Apparatus and method for providing a device level security mechanism in a network
Abstract
A method and apparatus for filtering a packet in a network is disclosed. The packet includes a packet header and packet data. The packet is intercepted. It is then determined if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with contents of the packet data. If no access list is determined to exist for the packet, the packet is forwarded. However, if an access list is determined to exist for the packet, the packet is filtered in accordance with the filtering criteria stored in the access list.
61 Citations
34 Claims
1. A method for filtering a packet in a network, comprising:
intercepting a packet having a packet header and a packet body including packet data providing control information;
determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information in the packet body;
if no access list is determined to exist for the packet, forwarding the packet; and
if an access list is determined to exist for the packet, filtering the packet in accordance with the filtering criteria stored in the access list.
2. The method as recited in claim 1, wherein filtering the packet further includes:
parsing the packet to obtain the control information;
searching the filtering criteria in the access list for an entry corresponding to the parsed control information to obtain selected packet filtering criteria; and
dropping the packet in accordance with the selected packet filtering criteria.
3. The method as recited in claim 2, wherein searching the filtering criteria fails if the selected packet filtering criteria is not obtained, and otherwise passes.
4. The method as recited in claim 3, wherein dropping the packet further includes:
if searching the filtering criteria fails, forwarding the packet; and
if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
5. The method as recited in claim 2, wherein dropping the packet further includes:
storing the parsed control information in a memory location.
6. The method as recited in claim 5, wherein the memory location is associated with a line in a switching element.
7. The method as recited in claim 2, wherein dropping the packet further includes:
ascertaining whether a cache exists for the packet, the cache being associated with a line in a switching element;
building a cache if it is ascertained that a cache does not exist for the packet; and
storing the parsed control information in the cache.
8. The method as recited in claim 1, wherein filtering the packet further includes:
establishing whether the packet has been parsed;
parsing the packet to obtain the control information if it is established that the packet has not been parsed;
obtaining the parsed control information if it is determined that the packet has been parsed;
searching the filtering criteria in the access list for an entry corresponding to the parsed control information to obtain selected packet filtering criteria; and
dropping the packet in accordance with the selected packet filtering criteria.
9. The method as recited in claim 8, wherein searching the filtering criteria fails if the selected packet filtering criteria is not obtained, and otherwise passes.
10. The method as recited in claim 9, wherein dropping the packet further includes:
if searching the filtering criteria fails, forwarding the packet; and
if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
11. The method as recited in claim 8, wherein obtaining the parsed control information further includes:
obtaining the parsed control information from a pre-determined memory location.
12. The method as recited in claim 11, wherein the pre-determined memory location is associated with a line in a switching element.
13. The method as recited in claim 8, wherein establishing whether the packet has been parsed further includes:
ascertaining whether a cache exists for the packet, the cache being associated with a line in a switching element.
14. The method as recited in claim 1, further including:
establishing a default mode, the default mode being a send mode in which the packet is forwarded, and otherwise being a drop mode in which the packet is dropped; and
wherein forwarding the packet is performed if the default mode is the send mode.
15. The method as recited in claim 14, wherein filtering the packet further includes:
parsing the packet to obtain the control information;
searching the filtering criteria in the access list for an entry corresponding to the parsed control information to obtain selected packet filtering criteria; and
dropping the packet in accordance with the selected packet filtering criteria.
16. The method as recited in claim 15, wherein searching the filtering criteria fails if the selected packet filtering criteria is not obtained, and otherwise passes.
17. The method as recited in claim 16, wherein dropping the packet further includes:
if searching the filtering criteria fails, forwarding the packet if the default mode is the send mode; and
if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
18. The method as recited in claim 14, wherein filtering the packet further includes:
establishing whether the packet has been parsed;
parsing the packet to obtain the control information if it is established that the packet has not been parsed;
obtaining the parsed control information if it is determined that the packet has been parsed;
searching the filtering criteria in the access list for an entry corresponding to the parsed control information to obtain selected packet filtering criteria; and
dropping the packet in accordance with the selected packet filtering criteria.
19. The method as recited in claim 18, wherein searching the filtering criteria fails if the selected packet filtering criteria is not obtained, and otherwise passes.
20. The method as recited in claim 19, wherein dropping the packet further includes:
if searching the filtering criteria fails, forwarding the packet if the default mode is the send mode; and
if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
21. The method as recited in claim 16, wherein dropping the packet further includes:
setting up a filtering mode, the filtering mode being a send mode in which the packet is forwarded, and otherwise being a drop mode in which the packet is dropped;
if searching the filtering criteria fails, forwarding the packet if the filtering mode is the send mode; and
if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
22. The method as recited in claim 19, wherein dropping the packet further includes:
setting up a filtering mode, the filtering mode being a send mode in which the packet is forwarded, and otherwise being a drop mode in which the packet is dropped;
if searching the filtering criteria fails, forwarding the packet if the filtering mode is the send mode; and
if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
23. The method as recited in claim 1, wherein the filtering criteria includes an action field associated with the control information, the action field dictating forwarding of the packet when in a first state, and discarding of the packet when in a second state.
24. The method as recited in claim 1, wherein the control information includes an object, a type, and a zone, and wherein the filtering criteria includes an action field associated with the object, the type, and the zone, the action field dictating forwarding of the packet when in a first state, and discarding of the packet when in a second state.
25. The method as recited in claim 2, wherein the access list includes a plurality of entries, each one of the plurality of entries having separate filtering criteria and a linking field, the linking field permitting a coupling between selected ones of the plurality of entries, wherein searching the filtering criteria further includes:
locating a set of the plurality of entries corresponding to the parsed control information using the linking field; and
merging the filtering criteria for the set of the plurality of entries with the filtering criteria for the entry corresponding to the parsed control information to obtain the selected packet filtering criteria.
26. The method as recited in claim 8, wherein the access list includes a plurality of entries, each one of the plurality of entries having separate filtering criteria and a linking field, the linking field permitting a coupling between selected ones of the plurality of entries, wherein searching the filtering criteria further includes:
locating a set of the plurality of entries corresponding to the parsed control information using the linking field; and
merging the filtering criteria for the set of the plurality of entries with the filtering criteria for the entry corresponding to the parsed control information to obtain the selected packet filtering criteria.
27. The method as recited in claim 15, wherein the access list includes a plurality of entries, each one of the plurality of entries having separate filtering criteria and a linking field, the linking field permitting a coupling between selected ones of the plurality of entries, wherein searching the filtering criteria further includes:
locating a set of the plurality of entries corresponding to the parsed control information using the linking field; and
merging the filtering criteria for the set of the plurality of entries with the filtering criteria for the entry corresponding to the parsed control information to obtain the selected packet filtering criteria.
28. The method as recited in claim 18, wherein the access list includes a plurality of entries, each one of the plurality of entries having separate filtering criteria and a linking field, the linking field permitting a coupling between selected ones of the plurality of entries, wherein searching the filtering criteria further includes:
locating a set of the plurality of entries corresponding to the parsed control information using the linking field; and
merging the filtering criteria for the set of the plurality of entries with the filtering criteria for the entry corresponding to the parsed control information to obtain the selected packet filtering criteria.
29. A switching element for filtering a packet in a computer network, comprising:
a processor; and
a memory having stored therein instructions that, when executed, cause the switching element to perform the steps of:
intercepting a packet having a packet header and a packet body including packet data providing control information;
determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information;
forwarding the packet if no access list is determined to exist for the packet; and
filtering the packet in accordance with the filtering criteria stored in the access list if an access list is determined to exist for the packet.
30. A computer-readable medium recording software, the software disposed on a computer to perform a method for filtering a packet in a network, the method comprising:
intercepting a packet having a packet header and a packet body including packet data providing control information;
determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information;
if no access list is determined to exist for the packet, forwarding the packet; and
if an access list is determined to exist for the packet, filtering the packet in accordance with the filtering criteria stored in the access list.
31. A computer data signal embodied in a carrier wave and representing sequences of instructions which, when executed by a processor, cause said processor to perform a method for filtering a packet in a network, the method comprising:
intercepting a packet having a packet header and a packet body including packet data providing control information;
determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information;
if no access list is determined to exist for the packet, forwarding the packet; and
if an access list is determined to exist for the packet, filtering the packet in accordance with the filtering criteria stored in the access list.
33. A method for filtering packets in a network device comprising:
receiving a packet having a packet header and a packet body including packet data providing control information, wherein the control information is not provided in a header of the packet;
parsing the control information into a plurality of fields to determine packet values for the plurality of fields;
matching the packet values for the plurality of fields to an ingress record in an ingress access list;
handling the packet according to an action specified in the ingress record;
matching the packet values for the plurality of fields to an egress record in an egress access list; and
handling the packet according to an action specified in the egress record.
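The method claims above (claims 1 through 28: access-list lookup keyed on control information carried in the packet body rather than the header, an action field per entry, a default mode for packets with no access list, a filtering mode for packets whose search fails, a per-line cache of parsed control information, and linked entries whose criteria are merged) together with claim 33 (an ingress record followed by an egress record) describe one procedure. The following is an added example, not the patent's own code, that models that procedure end to end in Python. Everything the claims leave open is an assumption made here: the body encoding (`object=<o>;type=<t>;zone=<z>`), `None` as a wildcard in an entry, the merge rule for a linked set (discard wins), fail-closed handling of a body that cannot be parsed, lines identified by integers, and the egress line taken from the header.

```python
# Added example, not the patent's own code: a runnable model of the claimed filter.
# Body encoding, wildcard and link-merge rules, fail-closed handling of unparseable
# bodies and the line model are assumptions made here; the claims do not fix them.
from enum import Enum
from typing import Dict, List, NamedTuple, Optional, Tuple

class Action(Enum):  # also used for the modes: send mode = FORWARD, drop mode = DISCARD
    FORWARD = 1  # action field, first state (claim 23)
    DISCARD = 2  # action field, second state

ControlInfo = NamedTuple("ControlInfo", [("obj", str), ("typ", str), ("zone", str)])  # claim 24
Packet = NamedTuple("Packet", [("ingress_line", int), ("egress_line", int), ("body", bytes)])

class AclEntry(NamedTuple):
    name: str
    obj: Optional[str]  # None is an assumed wildcard
    typ: Optional[str]
    zone: Optional[str]
    action: Action
    link: Optional[str] = None  # linking field: name of a coupled entry (claim 25)

def parse_control_info(body: bytes) -> ControlInfo:
    """Control information lives in the body, not the header (claim 33).
    Assumed encoding: ASCII 'object=<o>;type=<t>;zone=<z>'."""
    fields = dict(p.split("=", 1) for p in body.decode("ascii").split(";") if "=" in p)
    if set(fields) != {"object", "type", "zone"} or not all(fields.values()):
        raise ValueError(f"malformed control information {body!r}")
    return ControlInfo(fields["object"], fields["type"], fields["zone"])

def entry_matches(entry: AclEntry, ctl: ControlInfo) -> bool:
    wanted, got = (entry.obj, entry.typ, entry.zone), (ctl.obj, ctl.typ, ctl.zone)
    return all(w is None or w == g for w, g in zip(wanted, got))

def search_access_list(acl: List[AclEntry], ctl: ControlInfo) -> Optional[Action]:
    """First entry matching ctl plus linked entries that also match, merged
    fail-closed (assumed rule: DISCARD wins). None means the search failed."""
    by_name = {e.name: e for e in acl}
    hit = next((e for e in acl if entry_matches(e, ctl)), None)
    if hit is None:
        return None
    matched, seen, cur = [hit], {hit.name}, hit
    while cur.link and cur.link not in seen:  # 'seen' stops link cycles
        cur = by_name.get(cur.link)
        if cur is None:
            break  # dangling link is ignored (assumption)
        seen.add(cur.name)
        if entry_matches(cur, ctl):
            matched.append(cur)
    return Action.DISCARD if any(e.action is Action.DISCARD for e in matched) else Action.FORWARD

class SwitchingElement:
    def __init__(self, default_mode: Action, filtering_mode: Action) -> None:
        self.default_mode = default_mode  # applies when no access list exists (claim 14)
        self.filtering_mode = filtering_mode  # applies when the search fails (claim 21)
        self.ingress_acls: Dict[int, List[AclEntry]] = {}
        self.egress_acls: Dict[int, List[AclEntry]] = {}
        self.cache: Dict[int, Dict[bytes, ControlInfo]] = {}  # per line (claims 7, 13)
        self.parse_count = 0

    def _control_info(self, pkt: Packet) -> ControlInfo:
        line_cache = self.cache.setdefault(pkt.ingress_line, {})  # build cache if absent
        if pkt.body not in line_cache:  # not parsed yet on this line
            self.parse_count += 1
            line_cache[pkt.body] = parse_control_info(pkt.body)
        return line_cache[pkt.body]

    def _apply(self, acl: Optional[List[AclEntry]], pkt: Packet) -> Action:
        if acl is None:  # no access list exists for this packet
            return self.default_mode
        try:
            action = search_access_list(acl, self._control_info(pkt))
        except ValueError:
            return Action.DISCARD  # assumption: unparseable control info fails closed
        return self.filtering_mode if action is None else action

    def process(self, pkt: Packet) -> Tuple[Action, str]:
        """Ingress record, then egress record (claim 33); returns the deciding stage too."""
        if self._apply(self.ingress_acls.get(pkt.ingress_line), pkt) is Action.DISCARD:
            return Action.DISCARD, "ingress"
        return self._apply(self.egress_acls.get(pkt.egress_line), pkt), "egress"

def demo() -> Tuple[Dict[str, Tuple[Action, str]], int]:
    """Constructed lists and packets; also returns how many bodies were parsed."""
    sw = SwitchingElement(default_mode=Action.FORWARD, filtering_mode=Action.DISCARD)
    sw.ingress_acls[1] = [
        AclEntry("lab-control", None, "control", "lab", Action.FORWARD, link="lab-printer"),
        AclEntry("lab-printer", "printer", None, None, Action.DISCARD),  # coupled exception
    ]
    sw.egress_acls[3] = [AclEntry("no-lab-on-3", None, None, "lab", Action.DISCARD)]
    lab = b"object=camera;type=control;zone=lab"
    pkts = {
        "camera_to_2": Packet(1, 2, lab),
        "printer_to_2": Packet(1, 2, b"object=printer;type=control;zone=lab"),
        "camera_to_3": Packet(1, 3, lab),
        "unlisted": Packet(1, 2, b"object=camera;type=status;zone=core"),
        "no_acl_line": Packet(4, 2, b"object=camera;type=status;zone=core"),
        "malformed": Packet(1, 2, b"object=camera;type"),
    }
    results = {name: sw.process(p) for name, p in pkts.items()}
    sw.process(pkts["camera_to_2"])  # repeat: served from the cache, no new parse
    return results, sw.parse_count
```

In `demo()` the camera packet is forwarded on line 1 but discarded on egress to line 3, the printer packet is discarded because the linked `lab-printer` entry is merged into the `lab-control` hit, a packet matching no entry falls to the filtering mode, a packet on a line with no access list falls to the default mode, and the body is parsed once per line and packet even though the egress stage looks it up again. Two points the claims leave to the implementer: a packet whose control information cannot be parsed is discarded here rather than forwarded, and the default and filtering modes are both operator choices, so a deployment that wants fail-closed behaviour for unknown control information sets both to the drop mode. The cache stores only parsed control information, not decisions, so changing an access list does not require invalidating it.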
Specification