Creating and using remote device management attribute rule data store

US 10,397,275 B2
Filed: 11/01/2015
Issued: 08/27/2019
Est. Priority Date: 08/28/2015
Status: Active Grant

First Claim

Patent Images

1. A method of processing rules at a network element, the method comprising:

receiving a larger, first set of rules with each rule in the first set comprising a rule identifierincluding a set of remote device management (RDM) attributes;

for a plurality of RDM attributes belonging to a plurality of rule identifiers of the first set of rules, generating an index structure that identifies the rules that are associated with the plurality of the RDM attributes;

in response to receiving from a remote device a data message associated with an RDM attribute set, using at the network element the index structure to identify, from the larger first set of rules, a smaller second set of rules that potentially match the data message by identifying and selecting for the second set of rules each rule in the first set that matches at least one RDM attribute of the RDM attribute set associated with the received data message;

comparing the RDM attribute set associated with the received data message with the RDM attribute set of at least one rule in the identified second rule set to determine that the rule matches the message and hence should be used to process the message; and

using the matching rule to perform a middlebox service operation on the message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on identified RDM attribute set.

Citations

22 Claims

1. A method of processing rules at a network element, the method comprising:
- receiving a larger, first set of rules with each rule in the first set comprising a rule identifierincluding a set of remote device management (RDM) attributes;
  
  for a plurality of RDM attributes belonging to a plurality of rule identifiers of the first set of rules, generating an index structure that identifies the rules that are associated with the plurality of the RDM attributes;
  
  in response to receiving from a remote device a data message associated with an RDM attribute set, using at the network element the index structure to identify, from the larger first set of rules, a smaller second set of rules that potentially match the data message by identifying and selecting for the second set of rules each rule in the first set that matches at least one RDM attribute of the RDM attribute set associated with the received data message;
  
  comparing the RDM attribute set associated with the received data message with the RDM attribute set of at least one rule in the identified second rule set to determine that the rule matches the message and hence should be used to process the message; and
  
  using the matching rule to perform a middlebox service operation on the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21, 22)
- - 2. The method of claim 1, wherein using the index structure to identify the smaller second set of rules comprises:
    - foregoing from the second set of rules each rule in the first set that does not match at least one RDM attribute of the RDM attribute set associated with the received data message.
  - 3. The method of claim 1, wherein each RDM attribute comprises an RDM attribute value, wherein generating the index structure comprises generating an index graph having a first plurality of nodes, each node corresponding to a different RDM attribute value belonging to a rule identifier of at least one rule in the received first set of rules, and each node identifying each rule in the first set of rules with a rule identifier that includes the node'"'"'s corresponding RDM attribute value.
  - 4. The method of claim 3 further comprising—
    - storing the received first set of rules in a storage, wherein a node identifies a rule by identifying a location at which the rule is stored in the storage.
  - 5. The method of claim 4, wherein each node identifies each rule in the first set that includes the node'"'"'s corresponding RDM attribute value by using a reference to the rule'"'"'s storage location.
  - 6. The method of claim 3, wherein each RDM attribute value is associated with an RDM attribute label, wherein the index graph has a second plurality of nodes, each node in the second plurality (i) representing a different RDM attribute label and (ii) serving as a parent node to at least one node in the first plurality that corresponds to an RDM attribute value associated with the RDM attribute label.
  - 7. The method of claim 1, wherein each received rule in the first set specifies an action, the method further comprising:
    - for the received data message, performing the action specified by the matching rule after determining that the rule matches the message based on the comparison of the RDM attribute set of the rule with the RDM attribute set associated with the data message.
  - 8. The method of claim 1, wherein comparing the RDM attribute sets comprises:
    - examining the rules in the identified second rule set according to a priority based on a sorted order so that higher priority rules are examined before lower priority rules in the identified second rule set; and
      
      once a rule is determined to match the data message, foregoing examination of any lower priority rule that is after the matching rule in the sorted order.
  - 9. The method of claim 1, wherein the rule identifier for at least one received rule specifies a plurality of RDM attribute labels, a set of one or more RDM attribute values for each RDM attribute label, and at least one operator that defines whether one specified RDM attribute label and its corresponding set of RDM attribute values have to be present in the RDM attribute set of a data message.
  - 10. The method of claim 9, wherein comparing the RDM attribute sets comprises using the operator to perform the comparison.
  - 21. The method of claim 1, wherein the middlebox service operation is one of a firewall operation, a load balancing operation, and a network address translation operation.
  - 22. The method of claim 2, wherein each RDM attribute comprises an RDM attribute value associated with an RDM attribute label, wherein a rule matches an RDM attribute when the rule matches both the RDM attribute value and the RDM attribute label of the RDM attribute and a rule does not match an RDM attribute when the rule does not match both the RDM attribute value and the RDM attribute label of the RDM attribute.

