Establishment and enforcement of policies in packet-switched networks

US 20050047412A1
Filed: 08/25/2003
Published: 03/03/2005
Est. Priority Date: 08/25/2003
Status: Abandoned Application

First Claim

Patent Images

1. A system for synchronizing a plurality of network policies amongst a plurality of network nodes, the plurality of network policies operative of the plurality of nodes to regulate data traffic through the plurality of nodes, the system comprising:

an ordered plurality of classifications of the plurality of network policies, the ordered plurality of classifications including a first one or more classifications identifying policies enabling collusion between the plurality of network nodes to support a common database of network policies, a second one or more classifications identifying policies for compressing or expanding information passed amongst the plurality of nodes, a third one or more classifications including policies for route distribution and selection in the plurality of nodes;

a plurality of local policy databases, each of the plurality of local policy databases residing on a respective node in the plurality of nodes, each of the local policy databases further including a plurality of policy instances operative on the respective node; and

a plurality of synchronization processes resident on the plurality of nodes, the plurality of synchronization processes operative to minimize a convergence time between the plurality of local databases and the common database of network policies, wherein the plurality of synchronization processes are further operative to map network policies received at the respective node to the ordered plurality of classifications.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Policy domains are introduced, which include methods and algorithms for ensuring policy consistency within defined regions of one or more communications networks. Examples of such policies include network functions such as routing, filtering, security, authentication, information summarization and expansion. These policies may be organized into hierarchies of policy categories. The policy domains include mechanisms for adding and deleting policies while preserving consistency, as well a mechanisms for allowing fast synchronization and convergence of policies between local databases resident different nodes/peers in the networks. Policy domains may be delineated by pre-existing logical topologies, such as autonomous systems, or may have evolving boundaries.

Citations

39 Claims

1. A system for synchronizing a plurality of network policies amongst a plurality of network nodes, the plurality of network policies operative of the plurality of nodes to regulate data traffic through the plurality of nodes, the system comprising:
- an ordered plurality of classifications of the plurality of network policies, the ordered plurality of classifications including a first one or more classifications identifying policies enabling collusion between the plurality of network nodes to support a common database of network policies, a second one or more classifications identifying policies for compressing or expanding information passed amongst the plurality of nodes, a third one or more classifications including policies for route distribution and selection in the plurality of nodes;
  
  a plurality of local policy databases, each of the plurality of local policy databases residing on a respective node in the plurality of nodes, each of the local policy databases further including a plurality of policy instances operative on the respective node; and
  
  a plurality of synchronization processes resident on the plurality of nodes, the plurality of synchronization processes operative to minimize a convergence time between the plurality of local databases and the common database of network policies, wherein the plurality of synchronization processes are further operative to map network policies received at the respective node to the ordered plurality of classifications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein the plurality of nodes are distributed across one or more wide area networks.
  - 3. The system of claim 1, wherein the plurality of nodes are at least partially packet-switched.
  - 4. The system of claim 1, wherein the plurality of nodes are at least partially cell-switched.
  - 5. The system of claim 1, wherein the plurality of nodes at least partially overlap one or more autonomous systems.
  - 6. The system of claim 1, wherein the plurality of nodes at least partially overlap two or more autonomous systems.
  - 7. The system of claim 1, wherein the plurality of nodes communicate at least partially via an Interior Gateway Protocol.
  - 8. The system of claim 1, wherein the plurality of nodes communicate at least partially via an Exterior Gateway Protocol.
  - 9. The system of claim 1, wherein the plurality of nodes communicate at least partially via Border Gateway Protocol (BGP)
  - 10. The system of claim 1, wherein the first one or more classifications further identifies policies for validating network information exchanged amongst the plurality of nodes.
  - 11. The system of claim 1, wherein the first one or more classifications further identifies policies for validating information exchanged amongst the plurality of nodes for security.
  - 12. The system of claim 11, wherein the first one or more classifications further identifies policies for validating information exchanged amongst the plurality of nodes for conformance to syntax.
  - 13. The system of claim 11, wherein the first one or more classifications further identifies policies for validating information exchanged amongst the plurality of nodes for appropriate syntax.
  - 14. The system of claim 11, wherein the first one or more classifications further identifies policies for ensuring that information received at the respective node has arrived intact from a trusted source.
  - 15. The system of claim 1, wherein the first one or more classifications further identifies policies for validating security of information exchanged amongst the plurality of nodes.
  - 16. The system of claim 1, further comprising:
    - a plurality of consistency enforcement processes resident on the plurality of nodes, the plurality of consistent enforcement processes ensuring internal consistency of the plurality of local databases.
  - 17. The system of claim 1, wherein each of the plurality of nodes includes one or more routers.

