SYSTEM AND METHOD OF TRAFFIC INSPECTION AND CLASSIFICATION FOR PURPOSES OF IMPLEMENTING SESSION ND CONTENT CONTROL

US 20080077705A1
Filed: 07/27/2007
Published: 03/27/2008
Est. Priority Date: 07/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising using, at a network device, sets of packet classification rules having associated matching criteria for OSI Layer 2-Layer 4 (L2-L4) packet information to select traffic flows made up of various packets received at the network device for processing at OSI Layer 7 (L7) at the network device, and carrying classification information computed as a result of classifications based on the L2-L4 packet information with those of the traffic flows so selected so that the classification information is available during the traffic flow processing at L7.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Packets received at a network appliance are classified according to packet classification rules based on flow state information maintained by the network appliance and evaluated for each packet as it is received at the appliance on the basis of OSI Level 2-Level 4 (L2-L4) information retrieved from the packet. The received packets are acted upon according to outcomes of the classification; and the flow state information is updated according to actions taken on the received packets. The updated flow state information is then made available to modules performing additional processing of one or more of the packets at OSI Layer 7 (L7).

244 Citations

55 Claims

1. A method, comprising using, at a network device, sets of packet classification rules having associated matching criteria for OSI Layer 2-Layer 4 (L2-L4) packet information to select traffic flows made up of various packets received at the network device for processing at OSI Layer 7 (L7) at the network device, and carrying classification information computed as a result of classifications based on the L2-L4 packet information with those of the traffic flows so selected so that the classification information is available during the traffic flow processing at L7.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the L2-L4 packet information includes one or more of:
    - source IP address, destination IP address, source port, and destination port.
  - 3. The method of claim 1, wherein the packets received at the network device are classified according to a most specific match process in which traffic flow information determined from the L2-L4 information retrieved from each received packet is compared with the matching criteria of the packet classification rules in order to find a classification rule with a longest match.
  - 4. The method of claim 1, wherein the packets received at a network device are classified with reference to state information for the traffic flows with which the received packets are associated.
  - 5. The method of claim 4, wherein classification of the packets received at the network device includes classification against rules for a transparent proxy session and against rules for an explicit proxy session.
  - 6. The method of claim 1, wherein as packets received at the network device are classified in accordance with the packet classification rules, state information associated with the traffic flows is dynamically updated at the network device.

7. A network device, comprising one or more network traffic processing modules configured to classify packets received at the network device by evaluating OSI Layer 2-Layer 4 (L2-L4) information retrieved from said packets against sets of packet classification rules having associated matching criteria, at least some of the matching criteria being stored in per-packet classification rule databases separate from the network traffic processing modules.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The network device of claim 7, wherein the network traffic processing modules are farther configured to store traffic flow state information tables, each traffic flow state information table including state information for traffic flows made up of packets received at the network device.
  - 9. The network device of claim 8, wherein the traffic flow state information tables are segregated according to actions to be taken with respect to packets associated with individual ones of the traffic flows.
  - 10. The network device of claim 7, wherein the matching criteria stored in the per-packet classification rule databases are updateable during runtime of the network device.
  - 11. The network device of claim 7, wherein the per-packet classification rule databases are updateable during runtime of the network device.

12. A method, comprising classifying packets received at a network device by evaluating OSI Layer 2-Layer 4 (L2-L4) information retrieved from said packets against sets of packet classification rules having associated matching criteria, the classifying being performed by one or more traffic processing modules according to matching criteria for the packet classification rules retrieved from per-packet classification rule databases separate from the network traffic processing modules.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, further comprising updating the matching criteria in the per-packet classification rule databases while continuing to classify packets received at the network device.
  - 14. The method of claim 13, wherein new packets received at the network device subsequent to the updating on the matching criteria are classified according to the updated matching criteria.
  - 15. The method of claim 13, wherein the updating of the matching criteria is performed without modifying the packet classification rules.
  - 16. The method of claim 12, further comprising recognizing a modification to one or more of the matching criteria and classifying new packets received at the network device in accordance with modified matching criteria immediately upon such recognition, regardless of whether or not the new packets received at the network device are associated with traffic flows previously classified by the network device.
  - 17. The method of claim 12, wherein the packet classification rules are processed in sequence to classify the packets.
  - 18. The method of claim 17, wherein the packet classification rules are processed in sequence to classify the packets, one or more of the packet classification rules producing partial classifications of the packets, and combining the partial classifications to arrive at final classifications for the packets.
  - 19. The method of claim 17, wherein the packet classification rules are processed in sequence to classify the packets, the sequence proceeding from rules associated with more specific matching criteria to less specific matching criteria.
  - 20. The method of claim 19, wherein if no prior one of the packet classification rules in the sequence produces a match for a subject one of the packets, classifying the subject one of the packets in accordance with a default classification rule for the network device.
  - 21. The method of claim 19, wherein the packet classification rules are further segregated into transparent proxy sections and explicit proxy sections and within each session the packet classification rules are processed in a sequence proceeding from rules associated with more specific matching criteria to less specific matching criteria.
  - 22. The method of claim 21, wherein within one or both of the segregated sections of the packet classification rules, if no prior one of the packet classification rules produces a match for a subject one of the packets, classifying the subject one of the packets in accordance with a default classification rule for the section.

