Method and apparatus for providing policy-based services for internal applications

US 6,674,743 B1
Filed: 12/30/1999
Issued: 01/06/2004
Est. Priority Date: 12/30/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a packet-forwarding device running an internal application and having a first interface and a second interface, a method for providing policy-based services, said method comprising the steps of:

said internal application generating internally-generated packets;

applying a first policy to said internally-generated packets;

forwarding said internally-generated packets to said first interface;

receiving second incoming packets at said second interface, said second incoming packets having destination addresses;

classifying said second incoming packets as internally-destined packets if said destination addresses of said second incoming packets are in a first set of one or more addresses and classifying said second incoming packets as second external packets if said destination addresses of said second incoming packets are in a second set of one or more addresses; and

forwarding said second external packets to said first interface without applying said first policy to said second external packets.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet-forwarding device for providing policy-based services has at least a first interface, a second interface, and a packet forwarder for forwarding external packets between the first and second interfaces. The packet-forwarding device also runs internal applications that may be remotely accessed. The first and second interfaces transmit and receive internal and external packets, the internal packets being those packets generated or received by the internal applications during remote access, and the external packets being those packets destined for devices other than the packet-forwarding device. The packet forwarder forwards external packets between the first and second interfaces. An internal interface forwards internal packets between the internal applications and the first and second interfaces, and a policy engine logically connected to the internal interface applies a policy to the internal packets.

Citations

48 Claims

1. In a packet-forwarding device running an internal application and having a first interface and a second interface, a method for providing policy-based services, said method comprising the steps of:
- said internal application generating internally-generated packets;
  
  applying a first policy to said internally-generated packets;
  
  forwarding said internally-generated packets to said first interface;
  
  receiving second incoming packets at said second interface, said second incoming packets having destination addresses;
  
  classifying said second incoming packets as internally-destined packets if said destination addresses of said second incoming packets are in a first set of one or more addresses and classifying said second incoming packets as second external packets if said destination addresses of said second incoming packets are in a second set of one or more addresses; and
  
  forwarding said second external packets to said first interface without applying said first policy to said second external packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein said step of applying a first policy to said internally-generated packets includes the steps of:
3. The method of claim 2, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
4. The method of claim 2, wherein said step of handling said internally-generated packets in a predetermined manner includes the step of dropping said internally-generated packets.
5. The method of claim 2, wherein said step of handling said internally-generated packets in a predetermined manner includes the step of translating the source addresses and destination addresses of said internally-generated packets.
6. The method of claim 2, wherein said step of handling said intenally-generated packets in a predetermined manner includes the step of encrypting said internally-generated packets.
7. The method of claim 2, wherein said step of handling said internally-generated packets in a predetermined manner includes the step of prioritizing said internally-generated packets.
8. The method of claim 1, further comprising the step of:
- applying a second policy to said second external packets, said second policy differing from said first policy.
9. The method of claim 1, further comprising the steps of:
- applying a third policy to said internally-destined packets; and
  
  forwarding said internally-destined packets to said internal application.
10. The method of claim 9, wherein said step of applying a third policy to said internally-destined packets includes the steps of:
- examining at least one selector field in each one of said internally-destined packets; and
  
  handling said internally-destined packets in a predetermined manner if said selector fields of said internally-destined packets meet predetermined criteria.
11. The method of claim 10, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
12. The method of claim 10, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of dropping said internally-destined packets.
13. The method of claim 10, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of translating the source addresses and destination addresses of said internally-destined packets.
14. The method of claim 10, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of decrypting said internally-destined packets.
15. The method of claim 10, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of prioritizing said internally-destined packets.
16. The method of claim 8, further comprising the steps of:
- receiving first incoming packets at said first interface, said first incoming packets having destination addresses;
  
  classifying said first incoming packets as internally-destined packets if said destination addresses of said first incoming packets are in said first set of one or more addresses and classifying said first incoming packets as first external packets if said destination addresses of said first incoming packets are in said second set of one or more addresses; and
  
  applying a fourth policy to said first external packets, said fourth policy differing from said first policy.
17. The method of claim 1, wherein said second set of one or more addresses includes at least one address assigned to said packet-forwarding device.

18. In a packet-forwarding device running an internal application and having a first interface and a second interface, a method for providing policy-based services, said method comprising the steps of:
- receiving incoming packets at said first interface, each one of said incoming packets having an address;
  
  classifying said incoming packets as internally-destined packets if said addresses of said incoming packets are in a first set of addresses and classifying said incoming packets as first external packets if said addresses of said incoming packets are in a second set of addresses;
  
  applying a first policy to said internally-destined packets;
  
  forwarding said internally-destined packets to said internal application;
  
  forwarding said first external packets to said second interface without applying said first policy to said first external packets.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The method of claim 18, wherein said step of applying a first policy to said internally-destined packets includes the steps of:
20. The method of claim 19, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of dropping said internally-destined packets.
21. The method of claim 19, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of translating the source addresses and destination addresses of said internally-destined packets.
22. The method of claim 19, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of encrypting said internally-destined packets.
23. The method of claim 19, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of prioritizing said internally-destined packets.
24. The method of claim 18, further comprising the step of:
- applying a second policy to said first external packets, said second policy differing from said first policy.
25. The method of claim 18, further comprising the steps of:
- said internal application generating internally-generated packets;
  
  applying a third policy to said internally-generated packets;
  
  forwarding said internally-generated packets to said first interface;
  
  receiving second external packets at said second interface; and
  
  forwarding said second external packets to said first interface without applying said third policy to said second external packets.
26. The method of claim 25, further comprising the step of applying a fourth policy to said second external packets, said fourth policy differing from said third policy.
27. The method of claim 19, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
28. The method of claim 18, wherein said second set of addresses includes at least one address assigned to said packet-forwarding device.

