Method and apparatus for providing network security using role-based access control

US 20050055573A1
Filed: 09/10/2003
Published: 03/10/2005
Est. Priority Date: 09/10/2003
Status: Active Grant

First Claim

Patent Images

1. A network device comprising:

an access control list, wherein said access control list comprises an access control list entry, and said access control list entry comprises a user group field.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.

136 Citations

117 Claims

1. A network device comprising:
- an access control list, wherein said access control list comprises an access control list entry, and said access control list entry comprises a user group field.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network device of claim 1, wherein said access control list comprises a plurality of access control list entries, and said access control list entries comprise said access control list entry.
  - 3. The network device of claim 2, wherein said access control list entry further comprises:
    - a flow label field, wherein said flow label field allows said access control list entry to be identified as a role-based access control list (RBACL) entry.
  - 4. The network device of claim 2, wherein said access control list entry further comprises:
    - a plurality of user group fields, wherein said user group fields comprise said user group field.
  - 5. The network device of claim 4, wherein said user group fields further comprise:
    - a source user group field; and
      
      a destination user group field.
  - 6. The network device of claim 5, wherein said source user group field stores a source user group identifier, and said source user group identifier identifies a user group of a source of a packet processed using said access control list.
  - 7. The network device of claim 5, wherein said destination user group field stores a destination user group identifier, and said destination user group identifier identifies a user group of a destination of a packet processed using said access control list.

8. A network device comprising:
- a forwarding table, wherein said forwarding table comprises a plurality of forwarding table entries, and at least one forwarding table entry of said forwarding table entries comprises a user group field.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The network device of claim 8, wherein said at least one forwarding table entry further comprises:
    - a port identifier field, wherein a port identifier stored in said port identifier field identifies a port.
  - 10. The network device of claim 9, wherein a user group, identified by a user group identifier stored in said user group field, is associated with said port.
  - 11. The network device of claim 10, wherein said at least one forwarding table entry further comprises:
    - a media access control (MAC) address field configured to store a MAC address; and
      
      a virtual local area network (VLAN) identifier field, wherein a VLAN identifier stored in said VLAN identifier field identifies a VLAN, and a combination of said MAC address and said VLAN identifier identify said port and a user group identified by a user group identifier stored in said user group field.
  - 12. The network device of claim 10, wherein said at least one forwarding table entry further comprises:
    - a media access control (MAC) address field configured to store a MAC address, wherein said MAC address is associated with a user group identified by a user group identifier stored in said user group field.
  - 13. The network device of claim 8, wherein said at least one forwarding table entry further comprises:
    - a virtual local area network (VLAN) identifier field, wherein a VLAN identifier stored in said VLAN identifier field identifies a VLAN, and said VLAN is associated with a user group identified by a user group identifier stored in said user group field.

14. A method comprising:
- comparing a user group of a packet with a user group of a destination of said packet.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 15. The method of claim 14, wherein said user group of said destination of said packet is identified by a user group identifier, and said user group identifier is stored in a role-based access control list entry of an access control list.
  - 16. The method of claim 14, wherein said user group of said packet is a source user group, and said user group of said destination of said packet is a destination user group.
  - 17. The method of claim 16, wherein said source user group is assigned to a source of said packet based on a role of said source, and said destination user group is assigned to said destination based on a role of said destination.
  - 18. The method of claim 16, further comprising:
    - retrieving said destination user group from a forwarding information base.
  - 19. The method of claim 18, further comprising:
    - storing said destination user group in an access control list.
  - 20. The method of claim 16, wherein said source user group is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device receiving said packet.
  - 21. The method of claim 16, further comprising:
    - determining said source user group; and
      
      determining said destination user group by looking up said destination user group in an access control list.
  - 22. The method of claim 21, wherein said destination user group is identified by a destination user group identifier, and said destination user group identifier is stored in a role-based access control list entry of said access control list.
  - 23. The method of claim 21, wherein said access control list is a role-based access control list.
  - 24. The method of claim 21, wherein said determining said source user group comprises:
    - extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.
  - 25. The method of claim 24, further comprising:
    - populating said access control list with a destination user group identifier, wherein said destination user group identifier identifies said destination user group.
  - 26. The method of claim 25, wherein said destination user group is assigned to said destination based on a role of said destination.
  - 27. The method of claim 25, wherein said comparing and said populating are performed by a network device, and said populating comprises sending a request to another network device, and receiving a response from said another network device, wherein said response includes a destination user group identifier, and said destination user group identifier identifies said destination user group.
  - 28. The method of claim 14, further comprising:
    - populating a forwarding table with a user group identifier, wherein said user group identifier identifies said user group of said packet, and said user group of said packet indicates a user group of a source of said packet.
  - 29. The method of claim 28, wherein said source user group is assigned to said source based on a role of said source.
  - 30. The method of claim 28, wherein said user group is a source user group, and said user group identifier is a source user group identifier.
  - 31. The method of claim 30, wherein said comparing and said populating are performed by a network device, and said populating comprises determining said source user group.
  - 32. The method of claim 31, wherein said populating further comprises:
    - receiving an authentication message from another network device, wherein said response includes said source user group identifier.

