Method and apparatus for controlled access of requests from virtual private network devices to managed information objects using simple network management protocol and multi-topology routing

US 20050165834A1
Filed: 03/22/2005
Published: 07/28/2005
Est. Priority Date: 06/08/2001
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access of network management requests directed to one or more network devices that participate in a virtual private network, the method comprising the computer-implemented steps of:

receiving a request to carry out a management protocol operation;

determining an identifier of a virtual private network in the request and a context name;

determining, based on the context name, one or more sub-contexts that are either explicitly or implicitly specified in the context name;

identifying, among a plurality of instances of managed objects that are associated with one or more routing topologies of a multi-topology routing system, a subset of object instances that requests associated with the virtual private network are permitted to access; and

providing the request with access to only the subset of object instances.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control approaches are disclosed wherein managed object in Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) are accessed on a per- Virtual Private Network (VPN)-basis, taking into account multiple topologies that may exist under multi-topology routing (MTR) deployments, with no modifications to existing MIBs. One approach involves determining an identifier of a virtual private network in the request and a context name; determining, based on the context name, one or more sub-contexts that are either explicitly or implicitly specified in the context name; identifying, among a plurality of instances of managed objects that are associated with one or more routing topologies of a multi-topology routing system, a subset of object instances that requests associated with the virtual private network are permitted to access; and providing the request with access to only the subset of object instances.

70 Citations

View as Search Results

17 Claims

1. A method of controlling access of network management requests directed to one or more network devices that participate in a virtual private network, the method comprising the computer-implemented steps of:
- receiving a request to carry out a management protocol operation;
  
  determining an identifier of a virtual private network in the request and a context name;
  
  determining, based on the context name, one or more sub-contexts that are either explicitly or implicitly specified in the context name;
  
  identifying, among a plurality of instances of managed objects that are associated with one or more routing topologies of a multi-topology routing system, a subset of object instances that requests associated with the virtual private network are permitted to access; and
  
  providing the request with access to only the subset of object instances.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as recited in claim 1, further comprising determining the one or more sub-contexts in response to a non-exact match of the context name.
  - 3. A method as recited in claim 1, further comprising the steps of providing, at one of the network devices, a mapping of a plurality of identifiers of virtual private networks to corresponding views of subsets of managed object instances that are associated with one or more routing topologies.
  - 4. A method as recited in claim 1, further comprising the steps of providing, at one of the network devices, a mapping of a plurality of identifiers of virtual private networks to corresponding views of subsets of managed object instances that are associated with one or more routing topologies, in the form of one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB Views.
  - 5. A method as recited in claim 1, further comprising the steps of providing, at one of the network devices, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks.
  - 6. A method as recited in claim 1, further comprising the steps of providing, at one of the network devices, a mapping of a plurality of identifiers of virtual private networks to corresponding views of subsets of managed object instances that are associated with one or more routing topologies, and wherein the steps of identifying a subset of object instances and providing the request with access comprise the steps of. determining whether the identifier from the request is in the mapping;
    - when the identifier from the request is in the mapping;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more views referenced in the mapping, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 7. A method as recited in claim 1, further comprising the steps of providing, at one of the network devices, a mapping of a plurality of identifiers of virtual private networks to corresponding views of subsets of managed object instances that are associated with one or more routing topologies, in the form of one or more entries in a view-based access control model table that associate security name values to corresponding MIB Views, and wherein the steps of identifying a subset of object instances and providing the request with access comprise the steps of. determining whether the identifier from the request is in the view-based access control model table;
    - when the identifier from the request is in the view-based access control model table;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more MIB Views referenced in the view-based access control model table, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 8. A method as recited in claim 1, further comprising the steps of providing, at one of the network devices, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks, and wherein the steps of identifying a subset of object instances that are associated with one or more routing topologies and providing the request with access comprise the steps of. determining whether the identifier from the request is in the view-based access control model table;
    - when the identifier from the request is in the view-based access control model table;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more MIB Views referenced in the view-based access control model table, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 9. A method as recited in claim 1, further comprising the steps of:
    - providing, at a network management station that is communicatively coupled to the network devices, a mapping of a plurality of virtual private network identifiers to SNMPv3 securityNames;
      
      providing, at the network management station, an executable process that associates a virtual private network identifier with each SNMP request that is issued by the network management station to the network devices.

10. A computer-readable medium carrying one or more sequences of instructions for controlling access of network management requests directed to one or more network devices that participate in a virtual private network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- determining an identifier of a virtual private network in the request and a context name;
  
  determining, based on the context name, one or more sub-contexts that are either explicitly or implicitly specified in the context name;
  
  identifying, among a plurality of instances of managed objects that are associated with one or more routing topologies of a multi-topology routing system, a subset of object instances that requests associated with the virtual private network are permitted to access; and
  
  providing the request with access to only the subset of object instances.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. A computer-readable medium as recited in claim 10, further comprising determining the one or more sub-contexts in response to a non-exact match of the context name.
  - 12. A computer-readable medium as recited in claim 10, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of providing, at one of the network devices, a mapping of a plurality of identifiers of virtual private networks to corresponding views of subsets of managed object instances.
  - 13. A computer-readable medium as recited in claim 10, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of providing, at one of the network devices, a mapping of a plurality of identifiers of virtual private networks to corresponding views of subsets of managed object instances, in the form of one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB Views.
  - 14. A computer-readable medium as recited in claim 10, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of providing, at one of the network devices, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks.
  - 15. A computer-readable medium as recited in claim 10, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of providing, at one of the network devices, a mapping of a plurality of identifiers of virtual private networks to corresponding views of subsets of managed object instances, and wherein the steps of identifying a subset of object instances and providing the request with access comprise the steps of. determining whether the identifier from the request is in the mapping;
    - when the identifier from the request is in the mapping;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more views referenced in the mapping, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.

16. An apparatus for controlling access of network management requests directed to one or more network devices that participate in a virtual private network, comprising:
- means for determining an identifier of a virtual private network in the request and a context name;
  
  means for determining, based on the context name, one or more sub-contexts that are either explicitly or implicitly specified in the context name;
  
  means for identifying, among a plurality of instances of managed objects that are associated with one or more routing topologies of a multi-topology routing system, a subset of object instances that requests associated with the virtual private network are permitted to access; and
  
  means for providing the request with access to only the subset of object instances.

17. An apparatus controlling access of network management requests directed to one or more network devices that participate in a virtual private network, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  determining an identifier of a virtual private network in the request and a context name;
  
  determining, based on the context name, one or more sub-contexts that are either explicitly or implicitly specified in the context name;
  
  identifying, among a plurality of instances of managed objects that are associated with one or more routing topologies of a multi-topology routing system, a subset of object instances that requests associated with the virtual private network are permitted to access; and
  
  providing the request with access to only the subset of object instances.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Koushik, A. S. Kiran, Nadeau, Thomas D.

Granted Patent

US 7,526,480 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0213   Standardised network manage...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/28   Restricting access to netwo...

H04L 41/40   using virtualisation of net...

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

Method and apparatus for controlled access of requests from virtual private network devices to managed information objects using simple network management protocol and multi-topology routing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for controlled access of requests from virtual private network devices to managed information objects using simple network management protocol and multi-topology routing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others