WO2021014204A1

WO2021014204A1 - Domain name system-over-hypertext transfer protocol secure with edge cloud or content delivery network localization

Info

Publication number: WO2021014204A1
Application number: PCT/IB2019/061454
Authority: WO
Inventors: Jari Arkko; Ari KERÄNEN
Original assignee: Telefonaktiebolaget Lm Ericsson (Publ)
Priority date: 2019-07-22
Filing date: 2019-12-31
Publication date: 2021-01-28

Abstract

A method and system to support localization with domain name system (DNS) over hyper-text transfer protocol secure (HTTPS) (DoH) or transport layer security (TLS) (DoT) sessions. The method includes receiving a DNS request from a client device, determining location information for the client device, forwarding the DNS request to an authoritative DNS service with the location information, receiving a DNS response including a server address for the authoritative DNS service, and responding to the client device with the server address.

Description

DOMAIN NAME SYSTEM-OVER-HYPERTEXT TRANSFER PROTOCOL SECURE WITH EDGE CLOUD OR CONTENT DELIVERY NETWORK LOCALIZATION

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Application No. 62/877,208 filed July 22, 2019, which is hereby incorporated by reference.

TECHNICAL FIELD

[0002] Embodiments of the invention relate to the field of domain name resolution in networking; and more specifically, to extending centralized domain name system (DNS)-over- hypertext transfer protocol secure (HTTPS) (DoH) or DNS-over-transport layer security (TLS) (DoT) service to pass received location information for localization purposes to an authoritative DNS server of an application.

BACKGROUND

[0003] The Domain Name System (DNS) stores information about domain names for the Internet. DNS servers receive queries from computing devices connected to the Internet to determine what the Internet Protocol (IP) address is that is associated with a particular uniform resource locator (URL) and/or domain name (e.g., a DNS query for www.example.com can return a specific IPv4 or IPv6 address). The DNS protocol, as defined by the Internet

Engineering Task Force (IETF) Request for Comments (RFC) 1035 can be used for the DNS query.

[0004] DNS queries are sent to a local“recursive” DNS server, e.g., a DNS server running at the Internet Service Provider (ISP) or in a corporate network. However, while the recursive DNS server caches information (i.e., IP address and domain/URL information) from previous queries, the DNS server will not have the information to service all received queries. In cases where the information is not locally available, the recursive DNS server re-sends a DNS query to the Internet hierarchy of domain name servers, for instance to determine first what servers can respond for a“.com” domain, then to find out what servers can respond for“example.com” and finally to determine the answer to the complete DNS query (e.g., for www.example.com).

Ultimately, a DNS query arrives at the website or application owner’s authoritative DNS server (i.e., the authoritative DNS server for the URL/domain), and the appropriate IP address is sent back to the computing device that originated the query. [0005] Since many client applications that are executed on end user computing devices access resources from highly distributed server farms or cloud computing environments, it is a common practice for an application provider’s DNS server to respond to different application clients with a different IP address to provide access to the requested resources in the most efficient manner. The efficiency of servicing application clients can be based on localization. If the application client is accessing resources from a particular location (as determined by the source IP address of the DNS query), then the requested resources can be most efficiently utilized (in terms of latency and similar metrics) from an application server that is proximate to the application client. The DNS server can provide an IP address of a copy or instance of a requested resource that is closest to the location that the DNS query was sent from. For instance, a DNS query sent from Finland should return an application server instance IP address that is nearby in Finland, not one in the United States. In this manner the application client’s requests can be served with a smaller latency. However, the DNS system has limitations in terms of privacy and security. Addressing privacy and security issues can be in tension with preserving information necessary for localization and the efficiencies gained therefrom.

SUMMARY

[0006] In one embodiment, a method and system support localization with domain name system (DNS) over hyper-text transfer protocol secure (HTTPS) (DoH) or DNS over transport layer security (TLS) (DoT) sessions. The method includes receiving a DNS request from a client device, determining location information for the client device, forwarding the DNS request to an authoritative DNS service with the location information, receiving a DNS response including a server address for the authoritative DNS service, and responding to the client device with the server address. A non-transitory machine readable medium can store instructions to enable execution of the method of localization support for DoH or DoT sessions. An electronic device can store and execute a location service to implement the method of localization support for DoH or DoT sessions.

[0007] In another embodiment, a method and system support localization by a localization service in an internet service provider (ISP) network. The method includes receiving a location information query for the client device from a domain name system (DNS) server, determining location information for the client device, and sending the location information to the DNS server. A non-transitory machine readable medium can store instructions to enable execution of the another method of localization support for DoH or DoT sessions. An electronic device can store and execute a location service to implement the another method of localization support for DoH or DoT sessions. BRIEF DESCRIPTION OF THE DRAWINGS

[0008] The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention. In the drawings:

[0009] Figure l is a diagram of one example embodiment that illustrates how location information flows from a client application in an Internet Service Provider (ISP) or mobile network to the domain name system (DNS) over hypertext transfer protocol secure (DoH) service and to an application service.

[0010] Figure 2 is a diagram of one example embodiment that illustrates a client application communicating with an application server running in a close-by edge cloud server.

[0011] Figure 3 is a diagram of one example embodiment that illustrates an arrangement for providing location information to the DoH server from the DoH client.

[0012] Figure 4 is a diagram of one embodiment that illustrates messaging flow for providing location information to the DoH server from the DoH client.

[0013] Figure 5 is a diagram of one embodiment that illustrates an arrangement for providing location information to the DoH server from the ISP network.

[0014] Figure 6A is a diagram of one embodiment that illustrates messaging flow for providing location information to the DoH server from the ISP network.

[0015] Figure 6B is a flowchart of one embodiment of a process of a DoH server to obtain location information and to provide location information to the authoritative DNS server.

[0016] Figure 6C is a flowchart of one embodiment of a process of an ISP network to provide location information to a DoH server and facilitate a DNS query from a DoH client.

[0017] Figure 7 is a diagram of one example embodiment that illustrates one implementation example for a network device in operation with a communication network.

[0018] Figure 8A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some

embodiments of the invention.

[0019] Figure 8B illustrates an exemplary way to implement a special-purpose network device according to some embodiments of the invention.

[0020] Figure 8C illustrates various exemplary ways in which virtual network elements (VNEs) may be coupled according to some embodiments of the invention.

[0021] Figure 8D illustrates a network with a single network element (NE) on each of the NDs, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention.

[0022] Figure 8E illustrates the simple case of where each of the NDs implements a single NE, but a centralized control plane has abstracted multiple of the NEs in different NDs into (to represent) a single NE in one of the virtual network(s), according to some embodiments of the invention.

[0023] Figure 8F illustrates a case where multiple VNEs are implemented on different NDs and are coupled to each other, and where a centralized control plane has abstracted these multiple VNEs such that they appear as a single VNE within one of the virtual networks, according to some embodiments of the invention.

[0024] Figure 9 illustrates a general purpose control plane device with centralized control plane (CCP) software 950), according to some embodiments of the invention.

DETAILED DESCRIPTION

[0025] The following description describes methods and apparatus for utilizing domain name system (DNS) over hyper-text transfer protocol secure (HTTPS) (DoH) services to support the sharing of location information with an authoritative Domain Name System (DNS) server and the use of services in a network with edge computing. In the following description, numerous specific details such as logic implementations, opcodes, means to specify operands, resource partitioning/sharing/duplication implementations, types and interrelationships of system components, and logic partitioning/integration choices are set forth in order to provide a more thorough understanding of the present invention. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.

[0026] References in the specification to“one embodiment,”“an embodiment,”“an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. [0027] Bracketed text and blocks with dashed borders (e.g., large dashes, small dashes, dot- dash, and dots) may be used herein to illustrate optional operations that add additional features to embodiments of the invention. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain embodiments of the invention.

[0028] In the following description and claims, the terms“coupled” and“connected,” along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other.“Coupled” is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other.“Connected” is used to indicate the establishment of communication between two or more elements that are coupled with each other.

