Policy Processing Method and Network Device

US 20140156823A1
Filed: 11/25/2013
Published: 06/05/2014
Est. Priority Date: 12/03/2012
Status: Active Grant

First Claim

Patent Images

1. A network device, comprising:

a mixed orchestrator configured to;

perform a mixed orchestration on all service rules corresponding to multiple service applications running on the network device so as to extract conditions of all the service rules, wherein each service rule comprises a condition and an action;

use the extracted conditions to construct at least one condition set; and

generate mapping relationship data for recording a mapping relationship between each service rule and the condition in the condition set;

a condition matcher configured to;

perform, according to each condition set constructed by the mixed orchestrator, condition matching on packet feature information of a network data packet received by the network device; and

output a condition matching result set, wherein the condition matching result set is used to record the condition that is matched successfully; and

a rule matcher configured to;

determine, according to the condition matching result set and the mapping relationship data generated by the mixed orchestrator, a service rule that is matched successfully; and

trigger a service application corresponding to the successfully matched service rule to execute an action corresponding to the successfully matched service rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy processing method and network device. The method includes: performing a mixed orchestration on all service rules corresponding to multiple services, so as to construct multiple condition sets; performing, according to the constructed multiple condition sets, unified condition matching on packet feature information of a received network packet, and outputting a condition matching result set; and calling, a service application to execute a policy action corresponding to each condition identifier in the condition matching result set. In solutions of the embodiments of the present invention, by performing a mixed orchestration on multiple service rules, all service rules are organized in a unified manner, information required by all services is extracted in one packet scanning process, and only one matching and rule verification process is required. Thereby, redundant operations between multiple services are reduced, and device integration and performance are improved.

156 Citations

20 Claims

1. A network device, comprising:
- a mixed orchestrator configured to;
  
  perform a mixed orchestration on all service rules corresponding to multiple service applications running on the network device so as to extract conditions of all the service rules, wherein each service rule comprises a condition and an action;
  
  use the extracted conditions to construct at least one condition set; and
  
  generate mapping relationship data for recording a mapping relationship between each service rule and the condition in the condition set;
  
  a condition matcher configured to;
  
  perform, according to each condition set constructed by the mixed orchestrator, condition matching on packet feature information of a network data packet received by the network device; and
  
  output a condition matching result set, wherein the condition matching result set is used to record the condition that is matched successfully; and
  
  a rule matcher configured to;
  
  determine, according to the condition matching result set and the mapping relationship data generated by the mixed orchestrator, a service rule that is matched successfully; and
  
  trigger a service application corresponding to the successfully matched service rule to execute an action corresponding to the successfully matched service rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The network device according to claim 1, wherein the mixed orchestrator comprises:
    - a rule splitting unit configured to split each of all the service rules into the condition and the action;
      
      a duplicate condition filtering and removing unit configured to extract the conditions obtained by splitting by the rule splitting unit and remove duplicate conditions;
      
      a condition classifying unit configured to classify conditions that are left after the duplicate conditions are removed by the duplicate condition filtering and removing unit so as to obtain at least one type of condition set; and
      
      a mapping unit configured to generate the mapping relationship data for recording a mapping relationship between each service rule and the condition in the condition set.
  - 3. The network device according to claim 2, wherein the mapping unit is configured to:
    - map each condition in the condition set to all service rules comprising the condition so as to establish the mapping relationship between each service rule and the condition in the condition set; and
      
      generate mapping relationship data for recording the mapping relationship.
  - 4. The network device according to claim 2, wherein the mapping unit is configured to:
    - record a mapping relationship between each service rule and the condition in the service rule when the rule splitting unit splits each of all the service rules into the condition and the action;
      
      adjust the recorded mapping relationship so that each condition in the condition set is mapped to all service rules comprising the condition after the duplicate conditions are removed by the duplicate condition filtering and removing unit; and
      
