MULTI-TENANT ISOLATION IN A CLOUD ENVIRONMENT USING SOFTWARE DEFINED NETWORKING

US 20150139238A1
Filed: 11/18/2014
Published: 05/21/2015
Est. Priority Date: 11/18/2013
Status: Active Grant

First Claim

Patent Images

1. A method for processing packet traffic in a multi-tenant network, comprising:

receiving a packet;

responsive to determining that a tenant associated with the received packet cannot be determined, requesting tenant information from a first controller;

receiving the requested tenant information from the first controller;

responsive to determining that a forwarding rule associated with the received packet cannot be determined, requesting the forwarding rule from a second controller;

receiving the requested forwarding rule from the second controller; and

transmitting the packet in accordance with the received forwarding rule.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for ensuring multi-tenant isolation in a data center are provided. A switch, or virtualized switch, can be used to de-multiplex incoming traffic between a number of data centers tenants and to direct traffic to the appropriate virtual slice for an identified tenant. The switch can store tenant identifying information received from a master controller and packet forwarding rules received from at least one tenant controller. The packet handling rules are associated with a specific tenant and can be used to forward traffic to its destination.

237 Citations

27 Claims

1. A method for processing packet traffic in a multi-tenant network, comprising:
- receiving a packet;
  
  responsive to determining that a tenant associated with the received packet cannot be determined, requesting tenant information from a first controller;
  
  receiving the requested tenant information from the first controller;
  
  responsive to determining that a forwarding rule associated with the received packet cannot be determined, requesting the forwarding rule from a second controller;
  
  receiving the requested forwarding rule from the second controller; and
  
  transmitting the packet in accordance with the received forwarding rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the first controller is a master software defined networking (SDN) controller associated with a plurality of tenants in the multi-tenant network.
  - 3. The method of claim 1, wherein the second controller is a tenant software defined networking (SDN) controller associated with the tenant.
  - 4. The method of claim 1, wherein the tenant information is a tenant table identifier.
  - 5. The method of claim 1, further comprising, performing a first table lookup to select a tenant table identifier associated with the received packet from a master table.
  - 6. The method of claim 5, wherein the first table lookup is performed in accordance with an input port on which the packet was received.
  - 7. The method of claim 1, wherein requesting tenant information includes sending the received packet to the first controller.
  - 8. The method of claim 1, further comprising, storing the received tenant information in a master table.
  - 9. The method of claim 1, further comprising, performing a second table lookup to select the forwarding rule associated with the received packet from a tenant table associated with the tenant.
  - 10. The method of claim 9, wherein the second table lookup is performed in accordance with at least one header field of the received packet.
  - 11. The method of claim 10, wherein the at least one header field is selected from a group comprising:
    - a source IP address, a destination IP address, a source port, a destination port, and a protocol.
  - 12. The method of claim 1, wherein requesting the forwarding rule from a second controller includes sending the received packet to the second controller.
  - 13. The method of claim 1, further comprising, storing the received forwarding rule in a tenant table associated with the tenant.

14. A switch in a multi-tenant network comprising a processor and a memory, the memory containing instructions executable by the processor whereby the switch is operative to:
- receive a packet;
  
  responsive to determining that a tenant associated with the received packet cannot be determined, request tenant information from a first controller;
  
  receive the requested tenant information from the first controller;
  
  responsive to determining that a forwarding rule associated with the received packet cannot be determined, request the forwarding rule from a second controller;
  
  receive the requested forwarding rule from the second controller; and
  
  transmit the packet in accordance with the received forwarding rule.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The switch of claim 14, wherein the first controller is a master software defined networking (SDN) controller associated with a plurality of tenants in the multi-tenant network.
  - 16. The switch of claim 14, wherein the second controller is a tenant software defined networking (SDN) controller associated with the tenant.
  - 17. The switch of claim 14, wherein the tenant information is a tenant table identifier.
  - 18. The switch of claim 14, further operative to perform a first table lookup to select a tenant table identifier associated with the received packet from a master table.
  - 19. The switch of claim 18, wherein the first table lookup is performed in accordance with an input port on which the packet was received.
  - 20. The switch of claim 14, wherein requesting tenant information includes sending the received packet to the first controller.
  - 21. The switch of claim 14, further operative to store the received tenant information in a master table.
  - 22. The switch of claim 14, further operative to perform a second table lookup to select the forwarding rule associated with the received packet from a tenant table associated with the tenant.
  - 23. The switch of claim 22, wherein the second table lookup is performed in accordance with at least one header field of the received packet.
  - 24. The switch of claim 23, wherein the at least one header field is selected from a group comprising:
    - a source IP address, a destination IP address, a source port, a destination port, and a protocol.
  - 25. The switch of claim 14, wherein requesting the forwarding rule from a second controller includes sending the received packet to the second controller.
  - 26. The switch of claim 14, further operative to store the received forwarding rule in a tenant table associated with the tenant.

27. A switch comprising:
- a receiving module for receiving a packet;
  
  a tenant identification module for requesting tenant information from a first controller in response to determining that a tenant associated with the received packet cannot be determined, and for receiving the requested tenant information from the first controller;
  
  a rule identification module for requesting a forwarding rule from a second controller in response to determining that the forwarding rule associated with the received packet cannot be determined, and for receiving the requested forwarding rule from the second controller; and
  
  a transmitting module for transmitting the packet in accordance with the received forwarding rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
POURZANDI, Makan, Cheriet, Mohamed, Fekih Ahmed, Mohamed, Talhi, Chamseddine

Granted Patent

US 9,912,582 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/44505   Configuring for program ini...

G06F 9/45558   Hypervisor-specific managem...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 41/042   comprising distributed mana...

H04L 41/044   comprising hierarchical man...

H04L 41/40   using virtualisation of net...

H04L 41/5096   wherein the managed service...

H04L 45/42   Centralised routing

H04L 45/44   Distributed routing

H04L 45/64   using an overlay routing layer

H04L 45/74   Address processing for routing

H04L 47/12   Avoiding congestion; Recove...

H04L 61/2596   Translation of addresses of...

H04L 61/5038   for local use, e.g. in LAN ...

H04L 67/10   in which an application is ...

MULTI-TENANT ISOLATION IN A CLOUD ENVIRONMENT USING SOFTWARE DEFINED NETWORKING

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

237 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-TENANT ISOLATION IN A CLOUD ENVIRONMENT USING SOFTWARE DEFINED NETWORKING

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

237 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links