DISTRIBUTED NETWORK CONNECTION POLICY MANAGEMENT
Abstract
A connection policy for a communications network has a local connection policy indicating which paths between a given one of the nodes (computer A, router A, host 898) and others of the nodes (computers B, C, filters B1, B2, C1, C2, hosts 890, 892) are allowable paths, by a symbolic expression of ranges of endpoint addresses, and other local connection policies in respect of other nodes. It is implemented in a distributed manner by determining, for the given node, which of the allowable paths are dual authorised, that is, also indicated as allowable by the other local connection policy relating to the other node at the other end of that path, by Boolean operations on the symbolic expressions. For a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorised. This can provide reassurance that changes in versions of the connection policy won't transiently open a risk of undetected unwanted communication.
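The following is an added worked example, not code from the patent or its assignee, of the mechanism the abstract describes: each node holds a local policy written as symbolic path expressions over address ranges, the dual-authorised set is derived by Boolean AND of a node's expressions with those of the node at the other end, and every message is checked independently at both ends. The representation is an assumption for illustration: a node is identified by an IPv4 CIDR range, a path expression is (source range, destination range, inclusive port range), and a message is a (source IP, destination IP, port) triple. The policy versions in the scenario are constructed to show that raising one node's version never opens a path until the far end consents too, and that withdrawing consent at either end closes the path at once.

```python
"""Toy model of a distributed, dual-authorised connection policy (added example).

Assumptions (not from the patent): nodes are identified by an IPv4 range, a local
policy is a list of Path expressions (src range, dst range, inclusive port range),
and a message is a (src_ip, dst_ip, port) triple.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Path:
    """Symbolic expression for a set of flows: src range, dst range, port range."""
    src: Net
    dst: Net
    ports: Tuple[int, int]  # inclusive (low, high)

    def contains(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.ports[0] <= port <= self.ports[1])


def _net_and(a: Net, b: Net) -> Optional[Net]:
    # Two CIDR blocks either nest or are disjoint, so their AND is the narrower one.
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def path_and(a: Path, b: Path) -> Optional[Path]:
    """Boolean AND of two path expressions; None when they share no flow."""
    src, dst = _net_and(a.src, b.src), _net_and(a.dst, b.dst)
    lo, hi = max(a.ports[0], b.ports[0]), min(a.ports[1], b.ports[1])
    if src is None or dst is None or lo > hi:
        return None
    return Path(src, dst, (lo, hi))


@dataclass
class Node:
    """A connection control node (filter, switch or router) with its own local policy."""
    name: str
    addr: Net
    version: int
    local_policy: List[Path]

    def _endpoints_match(self, p: Path, peer: "Node") -> bool:
        # The path must run between this node and the peer, in either direction.
        return ((p.src.subnet_of(self.addr) and p.dst.subnet_of(peer.addr))
                or (p.dst.subnet_of(self.addr) and p.src.subnet_of(peer.addr)))

    def dual_authorised(self, nodes: Sequence["Node"]) -> List[Path]:
        """Paths this node allows that the node at the other end also allows."""
        out: List[Path] = []
        for mine in self.local_policy:
            for peer in nodes:
                if peer is self:
                    continue
                for theirs in peer.local_policy:
                    both = path_and(mine, theirs)
                    if both and self._endpoints_match(both, peer) and both not in out:
                        out.append(both)
        return out

    def permits(self, nodes: Sequence["Node"], src_ip: str, dst_ip: str, port: int) -> bool:
        return any(p.contains(src_ip, dst_ip, port) for p in self.dual_authorised(nodes))


def node_for(nodes: Sequence[Node], ip: str) -> Node:
    addr = ipaddress.ip_address(ip)
    return next(n for n in nodes if addr in n.addr)


def deliver(nodes: Sequence[Node], src_ip: str, dst_ip: str, port: int) -> bool:
    """A message passes only if BOTH end nodes independently find the path dual authorised."""
    a, b = node_for(nodes, src_ip), node_for(nodes, dst_ip)
    return a.permits(nodes, src_ip, dst_ip, port) and b.permits(nodes, src_ip, dst_ip, port)


def scenario() -> Dict[str, bool]:
    """Constructed policy versions: a version change never transiently opens a path."""
    A, B, C = Net("10.0.1.0/24"), Net("10.0.2.0/24"), Net("10.0.3.0/24")
    a = Node("A", A, 1, [Path(A, B, (443, 443))])
    b = Node("B", B, 1, [Path(A, B, (1, 65535))])  # B accepts anything from A
    c = Node("C", C, 1, [])                          # C allows nothing yet
    nodes = [a, b, c]
    r: Dict[str, bool] = {}
    r["v1 A->B:443"] = deliver(nodes, "10.0.1.5", "10.0.2.7", 443)
    r["v1 A->B:80"] = deliver(nodes, "10.0.1.5", "10.0.2.7", 80)    # A only allows 443
    a.version, a.local_policy = 2, a.local_policy + [Path(A, C, (22, 22))]
    r["A v2 alone A->C:22"] = deliver(nodes, "10.0.1.5", "10.0.3.9", 22)  # C not yet updated
    c.version, c.local_policy = 2, [Path(A, C, (22, 22))]
    r["A v2, C v2 A->C:22"] = deliver(nodes, "10.0.1.5", "10.0.3.9", 22)
    b.version, b.local_policy = 2, []                # B withdraws its consent
    r["B v2 withdraws A->B:443"] = deliver(nodes, "10.0.1.5", "10.0.2.7", 443)
    return r


if __name__ == "__main__":
    for key, ok in scenario().items():
        print(f"{key:28s} {'ALLOW' if ok else 'DENY'}")
```

Note that `deliver` evaluates the check at both the source node and the destination node; in the patent's arrangement neither side trusts the other's conclusion, so a stale or partially rolled-out policy on one node cannot by itself open a path, only close one.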
19 Claims
1. A computer program on a computer readable medium for implementing a connection policy in a distributed manner in a communications network having a plurality of connection control nodes having filtering, switching or routing functions, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the computer program when executed being arranged to:
determine, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, and for a given message for a given path between two of the nodes having their own local connection policies, causing both of these nodes to determine whether the given path is currently dual authorised.
(Dependent claims 2 to 15 are not reproduced here.)

16. A method of implementing a connection policy in a distributed manner in a communications network having a plurality of connection control nodes having filtering, switching or routing functions, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the method having the steps of:
determining, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, and for a given message for a given path between two of the nodes having their own local connection policies, determining at both of these nodes whether the given path is currently dual authorised.

17. A data center having a number of physical host machines coupled by a network, the network having a plurality of connection control nodes having filtering, switching or routing functions, and local connection policy managers for configuring the connection control nodes to implement a connection policy in a distributed manner, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the local connection policy managers being arranged to:
determine, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, and configure the connection control nodes such that for a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorised.

18. A method of providing a service from a data center, the data center having a number of physical host machines coupled by a network, the network having a plurality of connection control nodes having filtering, switching or routing functions, and local connection policy managers for configuring the connection control nodes to implement a connection policy in a distributed manner, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the method having the steps of:
providing an application on one of the physical host machines to provide the service, and making the application accessible to users of the service by setting the connection policy and causing the local connection policy managers to: determine, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, and configure the connection control nodes such that for a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorised.

19. A method of using a service offered from a data center, the method having the steps of sending and receiving packets to and from the data center, and thereby causing the data center to implement a connection policy in a distributed manner, the data center having a communications network having a plurality of connection control nodes having filtering, switching or routing functions, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the data center having determined, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, and the method having the steps of sending a message to the data center, the message following a given path between two of the nodes having their own local connection policies, causing both of these nodes to determine whether the given path is currently dual authorised, and receiving a message as part of the service from another path between two of the nodes having their own local connection policies, if both of these nodes have determined that this path is currently dual authorised.
Specification