GUI and high-level API wrapper for software defined networking and software defined access for controlling network routing and rules

US 10,129,097 B2
Filed: 08/11/2017
Issued: 11/13/2018
Est. Priority Date: 06/02/2015
Status: Active Grant

First Claim

Patent Images

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:

obtaining, with one or more processors, with a network controller, a current state of a network, wherein;

the network has a plurality of computing devices accessed by a plurality of users;

the private network is configured to provide network connectivity defined by a network graph;

the network graph includes vertices corresponding to users or computing devices;

the network graph includes edges between respective pairs of the vertices and specifying permitted network communications between the users or computing devices corresponding to the respective part of vertices; and

the network controller is operative to effectuate changes to the network graph by enforcing and removing or adding permitted pair-wise connections between users or computing devices;

causing, with one or more processors, with the network controller, a graphical user interface to be presented that depicts at least part of the network graph and includes user-inputs by which a user requests changes to the network graph;

receiving, with one or more processors, with the network controller, a request input via the graphical user interface to modify the network graph; and

in response to the request, modifying, with one or more processors, with the network controller, the network graph and enforcing the modification,wherein;

prior to the request, the network graph specifies that a given pair of computing devices are prohibited from communicating with one another via the network;

the request specifies that the given pair of computing devices are to be permitted to communicate with one another via the network;

modifying the network graph comprises adding an edge or modifying an attribute of an edge between a vertex representing one of the given pair of computing devices and another vertex representing another one of the given pair of computing devices; and

enforcing the modification comprises sending an instruction that causes a network switch to modify an IPTable, means for process a subset of relays handled by the network, or a forwarding table to permit the given pair of computing devices to communicate;

enforcing the modification or one of a set of other modifications comprises modifying, or causing modifying of, a rule of the IPTable, or of the means for processing the subset of relays handled by the network, on a virtual-private network (VPN) server through which network traffic flows to the extent permitted by the network graph between computing devices corresponding to at least two vertices;

enforcing the modification or one of the set of other modifications comprises configuring a rule applied to network traffic by a userspace program registered in an operating system to make packet routing decisions as an NFQUEUE controller;

the operating system is an operating system of a virtual private network server;

enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a forwarding table by which a virtual-private network local area network service (VPLS) communicates at least some packets;

enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a Multiprotocol Label Switching (MPLS) setting that specifies a path between computing devices;

the operations comprise;

storing the modification in a cryptographically tamper-evident, immutable data store;

determining that a user or computing device corresponding to a vertex is attempting to access another vertex for which access is prohibited by the network graph; and

in response, prevent the attempted access and logging the attempt to a cryptographically tamper-evident, immutable data store; and

the graphical user interface include inputs by which a user selects a vertex, selects another vertex, and interacts with the user interface to indicate an edge between the vertex and the other vertex in the network graph is to be modified;

the graphical user interface is configured to receiving inputs that indicate network connections are to be permitted and inputs that indicate network connections are to be prohibited; and

the graphical user interface is a graphical user interface by which software defined networking settings or software defined access for controlling network routing and rules are configured.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a process including: obtaining, with a network controller, a current state of a network; causing, with the network controller, a graphical user interface to be presented that depicts at least part of the network graph and includes user-inputs by which a user requests changes to the network graph; receiving, with the network controller, a request input to modify the network graph; and modifying, with the network controller, the network graph and enforcing the modification.

33 Citations

View as Search Results

20 Claims

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
- obtaining, with one or more processors, with a network controller, a current state of a network, wherein;
  
  the network has a plurality of computing devices accessed by a plurality of users;
  
  the private network is configured to provide network connectivity defined by a network graph;
  
  the network graph includes vertices corresponding to users or computing devices;
  
  the network graph includes edges between respective pairs of the vertices and specifying permitted network communications between the users or computing devices corresponding to the respective part of vertices; and
  
  the network controller is operative to effectuate changes to the network graph by enforcing and removing or adding permitted pair-wise connections between users or computing devices;
  
  causing, with one or more processors, with the network controller, a graphical user interface to be presented that depicts at least part of the network graph and includes user-inputs by which a user requests changes to the network graph;
  
  receiving, with one or more processors, with the network controller, a request input via the graphical user interface to modify the network graph; and
  
  in response to the request, modifying, with one or more processors, with the network controller, the network graph and enforcing the modification,wherein;
  
  prior to the request, the network graph specifies that a given pair of computing devices are prohibited from communicating with one another via the network;
  
  the request specifies that the given pair of computing devices are to be permitted to communicate with one another via the network;
  
  modifying the network graph comprises adding an edge or modifying an attribute of an edge between a vertex representing one of the given pair of computing devices and another vertex representing another one of the given pair of computing devices; and
  
  enforcing the modification comprises sending an instruction that causes a network switch to modify an IPTable, means for process a subset of relays handled by the network, or a forwarding table to permit the given pair of computing devices to communicate;
  