11. A non-transitory machine readable medium storing a program for processing rules at a network element, the program comprising sets of instructions for:
- receiving a larger, first set of rules with each rule in the first set comprising a rule identifier including a set of remote device management (RDM) attributes;
  
  for a plurality of RDM attributes belonging to a plurality of rule identifiers of the first set of rules, generating an index structure that identifies the rules that are associated with the plurality of the RDM attributes;
  
  in response to receiving from a remote device a data message associated with an RDM attribute set, using at the network element the index structure to identify, from the larger first set of rules, a smaller second set of rules that potentially match the data message based on a plurality of RDM attributes of the RDM attribute set associated with the received data message;
  
  comparing the RDM attribute set associated with the received data message with the RDM attribute set of at least one rule in the identified second rule set to determine that the rule matches the message and hence should be used to process the message; and
  
  using the matching rule to perform a middlebox service operation on the message.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory machine readable medium of claim 11, wherein the set of instructions for using the index structure to identify the smaller second set of rules comprises a set of instructions for:
    - selecting for the second set of rules each rule in the first set that matches at least one RDM attribute of the RDM attribute set associated with the received data message; and
      
      foregoing from the second set of rules each rule in the first set that does not match at least one RDM attribute of the RDM attribute set associated with the received data message.
  - 13. The non-transitory machine readable medium of claim 11, wherein each RDM attribute comprises an RDM attribute value, wherein the set of instructions for generating the index structure comprises a set of instructions for generating an index graph having a first plurality of nodes, each node corresponding to a different RDM attribute value belonging to a rule identifier of at least one rule in the received first set of rules, and each node identifying each rule in the first set of rules with a rule identifier that includes the node'"'"'s corresponding RDM attribute value.
  - 14. The non-transitory machine readable medium of claim 13, wherein the program further comprises a set of instructions for storing the received first set of rules in a storage, wherein a node identifies a rule by identifying a location at which the rule is stored in the storage.
  - 15. The non-transitory machine readable medium of claim 14, wherein each node identifies each rule in the first set that includes the node'"'"'s corresponding RDM attribute value by using a reference to the rule'"'"'s storage location.
  - 16. The non-transitory machine readable medium of claim 13, wherein each RDM attribute value is associated with an RDM attribute label, wherein the index graph has a second plurality of nodes, each node in the second plurality (i) representing a different RDM attribute label and (ii) serving as a parent node to at least one node in the first plurality that corresponds to, an RDM attribute value associated with the RDM attribute label.
  - 17. The non-transitory machine readable medium of claim 11, wherein each received rule in the first set specifies an action, the program further comprising a set of instructions for:
    - performing, for the received data message, the action specified by the matching rule after determining that the rule matches the message based on the comparison of the RDM attribute set of the rule with the RDM attribute set associated with the data message.
  - 18. The non-transitory machine readable medium of claim 11, wherein the set of instructions for comparing the RDM attribute sets comprises sets of instructions for:
    - examining the rules in the identified second rule set according to a priority based on a sorted order so that higher priority rules are examined before lower priority rules in the identified second rule set; and
      
      once a rule is determined to match the data message, foregoing examination of any lower priority rule that is after the matching rule in the sorted order.
  - 19. The non-transitory machine readable medium of claim 11, wherein the rule identifier for at least one received rule specifies a plurality of RDM attribute labels, a set of one or more RDM attribute values for each RDM attribute label, and at least one operator that defines whether one specified RDM attribute label and its corresponding set of RDM attribute values have to be present in the RDM attribute set of a data message.
  - 20. The non-transitory machine readable medium of claim 19, wherein the set of instructions for comparing the RDM attribute sets comprises a set of instructions for using the operator to perform the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Jain, Jayant, Sengupta, Anirban, Lund, Rick, Tiagi, Alok S., Zhou, Jingmin, Jain, Nishant
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Ahsan, Syed M

Application Number

US14/929,405
Publication Number

US 20170063794A1
Time in Patent Office

1,395 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/5045   Making service definitions ...

H04L 61/256   NAT traversal

H04L 61/2571   for identification, e.g. fo...

H04L 61/2585   through application level g...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/1004   Server selection for load b...

H04L 67/1097   for distributed storage of ...

H04L 69/22   Parsing or analysis of headers

H04W 12/08   Access security

H04W 76/12   Setup of transport tunnels

Creating and using remote device management attribute rule data store

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Creating and using remote device management attribute rule data store

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links