
US-12627746-B2 - QUIC and anycast proxy resiliency


Abstract

Techniques for managing migrations of QUIC connection session(s) across proxy nodes, data centers, and/or private application nodes are described herein. A global key-value datastore, accessible by proxy nodes and/or application nodes, may store mappings between a first QUIC connection, associated with a proxy node and a client device, on the frontend of the proxy node and a second QUIC connection, associated with the proxy node and an application node, on the backend of the proxy node. With the global key-value datastore being accessible by the proxy nodes, when a proxy node receives a QUIC packet on the front end or the back end, the proxy node may determine where to map this connection to on the opposite end. Additionally, with the global key-value datastore being accessible to the application nodes, when an application node receives a QUIC packet, the application node may determine the client device associated with the connection.

Inventors

  • Kyle Andrew Donald Mestery
  • Vincent E. Parla

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
20260512
Application Date
20240909

Claims (20)

  1. A method comprising: establishing, by a mesh network proxy service, a first mesh network protocol connection with a client device; establishing, by the mesh network proxy service, a second mesh network protocol connection with a first application node, wherein data is streamed between the client device and the first application node via the first mesh network protocol connection and the second mesh network protocol connection; storing, by the mesh network proxy service and in a data store, a mapping between first connection information associated with the client device and second connection information associated with an application executing on the first application node; detecting an event indicating that the client device is to communicate with a second application node executing the application; and establishing, by the mesh network proxy service and based at least in part on the mapping between the first connection information and the second connection information, a third mesh network protocol connection with the second application node, wherein the data is streamed between the client device and the second application node via the first mesh network protocol connection and the third mesh network protocol connection.
  2. The method of claim 1, further comprising: identifying, by the second application node and based at least in part on the second connection information, the mapping between the first connection information and the second connection information in the data store; wherein establishing the third mesh network protocol connection with the second application node is based at least in part on the second application node identifying the mapping.
  3. The method of claim 1, further comprising: prior to the event, advertising an anycast internet protocol (IP) address associated with the first application node by a first networking device; subsequent to the event, preventing the first networking device associated with the first application node from advertising the anycast IP address; and causing a second networking device associated with the second application node to advertise the anycast IP address.
  4. The method of claim 1, wherein: the first connection information comprises at least one of: a first internet protocol (IP) address associated with the client device; a first port associated with the client device; a first connection identifier associated with the client device; or a second connection identifier associated with the first application node; and the second connection information comprises at least one of: a second IP address associated with the first application node; a second port associated with the first application node; a third connection identifier associated with the first application node; or a fourth connection identifier associated with the client device.
  5. The method of claim 1, wherein the mesh network proxy service includes at least one of: an internet protocol security (IPsec) mesh; a service mesh; a transport layer security (TLS) mesh; a datagram TLS (DTLS) mesh; a multiprotocol label switching (MPLS) mesh; a Wi-Fi mesh; a WireGuard mesh; or a MASQUE mesh.
  6. The method of claim 1, wherein the event is a first event and the mesh network proxy service is a first instance of the mesh network proxy service executing on a first proxy node, and the method further comprising: detecting a second event indicating that the client device is to communicate with a second proxy node; establishing, based at least in part on the first connection information, a fourth mesh network protocol connection between the client device and a second instance of the mesh network proxy service executing on the second proxy node; identifying, by the second instance of the mesh network proxy service and based at least in part on the first connection information, the mapping between the first connection information and the second connection information in the data store; and establishing, by the second instance of the mesh network proxy service and based at least in part on the mapping, a fifth mesh network protocol connection with the first application node, wherein data is streamed between the client device and the first application node via the fourth mesh network protocol connection and the fifth mesh network protocol connection.
  7. The method of claim 6, wherein: the first event is based at least in part on at least one of: determining that the first application node is unreachable; or detecting an interruption associated with the second mesh network protocol connection; and the second event is based at least in part on at least one of: determining, based at least in part on a load balancing service executing on a networking node, that the first proxy node is executing above a threshold limit; or detecting an interruption associated with the first mesh network protocol connection.
  8. A system comprising: one or more processors; and one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: establishing, by a first instance of a mesh network proxy service executing on a first proxy node, a first mesh network protocol connection between the first proxy node and a client device; establishing, by the first instance of the mesh network proxy service, a second mesh network protocol connection between the first proxy node and a first application node, wherein data is streamed between the client device and the first application node via the first mesh network protocol connection and the second mesh network protocol connection; storing, by the first instance of the mesh network proxy service and in a data store, a mapping between first connection information associated with the client device and second connection information associated with an application executing on the first application node; detecting an event indicating that the client device is to communicate with a second proxy node executing a second instance of the mesh network proxy service; identifying, by the second instance of the mesh network proxy service executing on the second proxy node and in the data store, the mapping between the first connection information and the second connection information; establishing, by the second instance of the mesh network proxy service, and based at least in part on the first connection information, a third mesh network protocol connection between the client device and the second proxy node; and establishing, by the second instance of the mesh network proxy service and based at least in part on the second connection information, a fourth mesh network protocol connection between the first application node and the second proxy node, wherein the data is streamed between the client device and the first application node via the third mesh network protocol connection and the fourth mesh network protocol connection.
  9. The system of claim 8, wherein the mesh network proxy service includes at least one of: an internet protocol security (IPsec) mesh; a service mesh; a transport layer security (TLS) mesh; a datagram TLS (DTLS) mesh; a multiprotocol label switching (MPLS) mesh; a Wi-Fi mesh; a WireGuard mesh; or a MASQUE mesh.
  10. The system of claim 8, wherein the data store is accessible by at least one of: the second proxy node; one or more third proxy nodes; the first application node; or one or more second application nodes.
  11. The system of claim 8, wherein the event is a first event, and the operations further comprising: detecting a second event indicating that the client device is to communicate with a second application node; and establishing, by the second instance of the mesh network proxy service and based at least in part on the mapping between the first connection information and the second connection information, a fifth mesh network protocol connection with the second application node, wherein the data is streamed between the client device and the second application node via the third mesh network protocol connection and the fifth mesh network protocol connection.
  12. The system of claim 11, the operations further comprising: identifying, by the second application node and based at least in part on the second connection information, the mapping between the first connection information and the second connection information in the data store; wherein establishing the fifth mesh network protocol connection with the second application node is based at least in part on the second application node identifying the mapping.
  13. The system of claim 11, the operations further comprising: prior to the second event, advertising an anycast internet protocol (IP) address associated with the first application node by a first networking device; subsequent to the second event, preventing the first networking device associated with the first application node from advertising the anycast IP address; and causing a second networking device associated with the second application node to advertise the anycast IP address.
  14. The system of claim 11, wherein: the second event is based at least in part on at least one of: determining that the first application node is unreachable; or detecting an interruption associated with the fourth mesh network protocol connection; and the first event is based at least in part on at least one of: determining, based at least in part on a load balancing service executing on a networking node, that the first proxy node is executing above a threshold limit; or detecting an interruption associated with the first mesh network protocol connection.
  15. A method comprising: establishing, by a mesh network proxy service executing on a first proxy node, a first mesh network protocol connection with a client device; establishing, by the mesh network proxy service, a second mesh network protocol connection with a first application node, wherein data is streamed between the client device and the first application node via the first mesh network protocol connection and the second mesh network protocol connection; storing, by the mesh network proxy service and in a data store, a mapping between first connection information associated with the client device and second connection information associated with an application executing on the first application node; detecting an event indicating an interruption associated with at least one of the first mesh network protocol connection or the second mesh network protocol connection; and establishing, by the mesh network proxy service and based at least in part on the mapping between the first connection information and the second connection information, at least one of: a third mesh network protocol connection with a second application node executing the application, wherein the data is streamed between the client device and the second application node via the first mesh network protocol connection and the third mesh network protocol connection; or a fourth mesh network protocol connection between a second proxy node and the client device; and a fifth mesh network protocol connection between the second proxy node and the first application node, wherein the data is streamed between the client device and the first application node via the fourth mesh network protocol connection and the fifth mesh network protocol connection.
  16. The method of claim 15, wherein the event indicates the interruption associated with the first mesh network protocol connection, and the method further comprising: establishing, by the mesh network proxy service executing on the second proxy node, the fourth mesh network protocol connection with the client device; identifying, by the mesh network proxy service and based at least in part on the first connection information, the mapping between the first connection information and the second connection information in the data store; and establishing, by the mesh network proxy service executing on the second proxy node and based at least in part on the mapping, the fifth mesh network protocol connection with the first application node.
  17. The method of claim 15, wherein the event indicates the interruption associated with the second mesh network protocol connection, and the method further comprising: identifying, by the second application node and based at least in part on the second connection information, the mapping between the first connection information and the second connection information in the data store; and establishing the third mesh network protocol connection with the second application node based at least in part on the second application node identifying the mapping.
  18. The method of claim 17, wherein the mesh network proxy service includes at least one of: an internet protocol security (IPsec) mesh; a service mesh; a transport layer security (TLS) mesh; a datagram TLS (DTLS) mesh; a multiprotocol label switching (MPLS) mesh; a Wi-Fi mesh; a WireGuard mesh; or a MASQUE mesh.
  19. The method of claim 15, wherein: the first connection information comprises at least one of: a first internet protocol (IP) address associated with the client device; a first port associated with the client device; a first connection identifier associated with the client device; or a second connection identifier associated with the first application node; and the second connection information comprises at least one of: a second IP address associated with the first application node; a second port associated with the first application node; a third connection identifier associated with the first application node; or a fourth connection identifier associated with the client device.
  20. The method of claim 15, wherein the data store is accessible by at least one of: the second proxy node; one or more third proxy nodes; the first application node; the second application node; or one or more third application nodes.
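The two migration paths the abstract and claims 1, 6 and 8 describe (a proxy re-homing a client onto a second application node, and a second proxy node picking up a client from the shared store) as an added example, not the patent's or Cisco's code. Connections are modeled as plain records rather than real QUIC sockets, and every address, port, connection ID and node name below is constructed.

```python
# Added example (not the patent's code): toy model of the global key-value
# datastore from the abstract and claims 1, 6 and 8. All addresses, ports,
# connection IDs and node names are constructed for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnInfo:                 # claims 4/19: peer IP, port, QUIC connection ID
    ip: str
    port: int
    cid: str

class GlobalStore:
    """Readable by every proxy and application node; indexed both ways."""
    def __init__(self):
        self._front_to_back, self._back_to_front = {}, {}

    def put(self, front, back):
        stale = self._front_to_back.get(front)
        if stale is not None:       # connection moved: drop the old reverse key
            self._back_to_front.pop(stale, None)
        self._front_to_back[front] = back
        self._back_to_front[back] = front

    def by_front(self, front):      # proxies resolve by frontend info
        return self._front_to_back.get(front)
    def by_back(self, back):        # application nodes resolve by backend info
        return self._back_to_front.get(back)

class Proxy:
    """One instance of the mesh network proxy service on one proxy node."""
    def __init__(self, name, store):
        self.name, self.store, self.backends = name, store, {}

    def _connect_backend(self, front, app_ip):
        self.backends[front] = app_ip   # constructed backend connection record
        return ConnInfo(app_ip, 8443, f"{self.name}->{app_ip}")

    def accept_client(self, front, app_ip):
        """Claim 1: first (client) and second (app node) connections + mapping."""
        self.store.put(front, self._connect_backend(front, app_ip))
        return self.backends[front]

    def on_app_node_lost(self, front, new_app_ip):
        """Claim 1 event: open the third connection; client side stays untouched."""
        if self.store.by_front(front) is None:
            return None             # no mapping: client must re-handshake
        self.store.put(front, self._connect_backend(front, new_app_ip))
        return self.backends[front]

    def on_migrated_client(self, front):
        """Claim 6: known frontend info reaches a different proxy node."""
        back = self.store.by_front(front)
        if back is None:
            return None
        self.store.put(front, self._connect_backend(front, back.ip))
        return self.backends[front]

def client_for(store, back):
    """Application-node side: resolve a backend packet to its client IP."""
    return getattr(store.by_back(back), "ip", None)
```

The stale-key cleanup in `put` is the detail worth keeping: without it an application node that looks up an old backend record after a migration would still resolve it to a client that has moved on.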

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Patent Application No. 63/244,599, filed Sep. 15, 2021, U.S. Provisional Patent Application No. 63/271,437, filed Oct. 25, 2021, U.S. Provisional Patent Application No. 63/272,985, filed Oct. 28, 2021, U.S. Provisional Patent Application No. 63/273,306, filed Oct. 29, 2021, U.S. patent application Ser. No. 17/719,829, filed Apr. 13, 2022, and U.S. patent application Ser. No. 18/542,094, filed Dec. 15, 2023, the entire contents of which are incorporated herein by reference.

TECHNICAL FIELD

The present disclosure relates generally to expressing network policies and establishing connection tunnels using QUIC and Multiplexed Application Substrate over QUIC Encryption (MASQUE) protocols to provide remote users with access to private application(s), handle connection migration(s), and enforce network flow policies.

BACKGROUND

Cloud-based service provider networks, often described as ‘hyperscalers’, offer cloud-based services to fulfill users' computing-service needs without the users having to invest in and maintain the computing infrastructure required to implement the services. For example, cloud service providers may operate networks of data centers housing significant numbers of interconnected computing systems, such as public data centers, that are configured by the service provider to provide cloud-based services to users (or “customers”). These service provider networks may provide network-based computing resources on an as-needed basis. For example, a service provider network may permit users to purchase and utilize computing resources such as virtual machine (“VM”) instances, compute resources, data storage resources, database resources, networking resources, network services, and other types of computing resources.

Users may configure the computing resources provided by a service provider network to implement desired functionality, such as to provide a network-based application or another type of functionality to an enterprise of users. While hyperscaler-based datacenters are growing in popularity, traditional enterprise-managed datacenters are still widely used. The combination of these deployments is usually described as ‘hybrid’ datacenters. Generally, remote users are able to connect to these network-based applications and/or enterprise functionalities using virtual private network (VPN) or proxy-based solutions. While there may be additional methods for remote users to connect to private enterprise applications, traditionally, VPN tunneling and reverse proxy technologies are among the most common. However, both approaches come with limitations. While VPN tunneling can work with any application and protocol, it can open up a large attack surface within the network. Additionally, while proxy-based solutions allow for better edge controls, which results in a smaller attack surface, they generally don't work well with protocols that are not transmission control protocol (TCP)-based, and require additional solutions to convert from a non-TCP protocol to a TCP protocol or to encapsulate the non-TCP protocol in TCP, which may impact performance of the proxies themselves, among other things. Further, proxy nodes executing proxy solutions serve as a middle box in a connection (e.g., a TCP or UDP connection) and allow clients to connect to a public internet protocol (IP) address while the backend processing may be performed on nodes not connected to public IP addresses. Proxies typically achieve this by taking incoming connections, terminating them, and opening new connections on the backend. While these proxying techniques are traditionally performed on the TCP and user datagram protocol (UDP) protocols, these same proxying techniques may be performed on the QUIC protocol.

However, since the QUIC protocol utilizes UDP as the underlying transport, it may be difficult to handle failover or replacement of a QUIC proxy node and provide the seamless user experience provided by TCP or UDP proxies. Moreover, the QUIC protocol was designed not to interoperate with version-unaware middle boxes. Additionally, QUIC can migrate sessions in a manner in which only the endpoint and the QUIC server may be aware of such a change. However, it would be desirable for middleboxes to process QUIC streams differently from one another in a reliable and predictable manner. Additionally, the Multiplexed Application Substrate over QUIC Encryption (MASQUE) protocol provides a mechanism for proxying different types of protocols (e.g., HTTP proxying, DNS over HTTPS, QUIC proxying, UDP proxying, and IP proxying) using a single proxy solution. However, the MASQUE protocol does not provide a mechanism for proxying L2 Ethernet packets over a MASQUE tunnel, such as the tunneling protocol Ethernet over IP (EoIP). Thus, the solutions at hand tend to have a number of drawbacks, and it may be difficult to express network policies and establish secure conn