TRACKING POLICY DECISIONS IN A NETWORK

US 20100312740A1
Filed: 06/09/2009
Published: 12/09/2010
Est. Priority Date: 06/09/2009
Status: Active Grant

First Claim

Patent Images

1. A data processing apparatus, comprising:

policy component logic and configured to;

inspect one or more data packets which are received from one or more of said interfaces; and

make a networking policy decision based, at least in part, on;

one or more available policy rules; and

information contained in the one or more inspected data packets;

policy data collection logic coupled to the policy component logic and configured to;

create one or more policy data records based, at least in part, on the network policy decision; and

store said policy data records, wherein each of the policy data records comprises data identifying the networking policy decision.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus is disclosed for creating and storing policy data records comprising data identifying network policy decisions. After a data packet is received, a network policy decision is made based on information in the packet and one or more network policies. A policy data record identifying the network policy decision is created, and the policy data record is stored.

Citations

20 Claims

1. A data processing apparatus, comprising:
- policy component logic and configured to;
  
  inspect one or more data packets which are received from one or more of said interfaces; and
  
  make a networking policy decision based, at least in part, on;
  
  one or more available policy rules; and
  
  information contained in the one or more inspected data packets;
  
  policy data collection logic coupled to the policy component logic and configured to;
  
  create one or more policy data records based, at least in part, on the network policy decision; and
  
  store said policy data records, wherein each of the policy data records comprises data identifying the networking policy decision.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1 wherein the policy data collection logic is configured to record, in each of the policy data records, data comprising:
    - a record type value that identifies a format of the policy data records;
      
      a policy data collection point identifier that identifies the apparatus;
      
      a policy enforcement point identifier that identifies a first component that requested and enforced the networking policy decision;
      
      a policy decision point identifier that identifies a second component that made the networking policy decision;
      
      a target type value that identifies a type of the target of the networking policy decision;
      
      a target identifier that identifies the target of the networking policy decision;
      
      a rule identifier that uniquely identifies one or more policy rules that were enforced;
      
      a verdict value that indicates a result of applying the one or more policy rules; and
      
      a time stamp indicating when the policy data record was generated.
  - 3. The apparatus of claim 2, wherein the policy data collection logic is further configured to record, in each of the policy data records, a plurality of rule indicators.
  - 4. The apparatus of claim 2, wherein the rule identifier comprises a transaction identifier that identifies a transaction involving a plurality of previously applied rules.
  - 5. The apparatus of claim 2, wherein each of the policy detail records further comprises a condition value specifying a condition of the one or more packets that triggered the networking policy decision.
  - 6. The apparatus of claim 2, wherein each of the first component and second component is identified by a unique component identifier that comprises a type value, a scope identifier value, a capability identifier, a policy component instance identifier that uniquely identifies a particular instance of the component, and a device identifier.
  - 7. The apparatus of claim 1, further comprising:
    - query component logic coupled to the one or more processors and configured to receive, from a requester via said one or more interfaces, a policy decision query comprising a query context which comprises hypothetical network state information;
      
      policy simulation logic coupled to the query component logic and configured to;
      
      make a policy decision based, at least in part, on said query context;
      
      create one or more policy data records based, at least in part, on the policy decision; and
      
      return, to the requester, one or more policy data records associated with the policy decision.
  - 8. The apparatus of claim 7 wherein the policy simulation logic is configured to provide in each of the policy data records one or more of:
    - a record type value that identifies a format of the policy data records;
      
      a policy data collection point identifier that identifies the apparatus;
      
      a policy enforcement point identifier that identifies a first component that requested and enforced the networking policy decision;
      
      a policy decision point identifier that identifies a component that made the networking policy decision;
      
      a target type value that identifies a type of the target of the networking policy decision;
      
      a target identifier that identifies the target of the networking policy decision;
      
      a rule identifier that uniquely identifies one or more policy rules that were enforced;
      
      a verdict value that indicates a result of applying the one or more policy rules;
      
      ora time stamp indicating when the policy data record was generated.
  - 9. The apparatus of claim 7, wherein:
    - policy configuration logic is further configured to determine that the policy decision query is directed to a policy enforcement point, and in response, to determine one or more policy decision points associated with the policy enforcement point;
      
      redirecting the policy decision query to each of said policy decision points;
      
      receive, as a response from each of said policy decision points, a policy data record;
      
      create a policy data record reflecting a decision based on said received policy data records;
      
      return said policy data record reflecting said decision.

