METHOD AND DEVICE FOR PROCESSING SOURCE ROLE INFORMATION

US 20130064247A1
Filed: 05/24/2011
Published: 03/14/2013
Est. Priority Date: 05/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method for processing source role information, applied to a network comprising an Ingress device and an Egress device, comprising:

an Ingress device receiving a packet from user equipment and, determining a source role tag according to source information of the packet, inserting the source role tag into the packet as an inner Virtual Local Area Network (VLAN) tag of the packet, and forwarding the packet, wherein the source role tag corresponds to a role of the user equipment;

if there are one or more intermediate devices between the Ingress device and the Egress device, the intermediate device or intermediate devices forwarding the packet to the Egress device, said intermediate device or intermediate devices keeping the source role tag unchanged during said forwarding;

the Egress device receiving the packet, obtaining the source role tag from the inner VLAN tag of the packet, and performing role based access control processing for the packet based on said source role tag.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for processing source role information in which a source role tag is inserted into a packet as an inner VLAN tag of the packet and used to perform role based access control processing for the packet.

Citations

20 Claims

1. A method for processing source role information, applied to a network comprising an Ingress device and an Egress device, comprising:
- an Ingress device receiving a packet from user equipment and, determining a source role tag according to source information of the packet, inserting the source role tag into the packet as an inner Virtual Local Area Network (VLAN) tag of the packet, and forwarding the packet, wherein the source role tag corresponds to a role of the user equipment;
  
  if there are one or more intermediate devices between the Ingress device and the Egress device, the intermediate device or intermediate devices forwarding the packet to the Egress device, said intermediate device or intermediate devices keeping the source role tag unchanged during said forwarding;
  
  the Egress device receiving the packet, obtaining the source role tag from the inner VLAN tag of the packet, and performing role based access control processing for the packet based on said source role tag.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - after receiving a verification request of the user equipment, forwarding, by the Ingress device, the verification request to an access verification server, obtaining source role information of the user equipment issued by the access verification server, converting the source role information of the user equipment into the inner VLAN tag, and applying a corresponding relation between the Ingress device'"'"'s ingress port receiving the verification request and the inner VLAN tag to a hardware plane of the Ingress device;
      
      whereindetermining the source role tag according to the source information of the packet comprises;
      
      determining the source role tag corresponding to the Ingress device'"'"'s ingress port receiving the verification request according to the corresponding relation applied to the hardware plane of the Ingress device.
  - 3. The method of claim 1, further comprising:
    - forwarding, by a common device, a verification request of the user equipment to an access verification server, obtaining source role information of the user equipment issued by the access verification server, and transmitting a corresponding relation between the source role information of the user equipment and source address information or protocol number of the verification request to the Ingress device;
      
      applying, by the Ingress device, the corresponding relation between the source role tag corresponding to the source role information of the user equipment and the source address information or protocol number of the verification request to a hardware plane of the Ingress device;
      
      whereindetermining the source role tag according to the source information of the packet comprises;
      
      determining the source role tag corresponding to the source address information or protocol number of the packet according to the corresponding relation applied to the hardware plane of the Ingress device.
  - 4. The method of claim 1, wherein performing role based access control processing for the packet comprises:
    - determining, by the Egress device, destination role information of the packet, matching the source role tag and the destination role information with items in a Role Based Access Control List (RBACL), and performing access control processing for the packet according to a matching result.
  - 5. The method of claim 4, further comprising:
    - after receiving a verification request of a resource side device, forwarding, by the Egress device, the verification request to the access verification server, obtaining destination role information of the resource side device issued by the access verification server, and applying a corresponding relation between source address information of the verification request and the destination role information of the resource side device to a hardware plane of the Egress device;
      
      obtaining a role based control policy from the access verification server, wherein the destination role information of the resource side device issued by the access verification server is taken as destination role information;
      
      converting source role information into the source role tag, obtaining a RBACL, and applying the RBACL to the hardware plane of the Egress device;
      
      wherein, the RBACL contains source role tag, destination role information and access control mode;
      
      determining the destination role information of the packet from the user equipment comprises;
      
      determining the destination role information corresponding to the destination address information of the packet from the user equipment according to the corresponding relation applied to the hardware plane of the Egress device;
      
      performing, by the Egress device, matching processing according to the RBACL applied to the hardware plane of the Egress device.
  - 6. The method of claim 1, wherein when the source role tag is taken as the inner VLAN tag, a Tag Protocol Identity (TPID) of the inner VLAN tag is configured as a preset value unequal to 0X8100;
    - keeping, by the intermediate device, the inner VLAN tag unchangeable when determining that the TPID of the inner VLAN tag of the packet is the preset value;
      
      obtaining, by the Egress device, the source role tag as the inner VLAN tag from the packet when determining that the TPID of the inner VLAN tag of the packet is the preset value.
  - 7. The method of claim 1, wherein forwarding processing performed by the Ingress device and the intermediate device comprises:
    - A1) if the packet does not contain an outer VLAN tag (Vtag), determining the Vtag of the packet, inserting the Vtag into the packet, and performing a step A2);
      
      if the packet contains a Vtag, directly performing the step A2);
      
