Recognizing and processing conflicts in network management policies

US 6,327,618 B1
Filed: 12/03/1998
Issued: 12/04/2001
Est. Priority Date: 12/03/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of recognizing and resolving a conflict among at least a first policy and a second policy that govern a policy-based system, comprising the computer-implemented steps of:

receiving the first policy and the second policy, wherein the first policy and the second policy are defined according to a formal policy definition;

verifying that the first policy and the second policy each conform to the formal policy definition by performing the steps of;

verifying that the first policy and the second policy each contain exactly one condition; and

verifying that each condition expresses one or more Boolean relations among one or more condition categories and one or more condition elements;

testing whether the first policy and the second policy conflict, according to a set of conflict tests; and

when the first policy and the second policy conflict, resolving the conflict among the policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are provided for recognizing and processing conflicts in policies that govern a policy-based system. The method and apparatus may be implemented as a policy verifier that acts upon one or more policies. Each policy is formally defined and comprises a condition and a consequent, each of which are further formally defined in terms of component elements. A conflict among two or more policies is formally defined to occur when the condition of a first policy and the condition of a second policy may be simultaneously true, and when the consequent of the first policy and the consequent of the second policy may not be carried out simultaneously. When a policy conflict is detected, the conflict is resolved by bringing it to the attention of a user or external system, and receiving information that corrects one of the policies or specifies a precedence relationship among the policies.

205 Citations

39 Claims

1. A method of recognizing and resolving a conflict among at least a first policy and a second policy that govern a policy-based system, comprising the computer-implemented steps of:
- receiving the first policy and the second policy, wherein the first policy and the second policy are defined according to a formal policy definition;
  
  verifying that the first policy and the second policy each conform to the formal policy definition by performing the steps of;
  
  verifying that the first policy and the second policy each contain exactly one condition; and
  
  verifying that each condition expresses one or more Boolean relations among one or more condition categories and one or more condition elements;
  
  testing whether the first policy and the second policy conflict, according to a set of conflict tests; and
  
  when the first policy and the second policy conflict, resolving the conflict among the policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method recited in claim 1, wherein each policy comprises at least one consequent for each condition.
  - 3. The method recited in claim 2, wherein the at least one consequent indicates one of the following:
    - to allow information to pass through the policy-based system;
      
      to deny information from passing through the policy-based system;
      
      to mark information passing through the policy-based system;
      
      or to initiate a service.
  - 4. The method recited in claim 2, wherein the at least one consequent identifies a state that is to be established when the condition is satisfied.
  - 5. The method recited in claim 2, wherein the at least one consequent identifies an action that is to be taken or attempted when the condition is satisfied.
  - 6. The method recited in claim 1, wherein at least one condition element identifies a service type, a user type, or a time.
  - 7. The method recited in claim 1, wherein at least one condition element identifies a source address, a destination address or a port.
  - 8. The method recited in claim 1, wherein the step of testing comprises the steps of:
9. The method recited in claim 1, wherein the step of resolving comprises the steps of:
- displaying information that describes the conflict; and
  
  receiving modification information that modifies the first policy or the second policy so as to eliminate the conflict.
10. The method recited in claim 1, wherein the step of resolving comprises the steps of:
- displaying information that describes the conflict; and
  
  receiving precedence information that identifies whether the first policy or the second policy shall take precedence over the other.
11. The method recited in claim 1, further comprising the steps of:
- when either the first policy or the second policy is not defined according to the formal policy definition, generating an error.

12. In a network management system, a method of recognizing and resolving a conflict among at least a first network management policy and a second network management policy that govern operation of a network, comprising the computer-implemented steps of:
- receiving the first network management policy and the second network management policy, wherein the first network management policy and the second network management policy are defined according to a formal policy definition;
  
  verifying that the first network management policy and the second network management policy each conform to the formal policy definition by performing the steps of;
  
  verifying that the first network management policy and the second network management policy each contain exactly one condition; and
  
  verifying that each condition expresses one or more Boolean relations among one or more condition categories and one or more condition elements;
  
  testing whether the first network management policy and the second network management policy conflict, according to a set of conflict tests; and
  
