SYSTEM AND METHOD FOR DISTRIBUTION OF POLICY ENFORCEMENT POINT
Abstract
The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.
20 Claims

1. A computer-implemented method for distributed policy enforcement in a network, comprising:
receiving, at an edge device, an initial packet for a traffic flow going out of the network;
determining that the initial packet triggers an edge policy maintained at the edge device;
performing a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node;
translating the policy based on the traffic parameters at the identified intermediate node; and
forwarding the translated policy to the identified intermediate node, thereby facilitating the identified intermediate node in applying the policy to the traffic flow.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for distributed policy enforcement in a network, the method comprising:
receiving, at an edge device, an initial packet for a traffic flow going out of the network;
determining that the initial packet triggers an edge policy maintained at the edge device;
performing a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node;
translating the policy based on the traffic parameters at the identified intermediate node; and
forwarding the translated policy to the identified intermediate node, thereby facilitating the identified intermediate node in applying the policy to the traffic flow.
Dependent claims: 11, 12, 13, 14, 15, 16, 18.

17. The storage medium of claim 17, wherein the method further comprises:
identifying changes to traffic parameters associated with the incoming packet before the incoming packet reaches the next-hop node; and
translating the second edge policy based on the identified changes.

19. An edge device for distributed policy enforcement in a network, comprising:
a receiving mechanism configured to receive an initial packet for a traffic flow going out of the network;
a determination mechanism configured to determine that the initial packet triggers an edge policy maintained at the edge device;
a lookup mechanism configured to perform a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node;
a policy translator configured to translate the policy based on the traffic parameters at the identified intermediate node; and
a policy-forwarding mechanism configured to forward the translated policy to the identified intermediate node, thereby facilitating the identified intermediate node in applying the policy to the traffic flow.
Dependent claim: 20.
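The claimed sequence (edge policy trigger, reverse lookup of the intermediate node and the flow's parameters there, policy translation, forwarding of the translated policy upstream) as an added Python illustration; it is not code from the patent. It assumes the intermediate node is a hypothetical address-translating gateway that records each flow's pre-rewrite parameters, and that the edge device knows the ordered path the initial packet traversed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Flow = namedtuple("Flow", "src sport dst dport")  # traffic parameters of a flow

@dataclass
class Node:
    """Hypothetical intermediate node (address-translating gateway) that records,
    per flow it rewrote, the parameters the packet had when it arrived."""
    name: str
    pre_rewrite: dict = field(default_factory=dict)  # Flow after -> Flow before
    policies: list = field(default_factory=list)     # policies pushed down by the edge
    def rewrite_source(self, flow, public_src, public_port):
        out = Flow(public_src, public_port, flow.dst, flow.dport)
        self.pre_rewrite[out] = flow
        return out
    def action_for(self, flow):  # action on a packet as this node sees it
        return next((p["action"] for p in self.policies if p["match"] == flow), "forward")

@dataclass
class EdgeDevice:
    policies: list = field(default_factory=list)  # each {"match": Flow, "action": str}

    def reverse_lookup(self, flow, path):
        """Nearest upstream node that rewrote this flow, plus the flow as it saw it."""
        for node in reversed(path):
            if flow in node.pre_rewrite:
                return node, node.pre_rewrite[flow]
        return None, None
    def handle_initial_packet(self, flow, path):
        """Returns (enforcement point, action) for the flow's initial packet."""
        for policy in self.policies:
            if policy["match"] != flow:
                continue
            node, params = self.reverse_lookup(flow, path)
            if node is None:
                return "edge", policy["action"]  # no upstream node to push to
            # Translate the policy into the parameters the node sees, then forward it.
            node.policies.append({"match": params, "action": policy["action"]})
            return node.name, policy["action"]
        return "edge", "forward"

def demo():
    # Constructed scenario: private host -> NAT gateway -> edge device.
    gw = Node("nat-gw")
    edge = EdgeDevice([{"match": Flow("203.0.113.5", 40001, "198.51.100.10", 443), "action": "drop"}])
    private = Flow("10.0.0.7", 51515, "198.51.100.10", 443)
    public = gw.rewrite_source(private, "203.0.113.5", 40001)
    where, action = edge.handle_initial_packet(public, [gw])
    return where, action, gw.action_for(private)
```

After the initial packet, the gateway drops the rest of the flow in its own (pre-NAT) terms, so later packets never reach the edge.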