33. A computer program product comprising:
- a first set of instructions, executable on a computer system, configured to compare a user group of a packet with a user group of a destination of said packet; and
  
  computer readable media, wherein said computer program product is encoded in said computer readable media.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 34. The computer program product of claim 33, wherein said user group of said packet is a source user group, and said user group of said destination of said packet is a destination user group.
  - 35. The computer program product of claim 34, further comprising:
    - a second set of instructions, executable on said computer system, configured to retrieve said destination user group from a forwarding information base.
  - 36. The computer program product of claim 35, further comprising:
    - a third set of instructions, executable on said computer system, configured to storing said destination user group in an access control list.
  - 37. The computer program product of claim 33, wherein said source user group is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device receiving said packet.
  - 38. The computer program product of claim 34, further comprising:
    - a second set of instructions, executable on said computer system, configured to determine said source user group; and
      
      a third set of instructions, executable on said computer system, configured to determine said destination user group by looking up said destination user group in an access control list.
  - 39. The computer program product of claim 38, wherein said second set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to extract a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.
  - 40. The computer program product of claim 39, further comprising:
    - a fourth set of instructions, executable on said computer system, configured to populate said access control list with a destination user group identifier, wherein said destination user group identifier identifies said destination user group.
  - 41. The computer program product of claim 33, further comprising:
    - a second set of instructions, executable on said computer system, configured to populate a forwarding table with a user group identifier, wherein said user group identifier identifies said user group of said packet, and said user group of said packet indicates a user group of a source of said packet.
  - 42. The computer program product of claim 41, wherein said second set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to determine said source user group.
  - 43. The computer program product of claim 42, wherein said second set of instructions comprises:
    - a second subset of instructions, executable on said computer system, configured to receive an authentication message from another network device, wherein said response includes said source user group identifier.

44. An apparatus comprising:
- means for comparing a user group of a packet with a user group of a destination of said packet.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 45. The apparatus of claim 44, wherein said user group of said packet is a source user group, and said user group of said destination of said packet is a destination user group.
  - 46. The apparatus of claim 45, further comprising:
    - means for retrieving said destination user group from a forwarding information base.
  - 47. The apparatus of claim 46, further comprising:
    - means for storing said destination user group in an access control list.
  - 48. The apparatus of claim 45, wherein said source user group is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device receiving said packet.
  - 49. The apparatus of claim 45, further comprising:
    - means for determining said source user group; and
      
      means for determining said destination user group by looking up said destination user group in an access control list.
  - 50. The apparatus of claim 49, wherein said means for determining said source user group comprises:
    - means for extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.
  - 51. The apparatus of claim 50, further comprising:
    - means for populating said access control list with a destination user group identifier, wherein said destination user group identifier identifies said destination user group.
  - 52. The apparatus of claim 44, further comprising:
    - means for populating a forwarding table with a user group identifier, wherein said user group identifier identifies said user group of said packet, and said user group of said packet indicates a user group of a source of said packet.
  - 53. The apparatus of claim 52, wherein said means for comparing and said means for populating are included in a network device, and said means for populating comprises determining said source user group.
  - 54. The apparatus of claim 53, wherein said means for populating further comprises:
    - means for receiving an authentication message from another network device, wherein said response includes said source user group identifier.

55. A method comprising:
- populating an access control list with a destination user group identifier, wherein said destination user group identifier identifies a destination user group of a destination.
- View Dependent Claims (56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 56. The method of claim 55, wherein said destination user group is assigned to said destination based on a role of said destination.
  - 57. The method of claim 55, wherein said populating is performed by a network device and comprises sending a request to another network device, and receiving a response from said another network device, wherein said response includes said destination user group identifier, and said destination user group identifier identifies said destination user group.
  - 58. The method of claim 55, further comprising:
    - comparing a user group of a packet with said destination user group.
  - 59. The method of claim 58, wherein said user group of said packet is a source user group, said destination user group is a user group of a destination of said packet, and said destination is said destination of said packet.
  - 60. The method of claim 59, wherein said source user group is assigned to a source of said packet based on a role of said source, and said destination user group is assigned to said destination based on a role of said destination.
  - 61. The method of claim 59, wherein said source user group is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device receiving said packet.
  - 62. The method of claim 59, further comprising:
    - determining said source user group; and
      
      determining said destination user group by looking up said destination user group in an access control list.
  - 63. The method of claim 62, wherein said access control list is a role-based access control list.
  - 64. The method of claim 62, wherein said determining said source user group comprises:
    - extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.