[0029] An electronic device stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using machine-readable media (also called computer-readable media), such as machine-readable storage media (e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals). Thus, an electronic device (e.g., a computer) includes hardware and software, such as a set of one or more processors (e.g., wherein a processor is a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application specific integrated circuit, field programmable gate array, other electronic circuitry, a combination of one or more of the preceding) coupled to one or more machine-readable storage media to store code for execution on the set of processors and/or to store data. For instance, an electronic device may include non-volatile memory containing the code since the non-volatile memory can persist code/data even when the electronic device is turned off (when power is removed), and while the electronic device is turned on that part of the code that is to be executed by the processor(s) of that electronic device is typically copied from the slower non volatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of that electronic device. Typical electronic devices also include a set or one or more physical network interface(s) (NI(s)) to establish network connections (to transmit and/or receive code and/or data using propagating signals) with other electronic devices. For example, the set of physical NIs (or the set of physical NI(s) in combination with the set of processors executing code) may perform any formatting, coding, or translating to allow the electronic device to send and receive data whether over a wired and/or a wireless connection. In some embodiments, a physical NI may comprise radio circuitry capable of receiving data from other electronic devices over a wireless connection and/or sending data out to other devices via a wireless connection. This radio circuitry may include transmitted s), received s), and/or transceiver(s) suitable for radiofrequency communication. The radio circuitry may convert digital data into a radio signal having the appropriate parameters (e.g., frequency, timing, channel, bandwidth, etc.). The radio signal may then be transmitted via antennas to the appropriate recipient(s). In some embodiments, the set of physical NI(s) may comprise network interface controlled s) (NICs), also known as a network interface card, network adapter, or local area network (LAN) adapter. The NIC(s) may facilitate in connecting the electronic device to other electronic devices allowing them to communicate via wire through plugging in a cable to a physical port connected to a NIC. One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.

[0030] A network device (ND) is an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices). Some network devices are“multiple services network devices” that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video).

[0031] DNS and Location Determination

[0032] There is often a recursive DNS server between a client application and the authoritative DNS server. In these cases, determining the client application location can also be done indirectly. There are two approaches to this indirect location determination. First, the authoritative DNS server can look up the IP address of the recursive DNS server and make an approximate location determination based on that information.

[0033] In a second approach, the recursive DNS server passes the client’s IP address to the authoritative DNS server. The extension mechanism for DNS (EDNS) Client Subnet option, defined in IETF RFC 7871 allows sending the client IP address to the authoritative DNS server. This allows the authoritative DNS server to select a more accurate server address in the response, being aware of the locations of the client application and the application servers that exist. While this approach improves the accuracy over the first approach, it is still approximate, as IP addresses provide limited location or topology information. Also, caching in the recursive DNS servers affects results.

[0034] Modem DNS Query Mechanisms

[0035] Modem and more secure ways of handling DNS queries have been developed. The Domain Name System Security Extensions (DNSSEC) mechanisms (as described in IETF RFC 4035) are an extension of the original DNS data and protocols that prove that the query results are correct and have not been tampered with. However, security concerns have shifted more towards protecting the privacy of users, and ways of encrypting DNS queries. DNS-over- HTTPS (Hypertext Transfer Protocol Secure) (DoH, IETF RFC 8484) and DNS-over- TLS (Transport Layer Security) (DoT, IETF RFC 7858) provide protocols to address these concerns, and work by encrypting the queries and their results. With DoH, even the use of DNS becomes hidden, as the protocol exchanges look like regular web traffic, and do not use any special port numbers or other distinguishing marks. DoH and DoT encrypt the DNS traffic so that outsiders cannot determine what domains are being queried.

[0036] Once an IP address has been retrieved from the DNS, the client application can open a connection to that IP address. In some cases, opening the connection to the IP address still reveals what domain or service the client application uses. But in many cases a general-purpose cloud service serves many different domains and applications, so it is not clear from the connection to a particular IP address what domain is being accessed.

[0037] In some cases, a connection uses the TLS protocol to protect the communications. This is the case when using the HTTPS protocol, for instance. TLS as currently used sends the domain name of the network that the client wishes to connect to as a cleartext parameter in the TLS connection setup phase. However, a planned change to the TLS protocol will change this and encrypt this information in the TLS connection setup messages. A driver for the use of DoH and DoT has been circumventing governmental or ISP blocking of domains.

[0038] DNS queries are performed as an operating system function, in the same way for all applications running on the same machine. However, it is possible for DoH to be moved to an application-based DNS query model, where an application such as a browser implements DoH and chooses its own (sometimes even fixed) servers to send the queries to.

[0039] There are a number of privacy and operational issues with the new DNS query mechanisms. The privacy improvements come with some drawbacks. While the privacy against outsiders or on-path routers is improved, there is no improvement in privacy with relation to the entity that runs the DNS service. If the DNS service is run by a large entity, the DNS query information is in fact centralized in a far greater manner, and becomes susceptible to easier government, surveillance, or commercial use.

[0040] Outside the privacy and operational issues with centralized services, there are other problems. Practical issues are how services can be localized and how the most efficient service instance can be found, while using DoH or DoT.

[0041] DoH (or DoT) operators deploy their DoH services at certain locations. For example, this can be a DoH server replicated in various countries. Depending on what mechanisms are supported, there are two cases. In the first case, if the authoritative DNS server looks only at the source address of the query and not the options, this presents a limitation for localization. In this case, when the DoH operator asks for the actual application service for the IP address, that service does not know where the actual query came from, only that it came from the DoH service provider’s local server. However, had the query come from an ISP or enterprise DNS server, the actual application service would be able to know the location far more accurately, e.g., a specific company or city. As a result, the choice of a particular answer for IP address of the actual application service may be suboptimal. Without support for the Client Subnet option, a centralized DNS service can only provide localization with the same granularity as the centralized service has. For instance, if a DoH service provider has one data center in Finland, then the application services found via the DNS service can only infer that the client is somewhere near Finland, because the query came via a Finnish data center. In a second case, if the DoH operator passes information about the client IP address to the authoritative DNS server in the Client Subnet option, and the authoritative DNS supports this option, then the

authoritative DNS server can localize its answer based on the IP address information.

[0042] However, even in the second case, the localization is necessarily limited to IP-address based methods. However, IP addresses do not convey the entire situation, particularly in mobile networks where the IP address is typically bound to a border router between the mobile operator and the Internet. However, there might be edge cloud deployments much closer to the user than the border router is in. The application provider may want to use such deployments for further efficiency.

[0043] If no DoH or DoT server is used, the ISP DNS server can easily recognize specific applications from the domain name such as www.example.com, and the ISP server can communicate the desired location to the application’s authoritative DNS server and the application itself in some fashion. For instance, the queried domain name can be mapped to a localized one, e.g., locationl.www.example.com. Or the location can be passed to the application’s authoritative DNS server and the application using protocols other than DNS, given that the ISP and the application provider have an agreement to employ edge cloud services from the ISP network.

[0044] However, none of this is possible when using a centralized DoH or DoT. The ISP does not get the DNS request and would be unable to see or modify its contents even if it did. The centralized DoH or DoT service does not have the same amount of knowledge that the ISP network has about the actual location of the user, as it only has topological information about the client’s externally visible IP address. That address does not reveal any local IP addresses that might have been used before a Network Address Translator (NAT) mapped the address to an externally visible one. The centralized DoH or DoT service also does not know anything about the mobile network location data. This problem is referred to herein as‘the localization problem.’

[0045] The localization problem affects mobile network operators and vendors, as the goal of the mobile industry is to be able to provide edge cloud services for different applications to reduce the latency for communications between the user’s device and the application servers. Many vendors have products in this space that are based on the ability to use DNS queries and provide accurate localization for the answers. Communication infrastructure providers’ products or product plans may also be affected. The localization problem also affects the centralized DoH or DoT providers, as they will not be able to offer best localization results through their service.

[0046] Overview

[0047] The embodiments overcome these disadvantages and limitations of the prior art. The embodiments extend the centralized DoH or DoT service. In the extension the centralized service gets additional location information from either the client application or the ISP/mobile network. This additional information allows the centralized DoH or DoT service to pass the information for localization purposes to the authoritative DNS server of the application.

[0048] Figure l is a diagram of one example embodiment that illustrates how location information flows from a client application in an Internet Service Provider (ISP) or mobile network to the domain name system (DNS) over hypertext transfer protocol secure (DoH) service and to an application service. Figure 1 illustrates how location information flows from the client application/ISP/mobile network to the DoH service and to an application service according to one example for particular embodiments. The authoritative DNS server can then make a determination of what is the closest application server instance that can be used when it constructs a reply to the DNS request.

