Community separation control in a multi-community node

US 6,760,330 B2
Filed: 10/16/2001
Issued: 07/06/2004
Est. Priority Date: 12/18/2000
Status: Active Grant

First Claim

Patent Images

1. A method of community separation control in a Multi-Community Node (MCN) comprising:

determining a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet;

discarding said first data packet in response to detecting said PCS is null; and

processing said first data packet in response to detecting said POS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a process which sent said first data packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and mechanism of enforcing, in a computer network, a community separation policy wherein the data of a particular user community should be accessible only by members of that community. A Multi-Community Node (MCN) processes information for users in multiple communities and must enforce the community separation policy. In an open MCN, which may run both trusted and untrusted applications, the method and mechanism performs a set of checks on packets received from and to be transmitted on a network, and on application processes which correspond to those packets, to ensure that all communications comply with the community separation policy. The enforcement method and mechanism use a database of associations of sets of communities corresponding to ports, applications, and other network addresses within the computer network. The method and mechanism includes determining a packet community set (PCS) of a data packet, discarding said data packet if the PCS is null, and allowing further processing if the PCS is not null.

56 Citations

View as Search Results

53 Claims

1. A method of community separation control in a Multi-Community Node (MCN) comprising:
- determining a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet;
  
  discarding said first data packet in response to detecting said PCS is null; and
  
  processing said first data packet in response to detecting said POS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a process which sent said first data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising recording an event corresponding to said first data packet in response to detecting said PCS is null.
  - 3. The method of claim 1, wherein said processing further comprises:
4. The method of claim 1, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing further comprises discarding said first data packet in response to detecting said PCS is not a subset of an IFCS over which said first data packet was received.
5. The method of claim 4, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing further comprises discarding said first data packet in response to detecting said PCS is a subset of said IFCS, a destination of said first data packet is said MCN, and said PCS is not a subset of an ACS of the destination process of said first data packet.
6. The method of claim 5, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing further comprises discarding said first data packet in response to detecting said PCS is a subset of said IFCS, a destination of said first data packet is a remote node, and said PCS is not a subset of an IFCS of the interface over which said first data packet will be output.
7. The method of claim 6, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing further comprises allowing further receive processing of said first data packet in response to detecting a destination of said first data packet is said MCN, said PCS is a subset of said IFCS over which said first data packet was received, and said PCS is a subset of said ACS.
8. The method of claim 1, further comprising consulting a Community Information Base (CIB).
9. The method of claim 8, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NSCS of said MCN, the NSCS of each node with which said MCN communicates, and the ACS of each process on said MCN.
10. The method of claim 8, further comprising performing object access control.
11. The method of claim 10, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an abject community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.

12. A method of community separation control in a Multi-Community Node (MCN) comprising:
- determining a first packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network address community set (NACS) of said first data packet, a destination NACS of said first data packet, and an application community set (ACS) of a process which sent said first data packet;
  
  discarding said first data packet in response to detecting said PCS is null; and
  
  processing said first data packet in response to detecting said PCS is not null.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, wherein said processing comprises:
14. The method of claim 12, further comprising consulting a Community Information Base (CIB).
15. The method of claim 14, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NACS of said MCN, the NACS of each node with which said MCN communicates, and the ACS of each process on said MCN.
16. The method of claim 14, further comprising performing object access control.
17. The method of claim 16, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.

18. A method of community separation control in a Multi-Community Node (MCN) comprising:
- determining a packet community set (PCS) of a first data packet, wherein said PCS is encoded in a header of said first data packet, and wherein determining said PCS comprises decoding said PCS from said header;
  
  discarding said first data packet in response to detecting said PCS is not a subset of the intersection of a source network address community set (NACS) and a destination NACS of said first data packet; and
  
  processing said first data packet in response to detecting said PCS is a subset of said intersection of said source NACS and said destination NACS.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method of claim 18, further comprising discarding said first data packet in response to detecting an interface community set (IFCS) of the interface over which said first packet was received is not a subset of said PCS.
  - 20. The method of claim 19, wherein a destination of said first data packet is said MCN, further comprising:
21. The method of claim 19, wherein a destination of said first data packet is a remote node, further comprising:
- discarding said first data packet in response to detecting said PCS is not a subset of the IFCS of the interface over which said first data packet is to be output; and
  
  allowing transmit processing of said first data packet in response to detecting said PCS is a subset of said IFCS.
22. The method of claim 18, further comprising consulting a Community Information Base (CIB).
23. The method of claim 22, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NACS of said MCN, the NACS of each node with which said MCN communicates, and the ACS of each process on said MCN.
24. The method of claim 22, further comprising performing object access control.
25. The method of claim 24, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.

