Method and apparatus for managing packet flows for multiple network services

US 20040122967A1
Filed: 12/23/2002
Published: 06/24/2004
Est. Priority Date: 12/23/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for simultaneously managing network data traffic for multiple network services, comprising:

receiving flow rules for network data traffic from multiple network services, wherein the flow rules from the multiple network services can possibly conflict; and

collapsing the flow rules from the multiple network services into a consistent set of flow rules in a low-level form that can be efficiently applied to a packet flow; and

installing the consistent set of flow rules into a flow enforcement device, which applies the consistent set of flow rules to a packet flow received from a high-speed network connection;

whereby the flow rules from the multiple network services can be simultaneously applied to packet flow, instead of being applied separately by each network service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates managing network data traffic for multiple network services. During operation, the system receives flow rules for network data traffic from multiple network services, wherein the flow rules can possibly conflict. Next, the system collapses the flow rules from the multiple network services into a consistent set of flow rules in a low-level form that can be efficiently applied to a packet flow. The system subsequently installs the consistent set of flow rules into a flow enforcement device, which applies the consistent set of flow rules to a packet flow received from a high-speed network connection. In this way, the flow rules from the multiple network services can be simultaneously applied to packet flow, instead of being applied separately by each network service.

Citations

24 Claims

1. A method for simultaneously managing network data traffic for multiple network services, comprising:
- receiving flow rules for network data traffic from multiple network services, wherein the flow rules from the multiple network services can possibly conflict; and
  
  collapsing the flow rules from the multiple network services into a consistent set of flow rules in a low-level form that can be efficiently applied to a packet flow; and
  
  installing the consistent set of flow rules into a flow enforcement device, which applies the consistent set of flow rules to a packet flow received from a high-speed network connection;
  
  whereby the flow rules from the multiple network services can be simultaneously applied to packet flow, instead of being applied separately by each network service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein each of the low-level flow rules specifies:
    - a filter that defines a class of packets in the packet flow; and
      
      an action that defines an operation to be applied to the class of packets.
  - 3. The method of claim 2, wherein an operation defined by a low-level flow rule can include:
    - dropping a packet;
      
      gathering statistical information about the packet;
      
      controlling timer functions associated with the packet;
      
      modifying the packet; and
      
      passing the packet on.
  - 4. The method of claim 1, further comprising:
    - detecting a new flow at the flow enforcement device; and
      
      in response to detecting the new flow, creating a new rule for the new flow, and integrating the new rule into the consistent set of flow rules installed in the flow enforcement device, so that the flow enforcement device can handle the new flow.
  - 5. The method of claim 1, wherein the multiple network services can include:
    - a firewall service;
      
      a service level agreement monitoring service;
      
      a load balancing service;
      
      a transport matching service;
      
      a failover service; and
      
      a high availability service.
  - 6. The method of claim 1, further comprising:
    - receiving environment information from an environment agent; and
      
      using the environment information to update the consistent set of flow rules.
  - 7. The method of claim 1, further comprising:
    - receiving information from an application; and
      
      using the information to update the consistent set of flow rules.
  - 8. The method of claim 1, wherein collapsing the flow rules from the multiple network services into a consistent set of flow rules involves prioritizing the flow rules received from the multiple network services.

9. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for simultaneously managing network data traffic for multiple network services, the method comprising:
- receiving flow rules for network data traffic from multiple network services, wherein the flow rules from the multiple network services can possibly conflict; and
  
  collapsing the flow rules from the multiple network services into a consistent set of flow rules in a low-level form that can be efficiently applied to a packet flow; and
  
  installing the consistent set of flow rules into a flow enforcement device, which applies the consistent set of flow rules to a packet flow received from a high-speed network connection;
  
  whereby the flow rules from the multiple network services can be simultaneously applied to packet flow, instead of being applied separately by each network service.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage medium of claim 9, wherein each of the low-level flow rules specifies:
    - a filter that defines a class of packets in the packet flow; and
      
