, each in different ones of the virtual network(s) 892, or some combination).
  • the network controller 878 may cause an ND to implement a single VNE (a NE) in the underlay network, and then logically divide up the resources of that NE within the centralized control plane 876 to present different VNEs in the virtual network(s) 892 (where these different VNEs in the overlay networks are sharing the resources of the single VNE/NE implementation on the ND in the underlay network).
  • a single VNE a NE
  • the network controller 878 may cause an ND to implement a single VNE (a NE) in the underlay network, and then logically divide up the resources of that NE within the centralized control plane 876 to present different VNEs in the virtual network(s) 892 (where these different VNEs in the overlay networks are sharing the resources of the single VNE/NE implementation on the ND in the underlay network).
  • Figures 8E and 8F respectively illustrate exemplary abstractions of NEs and VNEs that the network controller 878 may present as part of different ones of the virtual networks 892.
  • Figure 8E illustrates the simple case of where each of the NDs 800A-H implements a single NE 870A-H (see Figure 8D), but the centralized control plane 876 has abstracted multiple of the NEs in different NDs (the NEs 870A-C and G-H) into (to represent) a single NE 8701 in one of the virtual network(s) 892 of Figure 8D, according to some
  • Figure 8E shows that in this virtual network, the NE 8701 is coupled to NE 870D and 870F, which are both still coupled to NE 870E.
  • Figure 8F illustrates a case where multiple VNEs (VNE 870A.1 and VNE 870H.1) are implemented on different NDs (ND 800A and ND 800H) and are coupled to each other, and where the centralized control plane 876 has abstracted these multiple VNEs such that they appear as a single VNE 870T within one of the virtual networks 892 of Figure 8D, according to some embodiments of the invention.
  • the abstraction of a NE or VNE can span multiple NDs.
  • the electronic device(s) running the centralized control plane 876 may be implemented a variety of ways (e.g., a special purpose device, a general-purpose (e.g., COTS) device, or hybrid device). These electronic device(s) would similarly include processor(s), a set or one or more physical NIs, and a non-transitory machine-readable storage medium having stored thereon the centralized control plane software.
  • Figure 9 illustrates, a general purpose control plane device 904 including hardware 940 comprising a set of one or more processor(s) 942 (which are often COTS processors) and physical NIs 946, as well as non-transitory machine readable storage media 948 having stored therein centralized control plane (CCP) software 950.
  • processor(s) 942 which are often COTS processors
  • NIs 946 physical NIs 946
  • CCP centralized control plane
  • the processor(s) 942 typically execute software to instantiate a virtualization layer 954 (e.g., in one embodiment the virtualization layer 954 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 962A-R called software containers (representing separate user spaces and also called virtualization engines, virtual private servers, or jails) that may each be used to execute a set of one or more applications; in another embodiment the virtualization layer 954 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and an application is run on top of a guest operating system within an instance 962A-R called a virtual machine (which in some cases may be considered a tightly isolated form of software container) that is run by the hypervisor ; in another embodiment, an application is implemented as a unikernel, which can be generated by compiling directly with an application only a
  • VMM virtual machine monitor
  • CCP instance 976A an instance of the CCP software 950 (illustrated as CCP instance 976A) is executed (e.g., within the instance 962A) on the virtualization layer 954.
  • CCP instance 976A is executed, as a unikemel or on top of a host operating system, on the“bare metal” general purpose control plane device 904.
  • instances 962A-R if implemented, are collectively referred to as software instance(s) 952.
  • the CCP instance 976A includes a network controller instance 978.
  • the network controller instance 978 includes a centralized reachability and forwarding information module instance 979 (which is a middleware layer providing the context of the network controller 878 to the operating system and communicating with the various NEs), and an CCP application layer 980 (sometimes referred to as an application layer) over the middleware layer (providing the intelligence required for various network operations such as protocols, network situational awareness, and user - interfaces).
  • this CCP application layer 980 within the centralized control plane 876 works with virtual network view(s) (logical view(s) of the network) and the middleware layer provides the conversion from the virtual networks to the physical view.
  • the centralized control plane 876 transmits relevant messages to the data plane 880 based on CCP application layer 980 calculations and middleware layer mapping for each flow.
  • a flow may be defined as a set of packets whose headers match a given pattern of bits; in this sense, traditional IP forwarding is also flow-based forwarding where the flows are defined by the destination IP address for example; however, in other implementations, the given pattern of bits used for a flow definition may include more fields (e.g., 10 or more) in the packet headers.
  • Different NDs/NEs/VNEs of the data plane 880 may receive different messages, and thus different forwarding information.
