Method and apparatus for best effort propagation of security group information
Abstract
A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.
18 Claims
1. A method comprising:
receiving a packet from a sub-network at a network device, wherein the packet comprises a source group identifier and a destination address, and the network device is coupled to the sub-network and a core network;
determining whether the destination address is associated with any security group identifier; and
in response to a determination that the destination address is associated with a security group identifier, determining whether the security group identifier is a reserved group identifier, if the security group identifier is the reserved group identifier, forwarding the packet to another network device in the core network, and if the security group identifier is not the reserved group identifier, performing access control processing on the packet using the source group identifier, wherein the access control processing comprises
identifying a permissions matrix entry in a permissions matrix, using the source group identifier and a destination group identifier,
identifying a role-based access control list using information in the permissions matrix entry, and
determining handling of the packet using information in the role-based access control list.
Dependent claims: 2 to 12.
13. A network device comprising:
one or more processors; one or more network interfaces coupled to the one or more processors, wherein the one or more network interfaces are configured to couple the network device to a sub-network and a core network; a non-transitory computer-readable storage medium coupled to the one or more processors; and a plurality of instructions, encoded in the non-transitory computer-readable storage medium and configured to cause the one or more processors to receive a packet from the sub-network via one of the one or more network interfaces, wherein the packet comprises a source group identifier and a destination address, determine whether the destination address is associated with any security group identifier, and in response to a determination that the destination address is associated with a security group identifier, determine whether the security group identifier is a reserved group identifier, if the security group identifier is the reserved group identifier, forward the packet to another network device in the core network, and if the security group identifier is not the reserved group identifier, perform access control processing on the packet using the source group identifier, wherein the plurality of instructions configured to cause the one or more processors to perform the access control processing is further configured to cause the one or more processors to
identify a permissions matrix entry in a permissions matrix, using the source group identifier and a destination group identifier,
identify a role-based access control list using information in the permissions matrix entry, and
determine handling of the packet using information in the role-based access control list.
Dependent claims: 14 to 16.
17. A computer program product comprising:
a plurality of instructions, comprising a first set of instructions, executable on a network device, configured to receive a packet from a sub-network at the network device, wherein the packet comprises a source group identifier and a destination address, and the network device is coupled to the sub-network and a core network, a second set of instructions, executable on the network device, configured to determine whether the destination address is associated with any security group identifier, and a third set of instructions, executable on the network device, configured to, in response to a determination that the destination address is associated with a security group identifier, determine whether the security group identifier is a reserved group identifier, if the security group identifier is the reserved group identifier, forward the packet to another network device in the core network, and if the security group identifier is not the reserved group identifier, perform access control processing on the packet using the source group identifier, wherein the access control processing comprises
identifying a permissions matrix entry in a permissions matrix, using the source group identifier and a destination group identifier,
identifying a role-based access control list using information in the permissions matrix entry, and
determining handling of the packet using information in the role-based access control list; and
a non-transitory computer-readable storage medium, wherein the instructions are encoded in the non-transitory computer-readable storage medium.
Dependent claim: 18.
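The forwarding decision recited in claims 1, 13 and 17, modelled as an added example (constructed here, not code from the patent or any vendor). The reserved group value, the address-to-group table, the permissions matrix and the RBACLs are all assumed sample data; the claims say nothing about a destination with no group at all, so that case is treated here as an assumption and fails closed.

```python
"""Model of the claimed method: reserved group -> hand off to the core,
otherwise permissions matrix -> RBACL -> handling decision."""
from dataclasses import dataclass
from enum import Enum

RESERVED_GROUP = 0xFFFF  # constructed value standing in for the reserved group identifier


class Action(Enum):
    PERMIT = "permit"
    DENY = "deny"
    FORWARD_TO_CORE = "forward-to-core"


@dataclass(frozen=True)
class Packet:
    source_group: int   # security group identifier carried in the packet
    destination: str    # destination address


# Constructed tables; a real device learns these from its policy source.
DEST_GROUPS = {"10.1.1.5": 20, "10.2.2.9": RESERVED_GROUP}
# Permissions matrix: (source group, destination group) -> RBACL name
PERMISSIONS_MATRIX = {(10, 20): "allow-web", (30, 20): "deny-all"}
# RBACLs: name -> ordered (destination port, action) entries
RBACLS = {
    "allow-web": [(443, Action.PERMIT), (80, Action.PERMIT)],
    "deny-all": [],  # no entry matches, so the default applies
}


def handle_packet(pkt: Packet, dst_port: int, default: Action = Action.DENY) -> Action:
    # Note: the source group is taken from the packet as the claim describes;
    # a deployment must still authenticate whichever peer applied that tag.
    dst_group = DEST_GROUPS.get(pkt.destination)
    if dst_group is None:
        return default  # assumption: unknown destination group fails closed
    if dst_group == RESERVED_GROUP:
        # Reserved identifier: this node does not enforce; another core
        # device that knows the destination's group will.
        return Action.FORWARD_TO_CORE
    rbacl_name = PERMISSIONS_MATRIX.get((pkt.source_group, dst_group))
    if rbacl_name is None:
        return default  # no matrix entry for this pair
    for port, action in RBACLS[rbacl_name]:
        if port == dst_port:
            return action
    return default
```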