      an action that defines an operation to be applied to the class of packets.
  - 11. The computer-readable storage medium of claim 10, wherein an operation defined by a low-level flow rule can include:
    - dropping a packet;
      
      gathering statistical information about the packet;
      
      controlling timer functions associated with the packet;
      
      modifying the packet; and
      
      passing the packet on.
  - 12. The computer-readable storage medium of claim 9, wherein the method further comprises:
    - detecting a new flow at the flow enforcement device; and
      
      in response to detecting the new flow, creating a new rule for the new flow, and integrating the new rule into the consistent set of flow rules installed in the flow enforcement device, so that the flow enforcement device can handle the new flow.
  - 13. The computer-readable storage medium of claim 9, wherein the multiple network services can include:
    - a firewall service;
      
      a service level agreement monitoring service;
      
      a load balancing service;
      
      a transport matching service;
      
      a failover service; and
      
      a high availability service.
  - 14. The computer-readable storage medium of claim 9, wherein the method further comprises:
    - receiving environment information from an environment agent; and
      
      using the environment information to update the consistent set of flow rules.
  - 15. The computer-readable storage medium of claim 9, wherein the method further comprises:
    - receiving information from an application; and
      
      using the information to update the consistent set of flow rules.
  - 16. The computer-readable storage medium of claim 9, wherein collapsing the flow rules from the multiple network services into a consistent set of flow rules involves prioritizing the flow rules received from the multiple network services.

17. An apparatus that simultaneously manages network data traffic for multiple network services, comprising:
- a rule receiving mechanism configured to receive flow rules for network data traffic from multiple network services, wherein the flow rules from the multiple network services can possibly conflict; and
  
  a collapsing mechanism configured to collapse the flow rules from the multiple network services into a consistent set of flow rules in a low-level form that can be efficiently applied to a packet flow; and
  
  an installing mechanism configured to install the consistent set of flow rules into a flow enforcement device, which applies the consistent set of flow rules to a packet flow received from a high-speed network connection;
  
  whereby the flow rules from the multiple network services can be simultaneously applied to packet flow, instead of being applied separately by each network service.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, wherein each of the low-level flow rules specifies:
    - a filter that defines a class of packets in the packet flow; and
      
      an action that defines an operation to be applied to the class of packets.
  - 19. The apparatus of claim 18, wherein an operation defined by a low-level flow rule can include:
    - dropping a packet;
      
      gathering statistical information about the packet;
      
      controlling timer functions associated with the packet;
      
      modifying the packet; and
      
      passing the packet on.
  - 20. The apparatus of claim 17, further comprising:
    - a flow detecting mechanism within the flow enforcement device configured to detect a new flow; and
      
      a rule updating mechanism configured to, create a new rule for the new flow, and to integrate the new rule into the consistent set of flow rules installed in the flow enforcement device, so that the flow enforcement device can handle the new flow.
  - 21. The apparatus of claim 17, wherein the multiple network services can include:
    - a firewall service;
      
      a service level agreement monitoring service;
      
      a load balancing service;
      
      a transport matching service;
      
      a failover service; and
      
      a high availability service.
  - 22. The apparatus of claim 17, further comprising a rule updating mechanism configured to:
    - receive environment information from an environment agent; and
      
      to use the environment information to update the consistent set of flow rules.
  - 23. The apparatus of claim 17, further comprising a rule updating mechanism configured to:
    - receive information from an application; and
      
      to use the information to update the consistent set of flow rules.
  - 24. The apparatus of claim 17, wherein the collapsing mechanism is configured to prioritize the flow rules received from the multiple network services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Bressler, Robert D., Schuba, Christoph L., Speer, Michael F.

Application Number

US10/329,016
Publication Number

US 20040122967A1
Time in Patent Office

Days
Field of Search
US Class Current

709/232
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/125   by balancing the load, e.g....

H04L 47/20   Traffic policing

H04L 47/2425   for supporting services spe...

H04L 47/2441   relying on flow classificat...

H04L 47/32   by discarding or delaying d...

Method and apparatus for managing packet flows for multiple network services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for managing packet flows for multiple network services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links