DATAPATH PROCESSING OF SERVICE RULES WITH QUALIFIERS DEFINED IN TERMS OF TEMPLATE IDENTIFIERS AND/OR TEMPLATE MATCHING CRITERIA

US 20170180319A1
Filed: 12/18/2015
Published: 06/22/2017
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A method of performing a service on a data message having a set of attributes, the method comprising:

selecting a service rule associated with a template for deploying multi-tier applications in a network, said service rule comprising a service parameter for performing a service on data messages;

determining that the selected service rule is applicable to the data message, said determining comprising determining that at least a first attribute of the data message is associated with a network element that was deployed by using the template; and

in response to the determination, performing the service on the data message based on the service parameter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.

24 Citations

View as Search Results

19 Claims

1. A method of performing a service on a data message having a set of attributes, the method comprising:
- selecting a service rule associated with a template for deploying multi-tier applications in a network, said service rule comprising a service parameter for performing a service on data messages;
  
  determining that the selected service rule is applicable to the data message, said determining comprising determining that at least a first attribute of the data message is associated with a network element that was deployed by using the template; and
  
  in response to the determination, performing the service on the data message based on the service parameter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, whereinthe first attribute is a first template identifier;
    - the service rule further comprises a rule identifier for matching to data message attribute set, the rule identifier defined by reference to a second template identifier that identifies the template; and
      
      determining that the first attribute is associated with the network element comprises determining that the first and second template identifiers match.
  - 3. The method of claim 2, wherein determining that that the first attribute is associated with the network element further comprises using a second attribute of the data message to retrieve the first attribute of the data message from a storage structure.
  - 4. The method of claim 3, wherein using the second attribute comprises:
    - using the second attribute of the data message to retrieve an identifier of the storage structure; and
      
      using the retrieved identifier to identify the storage structure to retrieve the first attribute.
  - 5. The method of claim 4, whereinthe storage structure is a first storage structure;
    - the rule identifier is further defined by reference to a group identifier that identifies a second storage structure that stores identifiers for a group of network elements,using the second attribute to retrieve the first storage structure identifier comprisesmining that the second attribute is one of the identifiers stored within the second storage structure; and
      
      retrieving the first storage structure identifier from the second storage structure.
  - 6. The method of claim 5 further comprising dynamically adding or removing identifiers to the second storage structure to account for network elements that are dynamically added or removed from the group.
  - 7. The method of claim 6, wherein the network elements comprise data compute nodes executing on host computers.
  - 8. The method of claim 5, wherein the second attribute is an IP (Internet Protocol) address or a MAC (Media Access Control) address.
  - 9. The method of claim 4, whereinthe storage structure identifies a group of data compute nodes;
    - the rule identifier is further defined by reference to a group identifier that identifies the storage structure,using the second attribute to retrieve the storage structure identifier comprises determining that the second attribute is within the storage structure.
  - 10. The method of claim 1, wherein the service rule is for use in processing data messages that are associated with a plurality of different instances of the template that are associated with a plurality of different deployments of the multi-tier application.

11. A non-transitory machine readable medium storing a program for performing a service on a data message having a set of attributes, the program comprising sets of instructions for:
- selecting a service rule including (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier defined by reference to at least one template identifier that specifies a template for deploying multi-tier applications in a datacenter;
  
  determining whether the data message'"'"'s attribute set matches the rule'"'"'s identifier, said determining comprising determining whether the data message is associated with a network node that was deployed by using the template specified by the template identifier;
  
  when the data message'"'"'s attribute set matches the rule'"'"'s identifier, performing the service on the data message based on the service parameter.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The non-transitory machine readable medium of claim 11, wherein the rule is a first rule, and a rule data storage stores a plurality of rules according to a rule precedence priority, wherein the program further comprises sets of instructions for:
    - when the data message'"'"'s attribute set does not match the first rule'"'"'s identifier, selecting a second rule that is after the first rule in the rule precedence priority, the second rule including (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier of the second rule defined by reference to at least template identifier;
      
      determining whether the data message'"'"'s attribute set matches the second rule'"'"'s identifier, said determining comprising determining whether determining whether the data message is associated with a network node that was deployed by using the template specified by the template identifier; and
      
      when the data message'"'"'s attribute set matches the second rule'"'"'s identifier, performing the second rule'"'"'s service on the data message based on the second rule'"'"'s service parameter.
  - 13. The non-transitory machine readable medium of claim 11, wherein the rule identifier is defined by reference to a plurality of template identifiers.
  - 14. The non-transitory machine readable medium of claim 11, wherein the attribute set is a header parameter set of the data message.
  - 15. The non-transitory machine readable medium of claim 14, wherein the header parameter set comprises layers 3 and 4 parameters.
  - 16. The non-transitory machine readable medium of claim 14, wherein the header parameter set comprises a layer 2 parameter.
  - 17. The non-transitory machine readable medium of claim 11, wherein the network node is a data compute node executing on a host computer, wherein the attribute set comprises at least one particular attribute associated with the data compute node on the host computer.
  - 18. The non-transitory machine readable medium of claim 17, wherein the particular attribute comprises an identifier associated with a software port switch connected to the data compute node, or an identifier associated with a virtual network interface of the data compute node.
  - 19. The non-transitory machine readable medium of claim 11, wherein the set of instructions for determining whether the data message'"'"'s attribute set matches the rule'"'"'s identifier further comprises a set of instructions for determining whether the data message'"'"'s source and destination are from a same instance of the template.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Manuguri, Subrahmanyam, Tiagi, Alok S., Nimmagadda, Srinivas, Jain, Jayant, Sengupta, Anirban

Granted Patent

US 10,341,297 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0843   based on generic templates

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 67/1031   Controlling of the operatio...

DATAPATH PROCESSING OF SERVICE RULES WITH QUALIFIERS DEFINED IN TERMS OF TEMPLATE IDENTIFIERS AND/OR TEMPLATE MATCHING CRITERIA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

DATAPATH PROCESSING OF SERVICE RULES WITH QUALIFIERS DEFINED IN TERMS OF TEMPLATE IDENTIFIERS AND/OR TEMPLATE MATCHING CRITERIA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others