23. A method, comprising using, at a first network device, sets of packet classification rules having associated matching criteria for OSI Layer 2-Layer 4 (L2-L4) packet information and traffic flow state information stored at the network device to classify packets associated with traffic flows received at the first network device, and as a result of classifications based on the L2-L4 packet information and the traffic flow state information, forwarding one or more of the packets to a second network device identified as handling a subject one of the traffic flows associated with those of the packets so forwarded, without further processing the packets so forwarded at the first network device at higher OSI layers.

24. A method, comprising using, at a first network device, sets of packet classification rules having associated matching criteria for OSI Layer 2-Layer 4 (L2-L4) packet information and traffic flow state information stored at the network device to classify packets associated with traffic flows received at the first network device, and as a result of classifications based on the L2-L4 packet information and the traffic flow state information, bypassing one or more of the packets to a client even though the packets so bypassed are associated with a subject one of the traffic flows identified as being handled by a second network device, without further processing the packets so bypassed at the first network device at higher OSI layers.

25. A method, comprising creating, at a network device, listeners for network traffic received at the network device using less than complete traffic flow configuration information, and classifying packets as being intended for handling by said listeners or not according to matching criteria for OSI Layer 2-Layer 4 (L2-L4) information from the packets.
- View Dependent Claims (26, 27)
- - 26. The method of claim 25, wherein the listeners are configured, at least in part, using port range information.
  - 27. The method of claim 25, wherein the listeners are configured, at least in part, using IP address ranges.

28. A method, comprising classifying a packet received at a first network device according to sets of packet classification rules having associated matching criteria for OSI Layer 2-Layer 4 (L2-L4) information from the packet, and taking action on the packet in accordance with a matching one of the packet classification rules, wherein during the classifying evaluation of the packet against the packet classification rules is delayed for a period of time and then reinitiated again as if the packet had just been received at the first network device so as to provide time for a peer network device to notify the first network device that the peer network device is handling a traffic flow with which the packet is associated.

29. A computer-implemented method, comprising:
- classifying packets received at a network appliance according to packet classification rules based on flow state information maintained by the network appliance and evaluated for each packet as it is received at the appliance on the basis of OSI Level 2-Level 4 (L2-L4) information retrieved from the packet;
  
  acting on each of the received packets according to outcomes of the classification; and
  
  updating the flow state information according to actions taken on the received packets based on the L2-L4 information and making updated flow state information which reflects said actions taken on the packets available to modules performing additional processing of one or more of said packets at OSI Layer 7 (L7).
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 30. The computer-implemented method of claim 29, wherein classifying the packets results in one or more of:
    - dropping some or all of the packets silently, dropping some or all of the packets with a notification to a sender thereof allowing some or all of the packets to proceed from the network appliance to a destination, intercepting some or all of the packets at the network device for further processing at L7, or forwarding some or all of the packets to another network device identified as being associated with a subject connection to which those of the packets so forwarded belong.
  - 31. The computer-implemented method of claim 29, wherein the L2-L4 information includes one or more of:
    - source IP address, destination IP address, source port, and destination port.
  - 32. The computer-implemented method of claim 29, wherein the packets received at the network appliance are classified according to a most specific match process in which flow information determined from the L2-L4 information retrieved from the packet is compared with information present in the packet classification rules in order to find a classification rule with a longest match.
  - 33. The computer-implemented method of claim 32, wherein results of the most specific match process are included in the updated flow state information made available to the modules performing processing at L7.
  - 34. The computer-implemented method of claim 29, wherein matching criteria for one or more of the packet classification rules is stored is a database separate from a processing module configured to classify the packets on the basis of the L2-L4 information retrieved from the packet, and the method further comprises evaluating said one or more rules using said matching criteria.
  - 35. The computer-implemented method of claim 29, wherein the flow state information includes information sufficient to determine whether the received packets are traveling from a client to a server or from a server to a client.
  - 36. The computer-implemented method of claim 35, wherein flow directionality is determined according to information derived from packets associated with TCP handshakes.
  - 37. The computer-implemented method of claim 29, wherein the updated flow state information is further provided to a module configured to classify the packets based on the L2-L4 information for use in classifying future packets received at the network device.
  - 38. The computer-implemented method of claim 29, wherein classifying the packets includes identifying individual flows to which individual ones of the packets belong.
  - 39. The computer-implemented method of claim 29, wherein if while classifying a packet said packet'"'"'s directionality cannot be determined, then evaluating whether or not said packet would be intercepted for processing at L7 by evaluating said each packet on the basis of said packet'"'"'s L2-L4 information as if it reflected a first directionality and as if it reflected a second directionality, and, if in either case said packet would be classified for processing at L7, then breaking a connection associated with said packet.
  - 40. The computer-implemented method of claim 29, wherein the packet classification rules are organized so that rules most likely to match received packet L2-L4 information are evaluated before other rules.
  - 41. The computer-implemented method of claim 40, wherein rules associated with previously classified flows are evaluated prior to other rules.
  - 42. The computer-implemented method of claim 29, wherein classifying packets comprises determining whether or not the packets are associated with previously classified flows and, if so, evaluating the packets according to rules associated with the previously classified flows, otherwise determining if the packets are associated with new connections and establishing flow state information for said new connections.

