Identifying a source device in a software-defined network

US 10,129,125 B2
Filed: 12/18/2015
Issued: 11/13/2018
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus, comprising:

a network interface to communicatively couple to an overlay network of a software-defined network (SDN);

first one or more logic elements comprising an SDN controller engine to provide a control function for the SDN; and

second one or more logic elements comprising a route tracing engine to;

receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and

perform a backtracking traceroute operation to deterministically identify a source device for the network flow, wherein performing a backtracking traceroute comprises iteratively backtracking through a plurality of source virtual tunneling endpoints (VTEPs), comprising;

querying a first virtual tunneling endpoint (VTEP);

determining that the first VTEP is a security function container (SFC);

querying the SFC for its source VTEP for the network flow;

querying a second VTEP;

determining that the second VTEP is a network device (ND); and

designating the ND as a source device for the network flow.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, there is disclosed a computing apparatus, having: a network interface to communicatively couple to a software-defined network (SDN); first one or more logic elements providing an SDN controller engine to provide a control function for the SDN; and second one or more logic elements providing a route tracing engine to: receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and perform a backtracking traceroute operation to deterministically identify a source device for the flow. There is also disclosed a method of providing the foregoing, and one or more tangible, non-transitory computer-readable storage mediums for providing the foregoing.

Citations

24 Claims

1. A computing apparatus, comprising:
- a network interface to communicatively couple to an overlay network of a software-defined network (SDN);
  
  first one or more logic elements comprising an SDN controller engine to provide a control function for the SDN; and
  
  second one or more logic elements comprising a route tracing engine to;
  
  receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and
  
  perform a backtracking traceroute operation to deterministically identify a source device for the network flow, wherein performing a backtracking traceroute comprises iteratively backtracking through a plurality of source virtual tunneling endpoints (VTEPs), comprising;
  
  querying a first virtual tunneling endpoint (VTEP);
  
  determining that the first VTEP is a security function container (SFC);
  
  querying the SFC for its source VTEP for the network flow;
  
  querying a second VTEP;
  
  determining that the second VTEP is a network device (ND); and
  
  designating the ND as a source device for the network flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing apparatus of claim 1, wherein the backtracking traceroute operation is further to deterministically determine a path for the network flow.
  - 3. The computing apparatus of claim 1, wherein the SDN controller engine is further to identify a malicious or potentially malicious packet within the network flow, and to block the network flow at the source network device.
  - 4. The computing apparatus of claim 1, wherein the SDN controller engine is further to receive a route tracing request from a device via the network interface, and to provide via the network interface information regarding at least one security device that the network flow is to pass through.
  - 5. The computing apparatus of claim 1, wherein the route tracing engine is further configured to provide flow tags to enable tracking of source/destination and intermediate switches of the network flow.
  - 6. The computing apparatus of claim 5, wherein the SDN controller engine is to provide a reactive SDN network.
  - 7. The computing apparatus of claim 1, wherein the SDN controller engine is configured to provide an overlay network lacking explicit per-flow entries.
  - 8. The computing apparatus of claim 7, wherein the route tracing engine is further configured to insert an NFV service header (NSH) between a tunnel header and an original packet of the network flow.
  - 9. The computing apparatus of claim 8, wherein the NSH comprises information on a sequence of NFVs that the network flow is to traverse.
  - 10. The computing apparatus of claim 8, wherein the NSH comprises information sufficient to enable an NFV to determine a next-hop NVF for a packet of the network flow.

11. One or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions to:
- communicatively couple to an overlay network of a software-defined network (SDN) via a network interface;
  
  provide an SDN controller engine to provide a control function for the SDN; and
  
  provide a route tracing engine to;
  
  receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and
  
  perform a backtracking traceroute operation to deterministically identify a source device for the network flow, wherein performing a backtracking traceroute comprises iteratively backtracking through a plurality of source virtual tunneling endpoints (VTEPs), comprising;
  
  querying a first virtual tunneling endpoint (VTEP);
  
  determining that the first VTEP is a security function container (SFC); and
  
  querying the SFC for its source VTEP for the network flow;
  
  querying a second VTEP;
  
  determining that the second VTEP is a network device (ND); and
  
  designating the ND as a source device for the network flow.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the backtracking traceroute operation is further to deterministically determine a path for the network flow.
  - 13. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the SDN controller engine is further to identify a malicious or potentially malicious packet within the network flow, and to block the network flow at the source network device.
  - 14. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the SDN controller engine is further to receive a route tracing request from a device via the network interface, and to provide via the network interface information regarding at least one security device that the network flow is to pass through.
  - 15. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the route tracing engine is further configured to provide flow tags to enable tracking of source/destination and intermediate switches of the network flow.
  - 16. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein the SDN controller engine is to provide a reactive SDN network.
  - 17. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the SDN controller engine is configured to provide an overlay network lacking explicit per-flow entries.
  - 18. The one or more tangible, non-transitory computer-readable mediums of claim 17, wherein the route tracing engine is further configured to insert an NFV service header (NSH) between a tunnel header and an original packet of the network flow.
  - 19. The one or more tangible, non-transitory computer-readable mediums of claim 18, wherein the NSH comprises information on a sequence of NFVs that the network flow is to traverse.
  - 20. The one or more tangible, non-transitory computer-readable mediums of claim 18, wherein the NSH comprises information sufficient to enable an NFV to determine a next-hop NVF for a packet of the network flow.

21. A computer-implemented method, comprising:
- communicatively coupling to an overlay network of a software-defined network (SDN) via a network interface;
  
  providing an SDN controller engine to provide a control function for the SDN; and
  
  providing a route tracing engine to;
  
  receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and
  
  perform a backtracking traceroute operation to deterministically identify a source device for the network flow, wherein performing a backtracking traceroute comprises iteratively backtracking through a plurality of source virtual tunneling endpoints (VTEPs), comprising;
  
  querying a first virtual tunneling endpoint (VTEP);
  
  determining that the first VTEP is a security function container (SFC); and
  
  querying the SFC for its source VTEP for the network flow;
  
  querying a second VTEP;
  
  determining that the second VTEP is a network device (ND); and
  
  designating the ND as a source device for the network flow.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, wherein the backtracking traceroute operation is further to deterministically determine a path for the network flow.
  - 23. The method of claim 21, wherein the SDN controller engine is further to identify a malicious or potentially malicious packet within the network flow, and to block the network flow at the source network device.
  - 24. The method of claim 21, wherein the SDN controller engine is further to receive a route tracing request from a device via the network interface, and to provide via the network interface information regarding at least one security device that the network flow is to pass through.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Agrawal, Gopal, Mulka, Shivakrishna Anandam
Primary Examiner(s)
Dalencourt, Yves

Application Number

US14/974,756
Publication Number

US 20170180234A1
Time in Patent Office

1,061 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/20   the monitoring system or th...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Identifying a source device in a software-defined network

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying a source device in a software-defined network

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links