Strong and searching a hierarchy of items of particular use with IP security policies and security associations

US 6,988,106 B2
Filed: 07/09/2003
Issued: 01/17/2006
Est. Priority Date: 07/09/2003
Status: Active Grant

First Claim

Patent Images

1. A method for maintaining a data structure, the method comprising:

identifying an ordered list of Internet Protocol security policies;

programming ordered associative memory entries associated with the ordered list of Internet Protocol security policies;

programming corresponding context memory entries associated with the ordered list of Internet Protocol security policies;

performing an associative memory lookup operation on said ordered associative memory entries based on a received packet to identify a particular associative memory entry location;

performing a lookup operation on the context memory based on the particular associative memory entry location to identify a particular Internet Protocol security policy of the ordered list of Internet Protocol security policies; and

adding a particular security association entry based on the received packet to said ordered associative memory entries, the particular security association entry corresponding to the particular Internet Protocol security policy, and the particular security association entry being added to said ordered associative memory entries prior to the particular associative memory entry location and after other security policy entries of said ordered list of Internet Protocol security policies located prior to the particular associative memory entry location.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms for storing and searching a hierarchy of items are disclosed which may be particularly useful for implementing security policies and security associations, such as, but not limited to Internet Protocol security (IPsec). A hierarchy of items is stored in a search priority order. Multiple element definitions and groups of elements are identified. Representations of the element definitions and elements are stored in a prioritized searchable data structure in decreasing search priority such that representations of each particular element definition is stored after representations of a set of particular elements associated with the particular element definition and before representations of lower priority element definitions and their associated elements. The element definitions may include Internet Protocol security policies and the elements may include Internet Protocol security associations. The searchable data structure may include an associative memory or a plurality of associative memory entries.

113 Citations

View as Search Results

16 Claims

1. A method for maintaining a data structure, the method comprising:
- identifying an ordered list of Internet Protocol security policies;
  
  programming ordered associative memory entries associated with the ordered list of Internet Protocol security policies;
  
  programming corresponding context memory entries associated with the ordered list of Internet Protocol security policies;
  
  performing an associative memory lookup operation on said ordered associative memory entries based on a received packet to identify a particular associative memory entry location;
  
  performing a lookup operation on the context memory based on the particular associative memory entry location to identify a particular Internet Protocol security policy of the ordered list of Internet Protocol security policies; and
  
  adding a particular security association entry based on the received packet to said ordered associative memory entries, the particular security association entry corresponding to the particular Internet Protocol security policy, and the particular security association entry being added to said ordered associative memory entries prior to the particular associative memory entry location and after other security policy entries of said ordered list of Internet Protocol security policies located prior to the particular associative memory entry location.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein said adding the particular security association entry includes expanding a partition allocated for entries in an associative memory corresponding to the particular Internet Protocol security policy and its associated security association entries.
  - 3. The method of claim 2, wherein said expanding a partition includes redistributing free space to multiple partitions in the associative memory.

4. An apparatus for maintaining a data structure based an ordered list of Internet Protocol security policies, the apparatus comprising:
- means for programming ordered associative memory entries associated with the ordered list of Internet Protocol security policies;
  
  means for programming corresponding context memory entries associated with the ordered list of Internet Protocol security policies;
  
  means for performing an associative memory lookup operation on said ordered associative memory entries based on a received packet to identify a particular associative memory entry location;
  
  means for performing a lookup operation on the context memory based on the particular associative memory entry location to identify a particular Internet Protocol security policy of the ordered list of Internet Protocol security policies; and
  
