Method and apparatus for self-learning of VPNS from combination of unidirectional tunnels in MPLS/VPN networks
Abstract
A technique is provided for implementing deep-packet inspection (DPI) services in an MPLS/VPN configured computer network. The technique employs a novel self-learning algorithm that analyzes data packets belonging to different unidirectional tunnels in the MPLS/VPN network and determines whether the analyzed data packets transport data in the same VPN. If so, the unidirectional tunnels containing the analyzed data packets are associated with a common layer-2 identification (L2ID) value. Unlike conventional flow-classification procedures, the inventive technique classifies a data packet by first associating the data packet with an L2ID value and then classifying the packet as belonging to a particular data flow based on a novel 6-tuple consisting of a conventional 5-tuple plus the packet's L2ID value. Because unidirectional tunnels corresponding to the same application data flow transport data packets having the same set of 6-tuple values, DPI services can apply application-level policies to classified data packets consistent with their 6-tuple flow classifications.
249 Citations
21 Claims
1. A method for applying application-level policies to a plurality of unidirectional tunnels in a computer network, the method comprising:
receiving a first data packet from a first unidirectional tunnel, the first data packet containing first protocol-specific information;
receiving a second data packet from a second unidirectional tunnel, the second unidirectional tunnel established in an opposite direction relative to the first unidirectional tunnel, the second data packet containing second protocol-specific information;
determining whether the first and second data packets transport data in the same virtual private network (VPN); and
determining, in response to determining that the first and second data packets transport data in the same VPN, whether the first and second unidirectional tunnels are established for use by the same application based on the first and second data packets' contained first and second protocol-specific information.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A network node configured to apply application-level policies to a plurality of unidirectional tunnels in a computer network, the network node comprising:
means for receiving a first data packet from a first unidirectional tunnel, the first data packet containing first protocol-specific information;
means for receiving a second data packet from a second unidirectional tunnel, the second unidirectional tunnel established in an opposite direction relative to the first unidirectional tunnel, the second data packet containing second protocol-specific information;
means for determining whether the first and second data packets transport data in the same virtual private network (VPN); and
means for determining, in response to determining that the first and second data packets transport data in the same VPN, whether the first and second unidirectional tunnels are established for use by the same application based on the first and second data packets' contained first and second protocol-specific information.
Dependent claims: 12, 13, 14, 15.
16. A network node configured to apply application-level policies to a plurality of unidirectional tunnels in a computer network, the network node comprising:
a first physical access unit adapted to receive a first data packet from a first unidirectional tunnel, the first data packet containing first protocol-specific information;
a second physical access unit adapted to receive a second data packet from a second unidirectional tunnel, the second unidirectional tunnel established in an opposite direction relative to the first unidirectional tunnel, the second data packet containing second protocol-specific information; and
a packet processor configured to perform the steps of:
determining whether the first and second data packets transport data in the same virtual private network (VPN); and
determining, in response to determining that the first and second data packets transport data in the same VPN, whether the first and second unidirectional tunnels are established for use by the same application based on the first and second data packets' contained first and second protocol-specific information.
Dependent claims: 17, 18, 19, 20, 21.
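The self-learning of L2IDs and the 6-tuple classification described in the abstract and claimed above, as an added worked example in Python (not code from the patent or its assignee). The reason the L2ID matters for policy enforcement is that MPLS/VPN customers may use overlapping private address space, so a conventional 5-tuple alone can match traffic of two different VPNs, and a policy bound to one customer's flow would silently apply to the other's. The example assumes the DPI node can read the label of the unidirectional tunnel each packet arrived on (the `tunnel` field). The rule it uses to decide that two opposite-direction tunnels carry the same VPN and the same application is an assumption chosen for illustration, not the patent's disclosed method: a TCP SYN seen in one tunnel and the SYN-ACK that acknowledges it (inverted 5-tuple, ack equal to the SYN's sequence number plus one) seen in another tunnel. All packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP = 6
FiveTuple = Tuple[str, str, int, int, int]
SixTuple = Tuple[int, str, str, int, int, int]   # (L2ID, ip1, ip2, port1, port2, proto)

@dataclass(frozen=True)
class Packet:
    tunnel: int       # label of the unidirectional tunnel it arrived on (assumed field)
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    flags: str = ""   # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    seq: int = 0
    ack: int = 0

    def five_tuple(self, reverse: bool = False) -> FiveTuple:
        if reverse:
            return (self.dst, self.src, self.dport, self.sport, self.proto)
        return (self.src, self.dst, self.sport, self.dport, self.proto)

class TunnelLearner:
    """Self-learning step: the two tunnels carrying opposite directions of one VPN's
    traffic get a common L2ID. Pairing rule (an assumption, not the patent's):
    a SYN in tunnel X answered by the SYN-ACK acknowledging it in tunnel Y pairs X with Y."""

    def __init__(self) -> None:
        self.l2id_of: Dict[int, int] = {}                        # tunnel -> L2ID
        self._pending_syn: Dict[Tuple[FiveTuple, int], Packet] = {}
        self._next_l2id = 1

    def observe(self, pkt: Packet) -> int:
        """Return the L2ID of pkt's tunnel, or 0 if it has not been learned yet."""
        if pkt.proto == TCP and pkt.flags == "S":
            # Key by 5-tuple AND initial sequence number: different VPNs may reuse
            # the same private addresses, so the 5-tuple alone cannot tell SYNs apart.
            self._pending_syn[(pkt.five_tuple(), pkt.seq)] = pkt
        elif pkt.proto == TCP and pkt.flags == "SA" and pkt.tunnel not in self.l2id_of:
            syn = self._pending_syn.pop((pkt.five_tuple(reverse=True), pkt.ack - 1), None)
            if syn is not None and syn.tunnel != pkt.tunnel:
                l2id = self.l2id_of.get(syn.tunnel)
                if l2id is None:
                    l2id, self._next_l2id = self._next_l2id, self._next_l2id + 1
                    self.l2id_of[syn.tunnel] = l2id
                self.l2id_of[pkt.tunnel] = l2id
        return self.l2id_of.get(pkt.tunnel, 0)

class FlowClassifier:
    """DPI step: classify by the 6-tuple (L2ID + conventional 5-tuple), then look up policy."""

    def __init__(self, learner: TunnelLearner) -> None:
        self.learner = learner
        self.policies: Dict[SixTuple, str] = {}

    def six_tuple(self, pkt: Packet) -> Optional[SixTuple]:
        l2id = self.learner.observe(pkt)
        if l2id == 0:
            return None
        # Order the endpoints so both directions of one connection share a key.
        ep1, ep2 = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        if ep1 > ep2:
            ep1, ep2 = ep2, ep1
        return (l2id, ep1[0], ep2[0], ep1[1], ep2[1], pkt.proto)

    def lookup(self, pkt: Packet) -> str:
        key = self.six_tuple(pkt)
        return "unclassified" if key is None else self.policies.get(key, "default")

def run_demo() -> dict:
    # Constructed traffic: VPN A (tunnels 100/101) and VPN B (tunnels 200/201) both
    # carry a connection 10.1.1.1:40000 -> 10.2.2.2:443 (overlapping address space).
    learner = TunnelLearner()
    clf = FlowClassifier(learner)
    for p in (
        Packet(100, "10.1.1.1", "10.2.2.2", 40000, 443, TCP, "S", seq=1000),
        Packet(200, "10.1.1.1", "10.2.2.2", 40000, 443, TCP, "S", seq=7000),
        Packet(101, "10.2.2.2", "10.1.1.1", 443, 40000, TCP, "SA", seq=5000, ack=1001),
        Packet(201, "10.2.2.2", "10.1.1.1", 443, 40000, TCP, "SA", seq=9000, ack=7001),
    ):
        learner.observe(p)
    a_data = Packet(100, "10.1.1.1", "10.2.2.2", 40000, 443, TCP, "A", seq=1001, ack=5001)
    a_reply = Packet(101, "10.2.2.2", "10.1.1.1", 443, 40000, TCP, "A", seq=5001, ack=1002)
    b_data = Packet(200, "10.1.1.1", "10.2.2.2", 40000, 443, TCP, "A", seq=7001, ack=9001)
    clf.policies[clf.six_tuple(a_data)] = "rate-limit"   # meant for VPN A's flow only
    return {
        "l2id_of": dict(learner.l2id_of),
        "a_key": clf.six_tuple(a_data),
        "a_reply_key": clf.six_tuple(a_reply),
        "b_key": clf.six_tuple(b_data),
        "a_action": clf.lookup(a_data),
        "a_reply_action": clf.lookup(a_reply),
        "b_action": clf.lookup(b_data),
    }

if __name__ == "__main__":
    print(run_demo())
```

Running it shows the learned tunnel-to-L2ID map and the resulting keys: both directions of VPN A's connection (tunnels 100 and 101) fold onto one 6-tuple, VPN B's identically addressed connection receives a different L2ID and therefore a different key, and the rate-limit policy bound to VPN A does not match VPN B's packets. A production implementation would also age out pending SYNs and forget L2IDs when tunnels are torn down; this example keeps its state forever.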
Specification