NETWORK ADAPTER BASED ZONING ENFORCEMENT

US 20090164630A1
Filed: 12/19/2007
Published: 06/25/2009
Est. Priority Date: 12/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing network zoning at an end point device connected to a network, the method comprising:

receiving a set of addresses to which the end-point device has access to by the end point device;

saving the set of addresses in a table at the end point device;

monitoring all communications sent and received by the end point device, the monitoring being performed by the end point device;

discarding communications that are received by the end point device and that do not include an address from the table as a source address; and

discarding communications that are attempted to be sent by the end point device but do not include an address from the table as a destination address.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention are directed to enforcing zoning at a network adapter of an end point device. Thus, a network adapter can monitor the communications that are sent and/or received by the adapter and discard communications that are prohibited based on the zoning rules applicable to the adapter. In some embodiments, zoning configuration information can be defined and stored at a central entity and sent to the various network adapters. Alternatively, or in addition, each network adapter can also check outgoing communications to ensure that they include a proper source address. More specifically, outgoing communications may be checked to ensure that their source address is the address (or one of the addresses) that are associated with the network adapter. This can be used to detect and/or prevent malfunctions and/or intentional tampering or hacking.

Citations

33 Claims

1. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
- receiving a set of addresses to which the end-point device has access to by the end point device;
  
  saving the set of addresses in a table at the end point device;
  
  monitoring all communications sent and received by the end point device, the monitoring being performed by the end point device;
  
  discarding communications that are received by the end point device and that do not include an address from the table as a source address; and
  
  discarding communications that are attempted to be sent by the end point device but do not include an address from the table as a destination address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the network is connected to a plurality of end point devices, the plurality of end point devices including the end point device and each being associated with a respective address, the method further comprising:
    - assigning the plurality of end point devices to a plurality of zones, so that the end point device is a member of one or more zones;
      
      composing the set of addresses to which the end point device has access to, by selecting the addresses associated with all devices of the plurality of end point devices that are members of the one or more zones the end point device is a member of; and
      
      sending the set of addresses to which the end point device has access to to the end point device.
  - 3. The method of claim 2, wherein one or more of the plurality of end point devices are each associated with a plurality of addresses.
  - 4. The method of claim 2, wherein the sending of the set of addresses is performed through the network.
  - 5. The method of claim 4, wherein the composing and sending is personnel by a zoning database entity which is connected to the end point device through the network.
  - 6. The method of claim 2, further including performing the receiving, saving, monitoring and both discarding steps by every end point device of the plurality of end point devices.
  - 7. The method of claim 1, further including discarding communications that are attempted to be sent by the end point device and that do not include an address associated with the end point device as a source address.
  - 8. The method of claim 1, wherein the receiving, saving, monitoring and both discarding steps are performed by a network adapter of the end point device.
  - 9. The method of claim 8, wherein the network adapter is an HBA.
  - 10. The method of claim 9, wherein the network is a Fibre Channel network.
  - 11. The method of claim 9, wherein the network is an SAS network.
  - 12. The method of claim 8, wherein the network adapter is an FCoE adapter and the network is an FCoE network.

13. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
- receiving a set of addresses to which the end-point device has access to by the end point device;
  
  saving the set of addresses in a table at the end point device;
  
  monitoring all communications received by the end point device, the monitoring being performed by the end point device; and
  
  discarding communications that are received by the end point device and that do not include an address from the table as a source address.

14. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
- receiving a set of addresses to which the end-point device has access to by the end point device;
  
  saving the set of addresses in a table at the end point device;
  
  monitoring all communications sent by the end point device, the monitoring being performed by the end point device; and
  
  discarding communications that are attempted to be sent by the end point device but do not include an address from the table as a destination address.

15. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
- assigning an one or more addresses to the end point device;
  
  monitoring all communications sent by the end point device, the monitoring being performed by the end point device; and
  
  discarding communications that are attempted to be sent by the end point device but do not include an address that is among the one or more assigned addresses as a source address.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein the monitoring and discarding are performed by a network adapter.
  - 17. The method of claim 16, where the network is an FCoE network and the address is an N_Port_ID address.

