Method and apparatus providing controlled access of requests from virtual private network devices to managed information objects using simple network management protocol

US 7,099,947 B1
Filed: 06/08/2001
Issued: 08/29/2006
Est. Priority Date: 06/08/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of controlling access of network management requests directed to one or more network devices that participate in a virtual private network, the method comprising the computer-implemented steps of:

a network manager and a managed network device agreeing on a first mapping between securityNames and virtual private network identifiers;

storing, at the network manager, a translation table containing the first mapping of securityName values to corresponding virtual private network identifiers;

storing, at a managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;

receiving at the managed network device a request from the network manager, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network;

wherein the request contains a particular securityName value that is mapped to the particular virtual private network identifier in the first mapping;

at the managed network device, extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;

at the managed network device, identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and

in response to the request, providing to the network manager access to only the subset of managed objects from the plurality of managed objects.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control approaches are disclosed wherein managed object in Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) are accessed on a per-Virtual Private Network (VPN)-basis with no modifications to existing MIBs. A manager and an SNMP Agent operating in a VPN environment agree on a mapping between SNMP securityNames and VPN IDs. Under the agreed mapping, the target VPN of any SNMP management request can be unambiguously determined from the securityName alone. For each securityName, one or more MIB Views are configured using in a View-based Access Control Model MIB (VACM MIB) table; the MIB Views specify which portions of the managed object tree can be viewed or modified by a corresponding VPN. Thereafter, a VPN-enabled device provides SNMP requests in which a VPN ID value is passed in the securityName field of the context string in the community string. The receiving device extracts the securityName, locates corresponding MIB Views using the VACM MIB table, and allows the requesting device to access only objects that are identified in the MIB Views.

117 Citations

View as Search Results

30 Claims

1. A method of controlling access of network management requests directed to one or more network devices that participate in a virtual private network, the method comprising the computer-implemented steps of:
- a network manager and a managed network device agreeing on a first mapping between securityNames and virtual private network identifiers;
  
  storing, at the network manager, a translation table containing the first mapping of securityName values to corresponding virtual private network identifiers;
  
  storing, at a managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;
  
  receiving at the managed network device a request from the network manager, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network;
  
  wherein the request contains a particular securityName value that is mapped to the particular virtual private network identifier in the first mapping;
  
  at the managed network device, extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;
  
  at the managed network device, identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and
  
  in response to the request, providing to the network manager access to only the subset of managed objects from the plurality of managed objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as recited in claim 1, further comprising the steps of providing, at the managed network device, the second mapping in the form of one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views.
  - 3. A method as recited in claim 1, further comprising the steps of providing, at the managed network device, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks.
  - 4. A method as recited in claim 1, further comprising the steps of providing, at the managed network device, the second mapping, and wherein the steps of identifying a subset of objects and providing access comprise the steps of:
    - determining whether the securityName value from the request is in the second mapping;
      
      when the securityName value from the request is in the second mapping;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more views referenced in the second mapping, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 5. A method as recited in claim 1, further comprising the steps of providing, at the managed network device, the second mapping in the form of one or more entries in a view-based access control model table that associate security name values to corresponding MIB (Management Information Base) Views, and wherein the steps of identifying a subset of objects and providing access comprise the steps of:
    - determining whether the securityName value from the request is in the view-based access control model table;
      
      when the securityName value from the request is in the view-based access control model table;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more MIB Views referenced in the view-based access control model table, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 6. A method as recited in claim 1, further comprising the steps of providing, at the managed network device, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks, and wherein the steps of identifying a subset of objects and providing the request with access comprise the steps of:
    - determining whether the securityName value from the request is in theview-based access control model table;
      
      when the identifier from the request is in the view-based access control model table;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more MIB Views referenced in the view-based access control model table, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 7. A method as recited in claim 1, further comprising the steps of:
    - providing, at the network manager that is communicatively coupled to the network devices, a mapping of a plurality of virtual private network identifiers to SNMPv3 securityNames;
      
      providing, at the network manager, an executable process that associates a virtual private network identifier with each SNMP request that is issued by the network management station to the network devices.