  means for adding a particular security association entry based on the received packet to said ordered associative memory entries, the particular security association entry corresponding to the particular Internet Protocol security policy, and the particular security association entry being added to said ordered associative memory entries prior to the particular associative memory entry location and after other security policy entries of said ordered list of Internet Protocol security policies located prior to the particular associative memory entry location.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The apparatus of claim 4, wherein said means for adding the particular security association entry includes means for expanding a partition allocated for entries in an associative memory corresponding to the particular Internet Protocol security policy and its associated security association entries.
  - 6. The apparatus of claim 5, wherein said means for expanding a partition includes redistributing free space to multiple partitions in the associative memory.
  - 7. The apparatus of claim 4, wherein said means for expanding the partition includes means for getting space from neighboring partitions.
  - 8. The apparatus of claim 4, wherein said means for expanding the partition includes means for feeing another starving partition.
  - 9. The apparatus of claim 4, wherein said means for adding the particular security association entry includes means for splitting the security association entry into a plurality of associative memory entries of said ordered associative memory entries.

10. A computer-readable medium containing computer-executable instructions for performing steps for maintaining a data structure based an ordered list of Internet Protocol security policies, said steps comprising:
- programming ordered associative memory entries associated with the ordered list of Internet Protocol security policies;
  
  programming corresponding context memory entries associated with the ordered list of Internet Protocol security policies;
  
  performing an associative memory lookup operation on said ordered associative memory entries based on a received packet to identify a particular associative memory entry location;
  
  performing a lookup operation on the context memory based on the particular associative memory entry location to identify a particular Internet Protocol security policy of the ordered list of Internet Protocol security policies; and
  
  adding a particular security association entry based on the received packet to said ordered associative memory entries, the particular security association entry corresponding to the particular Internet Protocol security policy, and the particular security association entry being added to said ordered associative memory entries prior to the particular associative memory entry location and after other security policy entries of said ordered list of Internet Protocol security policies located prior to the particular associative memory entry location.
- View Dependent Claims (11, 12)
- - 11. The computer-readable medium of claim 10, wherein said adding the particular security association entry includes expanding a partition allocated for entries in an associative memory corresponding to the particular Internet Protocol security policy and its associated security association entries.
  - 12. The computer-readable medium of claim 11, wherein said expanding a partition includes redistributing free space to multiple partitions in the associative memory.

13. An apparatus for maintaining entries of an associative memory based an ordered list of Internet Protocol security policies, the apparatus comprising:
- the associative memory including ordered associative memory entries associated with the ordered list of Internet Protocol security policies;
  
  a programming mechanism coupled to the associative memory;
  
  a mechanism for generating lookup words to the associative memory based on which the associative memory performs a lookup operation to identify a particular associative memory entry location;
  
  a context memory for performing lookup operations based on the particular associative memory entry location to identify a particular Internet Protocol security policy of the ordered list of Internet Protocol security policies;
  
  wherein the programming mechanism is configured to add a particular security association entry based on the received packet to said ordered associative memory entries, the particular security association entry corresponding to the particular Internet Protocol security policy, and the particular security association entry being added to said ordered associative memory entries prior to the particular associative memory entry location and after other security policy entries of said ordered list of Internet Protocol security policies located prior to the particular associative memory entry location.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus of claim 13, wherein the programming mechanism expands a partition allocated for entries in an associative memory corresponding to the particular Internet Protocol security policy and its associated security association entries.
  - 15. The apparatus of claim 13, wherein the programming mechanism redistributes free space to multiple partitions in the associative memory.
  - 16. The apparatus of claim 13, wherein the programming mechanism is further configured to split a range corresponding to the particular security association entry into a plurality of associative memory entries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Nagaraj, Ashwath, Kwok, Henry Kin-Chuen, Enderwick, Thomas Jeffrey
Primary Examiner(s)
ROBINSON, GRETA LEE

Application Number

US10/616,737
Publication Number

US 20050010612A1
Time in Patent Office

923 Days
Field of Search

707/3, 707/5, 707/9, 707/200, 707/201, 707/100
US Class Current

1/1
CPC Class Codes

H04L 45/7453   using hashing

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Strong and searching a hierarchy of items of particular use with IP security policies and security associations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

113 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Strong and searching a hierarchy of items of particular use with IP security policies and security associations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links