System and method for controlling routing in a virtual router system

US 7,340,535 B1
Filed: 06/04/2002
Issued: 03/04/2008
Est. Priority Date: 06/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a packet by a flow manager associated with a network interface connection of an Internet Protocol Service Generator (IPSG), the IPSG includinga plurality of virtual routing engines (VREs) coupled to the network interface connection via a service generator fabric, each VRE of the plurality of VREs providing one or more network layer and transport layer functions corresponding to the Open Systems Interconnection (OSI) model, including one or more of routing services, network address translation (NAT) and Multi-Protocol Label Switching (MPLS), anda plurality of virtual service engines (VSEs) coupled to the network interface connection and the plurality of VREs via the service generator fabric, each VSE of the plurality of VSEs tailored to provide one or more specific application layer, presentation layer, session layer and transport layer functions corresponding to the OSI model, including one or more of encryption, packet filtering and anti-virus scanning;

the flow manager selecting a VRE of the plurality of VREs to which to direct the packet based on a steering table, which contains a mapping of Virtual Local Area Networks (VLANs) to the plurality of VREs;

the flow manager directing the packet to the selected VRE by tagging the packet with an internal control header and transferring the packet across the service generator fabric;

responsive to receiving the packet at the selected VRE, the selected VRE determining whether the packet is to be processed in hardware or in software by performing packet classification and a flow cache lookup;

if the flow cache lookup indicates the packet is a first packet of a new flow and is therefore to be processed in software, then the VRE (i) causing a plurality of functions at a plurality of OSI model layers to be applied to the packet by internally routing the packet to one or more of the plurality of VSEs and one or more of the plurality of VREs and (ii) performing flow learning by tracking the plurality of functions applied and storing information regarding the plurality of functions in a transform control block (TCB) record corresponding to the new flow;

if the flow cache lookup indicates the packet is associated with a previously learned flow and is therefore to be processed in hardware, then the VRE causing a plurality of functions identified in a previously created TCB record to be applied to the packet by internally routing the packet to one or more of the plurality of VSEs and one or more of the plurality of VREs; and

a VRE of the one or more VREs routing the packet through the network interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more functions are applied to network data packets in a virtual router. A packet comprising part of a packet flow is received, and the packet is evaluated to determine which of the one or more functions are to be applied to the flow. The results of the evaluation are stored in a record, and the functions indicated in the stored record are applied to subsequent packets in the packet flow.

318 Citations

16 Claims

1. A method comprising:
- receiving a packet by a flow manager associated with a network interface connection of an Internet Protocol Service Generator (IPSG), the IPSG includinga plurality of virtual routing engines (VREs) coupled to the network interface connection via a service generator fabric, each VRE of the plurality of VREs providing one or more network layer and transport layer functions corresponding to the Open Systems Interconnection (OSI) model, including one or more of routing services, network address translation (NAT) and Multi-Protocol Label Switching (MPLS), anda plurality of virtual service engines (VSEs) coupled to the network interface connection and the plurality of VREs via the service generator fabric, each VSE of the plurality of VSEs tailored to provide one or more specific application layer, presentation layer, session layer and transport layer functions corresponding to the OSI model, including one or more of encryption, packet filtering and anti-virus scanning;
  
  the flow manager selecting a VRE of the plurality of VREs to which to direct the packet based on a steering table, which contains a mapping of Virtual Local Area Networks (VLANs) to the plurality of VREs;
  
  the flow manager directing the packet to the selected VRE by tagging the packet with an internal control header and transferring the packet across the service generator fabric;
  
  responsive to receiving the packet at the selected VRE, the selected VRE determining whether the packet is to be processed in hardware or in software by performing packet classification and a flow cache lookup;
  
  if the flow cache lookup indicates the packet is a first packet of a new flow and is therefore to be processed in software, then the VRE (i) causing a plurality of functions at a plurality of OSI model layers to be applied to the packet by internally routing the packet to one or more of the plurality of VSEs and one or more of the plurality of VREs and (ii) performing flow learning by tracking the plurality of functions applied and storing information regarding the plurality of functions in a transform control block (TCB) record corresponding to the new flow;
  
  if the flow cache lookup indicates the packet is associated with a previously learned flow and is therefore to be processed in hardware, then the VRE causing a plurality of functions identified in a previously created TCB record to be applied to the packet by internally routing the packet to one or more of the plurality of VSEs and one or more of the plurality of VREs; and
  
  a VRE of the one or more VREs routing the packet through the network interface.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the plurality of VSEs include at least one advanced security engine configured to provide security functionality for one or more security protocols.
  - 3. The method of claim 1, wherein the flow cache lookup is based upon various fields of the packet including one or more of Internet Protocol (IP) source, IP destination, Universal Datagram Protocol (UDP)/Transmission Control Protocol (TCP) source port number, UDP/TCP destination port number, IP protocol field, type of service (TOS) field, Internet Protocol Security (IPSec) header and Security Parameters Index (SPI) field information.
  - 4. The method of claim 1, further comprising maintaining a set of metering control blocks for use in connection with enforcing provisioned traffic parameters on traffic flows.

