Apparatus and method for providing a device level security mechanism in a network

US 6,700,891 B1
Filed: 06/25/1998
Issued: 03/02/2004
Est. Priority Date: 06/25/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for filtering a packet in a network, comprising:

intercepting a packet having a packet header and a packet body including packet data providing control information;

determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information in the packet body;

if no access list is determined to exist for the packet, forwarding the packet; and

if an access list is determined to exist for the packet, filtering the packet in accordance with the filtering criteria stored in the access list.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for filtering a packet in a network is disclosed. The packet includes a packet header and packet data. The packet is intercepted. It is then determined if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with contents of the packet data. If no access list is determined to exist for the packet, the packet is forwarded. However, if an access list is determined to exist for the packet, the packet is filtered in accordance with the filtering criteria stored in the access list.

61 Citations

View as Search Results

34 Claims

1. A method for filtering a packet in a network, comprising:
- intercepting a packet having a packet header and a packet body including packet data providing control information;
  
  determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information in the packet body;
  
  if no access list is determined to exist for the packet, forwarding the packet; and
  
  if an access list is determined to exist for the packet, filtering the packet in accordance with the filtering criteria stored in the access list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method as recited in claim 1, wherein filtering the packet further includes:
3. The method as recited in claim 2, wherein searching the filtering criteria fails if the selected packet filtering criteria is not obtained, and otherwise passes.
4. The method as recited in claim 3, wherein dropping the packet further includes:
- if searching the filtering criteria fails, forwarding the packet; and
  
  if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
5. The method as recited in claim 2, wherein dropping the packet further includes:
- storing the parsed control information in a memory location.
6. The method as recited in claim 5, wherein the memory location is associated with a line in a switching element.
7. The method as recited in claim 2, wherein dropping the packet further includes:
- ascertaining whether a cache exists for the packet, the cache being associated with a line in a switching element;
  
  building a cache if it is ascertained that a cache does not exist for the packet; and
  
  storing the parsed control information in the cache.
8. The method as recited in claim 1, wherein filtering the packet further includes:
- establishing whether the packet has been parsed;
  
  parsing the packet to obtain the control information if it is established that the packet has not been parsed;
  
  obtaining the parsed control information if it is determined that the packet has been parsed;
  
  searching the filtering criteria in the access list for an entry corresponding to the parsed control information to obtain selected packet filtering criteria; and
  
  dropping the packet in accordance with the selected packet filtering criteria.
9. The method as recited in claim 8, wherein searching the filtering criteria fails if the selected packet filtering criteria is not obtained, and otherwise passes.
10. The method as recited in claim 9, wherein dropping the packet further includes:
- if searching the filtering criteria fails, forwarding the packet; and
  
  if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
11. The method as recited in claim 8, wherein obtaining the parsed control information further includes:
- obtaining the parsed control information from a pre-determined memory location.
12. The method as recited in claim 11, wherein the pre-determined memory location is associated with a line in a switching element.
13. The method as recited in claim 8, wherein establishing whether the packet has been parsed further includes:
- ascertaining whether a cache exists for the packet, the cache being associated with a line in a switching element.
14. The method as recited in claim 1, further including:
- establishing a default mode, the default mode being a send mode in which the packet is forwarded, and otherwise being a drop mode in which the packet is dropped; and
  
  wherein forwarding the packet is performed if the default mode is the send mode.
15. The method as recited in claim 14, wherein filtering the packet further includes:
- parsing the packet to obtain the control information;
  
  searching the filtering criteria in the access list for an entry corresponding to the parsed control information to obtain selected packet filtering criteria; and
  
  dropping the packet in accordance with the selected packet filtering criteria.
16. The method as recited in claim 15, wherein searching the filtering criteria fails if the selected packet filtering criteria is not obtained, and otherwise passes.
17. The method as recited in claim 16, wherein dropping the packet further includes:
- if searching the filtering criteria fails, forwarding the packet if the default mode is the send mode; and
  
  if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
18. The method as recited in claim 14, wherein filtering the packet further includes:
- establishing whether the packet has been parsed;
  
  parsing the packet to obtain the control information if it is established that the packet has not been parsed;
  
  obtaining the parsed control information if it is determined that the packet has been parsed;
  
  searching the filtering criteria in the access list for an entry corresponding to the parsed control information to obtain selected packet filtering criteria; and
  
  dropping the packet in accordance with the selected packet filtering criteria.
19. The method as recited in claim 18, wherein searching the filtering criteria fails if the selected packet filtering criteria is not obtained, and otherwise passes.
20. The method as recited in claim 19, wherein dropping the packet further includes:
- if searching the filtering criteria fails, forwarding the packet if the default mode is the send mode; and
  
  if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
21. The method as recited in claim 16, wherein dropping the packet further includes:
- setting up a filtering mode, the filtering mode being a send mode in which the packet is forwarded, and otherwise being a drop mode in which the packet is dropped;
  
  if searching the filtering criteria fails, forwarding the packet if the filtering mode is the send mode; and
  
  if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
22. The method as recited in claim 19, wherein dropping the packet further includes:
- setting up a filtering mode, the filtering mode being a send mode in which the packet is forwarded, and otherwise being a drop mode in which the packet is dropped;
  