26. A Multi-Community Node (MCN) comprising:
- a processing unit, wherein said processing unit is configured to;
  
  determine a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a sending process of said first data packet; and
  
  a community information base (CIB) coupled to said processing unit.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 27. The MCN of claim 26, wherein said processing unit is further configured to record an event corresponding to said first data packet in response to detecting said PCS is null.
  - 28. The MCN of claim 26, wherein said processing unit is further configured to:
29. The MCN of claim 26, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing unit is further configured to discard said first data packet in response to detecting said PCS is not a subset of an IFCS over which said first data packet was received.
30. The MCN of claim 29, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing unit is further configured to discard said first data packet in response to detecting said PCS is a subset of said IFCS, a destination of said first data packet is said MCN, and said PCS is not a subset of an ACS of the destination process of said first data packet.
31. The MCN of claim 30, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing unit is further configured to discard said first data packet in response to detecting said PCS is a subset of said IFCS, a destination of said first data packet is a remote node, and said PCS is not a subset of an IFCS of the interface over which said first data packet will be output.
32. The MCN of claim 31, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing unit is further configured to allow further receive processing of said first data packet in response to detecting a destination of said first data packet is said MCN, said PCS is a subset of said IFCS over which said first data packet was received, and said PCS is a subset of said ACS.
33. The MCN of claim 26, wherein said processing unit is further configured to consult said CIB.
34. The MCN of claim 33, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NSCS of said MCN, the NSCS of each node with which said MCN communicates, and the ACS of each process on said MCN.
35. The MCN of claim 33, further comprising performing object access control.
36. The MCN of claim 35, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.
37. The MCN of claim 35, wherein said MCN is coupled to a computer network.

38. A Multi-Community Node (MCN) comprising:
- a processing unit, wherein said processing unit is configured to determine a first packet community set (PCS) of a first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said PCS is determined by calculating an intersection of a source network address community set (NACS) of said first data packet, a destination NACS of said first data packet, and an application community set (ACS) of the sending process of said first data packet; and
  
  a community information base coupled to said processing unit.
- View Dependent Claims (39, 40, 41, 42, 43)
- - 39. The MCN of claim 38, wherein said processing unit is further configured to:
40. The MCN of claim 38, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NSCS of said MCN, the NSCS of each node with which said MCN communicates, and the ACS of each process on said MCN.
41. The MCN of claim 39, further comprising performing object access control.
42. The MCN of claim 41, wherein said MCN is coupled to a computer network.
43. The MCN of claim 41, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.

44. A Multi-Community Node (MCN) comprising:
- a processing unit, wherein said processing unit is configured to determine a first packet community set (PCS) of a first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said PCS is encoded in a header of said first data packet, and wherein said PCS is determined by decoding said PCS from said header; and
  
  a community information base coupled to said processing unit.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52)
- - 45. The MCN of claim 44, wherein said processing unit is further configured to:
46. The MCN of claim 45, further comprising discarding said first data packet in response to detecting the interface community set (IFCS) of the interface over which said first packet was received is not a subset of said PCS.
47. The MCN of claim 46, wherein a destination of said first data packet is said MCN, further comprising:
- discarding said first data packet in response to detecting said PCS is not a subset of the application community set (ACS) of the destination process of said first data packet; and
  
  allowing receive processing of said first data packet in response to detecting said PCS is a subset of said ACS.
48. The MCN of claim 46, wherein a destination of said first data packet is a remote node, further comprising:
- discarding said first data packet in response to detecting said PCS is not a subset of the IFCS of the interface over which said first data packet is to be output; and
  
  allowing transmit processing of said first data packet in response to detecting said PCS is a subset of said IFCS.
49. The MCN of claim 44, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NACS of said MCN, the NACS of each node with which said MCN communicates, and the ACS of each process on said MCN.
50. The MGN of claim 48, further comprising performing object access control.
51. The MCN of claim 50, wherein said MCN is coupled to a computer network.
52. The MCN of claim 51, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.

53. A carrier medium comprising program instructions, wherein said program instructions are executable to:
- determine a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet;
  
  discard said first data packet in response to detecting said PCS is null; and
  
  process said first data packet in response to detecting said PCS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a process which sent said first data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Tahan, Thomas E.
Primary Examiner(s)
Chin, Wellington
Assistant Examiner(s)
JAIN, RAJ K

Application Number

US09/981,607
Publication Number

US 20020075877A1
Time in Patent Office

994 Days
Field of Search

370/229, 370/230, 370/230.1, 370/231, 370/235, 370/400, 370/401, 370/389, 370/392, 709/284, 709/225, 709/227
US Class Current

370/389
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/104   Grouping of entities

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

Community separation control in a multi-community node

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Community separation control in a multi-community node

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links