In-band, health-based assessments of service function paths
First Claim
1. A method, comprising:
placing into a testing state, by a device in a network, a path of nodes in a computer network that a service function chain traverses;
causing, by the device, a self-assessment instruction to be propagated along the path while the path is in the testing state, wherein the self-assessment instruction instructs each node along the path to perform a security posture assessment and a health assessment;
analyzing, by the device, self-assessment results from each of the nodes along the path to determine whether the path is secure and healthy; and
adjusting, by the device, a state of the path based on the analyzed self-assessment results, wherein adjusting includes:
placing, by the device, the path into an inactive state, in response to a determination that the security posture assessment indicates that one or more of the nodes along the path failed the security posture assessment or a determination that the path is not healthy, wherein in the inactive state traffic is not allowed to traverse the path, and
placing, by the device, the path into an active state, in response to at least a determination that each of the nodes along the path passes both the security assessment and the health assessment;
wherein the self-assessment instruction is an Open Vulnerability Assessment Language (OVAL)-based instruction.
Abstract
In one embodiment, a device in a network places a path of a service function chain into a testing state. The device causes a self-assessment instruction to be propagated along the path while the path is in the testing state. The device analyzes self-assessment results from nodes along the path. The device adjusts a state of the path based on the analyzed self-assessment results.
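The state transitions that the abstract and claim 1 describe (testing, then inactive or active depending on the per-node security and health results), as an added example that is not code from the patent or any product. Node ids, the result fields and the run_self_assessment callback are assumptions; the example also fails closed for a node that returns no result, a point the claims do not spell out.

```python
# Added illustration of the claimed path-state logic; not the patent's own code.
# Node ids, the result fields and the run_self_assessment callback are assumptions.
from dataclasses import dataclass
from enum import Enum


class PathState(Enum):
    TESTING = "testing"    # self-assessment in flight, no traffic admitted
    INACTIVE = "inactive"  # traffic is not allowed to traverse the path
    ACTIVE = "active"      # every node passed both security and health


@dataclass(frozen=True)
class SelfAssessment:
    node_id: str
    security_ok: bool  # outcome of the node's OVAL-based posture check
    health_ok: bool    # outcome of the node's health check


def decide_path_state(path, results):
    """Apply the claim's rule; fail closed, so a node that returned no
    result counts as a failure (an unanswered assessment proves nothing)."""
    for node_id in path:
        r = results.get(node_id)
        if r is None or not (r.security_ok and r.health_ok):
            return PathState.INACTIVE
    return PathState.ACTIVE


def assess_path(path, run_self_assessment):
    """Place the path in TESTING, propagate the instruction hop by hop,
    then return the adjusted state and the collected results."""
    state, results = PathState.TESTING, {}
    for node_id in path:  # propagate along the path while it is in TESTING
        outcome = run_self_assessment(node_id)  # None: node did not answer
        if outcome is not None:
            results[node_id] = outcome
    state = decide_path_state(path, results)
    return state, results


# Constructed sample: a three-hop chain whose middle node fails its posture check.
SAMPLE_PATH = ("sf-classifier", "sf-firewall", "sf-dpi")
SAMPLE_RESULTS = {
    "sf-classifier": SelfAssessment("sf-classifier", True, True),
    "sf-firewall": SelfAssessment("sf-firewall", False, True),
    "sf-dpi": SelfAssessment("sf-dpi", True, True),
}
```

Calling assess_path(SAMPLE_PATH, SAMPLE_RESULTS.get) returns PathState.INACTIVE because sf-firewall failed its posture check; the path becomes ACTIVE only when every node passes both checks.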
12 Claims
6. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the network interfaces and configured to execute one or more processes; and
a memory configured to store a process executable by the processor, the process when executed operable to:
place into a testing state a path of nodes in a computer network that a service function chain traverses;
cause a self-assessment instruction to be propagated along the path while the path is in the testing state, wherein the self-assessment instruction instructs each node along the path to perform a security posture assessment and a health assessment;
analyze self-assessment results from each of the nodes along the path to determine whether the path is secure and healthy; and
adjust a state of the path based on the analyzed self-assessment results, wherein adjusting includes:
placing the path into an inactive state, in response to a determination that the security posture assessment indicates that one or more of the nodes along the path failed the security posture assessment or a determination that the path is not healthy, wherein in the inactive state traffic is not allowed to traverse the path, and
placing the path into an active state, in response to at least a determination that each of the nodes along the path passes both the security assessment and the health assessments;
wherein the self-assessment instruction is an Open Vulnerability Assessment Language (OVAL)-based instruction.
Dependent claims: 7, 8, 9, 10.
11. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
place into a testing state a path of nodes in a computer network that a service function chain traverses;
cause a self-assessment instruction to be propagated along the path while the path is in the testing state, wherein the self-assessment instruction instructs each node along the path to perform a security posture assessment and a health assessment;
analyze self-assessment results from each of the nodes along the path to determine whether the path is secure and healthy; and
adjust a state of the path based on the analyzed self-assessment results, wherein adjusting includes:
placing the path into an inactive state, in response to a determination that the security posture assessment indicates that one or more of the nodes along the path failed the security posture assessment or a determination that the path is not healthy, wherein in the inactive state traffic is not allowed to traverse the path, and
placing the path into an active state, in response to at least a determination that each of the nodes along the path passes both the security assessment and the health assessments;
wherein the self-assessment instruction is an Open Vulnerability Assessment Language (OVAL)-based instruction.
Dependent claims: 12.
Specification