PACKET ROUTING SYSTEM AND METHOD

US 20070121579A1
Filed: 09/12/2006
Published: 05/31/2007
Est. Priority Date: 09/13/2000
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

partitioning a plurality of virtual routers (VRs) of a service processing switch of a service provider between a first subscriber and a second subscriber of the service provider by associating a first processor element identifier (PEID) with a first set of VRs of the plurality of VRs partitioned to the first subscriber and a second PEID with a second set of VRs of the plurality of VRs partitioned to the second subscriber;

configuring the first set of VRs to provide a first set of security services on behalf of the first subscriber by creating within the first set of VRs a first object group supportive of the first set of security services;

configuring the second set of VRs to provide a second set of security services on behalf of the second subscriber by creating within the second set of VRs a second object group supportive of the second set of security services;

the service processing switch providing appropriate security services for the first subscriber and the second subscriber by steering a first subscriber packet destined for or originating from a site of the first subscriber to an appropriate VR of the first set of VRs and an appropriate object within the first object group based on a value of the first PEID being associated with the first subscriber packet and a logical queue identifier (LQID) value associated with the first subscriber packet, the LQID value associated with the first subscriber packet corresponding to an LQID assigned to the appropriate object within the first object group and steering a second subscriber packet destined for or originating from a site of the second subscriber to an appropriate VR of the second set of VRs and an appropriate object within the second object group based on a value of the first PEID being associated with the second subscriber packet and a logical queue identifier (LQID) value associated with the second subscriber packet, the LQID value associated with the second subscriber packet corresponding to an LQID assigned to the appropriate object within the second object group.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system, a packet routing system and method is described that includes a processor identifier in each packet to route the packets to a physical processor, and a logical queue identifier to route the packets to the destination object within that processor.

Citations

12 Claims

1. A method comprising:
- partitioning a plurality of virtual routers (VRs) of a service processing switch of a service provider between a first subscriber and a second subscriber of the service provider by associating a first processor element identifier (PEID) with a first set of VRs of the plurality of VRs partitioned to the first subscriber and a second PEID with a second set of VRs of the plurality of VRs partitioned to the second subscriber;
  
  configuring the first set of VRs to provide a first set of security services on behalf of the first subscriber by creating within the first set of VRs a first object group supportive of the first set of security services;
  
  configuring the second set of VRs to provide a second set of security services on behalf of the second subscriber by creating within the second set of VRs a second object group supportive of the second set of security services;
  
  the service processing switch providing appropriate security services for the first subscriber and the second subscriber by steering a first subscriber packet destined for or originating from a site of the first subscriber to an appropriate VR of the first set of VRs and an appropriate object within the first object group based on a value of the first PEID being associated with the first subscriber packet and a logical queue identifier (LQID) value associated with the first subscriber packet, the LQID value associated with the first subscriber packet corresponding to an LQID assigned to the appropriate object within the first object group and steering a second subscriber packet destined for or originating from a site of the second subscriber to an appropriate VR of the second set of VRs and an appropriate object within the second object group based on a value of the first PEID being associated with the second subscriber packet and a logical queue identifier (LQID) value associated with the second subscriber packet, the LQID value associated with the second subscriber packet corresponding to an LQID assigned to the appropriate object within the second object group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - configuring the first set of VRs to provide a first set of router services on behalf of the first subscriber by creating within the first set of object groups one or more of a first routing object, a first packet filtering object and a first network address translation object; and
      
      configuring the second set of VRs to provide a second set of router services on behalf of the second subscriber by creating within the second set of object groups one or more of a second routing object, a second packet filtering object and a second network address translation object.
  - 3. The method of claim 2, further comprising providing the service processing switch within a point of presence (POP) of a service provider network.
  - 4. The method of claim 3, wherein the first set of security services include firewall inspection and access control functions.
  - 5. The method of claim 3, wherein the first set of security services include virtual private network (VPN) tunneling and encryption.
  - 6. The method of claim 3, wherein the second set of security services include firewall inspection and access control functions.
  - 7. The method of claim 3, wherein the second set of security services include virtual private network (VPN) tunneling and encryption.
  - 8. The method of claim 1, wherein a service management system (SMS) of the service provider performs said configuring the first set of VRs and said configuring the second set of VRs.
  - 9. The method of claim 1, wherein the service processing switch includes a plurality of nodes participating in a packet-passing ring, wherein each of the plurality of nodes has associated therewith a plurality of processor elements (PEs), wherein the first set of VRs are software entities running on a first PE of the plurality of PEs, wherein the second set of VRs are software entities running on a second PE of the plurality of PEs, and wherein:
    - said steering a first subscriber packet comprises a first node of the plurality of nodes upon which the first PE resides inspecting the first subscriber packet and determining the first subscriber packet is to be processed by the first PE; and
      
