Method and apparatus for best effort propagation of security group information

US 10,193,861 B2
Filed: 06/28/2016
Issued: 01/29/2019
Est. Priority Date: 11/16/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a packet from a sub-network at a network device, whereinthe packet comprises a source group identifier and a destination address, andthe network device is coupled to the sub-network and a core network;

determining whether the destination address is associated with any security group identifier; and

in response to a determination that the destination address is associated with a security group identifier,determining whether the security group identifier is a reserved group identifier,if the security group identifier is the reserved group identifier, forwarding the packet to another network device in the core network, andif the security group identifier is not the reserved group identifier, performing access control processing on the packet using the source group identifier, whereinthe access control processing comprisesidentifying a permissions matrix entry in a permissions matrix, using the source group identifier and a destination group identifier,identifying a role-based access control list using information in the permissions matrix entry, anddetermining handling of the packet using information in the role-based access control list.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.

103 Citations

18 Claims

1. A method comprising:
- receiving a packet from a sub-network at a network device, whereinthe packet comprises a source group identifier and a destination address, andthe network device is coupled to the sub-network and a core network;
  
  determining whether the destination address is associated with any security group identifier; and
  
  in response to a determination that the destination address is associated with a security group identifier,determining whether the security group identifier is a reserved group identifier,if the security group identifier is the reserved group identifier, forwarding the packet to another network device in the core network, andif the security group identifier is not the reserved group identifier, performing access control processing on the packet using the source group identifier, whereinthe access control processing comprisesidentifying a permissions matrix entry in a permissions matrix, using the source group identifier and a destination group identifier,identifying a role-based access control list using information in the permissions matrix entry, anddetermining handling of the packet using information in the role-based access control list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - in response to a determination that the destination address is not associated with any security group identifier, forwarding the packet to the another network device in the core network.
  - 3. The method of claim 2, further comprising:
    - receiving another packet from the another network device, whereinthe another packet comprises a destination group identifier,the destination address identifies a destination of the packet,the destination is a member of a destination security group, andthe destination group identifier identifies the destination security group; and
      
      populating an entry in a forwarding table with the destination group identifier, whereinthe populating the entry associates the destination address with the destination group identifier.
  - 4. The method of claim 2, further comprising:
    - receiving another packet from the another network device, whereinthe another packet comprises a first destination group identifier that is associated with a destination security group of a destination at the destination address;
      
      identifying an entry in a forwarding table; and
      
      in response to the entry being populated with a second destination group identifier, populating the entry with the reserved group identifier.
  - 5. The method of claim 2, whereinthe reserved group identifier is one ofa reserved value, ora null value.
  - 6. The method of claim 1, wherein the determining whether the destination address is associated with the security group identifier comprises:
    - determining whether an entry associated with the destination address exists in a forwarding table, whereinthe entry comprises the security group identifier.
  - 7. The method of claim 1, wherein the determining whether the security group identifier is the reserved group identifier comprises:
    - retrieving the security group identifier from a forwarding table; and
      
      comparing a value of the security group identifier with at least one ofa reserved value, ora null value.
  - 8. The method of claim 7, wherein a determination that the security group identifier is not the reserved group identifier indicates that the destination address is associated with a destination group identifier.
  - 9. The method of claim 8, whereinthe destination address identifies a destination of the packet,the destination is a member of a destination security group, andthe destination group identifier identifies the destination security group.
  - 10. The method of claim 1, whereinthe destination address identifies a destination of the packet,the destination is a member of a destination security group,the destination group identifier identifies the destination security group,a source of the packet is a member of a source security group, andthe source group identifier identifies the source security group.
  - 11. The method of claim 1, further comprising:
    - in response to a determination that the destination address is associated with a destination group identifier and the access control processing indicates that the packet should be forwarded to the another network device, forwarding the packet to the another network device, whereinthe destination address identifies a destination of the packet,the destination is a member of a destination security group, andthe destination group identifier identifies the destination security group.
  - 12. The method of claim 1, further comprising:
    - prior to the receiving the packet,receiving another packet from the sub-network; and
      
      forwarding the another packet into the core network without performing the access control processing, if the another packet comprises another destination address, whereinthe another destination address is not associated with a destination security group by a destination group identifier stored in an entry of a forwarding table.

