System and method for transport-layer level identification and isolation of container traffic

US 10,382,597 B2
Filed: 07/20/2016
Issued: 08/13/2019
Est. Priority Date: 07/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a component in a network, a packet having a data field;

extracting, at a network layer, container identification data from the data field, the container identification data identifying a software destination container on the network; and

applying a policy to the packet at the component based on the container identification data;

wherein the container identification data includes at least a unique container ID and/or a container name;

wherein the data field comprises one of an IPv6 extension header and an option field of an IPv4 packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system and method of providing transport-level identification and isolation of container traffic. The method includes receiving, at a component in a network, a packet having a data field, extracting, at a network layer, container identification data from the data field and applying a policy to the packet at the component based on the container identification data. The data field can include one of a header, an IPv6 extension header, a service function chaining container identification, a network service header, and an optional field of an IPv4 packet.

425 Citations

18 Claims

1. A method comprising:
- receiving, at a component in a network, a packet having a data field;
  
  extracting, at a network layer, container identification data from the data field, the container identification data identifying a software destination container on the network; and
  
  applying a policy to the packet at the component based on the container identification data;
  
  wherein the container identification data includes at least a unique container ID and/or a container name;
  
  wherein the data field comprises one of an IPv6 extension header and an option field of an IPv4 packet.
- View Dependent Claims (2, 3, 4, 5, 16)
- - 2. The method of claim 1, wherein applying the policy to the packet comprises applying the policy on a per-container basis or a per-container-flow basis.
  - 3. The method of claim 1, wherein the policy is associated with at least one of QoS, prioritization, accounting, billing, cloud-based classification, a container-based policy, and a workload-based policy.
  - 4. The method of claim 1, wherein the applying a policy to the packet at the component based on the container identification data further comprises applying the policy to a workload associated with the packet.
  - 5. The method of claim 1, wherein the component comprises a virtual switch.
  - 16. The method of claim 1, wherein the container identification data includes a container name.

6. A system comprising:
- one or more processors; and
  
  a computer-readable medium, storing instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving, at a component in a network, a packet having a data field;
  
  extracting, at a network layer, container identification data from the data field, the container identification data identifying a software destination container on the network; and
  
  applying a policy to the packet at the component based on the container identification data;
  
  wherein the container identification data includes at least a unique container ID and/or a container name;
  
  wherein the data field comprises one of an IPv6 extension header and an option field of an IPv4 packet.
- View Dependent Claims (7, 8, 9, 10, 17)
- - 7. The system of claim 6, wherein applying the policy to the packet comprises applying the policy on a per-container basis or a per-container-flow basis.
  - 8. The system of claim 6, wherein the policy is associated with at least one of QoS, prioritization, accounting, billing, cloud-based classification, a container-based policy, a workload-based policy.
  - 9. The system of claim 6, wherein the applying a policy to the packet at the component based on the container identification data further comprises applying the policy to workload associated with the packet.
  - 10. The system of claim 6, wherein the component comprises a virtual switch.
  - 17. The system of claim 6, wherein the container identification data includes a container name.

11. A non-transitory computer-readable storage media storing instructions which, when executed by a processor, cause the processor to perform operations comprising:
- receiving, at a component in a network, a packet having a data field;
  
  extracting, at a network layer, container identification data from the data field, the container identification data identifying a software destination container on the network; and
  
  applying a policy to the packet at the component based on the container identification data;
  
  wherein the container identification data includes at least a unique container ID and/or a container name;
  
  wherein the data field comprises one of an IPv6 extension header and an option field of an IPv4 packet.
- View Dependent Claims (12, 13, 14, 15, 18)
- - 12. The computer-readable storage media of claim 11, wherein applying the policy to the packet comprises applying the policy on a per-container basis or a per-container-flow basis.
  - 13. The computer-readable storage media of claim 11, wherein the policy is associated with at least one of QoS, prioritization, accounting, billing, cloud-based classification, a container-based policy, a workload-based policy.
  - 14. The computer-readable storage media of claim 11, wherein the applying a policy to the packet at the component based on the container identification data further comprises applying the policy to workload associated with the packet.
  - 15. The computer-readable storage media of claim 11 wherein the component comprises a virtual switch.
  - 18. The computer-readable storage media of claim 11, wherein the container identification data includes a container name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Jeuk, Sebastian, Salgueiro, Gonzalo
Primary Examiner(s)
Ko, Sithu

Application Number

US15/215,503
Publication Number

US 20180027100A1
Time in Patent Office

1,119 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 9/45533   Hypervisors; Virtual machin...

H04L 2101/659   Internet protocol version 6...

H04L 47/20   Traffic policing

H04L 49/70   Virtual switches

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

H04L 69/22   Parsing or analysis of headers

H04L 69/326   in the transport layer [OSI...

System and method for transport-layer level identification and isolation of container traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

425 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for transport-layer level identification and isolation of container traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

425 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links