      said steering a second subscriber packet comprises a second node of the plurality of nodes upon which the second PE resides inspecting the second subscriber packet and determining the second subscriber packet is to be processed by the second PE.
  - 10. The method of claim 8, wherein a first Customer Network Management (CNM) system is installed at an information services (IS) headquarters site of the first subscriber, and wherein a second CNM system is installed at an IS headquarters site of the second subscriber, the method further comprising:
    - providing an information technology (IT) manager of the first subscriber with the ability to (i) initiate service provisioning and augmentation of the first set of VRs and (ii) obtain detailed network and service performance information via the first CNM; and
      
      providing an IT manager of the second subscriber with the ability to (i) initiate service provisioning and augmentation of the second set of VRs and (ii) obtain detailed network and service performance information via the second CNM.

11. An Internet Protocol (IP) service delivery architecture comprising:
- a Service Management System (SMS) residing in a Network Operations Center (NOC) of a service provider;
  
  an IP service processing switch located within a service provider'"'"'s Point of Presence (POP) and communicatively coupled to the service provider via a backbone of the service provider, the IP service processing switch providing customized security services to each of a plurality of subscribers of the service provider by (i) allocating one or more virtual routers (VRs) of a plurality of VRs to each of the plurality of subscribers based on processor element identifiers (PEIDs) associated with the plurality of VRs, (ii) instantiating object groups within the one or more VRs allocated to each subscriber based on security service needs of the subscriber, (iii) assigning logical queue identifiers (LQIDs) to objects of the object groups; and
  
  (iv) steering packets to appropriate objects of the object groups based on PEID values and LQID values associated with the packets;
  
  a Customer Network Management (CNM) system communicatively coupled with the IP service processing switch and located at a site within each subscriber;
  
  wherein the SMS enables centralized deployment, configuration and management of a managed network-based security service on behalf of the plurality of subscribers; and
  
  wherein the CMNs provide the respective subscribers with the ability to (i) initiate service provisioning and augmentation of the customized security services and (ii) obtain detailed network and service performance information.

12. An Internet Protocol (IP) service processing switch comprising:
- a plurality of blades each having a plurality of processor elements (PEs), each of the plurality of PEs running a plurality of virtual routers (VRs) configured to provide customized security services to a subscriber of a plurality of subscribers of a service provider by (i) creating object groups within the plurality of VRs in accordance with security service needs of respective subscribers and (ii) assigning logical queue identifiers (LQIDs) to objects of the object groups, the objects including one or more of a routing object, a packet filtering object a firewall object and a network address translation (NAT) object, each of the plurality of PEs being assigned a PE identifier (PEID) that is unique within the IP service processing switch;
  
  a packet-passing ring coupling the plurality of blades in communication; and
  
  wherein upon a blade of the plurality of blades receiving a packet, the blade inspects a PEID value associated with the packet and if the PEID value corresponds to a PE of the plurality of PEs on the blade, then the packet is steered to an object of the plurality of VRs running on the PE that corresponds to the LQID value, and if the PEID value does not correspond to any of the PEs of the plurality of PEs on the blade, then the packet is forwarded to the next blade of the plurality of blades on the packet-passing ring.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Matthews, Abraham, Weir, Steven

Granted Patent

US 8,260,918 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/351
CPC Class Codes

H04L 12/42   Loop networks

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/586   of virtual routers

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

PACKET ROUTING SYSTEM AND METHOD

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

PACKET ROUTING SYSTEM AND METHOD

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links