18. A network adapter comprising:
- a network processing module connected to a network, including a memory and configured to process, send and receive network communications;
  
  a zoning enforcement module connected to the network processing module and configured to;
  
  receive a set of addresses to which the network adapter has access to;
  
  save the set of addresses in a table in the memory;
  
  monitor all communications sent and received by the network processing module;
  
  discard communications that are received by the network processing module and that do not include an address from the table as a source address; and
  
  discard communications that are attempted to be sent by the network processing module but do not include an address from the table as a destination address.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. A device including the network adapter of claim 18, wherein the device utilizes the network adapter for network communications and the set of devices the network adapter has access to is also a set of devices the device has access to.
  - 20. The device of claim 19, wherein the device is a computer.
  - 21. A network comprising:
    - a plurality of end point devices, one of the plurality of end point devices being the device of claim 19 (the device), wherein each end point device is associated with a respective address; and
      
      a zoning database entity configured toassign the plurality of end point devices to a plurality of zones, so that the device is a member of one or more zones,compose the set of addresses to which the device has access to, by selecting the addresses of all devices of the plurality of end point devices that are members of the one or more zones the device is a member of, andsend the set of addresses to which the device has access to to the device.
  - 22. The network of claim 21, wherein one or more of the plurality of end point devices are each associated with a plurality of addresses.
  - 23. The network of claim 21, wherein the zoning database entity sends the set of addresses the device has access to to the device through the network.
  - 24. The network adapter of claim 18, wherein the zoning enforcement module is further configured to discard communications that are attempted to be sent by the network processing module and that do not include an address associated with the network adapter as a source address.
  - 25. The network adapter of claim 18, wherein the network adapter is an HBA.
  - 26. The network adapter of claim 25, wherein the network is a Fibre Channel network.
  - 27. The network adapter of claim 25, wherein the network is an SAS network.
  - 28. The network adapter of claim 18, wherein the network adapter is an ECoB adapter and the network is an FCoE network.

29. A network adapter comprising:
- a network processing module connected to a network, including a memory and configured to process, send and receive network communications;
  
  a zoning enforcement module connected to the network processing module and configured to;
  
  receive a set of addresses to which the network adapter has access to;
  
  save the set of addresses in a table in the memory;
  
  monitor all communications sent by the network processing module; and
  
  discard communications that are attempted to be sent by the network processing module but do not include an address from the table as a destination address.

30. A network adapter comprising:
- a network processing module connected to a network, including a memory and configured to process, send and receive network communications;
  
  a zoning enforcement module connected to the network processing module and configured to;
  
  receive a set of addresses to which the network adapter has access to;
  
  save the set of addresses in a table in the memory;
  
  monitor all communications received by the network processing module; and
  
  discard communications that are received by the network processing module and that do not include an address from the table as a source address.

31. A network adapter associated with one or more addresses and comprising:
- a network processing module connected to a network, including a memory and configured to process, send and receive network communications;
  
  a self checking module connected to the network processing module and configured to;
  
  monitor all communications sent by the network processing module; and
  
  discard communications that are attempted to be sent by the network processing module but do not include an address among the one or more addresses associated with the network adapter as a source address.

32. A method for enforcing network zoning at a network comprising a plurality of end point devices, each end point device being associated with one or more addresses, at least one end point device being associated with two or more addresses, each combination of an end point device and an address associated therewith defining an effective device, the plurality of end point devices thus defining a plurality of effective devices, the method comprising:
- assigning the plurality of effective devices to a plurality of zones, so that the each effective device is a member of one or more zones;
  
  composing a plurality of sets of addresses each set of addresses being associated with a respective effective device and including the addresses of all effective devices which are members of at least one zone the respective effective device is a member of;
  
  sending each set of addresses to its respective effective device; and
  
  for each effective devicereceiving a set of addresses to which the effective device has access to,saving the set of addresses in a table,monitoring all communications sent and received by the effective device,discarding communications that are received by the effective device and that do not include an address from the table as a source address, anddiscarding communications that are attempted to be sent by the effective device but do not include an address from the table as a destination address.

33. A network comprising:
- a plurality of end point devices, each end point device being associated with one or more addresses, at least one end point device being associated with two or more addresses, each combination of an end point device and an address associated therewith defining an effective device, the plurality of end point devices thus defining a plurality of effective devices; and
  
  a zoning database entity configured toassign the plurality of effective devices to a plurality of zones, so that the each effective device is a member of one or more zones,compose a plurality of sets of addresses each set of addresses being associated with a respective effective device and including the addresses of all effective devices which are members of at least one zone the respective effective device is a member of, andsend each set of addresses to its respective effective device,wherein each effective device is configured to;
  
  receive a set of addresses to which the effective device has access to,save the set of addresses in a table,monitor all communications sent and received by the effective device,discard communications that are received by effective device and that do not include an address from the table as a source address, anddiscard communications that are attempted to be sent by the effective device but do not include an address from the table as a destination address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Emulex Design & Manufacturing Corp. (Broadcom, Inc.)
Inventors
Nixon, Robert Harvey, HIRATA, Kenneth Hiroshi

Granted Patent

US 8,762,513 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 43/08   Monitoring or testing based...

H04L 45/74   Address processing for routing

H04L 47/70   Admission control; Resource...

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

NETWORK ADAPTER BASED ZONING ENFORCEMENT

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK ADAPTER BASED ZONING ENFORCEMENT

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links