Community separation control in a multi-community node
Abstract
A method and mechanism of enforcing, in a computer network, a community separation policy wherein the data of a particular user community should be accessible only by members of that community. A Multi-Community Node (MCN) processes information for users in multiple communities and must enforce the community separation policy. In an open MCN, which may run both trusted and untrusted applications, the method and mechanism performs a set of checks on packets received from and to be transmitted on a network, and on application processes which correspond to those packets, to ensure that all communications comply with the community separation policy. The enforcement method and mechanism use a database of associations of sets of communities corresponding to ports, applications, and other network addresses within the computer network. The method and mechanism includes determining a packet community set (PCS) of a data packet, discarding said data packet if the PCS is null, and allowing further processing if the PCS is not null.
56 Citations
53 Claims
1. A method of community separation control in a Multi-Community Node (MCN) comprising:
determining a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet;
discarding said first data packet in response to detecting said PCS is null; and
processing said first data packet in response to detecting said PCS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a process which sent said first data packet.
discarding said first data packet in response to detecting said first data packet is an outgoing data packet, said PCS is a subset of said ACS, and said PCS is not a subset of an interface community set (IFCS) of the interface over which said first data packet is to be output; and
allowing further transmit processing on said first data packet in response to detecting said first data packet is an outgoing data packet, said PCS is a subset of said ACS, and said PCS is a subset of said IFCS.
4. The method of claim 1, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing further comprises discarding said first data packet in response to detecting said PCS is not a subset of an IFCS over which said first data packet was received.
5. The method of claim 4, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing further comprises discarding said first data packet in response to detecting said PCS is a subset of said IFCS, a destination of said first data packet is said MCN, and said PCS is not a subset of an ACS of the destination process of said first data packet.
6. The method of claim 5, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing further comprises discarding said first data packet in response to detecting said PCS is a subset of said IFCS, a destination of said first data packet is a remote node, and said PCS is not a subset of an IFCS of the interface over which said first data packet will be output.
7. The method of claim 6, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing further comprises allowing further receive processing of said first data packet in response to detecting a destination of said first data packet is said MCN, said PCS is a subset of said IFCS over which said first data packet was received, and said PCS is a subset of said ACS.
8. The method of claim 1, further comprising consulting a Community Information Base (CIB).
9. The method of claim 8, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NSCS of said MCN, the NSCS of each node with which said MCN communicates, and the ACS of each process on said MCN.
10. The method of claim 8, further comprising performing object access control.
11. The method of claim 10, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.
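The decision procedure of claims 1 through 11 is a chain of set-intersection and subset tests against a Community Information Base. The following is an added example written for this page, not the patent's own implementation: it encodes the NSCS-based packet checks (claims 1 to 7) and the object access rule of claim 11 over a constructed in-memory CIB. The service, interface, process and object names are hypothetical, and unknown CIB entries are treated as belonging to no community so that every check on them fails closed, which is a design choice of this example rather than something the claims state.

```python
"""Community separation checks of claims 1-11.

Example code added for this page, not the patent's own implementation.
The Community Information Base (CIB) below is a constructed in-memory table;
service names, interface names, process names and object paths are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

CommunitySet = FrozenSet[str]
EMPTY: CommunitySet = frozenset()

# Constructed CIB (claim 9): community sets keyed by network service (NSCS),
# interface (IFCS), process (ACS) and object (OCS). Anything not listed is
# treated as belonging to no community, so the subset checks below deny it.
CIB: Dict[str, Dict[str, CommunitySet]] = {
    "nscs": {
        "mail.red": frozenset({"red"}),
        "files.shared": frozenset({"red", "blue"}),
        "web.blue": frozenset({"blue"}),
    },
    "ifcs": {
        "eth0": frozenset({"red", "blue"}),   # link carrying both communities
        "eth1": frozenset({"blue"}),          # blue-only link
    },
    "acs": {
        "mailer": frozenset({"red"}),
        "sync": frozenset({"red", "blue"}),
    },
    "ocs": {
        "/data/red-report": frozenset({"red"}),
        "/data/shared": frozenset({"red", "blue"}),
    },
}


@dataclass(frozen=True)
class Packet:
    src_service: str         # source network service, looked up in CIB["nscs"]
    dst_service: str         # destination network service, looked up in CIB["nscs"]
    outgoing: bool           # True: sent by a local process; False: received on an interface
    process: str = ""        # sending process (outgoing) or destination process (incoming, local)
    interface: str = ""      # output interface (outgoing) or receiving interface (incoming)
    dst_is_mcn: bool = True  # incoming only: addressed to this node rather than a remote node
    out_interface: str = ""  # incoming with remote destination: interface it would leave by


def lookup(table: str, key: str) -> CommunitySet:
    """CIB lookup that denies by default for entries the CIB does not know."""
    return CIB[table].get(key, EMPTY)


def packet_community_set(pkt: Packet) -> CommunitySet:
    """Claim 1: the PCS is the intersection of the source and destination NSCS."""
    return lookup("nscs", pkt.src_service) & lookup("nscs", pkt.dst_service)


def check_packet(pkt: Packet) -> str:
    """Apply claims 1-7 and return 'discard', 'transmit', 'receive' or 'forward'."""
    pcs = packet_community_set(pkt)
    if not pcs:                                        # claim 1: null PCS
        return "discard"
    if pkt.outgoing:
        if not pcs <= lookup("acs", pkt.process):      # claim 1: PCS within sender's ACS
            return "discard"
        if not pcs <= lookup("ifcs", pkt.interface):   # dependent claim: PCS within output IFCS
            return "discard"
        return "transmit"                              # dependent claim: transmit processing continues
    if not pcs <= lookup("ifcs", pkt.interface):       # claim 4: PCS within receiving IFCS
        return "discard"
    if pkt.dst_is_mcn:
        if not pcs <= lookup("acs", pkt.process):      # claim 5: PCS within destination ACS
            return "discard"
        return "receive"                               # claim 7: receive processing continues
    if not pcs <= lookup("ifcs", pkt.out_interface):   # claim 6: PCS within the output IFCS
        return "discard"
    return "forward"  # assumed outcome: claim 6 states only the discard condition


def may_access(process: str, obj: str) -> bool:
    """Claim 11: a process may access an object only if its ACS is a superset of the OCS.
    Objects absent from the CIB are denied (deny-by-default choice of this example)."""
    if obj not in CIB["ocs"]:
        return False
    return lookup("acs", process) >= lookup("ocs", obj)


if __name__ == "__main__":
    for pkt in (
        Packet("mail.red", "web.blue", outgoing=True, process="mailer", interface="eth0"),
        Packet("mail.red", "files.shared", outgoing=True, process="mailer", interface="eth0"),
        Packet("files.shared", "files.shared", outgoing=True, process="mailer", interface="eth0"),
    ):
        print(pkt.src_service, "->", pkt.dst_service, check_packet(pkt))
```

The first packet is dropped because a red-only service and a blue-only service share no community; the second passes because its single community is within both the sender's ACS and the output IFCS; the third is dropped because the sending process is cleared for red only while the packet would carry both communities.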
12. A method of community separation control in a Multi-Community Node (MCN) comprising:
determining a first packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network address community set (NACS) of said first data packet, a destination NACS of said first data packet, and an application community set (ACS) of a process which sent said first data packet;
discarding said first data packet in response to detecting said PCS is null; and
processing said first data packet in response to detecting said PCS is not null.
discarding said first data packet in response to detecting said PCS is not a subset of an interface community set (IFCS) of the interface over which said first data packet is to be output; and
encoding said PCS in a header of said first data packet and allowing transmit processing to proceed, in response to detecting said PCS is a subset of said IFCS.
14. The method of claim 12, further comprising consulting a Community Information Base (CIB).
15. The method of claim 14, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NACS of said MCN, the NACS of each node with which said MCN communicates, and the ACS of each process on said MCN.
16. The method of claim 14, further comprising performing object access control.
17. The method of claim 16, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.
18. A method of community separation control in a Multi-Community Node (MCN) comprising:
determining a packet community set (PCS) of a first data packet, wherein said PCS is encoded in a header of said first data packet, and wherein determining said PCS comprises decoding said PCS from said header;
discarding said first data packet in response to detecting said PCS is not a subset of the intersection of a source network address community set (NACS) and a destination NACS of said first data packet; and
processing said first data packet in response to detecting said PCS is a subset of said intersection of said source NACS and said destination NACS.
discarding said first data packet in response to detecting said PCS is not a subset of the application community set (ACS) of the destination process of said first data packet; and
allowing receive processing of said first data packet in response to detecting said PCS is a subset of said ACS.
21. The method of claim 19, wherein a destination of said first data packet is a remote node, further comprising:
discarding said first data packet in response to detecting said PCS is not a subset of the IFCS of the interface over which said first data packet is to be output; and
allowing transmit processing of said first data packet in response to detecting said PCS is a subset of said IFCS.
22. The method of claim 18, further comprising consulting a Community Information Base (CIB).
23. The method of claim 22, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NACS of said MCN, the NACS of each node with which said MCN communicates, and the ACS of each process on said MCN.
24. The method of claim 22, further comprising performing object access control.
25. The method of claim 24, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.
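Claims 12 and 13 describe the sending side (the PCS is narrowed by the sender's ACS and then written into the packet header) and claims 18 through 21 the receiving side (the PCS is read back from the header and must not exceed what the two network addresses share). The following added example, written for this page and not taken from the patent, plays both sides against one constructed CIB so the exchange can be traced end to end. The addresses, interface and process names, and the header layout (the PCS carried as a comma-separated list in a "pcs" field) are assumptions; the claims do not fix a header format. The receiver also rejects an empty decoded PCS, which claim 18 alone does not require but the apparatus claim 44 does.

```python
"""Header-carried PCS of claims 12-13 (sender) and 18-21 (receiver).

Example code added for this page, not the patent's own implementation. The
NACS, IFCS and ACS tables, the addresses and process names, and the header
layout (PCS as a comma-separated list in a "pcs" field) are constructed
assumptions; the patent does not fix a header format.
"""
from typing import Dict, FrozenSet, Optional

CommunitySet = FrozenSet[str]
EMPTY: CommunitySet = frozenset()

# Constructed Community Information Base (claim 15), shared by every node here.
NACS: Dict[str, CommunitySet] = {
    "10.0.0.1": frozenset({"red", "blue"}),   # sending MCN
    "10.0.0.2": frozenset({"blue"}),          # blue-only node
    "10.0.0.3": frozenset({"red", "blue"}),   # another MCN
}
IFCS: Dict[str, CommunitySet] = {
    "eth0": frozenset({"red", "blue"}),
    "eth1": frozenset({"blue"}),
}
ACS: Dict[str, CommunitySet] = {
    "sync": frozenset({"red", "blue"}),
    "browser": frozenset({"blue"}),
    "report": frozenset({"red"}),
}


def encode_pcs(pcs: CommunitySet) -> str:
    """Serialise a community set for the header (sorted so encoding is deterministic)."""
    return ",".join(sorted(pcs))


def decode_pcs(field: str) -> CommunitySet:
    """Parse the header field back into a community set; an empty field gives the empty set."""
    return frozenset(c for c in field.split(",") if c)


def transmit(src: str, dst: str, process: str, out_iface: str) -> Optional[Dict[str, str]]:
    """Sender side, claims 12-13: PCS = NACS(src) & NACS(dst) & ACS(process).
    Returns the header to send, or None when the packet is discarded."""
    pcs = NACS.get(src, EMPTY) & NACS.get(dst, EMPTY) & ACS.get(process, EMPTY)
    if not pcs:                                    # claim 12: null PCS
        return None
    if not pcs <= IFCS.get(out_iface, EMPTY):      # claim 13: PCS within the output IFCS
        return None
    return {"src": src, "dst": dst, "pcs": encode_pcs(pcs)}   # claim 13: PCS encoded in header


def receive(header: Dict[str, str], local_addr: str,
            dest_process: Optional[str] = None, out_iface: Optional[str] = None) -> str:
    """Receiver side, claims 18-21. Returns 'discard', 'receive' or 'transmit'."""
    pcs = decode_pcs(header.get("pcs", ""))        # claim 18: PCS decoded from the header
    shared = NACS.get(header.get("src", ""), EMPTY) & NACS.get(header.get("dst", ""), EMPTY)
    # The empty set is a subset of everything, so an empty PCS is rejected explicitly
    # (claim 44 treats a null PCS as a discard; claim 18 alone would let it through).
    if not pcs or not pcs <= shared:               # claim 18: header may not claim more than the endpoints share
        return "discard"
    if header.get("dst") == local_addr:            # local delivery: PCS within destination ACS
        if dest_process is None or not pcs <= ACS.get(dest_process, EMPTY):
            return "discard"
        return "receive"
    if out_iface is None or not pcs <= IFCS.get(out_iface, EMPTY):   # claim 21: forwarding
        return "discard"
    return "transmit"


if __name__ == "__main__":
    hdr = transmit("10.0.0.1", "10.0.0.3", "sync", "eth0")
    print("sent header:", hdr)
    print("delivered to sync:", receive(hdr, "10.0.0.3", dest_process="sync"))
    print("delivered to browser:", receive(hdr, "10.0.0.3", dest_process="browser"))
```

A header that names a community the two addresses do not both belong to is dropped at the receiver regardless of what the sender wrote, which is the point of re-checking the decoded PCS against the NACS intersection rather than trusting the header alone.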
26. A Multi-Community Node (MCN) comprising:
a processing unit, wherein said processing unit is configured to:
determine a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a sending process of said first data packet; and
a community information base (CIB) coupled to said processing unit.
discard said first data packet in response to detecting said first data packet is an outgoing data packet, said PCS is a subset of said ACS, and said PCS is not a subset of an interface community set (IFCS) of the interface over which said first data packet is to be output; and
allow further transmit processing on said first data packet in response to detecting said first data packet is an outgoing data packet, said PCS is a subset of said ACS, and said PCS is a subset of said IFCS.
29. The MCN of claim 26, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing unit is further configured to discard said first data packet in response to detecting said PCS is not a subset of an IFCS over which said first data packet was received.
30. The MCN of claim 29, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing unit is further configured to discard said first data packet in response to detecting said PCS is a subset of said IFCS, a destination of said first data packet is said MCN, and said PCS is not a subset of an ACS of the destination process of said first data packet.
31. The MCN of claim 30, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing unit is further configured to discard said first data packet in response to detecting said PCS is a subset of said IFCS, a destination of said first data packet is a remote node, and said PCS is not a subset of an IFCS of the interface over which said first data packet will be output.
32. The MCN of claim 31, wherein said first data packet is an incoming data packet received on an interface of said MCN, and wherein said processing unit is further configured to allow further receive processing of said first data packet in response to detecting a destination of said first data packet is said MCN, said PCS is a subset of said IFCS over which said first data packet was received, and said PCS is a subset of said ACS.
33. The MCN of claim 26, wherein said processing unit is further configured to consult said CIB.
34. The MCN of claim 33, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NSCS of said MCN, the NSCS of each node with which said MCN communicates, and the ACS of each process on said MCN.
35. The MCN of claim 33, further comprising performing object access control.
36. The MCN of claim 35, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.
37. The MCN of claim 35, wherein said MCN is coupled to a computer network.
38. A Multi-Community Node (MCN) comprising:
a processing unit, wherein said processing unit is configured to determine a first packet community set (PCS) of a first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said PCS is determined by calculating an intersection of a source network address community set (NACS) of said first data packet, a destination NACS of said first data packet, and an application community set (ACS) of the sending process of said first data packet; and
a community information base coupled to said processing unit.
discard said first data packet in response to detecting said PCS is not a subset of an interface community set (IFCS) of the interface over which said first data packet is to be output; and
encode said PCS in a header of said first data packet and allow transmit processing to proceed, in response to detecting said PCS is a subset of said IFCS.
40. The MCN of claim 38, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NSCS of said MCN, the NSCS of each node with which said MCN communicates, and the ACS of each process on said MCN.
41. The MCN of claim 39, further comprising performing object access control.
42. The MCN of claim 41, wherein said MCN is coupled to a computer network.
43. The MCN of claim 41, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.
44. A Multi-Community Node (MCN) comprising:
a processing unit, wherein said processing unit is configured to determine a first packet community set (PCS) of a first data packet, discard said first data packet in response to detecting said PCS is null, and process said first data packet in response to detecting said PCS is not null, wherein said PCS is encoded in a header of said first data packet, and wherein said PCS is determined by decoding said PCS from said header; and
a community information base coupled to said processing unit.
discard said first data packet in response to detecting said PCS is not a subset of the intersection of a source network address community set (NACS) and a destination NACS of said first data packet; and
process said first data packet in response to detecting said PCS is a subset of said intersection of said source NACS and said destination NACS.
46. The MCN of claim 45, further comprising discarding said first data packet in response to detecting the interface community set (IFCS) of the interface over which said first packet was received is not a subset of said PCS.
47. The MCN of claim 46, wherein a destination of said first data packet is said MCN, further comprising:
discarding said first data packet in response to detecting said PCS is not a subset of the application community set (ACS) of the destination process of said first data packet; and
allowing receive processing of said first data packet in response to detecting said PCS is a subset of said ACS.
48. The MCN of claim 46, wherein a destination of said first data packet is a remote node, further comprising:
discarding said first data packet in response to detecting said PCS is not a subset of the IFCS of the interface over which said first data packet is to be output; and
allowing transmit processing of said first data packet in response to detecting said PCS is a subset of said IFCS.
49. The MCN of claim 44, wherein said CIB includes community set information corresponding to each IFCS of said MCN, each NACS of said MCN, the NACS of each node with which said MCN communicates, and the ACS of each process on said MCN.
50. The MCN of claim 48, further comprising performing object access control.
51. The MCN of claim 50, wherein said MCN is coupled to a computer network.
52. The MCN of claim 51, wherein said object access control comprises allowing a process to access an object in response to detecting an ACS of said process is a superset of an object community set (OCS) of said object, and denying said access to said process in response to detecting said ACS is not a superset of said OCS.
53. A carrier medium comprising program instructions, wherein said program instructions are executable to:
determine a packet community set (PCS) of a first data packet, wherein said PCS is determined by calculating an intersection of a source network service community set (NSCS) of said first data packet and a destination NSCS of said first data packet;
discard said first data packet in response to detecting said PCS is null; and
process said first data packet in response to detecting said PCS is not null, wherein said processing comprises discarding said first data packet in response to detecting said first data packet is an outgoing data packet and said PCS is not a subset of an application community set (ACS) of a process which sent said first data packet.
Specification