[0049] The embodiments thereby ensure that the Edge Cloud Server close to the user is chosen as the location that the client application can connect to. The connection of the client application to the application server instance at an edge cloud server is illustrated in Figure 2. The client application communicates with an application server running in the close-by edge cloud, which is optimal for the low latency this application server instance would provide.

[0050] Figure 3 is a diagram of one embodiment.

[0051] In one embodiment, the client application sends additional localization information to the centralized DoH or DoT service. The DNS query sent over DoH is a standard Hypertext Transfer Protocol Secure (HTTPS) request. The DNS query sent over DoT is a standard DNS query. In both cases TLS is utilized. By including location information in either query, the receiving DoH/DoT server can have more information about where the query came from. The DoH or DoT server can then again pass the information for localization purposes to the authoritative DNS server of the application. This is depicted in Figures 3 and 4. Figure 3 illustrates an arrangement for providing location information to the DoH server from the DoH client according to one implementation example for particular embodiments of the solution described herein. Figure 4 illustrates messaging flow for providing location information to the DoH server from the DoH client according to one implementation example for particular embodiments of the solution described herein. As illustrated in Figure 4, in some embodiments, when the DoH server receives a query with location information from the DoH client, the DoH server determines if that received location information should be passed onwards to the authoritative DNS server of the application.

[0052] In another embodiment of this idea, a centralized DoH or DoT service provider works with the ISP or mobile network to determine location information. The centralized DoH or DoT service provider can have an agreement with a particular ISP or mobile network. The centralized DoH/DoT provider recognizes this ISP or mobile network through the client application’s IP address being within that network’s address range. The DoH/DoT server then sends a request to the ISP or mobile network to get some additional location information. The ISP or mobile network can then either provide this information directly or indirectly, for trusted DoH/DoT servers. A list of such trusted DoH/DoT servers can be configured in the ISP or mobile network.

[0053] In some embodiments, an ISP or mobile network may also only honor requests for which there has been a DoH/DoT query to the DoH/DoT server recently. The ISP or mobile network detects the DoH query based on the destination IP address (DoH/DoT server) and/or additional information in the request (e.g., Server Name Indication (SNI)). This request creates a temporary permission for the DoH service to query the network information about the location of the client application.

[0054] In the case of a mobile network, the DoH service can use the Service Capability Exposure Function (SCEF) interface's location application programming interface (API) to request the respective user's location. In other types of networks similar interfaces can be used.

If the user is behind a network address translation (NAT), the network queries the NAT for the IP address.

[0055] Figure 5 is a diagram that illustrates an arrangement for providing location information to the DoH server from the ISP. In the example illustrated, the centralized DoH/DoT services includes a DoH/DoT server that receives DoH/DoT requests from a client application in an ISP or mobile network. The DoH/DoT server queries the network of the client application to obtain further location information and provides this location information with the DNS request to an authoritative DNS server for the client application. The authoritative NDS server provides a DNS reply to the DoH/DoT server, which in turn replies to the query from the client application.

[0056] Figure 6A is a diagram that illustrates messaging flow for providing location information to an example DoH server from the mobile or ISP network. In the messaging flow a DoH request is sent by a DoH client application. The DoH server receives this DoH request and determines the network of the client application. The network of the client application is then queried to obtain additional location information using a location query. The network of the client application processes the location query and responds with a location response message.

[0057] The DoH server sends a DNS query to the authoritative DNS server including the location information obtained from the network of the client application. The authoritative DNS server sends a DNS response to the DoH server. The DoH server then sends a reply to the DoH client application with an IP address as a reply to the initial DoH request.

[0058] The embodiments provide advantages over the art. The advantages include that the embodiments provide an accurate localized answer for DNS queries. The improved location accuracy reduces latency for users and application providers, reduces overall network energy consumption, and enables local network operators to provide edge cloud services. By adding detailed local IP address, geographic location, or mobile network topology information it is possible to find an optimal choice for edge computing service selections.

[0059] The embodiments can also implement some mitigations for avoiding disclosure of location information for maintaining client application privacy. For instance, an ISP or mobile network may reveal location data only to an application service that uses their edge cloud service. The ISP or mobile network may also not reveal the location of a client application or a user, but rather simply point to a suitable edge cloud service location. In some embodiments, potential issues may be addressed in advance with informed consent from the affected parties (e.g., the user, or the client application). In some client-based embodiments disclosed herein, user preferences can control whether the client application should send location information to a DoH or DoT service, and whether it should do so for all or only for some applications.

[0060] Improved Localization Process

[0061] Generally, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and/or is implied from the context in which it is used. All references to a/an/the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any methods disclosed herein do not have to be performed in the exact order disclosed, unless a step is explicitly described as following or preceding another step and/or where it is implicit that a step must follow or precede another step. Any feature of any of the embodiments disclosed herein may be applied to any other embodiment, wherever appropriate. Likewise, any advantage of any of the embodiments may apply to any other embodiments, and vice versa.

Other objectives, features and advantages of the enclosed embodiments will be apparent from the following description.

[0062] The example of DoH requests and replies that are serviced by DoH servers are used herein by way of example and not limitation. One skilled in the art would appreciate that examples related to DoH are also applicable to DoT and similar protocols.

[0063] As discussed herein with relation to Figures 1 to 6A, the localization process and system provides an improved solution to the localization problem for client applications for DNS by using DoH, DoT, or similar technologies to provide more detailed location information to the DoH server and authoritative DNS server to enable the identification of an IP address for a DNS reply where the IP address for a requested service is local to the requesting client application. The more detailed location information can include geographical location, e.g., coarse or fine-grained coordinate information (e.g., GPS coordinates), country, state/province, city/country level information, postal code and similar geographical location information, topological location, e.g., a client application’s public IP address (known by the DoH server, and can be passed to the authoritative DNS server), a client application’s internal IP address, where NATs are used in the ISP or mobile network, an identifier for the base station that the client application is served by, a cell identifier in a cellular network, a tracking area in 4G LTE or 5G networks, radio access network (RAN) area in 5G networks, routing area in older generation networks, or other topological information about the ISP or mobile network.

[0064] A client application or client application network can collect this location information through different means. The client application’s network configuration provides some information (such as base station identifier or internal IP address). Some location information may be available in network messaging, such as in Dynamic Host Configuration Protocol (DHCP) or Router Advertisement options. The client application can also perform location determination in independent ways, e.g., via the Global Positioning System (GPS).

[0065] An ISP or mobile network has detailed knowledge about the topological and geographical location of a particular user equipment (UE) executing a client application, including, for instance, the internal IP addresses and currently used base station and topological location that is an anchor for the user equipment. For privacy and other reasons, providing the location of the closest edge cloud service may be the best choice for an ISP or mobile network, rather than revealing the client application’s (i.e., the user equipment) location. Optionally, location information can be encrypted using a public key of the authoritative DNS server so that the DoH/DoT server is not able to see the information, and in this way, privacy risks are reduced.

[0066] Figures 6B and 6C are flowcharts of one embodiment of a process for implementing the improved localization process. Figure 6B is a flowchart of one embodiment of the operation of the DoH server. Figure 6C is a flowchart of one embodiment of the operation of a process in the ISP or mobile network that provides location information to the DoH server. The process is described relative to the DoH server and the location services function of the ISP or mobile network.

[0067] Figure 6B describes the embodiment of the operation of the DoH server to support the improved localization information. The operations to obtain and provide improved location information can be implemented by a location management function or similar aspect of the DoH server. The process 650 can be triggered by the DoH server receiving a request to resolve a DNS query (i.e., to resolve a domain name (e.g., as part of a URL) by providing an IP address) from a client application (Block 651). The DNS query can be received indirectly from the client application via any number of intermediate devices including from network devices of the ISP or mobile network, including those that can execute a location services function.

[0068] The DoH server can determine what, if any location information is to be passed to the authoritative DNS server (Block 653). If the request includes location information, the DoH server decides whether to pass that information along to the authoritative DNS server. If the information should be passed on, then the DoH server can set the location information to be sent to the information that was included in the request. The decision on what location information to forward can be based on, for instance, whether the queried domain is trusted or has an agreement with the DoH service provider.

