Policy gateway
Abstract
A network processing system is described that functions as a policy gateway in order to enforce programmable network policies designed to provide quality of service in and across networks. The programmable network policies are converted into an image load file using a management interface at a remote server, and sent to the network processing system where the image is loaded into a processing engine. The network processing system includes line interfaces to take the data from the network and to send processed data back onto the network. Unidirectional processing engines take the data from the line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are then compared to the database of programmable network policies and the processing engine determines a treatment based on the results of the comparison. A quality of service processor in the processing engine then uses the treatment to modify and direct the data packets in a manner consistent with the network policies.
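The flow-classification and policy-lookup path the abstract describes, as an added illustration rather than code from the patent: each packet is mapped to a flow identifier (the 5-tuple), the first packet of a flow is matched against a policy database, the resulting treatment is cached per flow, and the QoS stage then rewrites the packet's DiffServ marking and directs it to a queue. Packets are constructed dicts; the policy entries, the `Treatment` fields, CIDR matching on addresses and first-match-wins ordering are all assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Treatment:
    action: str                        # "forward" or "drop"
    dscp: Optional[int] = None         # None: leave the packet's DiffServ marking alone
    queue: str = "best-effort"         # output queue the QoS stage directs the packet to
    max_packets: Optional[int] = None  # per-flow cap; only such flows need state
# Constructed policy database: (match fields, treatment). Absent keys are
# wildcards, src/dst are CIDR prefixes, and the first matching entry wins.
POLICIES = [
    ({"proto": "udp", "dport": 53}, Treatment("forward", dscp=24, queue="priority")),
    ({"proto": "tcp", "dport": 443, "src": "10.0.0.0/8"}, Treatment("forward", dscp=46, queue="priority")),
    ({"proto": "tcp", "dport": 23}, Treatment("drop")),
    ({"proto": "udp", "dport": 5060}, Treatment("forward", dscp=40, queue="priority", max_packets=3)),
]
DEFAULT = Treatment("forward")  # best-effort forwarding for flows no policy names

def matches(rule: dict, pkt: dict) -> bool:
    for key, want in rule.items():
        if key in ("src", "dst"):
            if ip_address(pkt[key]) not in ip_network(want):
                return False
        elif pkt[key] != want:
            return False
    return True
class ProcessingEngine:
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.flow_treatment = {}  # flow identifier -> cached policy lookup
        self.flow_packets = {}    # per-flow state, kept for capped flows only
    def process(self, pkt: dict) -> Optional[dict]:
        fid = tuple(pkt[k] for k in ("proto", "src", "dst", "sport", "dport"))
        t = self.flow_treatment.get(fid)
        if t is None:  # first packet of a flow: consult the policy database
            t = next((tr for rule, tr in self.policies if matches(rule, pkt)), DEFAULT)
            self.flow_treatment[fid] = t
        if t.action == "drop":
            return None
        if t.max_packets is not None:  # stateful treatment: count this flow's packets
            self.flow_packets[fid] = self.flow_packets.get(fid, 0) + 1
            if self.flow_packets[fid] > t.max_packets:
                return None
        if t.dscp is not None:  # modify the packet, then direct it to its queue
            pkt["dscp"] = t.dscp
        pkt["queue"] = t.queue
        return pkt
```

Because the treatment is cached per flow, loading a new policy image into the engine must also invalidate `flow_treatment`, otherwise flows that were already active keep the treatment chosen under the old policy set.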
23 Claims
1. A network processing system for enforcing network policies on a network, the network consisting of multiple data packets, the data packets forming a plurality of flows, the network processing system comprising:
a network interface operable to receive data packets from the network and further operable to send processed data packets back onto the network; and
a processing engine in communication with the network interface, the processing engine operable to associate each data packet with an identifier, wherein the identifier is associated with the flow of which the data packet is part, the processing engine further operable to compare each flow to a database stored in the processing engine, the database storing information on a set of programmable network policies, the set of programmable network policies determining a treatment for each flow, such that the processing engine is able to modify and direct the data packets according to the treatment indicated.
Dependent claims: 2 to 9.
10. A network processing system for enforcing network policies on a network, the network consisting of a plurality of data packets, the plurality of data packets forming a plurality of flows, the network processing system comprising:
at least one left line interface operable to receive data packets from the network and to send processed data packets onto the network;
at least one right line interface operable to receive data packets from the network and to send processed data packets onto the network;
a right processing engine receiving data packets from the left line interface, and sending processed data packets to the right line interface; and
a left processing engine receiving data packets from the right line interface, and sending processed data packets to the left line interface;
each of the right and left processing engines further comprising:
a traffic flow processor processing the data packets to associate each data packet with a particular flow, to maintain state for a subset of flows, and to compare each flow to a database of network policies, the database of network policies indicating a treatment for the data packets of each flow;
a quality of service processor communicating with the traffic flow processor and receiving the treatment from the traffic flow processor instructing the quality of service processor how to modify the contents of the data packet and which quality of service to give the data packet.
Dependent claims: 11 to 18 and 20 to 23.
19. A network processing system and management interface for enforcing network policies on a network, the network consisting of a plurality of data packets forming a plurality of flows, the network processing system comprising:
at least one network processing system operable to process network traffic, each network processing system further comprising:
a network interface operable to receive data packets from the network and further operable to send processed data packets back onto the network; and
a processing engine in communication with the network interface, the processing engine operable to associate each data packet with an identifier, wherein the identifier is associated with the flow to which the data packet belongs, the processing engine further operable to compare each flow to a database stored in the processing engine, the database storing information on a set of programmable network policies, the set of programmable network policies determining a treatment for each flow, such that the processing engine is able to modify and direct the data packets according to the treatment indicated; and
a management interface to control each network processing system programmed on a separate server in communication with each network processing system, the management interface including a programming interface to allow a user to program each network processing system, an image builder to convert the program into an image that can be loaded into the appropriate network processing system, and an interface program operable to communicate with and to send the image file to the appropriate network processing system.