Packet filter policy verification system
Abstract
A method for determining the validity of an n-dimensional policy table in a router. The router may include a processor, a memory (e.g. ROM, flash memory, non-volatile memory, hard disk, etc.), and two or more policy rules stored in the memory. Each policy rule may have one or more dimensions (or parameters), designated generally by the symbol n. In accord with the method, the processor may make a determination whether any particular policy rule in the table intersects any subsequent policy rule in the table in every dimension n. If no rules in the table intersect in every dimension n, then the policy table is valid, and the router may operate normally.
13 Claims
1. A method for validating an n-dimensional policy table in a router, the router having at least two interfaces, the policy table having at least two policy rules, and each policy rule in the policy table having at least one dimension, the method comprising:
- making a first determination whether every dimension of any first policy rule intersects any subsequent policy rule in every dimension of the subsequent policy rule; and
- if the first determination is that none of the policy rules intersect each other in every dimension, then producing an output signal indicating that the policy table is valid; and
- if the first determination is that any first policy rule of the policy table intersects any subsequent policy rule in every dimension, thereby defining a first and a second intersecting policy rule, making a second determination whether one of said first and second intersecting policy rules is a subset of the other of the said first and second intersecting policy rules.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method for validating an n-dimensional policy table in a router, the router having at least two interfaces, the policy table having at least two policy rules, and each policy rule in the policy table having at least one dimension, the method comprising:
- making a first determination whether any policy rules intersect by determining whether the maximum value of at least one dimension of every first policy rule is less than the minimum value of a corresponding dimension of each subsequent policy rule;
- if the first determination is that the maximum value of any dimension of every first policy rule is less than the minimum value of a corresponding dimension of each subsequent policy rule, producing an output signal indicating that no policy rules intersect and the policy table is valid;
- making a second determination whether any policy rules intersect by determining whether the minimum value of at least one dimension of every first policy rule is greater than the maximum value of a corresponding dimension of each subsequent policy rule;
- if the second determination is that the minimum value of any dimension of every first policy rule is greater than the maximum value of a corresponding dimension of each subsequent policy rule, producing an output signal indicating that the policy table is valid;
- if the first or second determination is that at least two policy rules intersect in every dimension, then making a third determination whether every first policy rule that intersects a subsequent policy rule is a subset of every intersected subsequent policy rule by determining whether the maximum value of every dimension of every first policy rule is less than the maximum value of every corresponding dimension of each subsequent policy rule that the first policy rule intersects, and whether the minimum value of every dimension of every first policy rule that intersects a subsequent policy rule is greater than the minimum value of every corresponding dimension of each subsequent policy rule that the first policy rule intersects;
- producing an output signal indicating that the policy table is valid if the third determination is that every first policy rule is a subset of every subsequent policy rule that it intersects in every dimension;
- producing an output signal indicating that the policy table is invalid if the third determination is that any first policy rule is not a subset of every subsequent policy rule that it intersects in every dimension;
whereby any output signal may be used by the router to generate an appropriate action.
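The three determinations of claims 1 and 9 carried out on a constructed three-dimensional policy table (source prefix, destination port range, IP protocol range). This is an added illustration, not code from the patent; it treats each dimension as a closed integer interval and, following claim 1, accepts an overlapping pair when either rule is nested in the other, using non-strict bounds so equal limits count as contained.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Each policy rule is an n-dimensional box: dimension name -> closed [min, max] interval.
Rule = Dict[str, Tuple[int, int]]


def make_rule(src_cidr: str, dst_ports: Tuple[int, int], protos: Tuple[int, int]) -> Rule:
    """Build a 3-dimensional rule: source prefix, destination port range, protocol range."""
    net = ipaddress.ip_network(src_cidr)
    return {"src": (int(net.network_address), int(net.broadcast_address)),
            "dport": dst_ports, "proto": protos}


def intersects(a: Rule, b: Rule) -> bool:
    """First and second determinations: the rules are disjoint as soon as one dimension
    has max(a) < min(b) or min(a) > max(b); otherwise they intersect in every dimension."""
    for dim, (a_lo, a_hi) in a.items():
        b_lo, b_hi = b[dim]
        if a_hi < b_lo or a_lo > b_hi:
            return False
    return True


def is_subset(inner: Rule, outer: Rule) -> bool:
    """Third determination: inner is nested in outer when every dimension of inner lies
    within the corresponding dimension of outer (closed intervals, non-strict bounds)."""
    return all(outer[d][0] <= lo and hi <= outer[d][1] for d, (lo, hi) in inner.items())


def validate_policy_table(rules: List[Rule]) -> Tuple[bool, Optional[Tuple[int, int]]]:
    """Compare every rule with every subsequent rule. An overlapping pair is accepted only
    when one rule is nested in the other; a partial overlap makes the table invalid and
    the offending pair of rule indices is returned alongside the verdict."""
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            a, b = rules[i], rules[j]
            if intersects(a, b) and not (is_subset(a, b) or is_subset(b, a)):
                return False, (i, j)
    return True, None


# Constructed sample table: rule 0 is nested in rule 1; rule 2 is disjoint from both.
VALID_TABLE = [
    make_rule("10.0.0.0/24", (22, 22), (6, 6)),
    make_rule("10.0.0.0/16", (0, 65535), (6, 6)),
    make_rule("192.168.1.0/24", (80, 443), (6, 6)),
]
# Constructed conflicting rule: wider source prefix than rule 1 but a narrower port range,
# so the two overlap in every dimension without either containing the other.
CONFLICT_RULE = make_rule("10.0.0.0/8", (22, 22), (0, 255))
```

Appending `CONFLICT_RULE` to `VALID_TABLE` turns the verdict from `(True, None)` into `(False, (1, 3))`, which is the invalid-table signal a router would act on.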
10. A router comprising, in combination:
- at least two interfaces;
- a processor;
- a memory;
- a policy table stored in the memory;
- at least two policy rules stored in the policy table, each policy rule having at least one dimension;
- a verification routine executable by the processor (i) to make a first determination whether every dimension of any first policy rule intersects any subsequent policy rule in the policy table in every dimension, and (ii) to make a second determination whether any first policy rule that intersects a subsequent policy rule in every dimension is a subset of the subsequent policy rule in every dimension;
- a signaling component that generates a signal in response to the first determination and the second determination.
Dependent claim: 11.
12. A computer system for validating an n-dimensional policy table in a router comprising, in combination:
- at least two interfaces;
- a processor;
- a memory;
- a policy table stored in the memory;
- at least two policy rules stored in the policy table, each policy rule having at least one dimension;
- a verification routine executable by the processor (i) to make a first determination whether every dimension of any first policy rule intersects any subsequent policy rule in the policy table in every dimension, and (ii) to make a second determination whether any first policy rule that intersects a subsequent policy rule in every dimension is a subset of the subsequent policy rule in every dimension;
- a signaling component that generates a signal in response to the first determination and the second determination.
Dependent claim: 13.