5. A machine-readable medium with instructions stored thereon, the instructions when executed by an Internet Protocol Service Generator (IPSG) operable to cause application of functions to network data packets received by the IPSG by:
- receiving a packet by a flow manager associated with a network interface connection of the IPSG, the IPSG includinga plurality of virtual routing engines (VREs) coupled to the network interface connection via a service generator fabric, each VRE of the plurality of VREs providing one or more network layer and transport layer functions corresponding to the Open Systems Interconnection (OSI) model, including one or more of routing services, network address translation (NAT) and Multi-Protocol Label Switching (MPLS), anda plurality of virtual service engines (VSEs) coupled to the network interface connection and the plurality of VREs via the service generator fabric, each VSE of the plurality of VSEs tailored to provide one or more specific application layer, presentation layer, session layer and transport layer functions corresponding to the OSI model, including one or more of encryption, packet filtering and anti-virus scanning;
  
  the flow manager selecting a VRE of the plurality of VREs to which to direct the packet based on a steering table, which contains a mapping of Virtual Local Area Networks (VLANs) to the plurality of VREs;
  
  the flow manager directing the packet to the selected VRE by tagging the packet with an internal control header and transferring the packet across the service generator fabric;
  
  responsive to receiving the packet at the selected VRE, the selected VRE determining whether the packet is to be processed in hardware or in software by performing packet classification and a flow cache lookup;
  
  if the flow cache lookup indicates the packet is a first packet of a new flow and is therefore to be processed in software, then the VRE (i) causing a plurality of functions at a plurality of OSI model layers to be applied to the packet by internally routing the packet to one or more of the plurality of VSEs and one or more of the plurality of VREs and (ii) performing flow learning by tracking the plurality of functions applied and storing information regarding the plurality of functions in a transform control block (TCB) record corresponding to the new flow;
  
  if the flow cache lookup indicates the packet is associated with a previously learned flow and is therefore to be processed in hardware, then the VRE causing a plurality of functions identified in a previously created TCB record to be applied to the packet by internally routing the packet to one or more of the plurality of VSEs and one or more of the plurality of VREs; and
  
  a VRE of the one or more VREs routing the packet through the network interface.
- View Dependent Claims (6, 7, 8)
- - 6. The machine-readable medium of claim 5, wherein the plurality of VSEs include at least one advanced security engine configured to provide security functionality for one or more security protocols.
  - 7. The machine-readable medium of claim 5, wherein the flow cache lookup is based upon various fields of the packet including one or more of Internet Protocol (IP) source, IP destination, Universal Datagram Protocol (UDP)/Transmission Control Protocol (TCP) source port number, UDP/TCP destination port number, IP protocol field, type of service (TOS) field, Internet Protocol Security (IPSec) header and Security Parameters Index (SPI) field information.
  - 8. The machine-readable medium of claim 5, wherein the instructions further cause a set of metering control blocks to be maintained for use in connection with enforcing provisioned traffic parameters on traffic flows.

9. An Internet Protocol Service Generator (IPSG) system comprising:
- a flow manager means, associated with a network interface connection of the IPSG, for receiving packets;
  
  a plurality of virtual routing engine (VRE) means coupled to the network interface connection via a service generator fabric, each VRE means of the plurality of VRE means for providing one or more network layer and transport layer functions corresponding to the Open Systems Interconnection (OSI) model, including one or more of routing services, network address translation (NAT) and Multi-Protocol Label Switching (MPLS),a plurality of virtual service engine (VSE) means coupled to the network interface connection and the plurality of VRE means via the service generator fabric, each VSE means of the plurality of VSE means for providing one or more specific tailored application layer, presentation layer, session layer and transport layer functions corresponding to the OSI model, including one or more of encryption, packet filtering and anti-virus scanning;
  
  wherein the flow manager means is further forselecting a VRE means of the plurality of VRE means to which to direct the received packets based on a steering table, which contains a mapping of Virtual Local Area Networks (VLANs) to the plurality of VRE means; and
  
  directing the received packets to the selected VRE means by tagging the packets with internal control headers and transferring the received packets across the service generator fabric; and
  
  wherein the VRE means are further fordetermining whether the received packets are to be processed in hardware or in software by performing packet classification and a flow cache lookup;
  