  • the data plane 880 processes these messages and programs the appropriate flow information and corresponding actions in the forwarding tables (sometime referred to as flow tables) of the appropriate NE/VNEs, and then the NEs/VNEs map incoming packets to flows represented in the forwarding tables and forward packets based on the matches in the forwarding tables.
  • Standards such as OpenFlow define the protocols used for the messages, as well as a model for processing the packets.
  • the model for processing packets includes header parsing, packet classification, and making forwarding decisions. Header parsing describes how to interpret a packet based upon a well-known set of protocols. Some protocol fields are used to build a match structure (or key) that will be used in packet classification (e.g., a first key field could be a source media access control (MAC) address, and a second key field could be a destination MAC address).
  • MAC media access control
  • Packet classification involves executing a lookup in memory to classify the packet by determining which entry (also referred to as a forwarding table entry or flow entry) in the forwarding tables best matches the packet based upon the match structure, or key, of the forwarding table entries. It is possible that many flows represented in the forwarding table entries can correspond/match to a packet; in this case the system is typically configured to determine one forwarding table entry from the many according to a defined scheme (e.g., selecting a first forwarding table entry that is matched).
  • Forwarding table entries include both a specific set of match criteria (a set of values or wildcards, or an indication of what portions of a packet should be compared to a particular value/values/wildcards, as defined by the matching capabilities - for specific fields in the packet header, or for some other packet content), and a set of one or more actions for the data plane to take on receiving a matching packet. For example, an action may be to push a header onto the packet, for the packet using a particular port, flood the packet, or simply drop the packet.
  • TCP transmission control protocol
  • an unknown packet for example, a“missed packet” or a“match- miss” as used in OpenFlow parlance
  • the packet (or a subset of the packet header and content) is typically forwarded to the centralized control plane 876.
  • the centralized control plane 876 will then program forwarding table entries into the data plane 880 to accommodate packets belonging to the flow of the unknown packet. Once a specific forwarding table entry has been programmed into the data plane 880 by the centralized control plane 876, the next packet with matching credentials will match that forwarding table entry and take the set of actions associated with that matched entry.
  • a network interface may be physical or virtual; and in the context of IP, an interface address is an IP address assigned to a NI, be it a physical NI or virtual NI.
  • a virtual NI may be associated with a physical NI, with another virtual interface, or stand on its own (e.g., a loopback interface, a point-to-point protocol interface).
  • a NI (physical or virtual) may be numbered (a NI with an IP address) or unnumbered (a NI without an IP address).
  • a loopback interface (and its loopback address) is a specific type of virtual NI (and IP address) of a
  • IP addresses of that ND are referred to as IP addresses of that ND; at a more granular level, the IP address(es) assigned to NI(s) assigned to a NE/VNE implemented on a ND can be referred to as IP addresses of that NE/VNE.
  • Next hop selection by the routing system for a given destination may resolve to one path (that is, a routing protocol may generate one next hop on a shortest path); but if the routing system determines there are multiple viable next hops (that is, the routing protocol generated forwarding solution offers more than one next hop on a shortest path - multiple equal cost next hops), some additional criteria is used - for instance, in a connectionless network, Equal Cost Multi Path (ECMP) (also known as Equal Cost Multi Pathing, multipath forwarding and IP multipath) may be used (e.g., typical implementations use as the criteria particular header fields to ensure that the packets of a particular packet flow are always forwarded on the same next hop to preserve packet flow ordering).
  • ECMP Equal Cost Multi Path
  • a packet flow is defined as a set of packets that share an ordering constraint.
  • the set of packets in a particular TCP transfer sequence need to arrive in order, else the TCP logic will interpret the out of order delivery as congestion and slow the TCP transfer rate down.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention concerne un procédé et un système pour prendre en charge la localisation ayant un système de nom de domaine (DNS) sur des sessions de protocole de transfert hypertexte sécurisé (HTTPS) (DoH) ou de sécurité de couche de transport (TLS) (DoT). Le procédé consiste à recevoir une requête DNS en provenance d'un dispositif client, à déterminer des informations de localisation du dispositif client, à transmettre la demande DNS à un service DNS faisant autorité accompagnée des informations de localisation, à recevoir une réponse DNS comprenant une adresse de serveur du service DNS faisant autorité, et à répondre au dispositif client à l'aide de l'adresse de serveur.
PCT/IB2019/061454 2019-07-22 2019-12-31 Protocole de transfert de système de nom de domaine-sur-hypertexte sécurisé ayant une localisation de nuage de bord ou de réseau de distribution de contenu WO2021014204A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201962877208P 2019-07-22 2019-07-22
US62/877,208 2019-07-22