[0069] The DoH server can also determine which ISP or mobile network the received DoH request came from (Block 655). This can be based on the source address of the DoH request and whether it matches the known address range for a known ISP or mobile network. The results of this determination can also be saved for a given DoH session and reused for subsequent requests.

[0070] The DoH server can further decide whether additional location information is needed and should be passed on (Block 657). If further location information is not needed, then the process can proceed to send a DNS query to the authoritative DNS server. If additional location information is needed, then the process can obtain the additional information from the ISP or mobile network of the requesting client application. The decision can be based on, for instance, whether enough location information is already available, whether the ISP or mobile network that the DoH query came from is trusted or has an agreement with the DoH service provider, or whether the queried domain is trusted or has an agreement with the DoH service provider.

[0071] In some embodiments, a check can be made whether there is recent location information already associated with the given DoH session (Block 661). If the additional location information is available locally (e.g., it has been cached from prior messaging related to the DoH session), then the location information is retrieved from locally stored information, and the process then proceeds to send the DNS query (Block 659).

[0072] In the case where the additional information is not available locally, the DoH server sends a request for location information to the ISP or mobile network, identifying the client application or the UE executing the client application by its public IP address and a five-tuple or similar value that identifies the DoH session (Block 663). In some cases the ISP or mobile network of the client application is not determined until after the determination that the additional information is not locally available.

[0073] The DoH server receives a response from the ISP or mobile network with the requested location information (Block 665). If location information was available and the response came in expected time, the DoH server uses the returned location information in a DNS query to be sent to authoritative DNS server. A DNS request to the authoritative DNS server is generated with the location information to be sent (if any) and forwarded to the authoritative DNS server (Block 667). The DoH server receives a DNS response from the authoritative DNS server (Block 669). The DoH server forwards the DNS response to the client application via DoH protocol (Block 671).

[0074] Figure 6B describes the embodiment of the operation of a location management function of an ISP or mobile network. The process 675 of the ISP or mobile network can be triggered by receiving a DoH request from a client application executed by a computing device managed by the ISP or mobile network (Block 676). The ISP or mobile network can in some embodiments recognize and track outgoing DoH requests from client applications to DoH servers. This recognition and tracking can be based on, e.g., the destination address of a request being the address of the DoH server. The ISP or mobile network forwards the received DoH request to the appropriate destination DoH server (Block 678).

[0075] The ISP or mobile network may receive a request from a DoH service for location information related to a client application (Block 680). The DoH request identifies the DoH service provider making the request, the client application or related computing device whose location is needed, and the domain for which information is searched for by the client application. [0076] The ISP or mobile network may determine if the DoH service provider is one that is authorized to access location information, e.g., the DoH service provider has an agreement with this ISP or mobile network to share location information (Block 682). If the DoH service provider is not authorized, then the ISP or mobile network can respond by declining the request or sending an error message (Block 690). If the DoH service provider is authorized to access the location information, then the ISP or the mobile network can determine if the domain is one that is authorized to be provided location information, e.g., the domain has an agreement with this ISP or mobile network for edge cloud services (Block 684). If the domain is not authorized for location information, then the ISP or mobile network can respond by declining the request or sending an error message (Block 690).

[0077] If the DoH server and the domain are authorized to access the location information, then the ISP or the mobile network can determine whether the client application can be identified and authorized to share location information, e.g., the client application or the associated computing device can be uniquely identified from the information sent, and has settings that allow location information to be shared (Block 686). The client application can be identified also by matching it to the outbound traffic observed when the corresponding DoH request was sent to the DoH server. If the client application cannot be identified and/or is determined to not allow identification, then the ISP or mobile network can respond by declining the DoH request or sending an error message (Block 690). These authorization checks of the DoH server, domain, and client application can be performed in any order or in parallel.

[0078] If the DoH server is authorized to access location information, the domain is authorized to access location information, the client application allows identification and similar conditions are met, then the ISP or mobile network can determine the current location of the client application or associated computing device (Block 688). Once the location of the client application or computing device executing the client application is determined, then the closest and/or most suitable (e.g., has sufficient capacity, lowest latency, sufficient bandwidth or similar characteristics) edge cloud service node is determined (Block 692). In some embodiments, if no suitable service node can be found, then the ISP or mobile network responds by declining the request or sending an error message.

[0079] If a suitable edge cloud service node is found, then the requested location information can be provided to the DoH server (Block 694). Depending on the preferences of the client application, user, ISP, mobile network or combinations thereof the location information that is provided can be specific to a computing device executing the client application, the suitable edge cloud service node, or similar node in the ISP or mobile network. The ISP or mobile network responds to the location information request positively and provides the address or name of the suitable edge cloud service node, computing device of the client application, or similar device as location information.

[0080] In other embodiments, location information can be provided by other combinations of computing devices and entities. In some embodiments, the client application can participate in servicing the location request including providing the additional location information requested. In other embodiments, a location management function in the client application’s network provides the additional information.

[0081] In further embodiments, client applications can volunteer the additional information by including the information with a DoH request or similarly sending the information to the DoH server. A client application can provide the additional location information in HTTP headers inside the DoH request. Where the DoH server requests information from the client applications mobile network, the SCEF (Service Capability Exposure Function) node can interact with the DoH server.

[0082] In some embodiments, client applications and associated devices can be identified using different methods including the client application or associated device being identified by an IP address, the client application or the computing device being identified by a five-tuple identifying the DoH session from the client application, the client application or computing device being identified by a five-tuple that was used in a recent outgoing packet from the client application to the DoH server, the ISP or mobile network finding a client application by matching the five-tuple for the DoH session from the NAT session mapping table, or similar identification method.

[0083] In some embodiments, the additional information can vary to include a location of the client application or associated computing device, a location of an edge cloud server near the client, or a location of similar node that is proximate to the client application. Privacy and security can be ensured using different techniques including only allowing location queries from a DoH server shortly after outgoing traffic to that server was observed from the client, encrypting the location information to the authoritative DNS server using public key encryption, so that the DoH server is unable to see the location, the DoH server deciding whether to forward the additional information based on the domain in question, the ISP or mobile network deciding to provide location information based on whether the network has been configured to provide this information for the DoH or DoT server in question, or for the domain in question.

[0084] Figure 7 is a diagram of a network that illustrates one implementation example for particular embodiments described herein. Network device (ND) 700 may, in some

embodiments, be an electronic device that can be communicatively connected to other electronic devices on the network (e.g., other network devices, user equipment devices (UEs), radio base stations, etc.). In certain embodiments, network device 700 may include radio access features that provide wireless radio network access to other electronic devices (for example a“radio access network device" may refer to such a network device) such as user equipment devices (UEs). For example, network device 700 may be a base station, such as eNodeB in Long Term Evolution (LTE), NodeB in Wideband Code Division Multiple Access (WCDMA) or other types of base stations, as well as a Radio Network Controller (RNC), a Base Station Controller (BSC), or other types of control nodes. As depicted in Fig. 7, the example network device 700 comprises processor 701, memory 702, interface 703, and antenna 704. These components may work together to provide various network device functionality as disclosed herein.

[0085] Processor 701 may be a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application specific integrated circuit, field programmable gate array, any other type of electronic circuitry, or any combination of one or more of the preceding. The processor 701 may comprise one or more processor cores. In particular embodiments, some or all of the functionality described herein as being provided by network device 700 may be implemented by processor 701 executing software instructions, either alone or in conjunction with other network device 700 components, such as memory 702.

[0086] Memory 702 may store code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using non- transitory machine-readable (e.g., computer-readable) media, such as machine-readable storage media (e.g., magnetic disks, optical disks, solid state drives, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals). For instance, memory 702 may comprise non-volatile memory containing code to be executed by processor 701. Where memory 702 is non-volatile, the code and/or data stored therein can persist even when the network device is turned off (when power is removed). In some instances, while network device 700 is turned on that part of the code that is to be executed by the processor(s) 701 may be copied from non-volatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of network device 700. In some embodiments, aspect of the location manager functions can be implemented as code stored in the memory 702.