8. A method of controlling access of network management requests directed to one or more network devices that participate in a virtual private network, the method comprising the computer-implemented steps of:
- receiving, from a network device participating in a virtual private network, a request to carry out a management protocol operation, wherein the request contains an identifier of the virtual private network in a security name value, wherein the identifier contained in the request is based on a mapping of securityName values to corresponding virtual private network identifiers that was agreed upon by two or more network devices participating in the virtual private network;
  
  extracting the security name value, which identifies the virtual private network, and determining a protocol operation that is embodied in the request;
  
  using a view-based access control model, matching the security name value, which identifies the virtual private network, to a management information base view that corresponds to the requested operation;
  
  processing the requested operation only if access is allowed to managed objects, in the management information base, that are associated with one or more network devices participating in the virtual private network, based on the management information base view matching the security name value that identifies the virtual private network.
- View Dependent Claims (9, 10, 11, 12)
- - 9. A method as recited in claim 8, further comprising the steps of:
    - determining whether the request can be satisfied;
      
      extracting the security name value from a context string in the request.
  - 10. A method as recited in claim 9, wherein the matching step further comprises the steps of:
    - determining whether the security name is in a view-based access control model table;
      
      rejecting and returning the request when the security name is not found in the view-based access control model table.
  - 11. A method as recited in claim 9, further comprising the steps of:
    - determining whether the security name is in a view-based access control model table;
      
      when the security name is found in the view-based access control model table;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more views referenced in the view-based access control model table, determining whether the protocol operation is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 12. The method as recited in claim 9, further comprising the steps of:
    - determining whether the security name is in a view-based access control model table;
      
      when the security name is found in the view-based access control model table;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more views referenced in the view-based access control model table, determining whether the protocol operation is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable;
      
      determining whether a virtual private network identifier is referenced in the request, processing the request using managed information objects in a default view when no virtual private network identifier is referenced in the request, and processing the request using management information objects in a view corresponding to the virtual private network identifier only when a virtual private network identifier is referenced in the request.

13. A computer-readable medium carrying one or more sequences of instructions for controlling access of network management requests directed to one or more network devices that participate in a virtual private network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- a network manager and a managed network device agreeing on a first mapping between securityNames and virtual private network identifiers;
  
  storing, at the network manager, a translation table containing the first mapping of securityName values to corresponding virtual private network identifiers;
  
  storing, at a managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;
  
  receiving at the managed network device a request from the network manager, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network;
  
  wherein the request contains a particular securityName value that is mapped to the particular virtual private network identifier in the first mapping;
  
  at the managed network device, extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;
  
  at the managed network device, identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and
  
  in response to the request, providing to the network manager access to only the subset of managed objects from the plurality of managed objects.
- View Dependent Claims (14, 15, 16)
- - 14. A computer-readable medium as recited in claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of providing, at the managed network device, the second mapping in the form of one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views.
  - 15. A computer-readable medium as recited in claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of providing, at the managed network device, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks.
  - 16. A computer-readable medium as recited in claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of providing, at the managed network device, the second mapping, and wherein the steps of identifying a subset of objects and providing access comprise the steps of:
    - determining whether the securityName value from the request is in the second mapping;
      
      when the securityName value from the request is in the second mapping;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more views referenced in the second mapping, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.

17. An apparatus for controlling access of network management requests directed to one or more network devices that participate in a virtual private network, comprising:
- means for a second managed network device agreeing with a first network device on a first mapping between securityNames and virtual private network identifiers;
  
  means for storing, at the second managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;
  
  means for receiving at the second managed network device a request from the first network device, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network;
  
  wherein the request contains a particular securityName value mapped, in the first mapping, to the particular virtual private network identifier, and wherein the first mapping is stored at the first network device;
  
  at the second managed network device, means for extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;
  
  at the second managed network device, means for identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and
  
  means for providing to the first network device access to only the subset of managed objects from the plurality of managed objects.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The apparatus of claim 17, further comprising means for providing, at the managed network device, the second mapping in the form of one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views.
  - 19. The apparatus of claim 17, further comprising means for providing, at the managed network device, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks.
  - 20. The apparatus of claim 17, further comprising means for providing, at the managed network device, the second mapping, and wherein the means for identifying a subset of objects and providing access comprise:
    - means for determining whether the securityName value from the request is in the second mapping;
      
      means for identifying a management information base variable referenced in the request when the securityName value from the request is in the second mapping;
      
      based on one or more views referenced in the second mapping, means for determining whether a protocol operation of the request is allowed for the variable when the securityName value from the request is in the second mapping;
      
      means for dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable when the securityName value from the request is in the second mapping.
  - 21. The apparatus of claim 17, further comprising means for providing, at the managed network device, the second mapping in the form of one or more entries in a view-based access control model table that associate security name values to corresponding MIB (Management Information Base) Views, and wherein the means for identifying a subset of objects and providing access comprise:
    - means for determining whether the securityName value from the request is in the view-based access control model table;
      
      means for identifying a management information base variable referenced in the request when the securityName value from the request is in the view-based access control model table;
      
      based on one or more MIB Views referenced in the view-based access control model table, means for determining whether a protocol operation of the request is allowed for the variable when the securityName value from the request is in the view-based access control model table;
      
      means for dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable when the securityName value from the request is in the view-based access control model table.
  - 22. The apparatus of claim 17, further comprising means for providing, at the managed network device, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks, and wherein the means for identifying a subset of objects and providing the request with access comprise:
    - means for determining whether the securityName value from the request is in the view-based access control model table;
      
