Determining violation of a network invariant
First Claim
1. A method, comprising, by a device implementing a verification module:
- receiving, by the verification module, a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event;
- determining whether the flow rule matches any of a plurality of network invariants cached in the device;
- if determined that the flow rule matches one of the plurality of network invariants, determining whether the flow rule violates the matched network invariant;
- if determined that the flow rule does not match any of the plurality of network invariants, (1) reporting the event associated with the flow rule to a policy management module, (2) receiving a new network invariant related to the event from the policy management module, and (3) determining whether the flow rule violates the new network invariant; and
- generating an alarm if determined that the flow rule violates any of the network invariants.
Abstract
Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant. The verification module generates an alarm if determined that the flow rule violates any of the network invariants.
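The verification loop the abstract describes, written out as an added example in Python; this is not code from the patent or its assignee. A verification module sits between the controller and the switch, checks each flow rule against the invariants cached on the device, reports the rule's event to a policy management module on a cache miss and caches whatever invariants come back, then raises an alarm for every invariant the rule violates. The flow-rule fields, the event strings, the two sample invariants, the subnet names and the rule sequence are constructed assumptions for illustration.

```python
"""Flow-rule verification against cached network invariants (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class FlowRule:
    switch: str
    ipv4_src: str            # CIDR the rule matches on (assumed field set)
    ipv4_dst: str
    tcp_dst: Optional[int]   # None when the rule does not match on L4
    action: str              # "output:<port>" or "drop"
    event: str               # controller event behind the rule, e.g. "packet_in:ssh"


@dataclass(frozen=True)
class Invariant:
    name: str
    event: str                              # event class the policy manager files it under
    applies: Callable[[FlowRule], bool]     # does the invariant concern this rule at all?
    violated: Callable[[FlowRule], bool]    # given that it applies, does the rule break it?


def within(cidr: str, net: str) -> bool:
    """True when every address the rule can match lies inside net."""
    return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(net))


def out_port(rule: FlowRule) -> Optional[int]:
    return int(rule.action.split(":")[1]) if rule.action.startswith("output:") else None


class PolicyManagementModule:
    """Holds the full invariant set; receives event reports and alarms."""

    def __init__(self, invariants: List[Invariant]):
        self._by_event: Dict[str, List[Invariant]] = {}
        for inv in invariants:
            self._by_event.setdefault(inv.event, []).append(inv)
        self.alarms: List[str] = []

    def invariants_for(self, event: str) -> List[Invariant]:
        return list(self._by_event.get(event, []))   # may be empty: nobody wrote one

    def receive_alarm(self, msg: str) -> None:
        self.alarms.append(msg)


class VerificationModule:
    def __init__(self, pmm: PolicyManagementModule):
        self.pmm = pmm
        self.cache: Dict[str, Invariant] = {}   # invariants cached on this device, by name
        self.reported_events: List[str] = []

    def verify(self, rule: FlowRule) -> List[str]:
        """Return the names of the invariants the rule violates (one alarm each)."""
        matched = [inv for inv in self.cache.values() if inv.applies(rule)]
        if not matched:
            # Cache miss: report the event, pull the invariants that govern it, cache them.
            self.reported_events.append(rule.event)
            fresh = self.pmm.invariants_for(rule.event)
            for inv in fresh:
                self.cache.setdefault(inv.name, inv)
            matched = [inv for inv in fresh if inv.applies(rule)]
        violated = [inv.name for inv in matched if inv.violated(rule)]
        for name in violated:
            self.pmm.receive_alarm(f"{rule.switch}: rule for {rule.event} violates {name}")
        return violated


# Constructed sample policy: a guest segment, a management segment, two invariants.
GUEST, MGMT = "192.168.100.0/24", "10.0.0.0/24"
INVARIANTS = [
    Invariant("no-ssh-guest-to-mgmt", "packet_in:ssh",
              applies=lambda r: r.tcp_dst == 22 and within(r.ipv4_src, GUEST) and within(r.ipv4_dst, MGMT),
              violated=lambda r: out_port(r) is not None),
    Invariant("mgmt-only-via-port-1", "packet_in:mgmt",
              applies=lambda r: within(r.ipv4_dst, MGMT) and out_port(r) is not None,
              violated=lambda r: out_port(r) != 1),
]


def run_scenario() -> dict:
    """Constructed rule sequence from the controller; returns each verification result."""
    pmm = PolicyManagementModule(INVARIANTS)
    vm = VerificationModule(pmm)
    ssh_fwd = FlowRule("s1", GUEST, "10.0.0.5/32", 22, "output:2", "packet_in:ssh")
    ssh_drop = FlowRule("s1", GUEST, "10.0.0.5/32", 22, "drop", "packet_in:ssh")
    https = FlowRule("s1", "10.0.1.0/24", "10.0.0.7/32", 443, "output:3", "packet_in:https")
    mgmt = FlowRule("s2", "10.0.1.0/24", "10.0.0.9/32", None, "output:4", "packet_in:mgmt")
    return {
        "ssh_fwd": vm.verify(ssh_fwd),    # miss -> fetch -> violation
        "ssh_drop": vm.verify(ssh_drop),  # cache hit -> compliant, nothing reported
        "https": vm.verify(https),        # miss, no invariant exists -> passes unchecked
        "mgmt": vm.verify(mgmt),          # miss -> fetch -> violation
        "ssh_again": vm.verify(ssh_fwd),  # both cached invariants now apply -> two alarms
        "reported": list(vm.reported_events),
        "alarms": list(pmm.alarms),
    }
```

Two behaviours worth noticing. The cache is searched across all events, so an invariant fetched for one event also guards later rules produced by a different event (the final `ssh_again` check trips both invariants). And when the policy management module has no invariant for a reported event, the rule passes with no alarm: the procedure is fail-open by construction, and the miss is reported again on every such rule, so a deployment would want a default invariant for unknown events or a negative cache entry.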
Claims (15)
1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A device implementing a verification module in a network, comprising:
- a communication module to intercept a flow rule transmitted to a switch from an SDN controller;
- a computer-readable storage medium to store a plurality of network invariants received from a policy management module;
- a match determination module to determine whether the flow rule matches any of the network invariants, wherein if the flow rule does not match any of the network invariants, the communication module transmits an event associated with the flow rule to the policy management module to request a new network invariant associated with the event;
- a policy violation module to determine whether the flow rule violates a matched network invariant or the new network invariant; and
- an alarm generator to generate an alarm to send to the policy management module if any of the network invariants is violated.
Dependent claims: 11, 12, 13, 14.
15. A non-transitory computer-readable storage medium storing instructions that, when executed by a processor, cause the processor to:
- receive a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event;
- determine whether the flow rule matches any of a plurality of network invariants stored in the computer-readable storage medium;
- if determined that the flow rule matches one of the plurality of network invariants, determine whether the flow rule violates the matched network invariant;
- if determined that the flow rule does not match any of the plurality of network invariants, (1) report the event associated with the flow rule to a policy management module, (2) receive a new network invariant related to the event from the policy management module, and (3) determine whether the flow rule violates the new network invariant; and
- generate an alarm if determined that the flow rule violates any of the network invariants.
Specification