Method and apparatus providing controlled access of requests from virtual private network devices to managed information objects using simple network management protocol
Abstract
Access control approaches are disclosed wherein managed objects in Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) are accessed on a per-Virtual Private Network (VPN) basis with no modifications to existing MIBs. A manager and an SNMP agent operating in a VPN environment agree on a mapping between SNMP securityNames and VPN IDs. Under the agreed mapping, the target VPN of any SNMP management request can be unambiguously determined from the securityName alone. For each securityName, one or more MIB Views are configured in a View-based Access Control Model MIB (VACM MIB) table; the MIB Views specify which portions of the managed object tree can be viewed or modified by the corresponding VPN. Thereafter, a VPN-enabled device sends SNMP requests in which a VPN ID value is passed in the securityName field of the context string in the community string. The receiving device extracts the securityName, locates the corresponding MIB Views using the VACM MIB table, and allows the requesting device to access only the objects identified in those MIB Views.
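The per-VPN access decision the abstract describes, as an added Python model that is not part of the patent: a manager-side table from VPN ID to securityName (the first mapping), an agent-side VACM-style table from securityName to MIB views (the second mapping), and the agent's check that answers only for objects inside the requester's view. The securityNames, VPN IDs and OID subtrees are constructed; the view table is modelled on vacmViewTreeFamilyTable, where the most specific matching family decides and an excluded family carves a branch out of an included one.

```python
# Added illustration of the abstract's mechanism; not code from the patent.
# All VPN IDs, securityNames and OIDs below are constructed sample values.
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

def parse_oid(text: str) -> OID:
    """Turn dotted notation such as '1.3.6.1.2.1' into a tuple of ints."""
    return tuple(int(p) for p in text.strip(".").split("."))

def in_subtree(oid: OID, subtree: OID) -> bool:
    """True when oid equals subtree or lies beneath it."""
    return oid[:len(subtree)] == subtree

# First mapping, held by the manager: VPN ID -> securityName.
# Agreed out of band; the agent must hold views for the same securityNames.
MANAGER_VPN_TO_SECNAME: Dict[str, str] = {
    "vpn-customer-a": "secA",
    "vpn-customer-b": "secB",
}

# Second mapping, held by the agent: securityName -> view families.
# Each family is (subtree, included?), as in vacmViewTreeFamilyTable.
AGENT_VACM: Dict[str, List[Tuple[OID, bool]]] = {
    "secA": [(parse_oid("1.3.6.1.4.1.99999.1"), True)],
    "secB": [(parse_oid("1.3.6.1.4.1.99999.2"), True),
             (parse_oid("1.3.6.1.4.1.99999.2.9"), False)],  # excluded branch
}

def view_allows(views: List[Tuple[OID, bool]], oid: OID) -> bool:
    """Longest matching family decides; an OID matching no family is denied."""
    best: Optional[Tuple[OID, bool]] = None
    for subtree, included in views:
        if in_subtree(oid, subtree) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def agent_handle(security_name: str, oid_text: str) -> str:
    """Agent side: extract securityName, look up its views, decide the GET."""
    views = AGENT_VACM.get(security_name)
    if views is None:
        return "noAccess"  # unknown securityName has no MIB View at all
    return "allowed" if view_allows(views, parse_oid(oid_text)) else "noAccess"

def manager_request(vpn_id: str, oid_text: str) -> str:
    """Manager side: translate the VPN ID to its securityName, then send."""
    return agent_handle(MANAGER_VPN_TO_SECNAME[vpn_id], oid_text)
```

A manager in VPN A reaching for VPN B's subtree receives noAccess without any change to the MIB itself, which is the isolation the abstract claims.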
30 Claims
1. A method of controlling access of network management requests directed to one or more network devices that participate in a virtual private network, the method comprising the computer-implemented steps of:
- a network manager and a managed network device agreeing on a first mapping between securityNames and virtual private network identifiers;
- storing, at the network manager, a translation table containing the first mapping of securityName values to corresponding virtual private network identifiers;
- storing, at a managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;
- receiving at the managed network device a request from the network manager, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network; wherein the request contains a particular securityName value that is mapped to the particular virtual private network identifier in the first mapping;
- at the managed network device, extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;
- at the managed network device, identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and
- in response to the request, providing to the network manager access to only the subset of managed objects from the plurality of managed objects.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of controlling access of network management requests directed to one or more network devices that participate in a virtual private network, the method comprising the computer-implemented steps of:
- receiving, from a network device participating in a virtual private network, a request to carry out a management protocol operation, wherein the request contains an identifier of the virtual private network in a security name value, wherein the identifier contained in the request is based on a mapping of securityName values to corresponding virtual private network identifiers that was agreed upon by two or more network devices participating in the virtual private network;
- extracting the security name value, which identifies the virtual private network, and determining a protocol operation that is embodied in the request;
- using a view-based access control model, matching the security name value, which identifies the virtual private network, to a management information base view that corresponds to the requested operation;
- processing the requested operation only if access is allowed to managed objects, in the management information base, that are associated with one or more network devices participating in the virtual private network, based on the management information base view matching the security name value that identifies the virtual private network.
Dependent claims: 9, 10, 11, 12.
13. A computer-readable medium carrying one or more sequences of instructions for controlling access of network management requests directed to one or more network devices that participate in a virtual private network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- a network manager and a managed network device agreeing on a first mapping between securityNames and virtual private network identifiers;
- storing, at the network manager, a translation table containing the first mapping of securityName values to corresponding virtual private network identifiers;
- storing, at a managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;
- receiving at the managed network device a request from the network manager, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network; wherein the request contains a particular securityName value that is mapped to the particular virtual private network identifier in the first mapping;
- at the managed network device, extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;
- at the managed network device, identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and
- in response to the request, providing to the network manager access to only the subset of managed objects from the plurality of managed objects.
Dependent claims: 14, 15, 16.
17. An apparatus for controlling access of network management requests directed to one or more network devices that participate in a virtual private network, comprising:
- means for a second managed network device agreeing with a first network device on a first mapping between securityNames and virtual private network identifiers;
- means for storing, at the second managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;
- means for receiving at the second managed network device a request from the first network device, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network; wherein the request contains a particular securityName value mapped, in the first mapping, to the particular virtual private network identifier, and wherein the first mapping is stored at the first network device;
- at the second managed network device, means for extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;
- at the second managed network device, means for identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and
- means for providing to the first network device access to only the subset of managed objects from the plurality of managed objects.
Dependent claims: 18, 19, 20, 21, 22, 23.
24. An apparatus controlling access of network management requests directed to one or more network devices that participate in a virtual private network, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
- a processor;
- one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
  - a second managed network device agreeing with a first network device on a first mapping between securityNames and virtual private network identifiers;
  - storing, at the second managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;
  - receiving at the second managed network device a request from the first network device, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network; wherein the request contains a particular securityName value mapped, in the first mapping, to the particular virtual private network identifier, and wherein the first mapping is stored at the first network device;
  - at the second managed network device, extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;
  - at the second managed network device, identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and
  - providing to the first network device access to only the subset of managed objects from the plurality of managed objects.
Dependent claims: 25, 26, 27, 28, 29, 30.
Specification