  when the first network management policy and the second network management policy conflict, resolving the conflict among the network management policies.
- View Dependent Claims (13, 14, 15)
- - 13. The method recited in claim 12, wherein each network management policy comprises at least one consequent for each condition, and wherein the at least one consequent indicates one of the following:
    - to allow information to pass through the network;
      
      to deny information from passing through the network;
      
      to mark information passing through the network;
      
      or to initiate a network service.
  - 14. The method recited in claim 12, wherein the step of testing comprises the steps of:
15. The method recited in claim 12, wherein the step of resolving comprises the steps of:
- displaying information that describes the conflict; and
  
  receiving modification information that modifies the first network management policy or the second network management policy so as to eliminate the conflict, or receiving precedence information that identifies whether the first network management policy or the second network management policy shall take precedence over the other.

16. A computer-readable medium carrying one or more sequences of instructions for recognizing and resolving a conflict among at least a first policy and a second policy that govern a policy-based system, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving the first policy and the second policy, wherein the first policy and the second policy are defined according to a formal policy definition;
  
  verifying that the first policy and the second policy each conform to the formal policy definition by performing the steps of;
  
  verifying that the first policy and the second policy each contain exactly one condition; and
  
  verifying that each condition expresses one or more Boolean relations among one or more condition categories and one or more condition elements;
  
  testing whether the first policy and the second policy conflict, according to a set of conflict tests; and
  
  when the first policy and the second policy conflict, resolving the conflict among the policies.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The computer-readable medium recited in claim 16, wherein each policy comprises at least one consequent for each condition.
  - 18. The computer-readable medium recited in claim 17, wherein the at least one consequent indicates one of the following:
    - to allow information to pass through the policy-based system;
      
      to deny information from passing through the policy-based system;
      
      to mark information passing through the policy-based system;
      
      or to initiate a service.
  - 19. The computer-readable medium recited in claim 17, wherein the at least one consequent identifies a state that is to be established when the condition is satisfied.
  - 20. The computer-readable medium recited in claim 17, wherein the at least one consequent identifies an action that is to be taken or attempted when the condition is satisfied.
  - 21. The computer-readable medium recited in claim 16, wherein the step of testing comprises instructions which, when executed by one or more processors, cause the one or more processors to carry out the steps of:
22. The computer-readable medium recited in claim 16, wherein the step of resolving comprises instructions which, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- displaying information that describes the conflict; and
  
  receiving modification information that modifies the first policy or the second policy so as to eliminate the conflict.
23. The computer-readable medium recited in claim 16, wherein the step of resolving comprises instructions which, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- displaying information that describes the conflict; and
  
  receiving precedence information that identifies whether the first policy or the second policy shall take precedence over the other.

24. An apparatus for recognizing and resolving a conflict among at least a first policy and a second policy that govern a policy-based system, comprising:
- means for receiving the first policy and the second policy, wherein the first policy and the second policy are defined according to a formal policy definition;
  
  means for verifying that the first policy and the second policy each conform to the formal policy definition, wherein the means for verifying comprise;
  
  means for verifying that the first policy and the second policy each contain exactly one condition; and
  
  means for verifying that each condition expresses one or more Boolean relations among one or more condition categories and one or more condition elements;
  
  means for testing whether the first policy and the second policy conflict, according to a set of conflict tests; and
  
  means for resolving the conflict among the policies, when the first policy and the second policy conflict.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The apparatus recited in claim 24, wherein each policy comprises at least one consequent for each condition.
  - 26. The apparatus recited in claim 25, wherein the at least one consequent indicates one of the following:
    - to allow information to pass through the policy-based system;
      
      to deny information from passing through the policy-based system;
      
      to mark information passing through the policy-based system;
      
      or to initiate a service.
  - 27. The apparatus recited in claim 25, wherein the at least one consequent identifies a state that is to be established when the condition is satisfied.
  - 28. The apparatus recited in claim 25, wherein the at least one consequent identifies an action that is to be taken or attempted when the condition is satisfied.
  - 29. The apparatus recited in claim 24, wherein the means for testing comprises:
30. The apparatus recited in claim 24, wherein the means for resolving comprises:
- means for displaying information that describes the conflict; and
  
  means for receiving modification information that modifies the first policy or the second policy so as to eliminate the conflict.
31. The apparatus recited in claim 24, wherein the means for resolving comprises:
- means for displaying information that describes the conflict; and
  
  means for receiving precedence information that identifies whether the first policy or the second policy shall take precedence over the other.