10. A data processing apparatus, comprising:
- one or more processors;
  
  one or more interfaces coupled to the one or more processors;
  
  query component logic coupled to the one or more processors and configured to receive a policy decision query comprising a query context which comprises hypothetical network state information from said one or more interfaces and to determine, based, at least in part, on said query, one or more associated policy record collection points;
  
  policy component logic coupled to the query component logic and configured to forward the query to one or more policy record collection points; and
  
  policy trace logic coupled to the one or more processors and configured to receive one or more policy data records that describe one or more policy decisions based, at least in part, on said query context, performed by said one or more policy record collection points.
- View Dependent Claims (11, 12, 13, 18, 19, 20)
- - 11. The apparatus of claim 10, wherein the policy decision query is made up of one or more of:
    - a policy query target identifier that identifies one or more policy components at which the query is directed.a policy enforcement target identifier that identifies the subject on which the policy is to be enforced;
      
      a trigger value, identifying an event that may trigger a policy decision;
      
      ora query context identifying a hypothetical network state to be used for logically overriding the state of one or more network devices.
  - 12. The apparatus of claim 10, wherein the query component logic is further configured to determine each network device in a network path based, at least in part, on said query context;
    - send a policy decision query to one or more policy enforcement points associated with each corresponding network device in said network path;
      
      receive, from each policy enforcement point, one or more policy data records;
      
      concatenate each of said one or more policy data records from each of said policy enforcement points; and
      
      return the concatenation of policy data records.
  - 13. The apparatus of claim 10, wherein the query component logic is further configured to determine each network device in a network path based, at least in part, on said query context;
    - send a policy decision query to one or more policy decision points associated with each corresponding network device in said network path;
      
      receive, from each policy decision point, one or more policy data records;
      
      concatenate each of said one or more policy data records from each of said policy decision points; and
      
      return the concatenation of policy data records to the requestor.
  - 18. A computer-readable medium as recited in claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving a policy decision query comprising a query context which comprises hypothetical network state information from said one or more interfaces and to determine, based, at least in part, on said query, one or more associated policy record collection points;
      
      forwarding the query to one or more policy record collection points; and
      
      receiving one or more policy data records that describe one or more policy decisions based, at least in part, on said query context, performed by said one or more policy record collection points.
  - 19. The computer readable medium of claim 18, wherein the policy decision query is made up of one or more of:
    - a policy query target identifier that identifies one or more policy components at which the query is directed.a policy enforcement target identifier that identifies the subject on which the policy is to be enforced;
      
      a trigger value, identifying an event that may trigger a policy decision;
      
      or a query context identifying a hypothetical network state to be used for logically overriding the state of one or more network devices.
  - 20. The computer-readable medium as recited in claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform:
    - determining each network device in a network path based, at least in part, on said query context;
      
      sending a policy decision query to one or more policy enforcement points associated with each corresponding network device in said network path;
      
      receiving, from each policy enforcement point, one or more policy data records;
      
      concatenating each of said one or more policy data records from each of said policy enforcement points; and
      
      returning the concatenation of policy data records.

14. A computer-readable medium carrying one or more sequences of instructions for processing policy based network related data, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- inspecting one or more data packets which are received from one or more interfaces;
  
  making a networking policy decision based, at least in part, on;
  
  one or more available policy rules; and
  
  information contained in the one or more inspected data packets;
  
  creating one or more policy data records based, at least in part, on the network policy decision; and
  
  storing said policy data records in a volatile or non-volatile storage device, wherein each of the policy data records comprises data identifying the networking policy decision.
- View Dependent Claims (15, 16, 17)
- - 15. The computer readable medium of claim 14 further comprising instructions which, when executed by the one or more processors, cause the one or more processors to record, in each of the policy data records, data comprising:
    - a record type value that identifies a format of the policy data records;
      
      a policy data collection point identifier that identifies the apparatus;
      
      a policy enforcement point identifier that identifies a first component that requested and enforced the networking policy decision;
      
      a policy decision point identifier that identifies a second component that made the networking policy decision;
      
      a target type value that identifies a type of the target of the networking policy decision;
      
      a target identifier that identifies the target of the networking policy decision;
      
      a rule identifier that uniquely identifies one or more policy rules that were enforced;
      
      a verdict value that indicates a result of applying the one or more policy rules; and
      
      a time stamp indicating when the policy data record was generated.
  - 16. The computer readable medium of claim 15, wherein each of the first component and second component is identified by a unique component identifier that comprises a type value, a scope identifier value, a capability identifier, a policy component instance identifier that uniquely identifies a particular instance of the component, and a device identifier.
  - 17. The computer readable medium of claim 14 further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - determine that the policy decision query is directed to a policy enforcement point;
      
      in response to determining that the policy decision query is directed to a policy enforcement point, determining one or more policy decision points associated with the policy enforcement point;
      
      redirecting the policy decision query to each of said policy decision points;
      
      receiving, as a response from each of said policy decision points, a policy data record;
      
      creating a policy data record reflecting a decision based on said received policy data records;
      
      returning said policy data record reflecting said decision.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Clemm, L. Alexander, Narayan, Kaushik, McMcloghrie, Keith

Granted Patent

US 8,266,088 B2
Time in Patent Office

Days
Field of Search
US Class Current

706/47
CPC Class Codes

H04L 47/70 Admission control; Resource...

TRACKING POLICY DECISIONS IN A NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRACKING POLICY DECISIONS IN A NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links