Method and apparatus for organizing, storing and evaluating access control lists
First Claim
Patent Images
1. In an intermediate network device having a plurality of ports for forwarding messages between one or more network entities across a computer network and a memory device, a method for optimizing one or more Access Control Lists (ACLs) comprising the steps of:
- retrieving a first ACL having a plurality of Access Control Entry (ACE) statements;
translating each ACE statement of the first ACL into a Binary Decision Diagram (BDD) format;
processing each of the BDD-formatted ACE statements so as to generate a single BDD corresponding to the first ACL; and
translating the single BDD-formatted ACL into a second boolean representation and storing the ACL corresponding to the second boolean representation at the memory device for subsequent evaluation by the intermediate device.
2 Assignments
0 Petitions
Accused Products
Abstract
The invention relates to a method and apparatus for efficiently organizing, storing and evaluating access control lists (ACLs) for use by an intermediate network device of a computer network. The intermediate network device includes an ACL converter which, in turn, includes a boolean transformation engine that is operatively coupled to a boolean manipulation engine. The boolean transformation engine is configured to access the ACLs in first format and to translate them into a first boolean representation, such as binary decision diagram (BDD) format. The boolean manipulation engine is configured to perform one or more operations on the ACLs specified for a given interface, including a merge operation, so as to generate a single, unified ACL for the given interface. In order to resolve possibly conflicting actions output by the multiple ACLs, the ACL converter may utilize one or more predefined conflict resolution tables during the merging process. The boolean transformation engine then translates the single, unified ACL into a second boolean representation, such as a sum of products (SOP) format, and stores the single, unified ACL in a preferred memory structure for subsequent evaluation by the intermediate device.
329 Citations
19 Claims
-
1. In an intermediate network device having a plurality of ports for forwarding messages between one or more network entities across a computer network and a memory device, a method for optimizing one or more Access Control Lists (ACLs) comprising the steps of:
-
retrieving a first ACL having a plurality of Access Control Entry (ACE) statements;
translating each ACE statement of the first ACL into a Binary Decision Diagram (BDD) format;
processing each of the BDD-formatted ACE statements so as to generate a single BDD corresponding to the first ACL; and
translating the single BDD-formatted ACL into a second boolean representation and storing the ACL corresponding to the second boolean representation at the memory device for subsequent evaluation by the intermediate device. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
extracting a selected BDD-formatted ACE statement from the ACL; and
applying an If-Then-Else (ITE) operator to the extracted ACE statement and a function representing the first ACL.
-
-
3. The method of claim 2 wherein the function representing the first ACL is optimized with dynamic re-ordering.
-
4. The method of claim 3 wherein the memory device is a content addressable memory (CAM).
-
5. The method of claim 4 wherein the second boolean representation is a Sum of Products (SOP) representation.
-
6. The method of claim 5 wherein a plurality of ACLs are assigned to a given interface of the intermediate device and the intermediate device includes at least one conflict resolution table for resolving conflicts among actions specified by the plurality of ACLs, the method further comprises the step of merging each ACL assigned to the given interface, utilizing the least one conflict resolution table, into a single, unified ACL that represents all of the ACLs assigned to the given interface.
-
7. The method of claim 6 further comprising step of storing the single, unified ACL at a portion of the CAM that corresponds to the given interface.
-
8. The method of claim 7 wherein
the ACLs are used to evaluate network messages received by the intermediate network device, and the ACEs specify one or more of Internet Protocol (IP) source address, IP destination address, Transmission Control Protocol/User Datagram Protocol (TCP/UDP) source port and TCP/UDP destination port. -
9. The method of claim 1 wherein the second boolean representation is a Sum of Products (SOP) representation.
-
10. The method of claim 1 wherein a plurality of ACLs are assigned to a given interface of the intermediate device and the intermediate device includes at least one conflict resolution table for resolving conflicts among actions specified by the plurality of ACLs, the method further comprises the step of merging each ACL assigned to the given interface, utilizing the at least one conflict resolution table, into a single, unified ACL that resents all of the ACLs assigned to the given interface.
-
11. The method of claim 1 wherein
the ACLs are used to search against network messages, and the ACEs specify one or more of Internet Protocol (IP) source address, IP destination address, Transmission Control Protocol/User Datagram Protocol (TCP/UDP) source port and TCP/UDP destination port.
-
12. An Access Control List (ACL) converter for use at an intermediate network device having a plurality of interfaces for forwarding messages between one or more network entities across a computer network and a memory device storing one or more ACLs in a first format, each of the one or more ACLs having a plurality of Access Control Entry (ACE) statements, wherein a plurality of ACLs are assigned to a given interface, the ACL converter comprising:
-
a boolean transformation engine configured to retrieve the one or more ACL in the first format, and to translate the ACE statements of the one or more ACL into a Binary Decision Diagram (BDD) format; and
a boolean manipulation engine cooperatively coupled to the boolean transformation engine and configured to process each of the BDD-formatted ACE statements so as to generate a single BDD corresponding to the first ACL, wherein the boolean manipulation engine is further configured to merge each ACL assigned to the given interface into a single, unified ACL that represents all of the ACLs assigned to the given interface. - View Dependent Claims (13, 14)
the boolean manipulation engine is further configured to utilize the least one conflict resolution table when merging each ACL assigned to the given interface, into the single, unified ACL. -
14. The intermediate network device of claim 13 wherein the memory device is a content address memory (CAM) having a plurality of portions each of which is associated with an interface of the network device, wherein
the boolean translation engine is further configured to convert the single, unified ACL for the given interface into a second boolean representation and to store the single, unified ACL in the second boolean representation format at the portion of the CAM that is associated with the given interface.
-
-
15. A computer readable medium containing executable program instructions for optimizing one or more Access Control Lists (ACLs) comprising the steps of:
-
retrieving a first ACL having a plurality of Access Control Entry (ACE) statements;
translating each ACE statement of the first ACL into a Binary Decision Diagram (BDD) format;
processing each of the BDD-formatted ACE statements so as to generate a single BDD corresponding to the first ACL; and
translating the single BDD-formatted ACL into a second boolean representation; and
storing the ACL corresponding to the second boolean representation at the memory device for subsequent evaluation by the intermediate device. - View Dependent Claims (16, 17, 18, 19)
extracting a selected BDD-formatted ACE statement from the ACL; and
applying an If-Then-Else (ITE) operator to the extracted ACE statement and a function representing the first ACL.
-
-
17. The computer readable medium of claim 16 wherein the function representing the first ACL is optimized with dynamic re-ordering.
-
18. The computer readable medium of claim 15 wherein the second boolean representation is a Sum of Products (SOP) representation.
-
19. The computer readable medium of claim 15 wherein
the ACLs are used to evaluate network messages received by the intermediate network device, and the ACEs specify one or more of Internet Protocol (IP) source address, IP destination address, Transmission Control Protocol/User Datagram Protocol (TCP/UDP) source port and TCP/UDP destination port.
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
Original AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
InventorsKanekar, Bhushan M., McCloghrie, Keith, Gai, Silvano
-
Primary Examiner(s)Sheikh, Ayaz
-
Assistant Examiner(s)Tran, Philip B.
-
Application NumberUS09/295,187Time in Patent Office1,673 DaysField of Search709/223, 709/225, 709/226, 709/238, 709/242, 709/246US Class Current709/223CPC Class CodesH04L 63/0263 Rule managementH04L 63/101 Access control lists [ACL]
