Communication apparatus, system, method, and non-transitory medium for securing network communication

US 10,601,632 B2
Filed: 05/11/2015
Issued: 03/24/2020
Est. Priority Date: 05/11/2015
Status: Active Grant

First Claim

Patent Images

1. A communication apparatus comprising:

a processor;

a memory storing therein program instructions executable by the processor; and

a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network, wherein the processor is configured to execute;

a plurality of switch processes, each of the plurality of the switch processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the switch processes being isolated from each of one or more environments arranged for remaining one or more switch processes, each of the plurality of the switch processes performing switch processing on a flow associated thereto; and

a dispatcher process that receives a packet from at least one of the plurality of the network interfaces and dispatches the packet to an associated switch process, based on a dispatch rule that defines association of a flow with a dispatch destination switch process,wherein the associated switch process, upon reception of the packet dispatched thereto by the dispatcher process, performs matching of header field information of the packet with a flow entry for handling a flow, and handling of the packet based on a result of the matching, wherein the flow entry includes a match field for being matched with header field information of a packet received; and

an action field to prescribe handling of a matching packet,wherein the communication apparatus further includes;

a transmitter that, when a dispatch rule for a first flow indicated by header field information of a packet received from at least one of the plurality of the network interfaces is not present, sends a query for the dispatch rule for the first flow to a controller that controls the communication apparatus, andwherein the processor is configured to, on receipt of the dispatch rule for the first flow sent from the controller, create an isolated environment, invoke a first switch process associated with the first flow in the isolated environment, and cause the transmitter to send a response to the controller, whereinthe first switch process associated with the first flow, upon reception of a first flow entry for handling the first flow from the controller, handles one or more packets associated with the first flow, based on the first flow entry.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication apparatus comprising a plurality of communication processes, each of the communication processes configured to be executed in an environment allocated thereto and isolated from each of one or more environments arranged for remaining one or more processes, each of the communication processes performing communication processing on a flow associated thereto, a network interface connected to a network; a dispatcher that dispatches a packet to the communication process based on a dispatch rule that defines association of a flow with a communication process.

40 Citations

View as Search Results

18 Claims

1. A communication apparatus comprising:
- a processor;
  
  a memory storing therein program instructions executable by the processor; and
  
  a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network, wherein the processor is configured to execute;
  
  a plurality of switch processes, each of the plurality of the switch processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the switch processes being isolated from each of one or more environments arranged for remaining one or more switch processes, each of the plurality of the switch processes performing switch processing on a flow associated thereto; and
  
  a dispatcher process that receives a packet from at least one of the plurality of the network interfaces and dispatches the packet to an associated switch process, based on a dispatch rule that defines association of a flow with a dispatch destination switch process,wherein the associated switch process, upon reception of the packet dispatched thereto by the dispatcher process, performs matching of header field information of the packet with a flow entry for handling a flow, and handling of the packet based on a result of the matching, wherein the flow entry includes a match field for being matched with header field information of a packet received; and
  
  an action field to prescribe handling of a matching packet,wherein the communication apparatus further includes;
  
  a transmitter that, when a dispatch rule for a first flow indicated by header field information of a packet received from at least one of the plurality of the network interfaces is not present, sends a query for the dispatch rule for the first flow to a controller that controls the communication apparatus, andwherein the processor is configured to, on receipt of the dispatch rule for the first flow sent from the controller, create an isolated environment, invoke a first switch process associated with the first flow in the isolated environment, and cause the transmitter to send a response to the controller, whereinthe first switch process associated with the first flow, upon reception of a first flow entry for handling the first flow from the controller, handles one or more packets associated with the first flow, based on the first flow entry.
- View Dependent Claims (2, 4, 5)
- - 2. The communication apparatus according to claim 1, wherein the processor is configured to execute a switch process that performs an integrity control process that performs control to enable decryption of cipher text to plain text, when the integrity control process finds that a system integrity measured at a time of the decryption is identical as a system integrity measured at a time of encryption of the plain text.
  - 4. The communication apparatus according to claim 1, wherein the processor is further configured to execute:
    - an access control that controls access from a switch process to a shared resource shared by the plurality of the switch processes.
  - 5. The communication apparatus according to claim 1, wherein the communication apparatus is a switch apparatus.

