Architecture for an integrated policy enforcement system
First Claim
1. A method for enforcing a plurality of different policies on a stream of packets, the method comprising:
- receiving a packet in a packet-switched network;
- appending an extension to the packet;
- determining session information regarding the packet;
- updating the extension with the session information;
- forwarding the packet to a packet policy rule engine module;
- determining, at the packet policy rule engine module, whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type;
- providing, at the packet policy rule engine module, an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition; and
- updating the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.
5 Assignments
0 Petitions
Abstract
Enforcing a plurality of different policies on a stream of packets is disclosed. In lieu of running separate algorithms for each policy, the system exploits the commonalities of all of the policies. The conditions corresponding to the compiled rules are arranged in a condition tree and processed in a pipelined architecture that allows the results of the various stages to be carried forward into subsequent stages of processing. The rules for which all conditions have been satisfied can be identified by one stage of processing in one pass of condition tree traversal and are passed to subsequent stages. A rule table corresponding to an individual policy type can then be readily examined to determine partial or complete satisfaction of the rule of that policy type, without requiring a re-examination of the conditions underlying the rule. Additionally, corresponding actions can be taken where rule satisfaction is determined. This approach allows extremely high-speed policy enforcement performance.
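The abstract describes a pipeline in which each module communicates only through the per-packet extension, every shared condition is evaluated once, and each policy type's rule table is then checked against the recorded associations rather than by re-testing conditions. The following Python model, added here as an illustration and not code from the patent or its assignee, walks one packet through that flow. The module names mirror the claims; the conditions, rule tables, application signatures and sample packets are constructed for the example. It also tracks how many times each condition is evaluated, so the "one pass" property can be checked directly.

```python
"""Illustrative model of the pipelined policy-enforcement architecture:
extension builder -> session manager -> application decode engine ->
packet policy rule engine -> per-policy rule tables.  Everything below
(condition names, rule tables, app signatures, sample packets) is
constructed for this example and is not taken from the patent."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    extension: dict = field(default_factory=dict)  # appended by the extension builder


# Stage 1: extension builder appends the metadata carrier every later stage writes into.
def extension_builder(pkt):
    pkt.extension = {"session": None, "app": None, "conditions": set()}
    return pkt


# Stage 2: session manager (constructed: sessions keyed by a 3-tuple, new ids allocated on demand).
_session_table = {}


def session_manager(pkt):
    key = (pkt.src, pkt.dst, pkt.dport)
    pkt.extension["session"] = _session_table.setdefault(key, len(_session_table) + 1)
    return pkt


# Stage 3: application decode engine (constructed, deliberately minimal signatures).
def app_decode_engine(pkt):
    if pkt.payload.startswith((b"GET ", b"POST ")):
        pkt.extension["app"] = "http"
    elif pkt.payload.startswith(b"SSH-"):
        pkt.extension["app"] = "ssh"
    return pkt


# Stage 4: packet policy rule engine.  Conditions are shared by several policy
# types and are evaluated exactly once per packet; results go into the extension.
CONDITIONS = {
    "src_internal": lambda p: p.src.startswith("10."),
    "dport_80": lambda p: p.dport == 80,
    "app_http": lambda p: p.extension["app"] == "http",
    "app_ssh": lambda p: p.extension["app"] == "ssh",
}
eval_count = {name: 0 for name in CONDITIONS}  # instrumentation for the one-pass check

# Rule tables, one per policy type: rule name -> set of conditions it requires.
RULE_TABLES = {
    "firewall": {"allow_internal_web": {"src_internal", "dport_80"},
                 "block_ssh": {"app_ssh"}},
    "qos": {"prioritize_http": {"app_http"}},
    "audit": {"log_internal_http": {"src_internal", "app_http"}},
}


def policy_rule_engine(pkt):
    for name, cond in CONDITIONS.items():
        eval_count[name] += 1
        if cond(pkt):
            pkt.extension["conditions"].add(name)  # association packet <-> condition
    return pkt


# Stage 5: each rule table is examined using only the associations already in
# the extension; no condition is re-evaluated here.
def evaluate_rule_tables(pkt):
    satisfied = pkt.extension["conditions"]
    result = {}
    for ptype, table in RULE_TABLES.items():
        complete = sorted(r for r, need in table.items() if need <= satisfied)
        partial = sorted(r for r, need in table.items()
                         if need & satisfied and not need <= satisfied)
        result[ptype] = {"complete": complete, "partial": partial}
    return result


def process(pkt):
    for stage in (extension_builder, session_manager, app_decode_engine, policy_rule_engine):
        pkt = stage(pkt)
    return evaluate_rule_tables(pkt)


# Constructed sample traffic (RFC 5737 / private addresses).
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", 80, b"GET / HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.5", 22, b"SSH-2.0-OpenSSH\r\n"),
    Packet("10.0.0.8", "203.0.113.9", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict = process(p)
        print(p.extension["session"], sorted(p.extension["conditions"]), verdict)
    print("condition evaluations:", eval_count)
```

Running the script shows the first packet fully satisfying rules in all three policy types from one pass over four conditions, the second satisfying only the firewall's SSH rule, and the third yielding only partial matches (the source is internal, but neither the port nor the decoded application condition holds). The evaluation counters stay equal to the number of packets processed, which is the property the abstract relies on for its speed claim.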
60 Citations
22 Claims
1. A method for enforcing a plurality of different policies on a stream of packets, the method comprising:
receiving a packet in a packet-switched network; appending an extension to the packet; determining session information regarding the packet; updating the extension with the session information; forwarding the packet to a packet policy rule engine module; determining, at the packet policy rule engine module, whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type; providing, at the packet policy rule engine module, an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition; and updating the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)

9. An apparatus for enforcing a plurality of different policies on a stream of packets, the apparatus comprising:
means for receiving a packet in a packet-switched network; means for appending an extension to the packet; means for determining session information regarding the packet; means for updating the extension with the session information; means for forwarding the packet to a packet policy rule engine module; means for determining, at the packet policy rule engine module, whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type; means for providing, at the packet policy rule engine module, an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition; and means for updating the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16)

17. An apparatus for enforcing a plurality of different policies on a stream of packets, the apparatus comprising:
an extension builder module configured to receive a packet in a packet-switched network, appending an extension to the packet, and forward the packet to a session manager module; said session manager module configured to receive the packet, determine session information regarding the packet, update the extension with the session information, and forward the packet to an application decode engine module; said application decode engine module configured to determine if the packet corresponds to an application rule, update the extension with application information from the application if the packet corresponds to an application rule, and forward the packet to a packet policy rule engine module; and said packet policy rule engine module configured to determine whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type, provide an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition, and update the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.
(Dependent claims: 18, 19, 20, 21)

22. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for enforcing a plurality of different policies on a stream of packets, the method comprising:
receiving a packet in a packet-switched network; appending an extension to the packet; determining session information regarding the packet; updating the extension with the session information; forwarding the packet to a packet policy rule engine module; determining, at the packet policy rule engine module, whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type; providing, at the packet policy rule engine module, an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition; and updating the extension with the association, wherein communication between modules of said packet-switched network using said extension occurs without use of shared memory.
Specification