[0087] Interface 703 may be used in the wired and/or wireless communication of signaling and/or data to or from network device 700. For example, interface 703 may perform any formatting, coding, or translating to allow network device 700 to send and receive data whether over a wired and/or a wireless connection. In some embodiments, interface 703 may comprise radio circuitry capable of receiving data from other devices in the network over a wireless connection and/or sending data out to other devices via a wireless connection. This radio circuitry may include transmitted s), receiver(s), and/or transceiver(s) suitable for radiofrequency communication. The radio circuitry may convert digital data into a radio signal having the appropriate parameters (e.g., frequency, timing, channel, bandwidth, etc.). The radio signal may then be transmitted via antennas 704 to the appropriate recipient(s). In some embodiments, interface 703 may comprise network interface controlled s) (NICs), also known as a network interface card, network adapter, local area network (LAN) adapter or physical network interface. The NIC(s) may facilitate in connecting the network device 700 to other devices allowing them to communicate via wire through plugging in a cable to a physical port connected to a NIC. As explained above, in particular embodiments, processor 701 may represent part of interface 703, and some or all of the functionality described as being provided by interface XI 03 may be provided more specifically by processor 701.

[0088] The components of network device 700 are each depicted as separate boxes located within a single larger box for reasons of simplicity in describing certain aspects and features of network device 700 disclosed herein. In practice however, one or more of the components illustrated in the example network device 700 may comprise multiple different physical elements (e.g., interface 703 may comprise terminals for coupling wires for a wired connection and a radio transceiver for a wireless connection).

[0089] The embodiments of the improved location services of the DoH server and the ISP or mobile network may be implemented in the network device 700 by means of a computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the actions according to any of the above features and embodiments, where appropriate.

[0090] While the modules are illustrated as being implemented in software stored in memory 702, other embodiments implement part or all of each of these modules in hardware.

[0091] Figure 8A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some

embodiments of the invention. Figure 8A shows NDs 800A-H, and their connectivity by way of lines between 800A-800B, 800B-800C, 800C-800D, 800D-800E, 800E-800F, 800F-800G, and 800A-800G, as well as between 800H and each of 800A, 800C, 800D, and 800G. These NDs are physical devices, and the connectivity between these NDs can be wireless or wired (often referred to as a link). An additional line extending from NDs 800A, 800E, and 800F illustrates that these NDs act as ingress and egress points for the network (and thus, these NDs are sometimes referred to as edge NDs; while the other NDs may be called core NDs). [0092] Two of the exemplary ND implementations in Figure 8A are: 1) a special-purpose network device 802 that uses custom application-specific integrated-circuits (ASICs) and a special-purpose operating system (OS); and 2) a general purpose network device 804 that uses common off-the-shelf (COTS) processors and a standard OS.

[0093] The special-purpose network device 802 includes networking hardware 810 comprising a set of one or more processor(s) 812, forwarding resource(s) 814 (which typically include one or more ASICs and/or network processors), and physical network interfaces (NIs) 816 (through which network connections are made, such as those shown by the connectivity between

NDs 800A-H), as well as non-transitory machine readable storage media 818 having stored therein networking software 820. During operation, the networking software 820 may be executed by the networking hardware 810 to instantiate a set of one or more networking software instance(s) 822. Each of the networking software instance(s) 822, and that part of the networking hardware 810 that executes that network software instance (be it hardware dedicated to that networking software instance and/or time slices of hardware temporally shared by that networking software instance with others of the networking software instance(s) 822), form a separate virtual network element 830A-R. Each of the virtual network element(s) (VNEs) 830A- R includes a control communication and configuration module 832A-R (sometimes referred to as a local control module or control communication module) and forwarding table(s) 834A-R, such that a given virtual network element (e.g., 830A) includes the control communication and configuration module (e.g., 832A), a set of one or more forwarding table(s) (e.g., 834A), and that portion of the networking hardware 810 that executes the virtual network

element (e.g., 830A).

[0094] The special-purpose network device 802 is often physically and/or logically considered to include: 1) a ND control plane 824 (sometimes referred to as a control plane) comprising the processor(s) 812 that execute the control communication and configuration module(s) 832A-R; and 2) a ND forwarding plane 826 (sometimes referred to as a forwarding plane, a data plane, or a media plane) comprising the forwarding resource(s) 814 that utilize the forwarding

table(s) 834A-R and the physical NIs 816. By way of example, where the ND is a router (or is implementing routing functionality), the ND control plane 824 (the processor(s) 812 executing the control communication and configuration module(s) 832A-R) is typically responsible for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) and storing that routing information in the forwarding table(s) 834A-R, and the ND forwarding plane 826 is responsible for receiving that data on the physical NIs 816 and forwarding that data out the appropriate ones of the physical NIs 816 based on the forwarding table(s) 834A-R. [0095] Figure 8B illustrates an exemplary way to implement the special-purpose network device 802 according to some embodiments of the invention. Figure 8B shows a special-purpose network device including cards 838 (typically hot pluggable). While in some embodiments the cards 838 are of two types (one or more that operate as the ND forwarding plane 826

(sometimes called line cards), and one or more that operate to implement the ND control plane 824 (sometimes called control cards)), alternative embodiments may combine

functionality onto a single card and/or include additional card types (e.g., one additional type of card is called a service card, resource card, or multi-application card). A service card can provide specialized processing (e.g., Layer 4 to Layer 7 services (e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer-to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)). By way of example, a service card may be used to terminate IPsec tunnels and execute the attendant authentication and encryption algorithms. These cards are coupled together through one or more interconnect mechanisms illustrated as backplane 836 (e.g., a first full mesh coupling the line cards and a second full mesh coupling all of the cards).

[0096] Returning to Figure 8A, the general purpose network device 804 includes hardware 840 comprising a set of one or more processor(s) 842 (which are often COTS processors) and physical NIs 846, as well as non-transitory machine readable storage media 848 having stored therein software 850. During operation, the processor(s) 842 execute the software 850 to instantiate one or more sets of one or more applications 864A-R. While one embodiment does not implement virtualization, alternative embodiments may use different forms of virtualization. For example, in one such alternative embodiment the virtualization layer 854 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 862A-R called software containers that may each be used to execute one (or more) of the sets of applications 864A-R; where the multiple software containers (also called virtualization engines, virtual private servers, or jails) are user spaces (typically a virtual memory space) that are separate from each other and separate from the kernel space in which the operating system is run; and where the set of applications running in a given user space, unless explicitly allowed, cannot access the memory of the other processes. In another such alternative embodiment the virtualization layer 854 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and each of the sets of applications 864A-R is run on top of a guest operating system within an instance 862A-R called a virtual machine (which may in some cases be considered a tightly isolated form of software container) that is run on top of the hypervisor - the guest operating system and application may not know they are running on a virtual machine as opposed to running on a“bare metal” host electronic device, or through para-virtualization the operating system and/or application may be aware of the presence of virtualization for optimization purposes. In yet other alternative embodiments, one, some or all of the applications are implemented as unikemel(s), which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including drivers/libraries of OS sendees) that provide the particular OS sendees needed by the application. As a unikernel can be implemented to run directly on hardware 840, directly on a hypervisor (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container, embodiments can be implemented fully with unikemels running directly on a hypervisor represented by virtualization layer 854, unikemels running within software containers represented by instances 862A-R, or as a combination of unikemels and the above-described techniques (e.g., unikemels and virtual machines both ran directly on a hypervisor, unikemels and sets of applications that are ran in different software containers).

[0097] The instantiation of the one or more sets of one or more applications 864A-R, as well as virtualization if implemented, are collectively referred to as software instance(s) 852. Each set of applications 864A-R, corresponding virtualization construct (e.g., instance 862A-R) if implemented, and that part of the hardware 840 that executes them (be it hardware dedicated to that execution and/or time slices of hardware temporally shared), forms a separate virtual network element(s) 860A-R.

[0098] The virtual network element(s) 860A-R perform similar functionality to the virtual network element(s) 830A-R - e.g., similar to the control communication and configuration module(s) 832A and forwarding table(s) 834A (this virtualization of the hardware 840 is sometimes referred to as network function virtualization (NFV)). Thus, NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which could be located in Data centers, NDs, and customer premise equipment (CPE). While embodiments of the invention are illustrated with each instance 862A-R corresponding to one VNE 860A-R, alternative embodiments may implement this correspondence at a finer level granularity (e.g., line card virtual machines virtualize line cards, control card virtual machine virtualize control cards, etc.); it should be understood that the techniques described herein with reference to a correspondence of instances 862A-R to VNEs also apply to embodiments where such a finer level of granularity and/or unikemels are used. [0099] In certain embodiments, the virtualization layer 854 includes a virtual switch that provides similar forwarding services as a physical Ethernet switch. Specifically, this virtual switch forwards traffic between instances 862A-R and the physical NI(s) 846, as well as optionally between the instances 862A-R; in addition, this virtual switch may enforce network isolation between the VNEs 860A-R that by policy are not permitted to communicate with each other (e.g., by honoring virtual local area networks (VLANs)).