  causing a plurality of functions at a plurality of OSI model layers to be applied to the received packets by internally routing the received packets to one or more of the plurality of VSE means and one or more of the plurality of VRE mean and (ii) performing flow learning by tracking the plurality of functions applied and storing information regarding the plurality of functions in a transform control block (TCB) record corresponding to a new flow if the flow cache lookup indicates the received packets are a first packet of the new flow and are therefore to be processed in software;
  
  causing a plurality of functions identified in a previously created TCB record to be applied to the received packets by internally routing the received packets to one or more of the plurality of VSE means and one or more of the plurality of VRE means, if the flow cache lookup indicates the received packets are associated with one of a plurality of previously learned flows and are therefore to be processed in hardware; and
  
  routing the received packets through the network interface.
- View Dependent Claims (10, 11, 12)
- - 10. The IPSG system of claim 9, wherein the plurality of VSEs include at least one advanced security engine configured to provide security functionality for one or more security protocols.
  - 11. The IPSG system of claim 9, wherein the flow cache lookup is based upon various fields of the packet including one or more of Internet Protocol (IP) source, IP destination, Universal Datagram Protocol (UDP)/Transmission Control Protocol (TCP) source port number, UDP/TCP destination port number, IP protocol field, type of service (TOS) field, Internet Protocol Security (IPSec) header and Security Parameters Index (SPI) field information.
  - 12. The IPSG system of claim 9, wherein the flow manager means is further for maintaining a set of metering control blocks for use in connection with enforcing provisioned traffic parameters on traffic flows.

13. A method comprising:
- a step for receiving a packet by a flow manager associated with a network interface connection of an Internet Protocol Service Generator (IPSG), the IPSG includinga plurality of virtual routing engines (VREs) coupled to the network interface connection via a service generator fabric, each VRE of the plurality of VREs providing one or more network layer and transport layer functions corresponding to the Open Systems Interconnection (OSI) model, including one or more of routing services, network address translation (NAT) and Multi-Protocol Label Switching (MPLS), anda plurality of virtual service engines (VSEs) coupled to the network interface connection and the plurality of VREs via the service generator fabric, each VSE of the plurality of VSEs tailored to provide one or more specific application layer, presentation layer, session layer and transport layer functions corresponding to the OSI model, including one or more of encryption, packet filtering and anti-virus scanning;
  
  a step for selecting, by the flow manager, a VRE of the plurality of VREs to which to direct the packet based on a steering table, which contains a mapping of Virtual Local Area Networks (VLANs) to the plurality of VREs;
  
  a step for directing, by the flow manager, the packet to the selected VRE by tagging the packet with an internal control header and transferring the packet across the service generator fabric;
  
  a step, responsive to receiving the packet at the selected VRE, for determining, by the selected VRE, whether the packet is to be processed in hardware or in software by performing packet classification and a flow cache lookup;
  
  if the flow cache lookup indicates the packet is a first packet of a new flow and is therefore to be processed in software, then the VRE (i) causing a plurality of functions at a plurality of OSI model layers to be applied to the packet by internally routing the packet to one or more of the plurality of VSEs and one or more of the plurality of VREs and (ii) performing flow learning by tracking the plurality of functions applied and storing information regarding the plurality of functions in a transform control block (TCB) record corresponding to the new flow;
  
  if the flow cache lookup indicates the packet is associated with a previously learned flow and is therefore to be processed in hardware, then the VRE causing a plurality of functions identified in a previously created TCB record to be applied to the packet by internally routing the packet to one or more of the plurality of VSEs and one or more of the plurality of VREs; and
  
  a step for routing, by a VRE of the one or more VREs, the packet through the network interface.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the plurality of VSEs include at least one advanced security engine configured to provide security functionality for one or more security protocols.
  - 15. The method of claim 13, wherein the flow cache lookup is based upon various fields of the packet including one or more of Internet Protocol (IP) source, IP destination, Universal Datagram Protocol (UDP)/Transmission Control Protocol (TCP) source port number, UDP/TCP destination port number, IP protocol field, type of service (TOS) field, Internet Protocol Security (IPSec) header and Security Parameters Index (SPI) field information.
  - 16. The method of claim 13, further comprising a step for maintaining a set of metering control blocks for use in connection with enforcing provisioned traffic parameters on traffic flows.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Alam, Naveed
Primary Examiner(s)
Avellino, Joseph E.

Application Number

US10/163,071
Time in Patent Office

2,100 Days
Field of Search

709/236, 709238-246, 709217-222, 370/389, 370/395.2, 726 2- 21
US Class Current

709/246
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/586   of virtual routers

H04L 45/76   Routing in software-defined...

H04L 47/2441   relying on flow classificat...

H04L 63/0485   Networking architectures fo...

System and method for controlling routing in a virtual router system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

318 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method for controlling routing in a virtual router system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

318 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others