Datapath processing of service rules with qualifiers defined in terms of template identifiers and/or template matching criteria

US 10,341,297 B2
Filed: 12/18/2015
Issued: 07/02/2019
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A method of performing a service on a data message having a set of attributes, the method comprising:

selecting a service rule comprising (i) a rule identifier for matching against the set of attributes of the data message, the rule identifier defined by reference to a first template identifier that identifies a template for instantiating a multi-tier application deployment in a network, and (ii) a service parameter for performing a service on data messages, wherein an instantiation of the template comprises instantiating multiple data compute nodes (DCNs) with different DCNs implementing different applications in the multi-tier application deployment;

determining that the selected service rule is applicable to the data message, said determining comprising determining that (i) at least a second template identifier associated with the data message is associated with a particular DCN, (ii) the first template identifier and second template identifiers match, and (iii) the particular DCN was deployed by using the template; and

in response to the determination, performing the service on the data message based on the service parameter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.

26 Citations

View as Search Results

19 Claims

1. A method of performing a service on a data message having a set of attributes, the method comprising:
- selecting a service rule comprising (i) a rule identifier for matching against the set of attributes of the data message, the rule identifier defined by reference to a first template identifier that identifies a template for instantiating a multi-tier application deployment in a network, and (ii) a service parameter for performing a service on data messages, wherein an instantiation of the template comprises instantiating multiple data compute nodes (DCNs) with different DCNs implementing different applications in the multi-tier application deployment;
  
  determining that the selected service rule is applicable to the data message, said determining comprising determining that (i) at least a second template identifier associated with the data message is associated with a particular DCN, (ii) the first template identifier and second template identifiers match, and (iii) the particular DCN was deployed by using the template; and
  
  in response to the determination, performing the service on the data message based on the service parameter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 19)
- - 2. The method of claim 1, wherein the second template identifier is a first attribute of the data message, wherein determining that second template identifier is associated with the particular DCN further comprises using a second attribute of the data message to retrieve the second template identifier associated with the data message from a storage structure.
  - 3. The method of claim 2, wherein using the second attribute comprises:
    - using the second attribute of the data message to retrieve an identifier of the storage structure; and
      
      using the retrieved identifier to identify the storage structure to retrieve the second template identifier.
  - 4. The method of claim 3, wherein:
    - the storage structure is a first storage structure;
      
      the rule identifier is further defined by reference to a group identifier that identifies a second storage structure that stores identifiers for a group of DCNs; and
      
      using the second attribute to retrieve the first storage structure identifier comprises;
      
      determining that the second attribute matches one of the identifiers stored within the second storage structure; and
      
      retrieving the first storage structure identifier from the second storage structure.
  - 5. The method of claim 4 further comprising dynamically adding or removing identifiers to the second storage structure to account for DCNs that are dynamically added or removed from the group.
  - 6. The method of claim 5, wherein the DCNs execute on host computers.
  - 7. The method of claim 4, wherein the second attribute is one of an IP (Internet Protocol) address and a MAC (Media Access Control) address.
  - 8. The method of claim 3, wherein:
    - the storage structure identifies a group of DCNs;
      
      the rule identifier is further defined by reference to a group identifier that identifies the storage structure; and
      
      using the second attribute to retrieve the storage structure identifier comprises determining that the second attribute is stored within the storage structure.
  - 9. The method of claim 1, wherein the service rule is for use in processing data messages that are associated with a plurality of different instances of the template that are associated with a plurality of different deployments of the multi-tier application.
  - 19. The method of claim 1, wherein the instantiated DCNs comprise (1) a first DCN executing on a first host computer and implementing a first application in the multi-tier application and (2) a second DCN executing on a second host computer and implementing a second application in the multi-tier application.

10. A non-transitory machine readable medium storing a program for performing a service on a data message having a set of attributes, the program comprising sets of instructions for:
- selecting a service rule including (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to the data message attribute set, said rule identifier defined by reference to at least a first template identifier that specifies a template for instantiating multi-tier applications in a datacenter, wherein an instantiation of the template comprises instantiating (i) a first DCN executing on a first host computer and implementing a first application in the multi-tier application, and (ii) a second DCN executing on a second host computer and implementing a second application in the multi-tier application;
  
  determining whether the data message'"'"'s attribute set matches the rule identifier, said determining comprising determining whether (i) a second template identifier associated with the data message is associated with a particular DCN, (ii) the first template identifier matches the second template identifier, and (iii) the particular DCN was deployed by using the template specified by the template identifier; and
  
  when the data message'"'"'s attribute set matches the rule'"'"'s identifier, performing the service on the data message based on the service parameter.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory machine readable medium of claim 10, wherein the service rule is a first service rule, the service is a first service, the rule identifier is a first rule identifier, the service parameter is a first service parameter, the particular DCN is a first DCN, and a rule data storage stores a plurality of service rules according to a rule precedence priority, wherein the program further comprises sets of instructions for:
    - when the data message'"'"'s attribute set does not match the first rule identifier, selecting a second service rule that is after the first service rule in the rule precedence priority, the second service rule including (1) a second service parameter for performing a second service on the data message and (2) a second rule identifier for matching to the data message attribute set, said second rule identifier of the second service rule defined by reference to at least a third template identifier;
      
      determining whether the data message'"'"'s attribute set matches the second rule identifier, said determining comprising determining whether (i) the second template identifier associated with the data message is associated with a second DCN, (ii) the third template identifier matches the second template identifier, and (iii) the second DCN was deployed by using the template specified by the third template identifier; and
      
      after determining that the data message'"'"'s attribute set matches the second rule identifier, performing the second service on the data message based on the second service parameter.
  - 12. The non-transitory machine readable medium of claim 10, wherein the rule identifier is defined by reference to a plurality of template identifiers.
  - 13. The non-transitory machine readable medium of claim 10, wherein the attribute set is a header parameter set of the data message.
  - 14. The non-transitory machine readable medium of claim 13, wherein the header parameter set comprises layers 3 and 4 parameters.
  - 15. The non-transitory machine readable medium of claim 13, wherein the header parameter set comprises a layer 2 parameter.
  - 16. The non-transitory machine readable medium of claim 10, wherein the DCN executes on a host computer, wherein the attribute set comprises at least one particular attribute associated with the DCN on the host computer.
  - 17. The non-transitory machine readable medium of claim 16, wherein the particular attribute comprises one of (i) an identifier associated with a software port switch connected to the DCN and (ii) an identifier associated with a virtual network interface of the DCN.
  - 18. The non-transitory machine readable medium of claim 10, wherein the set of instructions for determining whether the data message'"'"'s attribute set matches the rule identifier further comprises a set of instructions for determining whether the data message'"'"'s source and destination are from a same instance of the template.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Nimmagadda, Srinivas, Jain, Jayant, Sengupta, Anirban, Manuguri, Subrahmanyam, Tiagi, Alok S.
Primary Examiner(s)
Naghdali, Khalil

Application Number

US14/975,570
Publication Number

US 20170180319A1
Time in Patent Office

1,292 Days
Field of Search

726 14
US Class Current
CPC Class Codes

H04L 41/0843   based on generic templates

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 67/1031   Controlling of the operatio...

Datapath processing of service rules with qualifiers defined in terms of template identifiers and/or template matching criteria

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Datapath processing of service rules with qualifiers defined in terms of template identifiers and/or template matching criteria

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links