[00100] The third exemplary ND implementation in Figure 8A is a hybrid network device 806, which includes both custom ASICs/special-purpose OS and COTS processors/standard OS in a single ND or a single card within an ND. In certain embodiments of such a hybrid network device, a platform VM (i.e., a VM that that implements the functionality of the special-purpose network device 802) could provide for para-virtualization to the networking hardware present in the hybrid network device 806.

[00101] Regardless of the above exemplary implementations of an ND, when a single one of multiple VNEs implemented by an ND is being considered (e.g., only one of the VNEs is part of a given virtual network) or where only a single VNE is currently being implemented by an ND, the shortened term network element (NE) is sometimes used to refer to that VNE. Also in all of the above exemplary implementations, each of the VNEs (e.g., VNE(s) 830A-R, VNEs 860A-R, and those in the hybrid network device 806) receives data on the physical NIs (e.g., 816, 846) and forwards that data out the appropriate ones of the physical NIs (e.g., 816, 846). For example, a VNE implementing IP router functionality forwards IP packets on the basis of some of the IP header information in the IP packet; where IP header information includes source IP address, destination IP address, source port, destination port (where“source port” and“destination port” refer herein to protocol ports, as opposed to physical ports of a ND), transport protocol (e.g., user datagram protocol (UDP), Transmission Control Protocol (TCP), QUIC, and differentiated services code point (DSCP) values.

[00102] Figure 8C illustrates various exemplary ways in which VNEs may be coupled according to some embodiments of the invention. Figure 8C shows VNEs 870A.1-870A.P (and optionally VNEs 870A.Q-870A.R) implemented in ND 800A and VNE 870H.1 in ND 800H. In Figure 8C, VNEs 870A.1-P are separate from each other in the sense that they can receive packets from outside ND 800A and forward packets outside of ND 800A; VNE 870A.1 is coupled with VNE 870H.1, and thus they communicate packets between their respective NDs; VNE 870A.2-870A.3 may optionally forward packets between themselves without forwarding them outside of the ND 800A; and VNE 870A.P may optionally be the first in a chain of VNEs that includes VNE 870A.Q followed by VNE 870A.R (this is sometimes referred to as dynamic service chaining, where each of the VNEs in the series of VNEs provides a different service - e.g., one or more layer 4-7 network services). While Figure 8C illustrates various exemplary relationships between the VNEs, alternative embodiments may support other relationships (e.g., more/fewer VNEs, more/fewer dynamic service chains, multiple different dynamic service chains with some common VNEs and some different VNEs).

[00103] The NDs of Figure 8 A, for example, may form part of the Internet or a private network; and other electronic devices (not shown; such as end user devices including workstations, laptops, netbooks, tablets, palm tops, mobile phones, smartphones, phablets, multimedia phones, Voice Over Internet Protocol (VOIP) phones, terminals, portable media players, GPS units, wearable devices, gaming systems, set-top boxes, Internet enabled household appliances) may be coupled to the network (directly or through other networks such as access networks) to communicate over the network (e.g., the Internet or virtual private networks (VPNs) overlaid on (e.g., tunneled through) the Internet) with each other (directly or through servers) and/or access content and/or services. Such content and/or services are typically provided by one or more servers (not shown) belonging to a service/content provider or one or more end user devices (not shown) participating in a peer-to-peer (P2P) service, and may include, for example, public webpages (e.g., free content, store fronts, search services), private webpages (e.g., usemame/password accessed webpages providing email services), and/or corporate networks over VPNs. For instance, end user devices may be coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)) to edge NDs, which are coupled (e.g., through one or more core NDs) to other edge NDs, which are coupled to electronic devices acting as servers. However, through compute and storage virtualization, one or more of the electronic devices operating as the NDs in Figure 8A may also host one or more such servers (e.g., in the case of the general purpose network device 804, one or more of the software instances 862A-R may operate as servers; the same would be true for the hybrid network device 806; in the case of the special-purpose network device 802, one or more such servers could also be run on a virtualization layer executed by the processor(s) 812); in which case the servers are said to be co-located with the VNEs of that ND.

[00104] A virtual network is a logical abstraction of a physical network (such as that in Figure 8A) that provides network services (e.g., L2 and/or L3 services). A virtual network can be implemented as an overlay network (sometimes referred to as a network virtualization overlay) that provides network services (e.g., layer 2 (L2, data link layer) and/or layer 3 (L3, network layer) services) over an underlay network (e.g., an L3 network, such as an Internet Protocol (IP) network that uses tunnels (e.g., generic routing encapsulation (GRE), layer 2 tunneling protocol (L2TP), IPSec) to create the overlay network). [00105] A network virtualization edge (NVE) sits at the edge of the underlay network and participates in implementing the network virtualization; the network-facing side of the NVE uses the underlay network to tunnel frames to and from other NVEs; the outward-facing side of the NVE sends and receives data to and from systems outside the network. A virtual network instance (VNI) is a specific instance of a virtual network on a NVE (e.g., a NE/VNE on an ND, a part of a NE/VNE on a ND where that NE/VNE is divided into multiple VNEs through emulation); one or more VNIs can be instantiated on an NVE (e.g., as different VNEs on an ND). A virtual access point (VAP) is a logical connection point on the NVE for connecting external systems to a virtual network; a VAP can be physical or virtual ports identified through logical interface identifiers (e.g., a VLAN ID).

[00106] Examples of network services include: 1) an Ethernet LAN emulation service (an Ethernet-based multipoint service similar to an Internet Engineering Task Force (IETF) Multiprotocol Label Switching (MPLS) or Ethernet VPN (EVPN) service) in which external systems are interconnected across the network by a LAN environment over the underlay network (e.g., an NVE provides separate L2 VNIs (virtual switching instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network); and 2) a virtualized IP forwarding service (similar to IETF IP VPN (e.g., Border Gateway Protocol (BGP)/MPLS IPVPN) from a service definition perspective) in which external systems are interconnected across the network by an L3 environment over the underlay network (e.g., an NVE provides separate L3 VNIs (forwarding and routing instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network)). Network services may also include quality of service capabilities (e.g., traffic classification marking, traffic conditioning and scheduling), security capabilities (e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements), and management capabilities (e.g., full detection and processing).

[00107] Fig. 8D illustrates a network with a single network element on each of the NDs of Figure 8A, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention. Specifically, Figure 8D illustrates network elements (NEs) 870A-H with the same connectivity as the NDs 800A-H of Figure 8 A.

[00108] Figure 8D illustrates that the distributed approach 872 distributes responsibility for generating the reachability and forwarding information across the NEs 870A-H; in other words, the process of neighbor discovery and topology discovery is distributed. [00109] For example, where the special-purpose network device 802 is used, the control communication and configuration module(s) 832A-R of the ND control plane 824 typically include a reachability and forwarding information module to implement one or more routing protocols (e.g., an exterior gateway protocol such as Border Gateway Protocol (BGP), Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Routing Information Protocol (RIP), Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP) (including RSVP-Traffic Engineering (TE): Extensions to RSVP for LSP Tunnels and Generalized Multi -Protocol Label Switching

(GMPLS) Signaling RSVP-TE)) that communicate with other NEs to exchange routes, and then selects those routes based on one or more routing metrics. Thus, the NEs 870A-H (e.g., the processor(s) 812 executing the control communication and configuration module(s) 832A-R) perform their responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by

distributively determining the reachability within the network and calculating their respective forwarding information. Routes and adjacencies are stored in one or more routing structures (e.g., Routing Information Base (RIB), Label Information Base (LIB), one or more adjacency structures) on the ND control plane 824. The ND control plane 824 programs the ND forwarding plane 826 with information (e.g., adjacency and route information) based on the routing structure(s). For example, the ND control plane 824 programs the adjacency and route information into one or more forwarding table(s) 834A-R (e.g., Forwarding Information Base (FIB), Label Forwarding Information Base (LFIB), and one or more adjacency structures) on the ND forwarding plane 826. For layer 2 forwarding, the ND can store one or more bridging tables that are used to forward data based on the layer 2 information in that data. While the above example uses the special-purpose network device 802, the same distributed approach 872 can be implemented on the general purpose network device 804 and the hybrid network device 806.