18. In an inter-network including a plurality of interconnected communications nodes, a method of colluding between the plurality of nodes, the method comprising:
- at a first node in the plurality of nodes, receiving a network policy instance from a second node in the plurality of nodes, the network policy instance regulating processing of data traversing the inter-network;
  
  determining consistency of the network policy instance with a local policy database resident in the first node, the local policy database regulating network processing in the first node, determining consistency of the network policy instance further including identifying the network policy instance in a hierarchy of network policies to determine a rank for the network policy instance; and
  
  if and only if the network policy is consistent with the local policy database, adding the network policy to the local policy database.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 19. The method of claim 18, wherein the plurality of network nodes are distributed across one or more autonomous systems.
  - 20. The method of claim 18, wherein the plurality of network nodes are distributed across two or more autonomous systems.
  - 21. The method of claim 18, wherein the plurality of network nodes are at least partially packet-switched.
  - 22. The method of claim 18 wherein the plurality of network nodes are at least partially cell-based.
  - 23. The method of claim 18, wherein the inter-network includes one or more Exterior Gateway Protocols.
  - 24. The method of claim 18, wherein the inter-network includes one or more interior gateway protocols.
  - 25. The method of claim 18, wherein the inter-network employs Border Gateway Protocol.
  - 26. The method of claim 18, wherein the network policy instance specifies which of the plurality of nodes are reachable from the first node.
  - 27. The method of claim 18, wherein the network policy instance specifies certificate authorities for authenticating information passed between the plurality of nodes.
  - 28. The method of claim 18, wherein the network policy instance specifies syntax rules for packets received by the first node.
  - 29. The method of claim 18, wherein the network policy instance specifies attestation policies for the first node.
  - 30. The method of claim 29, wherein the attestation policies are based on IPSec.
  - 31. The method of claim 29, wherein the attestation policies are based on MD-5.
  - 32. The method of claim 29, wherein the attestation policies are based on Public Key Infrastructure.
  - 33. The method of claim 18, wherein the network policy instance specifies policies for compressing information forwarded in the plurality of nodes.
  - 34. The method of claim 18, wherein the network policy instance specifies policies for expanding information traversing the plurality of nodes.
  - 35. The method of claim 18, wherein the network policy instance specifies route selection policies.
  - 36. The method of claim 18, wherein the network policy instance specifies route distribution policies.
  - 37. The method of claim 36, wherein the route distribution policies may be time-based.
  - 38. The method of claim 37, wherein the route distribution policies may be event-based.
  - 39. The method of claim 18, wherein the network policy instance includes peer policies, the peer policies determining at least one of a network information base supported by the peer and one or more protocol functions supported by the peer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nexthop Technologies
Original Assignee
Nexthop Technologies
Inventors
Hares, Susan

Application Number

US10/648,141
Publication Number

US 20050047412A1
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 45/02   Topology update or discovery

H04L 45/021   Ensuring consistency of rou...

H04L 45/033   by updating distance vector...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/308   Route determination based o...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Establishment and enforcement of policies in packet-switched networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Establishment and enforcement of policies in packet-switched networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links