Policy gateway

US 20020143948A1
Filed: 04/11/2001
Published: 10/03/2002
Est. Priority Date: 03/28/2001
Status: Active Grant

First Claim

Patent Images

1. A network processing system for enforcing network policies on a network, the network consisting of multiple data packets, the data packets forming a plurality of flows, the network processing system comprising:

a network interface operable to receive data packets from the network and further operable to send processed data packets back onto the network; and

a processing engine in communication with the network interface, the processing engine operable to associate each data packet with an identifier, wherein the identifier is associated with the flow of which the data packet is part, the processing engine further operable to compare each flow to a database stored in the processing engine, the database storing information on a set of programmable network policies, the set of programmable network policies determining a treatment for each flow, such that the processing engine is able to modify and direct the data packets according to the treatment indicated.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network processing system is described that functions as a policy gateway in order to enforce programmable network policies designed to provide quality of service in and across networks. The programmable network policies are converted into an image load file using a management interface at a remote server, and sent to the network processing system where the image is loaded into a processing engine. The network processing system includes line interfaces to take the data from the network and to send processed data back onto the network. Unidirectional processing engines take the data from the line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are then compared to the database of programmable network policies and the processing engine determines a treatment based on the results of the comparison. A quality of service processor in the processing engine then uses the treatment to modify and direct the data packets in a manner consistent with the network policies.

Citations

23 Claims

1. A network processing system for enforcing network policies on a network, the network consisting of multiple data packets, the data packets forming a plurality of flows, the network processing system comprising:
- a network interface operable to receive data packets from the network and further operable to send processed data packets back onto the network; and
  
  a processing engine in communication with the network interface, the processing engine operable to associate each data packet with an identifier, wherein the identifier is associated with the flow of which the data packet is part, the processing engine further operable to compare each flow to a database stored in the processing engine, the database storing information on a set of programmable network policies, the set of programmable network policies determining a treatment for each flow, such that the processing engine is able to modify and direct the data packets according to the treatment indicated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network processing system of claim 1 further comprising a second processing engine, wherein each processing engine is unidirectional in the opposite direction thereby creating a bidirectional network processing system.
  - 3. The network processing system of claim 1 wherein the processing engine maintains a state for one or more flows, the state associated with each flow using the identifier.
  - 4. The network processing system of claim 3 wherein the state existing for the particular flow at the time a new packet belonging to the particular flow is examined is used in conjunction with the database to determine the treatment.
  - 5. The network processing system of claim 1 wherein the processing engine is able to examine the entire contents of each packet.
  - 6. The network processing system of claim 1 wherein the programmable network policies are programmed at a separate server and downloaded into the network processing system in the form of an image file.
  - 7. The network processing system of claim 1 wherein the set of programmable network policies are stored as signatures in a signature memory.
  - 8. The network processing system of claim 1 wherein the processing engine includes a header preprocessor for examining header information in the packet, a content processor for comparing the packet to the database and determining a treatment, and a quality of service processor for modifying the packet and directing the packet according to the treatment.
  - 9. The network processing system of claim 8 wherein each processing engine further includes a microprocessor for supplemental operations.

10. A network processing system for enforcing network policies on a network, the network consisting of a plurality of data packets, the plurality of data packets forming a plurality of flows, the network processing system comprising:
- at least one left line interface operable to receive data packets from the network and to send processed data packets onto the network;
  
  at least one right line interface operable to receive data packets from the network and to send processed data packets onto the network;
  
  a right processing engine receiving data packets from the left interface, and sending processed data packets to the right line interface; and
  
  a left processing engine receiving data packets from the right interface, and sending processed data packets to the left line interface;
  
  each of the right and left processing engines further comprising;
  
  a traffic flow processor processing the data packets to associate each data packet with a particular flow, to maintain state for a subset of flows, and to compare each flow to a database of network policies, the data base of network policies indicating a treatment for the data packets of each flow;
  
  a quality of service processor communicating with the traffic flow processor and receiving the treatment from the traffic flow processor instructing the quality of service processor how to modify the contents of the data packet and which quality of service to give the data packet.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23)
- - 11. The network processing system of claim 10 further comprising a management module connected with the left and the right processing engines through a bus interface, the management module including a microprocessor able to communicate with the left and the right processing engines.
  - 12. The network processing system of claim 10 wherein the left and the right processing engines exchange information concerning flows.
  - 13. The network processing system of claim 10 wherein the traffic flow processor is comprised of a header preprocessor and a content processor, the header preprocessor operable to examine header information for each packet, and the content processor operable to compare the packet with the database of network policies.
  - 14. The network processing system of claim 10 wherein the database of network policies is a memory image of signatures, the signatures forming the network policies.
  - 15. The network processing system of claim 10 wherein the state existing for the particular flow at the time a new packet belonging to the particular flow is examined is used in conjunction with the database to determine the treatment.
  - 16. The network processing system of claim 10 wherein the programmable network policies are programmed using a management interface on a separate server and downloaded into the network processing system in the form of an image file.
  - 17. The network processing system of claim 16 wherein the management interface also acts to retrieve statistical and event information from the network processing system.
  - 18. The network processing system of claim 10 wherein the left and right processing engines further comprise a microprocessor for supplemental processing operations.
  - 20. The network processing system and management interface of claim 19 wherein the management interface is further operable to retrieve statistical and event information from each of the network processing systems.
  - 21. The network processing system and management interface of claim 19 wherein the image includes source files used to create the image.
  - 22. The network processing system and management interface of claim 19 wherein the network processing system further includes a management module in communication with the processing engine and the management interface.
  - 23. The network processing system and management interface of claim 19 wherein the network processing system further comprises a second processing engine, wherein each processing engine is unidirectional in the opposite direction thereby creating a bi-directional network processing system.

19. A network processing system and management interface for enforcing network policies on a network, the network consisting of a plurality of data packets forming a plurality of flows, the network processing system comprising:
- at least one network processing system operable to process network traffic, each network processing system further comprising;
  
  a network interface operable to receive data packets from the network and further operable to send processed data packets back onto the network; and
  
  a processing engine in communication with the network interface, the processing engine operable to associate each data packet with an identifier, wherein the identifier is associated with the flow to which the data packet belongs, the processing engine further operable to compare each flow to a database stored in the processing engine, the database storing information on a set of programmable network policies, the set of programmable network policies determining a treatment for each flow, such that the processing engine is able to modify and direct the data packets according to the treatment indicated; and
  
  a management interface to control each network processing system programmed on a separate server in communication with each network processing system, the management interface including a programming interface to allow a user to program each network processing system, an image builder to convert the program into an image that can be loaded into the appropriate network processing system, and an interface program operable to communicate with and to send the image file to the appropriate network processing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AudioCodes, Inc. (Audiocodes Limited)
Original Assignee
Netrake Corp. (Audiocodes Limited)
Inventors
Maher, Robert Daniel III, Lie, Milton Andre, Rana, Aswinkumar Vishanji, Hervin, Mark Warden, Deerman, James Robert, Carman, John Raymond, Strother, Travis Ernest Jr., Maxwell, Larry Gene

Granted Patent

US 6,957,258 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/226
CPC Class Codes

H04L 41/0856   by backing up or archiving ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 45/302   Route determination based o...

H04L 45/306   Route determination based o...

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/22   Traffic shaping

H04L 47/2408   for supporting different se...

H04L 47/2441   relying on flow classificat...

H04L 47/2458   Modification of priorities ...

H04L 47/32   by discarding or delaying d...

Policy gateway

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Policy gateway

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links