13. A network device comprising:
- one or more processors;
  
  one or more network interfaces coupled to the one or more processors, whereinthe one or more network interfaces are configured to couple the network device to a sub-network and a core network;
  
  a non-transitory computer-readable storage medium coupled to the one or more processors; and
  
  a plurality of instructions, encoded in the non-transitory computer-readable storage medium and configured to cause the one or more processors toreceive a packet from the sub-network via one of the one or more network interfaces, whereinthe packet comprises a source group identifier and a destination address,determine whether the destination address is associated with any security group identifier, andin response to a determination that the destination address is associated with a security group identifier,determine whether the security group identifier is a reserved group identifier,if the security group identifier is the reserved group identifier, forward the packet to another network device in the core network, andif the security group identifier is not the reserved group identifier, perform access control processing on the packet using the source group identifier, whereinthe plurality of instructions configured to cause the one or more processors to perform the access control processing is further configured to cause the one or more processors to
  
  identify a permissions matrix entry in a permissions matrix, using the source group identifier and a destination group identifier,
  
  identify a role-based access control list using information in the permissions matrix entry, and
  
  determine handling of the packet using information in the role-based access control list.
- View Dependent Claims (14, 15, 16)
- - 14. The network device of claim 13, wherein the plurality of instructions is further configured to cause the one or more processors to:
    - in response to a determination that the destination address is not associated with any security group identifier, forward the packet to the another network device in the core network;
      
      receive another packet from the another network device, whereinthe another packet comprises a destination group identifier,the destination address identifies a destination of the packet,the destination is a member of a destination security group, andthe destination group identifier identifies the destination security group; and
      
      populate an entry in a forwarding table with the destination group identifier, whereinthe instructions configured to cause the one or more processors to populate the entry associates the destination address with the destination group identifier.
  - 15. The network device of claim 13, wherein the plurality of instructions configured to cause the one or more processors to determine whether the security group identifier is the reserved group identifier is further configured to cause the one or more processors to:
    - retrieve the security group identifier from a forwarding table; and
      
      compare a value of the security group identifier with at least one ofa reserved value, ora null value.
  - 16. The network device of claim 13, wherein the plurality of instructions is further configured to cause the one or more processors to:
    - in response to a determination that the destination address is associated with a destination group identifier and the access control processing indicates that the packet should be forwarded to the another network device, forward the packet to the another network device, whereinthe destination address identifies a destination of the packet,the destination is a member of a destination security group, andthe destination group identifier identifies the destination security group.

17. A computer program product comprising:
- a plurality of instructions, comprisinga first set of instructions, executable on a network device, configured to receive a packet from a sub-network at the network device, whereinthe packet comprises a source group identifier and a destination address, andthe network device is coupled to the sub-network and a core network,a second set of instructions, executable on the network device, configured to determine whether the destination address is associated with any security group identifier, anda third set of instructions, executable on the network device, configured to, in response to a determination that the destination address is associated with a security group identifier,determine whether the security group identifier is a reserved group identifier,if the security group identifier is the reserved group identifier, forward the packet to another network device in the core network, andif the security group identifier is not the reserved group identifier, perform access control processing on the packet using the source group identifier, whereinthe access control processing comprises
  
  identifying a permissions matrix entry in a permissions matrix, using the source group identifier and a destination group identifier,
  
  identifying a role-based access control list using information in the permissions matrix entry, and
  
  determining handling of the packet using information in the role-based access control list; and
  
  a non-transitory computer-readable storage medium, wherein the instructions are encoded in the non-transitory computer-readable storage medium.
- View Dependent Claims (18)
- - 18. The computer program product of claim 17, wherein the instructions further comprise:
    - a fourth set of instructions, executable on the network device, configured to, in response to a determination that the destination address is not associated with any security group identifier, forward the packet to the another network device in the core network;
      
      a fifth set of instructions, executable on the network device, configured to receive another packet from the another network device, whereinthe another packet comprises a destination group identifier,the destination address identifies a destination of the packet,the destination is a member of a destination security group, andthe destination group identifier identifies the destination security group; and
      
      a sixth set of instructions, executable on the network device, configured to populate an entry in a forwarding table with the destination group identifier, whereinthe sixth set of instructions associates the destination address with the destination group identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Bell, Kalish K

Application Number

US15/195,582
Publication Number

US 20160308831A1
Time in Patent Office

945 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/56   Packet switching systems

H04L 45/52   Multiprotocol routers

H04L 49/35   Switches specially adapted ...

H04L 61/10   of different types

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

H04L 67/00   Network arrangements or pro...

H04L 69/22   Parsing or analysis of headers

Method and apparatus for best effort propagation of security group information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for best effort propagation of security group information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links