In-band, health-based assessments of service function paths

US 10,374,922 B2
Filed: 02/24/2016
Issued: 08/06/2019
Est. Priority Date: 02/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

placing into a testing state, by a device in a network, a path of nodes in a computer network that a service function chain traverses;

causing, by the device, a self-assessment instruction to be propagated along the path while the path is in the testing state, wherein the self-assessment instruction instructs each node along the path to perform a security posture assessment and a health assessment;

analyzing, by the device, self-assessment results from each of the nodes along the path to determine whether the path is secure and healthy; and

adjusting, by the device, a state of the path based on the analyzed self-assessment results, wherein adjusting includes;

placing, by the device, the path into an inactive state, in response to a determination that the security posture assessment indicates that one or more of the nodes along the path failed the security posture assessment or a determination that the path is not healthy, wherein in the inactive state traffic is not allowed to traverse the path, andplacing, by the device, the path into an active state, in response to at least a determination that each of the nodes along the path passes both the security assessment and the health assessment;

wherein the self-assessment instruction is an Open Vulnerability Assessment Language (OVAL)-based instruction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network places a path of a service function chain into a testing state. The device causes a self-assessment instruction to be propagated along the path while the path is in the testing state. The device analyzes self-assessment results from nodes along the path. The device adjusts a state of the path based on the analyzed self-assessment results.

54 Citations

12 Claims

1. A method, comprising:
- placing into a testing state, by a device in a network, a path of nodes in a computer network that a service function chain traverses;
  
  causing, by the device, a self-assessment instruction to be propagated along the path while the path is in the testing state, wherein the self-assessment instruction instructs each node along the path to perform a security posture assessment and a health assessment;
  
  analyzing, by the device, self-assessment results from each of the nodes along the path to determine whether the path is secure and healthy; and
  
  adjusting, by the device, a state of the path based on the analyzed self-assessment results, wherein adjusting includes;
  
  placing, by the device, the path into an inactive state, in response to a determination that the security posture assessment indicates that one or more of the nodes along the path failed the security posture assessment or a determination that the path is not healthy, wherein in the inactive state traffic is not allowed to traverse the path, andplacing, by the device, the path into an active state, in response to at least a determination that each of the nodes along the path passes both the security assessment and the health assessment;
  
  wherein the self-assessment instruction is an Open Vulnerability Assessment Language (OVAL)-based instruction.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as in claim 1, wherein the self-assessment instruction is encapsulated in a network service header (NSH).
  - 3. The method as in claim 1, further comprising:
    - receiving, at the device, the self-assessment results from the nodes.
  - 4. The method as in claim 3, wherein the received self-assessment results indicate that a particular node along the path could not process the self-assessment instruction.
  - 5. The method as in claim 1, wherein the OVAL-based instruction is compressed using text compression or binary encoding.

6. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  place into a testing state a path of nodes in a computer network that a service function chain traverses;
  
  cause a self-assessment instruction to be propagated along the path while the path is in the testing state, wherein the self-assessment instruction instructs each node along the path to perform a security posture assessment and a health assessment;
  
  analyze self-assessment results from each of the nodes along the path to determine whether the path is secure and healthy; and
  
  adjust a state of the path based on the analyzed self-assessment results, wherein adjusting includes;
  
  placing the path into an inactive state, in response to a determination that the security posture assessment indicates that one or more of the nodes along the path failed the security posture assessment or a determination that the path is not healthy, wherein in the inactive state traffic is not allowed to traverse the path, andplacing the path into an active state, in response to at least determination that each of the nodes along the path passes both the security assessment and the health assessments;
  
  wherein the self-assessment instruction is an Open Vulnerability Assessment Language (OVAL)-based instruction.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus as in claim 6, wherein the self-assessment instruction is encapsulated in a network service header (NSH).
  - 8. The apparatus as in claim 6, wherein the process when executed is further operable to:
    - receive the self-assessment results from the nodes.
  - 9. The apparatus as in claim 8, wherein the received self-assessment results indicate that a particular node along the path could not process the self-assessment instruction.
  - 10. The apparatus as in claim 6 wherein the OVAL-based instruction is compressed using text compression or binary encoding.

11. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- place into a testing state a path of nodes in a computer network that a service function chain traverses;
  
  cause a self-assessment instruction to be propagated along the path while the path is in the testing state, wherein the self-assessment instruction instructs each node along the path to perform a security posture assessment and a health assessment;
  
  analyze self-assessment results from each of the nodes along the path to determine whether the path is secure and healthy; and
  
  adjust a state of the path based on the analyzed self-assessment results, wherein adjusting includes;
  
  placing the path into an inactive state, in response to a determination that the security posture assessment indicates that one or more of the nodes along the path failed the security posture assessment or a determination that the path is not healthy, wherein in the inactive state traffic is not allowed to traverse the path, andplacing the path into an active state, in response to at least a determination that each of the nodes along the path passes both the security assessment and the health assessments;
  
  wherein the self-assessment instruction is an Open Vulnerability Assessment Language (OVAL)-based instruction.
- View Dependent Claims (12)
- - 12. The computer-readable media as in claim 11, wherein the self-assessment instruction is encapsulated in a network service header (NSH).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Salgueiro, Gonzalo, Clarke, Joseph Michael, Pignataro, Carlos M.
Primary Examiner(s)
Rubin, Blake J

Application Number

US15/051,809
Publication Number

US 20170244622A1
Time in Patent Office

1,259 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/0817   by checking functioning

H04L 43/091   Measuring contribution of i...

H04L 43/50   Testing arrangements

In-band, health-based assessments of service function paths

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

In-band, health-based assessments of service function paths

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links