65. A computer program product comprising:
- a first set of instructions, executable on a computer system, configured to populate an access control list with a destination user group identifier, wherein said destination user group identifier identifies a destination user group of a destination; and
  
  computer readable media, wherein said computer program product is encoded in said computer readable media.
- View Dependent Claims (66, 67, 68, 69)
- - 66. The computer program product of claim 65, further comprising:
    - a second set of instructions, executable on said computer system, configured to compare a user group of a packet with said destination user group.
  - 67. The computer program product of claim 66, wherein said user group of said packet is a source user group, said destination user group is a user group of a destination of said packet, and said destination is said destination of said packet.
  - 68. The computer program product of claim 67, further comprising:
    - a third set of instructions, executable on said computer system, configured to determine said source user group; and
      
      a fourth set of instructions, executable on said computer system, configured to determine said destination user group by looking up said destination user group in an access control list.
  - 69. The computer program product of claim 68, wherein said third set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.

70. An apparatus comprising:
- means for populating an access control list with a destination user group identifier, wherein said destination user group identifier identifies a destination user group of a destination.
- View Dependent Claims (71, 72, 73, 74)
- - 71. The apparatus of claim 70, further comprising:
    - means for comparing a user group of a packet with said destination user group.
  - 72. The apparatus of claim 71, wherein said user group of said packet is a source user group, said destination user group is a user group of a destination of said packet, and said destination is said destination of said packet.
  - 73. The apparatus of claim 72, further comprising:
    - means for determining said source user group; and
      
      means for determining said destination user group by looking up said destination user group in an access control list.
  - 74. The apparatus of claim 73, wherein said means for determining said source user group comprises:
    - means for extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.

75. A method comprising:
- populating a forwarding table with a user group identifier.
- View Dependent Claims (76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86)
- - 76. The method of claim 75, wherein said user group identifier is a source user group identifier, and so identifies a source user group.
  - 77. The method of claim 76, wherein a source of a packet is in said source user group.
  - 78. The method of claim 77, wherein said source user group is assigned to said source based on a role of said source.
  - 79. The method of claim 77, wherein said populating comprises:
    - determining said source user group.
  - 80. The method of claim 79, wherein said populating is performed by a network device and further comprises:
    - receiving an authentication message from another network device, wherein said response includes said source user group identifier.
  - 81. The method of claim 77, wherein a destination of said packet is in a destination user group.
  - 82. The method of claim 81, wherein said destination user group is assigned to said destination based on a role of said destination.
  - 83. The method of claim 81, further comprising:
    - comparing a source user group of said packet with said destination user group.
  - 84. The method of claim 83, wherein said source user group of said packet is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device performing said comparison.
  - 85. The method of claim 81, further comprising:
    - determining said source user group; and
      
      determining said destination user group by looking up said destination user group in an access control list stored at said network device performing said comparison.
  - 86. The method of claim 85, wherein said determining said source user group comprises:
    - extracting said source user group identifier stored in said packet from said packet, wherein said source user group identifier stored in said packet identifies said source user group of said source of said packet.

87. A computer program product comprising:
- a first set of instructions, executable on a computer system, configured to populate a forwarding table with a user group identifier, wherein said user group identifier is a source user group identifier, and so identifies a source user group; and
  
  computer readable media, wherein said computer program product is encoded in said computer readable media.
- View Dependent Claims (88, 89, 90, 91, 92)
- - 88. The computer program product of claim 87, wherein said first set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to determine said source user group.
  - 89. The computer program product of claim 88, wherein said first set of instructions comprises:
    - a second subset of instructions, executable on said computer system, configured to receive an authentication message from another network device, wherein said response includes said source user group identifier.
  - 90. The computer program product of claim 87, wherein a destination of said packet is in a destination user group.
  - 91. The computer program product of claim 90, further comprising:
    - a second set of instructions, executable on said computer system, configured to determine said source user group; and
      
      a third set of instructions, executable on said computer system, configured to determine said destination user group by looking up said destination user group in an access control list stored at said network device performing said comparison.
  - 92. The computer program product of claim 91, wherein said second set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to extracting said source user group identifier stored in said packet from said packet, wherein said source user group identifier stored in said packet identifies said source user group of said source of said packet.

