Identity brokering in a network element
Abstract
A network infrastructure element such as a router or switch brokers network user identity and credential information. An application or administrative user can declare a policy for user identity information extraction, authentication and authorization. Based on the policy, the network element extracts user identity information or credentials from a transport-layer message header, an application-layer message header, and the message body. Based on the policy, the network element performs one or more authentication or authorization operations with the user identity information or credentials. As a result, a network element can broker identity information among incompatible applications and perform identity operations on their behalf.
Claims (35)
1. A data processing apparatus, comprising:
a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
one or more processors;
a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
logic comprising one or more stored instructions which when executed by the one or more processors are operable to cause:
receiving over the network an application-layer message comprising one or more of the packets;
receiving a message identity policy that defines any one or more of:
first identity information in a transport-layer protocol header of the application-layer message and whether to extract the first identity information from the transport-layer protocol header;
second identity information in an application-layer protocol header of the application-layer message and whether to extract the second identity information from the application-layer protocol header; and
third identity information in a message body of the application-layer message and whether to extract the third identity information from the message body;
extracting any one or more of the first identity information, second identity information, and third identity information as specified in the message identity policy;
determining one or more authentication operations to authenticate the one or more of the first identity information, second identity information, and third identity information;
performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
performing a responsive operation using the received application-layer message and the one or more message sender identity attributes.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 31, 32 and 35.
10. A computer-readable storage medium encoded with logic to perform identity brokering in a network element, the logic comprising one or more stored instructions which when executed by one or more processors are operable to cause:
receiving over a network an application-layer message comprising one or more packets;
receiving a message identity policy that defines any one or more of:
first identity information in a transport-layer protocol header of the application-layer message and whether to extract the first identity information from the transport-layer protocol header;
second identity information in an application-layer protocol header of the application-layer message and whether to extract the second identity information from the application-layer protocol header; and
third identity information in a message body of the application-layer message and whether to extract the third identity information from the message body;
extracting any one or more of the first identity information, second identity information, and third identity information as specified in the message identity policy;
determining one or more authentication operations to authenticate the one or more of the first identity information, second identity information, and third identity information;
performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
creating an outbound application-layer message that includes the message sender identity attributes;
forwarding the outbound application-layer message to a next endpoint.
11. A data processing apparatus, comprising:
a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
one or more processors;
a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
means for receiving over the network an application-layer message comprising one or more of the packets;
means for receiving a message identity policy that defines any one or more of:
first identity information in a transport-layer protocol header of the application-layer message and whether to extract the first identity information from the transport-layer protocol header;
second identity information in an application-layer protocol header of the application-layer message and whether to extract the second identity information from the application-layer protocol header; and
third identity information in a message body of the application-layer message and whether to extract the third identity information from the message body;
means for extracting any one or more of the first identity information, second identity information, and third identity information as specified in the message identity policy;
means for determining one or more authentication operations to authenticate the one or more of the first identity information, second identity information, and third identity information;
means for performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
means for performing a responsive operation using the received application-layer message and the one or more message sender identity attributes.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 33 and 34.
20. A computer-implemented method, comprising:
receiving over a network an application-layer message comprising one or more packets;
receiving a message identity policy that defines any one or more of:
first identity information in a transport-layer protocol header of the application-layer message and whether to extract the first identity information from the transport-layer protocol header;
second identity information in an application-layer protocol header of the application-layer message and whether to extract the second identity information from the application-layer protocol header; and
third identity information in a message body of the application-layer message and whether to extract the third identity information from the message body;
extracting any one or more of the first identity information, second identity information, and third identity information as specified in the message identity policy;
determining one or more authentication operations to authenticate the one or more of the first identity information, second identity information, and third identity information;
performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
creating an outbound application-layer message that includes the message sender identity attributes;
performing a responsive operation using the received application-layer message and the one or more message sender identity attributes.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28, 29 and 30.
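The steps the abstract and the independent claims recite, as an added worked example in Python (this is not code from the patent or from any product it covers): a message identity policy names which field in the transport-layer header, the application-layer header and the body carries identity information and which authentication operation applies to each; the broker extracts what the policy asks for, runs those operations, and forwards an outbound message that carries the sender's identity attributes instead of the raw credentials. Everything concrete here is an assumption made for the example: that "transport-layer header" means the HTTP request headers and "application-layer header" an envelope-level header block, the X-Broker-Identity header name, the policy layout, the user store and every credential in it. The example also adds two checks the claims leave to the implementer: credentials found at different layers must name the same sender, and any identity assertion the client supplies itself is overwritten rather than merged.

```python
import base64
import copy
import hashlib
import hmac

# Header the broker asserts toward the next endpoint (hypothetical name for this example).
ASSERTED_HEADER = "X-Broker-Identity"
# A message is a dict with the three places a policy may look: "transport" (assumed: HTTP
# request headers), "application" (assumed: envelope-level header block) and "body".
LAYERS = ("transport", "application", "body")


class AuthError(Exception):
    """Extraction or authentication failed; the message must not be forwarded."""


# Constructed user store (not real credentials): salted PBKDF2 password hashes, API keys,
# and the sender attributes returned after authentication.
_SALT = b"constructed-salt"

def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {
    "alice": {"pw": _hash_pw("correct horse"), "api_key": "key-alice", "groups": ["orders"]},
    "bob": {"pw": _hash_pw("battery staple"), "api_key": "key-bob", "groups": ["billing"]},
}

def _attrs(user):
    return {"subject": user, "groups": list(USERS[user]["groups"])}

def basic_header(user, password):
    """Build an HTTP Basic Authorization value (used here to construct inbound messages)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Authentication operations, keyed by the name the policy uses for them.
def auth_http_basic(value):
    scheme, _, b64 = str(value).partition(" ")
    if scheme != "Basic":
        raise AuthError("unsupported authorization scheme")
    try:
        user, _, password = base64.b64decode(b64, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError) as exc:
        raise AuthError("malformed Basic credentials") from exc
    rec = USERS.get(user)
    digest = _hash_pw(password)  # hash for unknown users too, so timing does not reveal valid names
    if rec is None or not hmac.compare_digest(rec["pw"], digest):
        raise AuthError("bad username or password")
    return _attrs(user)

def auth_api_key(value):
    for user, rec in USERS.items():  # constant-time scan instead of a dict lookup keyed by the secret
        if hmac.compare_digest(rec["api_key"].encode(), str(value).encode()):
            return _attrs(user)
    raise AuthError("unknown API key")

def auth_username_token(value):
    """A {'username': ..., 'password': ...} object carried inside the message body."""
    if not isinstance(value, dict) or not all(k in value for k in ("username", "password")):
        raise AuthError("malformed username token")
    return auth_http_basic(basic_header(value["username"], value["password"]))

AUTH_OPS = {"http_basic": auth_http_basic, "api_key": auth_api_key, "username_token": auth_username_token}

# The message identity policy (constructed): for each layer, which field holds identity
# information and which operation authenticates it. A layer the policy omits is never
# extracted from, whatever the message carries there.
POLICY = {
    "transport": {"field": "Authorization", "op": "http_basic"},
    "application": {"field": "ApiKey", "op": "api_key"},
    "body": {"field": "credentials", "op": "username_token"},
}

def extract(policy, msg):
    """Pull identity information from each layer the policy names."""
    return {layer: msg[layer][spec["field"]]
            for layer, spec in policy.items() if spec["field"] in msg.get(layer, {})}

def broker(policy, msg):
    """Authenticate what was extracted, then build the outbound message for the next endpoint."""
    found = extract(policy, msg)
    if not found:
        raise AuthError("no identity information in message")
    attrs_by_layer = {layer: AUTH_OPS[policy[layer]["op"]](value) for layer, value in found.items()}
    subjects = {a["subject"] for a in attrs_by_layer.values()}
    if len(subjects) != 1:
        # Credentials at different layers name different users: refuse, rather than let each
        # downstream application trust whichever layer it happens to read.
        raise AuthError(f"conflicting identities: {sorted(subjects)}")
    attrs = _attrs(subjects.pop())
    attrs["authenticated_via"] = sorted(attrs_by_layer)
    out = copy.deepcopy(msg)
    for layer, spec in policy.items():  # never forward the raw credentials
        out.get(layer, {}).pop(spec["field"], None)
    out["application"] = out.get("application", {})
    out["application"][ASSERTED_HEADER] = attrs  # overwrite, never merge, a client-supplied assertion
    return out
```

Calling broker(POLICY, msg) on a message whose only credential is a valid HTTP Basic header returns a copy with the Authorization header removed and X-Broker-Identity set to the sender's subject, groups and the layers that authenticated it. The next endpoint can then trust that one header only if the broker is the sole path to it; if clients can reach the endpoint directly, the asserted header must itself be authenticated (for example, by a signature or a mutually authenticated link), which this example does not do.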