Architecture for an integrated policy enforcement system

US 7,257,833 B1
Filed: 01/17/2002
Issued: 08/14/2007
Est. Priority Date: 01/17/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for enforcing a plurality of different policies on a stream of packets, the method comprising:

receiving a packet in a packet-switched network;

appending an extension to the packet;

determining session information regarding the packet;

updating the extension with the session information;

forwarding the packet to a packet policy rule engine module;

determining, at the packet policy rule engine module, whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type;

providing, at the packet policy rule engine module, an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition; and

updating the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Enforcing a plurality of different policies on a stream of packets is disclosed. In lieu of running separate algorithms for each policy, the system exploits the commonalities of all of the policies. The conditions corresponding to the compiled rules are arranged in a condition tree and processed in a pipelined architecture that allows the results of the various stages to be carried forward into subsequent stages of processing. The rules for which all conditions have been satisfied can be identified by one stage of processing in one pass of condition tree traversal and are passed to subsequent stages. A rule table corresponding to an individual policy type can then be readily examined to determine partial or complete satisfaction of the rule of that policy type, without requiring a re-examination of the conditions underlying the rule. Additionally, corresponding actions can be taken where rule satisfaction is determined. This approach allows extremely high-speed policy enforcement performance.

60 Citations

View as Search Results

22 Claims

1. A method for enforcing a plurality of different policies on a stream of packets, the method comprising:
- receiving a packet in a packet-switched network;
  
  appending an extension to the packet;
  
  determining session information regarding the packet;
  
  updating the extension with the session information;
  
  forwarding the packet to a packet policy rule engine module;
  
  determining, at the packet policy rule engine module, whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type;
  
  providing, at the packet policy rule engine module, an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition; and
  
  updating the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - forwarding the packet to an application decode engine module;
      
      determining, at the application engine decode module, whether the packet corresponds to an application rule;
      
      if the packet corresponds to an application rule, at the application engine decode module, updating the extension with application information from the application rule; and
      
      wherein said forwarding the packet to a packet policy rule engine module includes forwarding the packet from the application engine decode module to a packet policy rule engine module.
  - 3. The method of claim 1, wherein the first policy type is a firewall policy and the second policy type is a quality of service policy.
  - 4. The method of claim 1, wherein the first and second policy types are selected from the following policy types:
    - firewall, quality of service, intrusion detection.
  - 5. The method of claim 1, further comprising:
    - determining whether the packet corresponds to a first particular condition for the first policy rule as compared to the second policy rule; and
      
      determining applicability of the first policy rule to the packet where it is determined that the common condition and the first particular condition correspond to the packet.
  - 6. The method of claim 5, wherein determining applicability of the first policy rule to the packet comprises:
    - traversing a rule tree corresponding to the first policy rule, the rule tree having a first path corresponding to the first rule, the first path including the common condition and the first particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet.
  - 7. The method of claim 1, wherein said appending an extension to the packet occurs at an extension builder module.
  - 8. The method of claim 7, wherein said determining session information regarding the packet and said updating the extension with the session information occur at a session manager module.

9. An apparatus for enforcing a plurality of different policies on a stream of packets, the apparatus comprising:
- means for receiving a packet in a packet-switched network;
  
  means for appending an extension to the packet;
  
  means for determining session information regarding the packet;
  
  means for updating the extension with the session information;
  
  means for forwarding the packet to a packet policy rule engine module;
  
  means for determining, at the packet policy rule engine module, whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type;
  
  means for providing, at the packet policy rule engine module, an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition; and
  
  means for updating the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, further comprising:
    - means for forwarding the packet to an application decode engine module;
      
      means for determining, at the application engine decode module, whether the packet corresponds to an application rule;
      
      means for, if the packet corresponds to an application rule, at the application engine decode module, updating the extension with application information from the application rule; and
      
      wherein said means for forwarding the packet to a packet policy rule engine module includes means for forwarding the packet from the application engine decode module to a packet policy rule engine module.
  - 11. The apparatus of claim 9, wherein the first policy type is a firewall policy and the second policy type is a quality of service policy.
  - 12. The apparatus of claim 9, wherein the first and second policy types are selected from the following policy types:
    - firewall, quality of service, intrusion detection.
  - 13. The apparatus of claim 9, further comprising:
    - means for determining whether the packet corresponds to a first particular condition for the first policy rule as compared to the second policy rule, determining applicability of the first policy rule to the packet where it is determined that the common condition and the first particular condition correspond to the packet.
  - 14. The apparatus of claim 13, wherein determining applicability of the first policy rule to the packet comprises traversing a rule tree corresponding to the first policy rule, the rule tree having a first path corresponding to the first rule, the first path including the common condition and the first particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet.
  - 15. The apparatus of claim 9, wherein said means for appending an extension to the packet builder includes an extension builder module.
  - 16. The apparatus of claim 15 wherein said means for determining session information regarding the packet and said means for updating the extension with the session information include a session manager module.

17. An apparatus for enforcing a plurality of different policies on a stream of packets, the apparatus comprising:
- an extension builder module configured to receive a packet in a packet-switched network, appending an extension to the packet, and forward the packet to a session manager module;
  
  said session manager module configured to receive the packet, determine session information regarding the packet, update the extension with the session information, and forward the packet to an application decode engine module;
  
  said application decode engine module configured to determine if the packet corresponds to an application rule, update the extension with application information from the application if the packet corresponds to an application rule, and forward the packet to a packet policy rule engine module; and
  
  said packet policy rule engine module configured to determine whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type, provide an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition, and update the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The apparatus of claim 17, wherein the first policy type is a firewall policy and the second policy type is a quality of service policy.
  - 19. The apparatus of claim 17, wherein the first and second policy types are selected from the following policy types:
    - firewall, quality of service, intrusion detection.
  - 20. The apparatus of claim 17, wherein said packet policy rule engine module is further configured to:
    - determine whether the packet corresponds to a first particular condition for the first policy rule as compared to the second policy rule; and
      
      determine applicability of the first policy rule to the packet where it is determined that the common condition and the first particular condition correspond to the packet.
  - 21. The apparatus of claim 20, wherein the packet policy rule engine module is further configured to traverse a rule tree corresponding to the first policy rule, the rule tree having a first path corresponding to the first rule, the first path including the common condition and the first particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet.

22. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for enforcing a plurality of different policies on a stream of packets, the method comprising:
- receiving a packet in a packet-switched network;
  
  appending an extension to the packet;
  
  determining session information regarding the packet;
  
  updating the extension with the session information;
  
  forwarding the packet to a packet policy rule engine module;
  
  determining, at the packet policy rule engine module, whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type;
  
  providing, at the packet policy rule engine module, an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition; and
  
  updating the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tech Mahindra Limited
Original Assignee
iPolicy Networks, Inc (Tech Mahindra Limited)
Inventors
Shah, Pranav, Gupta, Sandeep, Vaidya, Vimal, Parekh, Pankaj S.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Lipman, Jacob

Application Number

US10/052,745
Time in Patent Office

2,035 Days
Field of Search

713/200, 713/201, 726/1
US Class Current

726/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/102 Entity profiles

Architecture for an integrated policy enforcement system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Architecture for an integrated policy enforcement system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links