Method and apparatus for self-learning of VPNS from combination of unidirectional tunnels in MPLS/VPN networks

US 20070121615A1
Filed: 11/28/2005
Published: 05/31/2007
Est. Priority Date: 11/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method for applying application-level policies to a plurality of unidirectional tunnels in a computer network, the method comprising:

receiving a first data packet from a first unidirectional tunnel, the first data packet containing first protocol-specific information;

receiving a second data packet from a second unidirectional tunnel, the second unidirectional tunnel established in an opposite direction relative to the first unidirectional tunnel, the second data packet containing second protocol-specific information;

determining whether the first and second data packets transport data in the same virtual private network (VPN); and

determining, in response to determining that the first and second data packets transport data in the same VPN, whether the first and second unidirectional tunnels are established for use by the same application based on the first and second data packets'"'"' contained first and second protocol-specific information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique is provided for implementing deep-packet inspection (DPI) services in a MPLS/VPN configured computer network. The technique employs a novel self-learning algorithm that analyzes data packets belonging to different unidirectional tunnels in the MPLS/VPN network and determines whether the analyzed data packets transport data in the same VPN. If so, the unidirectional tunnels containing the analyzed data packets are associated with a common layer-2 identification (L2ID) value. Unlike conventional flow-classification procedures, the inventive technique classifies a data packet by first associating the data packet with a L2ID value and then classifying the packet as belonging to a particular data flow based on a novel 6-tuple consisting of a conventional 5-tuple plus the packet'"'"'s L2ID value. Because unidirectional tunnels corresponding to the same application data flow transport data packets having the same set of 6-tuple values, DPI services can apply application-level policies to classified data packets consistent with their 6-tuple flow classifications.

249 Citations

21 Claims

1. A method for applying application-level policies to a plurality of unidirectional tunnels in a computer network, the method comprising:
- receiving a first data packet from a first unidirectional tunnel, the first data packet containing first protocol-specific information;
  
  receiving a second data packet from a second unidirectional tunnel, the second unidirectional tunnel established in an opposite direction relative to the first unidirectional tunnel, the second data packet containing second protocol-specific information;
  
  determining whether the first and second data packets transport data in the same virtual private network (VPN); and
  
  determining, in response to determining that the first and second data packets transport data in the same VPN, whether the first and second unidirectional tunnels are established for use by the same application based on the first and second data packets'"'"' contained first and second protocol-specific information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - associating the first and second unidirectional tunnels with a set of application-level policies; and
      
      applying the set of application-level policies to data packets in the first and second unidirectional tunnels.
  - 3. The method of claim 2, further comprising:
    - using deep-packet inspection (DPI) services to apply the set of application-level policies to data packets in the first and second unidirectional tunnels.
  - 4. The method of claim 1, further comprising:
    - associating, in response to determining that the first and second data packets transport data in the same VPN, the first and second unidirectional tunnels with a common layer-2 identification (L2ID) value.
  - 5. The method of claim 4, further comprising:
    - receiving a third data packet;
      
      associating the third data packet with a corresponding L2ID value; and
      
      classifying the third data packet as belonging to a particular data flow based on the L2ID value associated with the third data packet.
  - 6. The method of claim 5, further comprising:
    - generating a 5-tuple associated with the third data packet, the 5-tuple consisting of a protocol identifier, a source address, a destination address, a source port number and a destination port number stored in the third data packet;
      
      combining the generated 5-tuple with the L2ID value associated with the third data packet, thereby creating a 6-tuple for the third data packet; and
      
      using the 6-tuple to classify the third data packet as belonging to the particular data flow.
  - 7. The method of claim 5, further comprising:
    - applying, in response to classifying the third data packet as belonging to the particular data flow, a set of application-level policies to the third data packet, the set of application-level policies being associated with the particular data flow.
  - 8. The method of claim 1, wherein the computer network is a Multi-Protocol Label Switching/Virtual Private Network (MPLS/VPN) configured computer network.
  - 9. The method of claim 1, wherein the first data packet is a Transmission Control Protocol (TCP) SYN data packet and the second data packet is a TCP SYN/ACK data packet.
  - 10. The method of claim 9, wherein the first and second protocol-specification information are TCP sequence numbers.

