US 9,813,343 B2
Virtual private network (VPN)-as-a-service with load-balanced tunnel endpoints
Brandon O. Williams, Revere, MA (US); Martin K. Lohner, Cambridge, MA (US); and Gowtham Boddapati, Belmont, MA (US)
Assigned to Akamai Technologies, Inc., Cambridge, MA (US)
Filed by Akamai Technologies, Inc., Cambridge, MA (US)
Filed on Dec. 3, 2014, as Appl. No. 14/559,745.
Claims priority of provisional application 61/911,117, filed on Dec. 3, 2013.
Prior Publication US 2015/0188823 A1, Jul. 2, 2015
Int. Cl. H04L 12/803 (2013.01); H04L 29/06 (2006.01); H04L 12/46 (2006.01); H04L 29/08 (2006.01)
CPC H04L 47/125 (2013.01) [H04L 12/4633 (2013.01); H04L 63/0272 (2013.01); H04L 67/1023 (2013.01); H04L 63/164 (2013.01)]
11 Claims
OG exemplary drawing
1. An apparatus operative within a virtual private network (VPN) cluster that comprises a set of machines that act as a single logical Internet Protocol Security (IPSec) endpoint sharing a security association, comprising:
one or more hardware processors;
computer memory holding computer program instructions executable by the one or more hardware processors and operative to:
establish and maintain a partitioned namespace, each partition in the partitioned namespace is established from an upper seven (7) bits of a thirty-two (32) bit Security Parameter Index (SPI) and includes a sequence number uniquely associated with a given one of the set of machines in the VPN cluster;
receive a set of data flows over a single logical tunnel connected between an external computing entity and the apparatus, the set of data flows including at least one data flow having associated therewith a flow identifier hash value;
upon being selected as a leader by a leader election routine executing across the set of machines, implement a load balancing routine with respect to the set of data flows, the flow identifier hash value determining a particular one of the set of machines in the VPN cluster to receive and process the at least one data flow; and
associate the sequence number with a response generated by the particular machine, the sequence number being from a set of sequence numbers that are unique for each of certain SPI values for the particular machine.
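To make the mechanism in claim 1 concrete, the following Python model is an added example, not code from the patent or from Akamai. It assumes one partition per machine, a SHA-256 hash of the flow 5-tuple as the flow identifier hash, and a 32-bit per-(machine, SPI) sequence counter; the claim specifies none of these details, only that the partition comes from the upper 7 bits of the 32-bit SPI and that each machine's sequence numbers are unique within it.

```python
import hashlib

SPI_BITS = 32
PARTITION_BITS = 7                       # upper 7 bits of the SPI name the partition
LOW_BITS = SPI_BITS - PARTITION_BITS     # remaining 25 bits are free per partition
SEQ_BITS = 32                            # assumed width of the ESP sequence number

def partition_of(spi: int) -> int:
    """Partition index taken from the upper 7 bits of a 32-bit SPI."""
    if not 0 <= spi < (1 << SPI_BITS):
        raise ValueError("SPI must fit in 32 bits")
    return spi >> LOW_BITS

def make_spi(partition: int, low: int) -> int:
    """Compose an SPI whose upper 7 bits select `partition`."""
    if not (0 <= partition < (1 << PARTITION_BITS) and 0 <= low < (1 << LOW_BITS)):
        raise ValueError("partition or low part out of range")
    return (partition << LOW_BITS) | low

def flow_hash(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> int:
    """Flow identifier hash over the 5-tuple (hash function is an assumption)."""
    key = f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")

class VpnCluster:
    """Machines acting as one logical IPsec endpoint; one SPI partition per machine."""
    def __init__(self, machine_ids):
        self.machines = list(machine_ids)
        if len(self.machines) > (1 << PARTITION_BITS):
            raise ValueError("only 128 partitions exist for 7 partition bits")
        self.partition_of_machine = {m: i for i, m in enumerate(self.machines)}
        self.seq = {}                    # (machine, spi) -> last sequence number issued

    def select_machine(self, fhash: int):
        """Load-balancing step: the flow hash picks the machine that handles the flow."""
        return self.machines[fhash % len(self.machines)]

    def next_sequence(self, machine, spi: int) -> int:
        """Monotonic per-(machine, SPI) counter; refuses SPIs outside the machine's partition."""
        if partition_of(spi) != self.partition_of_machine[machine]:
            raise ValueError("SPI does not belong to this machine's partition")
        n = self.seq.get((machine, spi), 0) + 1
        if n >= (1 << SEQ_BITS):
            raise OverflowError("sequence space exhausted; rekey required")
        self.seq[(machine, spi)] = n
        return n

    def respond(self, machine, low: int) -> tuple:
        """Return (spi, seq) for a response sent by `machine` from its own partition."""
        spi = make_spi(self.partition_of_machine[machine], low)
        return spi, self.next_sequence(machine, spi)
```

Because each machine only ever emits sequence numbers under SPIs in its own partition, two machines answering flows from the same logical tunnel cannot produce colliding (SPI, sequence) pairs, which is what keeps standard ESP anti-replay checking on the peer side usable.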