Publications (1)

Publication Number Publication Date
WO2021014204A1 true WO2021014204A1 (fr) 2021-01-28

Family

ID=69187829

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2019/061454 WO2021014204A1 (fr) 2019-07-22 2019-12-31 Protocole de transfert de système de nom de domaine-sur-hypertexte sécurisé ayant une localisation de nuage de bord ou de réseau de distribution de contenu

Country Status (1)

Country Link
WO (1) WO2021014204A1 (fr)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113364684A (zh) * 2021-05-07 2021-09-07 联想(北京)有限公司 一种信息处理方法、边缘计算平台及存储介质
CN113361694A (zh) * 2021-06-30 2021-09-07 哈尔滨工业大学 一种应用差分隐私保护的分层联邦学习方法及系统
CN113438332A (zh) * 2021-05-21 2021-09-24 中国科学院信息工程研究所 一种DoH服务标识方法及装置
CN114430407A (zh) * 2022-04-06 2022-05-03 北京翼辉信息技术有限公司 一种基于doh的电子设备动态访问方法、装置及存储介质
US20220368725A1 (en) * 2021-05-17 2022-11-17 Charter Communications Operating, Llc Managing Client-Oriented Domain Name Service over Hypertext Transfer Protocol Secure
US11683286B2 (en) 2021-11-18 2023-06-20 Cisco Technology, Inc. Anonymizing server-side addresses
WO2023129477A1 (fr) * 2021-12-30 2023-07-06 Intel Corporation Déploiement de réseau informatique en périphérie pour systèmes de cinquième génération (5g)
CN117938808A (zh) * 2024-03-21 2024-04-26 北京火山引擎科技有限公司 用于边缘计算的域名解析方法、系统、装置、设备及介质
US12034707B2 (en) 2023-02-01 2024-07-09 Cisco Technology, Inc. Randomizing server-side addresses

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2482525A1 (fr) * 2011-01-28 2012-08-01 NTT DoCoMo, Inc. Procédé et appareil permettant de déterminer un serveur pouvant répondre à une requête de service

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2482525A1 (fr) * 2011-01-28 2012-08-01 NTT DoCoMo, Inc. Procédé et appareil permettant de déterminer un serveur pouvant répondre à une requête de service