32. An apparatus for recognizing and resolving a conflict in a network management system among at least a first network management policy and a second network management policy that govern operation of a network, comprising the computer-implemented steps of:
- means for receiving the first network management policy and the second network management policy, wherein the first network management policy and the second network management policy are defined according to a formal policy definition;
  
  means for verifying that the first network management policy and the second network management policy each conform to the formal policy definition, wherein the means for verifying comprises;
  
  means for verifying that the first network management policy and the second network management policy each contain exactly one condition; and
  
  means for verifying that each condition expresses one or more Boolean relations among one or more condition categories and one or more condition elements;
  
  means for testing whether the first network management policy and the second network management policy conflict, according to a set of conflict tests; and
  
  means for resolving the conflict among the network management policies, when the first network management policy and the second network management policy conflict.
- View Dependent Claims (33, 34, 35)
- - 33. The apparatus recited in claim 32, wherein each network management policy comprises at least one consequent for each condition, and wherein the at least one consequent indicates one of the following:
    - to allow information to pass through the network;
      
      to deny information from passing through the network;
      
      to mark information passing through the network;
      
      or to initiate a network service.
  - 34. The apparatus recited in claim 32, wherein the means for testing comprises:
35. The apparatus recited in claim 32, wherein the means for resolving comprises:
- means for displaying information that describes the conflict; and
  
  means for receiving modification information that modifies the first network management policy or the second network management policy so as to eliminate the conflict, or receiving precedence information that identifies whether the first network management policy or the second network management policy shall take precedence over the other.

36. An apparatus for recognizing and resolving a conflict in a network management system among at least a first network management policy and a second network management policy that govern operation of a network, comprising the computer-implemented steps of:
- a network interface;
  
  a processor coupled to the network interface and receiving information from the network interface;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving the first network management policy and the second network management policy, wherein the first network management policy and the second network management policy are defined according to a formal policy definition;
  
  verifying that the first network management policy and the second network management policy each conform to the formal policy definition by performing the steps of;
  
  verifying that the first network management policy and the second network management policy each contain exactly one condition; and
  
  verifying that each condition expresses one or more Boolean relations among one or more condition categories and one or more condition elements;
  
  testing whether the first network management policy and the second network management policy conflict, according to a set of conflict tests; and
  
  when the first network management policy and the second network management policy conflict, resolving the conflict among the network management policies.
- View Dependent Claims (37, 38, 39)
- - 37. The apparatus recited in claim 36, wherein each network management policy comprises at least one consequent for each condition, and wherein the consequent indicates one of the following:
    - to allow information to pass through the network;
      
      to deny information from passing through the network;
      
      to mark information passing through the network;
      
      or to initiate a network service.
  - 38. The apparatus recited in claim 36, wherein the instructions for testing further comprise instructions which, when executed by the processor, cause the processor to carry out the steps of:
39. The apparatus recited in claim 36, wherein the instructions for resolving further comprise instructions which, when executed by the processor, cause the processor to carry out the steps of:
- displaying information that describes the conflict; and
  
  receiving modification information that modifies the first network management policy or the second network management policy so as to eliminate the conflict, or receiving precedence information that identifies whether the first network management policy or the second network management policy shall take precedence over the other.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Schleimer, Stephen I., Ahlstrom, John K.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
JEAN, FRANTZ B

Application Number

US09/205,831
Time in Patent Office

1,097 Days
Field of Search

395/712, 370/254, 707/5, 709/221, 709/222, 709/223
US Class Current

709/223
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

Y10S 707/99935   Query augmenting and refini...

Recognizing and processing conflicts in network management policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

205 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Recognizing and processing conflicts in network management policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

205 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links