Rules engine for access control lists in network units

US 20060092947A1
Filed: 02/22/2005
Published: 05/04/2006
Est. Priority Date: 11/03/2004
Status: Active Grant

First Claim

Patent Images

1. A rules engine for the examination of selected fields in an addressed data packet, comprising:

an access control list table containing entries each defining an access control list rule, a respective first action and a chain identifier; and

an extension rule table for entries each defining an extension rule, a respective second action and a respective rule identifier wherein the rules engine is operative;

(a) to search said access control list table to ascertain a match between an access control list rule and said addressed data packet;

(b) to search said extension rule table to ascertain a match between an extension rule and said addressed data packet;

in the event of a matched access control list rule matched to said addressed data packet to prescribe;

(ci) the respective second action associated with a matched extension rule in the event of correspondence between the associated chain identifier and a rule identifier identifying a match between that matched extension rule and said addressed data packet;

or (cii) the respective first action associated with said matched access control list rule in the absence of said correspondence.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A rules engine for the examination of selected fields in an addressed data packet, has an access control list table of which the entries each define an access control list rule, an action and a chain identifier. The access control list rule is a basic rule which refers to a TCP flow. The engine also has an extension rule table of which the entries each define an extension rule, a respective action and a respective rule identifier. The extension rule may refer to a particular flag in a TCP header. When a packet arrives the engine searches both tales. This search is made independently of the usual address lookup. If there is a match in both tables, and the chain identifier matches the extension rule identifier the engine prescribes the action associated with the extension rule. If the chain identifier of a matched access control list rule does not match a rule identifier of a matched extension rule the engine prescribes the action associates with the access control list rule. In the absence of a match with any access control list rule the action on a packet is based on the result from a lookup engine.

17 Citations

View as Search Results

11 Claims

1. A rules engine for the examination of selected fields in an addressed data packet, comprising:
- an access control list table containing entries each defining an access control list rule, a respective first action and a chain identifier; and
  
  an extension rule table for entries each defining an extension rule, a respective second action and a respective rule identifier wherein the rules engine is operative;
  
  (a) to search said access control list table to ascertain a match between an access control list rule and said addressed data packet;
  
  (b) to search said extension rule table to ascertain a match between an extension rule and said addressed data packet;
  
  in the event of a matched access control list rule matched to said addressed data packet to prescribe;
  
  (ci) the respective second action associated with a matched extension rule in the event of correspondence between the associated chain identifier and a rule identifier identifying a match between that matched extension rule and said addressed data packet;
  
  or (cii) the respective first action associated with said matched access control list rule in the absence of said correspondence.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A rules engine according to claim 1 wherein said access control list rules relate to fields in TCP (Transmission Control Protocol) segments and network address fields.
  - 3. A rules engine according to claim 1 or 2 wherein said extension rules relate to TCP flags.
  - 4. A rules engine according to any foregoing claim wherein said extension rule table is constituted by memory within an application specific integrated circuit and said access control list table is constituted by memory external to said application specific integrated circuit.
  - 5. A rules engine according to any foregoing claim wherein a chain identifier matches a plurality of rule identifiers.

6. A network unit comprising:
- (1) a multiplicity of ports for receiving and forwarding addressed data packets;
  
  (2) a lookup engine for producing forwarding data in response to address data in an addressed data packet;
  
  (3) a post-processing engine for executing a forwarding action based on said forwarding data;
  
  (4) a rules engine comprising;
  
  (a) an access control list table containing entries each defining an access control list rule, a respective first action and a chain identifier; and
  
  (b) an extension rule table for entries each defining an extension rule, a respective second action and a respective rule identifier wherein the rules engine is operative;
  
  (i) to search said access control list table to ascertain a match between an access control list rule and said addressed data packet;
  
  (ii) to search said extension rule table to ascertain a match between an extension rule and said addressed data packet; and
  
  in the event of a matched access control list rule matched to said addressed data packet to prescribe;
  
  (iiia) the respective second action associated with a matched extension rule in the event of correspondence between the associated chain identifier and a rule identifier identifying a match between that matched extension rule and said addressed data packet;
  
  or (iiib) the respective first action associated with said matched access control list rule in the absence of said correspondence; and
  
  wherein said post-processing engine is operative to execute said respective action prescribed by said rules action.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. A network unit according to claim 6 wherein said post-processing engine executes said forwarding action in the absence of any action prescribed by said rules engine.
  - 8. A network unit according to claim 6 or 7 wherein said access control list rules relate to fields in TCP segments and network address fields.
  - 9. A network unit according to any of claims 6 to 8 wherein said extension rules relate to TCP flags.
  - 10. A network unit according to any of claims 6 to 9 wherein a chain identifier matches a plurality of rule identifiers.
  - 11. A network unit according to any of claims 6 to 10 wherein said extension rule table is constituted by memory within an application specific integrated circuit which includes said lookup engine and said post-processing engine and said access control list table is constituted by memory external to said application specific integrated circuit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
O'Keeffe, Daniel Martin, O'Neill, Eugene, Choi, Kam, O'Malley, Edele

Granted Patent

US 7,480,299 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/395.31
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/60   Router architectures

H04L 45/7453   using hashing

H04L 47/20   Traffic policing

Rules engine for access control lists in network units

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Rules engine for access control lists in network units

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links