Community separation control in a closed multi-community node
Abstract
A method and mechanism of enforcing, in a computer network, a community separation policy wherein the data of a particular user community should be accessible only by members of that community. A Multi-Community Node (MCN) processes information for users in multiple communities and must enforce the community separation policy. In a closed MCN, which runs only applications trusted to enforce the community separation policy, the method and mechanism perform a set of checks on packets received from and to be transmitted on a network, to ensure that all communications comply with the community separation policy. The checks (1) prevent communications from a network used by one community or communities to a network used by different communities; (2) ensure that packets sent by the MCN are output on an interface attached to a network for the intended community; and (3) detect when remote nodes communicating with the MCN spoof their source network address to masquerade as a node in another community. The enforcement method and mechanism use a database of associations of sets of communities corresponding to each network address of the MCN and each node with which it communicates, and of the set of communities associated with each network attached to the MCN.
81 Claims

1. A method of community separation control in a Multi-Community Node (MCN), said method comprising:
   determining a first packet community set (PCS) of a first data packet;
   discarding said first data packet in response to detecting said first PCS is null; and
   processing said first data packet in response to detecting said first PCS is not null.
   (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. A method of community separation control in a closed Multi-Community Node (MCN), said method comprising:
   validating a first and second network address of a first data packet;
   discarding said first data packet in response to detecting said first network address is not validated or said second network address is not validated; and
   processing said first data packet in response to detecting both said first and said second network addresses are validated.
   (Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 39, 40)

19. A multi-community node comprising:
   a processing unit, wherein said processing unit is configured to determine a first packet community set (PCS) of a first data packet, discard said first data packet in response to detecting said first PCS is null, and process said first data packet in response to detecting said first PCS is not null; and
   a community information base coupled to said processing unit.

26. A multi-community node comprising:
   a processing unit, wherein said processing unit is configured to validate a first and second network address of a first data packet, discard said first data packet in response to detecting said first network address is not validated or said second network address is not validated, and process said first data packet in response to detecting both said first and said second network addresses are validated; and
   a community information base coupled to said processing unit.

34. A computer network comprising:
   a multi-community node (MCN), wherein said node comprises:
   a processing unit configured to determine a first packet community set (PCS) of a first data packet, discard said first data packet in response to detecting said first PCS is null, and process said first data packet in response to detecting said first PCS is not null, and a community information base coupled to said processing unit;
   a first computer network coupled to said MCN; and
   a second computer network coupled to said MCN.

41. A computer network comprising:
   a multi-community node (MCN), wherein said node comprises:
   a processing unit, wherein said processing unit is configured to validate a first and second network address of a first data packet, discard said first data packet in response to detecting said first network address is not validated or said second network address is not validated, and process said first data packet in response to detecting both said first and said second network addresses are validated, and a community information base coupled to said processing unit;
   a first computer network coupled to said MCN; and
   a second computer network coupled to said MCN.
   (Dependent claims: 42, 43, 44, 45, 46, 47, 48, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)

49. A method of community separation control in a Multi-Community Node (MCN), said method comprising:
   ensuring routing table compliance with a community separation policy, wherein all routing table updates are validated to ensure said compliance; and
   validating a data packet;
   allowing further processing of said data packet in response to detecting said data packet is validated; and
   discarding said data packet in response to detecting said data packet is not validated.

60. A multi-community node comprising:
   a processing unit, wherein said processing unit is configured to ensure routing table compliance with a community separation policy, wherein all routing table updates are validated to ensure said compliance, validate a data packet, allow further processing of said data packet in response to detecting said data packet is validated, and discard said data packet in response to detecting said data packet is not validated; and
   a community information base (CIB) coupled to said processing unit.
   (Dependent claims: 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)

71. A computer network comprising:
   a multi-community node (MCN), wherein said node comprises:
   a processing unit, wherein said processing unit is configured to ensure routing table compliance with a community separation policy, wherein all routing table updates are validated to ensure said compliance, validate a data packet, allow further processing of said data packet in response to detecting said data packet is validated, and discard said data packet in response to detecting said data packet is not validated; and
   a community information base (CIB) coupled to said processing unit;
   a first computer network coupled to said MCN; and
   a second computer network coupled to said MCN.
   (Dependent claims: 72, 73, 74, 75, 76, 77, 78, 79, 80, 81)