DISTRIBUTED NETWORK CONNECTION POLICY MANAGEMENT

US 20100115101A1
Filed: 03/09/2009
Published: 05/06/2010
Est. Priority Date: 03/07/2008
Status: Active Grant

First Claim

Patent Images

1. A computer program on a computer readable medium for implementing a connection policy in a distributed manner in a communications network having a plurality of connection control nodes having filtering, switching or routing functions, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the computer program when executed being arranged to:

determine, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, andfor a given message for a given path between two of the nodes having their own local connection policies, causing both of these nodes to determine whether the given path is currently dual authorised.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A connection policy for a communications network has a local connection policy indicating which paths between a given one of the nodes (computer A, router A, host 898) and others of the nodes (computers B, C, filters B1, B2, C1, C2, hosts 890, 892) are allowable paths, by a symbolic expression of ranges endpoint addresses and other local connection policies in respect of other nodes. It is implemented in a distributed manner by determining, for the given node, which of the allowable paths, are dual authorised as allowable by the other local connection policy relating to the other node at the other end of that path, by Boolean operations on the symbolic expressions. For a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorised. This can provide reassurance that changes in versions of the connection policy won'"'"'t transiently open a risk of undetected unwanted communication.

288 Citations

19 Claims

1. A computer program on a computer readable medium for implementing a connection policy in a distributed manner in a communications network having a plurality of connection control nodes having filtering, switching or routing functions, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the computer program when executed being arranged to:
- determine, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, andfor a given message for a given path between two of the nodes having their own local connection policies, causing both of these nodes to determine whether the given path is currently dual authorised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The program of claim 1, the connection policy comprising rules having a monotonic effect in the sense that each additional rule can only increase the number of allowable paths, and paths can only be removed by removing rules.
  - 3. The program of claim 1 arranged to determine the dual authorised paths locally to the given node.
  - 4. The program of claim 1, the local connection policy representing allowable paths by symbolic expressions of ranges of endpoint addresses.
  - 5. The program of claim 4, the determination of the paths regarded as dual authorised paths by the given node comprising carrying out a boolean AND of the symbolic expressions for the local connection policy and for the other local connection policies to obtain an expression for the dual authorised paths as a function of node addresses.
  - 6. The program of claim 5, arranged to configure the given node to check for dual authorised paths using a store of endpoint node addresses, determined by substituting node addresses local to the given node into the expression for the dual authorised paths.
  - 7. The program of claim 1, the connection policy comprises a symbolic expression of ranges of endpoint addresses, and the program is also arranged to derive the local connection policy by partial evaluation of the symbolic expression using information associated with the given node.
  - 8. The program of claim 1 arranged to validate that the local connection policy does not violate a meta rule defining any paths which must not be allowed.
  - 9. The program of claim 1, the network being used for hosting multiple services, the program being arranged to cut over the multiple services to another version of the services at different addresses in the network by changing the connection policy so that a user of the services cannot be connected to old versions once connected to any of the new services.
  - 10. The program of claim 1, arranged to allow bidirectional communication on an allowable path.
  - 11. The program of claim 1, the network comprising a customer network implemented on shared infrastructure shared with other customers.
  - 12. The program of claim 11, the connection policy being generated by the customer.
  - 13. The program of claim 1, the network comprising a virtual network having virtual machines hosted by physical host machines coupled to form a physical network.
  - 14. The program of claim 1, the connection control nodes comprising any one or more of:
    - a filter with stored rules, a switch with a switching table, and a router with arouting table, and the program being arranged to update respectively the store of filter rules, or the switching table or the routing table, according to the determined dual authorised other nodes.
  - 15. The program of claim 1 the network comprising an IP network and the connection policy being represented in the form of which selections of IP addresses are allowed to communicate with other selections of IP addresses.

16. A method of implementing a connection policy in a distributed manner in a communications network having a plurality of connection control nodes having filtering, switching or routing functions, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the method having the steps of:
- determining, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, andfor a given message for a given path between two of the nodes having their own local connection policies, determining at both of these nodes whether the given path is currently dual authorised.

17. A data center having a number of physical host machines coupled by a network, the network having a plurality of connection control nodes having filtering, switching or routing functions, and local connection policy managers for configuring the connection control nodes to implement a connection policy in a distributed manner, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the local connection policy managers being arranged to:
- determine, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, andconfigure the connection control nodes such that for a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorised.

18. A method of providing a service from a data center, the data center having a number of physical host machines coupled by a network, the network having a plurality of connection control nodes having filtering, switching or routing functions, and local connection policy managers for configuring the connection control nodes to implement a connection policy in a distributed manner, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the method having the steps of:
- providing an application on one of the physical host machines to provide the service, and making the application accessible to users of the service by setting the connection policy and causing the local connection policy managers to;
  
  determine, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, andconfigure the connection control nodes such that for a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorised.

19. A method of using a service offered from a data center, the method having the steps of sending and receiving packets to and from the data center, and thereby causing the data center to implement a connection policy in a distributed manner, the data center having a communications network having a plurality of connection controlnodes having filtering, switching or routing functions, the connection policy comprising a local connection policy indicating which paths between a given one of the nodes and others of the nodes are allowable paths, and other local connection policies in respect of at least some of the other nodes, indicating their allowable paths, the data center having determined, for the given node, which of the allowable paths indicated as allowable by the local connection policy, are dual authorised in the sense of also being indicated as allowable by the other local connection policy relating to the other node at the other end of that path, and the method having the steps ofsending a message to the data center, the message following a given path between two of the nodes having their own local connection policies, causing both of these nodes to determine whether the given path is currently dual authorised, andreceiving a message as part of the service from another path between two of the nodes having their own local connection policies, if both of these nodes have determined that this path is currently dual authorised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Goldsack, Patrick, Lain, Antonio

Granted Patent

US 9,178,850 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/227
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/40   using virtualisation of net...

H04L 45/02   Topology update or discovery

H04L 45/021   Ensuring consistency of rou...

H04L 45/308   Route determination based o...

H04L 45/586   of virtual routers

H04L 45/76   Routing in software-defined...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

DISTRIBUTED NETWORK CONNECTION POLICY MANAGEMENT

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

288 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED NETWORK CONNECTION POLICY MANAGEMENT

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

288 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links