  if searching the filtering criteria fails, forwarding the packet if the filtering mode is the send mode; and
  
  if searching the filtering criteria passes, discarding the packet in accordance with the selected packet filtering criteria.
23. The method as recited in claim 1, wherein the filtering criteria includes an action field associated with the control information, the action field dictating forwarding of the packet when in a first state, and discarding of the packet when in a second state.
24. The method as recited in claim 1, wherein the control information includes an object, a type, and a zone, and wherein the filtering criteria includes an action field associated with the object, the type, and the zone, the action field dictating forwarding of the packet when in a first state, and discarding of the packet when in a second state.
25. The method as recited in claim 2, wherein the access list includes a plurality of entries, each one of the plurality of entries having separate filtering criteria and a linking field, the linking field permitting a coupling between selected ones of the plurality of entries, wherein searching the filtering criteria further includes:
- locating a set of the plurality of entries corresponding to the parsed control information using the linking field; and
  
  merging the filtering criteria for the set of the plurality of entries with the filtering criteria for the entry corresponding to the parsed control information to obtain the selected packet filtering criteria.
26. The method as recited in claim 8, wherein the access list includes a plurality of entries, each one of the plurality of entries having separate filtering criteria and a linking field, the linking field permitting a coupling between selected ones of the plurality of entries, wherein searching the filtering criteria further includes:
- locating a set of the plurality of entries corresponding to the parsed control information using the linking field; and
  
  merging the filtering criteria for the set of the plurality of entries with the filtering criteria for the entry corresponding to the parsed control information to obtain the selected packet filtering criteria.
27. The method as recited in claim 15, wherein the access list includes a plurality of entries, each one of the plurality of entries having separate filtering criteria and a linking field, the linking field permitting a coupling between selected ones of the plurality of entries, wherein searching the filtering criteria further includes:
- locating a set of the plurality of entries corresponding to the parsed control information using the linking field; and
  
  merging the filtering criteria for the set of the plurality of entries with the filtering criteria for the entry corresponding to the parsed control information to obtain the selected packet filtering criteria.
28. The method as recited in claim 18, wherein the access list includes a plurality of entries, each one of the plurality of entries having separate filtering criteria and a linking field, the linking field permitting a coupling between selected ones of the plurality of entries, wherein searching the filtering criteria further includes:
- locating a set of the plurality of entries corresponding to the parsed control information using the linking field; and
  
  merging the filtering criteria for the set of the plurality of entries with the filtering criteria for the entry corresponding to the parsed control information to obtain the selected packet filtering criteria.

29. A switching element for filtering a packet in a computer network, comprising:
- a processor; and
  
  a memory having stored therein instructions that, when executed, cause the switching element to perform the steps of;
  
  intercepting a packet having a packet header and a packet body including packet data providing control information;
  
  determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information;
  
  forwarding the packet if no access list is determined to exist for the packet; and
  
  filtering the packet in accordance with the filtering criteria stored in the access list if an access list is determined to exist for the packet.
- View Dependent Claims (32)
- - 32. The switching element as recited in claim 29, wherein the control information comprises at least one of a zone field, a type field indicating a device type, and an object field.

30. A computer-readable medium recording software, the software disposed on a computer to perform a method for filtering a packet in a network, the method comprising:
- intercepting a packet having a packet header and a packet body including packet data providing control information;
  
  determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information;
  
  if no access list is determined to exist for the packet, forwarding the packet; and
  
  if an access list is determined to exist for the packet, filtering the packet in accordance with the filtering criteria stored in the access list.

31. A computer data signal embodied in a carrier wave and representing sequences of instructions which, when executed by a processor, cause said processor to perform a method for filtering a packet in a network, the method comprising:
- intercepting a packet having a packet header and a packet body including packet data providing control information;
  
  determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with the control information;
  
  if no access list is determined to exist for the packet, forwarding the packet; and
  
  if an access list is determined to exist for the packet, filtering the packet in accordance with the filtering criteria stored in the access list.

33. A method for filtering packets in a network device comprising:
- receiving a packet having a packet header and a packet body including packet data providing control information, wherein the control information is not provided in a header of the packet;
  
  parsing the control information into a plurality of fields to determine packet values for the plurality of fields;
  
  matching the packet values for the plurality of fields to an ingress record in an ingress access list;
  
  handling the packet according to an action specified in the ingress record;
  
  matching the packet values for the plurality of fields to an egress record in an egress access list; and
  
  handling the packet according to an action specified in the egress record.
- View Dependent Claims (34)
- - 34. The method as recited in claim 33, wherein handling the packet according to an action specified in the ingress record comprises forwarding or dropping the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wong, Dean W.
Primary Examiner(s)
VANDERPUYE, KENNETH N

Application Number

US09/104,883
Time in Patent Office

2,077 Days
Field of Search

370/401, 370/389, 370/395.1, 370/402, 713/200, 713/201, 709/225
US Class Current

370/401
CPC Class Codes

H04L 63/0245 Filtering by information in...

H04L 63/101 Access control lists [ACL]

Apparatus and method for providing a device level security mechanism in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for providing a device level security mechanism in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links