Network policy conflict detection and resolution

US 10,411,951 B2
Filed: 02/10/2015
Issued: 09/10/2019
Est. Priority Date: 02/10/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a policy compilation engine to compile a plurality of network policies based on an intent format, wherein the intent format specifies a classifier for network traffic, a context of the network traffic, an action of the network traffic, a source endpoint identifier for the network traffic and a destination endpoint identifier for the network traffic;

a policy optimization engine to optimize the plurality of network policies by removing any network policies from the plurality of network policies that lacks a destination endpoint identifier or a source endpoint identifier;

a conflict detection engine to detect a conflict between a first network policy among the plurality of network policies and a second network policy among the plurality of network policies, using the intent format;

a conflict resolution engine to resolve the detected conflict between the first network policy and the second network policy; and

a translation engine to translate the resolution of the detected conflict to a protocol-specific format.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example implementations relate to network policy conflict detection and resolution. For example, a system for network policy conflict detection and resolution can include a policy compilation engine to compile a plurality of network policies based on an intent format, a conflict detection engine to detect a conflict between a first network policy among the plurality of network policies and a second network policy among the plurality of network policies, using the intent format, and a conflict resolution engine to resolve the detected conflict between the first network policy and the second network policy. Further, the system for network policy conflict detection and resolution can include a translation engine to translate the resolution of the detected conflict to a protocol-specific format.

21 Citations

View as Search Results

11 Claims

1. A system, comprising:
- a policy compilation engine to compile a plurality of network policies based on an intent format, wherein the intent format specifies a classifier for network traffic, a context of the network traffic, an action of the network traffic, a source endpoint identifier for the network traffic and a destination endpoint identifier for the network traffic;
  
  a policy optimization engine to optimize the plurality of network policies by removing any network policies from the plurality of network policies that lacks a destination endpoint identifier or a source endpoint identifier;
  
  a conflict detection engine to detect a conflict between a first network policy among the plurality of network policies and a second network policy among the plurality of network policies, using the intent format;
  
  a conflict resolution engine to resolve the detected conflict between the first network policy and the second network policy; and
  
  a translation engine to translate the resolution of the detected conflict to a protocol-specific format.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, further comprising the conflict detection engine to compare a first policy space for the first network policy against a second policy space for the second network policy and determine if the first policy space and the second policy space overlap.
  - 3. The system of claim 1, further comprising the conflict detection engine to compare a first policy space for the first network policy against each of the plurality of network policies to identify overlapping policies among the plurality of network policies.
  - 4. The system of claim 1, further comprising the conflict resolution engine to resolve the detected conflict by reducing the detected conflict into a plurality of orthogonal derived policies.
  - 5. The system of claim 1, further including a policy optimization engine to optimize the plurality of network policies by generating a default network policy and removing any network policies from the plurality of network policies that match an action associated with the default network policy.

6. A non-transitory computer readable medium storing instructions executable by a processing resource to cause a computer to:
- compile a plurality of network policies based on an intent format, wherein the intent format specifies a classifier for network traffic, a context of the network traffic, an action of the network traffic, a source endpoint identifier for the network traffic and a destination endpoint identifier for the network traffic;
  
  optimize the plurality of network policies by removing any network policies from the plurality of network policies that lacks a destination endpoint identifier or a source endpoint identifier;
  
  detect an overlap in application between a first network policy among the plurality of network policies and a second network policy among the plurality of network policies, using the intent format;
  
  separate the overlapping first network policy and second network policy into a plurality of orthogonal policies; and
  
  resolve the detected overlap between the first network policy and the second network policy, based on the plurality of orthogonal policies.
- View Dependent Claims (7, 8, 9)
- - 7. The medium of claim 6, wherein each of the plurality of orthogonal policies is a network policy selected from the group consisting of:
    - a first orthogonal network policy from a non-overlapping portion of the first network policy;
      
      a second orthogonal network policy from a non-overlapping portion of the second network policy; and
      
      a third orthogonal network policy from the overlap in application between the first network policy and the second network policy.
  - 8. The medium of claim 6, wherein:
    - each network policy among the plurality of network policies is generated by a respective application in a software-defined network (SDN); and
      
      each network policy among the plurality of network policies has a priority assigned to it by the respective application.
  - 9. The medium of claim 8, further including instructions to resolve a conflict between the first network policy and the second network policy by comparing the priority assigned to the first network policy and the priority assigned to the second network policy.

10. A method, comprising:
- compiling a plurality of network policies based on an intent format, wherein the intent format includes a classifier, a context, a source endpoint identifier, and a destination endpoint identifier for each network policy among the plurality of network policies;
  
  optimizing the plurality of network policies by removing any network policies from the plurality of network policies that lacks a destination endpoint identifier or a source endpoint identifier;
  
  detecting that a first network policy and a second network policy conflict in application within a software defined network (SDN), based on the intent format;
  
  separating the conflicting first network policy and second network policy into a plurality of orthogonal network policies;
  
  resolving the detected conflict between the first network policy and the second network policy using the plurality of orthogonal network policies; and
  
  translating the resolution of the detected conflict into a protocol-specific format for distribution to devices within the SDN.
- View Dependent Claims (11)
- - 11. The method of claim 10, further including marking the translation of the detected conflict with an identifier to identifying an orthogonal network policy among the plurality of orthogonal network policies from which the protocol specific message originated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Clark, Charles F., Mentze, Duane E., Wackerly, Shaun
Primary Examiner(s)
Guyton, Philip

Application Number

US15/507,748
Publication Number

US 20170288952A1
Time in Patent Office

1,673 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/08   Error detection or correcti...

H04L 41/0661   by reconfiguring faulty ent...

H04L 41/0866   Checking the configuration

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/342   between virtual entities, e...

Network policy conflict detection and resolution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Network policy conflict detection and resolution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links