Session cache and rule caching method for a dynamic filter
Abstract
A cache for use with a network filter that receives, stores and ejects local rule bases dynamically. The cache stores a rule that was derived from a rule base in the filter. The cache rule is associated in the cache with a rule base indicator indicating from which rule base the cache rule was derived, and a rule base version number indicating the version of the rule base from which the cache rule was derived. When the filter receives a packet, the cache is searched for a rule applicable to the received packet. If no such rule is found, the filter rule base is searched, and an applicable rule is carried out and copied to the cache along with a rule base indicator and version number. If a cache rule is found, it is implemented if its version number matches the version number of the rule base from which it was derived. Otherwise, the cache rule is deleted. The cache provides an efficient way of accurately implementing the rules of a dynamic rule base without having to search the entire rule base for each packet.
6 Claims
1. A method for providing peer-level access control on a network that carries packets of information having packet identification data, said method using a dynamic filter having a cache that stores a cache entry having a cache key, a cache version number, a cache action and a rule base indicator, the cache entry derived from at least one rule having a rule key and rule action in at least one rule base, said method comprising:
a. receiving a packet;
b. searching the cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet;
c. if a corresponding cache entry is identified and if the rule base indicator of the cache entry indicates that the cache entry was derived from a rule base having associated therewith a rule base version number:
i. determining if the cache entry version number corresponds to the version number of the rule base from which the cache entry was derived;
ii. if the cache entry version number does not correspond to the version number of the rule base from which the cache entry was derived, searching at least one rule base of the filter to identify a corresponding rule that corresponds to the identification data of the received packet;
iii. if a corresponding rule is identified, carrying out the action of the corresponding rule; and
iv. storing a cache entry derived from the corresponding rule, the cache entry comprising the identification data of the received packet, the action prescribed by the corresponding rule and carried out on said packet in step iii, and a rule base indicator that indicates the rule base of the corresponding rule from which the cache entry was derived.

2. (dependent on claim 1)
v. if a rule base version number is associated with the rule base of the corresponding rule, storing the rule base version number as the cache entry version number of the cache entry of step iv.

3. A method for providing peer-level access control on a network that carries packets of information having packet identification data, said method using a dynamic filter having a cache that stores a cache entry having a cache key, a cache version number, a cache action and a rule base indicator, the cache entry derived from at least one rule having a rule key and rule action in at least one rule base, said method comprising:
a. receiving a packet;
b. searching the cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet;
c. if a corresponding cache entry is identified and if the rule base indicator of the cache entry indicates that the cache entry was derived from a rule base having associated therewith a rule base version number:
i. determining if the cache entry version number corresponds to the version number of the rule base from which the cache entry was derived;
wherein, if a corresponding cache entry is identified and if the rule base indicator indicates that the cache entry was derived from a rule of a global rule base, further comprising the steps of:
A. determining if the cache entry version number corresponds to the global rule base version number of the global rule base of the rule from which the cache entry was derived;
B. deleting all cache entries from the cache if the cache entry version number does not correspond to the global rule base version number.

4. (dependent on claim 3)
iii. carrying out the cache action of the cache entry if the cache entry version number corresponds to the global rule base version number.

5. A cache for a dynamic filter, the dynamic filter including a rule in a rule base, said cache having a cache entry, said cache comprising:
a. means for receiving a packet having identification data;
b. means for searching said cache to identify a cache entry that corresponds to the identification data of the received packet;
c. means for carrying out a first action on the received packet as prescribed by a corresponding cache entry of step b whose version number corresponds to the version number of the rule base from which the cache entry was derived;
d. means for carrying out a second action on the received packet as prescribed by a rule that corresponds to the identification data of the received packet if there is no corresponding cache entry or if the version number of the cache entry does not correspond to the version number of the rule base from which the rule was derived;
e. means for storing a cache entry, the cache entry comprising the identification data of the received packet, the action carried out on said packet in step d, and a rule base indicator that indicates from which rule base the cache entry was derived; and
f. means for storing a rule base version number as the cache entry version number of the cache entry of step e, if a rule base version number is associated with the rule base of the rule from which the cache entry was derived.
6. A computer readable medium having a computer program encoded thereon, comprising:
a. a first portion of said medium having a first program segment for receiving a packet having identification data over a computer network;
b. a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet;
c. a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived;
d. a fourth portion of said medium having a fourth program segment for carrying out the action of a corresponding cache entry whose cache key corresponds to the identification data of the received packet and whose cache entry version number corresponds to the version number of the rule base from which the cache entry was derived;
e. a fifth portion of said medium having a fifth program segment for searching a filter rule base to identify a rule having a rule key that corresponds to the identification data of the received packet if no corresponding cache entry was identified, or if the cache entry version number of a corresponding cache entry does not correspond to the version number of the rule base from which the cache entry was derived;
f. a sixth portion of said medium having a sixth program segment for carrying out the action of a corresponding rule identified by said fifth segment of said medium;
g. a seventh portion of said medium having a seventh program segment for storing a cache entry comprising the identification data of the received packet, the action prescribed by a corresponding rule and carried out by said sixth portion of said medium, and a rule base indicator indicating the rule base of the corresponding rule from which the cache entry was derived; and
h. an eighth portion of said medium having an eighth program segment for deleting a cache entry from the cache when the cache entry version number does not correspond to the version number of the rule base from which the cache entry was derived.
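The versioned session cache of the abstract and of claims 1 and 3, written out as an added Python example (not the patent's own code): a cache hit is honoured only while its stored version matches the rule base it came from, a stale local-base entry is dropped by itself, and a stale global-base entry flushes the whole cache. The rule base names, the `*` wildcard in rule keys, the `rule_searches` counter and the default-deny result for a packet that no rule matches are my assumptions.

```python
from dataclasses import dataclass

GLOBAL = "global"   # rule base indicator reserved for the global rule base
ANY = "*"           # wildcard field in a rule key (assumption, not from the patent)

@dataclass
class RuleBase:
    name: str                 # rule base indicator stored with each cache entry
    version: int              # bumped whenever the rule base is modified
    rules: list               # ordered (rule_key, action) pairs; first match wins

@dataclass
class CacheEntry:
    action: str
    rule_base: str            # indicator of the rule base the entry came from
    version: int              # that rule base's version when the entry was stored

def rule_matches(rule_key, pkt_key):
    return all(r == ANY or r == p for r, p in zip(rule_key, pkt_key))

class DynamicFilter:
    def __init__(self, rule_bases):
        self.rule_bases = {rb.name: rb for rb in rule_bases}  # global plus locals
        self.cache = {}           # packet identification tuple -> CacheEntry
        self.rule_searches = 0    # full rule-base searches, to show cache effect

    def filter(self, pkt_key):
        entry = self.cache.get(pkt_key)
        if entry is not None:
            rb = self.rule_bases.get(entry.rule_base)   # None if rule base ejected
            if rb is not None and rb.version == entry.version:
                return entry.action               # fresh entry: apply cached action
            if entry.rule_base == GLOBAL:
                self.cache.clear()                # stale global entry: flush cache
            else:
                del self.cache[pkt_key]           # stale local entry: drop it only
        return self.search_rule_bases(pkt_key)

    def search_rule_bases(self, pkt_key):
        self.rule_searches += 1
        for rb in self.rule_bases.values():
            for rule_key, action in rb.rules:
                if rule_matches(rule_key, pkt_key):
                    self.cache[pkt_key] = CacheEntry(action, rb.name, rb.version)
                    return action
        return "drop"      # no rule: default deny and nothing to cache (assumption)
```

Bumping a rule base's `version` when its rules change is what keeps cached decisions from outliving the rule they came from; ejecting a local rule base has the same effect because its entries can no longer find a matching version.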