43. A computer-implemented method, comprising classifying network traffic on a most specific match basis for OSI Layer-2 to Layer-4 (L2-L4) information obtained from packets, said L2-L4 information being evaluated for service listeners configured for a network appliance at which the traffic is received, and using results of classifications so obtained when processing the network traffic at OSI Layer-7.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50)
- - 44. The computer-implemented method of claim 43, wherein the most specific match basis evaluates packet L2-L4 information so as to find a listener having a smallest port range which contains a port number identified in the packet L2-L4 information.
  - 45. The computer-implemented method of claim 44, wherein the listener having the smallest port range comprises a listener having the same port number as identified in the packet L2-L4 information.
  - 46. The computer-implemented method of claim 43, wherein the most specific match basis evaluates OSI Layer-3 (L3) and L4 information included in the L2-L4 information as a single entity.
  - 47. The computer-implemented method of claim 43, wherein the network traffic is further classified according to flow-state directionality.
  - 48. The computer-implemented method of claim 47, wherein flow-state directionality is evaluated for both a forward direction flow state and a reverse direction flow state when a packet flow state cannot otherwise be determined.
  - 49. The computer-implemented method of claim 47, wherein flow-state directionality is evaluated when initial packets of a connection are received and processed at the network appliance.
  - 50. The computer-implemented method of claim 43, wherein classification decisions are informed, at least in pant, by rules which define network policies, each of said rules defined by matching criteria stored in per-rule databases.

51. A method, comprising classifying packets received at a network device according to sets of packet classification rules having associated matching criteria for OSI Layer 2-Layer 4 (L2-L4) information obtained from the packets and taking action on the packets in accordance with matching ones of the packet classification rules, unless for a given interface of the network device on which one or more of the packets is received, the network device is configured to reject inbound packets, in which case for inbound ones of the packets received on the given network interface, dropping said inbound packets.

52. A method, comprising classifying packets received at a network device according to sets of packet classification rules having associated matching criteria for OSI Layer 2-Layer 4 (L2-L4) information obtained from the packets and taking action on the packets in accordance with matching ones of the packet classification rules, unless for a given interface of the network device on which one or more of the packets is received, the network device is configured to (i) not reject inbound packets and (ii) not allow interception of packets, in which case for those of the packets received on the given network interface, bypassing said one or more packets.

53. A method, comprising:
- at a network device configured to classify packets on the basis of OSI Layer 2-Layer 4 (L2-L4) information obtained from the packets and according to sets of packet classification rules having associated matching criteria, intercepting one or more of the packets for processing at OSI Layer 7 (L7) at the network device, provided for a given interface of the network device on which the one or more of the packets are received, the network device is configured to (i) not reject inbound packets and (ii) allow interception of packets.

54. A method, comprising classifying, at a network device, packets associated with traffic flows received at the network device according to (i) sets of packet classification rules having associated matching criteria for packet state information, and (ii) traffic flow state information stored at the network device;
- and taking action on the packets in accordance with matching ones of the packet classification rules and according to state information associated with the traffic flows to which the packets acted upon belong, wherein the packet state information includes some or all of OSI Layer 2-Layer 4 (L2-L4) information obtained from the packets, heuristics and/or statistical measures that can later aid in higher layer processing of the packets at the network device.
- View Dependent Claims (55)
- - 55. The method of claim 54, wherein taking action on the packets results in one or more of:
    - dropping some or all of the packets silently, dropping some or all of the packets with a notification to a sender thereof, allowing some or all of the packets to proceed from the network device to a destination, intercepting some or all of the packets at the network device for further processing at L7, or forwarding some or all of the packets to another network device identified as being associated with a subject connection to which those of the packets so forwarded belong.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Frederick, Ronald, Tomic, Gary, Li, Qing, Huang, Yusheng

Granted Patent

US 8,639,837 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/236
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/193   at the transport layer, e.g...

H04L 47/20   Traffic policing

H04L 47/2433   Allocation of priorities to...

H04L 47/2441   relying on flow classificat...

H04L 47/32   by discarding or delaying d...

H04L 63/0227   Filtering policies mail mes...

H04L 69/22   Parsing or analysis of headers

SYSTEM AND METHOD OF TRAFFIC INSPECTION AND CLASSIFICATION FOR PURPOSES OF IMPLEMENTING SESSION ND CONTENT CONTROL

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

244 Citations

55 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD OF TRAFFIC INSPECTION AND CLASSIFICATION FOR PURPOSES OF IMPLEMENTING SESSION ND CONTENT CONTROL

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

244 Citations

55 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others