H04L61/2525

Host computer configured to facilitate distributed SNAT service

Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network, at a host computer in the first network on which the dSNAT middlebox service operation is performed and at a gateway device between the first network and a second network. The novel methods enable a dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck associated with providing stateful SNAT at gateways, and also significantly reduce the need to redirect packets received at the wrong host: they use the capacity of off-the-shelf gateway devices to perform IPv6 encapsulation of IPv4 packets, and assign to each host executing a dSNAT middlebox service instance a locally unique IPv6 address that the gateway device uses as the encapsulation destination.
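The following is an added illustration, not code from the patent: a dSNAT host instance that keeps its own stateful SNAT table, and a gateway that returns reply traffic by wrapping the IPv4 reply in an IPv6 packet (Next Header 4) addressed to the owning host's locally unique (fd00::/8) address. The abstract does not say how the gateway picks the host; this example assumes each host owns a disjoint block of SNAT ports and the gateway chooses statelessly from the reply's destination port. The KeyError path shows what "packet received at the wrong host" looks like when that choice fails. All addresses and the packet contents are constructed.

```python
# Added example (not from the patent). Assumption: hosts own disjoint SNAT port blocks and the
# gateway picks the host's IPv6 address from the reply's destination port.
import ipaddress
import struct

IPPROTO_IPIP = 4    # IPv6 Next Header value for an encapsulated IPv4 packet (RFC 2473 style)
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 for a header that already carries a valid one."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src_ip, src_port, dst_ip, dst_port, payload: bytes) -> bytes:
    """Minimal IPv4+UDP packet. UDP checksum left at 0 ("not computed"), which IPv4 permits."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_ipv4_udp(pkt: bytes):
    """Returns (src_ip, src_port, dst_ip, dst_port, payload) after verifying the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, sport, dst, dport, pkt[ihl + 8:]


class DsnatHost:
    """One dSNAT middlebox instance: stateful SNAT for its local workloads from its own port block."""

    def __init__(self, snat_ip: str, port_block: range, host_v6: str):
        self.snat_ip = snat_ip
        self.host_v6 = ipaddress.IPv6Address(host_v6)   # locally unique address used by the gateway
        self._free_ports = iter(port_block)
        self.table = {}   # snat_port -> (original_src_ip, original_src_port)

    def outbound(self, pkt: bytes) -> bytes:
        src, sport, dst, dport, payload = parse_ipv4_udp(pkt)
        snat_port = next(self._free_ports)
        self.table[snat_port] = (src, sport)
        return build_ipv4_udp(self.snat_ip, snat_port, dst, dport, payload)

    def inbound_v6(self, v6pkt: bytes) -> bytes:
        """Decapsulate the gateway's IPv6 packet and reverse-translate the inner IPv4 reply."""
        if v6pkt[0] >> 4 != 6 or v6pkt[6] != IPPROTO_IPIP:
            raise ValueError("not an IPv4-in-IPv6 packet")
        if ipaddress.IPv6Address(v6pkt[24:40]) != self.host_v6:
            raise ValueError("encapsulated packet addressed to another host")
        inner_len = struct.unpack("!H", v6pkt[4:6])[0]
        src, sport, dst, dport, payload = parse_ipv4_udp(v6pkt[40:40 + inner_len])
        if dport not in self.table:
            raise KeyError(f"port {dport} has no state here: wrong host, must redirect")
        orig_ip, orig_port = self.table[dport]
        return build_ipv4_udp(src, sport, orig_ip, orig_port, payload)


class Gateway:
    """Stateless gateway: picks the host from the SNAT port block and encapsulates in IPv6."""

    def __init__(self, gw_v6: str):
        self.gw_v6 = ipaddress.IPv6Address(gw_v6)
        self.blocks = []   # [(port_block, host_v6)]

    def register(self, host: DsnatHost, port_block: range):
        self.blocks.append((port_block, host.host_v6))

    def inbound(self, v4pkt: bytes) -> bytes:
        _, _, _, dport, _ = parse_ipv4_udp(v4pkt)
        host_v6 = next(v6 for blk, v6 in self.blocks if dport in blk)
        hdr = struct.pack("!IHBB16s16s", 0x60000000, len(v4pkt), IPPROTO_IPIP, 64,
                          self.gw_v6.packed, host_v6.packed)   # 40-byte IPv6 header, no ext headers
        return hdr + v4pkt


def round_trip():
    """Constructed: a VM on host A queries an external server; the reply comes back via the gateway."""
    host_a = DsnatHost("203.0.113.10", range(10000, 20000), "fd00::a")
    host_b = DsnatHost("203.0.113.10", range(20000, 30000), "fd00::b")
    gw = Gateway("fd00::1")
    gw.register(host_a, range(10000, 20000))
    gw.register(host_b, range(20000, 30000))
    out = host_a.outbound(build_ipv4_udp("10.0.0.5", 40000, "198.51.100.7", 53, b"query"))
    src, sport, dst, dport, _ = parse_ipv4_udp(out)            # 203.0.113.10:10000 -> 198.51.100.7:53
    reply = build_ipv4_udp(dst, dport, src, sport, b"answer")  # the outside answers the SNAT address
    return parse_ipv4_udp(host_a.inbound_v6(gw.inbound(reply))), (src, sport)


def wrong_host_is_rejected() -> bool:
    """A reply for a port this host never allocated: the stateless gateway choice was wrong."""
    host = DsnatHost("203.0.113.10", range(20000, 30000), "fd00::b")
    gw = Gateway("fd00::1")
    gw.register(host, range(20000, 30000))
    stray = gw.inbound(build_ipv4_udp("198.51.100.7", 53, "203.0.113.10", 20005, b"stray"))
    try:
        host.inbound_v6(stray)
    except KeyError:
        return True
    return False
```

The reverse path only needs the destination port to find state, which is why a port-block partition lets the gateway stay stateless; a production gateway would also have to cope with port blocks moving between hosts, which is where the redirect path in the abstract comes in.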

DYNAMICALLY UPDATING NETWORK ROUTES

An example endpoint device includes one or more processors configured to: allocate a range of IP addresses to use for fully qualified domain name (FQDN)-based tunnel splitting; send a DNS query to a DNS server; receive a DNS response from the DNS server; modify a first IP address in the DNS response to one of the allocated IP addresses; associate the first IP address and the one of the allocated IP addresses in a data table; replace, in a first TCP packet received from a user application, a destination address that is the one of the allocated IP addresses with the first IP address; and, in response to receiving from a gateway a second TCP packet whose source address is the first IP address, replace the source address in the second TCP packet with the one of the allocated IP addresses.

Data transceiving device and method in repeater apparatus
11689494 · 2023-06-27

A data transceiver device in a repeater according to an exemplary embodiment includes: a radio unit assigned a unique port number that uniquely identifies the radio unit, and a layer splitter connected to the radio unit; a transfer unit configured to transfer an inbound packet to the layer splitter identified by the unique port number when an inbound packet carrying the unique port number as its internal port number is received; and the layer splitter configured to transfer the inbound packet to the radio unit corresponding to the unique port number when the inbound packet is received through the transfer unit.

METHOD AND APPARATUS FOR IMPLEMENTING NETWORK SHARING
20170311224 · 2017-10-26

A wireless network adapter is connected to a computing device. A driver module of the wireless network adapter converts a wireless-protocol data packet received through the wireless network adapter into an Ethernet-protocol data packet. A network address translation (NAT) module determines a Socket associated with a source address and a destination address of the Ethernet-protocol data packet, and sends valid data of the Ethernet-protocol data packet through the Socket. Additionally or alternatively, the NAT module encapsulates data into the Ethernet-protocol data packet after receiving the data through the Socket, and the driver module converts the Ethernet-protocol data packet into the wireless-protocol data packet, and sends the wireless-protocol data packet through the wireless network adapter. The present disclosure can implement functions of a device hotspot and is not limited by an operating system framework.

RANDOMIZING SERVER-SIDE ADDRESSES

Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a random IP address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a random IP address that cannot be used to identify the endpoint device or service. The client device may then communicate data packets to the server using the random IP address as the destination address, and a gateway that works in conjunction with DNS can convert the random IP address to the actual IP address of the server using NAT and forward the data packet onto the server.
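Both the tunnel-splitting endpoint above (DYNAMICALLY UPDATING NETWORK ROUTES) and this server-side randomization scheme rest on the same mechanism: DNS hands the client a synthetic address, a table maps it to the real one, and packets are rewritten in both directions. The following is an added example, not code from either patent, of that table. It is keyed by (client, synthetic address), so one server can be given a different random address to each client, which is the anonymization property; with a single client and sequential allocation it is the endpoint's own table, and the pool membership test is the split-tunnel decision. Class and method names, the pool ranges and the addresses are this example's own.

```python
# Added example (not from either patent): DNS-assisted address mapping with bidirectional rewrite.
import ipaddress
import random


class DnsAssistedNat:
    def __init__(self, pool: str, randomize: bool, seed=None):
        self.pool = ipaddress.ip_network(pool)
        self.randomize = randomize
        self._rng = random.Random(seed)                # seeded only so the example is reproducible
        self._unused = list(self.pool.hosts())[::-1]   # pop() hands out the lowest address first
        self.fwd = {}   # (client, synthetic) -> real server address
        self.rev = {}   # (client, real)      -> synthetic address

    def _allocate(self) -> str:
        if not self._unused:
            raise RuntimeError("synthetic address pool exhausted")
        if self.randomize:   # swap a random unused entry to the end, then pop it
            i = self._rng.randrange(len(self._unused))
            self._unused[i], self._unused[-1] = self._unused[-1], self._unused[i]
        return str(self._unused.pop())

    def rewrite_dns_answer(self, client: str, real_ip: str) -> str:
        """Called on the DNS response: returns the address to hand the client instead of real_ip."""
        key = (client, real_ip)
        if key not in self.rev:
            synthetic = self._allocate()
            self.rev[key] = synthetic
            self.fwd[(client, synthetic)] = real_ip
        return self.rev[key]   # a repeated query for the same name reuses the mapping

    def selects_tunnel(self, dst: str) -> bool:
        """Endpoint split-tunnel decision: only destinations inside the pool enter the tunnel."""
        return ipaddress.ip_address(dst) in self.pool

    def outbound(self, src: str, dst: str):
        """Client -> server packet: replace the synthetic destination with the real one."""
        try:
            return src, self.fwd[(src, dst)]
        except KeyError:
            raise LookupError(f"{dst} was never handed to {src} by DNS; drop") from None

    def inbound(self, src: str, dst: str):
        """Server -> client packet: replace the real source with the synthetic one the client knows."""
        try:
            return self.rev[(dst, src)], dst
        except KeyError:
            raise LookupError(f"no binding between {dst} and {src}; drop") from None


def scenario():
    """Constructed: two clients resolve the same server through a randomizing gateway."""
    gw = DnsAssistedNat("100.64.0.0/24", randomize=True, seed=7)
    server = "198.51.100.5"
    a = gw.rewrite_dns_answer("192.0.2.10", server)
    b = gw.rewrite_dns_answer("192.0.2.11", server)   # same server, different synthetic address
    out_a = gw.outbound("192.0.2.10", a)              # ('192.0.2.10', '198.51.100.5')
    back_a = gw.inbound(server, "192.0.2.10")         # (a, '192.0.2.10')
    return a, b, out_a, back_a, gw.rewrite_dns_answer("192.0.2.10", server)
```

Two points a practitioner should take from this: the gateway must drop packets to pool addresses it never handed out (otherwise the pool becomes a way to probe the table), and the mapping has to be bound to the client, since a synthetic address learned by one client tells it nothing about what another client was given.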

Persistent network addressing system and method
09794218 · 2017-10-17

An improved computer system for maintaining a network connection whereby a local computer stores a persistent address application, which adapts at least one processor to: receive a first request, from a requesting application, to send a first outbound data to a remote computer; and present a local persistent address as the local routable address; and/or a remote persistent address as the remote routable address; wherein the persistent address application utilizes network implementation details. A method for providing persistent network addressing by receiving, at a local computer a first request, from a requesting application, to send a first outbound data to a remote computer; sending the first outbound data to the remote computer; and presenting a local persistent address as the local routable address and/or a remote persistent address as the remote routable address; wherein the persistent address application utilizes network implementation details.

Method and system for monitoring network communications

A system and method for monitoring network communications are provided. The method comprises capturing one or more packets of data in the networking stack of a computing device. A unique identifier that uniquely identifies the computing device is then associated with it. The unique identifier and a sample of the contents of each of the one or more captured packets are then stored. The method may further comprise generating hybrid flow data by processing the stored unique identifier and the sample of the contents of each captured packet. The hybrid flow data comprise the unique identifier, the sample of the contents of each captured packet, derived network flow data, and derived statistical packet data.
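As an added example, not code from the patent, the record shape such a monitor might emit: the device identifier, a bounded sample of each captured packet's bytes, flow data derived from the 5-tuple, and per-packet statistics. The field names, the sample length and the derivation of the device identifier are this example's choices; the capture is constructed inline.

```python
# Added example (not from the patent): assembling hybrid flow data from captured packets.
import hashlib
import statistics
from collections import defaultdict

SAMPLE_BYTES = 16   # how much of each packet's content is retained


def device_identifier(machine_id: str, primary_mac: str) -> str:
    """Stable per-device identifier derived from host attributes (hashed so raw values are not stored)."""
    return hashlib.sha256(f"{machine_id}|{primary_mac}".encode()).hexdigest()[:16]


def flow_key(pkt: dict) -> tuple:
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


def hybrid_flow_data(device_id: str, packets: list) -> list:
    """Groups captured packets by 5-tuple and attaches identifier, samples and derived statistics."""
    flows = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        flows[flow_key(pkt)].append(pkt)
    records = []
    for key, pkts in flows.items():
        sizes = [len(p["bytes"]) for p in pkts]
        gaps = [b["ts"] - a["ts"] for a, b in zip(pkts, pkts[1:])]
        records.append({
            "device_id": device_id,
            "samples": [p["bytes"][:SAMPLE_BYTES].hex() for p in pkts],
            "flow": {"src": key[0], "sport": key[1], "dst": key[2], "dport": key[3], "proto": key[4],
                     "packets": len(pkts), "bytes": sum(sizes),
                     "first_ts": pkts[0]["ts"], "duration": pkts[-1]["ts"] - pkts[0]["ts"]},
            "packet_stats": {"mean_size": statistics.fmean(sizes), "max_size": max(sizes),
                             "mean_gap": statistics.fmean(gaps) if gaps else 0.0},
        })
    return records


# Constructed capture: three packets of a TLS-looking flow and one DNS query, from one device.
CAPTURE = [
    {"ts": 100.00, "src": "10.0.0.5", "sport": 51000, "dst": "198.51.100.20", "dport": 443, "proto": "tcp",
     "bytes": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 30},
    {"ts": 100.05, "src": "10.0.0.5", "sport": 51000, "dst": "198.51.100.20", "dport": 443, "proto": "tcp",
     "bytes": b"\x17\x03\x03\x00\x40" + b"\x11" * 64},
    {"ts": 100.25, "src": "10.0.0.5", "sport": 51000, "dst": "198.51.100.20", "dport": 443, "proto": "tcp",
     "bytes": b"\x17\x03\x03\x00\x20" + b"\x22" * 32},
    {"ts": 99.90, "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.1", "dport": 53, "proto": "udp",
     "bytes": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"},
]


def scenario():
    return hybrid_flow_data(device_identifier("machine-0001", "02:00:00:aa:bb:cc"), CAPTURE)
```

Keeping only a fixed-length prefix of each packet is what makes the sample storable at scale, but it also means the record can carry the start of a plaintext payload; treat the sample field as sensitive data in whatever store receives it.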

VIRTUAL TUNNEL ENDPOINT (VTEP) LEARNING BASED ON TRANSPORT PROTOCOL INFORMATION

Example methods and systems for virtual tunnel endpoint (VTEP) learning based on transport protocol information are described. In one example, a computer system may learn first mapping information and second mapping information. The first mapping information may associate (a) a first VTEP with (b) first transport protocol information and inner address information associated with a first virtualized computing instance. The second mapping information may associate (a) a second VTEP with (b) second transport protocol information and inner address information associated with a second virtualized computing instance. The computer system may detect an egress packet that is addressed to the inner address information. In response to a determination that the egress packet specifies the first transport protocol information, a first encapsulated packet may be generated and sent towards the first VTEP. Otherwise, a second encapsulated packet may be generated and sent towards the second VTEP.
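The following is an added example, not the patent's code, of a learning table keyed by inner address plus transport protocol information. It shows the case the abstract is built around: two workloads behind different VTEPs share one inner IP, and the L4 port decides which VTEP the encapsulated packet goes to. The fallback when no transport-specific entry matches (use the earliest-learned VTEP for that IP) is this example's own rule, as are the class names, the VTEP and inner addresses, and the VNI.

```python
# Added example (not from the patent): VTEP learning on (inner IP, proto, port) with a VXLAN header.
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_PORT = 4789


@dataclass(frozen=True)
class Packet:
    inner_src: str
    inner_dst: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    outer_src_vtep: Optional[str] = None   # set on ingress (decapsulated) packets only


class VtepTable:
    def __init__(self):
        self.by_transport = {}   # (inner_ip, proto, port) -> vtep
        self.by_ip = {}          # inner_ip -> first VTEP learned for it (fallback)

    def learn(self, pkt: Packet) -> None:
        """Ingress learning: whoever sent from (inner_src, proto, src_port) sits behind outer_src_vtep."""
        if pkt.outer_src_vtep is None:
            raise ValueError("learning needs the outer source VTEP of an ingress packet")
        self.by_transport[(pkt.inner_src, pkt.proto, pkt.src_port)] = pkt.outer_src_vtep
        self.by_ip.setdefault(pkt.inner_src, pkt.outer_src_vtep)

    def lookup(self, pkt: Packet) -> str:
        """Egress: prefer the transport-specific mapping, otherwise fall back to the per-IP one."""
        key = (pkt.inner_dst, pkt.proto, pkt.dst_port)
        if key in self.by_transport:
            return self.by_transport[key]
        if pkt.inner_dst in self.by_ip:
            return self.by_ip[pkt.inner_dst]
        raise LookupError(f"no VTEP known for {pkt.inner_dst}")


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: I flag set, 24-bit VNI in bytes 4-6, remaining bits reserved (zero)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)


def encapsulate(table: VtepTable, pkt: Packet, vni: int, local_vtep: str) -> dict:
    """Outer addressing plus VXLAN header the encapsulated packet would carry."""
    return {
        "outer_src": local_vtep,
        "outer_dst": table.lookup(pkt),
        "outer_udp_dport": VXLAN_PORT,
        "vxlan": vxlan_header(vni),
        "inner": pkt,
    }


def scenario():
    """Constructed: two instances both using inner 172.16.0.10, behind VTEPs 10.10.1.1 and 10.10.2.2."""
    t = VtepTable()
    t.learn(Packet("172.16.0.10", "172.16.0.99", "tcp", 443, 51000, outer_src_vtep="10.10.1.1"))
    t.learn(Packet("172.16.0.10", "172.16.0.99", "tcp", 22, 51001, outer_src_vtep="10.10.2.2"))
    to_https = encapsulate(t, Packet("172.16.0.99", "172.16.0.10", "tcp", 51000, 443), 5000, "10.10.9.9")
    to_ssh = encapsulate(t, Packet("172.16.0.99", "172.16.0.10", "tcp", 51001, 22), 5000, "10.10.9.9")
    other = encapsulate(t, Packet("172.16.0.99", "172.16.0.10", "udp", 40000, 8080), 5000, "10.10.9.9")
    return to_https["outer_dst"], to_ssh["outer_dst"], other["outer_dst"], to_https["vxlan"]
```

Learning from ingress traffic means a spoofed inner source in an encapsulated packet rewrites the table; in a deployment the learning step should only accept entries from VTEPs the control plane already trusts, or be fed by the control plane instead.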

DUPLEX LOAD BALANCING FOR MASSIVE IOT APPLICATIONS
20210392079 · 2021-12-16

A middlebox system that maintains a load balancing configuration in a large-scale IoT deployment is provided. The system performs reverse address translation for a first packet of a particular application from a first server to a first client according to a binding structure that couples a source address indicating the first client with (i) a destination address indicating the first server and (ii) an application client marker of the first client for the particular application. The system performs reverse address translation for a second packet of the particular application from a second server to the first client by using the application client marker in the binding structure to determine the source address indicating the first client.
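An added example, not the patent's code, of the binding structure described above: a client's source address is coupled with the backend it was sent to and an application-level client marker, so that a packet from a different backend for the same application can still be reverse-translated to the right client by marker alone. The decision that a reply from a second server re-points the binding at that server is this example's assumption, as are the names, the VIP and the MQTT-style marker.

```python
# Added example (not from the patent): reverse translation by client marker across two backends.
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Binding:
    client: tuple        # (client_ip, client_port): the source address to restore on replies
    server: str          # backend currently serving this client
    marker: str          # application client marker, e.g. a device identifier in the payload


class DuplexLoadBalancer:
    def __init__(self, vip: tuple, servers: list):
        self.vip = vip                      # (ip, port) the clients send to
        self._next_server = cycle(servers)  # round-robin for new clients (example's choice)
        self.by_client = {}                 # (app, client) -> Binding
        self.by_marker = {}                 # (app, marker) -> Binding

    def forward(self, app: str, src: tuple, dst: tuple, marker: str):
        """Client -> VIP: translate the destination to the bound backend, binding on first sight."""
        if dst != self.vip:
            raise ValueError("packet not addressed to the VIP")
        b = self.by_client.get((app, src))
        if b is None:
            b = Binding(client=src, server=next(self._next_server), marker=marker)
            self.by_client[(app, src)] = b
            self.by_marker[(app, marker)] = b
        return src, (b.server, self.vip[1])

    def reverse(self, app: str, server: str, marker: str):
        """Server -> client: recover the client's source address from the marker; source becomes the VIP.
        Assumption: a reply from a server other than the bound one re-points the binding at it."""
        b = self.by_marker.get((app, marker))
        if b is None:
            raise LookupError(f"no binding for marker {marker!r} in app {app!r}")
        if b.server != server:
            b.server = server
        return self.vip, b.client


def scenario():
    """Constructed: device dev-42 registers via the VIP; a different backend later pushes to it."""
    lb = DuplexLoadBalancer(("203.0.113.100", 8883), ["10.1.0.11", "10.1.0.12"])
    client = ("192.0.2.77", 50000)
    first = lb.forward("mqtt", client, ("203.0.113.100", 8883), marker="dev-42")
    reply1 = lb.reverse("mqtt", "10.1.0.11", "dev-42")
    reply2 = lb.reverse("mqtt", "10.1.0.12", "dev-42")   # second server, same marker
    after = lb.forward("mqtt", client, ("203.0.113.100", 8883), marker="dev-42")
    return first, reply1, reply2, after
```

Because the marker comes from the application payload, the middlebox must only accept it from authenticated backends: an attacker who can inject a packet with another device's marker from inside the server pool would have it translated to that device's address.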

Architecture for managing I/O and storage for a virtualization environment using executable containers and virtual machines
11368519 · 2022-06-21

Systems for high-performance computing. A storage control architecture is implemented by a plurality of nodes, where a node comprises combinations of executable containers that execute in cooperation with virtual machines running above a hypervisor. The containers run in a virtual machine above a hypervisor, and/or can be integrated directly into the operating system of a host node. Sensitive information such as credit card information may be isolated from the containers in a separate virtual machine that is configured to be threat resistant, and which can be accessed through a threat resistant interface module. One of the virtual machines of the node may be a node-specific control virtual machine that is configured to operate as a dedicated storage controller for a node. One of the virtual machines of the node may be a node-specific container service machine that is configured to provide storage-related and other support to a hosted executable container.