Network service header used to relay authenticated session information

US 10,237,257 B2
Filed: 02/03/2016
Issued: 03/19/2019
Est. Priority Date: 02/03/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a first packet at a service function classifier node in a service topology layer, whereinthe service function classifier node comprises a cache, andthe first packet is received from a first client node in the service topology layer;

determining that a session has not been established for the first client node;

in response to determining that a session has not been established for the first client node, forwarding the first packet to an authentication node;

authenticating the first packet at the authentication node;

subsequent to authenticating the first packet, storing authentication information in the cache of the service function classifier node, whereinthe storing is configured to allow the service function classifier node to authenticate a subsequent packet received from the first client node;

in response to authenticating the first packet, setting a value in a header of the first packet, whereinthe value indicates that the first packet is authenticated in the service topology layer; and

forwarding the first packet to a first service node in the service topology layer, wherein the first service node is configured to perform a first service function, andthe first service node uses the value in the header to authenticate the first packet prior to performing the first service function.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system, method, and computer program product are disclosed for authenticating a packet received from a client node, storing the results of the authentication in a cache memory of a service classifier node, and including the results of the authentication in a network service header of a packet before forwarding the packet to downstream service nodes. In one embodiment, the initial authentication is performed in conjunction with an authentication node.

25 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving a first packet at a service function classifier node in a service topology layer, whereinthe service function classifier node comprises a cache, andthe first packet is received from a first client node in the service topology layer;
  
  determining that a session has not been established for the first client node;
  
  in response to determining that a session has not been established for the first client node, forwarding the first packet to an authentication node;
  
  authenticating the first packet at the authentication node;
  
  subsequent to authenticating the first packet, storing authentication information in the cache of the service function classifier node, whereinthe storing is configured to allow the service function classifier node to authenticate a subsequent packet received from the first client node;
  
  in response to authenticating the first packet, setting a value in a header of the first packet, whereinthe value indicates that the first packet is authenticated in the service topology layer; and
  
  forwarding the first packet to a first service node in the service topology layer, wherein the first service node is configured to perform a first service function, andthe first service node uses the value in the header to authenticate the first packet prior to performing the first service function.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - establishing a session related to the first client node, whereinthe session comprises information about the first client node.
  - 3. The method of claim 2, wherein the authenticating comprisesdetermining whether a session has been established in the service topology layer for the first client node.
  - 4. The method of claim 3, wherein the authenticating further comprises:
    - in response to determining that the session has been established for the first client node, authenticating the first packet based, at least in part, on the information stored in the cache.
  - 5. The method of claim 1, wherein the authenticating further comprises:
    - in response to the forwarding the first packet to the authentication node, receiving an indication from the authentication node.
  - 6. The method of claim 1, wherein the forwarding comprises:
    - determining a service path associated with the first packet, wherein the determining is performed prior to the forwarding the first packet to the authentication node.
  - 7. The method of claim 1, further comprising:
    - subsequent to authenticating the first packet, receiving a second packet at the service function classifier node, whereinthe second packet is received from the first client node;
      
      authenticating the second packet by using the authentication information stored in the cache of the service function classifier node; and
      
      subsequent to authenticating the second packet, forwarding the second packet to a second service node in the service topology layer.

8. A system comprising:
- a service function classifier node, whereinthe service function classifier node comprisesa first microprocessor,a cache, anda non-transitory computer-readable storage medium, comprising computer instructions executable by the first microprocessor, wherein the computer instructions are configured to perform a method comprising the steps of;
  
  receiving a first packet, wherein
  
  the first packet is received from a first client node in a service topology layer,determining that a session has not been established for the first client node,in response to determining that a session has not been established for the first client node, forwarding the first packet to an authentication node,authenticating the first packet at the authentication node,subsequent to authenticating the first packet, storing authentication information in the cache of the service function classifier node, wherein
  
  the storing is configured to allow the service function classifier node to authenticate a subsequent packet received from the first client node,in response to authenticating the first packet, setting a value in a header of the first packet, wherein
  
  the value indicates that the first packet is authenticated in the service topology layer, andforwarding the first packet to a first service node in the service topology layer, wherein
  
  the first service node is configured to perform a first service function,
  
  the first service node uses the value in the header to authenticate the first packet prior to performing the first service function, and
  
  the first service node comprises at least a second processor.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the method further comprises:
    - establishing a session related to the first client node, whereinthe session comprises information about the first client node.
  - 10. The system of claim 9, wherein the authenticating further comprises:
    - determining whether a session has been established in the service topology layer for the first client node.
  - 11. The system of claim 10, wherein the authenticating of the first packet further comprises:
    - in response to determining that the session has been established for the first client node, authenticating the first packet based, at least in part, on the information stored in the cache.
  - 12. The system of claim 8, wherein the authenticating further comprises:
    - in response to forwarding the first packet to the authentication node, receiving an indication from the authentication node.
  - 13. The system of claim 8, wherein the forwarding comprises:
    - determining a service path associated with the first packet, wherein the determining is performed prior to the forwarding the first packet to the authentication node.

14. A non-transitory computer-readable storage medium comprising:
- a plurality of program instructions, comprisinga first set of instructions, executable on a computer system, configured toreceive a first packet at a service function classifier node, whereinthe service function classifier node comprises a cache, andthe first packet is received from a first client node in a service topology layer,determine that a session has not been established for the first client node, andin response to determining that a session has not been established for the first client node, forward the first packet to an authentication node;
  
  a second set of instructions, executable on the computer system, configured toauthenticate the first packet at the authentication node,subsequent to authenticating the first packet, storing authentication information in the cache of the service function classifier node, whereinthe storing is configured to allow the service function classifier node to authenticate a subsequent packet received from the first client node;
  
  in response to authenticating the first packet, set a value in a header of the first packet, whereinthe value indicates that the first packet is authenticated in the service topology layer; and
  
  a third set of instructions, executable on the computer system, configured toforward the first packet to a first service node in the service topology layer, whereinthe first service node is configured to perform a first service function, and
  
  the first service node uses the value in the header to authenticate the first packet prior to performing the first service function.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the plurality of program instructions further comprise:
    - a fourth set of instructions, executable on the computer system, configured toestablish a session related to the first client node, whereinthe session comprises information about the first client node.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the second set of instructions is further configured to:
    - determine whether a session has been established in the service topology layer for the first client node.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the second set of instructions is further configured to:
    - in response to determining that the session has been established for the first client node, authenticate the first packet based, at least in part, on the information stored in the cache.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the first set of instructions is further configured to:
    - in response to forwarding the first packet to the authentication node, receive an indication from the authentication node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Stites, Steven, Patil, Prashanth
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Tran, Vu V

Application Number

US15/014,724
Publication Number

US 20170222998A1
Time in Patent Office

1,140 Days
Field of Search

726 3
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 67/02   based on web technology, e....

H04L 67/141   Setup of application sessio...

H04L 69/22   Parsing or analysis of headers

Network service header used to relay authenticated session information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Network service header used to relay authenticated session information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others