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CONTAVALLI W VAN DER GAAST GOOGLE D LAWRENCE AKAMAI TECHNOLOGIES W KUMARI GOOGLE C: "Client Subnet in DNS Queries; rfc7871.txt", CLIENT SUBNET IN DNS QUERIES; RFC7871.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 20 May 2016 (2016-05-20), pages 1 - 30, XP015112866 *
HOFFMAN ICANN P MCMANUS MOZILLA P: "DNS Queries over HTTPS (DoH); rfc8484.txt", DNS QUERIES OVER HTTPS (DOH); RFC8484.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 19 October 2018 (2018-10-19), pages 1 - 21, XP015128219 *
HU L ZHU J HEIDEMANN USC/ISI A MANKIN INDEPENDENT D WESSELS VERISIGN LABS P HOFFMAN ICANN Z: "Specification for DNS over Transport Layer Security (TLS); rfc7858.txt", SPECIFICATION FOR DNS OVER TRANSPORT LAYER SECURITY (TLS); RFC7858.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 18 May 2016 (2016-05-18), pages 1 - 19, XP015112863 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113364684A (zh) * 2021-05-07 2021-09-07 联想(北京)有限公司 一种信息处理方法、边缘计算平台及存储介质
CN113364684B (zh) * 2021-05-07 2023-01-17 联想(北京)有限公司 一种信息处理方法、边缘计算平台及存储介质
US20220368725A1 (en) * 2021-05-17 2022-11-17 Charter Communications Operating, Llc Managing Client-Oriented Domain Name Service over Hypertext Transfer Protocol Secure
US11943258B2 (en) * 2021-05-17 2024-03-26 Charter Communications Operating, Llc Managing client-oriented domain name service over Hypertext Transfer Protocol Secure
CN113438332A (zh) * 2021-05-21 2021-09-24 中国科学院信息工程研究所 一种DoH服务标识方法及装置
CN113438332B (zh) * 2021-05-21 2022-08-23 中国科学院信息工程研究所 一种DoH服务标识方法及装置
CN113361694B (zh) * 2021-06-30 2022-03-15 哈尔滨工业大学 一种应用差分隐私保护的分层联邦学习方法及系统
CN113361694A (zh) * 2021-06-30 2021-09-07 哈尔滨工业大学 一种应用差分隐私保护的分层联邦学习方法及系统
US11683286B2 (en) 2021-11-18 2023-06-20 Cisco Technology, Inc. Anonymizing server-side addresses
US11979366B2 (en) 2021-11-18 2024-05-07 Cisco Technology, Inc. Anonymizing server-side addresses
WO2023129477A1 (fr) * 2021-12-30 2023-07-06 Intel Corporation Déploiement de réseau informatique en périphérie pour systèmes de cinquième génération (5g)
CN114430407A (zh) * 2022-04-06 2022-05-03 北京翼辉信息技术有限公司 一种基于doh的电子设备动态访问方法、装置及存储介质
US12034707B2 (en) 2023-02-01 2024-07-09 Cisco Technology, Inc. Randomizing server-side addresses
CN117938808A (zh) * 2024-03-21 2024-04-26 北京火山引擎科技有限公司 用于边缘计算的域名解析方法、系统、装置、设备及介质

Similar Documents

Publication Publication Date Title
WO2021014204A1 (fr) Protocole de transfert de système de nom de domaine-sur-hypertexte sécurisé ayant une localisation de nuage de bord ou de réseau de distribution de contenu
US9629037B2 (en) Handover of a mobile device in an information centric network
WO2017037615A1 (fr) Procédé et appareil de modification d'états de réacheminement dans un dispositif de réseau d'un réseau défini par logiciel
US20200267051A1 (en) Remotely controlling network slices in a network
US9712649B2 (en) CCN fragmentation gateway
US11294730B2 (en) Process placement in a cloud environment based on automatically optimized placement policies and process execution profiles
EP3935814B1 (fr) Sélection de réseau d'accès dynamique sur la base d'informations d'orchestration d'application dans un système de nuage de périphérie
WO2021134434A1 (fr) Procédé et système de filtrage d'horizon divisé de réseau privé virtuel ethernet (evpn)
EP3456020B1 (fr) Mécanisme de génération de réponse de paquet en ligne dans des réseaux définis par logiciel
WO2017141076A1 (fr) Protocole multidiffusion sans état destiné aux réseaux avec perte et de faible puissance
WO2021009554A1 (fr) Procédé et système destinés à un échange d'informations sécurisé entre des nœuds intermédiaires et d'extrémité dans un réseau de communication
CN110431827B (zh) 使用位置标识符分离协议来实现分布式网关架构以用于3gpp移动性
US11671483B2 (en) In-band protocol-based in-network computation offload framework
US20220338279A1 (en) Multi-operator maritime mesh network
US20200358860A1 (en) A method for seamless migration of session authentication to a different stateful diameter authenticating peer
US11375405B2 (en) Identifier-locator network protocol (ILNP) coordinated multipoint (CoMP) and multiple connectivity
US11876881B2 (en) Mechanism to enable third party services and applications discovery in distributed edge computing environment
US20240007388A1 (en) Smart local mesh networks
WO2020165910A1 (fr) Technique destinée à fournir une mise en cache sensible à la priorité dans le trajet rapide d'un commutateur virtuel
EP4381724A1 (fr) Sécuriser un tcp à trajets multiples (mptcp) avec un protocole wireguard

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19842417

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19842417

Country of ref document: EP

Kind code of ref document: A1