[00110] Figure 8D illustrates that a centralized approach 874 (also known as software defined networking (SDN)) that decouples the system that makes decisions about where traffic is sent from the underlying systems that forwards traffic to the selected destination. The illustrated centralized approach 874 has the responsibility for the generation of reachability and forwarding information in a centralized control plane 876 (sometimes referred to as a SDN control module, controller, network controller, OpenFlow controller, SDN controller, control plane node, network virtualization authority, or management control entity), and thus the process of neighbor discovery and topology discovery is centralized. The centralized control plane 876 has a south bound interface 882 with a data plane 880 (sometime referred to the infrastructure layer, network forwarding plane, or forwarding plane (which should not be confused with a ND forwarding plane)) that includes the NEs 870A-H (sometimes referred to as switches, forwarding elements, data plane elements, or nodes). The centralized control plane 876 includes a network controller 878, which includes a centralized reachability and forwarding information module 879 that determines the reachability within the network and distributes the forwarding information to the NEs 870A-H of the data plane 880 over the south bound interface 882 (which may use the OpenFlow protocol). Thus, the network intelligence is centralized in the centralized control plane 876 executing on electronic devices that are typically separate from the NDs.

[00111] For example, where the special-purpose network device 802 is used in the data plane 880, each of the control communication and configuration module(s) 832A-R of the ND control plane 824 typically include a control agent that provides the V E side of the south bound interface 882. In this case, the ND control plane 824 (the processor(s) 812 executing the control communication and configuration module(s) 832A-R) performs its responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) through the control agent communicating with the centralized control plane 876 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 879 (it should be understood that in some embodiments of the invention, the control communication and configuration module(s) 832A-R, in addition to communicating with the centralized control plane 876, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach; such embodiments are generally considered to fall under the centralized approach 874, but may also be considered a hybrid approach).

[00112] While the above example uses the special-purpose network device 802, the same centralized approach 874 can be implemented with the general purpose network device 804 (e.g., each of the VNE 860A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by communicating with the centralized control plane 876 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 879; it should be understood that in some embodiments of the invention, the VNEs 860A-R, in addition to communicating with the centralized control plane 876, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach) and the hybrid network device 806. In fact, the use of SDN techniques can enhance the NFV techniques typically used in the general purpose network device 804 or hybrid network device 806 implementations as NFV is able to support SDN by providing an infrastructure upon which the SDN software can be run, and NFV and SDN both aim to make use of commodity server hardware and physical switches.

[00113] Figure 8D also shows that the centralized control plane 876 has a north bound interface 884 to an application layer 886, in which resides application(s) 888. The centralized control plane 876 has the ability to form virtual networks 892 (sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 870A-H of the data plane 880 being the underlay network)) for the application(s) 888. Thus, the centralized control plane 876 maintains a global view of all NDs and configured NEs/VNEs, and it maps the virtual networks to the underlying NDs efficiently (including maintaining these mappings as the physical network changes either through hardware (ND, link, or ND component) failure, addition, or removal).

[00114] While Figure 8D shows the distributed approach 872 separate from the centralized approach 874, the effort of network control may be distributed differently or the two combined in certain embodiments of the invention. For example: 1) embodiments may generally use the centralized approach (SDN) 874, but have certain functions delegated to the NEs (e.g., the distributed approach may be used to implement one or more of fault monitoring, performance monitoring, protection switching, and primitives for neighbor and/or topology discovery); or 2) embodiments of the invention may perform neighbor discovery and topology discovery via both the centralized control plane and the distributed protocols, and the results compared to raise exceptions where they do not agree. Such embodiments are generally considered to fall under the centralized approach 874, but may also be considered a hybrid approach.

[00115] While Figure 8D illustrates the simple case where each of the NDs 800A-H implements a single NE 870A-H, it should be understood that the network control approaches described with reference to Figure 8D also work for networks where one or more of the

NDs 800A-H implement multiple VNEs (e.g., VNEs 830A-R, VNEs 860A-R, those in the hybrid network device 806). Alternatively or in addition, the network controller 878 may also emulate the implementation of multiple VNEs in a single ND. Specifically, instead of (or in addition to) implementing multiple VNEs in a single ND, the network controller 878 may present the implementation of a VNE/NE in a single ND as multiple VNEs in the virtual networks 892 (all in the same one of the virtual network(s) 892, each in different ones of the virtual network(s) 892, or some combination). For example, the network controller 878 may cause an ND to implement a single VNE (a NE) in the underlay network, and then logically divide up the resources of that NE within the centralized control plane 876 to present different VNEs in the virtual network(s) 892 (where these different VNEs in the overlay networks are sharing the resources of the single VNE/NE implementation on the ND in the underlay network).

[00116] On the other hand, Figures 8E and 8F respectively illustrate exemplary abstractions of NEs and VNEs that the network controller 878 may present as part of different ones of the virtual networks 892. Figure 8E illustrates the simple case of where each of the NDs 800A-H implements a single NE 870A-H (see Figure 8D), but the centralized control plane 876 has abstracted multiple of the NEs in different NDs (the NEs 870A-C and G-H) into (to represent) a single NE 8701 in one of the virtual network(s) 892 of Figure 8D, according to some

embodiments of the invention. Figure 8E shows that in this virtual network, the NE 8701 is coupled to NE 870D and 870F, which are both still coupled to NE 870E.

[00117] Figure 8F illustrates a case where multiple VNEs (VNE 870A.1 and VNE 870H.1) are implemented on different NDs (ND 800A and ND 800H) and are coupled to each other, and where the centralized control plane 876 has abstracted these multiple VNEs such that they appear as a single VNE 870T within one of the virtual networks 892 of Figure 8D, according to some embodiments of the invention. Thus, the abstraction of a NE or VNE can span multiple NDs.

[00118] While some embodiments of the invention implement the centralized control plane 876 as a single entity (e.g., a single instance of software running on a single electronic device), alternative embodiments may spread the functionality across multiple entities for redundancy and/or scalability purposes (e.g., multiple instances of software running on different electronic devices).

[00119] Similar to the network device implementations, the electronic device(s) running the centralized control plane 876, and thus the network controller 878 including the centralized reachability and forwarding information module 879, may be implemented a variety of ways (e.g., a special purpose device, a general-purpose (e.g., COTS) device, or hybrid device). These electronic device(s) would similarly include processor(s), a set or one or more physical NIs, and a non-transitory machine-readable storage medium having stored thereon the centralized control plane software. For instance, Figure 9 illustrates, a general purpose control plane device 904 including hardware 940 comprising a set of one or more processor(s) 942 (which are often COTS processors) and physical NIs 946, as well as non-transitory machine readable storage media 948 having stored therein centralized control plane (CCP) software 950.

[00120] In embodiments that use compute virtualization, the processor(s) 942 typically execute software to instantiate a virtualization layer 954 (e.g., in one embodiment the virtualization layer 954 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 962A-R called software containers (representing separate user spaces and also called virtualization engines, virtual private servers, or jails) that may each be used to execute a set of one or more applications; in another embodiment the virtualization layer 954 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and an application is run on top of a guest operating system within an instance 962A-R called a virtual machine (which in some cases may be considered a tightly isolated form of software container) that is run by the hypervisor ; in another embodiment, an application is implemented as a unikernel, which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including drivers/libraries of OS services) that provide the particular OS services needed by the application, and the unikernel can run directly on hardware 940, directly on a hypervisor represented by virtualization layer 954 (in which case the unikemel is sometimes described as running within a LibOS virtual machine), or in a software container represented by one of instances 962A-R). Again, in embodiments where compute virtualization is used, during operation an instance of the CCP software 950 (illustrated as CCP instance 976A) is executed (e.g., within the instance 962A) on the virtualization layer 954. In embodiments where compute virtualization is not used, the CCP instance 976A is executed, as a unikemel or on top of a host operating system, on the“bare metal” general purpose control plane device 904. The

instantiation of the CCP instance 976A, as well as the virtualization layer 954 and

instances 962A-R if implemented, are collectively referred to as software instance(s) 952.

