DATAPATH PROCESSING OF SERVICE RULES WITH QUALIFIERS DEFINED IN TERMS OF DYNAMIC GROUPS

US 20170180321A1
Filed: 12/18/2015
Published: 06/22/2017
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A method of performing a service on a data message having a set of attributes, the method comprising:

selecting a rule that includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier defined by reference to at least one group identifier;

determining that the data message'"'"'s attribute set matches the rule'"'"'s identifier, said determining comprising determining that at least one data message attribute is within a group storage structure identified by the group identifier; and

based on the service parameter, performing the service on the data message as the data message'"'"'s attribute set matches the rule'"'"'s identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.

25 Citations

View as Search Results

20 Claims

1. A method of performing a service on a data message having a set of attributes, the method comprising:
- selecting a rule that includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier defined by reference to at least one group identifier;
  
  determining that the data message'"'"'s attribute set matches the rule'"'"'s identifier, said determining comprising determining that at least one data message attribute is within a group storage structure identified by the group identifier; and
  
  based on the service parameter, performing the service on the data message as the data message'"'"'s attribute set matches the rule'"'"'s identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18, 19, 20)
- - 2. The method of claim 1, wherein determining that the data message'"'"'s attribute set matches the rule'"'"'s identifier further comprises:
    - retrieving a data tuple from the group storage structure; and
      
      matching the retrieved data tuple with a parameter of the rule identifier.
  - 3. The method of claim 1, wherein the group data structure is a first group data structure, wherein determining that the data message'"'"'s attribute set matches the rule'"'"'s identifier further comprises:
    - from the first group data structure, retrieving an identifier of a second group storage structure; and
      
      retrieving a data tuple from the second group storage structure; and
      
      matching the retrieved data tuple with a parameter of the rule identifier.
  - 4. The method of claim 1, wherein the attribute set is a header parameter set of the data message.
  - 5. The method of claim 4, wherein the header parameter set comprises layers 3 and 4 parameters.
  - 6. The method of claim 4, wherein the header parameter set comprises a layer 2 parameter.
  - 7. The method of claim 1, wherein the data message is from a data computer node executing on a host computer, wherein the attribute set comprises at least a first attribute associated with the data compute node on the host computer.
  - 8. The method of claim 7, wherein the first attribute comprises an identifier associated with a software port switch connected to the data compute node, or an identifier associated with a virtual network interface of the data compute node.
  - 9. The method of claim 1, wherein the group data structure stores attributes associated with a plurality of network elements in a network that are members of a group defined by the group data structure.
  - 10. The method of claim 9 further comprisingdynamically modifying the membership of the group by dynamically adding or removing attributes associated with the network elements as the network elements are added or removed from the network.
  - 11. The method of claim 9, wherein the network elements comprise data compute nodes executing on host computers.
  - 18. The non-transitory machine readable medium of claim 1, wherein the group data structure stores attributes associated with a plurality of network elements in a network that are members of a group defined by the group data structure.
  - 19. The non-transitory machine readable medium of claim 9, wherein the program further comprises a set of instructions for dynamically modifying the membership of the group by dynamically adding or removing attributes associated with the network elements as the network elements are added or removed from the network.
  - 20. The non-transitory machine readable medium of claim 19, wherein the network elements comprise data compute nodes executing on host computers.

12. A non-transitory machine readable medium storing a program for performing a service on a data message having a set of attributes, the program comprising sets of instructions for:
- selecting a rule that includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier defined by reference to at least one group identifier;
  
  determining whether the data message'"'"'s attribute set matches the rule'"'"'s identifier, said determining comprising determining whether at least one data message attribute is within a group identified by the group identifier; and
  
  when the data message'"'"'s attribute set matches the rule'"'"'s identifier, performing the service on the data message based on the service parameter.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The non-transitory machine readable medium of claim 12, wherein the rule is a first rule, and a rule data storage stores a plurality of rules according to a rule precedence priority, wherein the program further comprises sets of instructions for:
    - when the data message'"'"'s attribute set does not match the first rule'"'"'s identifier, selecting a second rule that is after the first rule in the rule precedence priority, the second rule including (1) a service parameter for performing the service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier of the second rule defined by reference to at least one group identifier;
      
      determining whether the data message'"'"'s attribute set matches the second rule'"'"'s identifier, said determining comprising determining whether at least one data message attribute is within a group identified by the second rule'"'"'s group identifier; and
      
      when the data message'"'"'s attribute set matches the second rule'"'"'s identifier, performing the service on the data message based on the second rule'"'"'s service parameter.
  - 14. The non-transitory machine readable medium of claim 12, wherein the set of instructions for determining that the data message'"'"'s attribute set matches the rule'"'"'s identifier further comprises sets of instructions for:
    - retrieving a data tuple from the group storage structure; and
      
      matching the retrieved data tuple with a parameter of the rule identifier.
  - 15. The non-transitory machine readable medium of claim 12, wherein the group data structure is a first group data structure, wherein the set of instructions for determining that the data message'"'"'s attribute set matches the rule'"'"'s identifier further comprises a set of instructions for:
    - retrieving, from the first group data structure, an identifier of a second group storage structure; and
      
      retrieving a data tuple from the second group storage structure; and
      
      matching the retrieved data tuple with a parameter of the rule identifier.
  - 16. The non-transitory machine readable medium of claim 12, wherein the data message is from a data computer node executing on a host computer, wherein the attribute set comprises at least a first attribute associated with the data compute node on the host computer.
  - 17. The non-transitory machine readable medium of claim 16, wherein the first attribute comprises an identifier associated with a software port switch connected to the data compute node, or an identifier associated with a virtual network interface of the data compute node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Nimmagadda, Srinivas, Jain, Jayant, Sengupta, Anirban, Manuguri, Subrahmanyam, Tiagi, Alok S.

Granted Patent

US 10,305,858 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

DATAPATH PROCESSING OF SERVICE RULES WITH QUALIFIERS DEFINED IN TERMS OF DYNAMIC GROUPS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DATAPATH PROCESSING OF SERVICE RULES WITH QUALIFIERS DEFINED IN TERMS OF DYNAMIC GROUPS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links