11. A network node configured to apply application-level policies to a plurality of unidirectional tunnels in a computer network, the network node comprising:
- means for receiving a first data packet from a first unidirectional tunnel, the first data packet containing first protocol-specific information;
  
  means for receiving a second data packet from a second unidirectional tunnel, the second unidirectional tunnel established in an opposite direction relative to the first unidirectional tunnel, the second data packet containing second protocol-specific information;
  
  means for determining whether the first and second data packets transport data in the same virtual private network (VPN); and
  
  means for determining, in response to determining that the first and second data packets transport data in the same VPN, whether the first and second unidirectional tunnels are established for use by the same application based on the first and second data packets'"'"' contained first and second protocol-specific information.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The network node of claim 11, further comprising:
    - means for associating the first and second unidirectional tunnels with a set of application-level policies; and
      
      means for applying the set of application-level policies to data packets in the first and second unidirectional tunnels.
  - 13. The network node of claim 11, further comprising:
    - means for associating, in response to determining that the first and second data packets transport data in the same VPN, the first and second unidirectional tunnels with a common layer-2 identification (L2ID) value.
  - 14. The network node of claim 13, further comprising:
    - means for receiving a third data packet;
      
      means for associating the third data packet with a corresponding L2ID value; and
      
      means for classifying the third data packet as belonging to a particular data flow based on the L2ID value associated with the third data packet.
  - 15. The network node of claim 14, further comprising:
    - means for generating a 5-tuple associated with the third data packet, the 5-tuple consisting of a protocol identifier, a source address, a destination address, a source port number and a destination port number stored in the third data packet;
      
      means for combining the generated 5-tuple with the L2ID value associated with the third data packet, thereby creating a 6-tuple for the third data packet; and
      
      means for using the 6-tuple to classify the third data packet as belonging to the particular data flow.

16. A network node configured to apply application-level policies to a plurality of unidirectional tunnels in a computer network, the network node comprising:
- a first physical access unit adapted to receive a first data packet from a first unidirectional tunnel, the first data packet containing first protocol-specific information;
  
  a second physical access unit adapted to receive a second data packet from a second unidirectional tunnel, the second unidirectional tunnel established in an opposite direction relative to the first unidirectional tunnel, the second data packet containing second protocol-specific information; and
  
  a packet processor configured to perform the steps of;
  
  determining whether the first and second data packets transport data in the same virtual private network (VPN); and
  
  determining, in response to determining that the first and second data packets transport data in the same VPN, whether the first and second unidirectional tunnels are established for use by the same application based on the first and second data packets'"'"' contained first and second protocol-specific information.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The network node of claim 16, wherein the packet processor is further configured to perform the steps of:
    - associating the first and second unidirectional tunnels with a set of application-level policies; and
      
      applying the set of application-level policies to data packets in the first and second unidirectional tunnels.
  - 18. The network node of claim 16, wherein the packet processor is further configured to perform the step of:
    - associating, in response to determining that the first and second data packets transport data in the same VPN, the first and second unidirectional tunnels with a common layer-2 identification (L2ID) value.
  - 19. The network node of claim 16, further comprising:
    - a data path unit configured to identify layer-2 identification (L2ID) values for data packets received at the first and second physical access units.
  - 20. The network node of claim 19, further comprising:
    - a classifier configured to classify a received data packet as belonging to a particular data flow based on a L2ID value identified by the data path unit.
  - 21. The network node of claim 20, wherein the classifier is configured to classify the received data packet by performing the steps of:
    - generating a 5-tuple associated with the received data packet, the 5-tuple consisting of a protocol identifier, a source address, a destination address, a source port number and a destination port number stored in the received data packet;
      
      combining the generated 5-tuple with the L2ID value identified for the received data packet, thereby creating a 6-tuple for the received data packet; and
      
      using the 6-tuple to classify the received data packet as belonging to the particular data flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Abramovitz, Assi, Weill, Ofer

Granted Patent

US 8,270,413 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/306   Route determination based o...

H04L 45/308   Route determination based o...

H04L 45/38   Flow based routing

H04L 45/50   using label swapping, e.g. ...

H04L 45/74   Address processing for routing

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/2441   relying on flow classificat...

H04L 47/2483   involving identification of...

H04L 49/3009   Header conversion, routing ...

H04L 69/22   Parsing or analysis of headers

Method and apparatus for self-learning of VPNS from combination of unidirectional tunnels in MPLS/VPN networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

249 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for self-learning of VPNS from combination of unidirectional tunnels in MPLS/VPN networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

249 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links