      A2) searching a layer-2 or layer-3 forwarding list according to the Vtag contained in the packet and the destination address information of the packet to determine an egress port;
      
      A3) stripping or not stripping the Vtag, and forwarding the packet containing the source role tag through the determined egress port.
  - 8. The method of claim 1, further comprising:
    - B1) if the packet does not contain a Vtag, deter mining, by the Egress device, the Vtag of the packet, inserting the Vtag into the packet, and performing a step B2);
      
      if the packet contains a Vtag, directly performing the step B2);
      
      B2) searching a layer-2 or layer-3 forwarding list according to the Vtag contained in the packet and the destination address information of the packet to determine an egress port;
      
      B3) stripping the source role tag of the packet, stripping or not stripping the Vtag, and forwarding the packet through the determined egress port when the access control processing indicates to forward the packet.

9. An Ingress device, comprising:
- a packet receiving unit, configured to receive a packet from user equipment;
  
  a role tag determining unit, configured to determine a source role tag according to source information of the packet, where the source role tag corresponds to a role of the user equipment;
  
  a role tag inserting unit, configured to insert the source role tag into the packet as an inner Virtual Local Area Network (VLAN) tag of the packet; and
  
  a forwarding processing unit, configured to forward the packet.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The Ingress device of claim 9, further comprising a verification processing unit and a first tag configuring unit;
    - whereinthe verification processing unit is configured to forward a verification request from the user equipment to an access verification server;
      
      the first tag configuring unit is configured to obtain source role information of the user equipment issued by the access verification server, convert the source role information of the user equipment into the source role tag, and applies a corresponding relation between the Ingress device'"'"'s ingress port receiving the verification request and source role tag to a hardware plane of the Ingress device;
      
      the role tag determining unit is configured to perform, according to the corresponding relation applied to the hardware plane of the Ingress device, an operation of determining the source role tag according to the source information of the packet, wherein the source information of the packet is the Ingress device'"'"'s ingress port receiving the packet.
  - 11. The Ingress device of claim 9, further comprising:
    - a role obtaining unit and a second tag configuring unit;
      
      whereinthe role obtaining unit is configured to obtain from a common device a corresponding relation between source role information of the user equipment and source address information or protocol number of the verification request, wherein the source role information of the user equipment is issued to the common device by the access verification server after the common device forwards the verification request of the user equipment to the access verification server;
      
      the second tag configuring unit is configured to apply the corresponding relation between the source role tag corresponding to the role information of the user equipment and the source address information or protocol number of the packet to the hardware plane of the Ingress device;
      
      the role tag determining unit is configured to perform, according to the corresponding relation applied to the hardware plane of the Ingress device, an operation of determining the source role tag according to the source information of the packet, wherein the source information of the packet is the source address information or protocol number of the packet.
  - 12. The Ingress device of claim 9, wherein when the role tag inserting unit inserts the source role tag into the packet as the inner VLAN tag of the packet of the packet, a Tag Protocol Identity (TPID) of the inner VLAN tag is configured as a preset value unequal to 0X8100.
  - 13. The Ingress device of claim 9, wherein the forwarding processing unit comprises:
    - an outer tag inserting sub-unit, configured to determine an outer Virtual Local Area Network (VLAN) tag (Vtag) of the packet when the packet received by the packet receiving unit does not contain the Vtag, and insert the Vtag into the packet;
      
      a forwarding list searching sub-unit, configured to search a layer-2 or layer-3 forwarding list according to the Vtag and destination address information contained in the packet which is received by the packet receiving unit or according to the Vtag and the destination address information contained in the packet which has been processed by the outer tag inserting sub-unit;
      
      an egress port processing sub-unit, configured to strip or not to strip the Vtag contained in the packet, and forward the packet containing the source role tag through a determined egress port.