      means for identifying a management information base variable referenced in the request when the identifier from the request is in the view-based access control model table;
      
      based on one or more MIB Views referenced in the view-based access control model table, means for determining whether a protocol operation of the request is allowed for the variable when the identifier from the request is in the view-based access control model table;
      
      means for dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable when the identifier from the request is in the view-based access control model table.
  - 23. The apparatus of claim 17, further comprising:
    - means for providing, at the network manager that is communicatively coupled to the network devices, a mapping of a plurality of virtual private network identifiers to SNMPv3 securityNames;
      
      means for providing, at the network manager, an executable process that associates a virtual private network identifier with each SNMP request that is issued by the network management station to the network devices.

24. An apparatus controlling access of network management requests directed to one or more network devices that participate in a virtual private network, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  a second managed network device agreeing with a first network device on a first mapping between securityNames and virtual private network identifiers;
  
  storing, at the second managed network device, a view-based access control model table containing a second mapping of securityName values to corresponding MIB (Management Information Base) Views;
  
  receiving at the second managed network device a request from the first network device, which is participating in a particular virtual private network, to carry out a management protocol operation that involves one or more managed objects associated with one or more network devices participating in the particular virtual private network;
  
  wherein the request contains a particular securityName value mapped, in the first mapping, to the particular virtual private network identifier, and wherein the first mapping is stored at the first network device;
  
  at the second managed network device, extracting the particular securityName value from the request and identifying, based on the particular securityName value that is mapped in the second mapping, one or more corresponding particular MIB (Management Information Base) Views;
  
  at the second managed network device, identifying, based on the one or more corresponding particular MIB (Management Information Base) Views and from a plurality of managed objects, a subset of managed objects that requests associated with the particular virtual private network are permitted to access; and
  
  providing to the first network device access to only the subset of managed objects from the plurality of managed objects.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The apparatus of claim 24, wherein the one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the step of providing, at the managed network device, the second mapping in the form of one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views.
  - 26. The apparatus of claim 24, wherein the one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the step of providing, at the managed network device, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks.
  - 27. The apparatus of claim 24, wherein the one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the step of providing, at the managed network device, the second mapping, and wherein the steps identifying a subset of objects and providing access comprise:
    - determining whether the securityName value from the request is in the second mapping;
      
      when the securityName value from the request is in the second mapping;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more views referenced in the second mapping, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 28. The apparatus of claim 24, wherein the one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the step of providing, at the managed network device, the second mapping in the form of one or more entries in a view-based access control model table that associate security name values to corresponding MIB (Management Information Base) Views, and wherein the steps of identifying a subset of objects and providing access comprise:
    - determining whether the securityName value from the request is in the view-based access control model table;
      
      when the securityName value from the request is in the second mapping;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more MIB Views referenced in the view-based access control model table, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 29. The apparatus of claim 24, wherein the one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the step of providing, at the managed network device, one or more entries in a view-based access control model table that associate SNMPv3 securityName values to corresponding MIB (Management Information Base) Views, wherein each of the securityName values is associated with a virtual private network, and wherein the corresponding MIB Views represent access control policies applicable to the associated virtual private networks, and wherein the steps of identifying a subset of objects and providing the request with access comprise:
    - determining whether the securityName value from the request is in the view-based access control model table;
      
      when the identifier from the request is in the view-based access control model table;
      
      identifying a management information base variable referenced in the request;
      
      based on one or more MIB Views referenced in the view-based access control model table, determining whether a protocol operation of the request is allowed for the variable;
      
      dispatching information identifying the variable and the protocol operation to a code implementation of the protocol operation only when the protocol operation is allowed for the variable.
  - 30. The apparatus of claim 24, wherein the one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - providing, at the network manager that is communicatively coupled to the network devices, a mapping of a plurality of virtual private network identifiers to SNMPv3 securityNames;
      
      providing, at the network manager, an executable process that associates a virtual private network identifier with each SNMP request that is issued by the network management station to the network devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Nadeau, Thomas D., Francisco, Dale
Primary Examiner(s)
Maung, Zarni
Assistant Examiner(s)
Tiv, Backhean

Application Number

US09/877,548
Time in Patent Office

1,908 Days
Field of Search

709/244, 709/229, 709/250, 713/132, 713/171, 715/771, 715/835
US Class Current

709/229
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0213   Standardised network manage...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/28   Restricting access to netwo...

H04L 41/40   using virtualisation of net...

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

Method and apparatus providing controlled access of requests from virtual private network devices to managed information objects using simple network management protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

117 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus providing controlled access of requests from virtual private network devices to managed information objects using simple network management protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links