3. A communication apparatus, comprising:
- a processor;
  
  a memory storing therein program instructions executable by the processor; and
  
  a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network, wherein the processor is configured to execute;
  
  a plurality of management processes, each of the plurality of the management processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of management processes being isolated from each of one or more environments arranged for remaining one or more management processes, each management process performing communication with a controller that controls the communication apparatus; and
  
  a dispatcher process,wherein the communication apparatus further comprisesa packet processing hardware unit arranged between the plurality of the network interfaces and the dispatcher process, the packet processing hardware unit performing packet processing according to a flow entry for handling a flow, wherein a management process receives and deletes a flow entry to and from the packet processing hardware,wherein the dispatcher process monitors addition and deletion of each flow entry for handling a flow and on reception of a notification sent from the packet processing hardware unit when there is no flow entry matching a packet header of a received packet, the dispatcher process forwards the notification to a corresponding management process according to a dispatch rule.

6. A controller apparatus comprising:
- a processor;
  
  a memory storing therein program instructions executable by the processor; and
  
  a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network, wherein the processor is configured to execute;
  
  a plurality of controller processes, each of the plurality of the controller processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the controller processes being isolated from each of one or more environments arranged for remaining one or more controller processes, each of the plurality of the controller processes performing control of one or more associated switch processes; and
  
  a dispatcher process that dispatches a message from a switch to an associated controller process, based on a dispatch rule that defines association of a switch with a controller process to which a message from the switch is dispatched.

7. A communication system comprising:
- a switch;
  
  a controller to control the switch, whereinthe switch comprises;
  
  a first processor;
  
  a memory storing therein program instructions executable by the first processor; and
  
  a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network,wherein the first processor is configured to execute;
  
  a plurality of switch processes, each of the plurality of the switch processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the switch processes being isolated from each of one or more environments arranged for remaining one or more switch processes, each of the plurality of the switch processes performing switch processing on a flow associated thereto;
  
  anda dispatcher process that receives a packet from at least one of the plurality of the network interfaces and dispatches the packet to an associated switch process, based on a dispatch rule that defines association of a flow with a dispatch destination switch process,wherein the switch further includes;
  
  a transmitter that, when a dispatch rule for a first flow indicated by header field information of a packet received from at least one of the plurality of the network interfaces is not present, sends a query for the dispatch rule for the first flow to the controller,wherein the first processor is configured to, on receipt of the dispatch rule for the first flow sent from the controller, create an isolated environment, invoke a first switch process associated with the first flow in the isolated environment, and cause the transmitter to send a response to the controller, andwherein the first switch process associated with the first flow, upon reception of a first flow entry for handling the first flow from the controller, handles one or more packets associated with the first flow, based on the first flow entry.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The communication system according to claim 7, wherein the associated switch process receives the packet dispatched from the dispatcher process, and performs matching of header field information of the packet dispatched from the dispatcher process with a flow entry for handling a flow and handling the packet dispatched from the dispatcher process based on a result of the matching, the flow entry including a match field for being matched with header field information of a packet and an action field to prescribe handling of a matching packet.
  - 9. The communication system according to claim 7, wherein the switch further comprises:
    - a packet processing hardware unit arranged between the plurality of the network interfaces and the dispatcher process, the packet processing hardware unit performing packet processing according to a flow entry for handling a flow, wherein the dispatcher process monitors the flow entry for handling a flow.
  - 10. The communication system according to claim 7, wherein the controller comprises:
    - a second processor;
      
      a memory storing therein program instructions executable by the second processor, wherein the second processor is configured to execute;
      
      a plurality of controller processes, each of the plurality of the controller processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the controller processes being isolated from each of one or more environments arranged for remaining one or more controller processes, each of the plurality of the controller processes performing control of one or more associated switch processes; and
      
      a first dispatcher process that dispatches a message from a switch process to an associated controller process, based on a first dispatch rule that defines association of a switch process with a dispatch destination controller process.
  - 11. The communication system according to claim 10, wherein the second processor included in the controller is configured to execute:
    - a first interface process between the first dispatcher process and the plurality of the controller processes, the message being dispatched to the associated controller process via the first interface process, the first interface process and the associated controller process being arranged in common in the isolated environment;
      
      a second dispatcher process that dispatches the message from an application to the associated controller process, based on a second dispatch rule that defines association of an application with a controller process to which the message from the application is dispatched; and
      
      a second interface process between the second dispatcher process and the plurality of the controller processes, the message being dispatched to the associated controller process via the second interface process, the second interface process and the associated controller process being arranged in common in the isolated environment.
  - 12. The communication system according to claim 10, wherein the second processor included in the controller is configured to:
    - upon reception of a predetermined message from the first switch process which is one of the plurality of the switch processes, generate a flow entry for handling the first flow that is applied for each of one or more switch processes inclusive of the first switch process on a path for the first flow, the flow entry including a match field for being matched with header field information of a packet received by the one or more switch processes and an action field to prescribe handling of a matching packet by the one or more switch processes;
      