  enforcing the modification or one of a set of other modifications comprises modifying, or causing modifying of, a rule of the IPTable, or of the means for processing the subset of relays handled by the network, on a virtual-private network (VPN) server through which network traffic flows to the extent permitted by the network graph between computing devices corresponding to at least two vertices;
  
  enforcing the modification or one of the set of other modifications comprises configuring a rule applied to network traffic by a userspace program registered in an operating system to make packet routing decisions as an NFQUEUE controller;
  
  the operating system is an operating system of a virtual private network server;
  
  enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a forwarding table by which a virtual-private network local area network service (VPLS) communicates at least some packets;
  
  enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a Multiprotocol Label Switching (MPLS) setting that specifies a path between computing devices;
  
  the operations comprise;
  
  storing the modification in a cryptographically tamper-evident, immutable data store;
  
  determining that a user or computing device corresponding to a vertex is attempting to access another vertex for which access is prohibited by the network graph; and
  
  in response, prevent the attempted access and logging the attempt to a cryptographically tamper-evident, immutable data store; and
  
  the graphical user interface include inputs by which a user selects a vertex, selects another vertex, and interacts with the user interface to indicate an edge between the vertex and the other vertex in the network graph is to be modified;
  
  the graphical user interface is configured to receiving inputs that indicate network connections are to be permitted and inputs that indicate network connections are to be prohibited; and
  
  the graphical user interface is a graphical user interface by which software defined networking settings or software defined access for controlling network routing and rules are configured.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The medium of claim 1, wherein:
    - the network is a packet-based network configured to perform packet forwarding and routing across multiple hops between pairs of the computing devices; and
      
      the graphical user interface is a web-based graphical user interface or a native application graphical user interface presented on the network controller or on another computing device by which the network controller is accessed.
  - 3. The medium of claim 1, wherein:
    - the operating system is an operating system of a computing device corresponding to a vertex to which the modification applies.
  - 4. The medium of claim 1, wherein enforcing the modification or one of the set of other modifications comprises:
    - modifying or creating, or causing modifying or creating of, a rule or other policy of a third-party application to define or control access to a network-connectable resource via an application-program interface of the third-party application.
  - 5. The medium of claim 1, wherein enforcing the modification or one of the set of other modifications comprises:
    - modifying or creating a rule or policy accessible to, or created by, a third-party application to define or control access to a network element forward table.
  - 6. The medium of claim 1, wherein:
    - the graphical user interface includes a drag and drop input by which a user selects an icon representing the vertex, selects another icon representing the another vertex, and moves the icon representing the other vertex into a region of the graphical user interface that indicates an edge between the vertex and the other vertex in the network graph is to be modified.
  - 7. The medium of claim 6, wherein:
    - the graphical user interface comprises two regions, one by which a dropped icon in the respective region indicates network connections are to be permitted, and another by which a dropped icon in the respective region indicates network connections are to be prohibited.
  - 8. The medium of claim 6, wherein:
    - the graphical user interface comprises an input by which a group of edges of the network graph are selected concurrently for a given modification.
  - 9. The medium of claim 1, wherein the operations comprise:
    - steps for configuring software defined networking or software defined access.
  - 10. The medium of claim 1, wherein the operations comprise:
    - receiving a first packet at a computing device configured to forward the packet along a multi-hop route through the network;
      
      accessing a first rule configured by a command from the network controller;
      
      determining based on the first rule to not forward the first packet to a computing device to which the packet is addressed by a value in a header of the first packet;
      
      receiving a second packet at the computing device configured to forward the packet along a multi-hop route through the network;
      
      accessing second first rule configured by a command from the network controller; and
      
      determining based on the second rule to forward the first packet to a computing device to which the packet is addressed by a value in a header of the second packet.

11. A method, comprising:
- obtaining, with one or more processors, with a network controller, a current state of a network, wherein;
  
  the network has a plurality of computing devices accessed by a plurality of users;
  
  the private network is configured to provide network connectivity defined by a network graph;
  
  the network graph includes vertices corresponding to users or computing devices;
  
  the network graph includes edges between respective pairs of the vertices and specifying permitted network communications between the users or computing devices corresponding to the respective part of vertices; and
  
  the network controller is operative to effectuate changes to the network graph by enforcing and removing or adding permitted pair-wise connections between users or computing devices;
  
  causing, with one or more processors, with the network controller, a graphical user interface to be presented that depicts at least part of the network graph and includes user-inputs by which a user requests changes to the network graph;
  
  receiving, with one or more processors, with the network controller, a request input via the graphical user interface to modify the network graph; and
  
  in response to the request, modifying, with one or more processors, with the network controller, the network graph and enforcing the modification,wherein;
  
  prior to the request, the network graph specifies that a given pair of computing devices are prohibited from communicating with one another via the network;
  