14. An Egress device, comprising:
- a packet receiving unit, configured to receive a packet from user equipment;
  
  a role tag obtaining unit, configured to obtain a source role tag as an inner Virtual Local Area Network (VLAN) tag from the packet, wherein the source role tag corresponds to a role of the user equipment transmitting the packet;
  
  an access control unit, configured to perform role based access control processing for the packet according to the source role tag.
- View Dependent Claims (15, 16, 17)
- - 15. The Egress device of claim 14, wherein the access control unit comprises:
    - a destination role determining sub-unit, configured to determine destination role information of the packet;
      
      an access control matching sub-unit, configured to match the source role tag and the destination role information with items in a Role Based Access Control List (RBACL);
      
      an access control processing sub-unit, configured to perform access control processing for the packet according to a matching result of the access control matching sub-unit.
  - 16. The Egress device of claim 15, further comprising a verification processing unit, a destination role configuring unit, a control list obtaining unit and a control list configuring unit;
    - whereinthe verification processing unit is configured to forwards a verification request from a resource side device to an access verification server, and obtain destination role information of the resource side device issued by the access verification server;
      
      the destination role configuring unit is configured to apply a corresponding relation between source address information of the verification request from the resource side device and the destination role information of the resource side device to a hardware plane of the Egress device;
      
      the control list obtaining unit is configured to obtain a role based control policy;
      
      wherein, the role based control policy contains source role tag, destination role information and access control mode;
      
      the control list configuring unit is configured to convert the source role information into the source role tag, obtain the RBACL, and apply the RBACL to the hardware plane of the Egress device;
      
      wherein, the RBACL contains source role tag, destination role information and access control mode;
      
      the destination role determining sub-unit is configured to determine the destination role information corresponding to a destination address of the packet from the user equipment according to the corresponding relation applied to the hardware plane of the Egress device;
      
      the access control matching sub-unit is configured to perform matching processing for the RBACL applied to the hardware plane of the Egress device.
  - 17. The Egress device of claim 14, further comprising a forwarding processing unit;
    - wherein the forwarding processing unit comprises;
      
      an outer tag inserting sub-unit, configured to determine an outer Virtual Local Area Network (VLAN) tag (Vtag) of the packet when the packet received by the packet receiving unit does not contain the Vtag, and insert the Vtag into the packet;
      
      a forwarding list searching sub-unit, configured to search a layer-2 or layer-3 forwarding list according to the Vtag and the destination address information contained in the packet which is received by the packet receiving unit or according to the Vtag and the destination address information contained in the packet which has been processed by the outer tag inserting sub-unit;
      
      an egress port processing sub-unit, configured to strip the source role tag of the packet, and after stripping or not stripping the Vtag contained in the packet and when the access control unit determines to forward the packet, forward the packet through the determined egress port.

18. An intermediate device, comprising:
- a packet receiving unit, configured to receive a packet from an Ingress device or another intermediate device;
  
  a tag identifying unit, configured to identify an inner Virtual Local Area Network (VLAN) tag of the packet as a source role tag;
  
  a forwarding processing unit, configured to forward the packet and keep the inner VLAN tag unchanged when the tag identifying unit determines that the inner VLAN tag is a source role tag;
  
  whereinthe inner VLAN tag corresponds to a role of user equipment transmitting the packet.
- View Dependent Claims (19, 20)
- - 19. The intermediate device of claim 18, wherein the tag identifying unit determines that the inner VLAN tag is a source role tag when determining a Tag Protocol Identity (TPID) of the inner VLAN tag is a preset value unequal to 0X8100.
  - 20. The intermediate device of claim 18, wherein the forwarding processing unit comprises:
    - an outer tag inserting sub-unit, configured to determine an outer Virtual Local Area Network (VLAN) tag (Vtag) of the packet when the packet received by the packet receiving unit does not contain the Vtag, and insert the Vtag into the packet;
      
      a forwarding list searching sub-unit, configured to search a layer-2 or layer-3 forwarding list according to the Vtag and destination address information contained in the packet which is received by the packet receiving unit or according to the Vtag and the destination address information contained in the packet which has been processed by the outer tag inserting sub-unit;
      
      an egress port processing sub-unit, configured to forward the packet containing the source role tag through the determined egress port after stripping or not stripping the Vtag contained in the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hangzhou H3C Technologies Co Ltd (Tsinghua Holdings Co., Ltd.)
Inventors
Song, Yubing, Yang, Xiaopeng

Granted Patent

US 9,088,437 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4645   Details on frame tagging ro...

H04L 12/4675   Dynamic sharing of VLAN inf...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

METHOD AND DEVICE FOR PROCESSING SOURCE ROLE INFORMATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND DEVICE FOR PROCESSING SOURCE ROLE INFORMATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links