      wherein the controller includesa transmitter that sends the flow entry to each of the one or more switch processes on the path for the first flow.
  - 13. The communication system according to claim 10, wherein the second processor included in the controller is configured to:
    - upon reception of a query sent from the switch when a dispatch rule for the first flow indicated by header field information of a packet received from at least one of the plurality of the network interfaces is not present in the switch, create the first dispatch rule for the first flow; and
      
      wherein the controller includesa transmitter that sends the first dispatch rule for the first flow to the switch.
  - 14. The communication system according to claim 10, whereinwhen the dispatcher process of the switch receives a packet from at least one of the plurality of the network interfaces to find that the first flow indicated by header field information of the packet received is not registered in the dispatch rule, the switch sends the query for the dispatch rule for the first flow to the controller, whereinthe second processor included in the controller, upon reception of the query from the switch, creates the first dispatch rule for the first flow to cause a transmitter to send the first dispatch rule to the switch, whereinthe first processor included in the switch, upon reception of the first dispatch rule sent from the controller, creates the isolated environment and invokes the first switch process in the isolated environment and sends the response to the controller, whereinthe second processor included in the controller, upon reception of the response from the first switch process, creates the first flow entry including a match field for being matched with header field information of a packet and an action field to prescribe handling of matching packet to send the first flow entry to the first switch process invoked in the isolated environment, and whereinthe first switch process, upon reception of the first flow entry for the first flow from the controller, handles one or more packets associated with the first flow, based on the first flow entry.
  - 15. The communication system according to claim 10, wherein at least one of the switch processes and the controller processes executes:
    - an integrity control process that performs control to enable decryption of cipher text to plain text, when the integrity control process finds that a system integrity measured at a time of the decryption is identical as a system integrity measured at a time of encryption of the plain text.
  - 16. The communication system according to claim 10, wherein the first dispatcher process included in the controller performs dispatching from a switch process to an associated controller process, using tenant information as the first dispatch rule.

17. A communication method for a communication system including a switch and a controller, the method comprising:
- dispatching a packet received by the switch to an associated switch process included in the switch, based on a dispatch rule that defines association of a flow with a dispatch destination switch process;
  
  the associated switch process, out of a plurality of switch processes included in the switch, performing switch processing on a flow associated thereto, each of the plurality of the switch processes being configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the switch processes being isolated from each of other one or more environments arranged for remaining one or more switch processes;
  
  dispatching by the controller a message received from the associated switch process to an associated controller process, based on a dispatch rule that defines association of a switch process with a dispatch destination controller process; and
  
  the associated controller process which is one of a plurality of controller processes included in the controller, performing control processing for the associated switch process included in the switch, based on the message, each of the controller processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the controller processes being isolated from each of other one or more environments arranged for remaining one or more controller processes.

18. A non-transitory computer-readable recording medium storing therein a program to be executed by a computer, the program causing the computer to execute processes comprising:
- a plurality of switch processes, each of the plurality of the switch processes being executed in an environment allocated thereto, the environment arranged for each of the plurality of the switch processes being configured to be isolated from each of one or more environments arranged for remaining one or more switch processes, each of the plurality of the switch processes performing communication processing on a flow associated thereto;
  
  a dispatching process that receives a packet from at least one of a plurality of network interfaces and dispatches the packet to an associated switch process, based on a dispatch rule that defines association of a flow with a dispatch destination switch process,wherein the associated switch process, upon reception of the packet dispatched thereto by the dispatching process, performs matching of header field information of the packet with a flow entry for handling a flow, and handling of the packet based on a result of the matching, wherein the flow entry includes a match field for being matched with header field information of a packet received; and
  
  an action field to prescribe handling of a matching packet;
  
  when a dispatch rule for a first flow indicated by header field information of a packet received from at least one of the plurality of the network interfaces is not present, sending a query for the dispatch rule for the first flow to a controller;
  
  on receipt of the dispatch rule for the first flow sent from the controller, creating an isolated environment, invoking a first switch process associated with the first flow in the isolated environment, and sending a response to the controller; and
  
  the first switch process associated with the first flow, upon reception of a new flow entry for handling the first flow from the controller, handling one or more packets associated with the first flow, based on the new flow entry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Sasaki, Takayuki, Perrig, Adrian, Capkun, Srdjan, Soriente, Claudio, Masti, Ramya Jayaram, Lee, Jason
Primary Examiner(s)
Plecha, Thaddeus J

Application Number

US15/572,871
Publication Number

US 20180159716A1
Time in Patent Office

1,779 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/42   using separate channels for...

G06F 21/53   by executing in a restricte...

H04L 45/64   using an overlay routing layer

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/20   for managing network securi...

Communication apparatus, system, method, and non-transitory medium for securing network communication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Communication apparatus, system, method, and non-transitory medium for securing network communication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others