29. A packet-forwarding device comprising:
- a first interface for transmitting first outgoing and receiving first incoming packets;
  
  a second interface for transmitting second outgoing and receiving second incoming packets;
  
  an internal application running on said packet-forwarding device, said internal application generating internally-generated packets and using internally-destined packets;
  
  an internal interface logically connected to said internal application, said internal interface forwarding said internally-generated packets to said first interface, said internal interface forwarding said internally-destined packets to said internal application;
  
  a packet forwarder logically connected to said first interface and to said second interface, said packet forwarder forwarding packets between said first and second interfaces;
  
  a first packet classifier logically connected to said first interface, said internal interface, and said packet forwarder, said first packet classifier classifying said first incoming packets as first internally-destined packets if destination addresses in said first incoming packets are in a first set of one or more addresses and classifying said first incoming packets as first external packets if destination addresses in said first incoming packets are in a second set of one or more addresses, said first packet classifier forwarding said first internally-destined packets to said internal interface, said packet classifier forwarding said first external packets to said packet forwarder;
  
  a second packet classifier logically connected to said second interface, said internal interface, and said packet forwarder, said second packet classifier classifying said second incoming packets as second internally-destined packets if destination addresses in said second incoming packets are in said first set of one or more addresses and classifying said second incoming packets as second external packets if destination addresses in said second incoming packets are in said second set of one or more addresses, said second packet classifier forwarding said second internally-destined packets to said internal interface, said packet classifier forwarding said second external packets to said packet forwarder, and a first policy engine logically connected to said internal interface and to said internal application, said first policy engine applying a first policy to internal packets, said internal packets being selected from the group consisting of said internally-generated packets and said internally-destined packets.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 30. The device of claim 29, further comprising a second policy engine logically connected to said first packet classifier and to said packet forwarder, said second policy engine applying a second policy to said first external packets.
  - 31. The device of claim 30, further comprising a third policy engine logically connected to said second packet classifier and to said packet forwarder, said third policy engine applying a third policy to said second external packets.
  - 32. The device of claim 29, wherein said first policy engine examines at least one selector field in each of one of said internal packets and handles said internal packets in a predetermined manner if said selector fields of said internal packets meets predetermined criteria.
  - 33. The device of claim 32, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
  - 34. The device of claim 32, wherein said first policy engine drops said internal packets if said selector fields of said internal packets meet predetermined criteria.
  - 35. The device of claim 32, wherein said first policy engine translates the source and destination addresses of said internal packets if said selector fields of said internal packets meet predetermined criteria.
  - 36. The device of claim 32, wherein said first policy engine encrypts said internal packets if said selector fields of said internal packets meet predetermined criteria.
  - 37. The device of claim 32, wherein said first policy engine decrypts said internal packets if said selector fields of said internal packets meet predetermined criteria.
  - 38. The device of claim 32, wherein said first policy engine prioritizes said internal packets if said selector fields of said internal packets meet predetermined criteria.

39. In a packet-forwarding device having a first interface, a second interface, a packet forwarder forwarding packets between said first and second interfaces, and running an internal application, said internal application generating internally-generated packets and using internally-destined packets, an improvement comprising:
- at least one packet classifier logically connected to said first and second interfaces, said at least one packet classifier classifying received packets received by said first and second interfaces as internal packets or external packets based on destination addresses in said received packets;
  
  an internal interface logically connected to said internal application and said at least one packet classifier; and
  
  a policy engine logically connected to said internal interface, said policy engine applying a policy to said internal packets.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 40. The improvement of claim 39, wherein said at least one packet classifier forwards said internal packets to said internal interface and forwards said external packets to said packet forwarder.
  - 41. The improvement of claim 39, wherein said at least one packet classifier includes a first packet classifier logically connected to said first interface and a second packet classifier logically connected to said second interface.
  - 42. The improvement of claim 39, wherein
- 43. The improvement of claim 42, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
- 44. The improvement of claim 42, wherein said policy engine drops said internal packets if said selector fields of said internal packets meet predetermined criteria.
- 45. The improvement of claim 42, wherein said policy engine translates the source and destination addresses of said internal packets if said selector fields of said internal packets meet predetermined criteria.
- 46. The improvement of claim 42, wherein said policy engine encrypts said internal packets if said selector fields of said internal packets meet predetermined criteria.
- 47. The improvement of claim 42, wherein said policy engine decrypts said internal packets if said selector fields of said internal packets meet predetermined criteria.
- 48. The improvement of claim 42, wherein said policy engine prioritizes said internal packets if said selector fields of said internal packets meet predetermined criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Freed, Michael, Amara, Satish
Primary Examiner(s)
Ton, Dang
Assistant Examiner(s)
Duong, Frank

Application Number

US09/475,855
Time in Patent Office

1,468 Days
Field of Search

370/229-235, 370/351, 370/389-392, 370/412-418, 370/428, 370/401, 370/402, 370/465, 370/466, 709/227, 709/228, 709/238, 709/240
US Class Current

370/351
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/60   Router architectures

H04L 49/3009   Header conversion, routing ...

H04L 61/00   Network arrangements, proto...

H04L 61/2514   between local and global IP...

H04L 61/2517   using port numbers

H04L 61/2557   Translation policies or rules

H04L 63/0227   Filtering policies mail mes...

H04L 63/04   for providing a confidentia...

Method and apparatus for providing policy-based services for internal applications

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing policy-based services for internal applications

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links