Community separation control in a multi-community node
Abstract
A method and mechanism of enforcing, in a computer network, a community separation policy wherein the data of a particular user community should be accessible only by members of that community. A Multi-Community Node (MCN) processes information for users in multiple communities and must enforce the community separation policy. In an open MCN, which may run both trusted and untrusted applications, the method and mechanism performs a set of checks on packets received from and to be transmitted on a network, and on application processes which correspond to those packets, to ensure that all communications comply with the community separation policy. The enforcement method and mechanism use a database of associations of sets of communities corresponding to ports, applications, and other network addresses within the computer network. The method and mechanism includes determining a packet community set (PCS) of a data packet, discarding said data packet if the PCS is null, and allowing further processing if the PCS is not null.
Claims
1. A method of community separation control in a Multi-Community Node (MCN) comprising:
determining a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet;
discarding said first data packet in response to detecting said PCS is null; and
processing said first data packet in response to detecting said PCS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a process which sent said first data packet.
12. A method of community separation control in a Multi-Community Node (MCN) comprising:
determining a first packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network address community set (NACS) of said first data packet, a destination NACS of said first data packet, and an application community set (ACS) of a process which sent said first data packet;
discarding said first data packet in response to detecting said PCS is null; and
processing said first data packet in response to detecting said PCS is not null.
18. A method of community separation control in a Multi-Community Node (MCN) comprising:
determining a packet community set (PCS) of a first data packet, wherein said PCS is encoded in a header of said first data packet, and wherein determining said PCS comprises decoding said PCS from said header;
discarding said first data packet in response to detecting said PCS is not a subset of the intersection of a source network address community set (NACS) and a destination NACS of said first data packet; and
processing said first data packet in response to detecting said PCS is a subset of said intersection of said source NACS and said destination NACS.
26. A Multi-Community Node (MCN) comprising:
a processing unit, wherein said processing unit is configured to:
determine a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a sending process of said first data packet; and
a community information base (CIB) coupled to said processing unit.
38. A Multi-Community Node (MCN) comprising:
a processing unit, wherein said processing unit is configured to determine a first packet community set (PCS) of a first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said PCS is determined by calculating an intersection of a source network address community set (NACS) of said first data packet, a destination NACS of said first data packet, and an application community set (ACS) of the sending process of said first data packet; and
a community information base coupled to said processing unit.
44. A Multi-Community Node (MCN) comprising:
a processing unit, wherein said processing unit is configured to determine a first packet community set (PCS) of a first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said PCS is encoded in a header of said first data packet, and wherein said PCS is determined by decoding said PCS from said header; and
a community information base coupled to said processing unit.
53. A carrier medium comprising program instructions, wherein said program instructions are executable to:
determine a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet;
discard said first data packet in response to detecting said PCS is null; and
process said first data packet in response to detecting said PCS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a process which sent said first data packet.
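The three packet checks claimed above (intersection of source and destination NSCS with the outgoing-packet ACS subset test of claim 1, the three-way NACS/ACS intersection of claim 12, and the header-carried PCS of claim 18) modelled with Python sets, as an added example that is not code from the patent. The community information base contents, community labels, hosts, ports and process names are all constructed for illustration.

```python
# Added example (not the patent's own code): community separation checks
# from claims 1, 12 and 18 expressed as set operations. The community
# information base (CIB) below is constructed; its labels are hypothetical.
from dataclasses import dataclass

# Constructed CIB: network service community sets (NSCS) keyed by (host, port),
# network address community sets (NACS) keyed by host, and application
# community sets (ACS) keyed by the name of the sending process.
NSCS = {("10.0.0.1", 443): {"red", "blue"}, ("10.0.0.2", 443): {"blue"},
        ("10.0.0.3", 25): {"green"}}
NACS = {"10.0.0.1": {"red", "blue"}, "10.0.0.2": {"blue", "green"},
        "10.0.0.3": {"green"}}
ACS = {"mailer": {"blue"}, "audit": {"red", "blue"}, "rogue": {"green"}}

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    outgoing: bool                       # True when sent by a local process
    process: str = ""                    # sending process (outgoing packets)
    header_pcs: frozenset = frozenset()  # PCS carried in the header (claim 18)

def check_claim1(pkt: Packet) -> str:
    """Claim 1: PCS = source NSCS ∩ destination NSCS. Discard if null; also
    discard an outgoing packet whose PCS is not a subset of the sender's ACS."""
    pcs = NSCS.get((pkt.src, pkt.sport), set()) & NSCS.get((pkt.dst, pkt.dport), set())
    if not pcs:
        return "discard"
    if pkt.outgoing and not pcs <= ACS.get(pkt.process, set()):
        return "discard"
    return "process"

def check_claim12(pkt: Packet) -> str:
    """Claim 12: PCS = source NACS ∩ destination NACS ∩ sender ACS; discard if null."""
    pcs = NACS.get(pkt.src, set()) & NACS.get(pkt.dst, set()) & ACS.get(pkt.process, set())
    return "process" if pcs else "discard"

def check_claim18(pkt: Packet) -> str:
    """Claim 18: the PCS is decoded from the header and must be a subset of
    source NACS ∩ destination NACS. A null header PCS is also discarded, as
    claim 44 requires, so an empty (vacuously subset) PCS cannot pass."""
    allowed = NACS.get(pkt.src, set()) & NACS.get(pkt.dst, set())
    if not pkt.header_pcs or not pkt.header_pcs <= allowed:
        return "discard"
    return "process"
```

The dictionary lookups default to the empty set, so any service, address or process absent from the CIB yields a null PCS and the packet is discarded rather than passed.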
Specification