[00121] In some embodiments, the CCP instance 976A includes a network controller instance 978. The network controller instance 978 includes a centralized reachability and forwarding information module instance 979 (which is a middleware layer providing the context of the network controller 878 to the operating system and communicating with the various NEs), and an CCP application layer 980 (sometimes referred to as an application layer) over the middleware layer (providing the intelligence required for various network operations such as protocols, network situational awareness, and user - interfaces). At a more abstract level, this CCP application layer 980 within the centralized control plane 876 works with virtual network view(s) (logical view(s) of the network) and the middleware layer provides the conversion from the virtual networks to the physical view.

[00122] The centralized control plane 876 transmits relevant messages to the data plane 880 based on CCP application layer 980 calculations and middleware layer mapping for each flow.

A flow may be defined as a set of packets whose headers match a given pattern of bits; in this sense, traditional IP forwarding is also flow-based forwarding where the flows are defined by the destination IP address for example; however, in other implementations, the given pattern of bits used for a flow definition may include more fields (e.g., 10 or more) in the packet headers. Different NDs/NEs/VNEs of the data plane 880 may receive different messages, and thus different forwarding information. The data plane 880 processes these messages and programs the appropriate flow information and corresponding actions in the forwarding tables (sometime referred to as flow tables) of the appropriate NE/VNEs, and then the NEs/VNEs map incoming packets to flows represented in the forwarding tables and forward packets based on the matches in the forwarding tables.

[00123] Standards such as OpenFlow define the protocols used for the messages, as well as a model for processing the packets. The model for processing packets includes header parsing, packet classification, and making forwarding decisions. Header parsing describes how to interpret a packet based upon a well-known set of protocols. Some protocol fields are used to build a match structure (or key) that will be used in packet classification (e.g., a first key field could be a source media access control (MAC) address, and a second key field could be a destination MAC address).

[00124] Packet classification involves executing a lookup in memory to classify the packet by determining which entry (also referred to as a forwarding table entry or flow entry) in the forwarding tables best matches the packet based upon the match structure, or key, of the forwarding table entries. It is possible that many flows represented in the forwarding table entries can correspond/match to a packet; in this case the system is typically configured to determine one forwarding table entry from the many according to a defined scheme (e.g., selecting a first forwarding table entry that is matched). Forwarding table entries include both a specific set of match criteria (a set of values or wildcards, or an indication of what portions of a packet should be compared to a particular value/values/wildcards, as defined by the matching capabilities - for specific fields in the packet header, or for some other packet content), and a set of one or more actions for the data plane to take on receiving a matching packet. For example, an action may be to push a header onto the packet, for the packet using a particular port, flood the packet, or simply drop the packet. Thus, a forwarding table entry for IPv4/IPv6 packets with a particular transmission control protocol (TCP) destination port could contain an action specifying that these packets should be dropped.

[00125] Making forwarding decisions and performing actions occurs, based upon the forwarding table entry identified during packet classification, by executing the set of actions identified in the matched forwarding table entry on the packet.

[00126] However, when an unknown packet (for example, a“missed packet” or a“match- miss” as used in OpenFlow parlance) arrives at the data plane 880, the packet (or a subset of the packet header and content) is typically forwarded to the centralized control plane 876. The centralized control plane 876 will then program forwarding table entries into the data plane 880 to accommodate packets belonging to the flow of the unknown packet. Once a specific forwarding table entry has been programmed into the data plane 880 by the centralized control plane 876, the next packet with matching credentials will match that forwarding table entry and take the set of actions associated with that matched entry.

[00127] A network interface (NI) may be physical or virtual; and in the context of IP, an interface address is an IP address assigned to a NI, be it a physical NI or virtual NI. A virtual NI may be associated with a physical NI, with another virtual interface, or stand on its own (e.g., a loopback interface, a point-to-point protocol interface). A NI (physical or virtual) may be numbered (a NI with an IP address) or unnumbered (a NI without an IP address). A loopback interface (and its loopback address) is a specific type of virtual NI (and IP address) of a

NE/VNE (physical or virtual) often used for management purposes; where such an IP address is referred to as the nodal loopback address. The IP address(es) assigned to the NI(s) of a ND are referred to as IP addresses of that ND; at a more granular level, the IP address(es) assigned to NI(s) assigned to a NE/VNE implemented on a ND can be referred to as IP addresses of that NE/VNE.

[00128] Next hop selection by the routing system for a given destination may resolve to one path (that is, a routing protocol may generate one next hop on a shortest path); but if the routing system determines there are multiple viable next hops (that is, the routing protocol generated forwarding solution offers more than one next hop on a shortest path - multiple equal cost next hops), some additional criteria is used - for instance, in a connectionless network, Equal Cost Multi Path (ECMP) (also known as Equal Cost Multi Pathing, multipath forwarding and IP multipath) may be used (e.g., typical implementations use as the criteria particular header fields to ensure that the packets of a particular packet flow are always forwarded on the same next hop to preserve packet flow ordering). For purposes of multipath forwarding, a packet flow is defined as a set of packets that share an ordering constraint. As an example, the set of packets in a particular TCP transfer sequence need to arrive in order, else the TCP logic will interpret the out of order delivery as congestion and slow the TCP transfer rate down.

[00129] While the invention has been described in terms of several embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described, can be practiced with modification and alteration within the spirit and scope of the appended claims.

The description is thus to be regarded as illustrative instead of limiting.

Claims

CLAIMS What is claimed is:

1. A method to support localization with domain name system (DNS) over hyper-text transfer protocol secure (HTTPS) (DoH) or DNS over transport layer security (TLS) (DoT) sessions, the method comprising:

receiving (651) a DNS request from a client device;

determining (653) location information for the client device;

forwarding (667) the DNS request to an authoritative DNS service with the location information;

receiving (669) a DNS response including a server address for the authoritative DNS service; and

responding (671) to the client device with the server address.

2. The method of claim 1, wherein determining location information further comprises: determining (655) an internet service provider for the client device; and

sending (663) a location query to the internet service provider.

3. The method of claim 1, wherein the DNS request received from the client device is a DoH or DoT request.

4. The method of claim 1, further comprising:

determining whether there is sufficient recent location information associated with the DoH session or DoT session with the client device; and

sending the recent location information to the authoritative DNS service.

5. The method of claim 2, wherein the location query identifies the client device by its public Internet Protocol (IP) address and information that identifies a DoH session or DoT session with the client device.

6. The method of claim 1, wherein the location information includes geographic location, the geographical location including any one or more of coordinates, country, state or province, city, or postal code.

7. The method of claim 1, wherein the location information includes topological information, the topological location including any one or more of base station identifier, cell identifier, tracking area, radio access network area, or routing area.

8. The method of claim 1, wherein the location information is encrypted using a public key of the authoritative DNS service.

9. A machine-readable medium comprising computer program code which when executed by a computer carries out the method steps of any of claims 1-8.

10. An electronic device configured to execute a location service to carry out the method of any of claims 1-8.

11. A method to support localization by a localization service in an internet service provider (ISP) network, the method comprising:

receiving (680) a location information query for a client device from a domain name system (DNS) server;

determining (688) location information for the client device; and sending (694) the location information to the DNS server.

12. The method of claim 11, further comprising:

recognizing an outgoing DNS over hyper-text transfer protocol secure (HTTPS) (DoH) or DNS over transport layer service (TLS) (DoT) request from the client device to the DNS server.

13. The method of claim 11, further comprising:

determining (682) if the DNS server is authorized to receive client device location

information.

14. The method of claim 11, further comprising:

determining (692) the closest and most suitable edge cloud service node for the client device to be used for the location information.

15. The method of claim 11, wherein the location information includes geographical location, the geographical location including any one or more of coordinates, country, state or province, city, or postal code.

16. The method of claim 11, wherein the location information includes topological information, the topological location including any one or more of base station identifier, cell identifier, tracking area, radio access network area, or routing area.

17. The method of claim 11, wherein the location information is encrypted using a public key of an authoritative DNS service.

18. A machine-readable medium comprising computer program code which when executed by a computer carries out the method steps of any of claims 11-17.

19. An electronic device configured to execute a location service to carry out the method of any of claims 11-17.