| CPC H04L 47/2441 (2013.01) [H04L 45/38 (2013.01); H04L 47/32 (2013.01)] | 17 Claims |

14. A method implemented by one or more computing devices that implement a stateful network routing service, the method comprising:
intercepting a packet over a network, the packet corresponding to a flow of network traffic between a first computing device and a second computing device, wherein the packet includes first flow information identifying the flow of network traffic;
obtaining a first flow identifier corresponding to the first flow information;
adding the first flow identifier to the packet to generate a first enriched packet;
transmitting the first enriched packet to a network appliance;
receiving a second enriched packet from the network appliance, wherein the second enriched packet includes a second flow identifier and second flow information;
determining a validity of the second enriched packet by:
determining whether the first flow identifier of the first enriched packet matches the second flow identifier of the second enriched packet, and
determining whether the first flow information of the packet and the second flow information of the second enriched packet correspond to the flow of network traffic;
determining, in response to determining whether the first flow identifier of the first enriched packet matches the second flow identifier of the second enriched packet and determining whether the first flow information of the packet and the second flow information of the second enriched packet correspond to the flow of network traffic, whether to route the second enriched packet to the second computing device in accordance with the flow of network traffic or drop the second enriched packet, wherein determining whether to route the second enriched packet to the second computing device comprises:
detecting that validation of the second enriched packet failed in response to i) determining that the first flow identifier of the first enriched packet does not match the second flow identifier of the second enriched packet or ii) determining that the second flow information of the second enriched packet does not correspond to the flow of network traffic, and
determining that the second enriched packet corresponds to a session termination; and
transmitting the second enriched packet to the second computing device in accordance with the flow of network traffic in response to determining that the second enriched packet corresponds to the session termination.
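The claim describes one round trip: the routing service tags a packet with a flow identifier before handing it to the appliance, and on the way back it refuses to forward anything whose identifier or 5-tuple no longer corresponds to the flow it recorded, with one carve-out for session-termination packets. The simulation below is an added example written for this page, not the patent holder's implementation, and it fills in details the claim leaves open as labelled assumptions: the identifier is a random 64-bit value kept in a per-flow table (the claim only says the identifier "corresponds to" the flow information), the enrichment is modelled as an extra field standing in for an encapsulation header, a packet in the reverse direction of the recorded 5-tuple still "corresponds to the flow", and a packet with TCP RST or FIN set is what counts as a session termination. The point worth noticing is in `route_returned`: even in the termination carve-out, the destination comes from the flow the service recorded, never from the header the appliance sent back, so a rewritten 5-tuple cannot steer a packet into a different flow.

```python
"""Simulation of the enrich-and-validate round trip of the stateful routing
service in claim 14. Added example, not the patent's implementation."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional
import secrets


@dataclass(frozen=True)
class FlowInfo:
    """The packet's 5-tuple (the claim's 'flow information')."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int

    def reverse(self) -> "FlowInfo":
        return FlowInfo(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


@dataclass(frozen=True)
class Packet:
    flow: FlowInfo
    flags: frozenset = frozenset()        # TCP flags, e.g. {"SYN"}, {"RST"}
    flow_id: Optional[bytes] = None       # the enrichment; assumption: carried in an encapsulation header


class Verdict(Enum):
    FORWARD = "forward"
    DROP = "drop"


# Assumption: these flags are what 'corresponds to a session termination' means here.
TERMINATION_FLAGS = frozenset({"RST", "FIN"})


class StatefulRoutingService:
    def __init__(self) -> None:
        self._ids = {}  # normalised flow -> identifier issued for that flow

    @staticmethod
    def _flow_key(flow: FlowInfo) -> FlowInfo:
        # Both directions of a connection map to one table entry (assumption).
        return min(flow, flow.reverse(),
                   key=lambda f: (f.src_ip, f.src_port, f.dst_ip, f.dst_port))

    def obtain_flow_id(self, flow: FlowInfo) -> bytes:
        """Claim step: obtain a flow identifier corresponding to the flow information."""
        key = self._flow_key(flow)
        if key not in self._ids:
            # Assumption: a random 64-bit value, so an appliance cannot guess
            # the identifier of a flow it was not handed.
            self._ids[key] = secrets.token_bytes(8)
        return self._ids[key]

    def enrich(self, pkt: Packet) -> Packet:
        """Claim steps: intercept, obtain the identifier, add it to the packet."""
        return replace(pkt, flow_id=self.obtain_flow_id(pkt.flow))

    def validate(self, sent: Packet, returned: Packet) -> bool:
        """Claim step: identifier must match AND the returned 5-tuple must be the same flow."""
        id_match = (sent.flow_id is not None and returned.flow_id is not None
                    and secrets.compare_digest(sent.flow_id, returned.flow_id))
        flow_match = returned.flow in (sent.flow, sent.flow.reverse())
        return bool(id_match and flow_match)

    def route_returned(self, sent: Packet, returned: Packet):
        """Decide whether the packet coming back from the appliance is forwarded or dropped.

        Returns (Verdict, destination IP or None). The destination is always taken
        from the flow the service recorded, not from the returned header.
        """
        destination = sent.flow.dst_ip  # the 'second computing device' of the flow
        if self.validate(sent, returned):
            return Verdict.FORWARD, destination
        if returned.flags & TERMINATION_FLAGS:
            # The claim's carve-out: a failed validation still forwards a session
            # termination, but only 'in accordance with the flow of network traffic'.
            return Verdict.FORWARD, destination
        return Verdict.DROP, None


if __name__ == "__main__":
    svc = StatefulRoutingService()
    flow = FlowInfo("10.0.0.5", "10.0.1.9", 40000, 443, 6)   # constructed sample flow
    enriched = svc.enrich(Packet(flow, frozenset({"SYN"})))
    print(svc.route_returned(enriched, enriched))
    print(svc.route_returned(enriched, replace(enriched, flow_id=bytes(8))))
```

Run it as-is to see an untouched packet forwarded and a packet with a zeroed identifier dropped; the checks that matter for a review of such a design are the negative ones, where the appliance returns a correct identifier on a different 5-tuple, or a different identifier on the correct 5-tuple, and both are dropped.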