  the request specifies that the given pair of computing devices are to be permitted to communicate with one another via the network;
  
  modifying the network graph comprises adding an edge or modifying an attribute of an edge between a vertex representing one of the given pair of computing devices and another vertex representing another one of the given pair of computing devices; and
  
  enforcing the modification comprises sending an instruction that causes a network switch to modify an IPTable, means for process a subset of relays handled by the network, or a forwarding table to permit the given pair of computing devices to communicate;
  
  enforcing the modification or one of a set of other modifications comprises modifying, or causing modifying of, a rule of the IPTable, or of the means for processing the subset of relays handled by the network, on a virtual-private network (VPN) server through which network traffic flows to the extent permitted by the network graph between computing devices corresponding to at least two vertices;
  
  enforcing the modification or one of the set of other modifications comprises configuring a rule applied to network traffic by a userspace program registered in an operating system to make packet routing decisions as an NFQUEUE controller;
  
  the operating system is an operating system of a virtual private network server;
  
  enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a forwarding table by which a virtual-private network local area network service (VPLS) communicates at least some packets;
  
  enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a Multiprotocol Label Switching (MPLS) setting that specifies a path between computing devices;
  
  the operations comprise;
  
  storing the modification in a cryptographically tamper-evident, immutable data store;
  
  determining that a user or computing device corresponding to a vertex is attempting to access another vertex for which access is prohibited by the network graph; and
  
  in response, prevent the attempted access and logging the attempt to a cryptographically tamper-evident, immutable data store; and
  
  the graphical user interface include inputs by which a user selects a vertex, selects another vertex, and interacts with the user interface to indicate an edge between the vertex and the other vertex in the network graph is to be modified;
  
  the graphical user interface is configured to receiving inputs that indicate network connections are to be permitted and inputs that indicate network connections are to be prohibited; and
  
  the graphical user interface is a graphical user interface by which software defined networking settings or software defined access for controlling network routing and rules are configured.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein:
    - the network is a packet-based network configured to perform packet forwarding and routing across multiple hops between pairs of the computing devices; and
      
      the graphical user interface is a web-based graphical user interface or a native application graphical user interface presented on the network controller or on another computing device by which the network controller is accessed.
  - 13. The method of claim 11, wherein:
    - the operating system is an operating system of a computing device corresponding to a vertex to which the modification applies.
  - 14. The method of claim 11, wherein enforcing the modification or one of the set of other modifications comprises:
    - modifying or creating, or causing modifying or creating of, a rule or other policy of a third-party application to define or control access to a network-connectable resource via an application-program interface of the third-party application.
  - 15. The method of claim 11, wherein enforcing the modification or one of the set of other modifications comprises:
    - modifying or creating a rule or policy accessible to, or created by, a third-party application to define or control access to a network element forward table.
  - 16. The method of claim 11, wherein:
    - the graphical user interface includes a drag and drop input by which a user selects an icon representing the vertex, selects another icon representing the another vertex, and moves the icon representing the other vertex into a region of the graphical user interface that indicates an edge between the vertex and the other vertex in the network graph is to be modified.
  - 17. The method of claim 16, wherein:
    - the graphical user interface comprises two regions, one by which a dropped icon in the respective region indicates network connections are to be permitted, and another by which a dropped icon in the respective region indicates network connections are to be prohibited.
  - 18. The method of claim 16, wherein:
    - the graphical user interface comprises an input by which a group of edges of the network graph are selected concurrently for a given modification.
  - 19. The method of claim 11, comprising:
    - steps for configuring software defined networking or software defined access.
  - 20. The method of claim 11, comprising:
    - receiving a first packet at a computing device configured to forward the packet along a multi-hop route through the network;
      
      accessing a first rule configured by a command from the network controller;
      
      determining based on the first rule to not forward the first packet to a computing device to which the packet is addressed by a value in a header of the first packet;
      
      receiving a second packet at the computing device configured to forward the packet along a multi-hop route through the network;
      
      accessing second first rule configured by a command from the network controller; and
      
      determining based on the second rule to forward the first packet to a computing device to which the packet is addressed by a value in a header of the second packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Altr Solutions, Inc.
Original Assignee
Altr Solutions, Inc.
Inventors
Beecham, James Douglas, Struttmann, Christopher Edward, Goldfarb, Scott Nathaniel, Martin, Gordon Earl
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
Raza, Muhammad

Application Number

US15/675,549
Publication Number

US 20170366416A1
Time in Patent Office

459 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/12   Discovery or management of ...

H04L 41/122   of virtualised topologies, ...

H04L 41/22   comprising specially adapte...

H04L 45/50   using label swapping, e.g. ...

H04L 67/02   based on web technology, e....

GUI and high-level API wrapper for software defined networking and software defined access for controlling network routing and rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

GUI and high-level API wrapper for software defined networking and software defined access for controlling network routing and rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links