93. An apparatus comprising:
- means for populating a forwarding table with a user group identifier, wherein said user group identifier is a source user group identifier, and so identifies a source user group.
- View Dependent Claims (94, 95, 96, 97, 98)
- - 94. The apparatus of claim 93, wherein said means for populating comprises:
    - means for determining said source user group.
  - 95. The apparatus of claim 94, wherein said means for populating is performed by a network device and further comprises:
    - means for receiving an authentication message from another network device, wherein said response includes said source user group identifier.
  - 96. The apparatus of claim 93, wherein a destination of said packet is in a destination user group.
  - 97. The apparatus of claim 94, further comprising:
    - means for determining said source user group; and
      
      means for determining said destination user group by looking up said destination user group in an access control list stored at said network device performing said comparison.
  - 98. The apparatus of claim 97, wherein said means for determining said source user group comprises:
    - means for extracting said source user group identifier stored in said packet from said packet, wherein said source user group identifier stored in said packet identifies said source user group of said source of said packet.

99. A method comprising:
- indexing a row of a permissions matrix with a first user group; and
  
  indexing a column of said permissions matrix with a second user group.
- View Dependent Claims (100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110)
- - 100. The method of claim 99, wherein said first user group is a source user group, and said second user group is a destination user group.
  - 101. The method of claim 100, wherein said permissions matrix comprises:
    - a plurality of permissions matrix entries.
  - 102. The method of claim 101, wherein each of said permissions matrix entries is a pointer to a data structure.
  - 103. The method of claim 102, wherein said data structure is a permission list.
  - 104. The method of claim 102, wherein said data structure is a permission list entry.
  - 105. The method of claim 102, wherein said data structure is a pointer to a permission list.
  - 106. The method of claim 105, wherein said data structure further comprises:
    - another pointer to another permission list.
  - 107. The method of claim 102, further comprising:
    - employing permission list chaining in said data structure.
  - 108. The method of claim 102, further comprising:
    - selecting a selected permissions matrix entry of said permissions matrix entries, wherein said selecting comprises identifying a row of said permissions matrix using a source user group identifier, identifying a column of said permissions matrix using a destination user group identifier, and identifying a permissions matrix entry of said permissions matrix entries in said row and said column as said selected permissions matrix entry.
  - 109. The method of claim 108, further comprising:
    - selecting a permission list from a plurality of permission lists using said selected permissions matrix entry.
  - 110. The method of claim 108, further comprising:
    - selecting a permission list entry from a permission list using said selected permissions matrix entry.

111. A network comprising:
- a first network device, wherein said first network device is configured to generate a packet, and said packet comprises a source user group identifier.
- View Dependent Claims (112, 113, 114, 115, 116, 117)
- - 112. The network of claim 111, wherein said source user group identifier identifies a user group of said first network device.
  - 113. The network of claim 111, further comprising:
    - a second network device, wherein said second network device is coupled to receive said packet, said second network device comprises an access control list, said access control list comprises an access control list entry, and said access control list entry comprises a user group field.
  - 114. The network of claim 113, wherein said second network device is configured to compare said source user group identifier with a destination user group of a destination of said packet said destination user group is identified by a destination user group identifier, and said destination user group identifier is stored in said user group field.
  - 115. The network of claim 114, wherein said access control list entry further comprises:
    - a plurality of user group fields, wherein said user group fields further comprise a source user group field, and a destination user group field, and said user group field is said destination user group field.
  - 116. The network of claim 113, further comprising:
    - a third network device, wherein said third network device is coupled between said first and said second network devices, said third network device comprises a forwarding table, said forwarding table comprises a plurality of forwarding table entries, and at least one forwarding table entry of said forwarding table entries comprises a user group field.
  - 117. The network device of claim 116, wherein said at least one forwarding table entry further comprises:
    - a port identifier field, wherein a port identifier stored in said port identifier field identifies a port, said packet is received on said port, and a user group, identified by a user group identifier stored in said user group field, is associated with said port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.

Granted Patent

US 7,530,112 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 12/4645   Details on frame tagging ro...

H04L 12/4675   Dynamic sharing of VLAN inf...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/54   Organization of routing tables

H04L 45/7453   using hashing

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Method and apparatus for providing network security using role-based access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

136 Citations

117 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing network security using role-based access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

117 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links