      generate mapping relationship data for recording the adjusted mapping relationship.
  - 5. The network device according to claim 2, wherein the mixed orchestrator further comprises a compiling unit configured to compile each of the all types of condition sets formed by classification by the condition classifying unit into a unified format, wherein the unified format is a format supported by the condition matcher, and wherein the condition matcher is configured to perform, according to the condition sets of the unified format compiled by the compiling unit, condition matching on the packet feature information of the network data packet received by the network device, and output the condition matching result set.
  - 6. The network device according to claim 1, wherein the condition matcher is configured to match the packet feature information of the network data packet received by the network device with the conditions in each condition set, and record an identifier of a successfully matched condition into the condition matching result set.
  - 7. The network device according to claim 6, further comprising an inspector configured to inspect the network data packet received by the network device to collect the packet feature information of the network data packet, wherein the condition matcher is configured to perform, according to each condition set constructed by the mixed orchestrator, condition matching on the packet feature information of the network data packet collected by the inspector, and output the condition matching result set.
  - 8. The network device according to claim 7, wherein the inspector comprises multiple packet processing units, wherein the multiple packet processing units are configured to jointly collect and obtain all packet feature information required by the multiple service applications from the network data packet.
  - 9. The network device according to claim 8, wherein the condition matcher is deployed in the multiple processing units in a distributed manner.
  - 10. The network device according to claim 1, wherein at least one service rule in all the service rules is a composite rule, wherein the composite rule is the service rule comprising multiple conditions, wherein the mixed orchestrator is further configured to record a logical relationship between the conditions in the composite rule, and wherein the rule matcher is configured to:
    - determine the service rule that is matched successfully according to the condition matching result set, the mapping relationship recorded by the mixed orchestrator, and the logical relationship between the conditions; and
      
      call the service application to which the successfully matched service rule belongs to execute an action corresponding to the successfully matched service rule.
  - 11. The network device according to claim 1, wherein at least one service rule in all the service rules is a composite rule, wherein the composite rule is the service rule comprising multiple conditions, wherein the mixed orchestrator is further configured to record a logical relationship between the conditions in the composite rule, and wherein the rule matcher is configured to:
    - determine the service rule that is matched successfully according to the condition matching result set, the mapping relationship recorded by the mixed orchestrator, and the logical relationship between the conditions; and
      
      send a rule hit message to the service application corresponding to the successfully matched service rule so that the service application executes an action corresponding to the successfully matched service rule according to the rule hit message.

12. A multi-service policy processing method, comprising:
- performing a mixed orchestration on all service rules corresponding to multiple service applications to extract conditions of all the service rules, wherein each service rule comprises a condition and an action;
  
  using the extracted conditions to construct at least one condition set;
  
  generating mapping relationship data for recording a mapping relationship between each service rule and the condition in the condition set;
  
  performing, according to each constructed condition set, condition matching on packet feature information of a received network data packet;
  
  outputting a condition matching result set, wherein the condition matching result set is used to record the condition that is matched successfully;
  
  determining, according to the condition matching result set and the generated mapping relationship data, the service rule that is matched successfully; and
  
  triggering the service application corresponding to the successfully matched service rule to execute the action corresponding to the successfully matched service rule.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method according to claim 12, wherein performing the mixed orchestration on all service rules corresponding to multiple service applications comprises:
    - splitting each of all the service rules into the condition and the action;
      
      generating mapping relationship data for recording a mapping relationship between each service rule and the condition in the service rule;
      
      extracting the conditions obtained by splitting;
      
      removing duplicate conditions;
      
      classifying conditions that are left after the duplicate conditions are removed so as to obtain at least one type of condition set; and
      
      adjusting the mapping relationship data so that each condition in the condition set is mapped to all service rules comprising the condition to obtain the mapping relationship data between the condition in the condition set and each service rule.
  - 14. The method according to claim 12, wherein performing the mixed orchestration on all service rules corresponding to multiple service applications comprises:
    - splitting each of all the service rules into the condition and the action;
      
