Performing context-rich attribute-based services on a host

US 10,715,607 B2
Filed: 12/04/2017
Issued: 07/14/2020
Est. Priority Date: 12/06/2016
Status: Active Grant

First Claim

Patent Images

1. A method of configuring a set of service nodes on a host computer to provide a set of attribute-based services to data compute nodes (DCNs) on the host computer, the method comprising:

on the host computer;

collecting a first set of attributes associated with attribute-based service rules processed by the set of service nodes on the host computer;

collecting a second set of attributes associated with at least one data message flow of a DCN;

comparing the first and second sets of attributes to generate a service tag to represent a subset of attributes associated with the data message flow that are relevant for the service rules of the service node set; and

associating the service tag with the data message flow for the set of service nodes to use subsequently to retrieve the subset of attributes associated with the data message flow and to use the retrieved subset of attributes to process the attribute-based service rules for data messages of the data message flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a novel method for configuring a set of service one or more nodes on a host to perform context-rich, attribute-based services on the host computer, which executes several data compute nodes (DCNs) in addition to the set of service nodes. The method uses a context-filtering node on the host to collect a first set of attributes associated with service rules processed by the set of service nodes on the host computer. The context filter also collects a second set of attributes associated with at least one data message flow of a DCN (e.g., of a virtual machine (VM) or container) executing on the host. After collecting the first and second sets of attributes, the context filtering node on the host compares the first and second sets of attributes to generate a service tag to represent a subset of the first set of attributes associated with the data message flow. The method associates this service tag with the data message flow. This service tag can then be used to identify the subset of attributes associated with the data message flow when a service node needs to process its attribute-based service rules for the data message flow.

Citations

20 Claims

1. A method of configuring a set of service nodes on a host computer to provide a set of attribute-based services to data compute nodes (DCNs) on the host computer, the method comprising:
- on the host computer;
  
  collecting a first set of attributes associated with attribute-based service rules processed by the set of service nodes on the host computer;
  
  collecting a second set of attributes associated with at least one data message flow of a DCN;
  
  comparing the first and second sets of attributes to generate a service tag to represent a subset of attributes associated with the data message flow that are relevant for the service rules of the service node set; and
  
  associating the service tag with the data message flow for the set of service nodes to use subsequently to retrieve the subset of attributes associated with the data message flow and to use the retrieved subset of attributes to process the attribute-based service rules for data messages of the data message flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the subset of attributes represented by the service tag is a subset of the second set of attributes of the DCN data message flow that is part of the first set of attributes of the processed rules.
  - 3. The method of claim 1, whereinthe first set of attributes comprise group identifiers,comparing the first and second sets of attributes comprises comparing the second set of attributes with definitions of the group identifiers to identify one or more group identifiers associated with the second set of attributes, andthe subset of attributes represented by the service tag comprises the identified group identifiers.
  - 4. The method of claim 1, wherein associating the service tag comprises providing the service tag to the DCN for the DCN to forward with at least one data message of the data message flow.
  - 5. The method of claim 1, wherein associating the service tag comprises providing the service tag to the DCN for the DCN to forward through an out-of-band communication to an attribute-resolving engine executing on the host computer.
  - 6. The method of claim 5, wherein the attribute-resolving engine is part of a service node.
  - 7. The method of claim 5, wherein the attribute resolving engine is not part of a service node.
  - 8. The method of claim 1 further comprising:
    - supplying the service tag and the subset of attributes to an attribute-resolving engine that provides the subset of attributes to at least one service node when this service node (1) processes a data message of the data message flow and (2) provides the service tag to the attribute-resolving engine, the service node using the provided subset of attributes to process attribute-based service rules that are defined in terms of one or more attributes of the subset of attributes.
  - 9. The method of claim 8, whereineach attribute-based service rule comprises a rule identifier for matching with data message identifiers,the first set of attributes are attributes used in the rule identifiers of the attribute-based service rules of the set of service nodes,the set of service nodes is a set of one or more service nodes for processing data messages associated with the DCN, andthe first and second set of attributes comprise layer 7 parameters associated with the data messages.
  - 10. The method of claim 9, wherein the first and second set of attributes do not include layer 2, layer 3, and layer 4 parameters.
  - 11. The method of claim 9, wherein the service operations comprise at least one of firewall operations, load balancing operations, intrusion detection operations, intrusion prevention operations, and encryption operations.
  - 12. The method of claim 1, wherein collecting the second set of attributes comprises receiving the second set of attributes from an introspection agent operating within the DCN.
  - 13. The method of claim 1, wherein the second set of attributes is associated with more than one data message flow, and the service tag is stored by the DCN for associating with more than one data message flow.
  - 14. The method of claim 1 further comprising:
    - storing in the service tag an identifier that identifies the host computer; and
      
      transmitting a definition of the service tag with the subset of attributes and the host-computer identifier to other host computers for service nodes on other host computers to use to perform services on data messages sent by the DCN with the service tag.
  - 15. The method of claim 1, wherein collecting the first set of attributes comprises collecting the first set of attributes from the set of service nodes.

16. A non-transitory machine readable medium storing a program for performing a service at a host computer that executes data compute nodes (DCNs), the program comprising sets of instructions for:
- collecting a first set of attributes associated with attribute-based service rules processed by a set of service nodes on the host computer;
  
  collecting a second set of attributes associated with at least one data message flow of a DCN;
  
  comparing the first and second sets of attributes to generate a service tag to represent a subset of the attributes associated with the data message flow that are relevant for the service rules of the service node set; and
  
  associating the service tag with the data message flow for the set of service nodes to use subsequently to retrieve the subset of attributes associated with the data message flow and to use the retrieved subset of attributes to process the attribute-based service rules for data messages of the data message flow.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory machine readable medium of claim 16, wherein the subset of the attributes represented by the service tag is a subset of the second set of attributes of the DCN data message flow that is part of the first set of attributes of the processed rules.
  - 18. The non-transitory machine readable medium of claim 16, whereinthe first set of attributes comprise group identifiers,the set of instructions for comparing the first and second sets of attributes comprises a set of instructions for comparing the second set of attributes with definitions of the group identifiers to identify one or more group identifiers associated with the second set of attributes, andthe subset of attributes represented by the service tag comprises the identified group identifiers.
  - 19. The non-transitory machine readable medium of claim 16, wherein the set of instructions for associating the service tag comprises a set of instructions for providing the service tag to the DCN for the DCN to forward with at least one data message of the data message flow.
  - 20. The non-transitory machine readable medium of claim 16, wherein the first and second set of attributes include attributes other than layer 2, layer 3, and layer 4 message header parameters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Poon, Arnold, Gunda, Laxmikant, Jain, Jayant, Sengupta, Anirban, Vaidya, Sachin Mohan
Primary Examiner(s)
Zong, Ruolei

Application Number

US15/830,074
Publication Number

US 20180159733A1
Time in Patent Office

953 Days
Field of Search

709220
US Class Current
CPC Class Codes

G06F 9/4494   data driven

H04L 41/046   comprising network manageme...

H04L 41/0816   the condition being an adap...

H04L 41/0846   based on copy from other el...

H04L 41/40   using virtualisation of net...

H04L 43/028   by filtering

H04L 43/20   the monitoring system or th...

H04L 63/0263   Rule management

H04L 67/51   Discovery or management the...

H04L 67/63   Routing a service request d...

H04L 69/22   Parsing or analysis of headers

Performing context-rich attribute-based services on a host

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Performing context-rich attribute-based services on a host

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links