System and method for network service path analysis
First Claim
1. A method of creating a directed graph comprising nodes and edges of an IP network topology so that each edge may be queried for the transmissibility of a selected subset of the IP packet space, comprising:
- creating a rule mask for each edge of a directed graph encoding a Boolean value for each partition of a decomposition of the IP packet space indicating the transmissibility across that edge of all packets contained in the partition; and
annotating the edges of the directed graph with said rule mask.
2 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for network service path analysis analyze and manage the delivery of applications over a network. A program running on a computer utilizes a Layer 3 topology of a computer network to create a directed graph representing deliverability of packets across the network. By analyzing access control lists and firewall rule sets from the network, along with modeling routing protocol behavior and policy as packet filters, the program performs a series of matrix multiplications, using an optimized decomposition of the IP packet space. The resulting matrix contains all of the path information for all deliverable packets. The matrix populates a network path database that captures the set of packets deliverable between any pair of Internet Protocol addresses in the network.
105 Citations
13 Claims
-
1. A method of creating a directed graph comprising nodes and edges of an IP network topology so that each edge may be queried for the transmissibility of a selected subset of the IP packet space, comprising:
-
creating a rule mask for each edge of a directed graph encoding a Boolean value for each partition of a decomposition of the IP packet space indicating the transmissibility across that edge of all packets contained in the partition; and annotating the edges of the directed graph with said rule mask. - View Dependent Claims (2, 3)
-
-
4. A method of identifying the paths through an IP network over which selected packet sets may be delivered from a specified subnet to a specified subnet, comprising the steps of:
-
(a) creating a directed graph of the network topology comprising vertices, in which each directed graph vertex is selected from the set comprising a network device, an endpoint subnet, and a range of endpoint IP addresses, and in which each directed graph edge represents a nearest neighbor relation between a first device and a neighbor selected from the set comprising a second device, a subnet, and a range of endpoint IP addresses; (b) annotating each directed graph edge with a description of subsets of the IP address space that are configured to be transmissible across the edge; (c) creating a reachability matrix identifying for each vertex pair the subsets of the IP address space that are deliverable from one vertex to the other; (d) identifying edges of the graph that will permit the transmission of the packet set; (e) defining a head vertex and a tail vertex for a user-selected packet set transmission from a user-selected source device to a user-selected destination device; and (f) determining a path for the user-selected packet set transmission from the user-selected source device to the user-selected destination device. - View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
-
-
12. A method of annotating edges of a directed graph of an IP network topology for the transmission of packets and sets of packets via routing rules and packet filters, wherein the network comprises network devices and interfaces between the network devices, so that each edge of the directed graph may be queried for the transmissibility of a selected subset of the IP packet space, comprising the steps of:
-
(a) decomposing the IP packet space into partitions, each partition having the property that the intersection of any collection of packet sets defined by packet filters and routing rules in configurations of the network devices will be expressible as the union of partitions in the decomposition; (b) defining a rule mask for each edge; and (c) encoding a Boolean value for each said partition indicating the transmissibility across the edge of all packets contained in the partition.
-
-
13. A method of network service path analysis comprising the steps of:
-
(a) obtaining a list of device interface-to-interface relationships for a computer network; (b) obtaining a set of access control lists and rule sets from devices for the computer network; (c) creating a Layer 3 topology model from the device interface-to-interface relationships and association of packet filters on interfaces that defines each interface'"'"'s packet filter configuration, each interface having an inbound and an outbound direction; (d) defining a set of vertices for each Layer 3 device; (e) defining a set of vertices for each endpoint subnet in the computer network; (f) defining a vertex representing the public Internet; (g) creating a directed graph comprising nodes for each device that routes traffic and/or performs packet filtering and for each subnet that contains host computers that are either providers or consumers of services where deliverability is to be analyzed, wherein the directed graph also comprises edges for each Layer 3 link between each device that routes traffic and the subnets that contain host computers that are either providers or consumers of services where deliverability is to be analyzed; (h) defining two set of hyper-rectangles for each interface, one for the inbound and one for the outbound direction, representing sets of packets the interface'"'"'s packet filter configuration will either permit or deny across the interface; (i) defining a set of hyper-rectangles for each interface representing sets of packets for which the routing configuration of the network permits outbound delivery; (j) intersecting the hyper-rectangles defined for all interfaces by steps (h) and (i) to decompose the IP packet space into all hyper-rectangles that may result from the intersection of the hyper-rectangles defined for all interfaces by (h) and (i); (k) representing the decomposition of a d-dimensional space as a set of hyper-rectangles and a directed acyclic graph describing their subset relations; (l) representing all subsets of a hyper-rectangle in the decomposition of step (k) by means of a subset mask; (m) representing the disposition, permit or deny, of sets of packets across an interface as rule masks encoding permit or deny values for each hyper-rectangle in the decomposition of step (k); (n) calculating rules masks from hyper-rectangles defined in steps (h) and (i) and their associated subset masks; (o) computing a rule mask for each edge of the directed graph of step (g) by performing Boolean operations on the rule masks defined by (m) by matching the inbound set for the leading vertex of the edge with the outbound sets computed for the trailing vertex of the edge; (p) annotating each edge of the directed graph of step (g) with rule masks representing the deliverability of packets across the edge; (q) determining the deliverability of packets by computing the transitive closure of the directed graph of step (p) where the Boolean operators of Warshall'"'"'s algorithm are applied to the arrays of Boolean values annotated at each edge; (r) retrieving reachability for specific packet flows by means of a matrix of rule masks referencing the primary decomposition of the IP packet space; (s) retrieving path information for specific packet flows by means of a directed graph annotated with rule masks and a reachability matrix of rule masks referencing the primary decomposition of the IP packet space; and (t) retrieving the specific network device configuration elements that determined the deliverability or non-deliverability of specific packet flows by means of a directed graph annotated with rule masks and a reachability matrix of rule masks referencing the primary decomposition of the IP packet space.
-
Specification