      extracting the conditions obtained by splitting;
      
      removing duplicate conditions;
      
      classifying conditions that are left after the duplicate conditions are removed so as to obtain at least one type of condition set; and
      
      mapping each condition in the condition set to all service rules comprising the condition to obtain the mapping relationship data between the condition in the condition set and each service rule.
  - 15. The method according to claim 12, wherein performing, according to each constructed condition set, condition matching on packet feature information of the received network data packet and outputting a condition matching result set comprises:
    - performing a packet inspection on the received network data packet to obtain all packet feature information required by the multiple service applications;
      
      matching the extracted packet feature information with the conditions in each condition set; and
      
      recording an identifier of a successfully matched condition into the condition matching result set.
  - 16. The method according to claim 12, wherein at least one service rule in all the service rules is a composite rule, wherein the composite rule is the service rule comprising multiple conditions, wherein after the splitting each of all the service rules into the condition and the action, the method further comprises recording a logical relationship between the conditions in the composite rule, and wherein determining, according to the condition matching result set and the generated mapping relationship data, the service rule that is matched successfully, comprises determining the service rule that is matched successfully according to the condition matching result set, the mapping relationship, and the logical relationship between the conditions, and calling the service application to which the successfully matched service rule belongs to execute a corresponding action.
  - 17. The method according to any claim 12, wherein triggering the service application corresponding to the successfully matched service rule to execute an action corresponding to the successfully matched service rule comprises calling the service application to which the successfully matched service rule belongs to execute an action corresponding to the successfully matched service rule.
  - 18. The method according to any claim 12, wherein triggering the service application corresponding to the successfully matched service rule to execute an action corresponding to the successfully matched service rule comprises sending the rule hit message to the service application corresponding to the successfully matched service rule so that the service application executes an action corresponding to the successfully matched service rule according to the rule hit message.

19. A network device, comprising:
- a processor; and
  
  a memory, wherein the processor and the memory are connected through a bus, wherein the memory is configured to store an executable program code, wherein the processor is configured to read the executable program code stored in the memory to run the program corresponding to the executable program code so as to;
  
  perform a mixed orchestration on all service rules corresponding to multiple service applications to extract conditions of all the service rules, wherein each service rule comprises a condition and an action;
  
  use the extracted conditions to construct at least one condition set;
  
  generate mapping relationship data for recording a mapping relationship between each service rule and the condition in the condition set;
  
  perform, according to each constructed condition set, condition matching on packet feature information of a received network data packet;
  
  output a condition matching result set, wherein the condition matching result set is used to record the condition that is matched successfully;
  
  determine, according to the condition matching result set and the generated mapping relationship data, a service rule that is matched successfully;
  
  trigger the service application corresponding to the successfully matched service rule to execute an action corresponding to the successfully matched service rule.

20. A non-transitory computer readable medium including operations stored thereon that when processed by at least one processing unit cause a system to perform the acts of:
- performing a mixed orchestration on all service rules corresponding to multiple service applications to extract conditions of all the service rules, wherein each service rule comprises a condition and an action;
  
  using the extracted conditions to construct at least one condition set;
  
  generating mapping relationship data for recording a mapping relationship between each service rule and the condition in the condition set;
  
  performing, according to each constructed condition set, condition matching on packet feature information of a received network data packet;
  
  outputting the condition matching result set, wherein the condition matching result set is used to record a condition that is matched successfully;
  
  determining, according to the condition matching result set and the generated mapping relationship data, a service rule that is matched successfully; and
  
  triggering a service application corresponding to the successfully matched service rule to execute an action corresponding to the successfully matched service rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Liu, Hewei, Shi, Yunlong

Granted Patent

US 9,461,888 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/20   Network management software...

H04L 63/0263   Rule management

Policy Processing Method and Network Device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

156 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy Processing Method and Network Device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links