Method and apparatus for policy management in a network device

US 7,447,755 B1
Filed: 03/18/2002
Issued: 11/04/2008
Est. Priority Date: 03/18/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

in response to receipt of a request from a client to open a connection between the client and a network device at which the request is received, a transactor of the network device opening a session for the connection and adding one or more transactions to the session, each of said transactions for accumulating information during processing of the connection;

associating, at the network device, a first policy ticket with the session for the duration of the connection, the first policy ticket including a first version of policy rules relating to processing of network connections that can be referred to throughout the processing of the connection, and, upon encountering a first communication flow checkpoint in processing of the connection, determining, by consulting the first policy ticket, whether the connection should be granted or denied;

if the connection is denied, then closing the session and the connection;

otherwise if the connection is granted, then;

issuing one or more second policy tickets, each associated with a respective one of the transactions, the second policy tickets each containing policy rules applicable to respective ones of the transactions;

at the network device, responding to the request by evaluating each of the transactions and die respective second policy tickets at one or more communication protocol-defined checkpoints and, following evaluation at each respective checkpoint, the transactor examining and executing actions written onto the respective one of the second policy tickets so that, depending on said actions, each respective transaction is subsequently processed at zero or more further ones of the checkpoints according to respective evaluations of the respective transaction and respective second policy ticket properties, including decisions rendered at previously evaluated ones of the checkpoints, until such time as the respective evaluations determine either that (i) die respective transaction should be denied continuance, and, if so, the transactor issuing a denial response to the client;

or (ii) the respective transaction processing is complete;

as each subject transaction finishes its respective processing, determining whether policy rules applicable to the subject transaction have been superseded by more current versions thereof and, if so, replacing the applicable policy rules with the more current versions thereof; and

closing the connection and the session once all transactions associated with the connection are complete.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for policy management in a network intermediary device. One embodiment of the invention, includes establishing a session between a client and an intermediary device on a network to enable processing of a communication between the client and the intermediary device. Then, the communication is processed by the intermediary device while maintaining a consistent version of policy throughout the communication. Finally, after the communication is complete, the intermediary terminates the communication. The intermediary device may maintain consistent policy by utilizing a policy ticket upon which transactional information is stored and that references the version of policy that was current when the communication first began. The policy ticket may be transported throughout the intermediary device according to a “checkpoint” scheme, and at each checkpoint, evaluating the policy rules, if necessary, to determine appropriate actions to be taken based on current client and network information as applied to the policy rules.

Citations

11 Claims

1. A method, comprising:
- in response to receipt of a request from a client to open a connection between the client and a network device at which the request is received, a transactor of the network device opening a session for the connection and adding one or more transactions to the session, each of said transactions for accumulating information during processing of the connection;
  
  associating, at the network device, a first policy ticket with the session for the duration of the connection, the first policy ticket including a first version of policy rules relating to processing of network connections that can be referred to throughout the processing of the connection, and, upon encountering a first communication flow checkpoint in processing of the connection, determining, by consulting the first policy ticket, whether the connection should be granted or denied;
  
  if the connection is denied, then closing the session and the connection;
  
  otherwise if the connection is granted, then;
  
  issuing one or more second policy tickets, each associated with a respective one of the transactions, the second policy tickets each containing policy rules applicable to respective ones of the transactions;
  
  at the network device, responding to the request by evaluating each of the transactions and die respective second policy tickets at one or more communication protocol-defined checkpoints and, following evaluation at each respective checkpoint, the transactor examining and executing actions written onto the respective one of the second policy tickets so that, depending on said actions, each respective transaction is subsequently processed at zero or more further ones of the checkpoints according to respective evaluations of the respective transaction and respective second policy ticket properties, including decisions rendered at previously evaluated ones of the checkpoints, until such time as the respective evaluations determine either that (i) die respective transaction should be denied continuance, and, if so, the transactor issuing a denial response to the client;
  
  or (ii) the respective transaction processing is complete;
  
  as each subject transaction finishes its respective processing, determining whether policy rules applicable to the subject transaction have been superseded by more current versions thereof and, if so, replacing the applicable policy rules with the more current versions thereof; and
  
  closing the connection and the session once all transactions associated with the connection are complete.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein as each second policy ticket is evaluated at the checkpoints and according to determinations, at any of the checkpoints, of actions to be taken during a communication, updating the respective second policy ticket properties.
  - 3. The method of claim 2, wherein determinations of actions to be taken during the communication comprise evaluations of policy rules according to information accumulated in the transactions.
  - 4. The method of claim 3, further comprising performing operations to each respective second policy ticket in anticipation of evaluation at the checkpoints.
  - 5. The method of claim 4, wherein performing operations in anticipation of evaluation at the checkpoints includes executing the actions.
  - 6. The method of claim 4, wherein performing operations in anticipation of evaluation at the checkpoints includes storing on each respective second policy ticket the actions to be subsequently executed by the transactor.
  - 7. The method of claim 4, wherein performing operations in anticipation of evaluation at the checkpoints includes maintaining evaluation states for the checkpoints.
  - 8. The method of claim 4, wherein performing operations in anticipation of evaluation at the checkpoints includes marking each respective second policy ticket for future checkpoints.
  - 9. The method of claim 1, wherein evaluating each of the transactions and each respective second policy ticket at one or more checkpoints comprises:
    - delivering the respective second policy ticket and the respective transaction to a policy evaluator when the respective transaction encounters a subject one of the checkpoints;
      
      determining, at the subject one of the checkpoints, if policy exists regarding the communication;
      
      if no policy exists, then;
      
      a. allowing the respective transaction to continue unrestricted;
      
      otherwise, if policy exists, then;
      
      b. determining if the subject checkpoint is a first checkpoint encountered for the respective transaction for a first time, and, if so, initializing the respective second policy ticket with a most current version of policy;
      
      determining if policy rules need to be evaluated at the subject checkpoint;
      
      if policy miles need to be evaluated, then;
      
      a. evaluating the policy rules;
      
      b. constructing properties and actions to be placed on the respective second policy ticket based on the evaluation of the policy rules; and
      
      c. merging the properties and actions with existing properties and actions on the respective second policy ticket.
  - 10. The method of claim 9, wherein merging the properties and actions with existing properties and actions on the respective second policy ticket comprises:
    - adding actions external to the network device onto the respective second policy ticket;
      
      maintaining an evaluation state for the subject checkpoint; and
      
      marking the respective second policy ticket for future evaluation points.
  - 11. The method of claim 1, further comprising:
    - transferring data to the client after encountering a final checkpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Porter, Kevin, Maxted, Mark, Zuercher, Chris, Thurston, Matthew, Moen, Doug
Primary Examiner(s)
Cardone; Jason
Assistant Examiner(s)
Duong; Thomas

Application Number

US10/100,837
Time in Patent Office

2,423 Days
Field of Search

709/228, 709220-222, 709223-225, 709230-237, 709/203
US Class Current

709/223
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/0281 Proxies

Method and apparatus for policy management in a network device

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for policy management in a network device

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links