Policy-based processing of packets
First Claim
1. A method for processing packets performed by a packet switching device, the method comprising:
authenticating a user and configuring the packet switching device to process a plurality of packets from the user using one or more policies, with said operations of authenticating the user and configuring the packet switching device including:
using an authentication server to determine that the user is authorized, and in response, receiving a non-network address user group identifier corresponding to said authenticated user from the authentication server;
associating a source address of the user with said received non-network address user group identifier for use in identifying the non-network address user group identifier, by the packet switching device, for packets received from the user; and
querying a policy server based on said received non-network address user group identifier, and in response, receiving said one or more policies associated with the non-network address user group identifier for use in determining how the packet switching device should process packets from the user; and
subsequent to said operations of authenticating the user and configuring the packet switching device, for each particular packet of the plurality of packets:
receiving said particular packet, with said particular packet including the source address and a second field;
associating the non-network address user group identifier with said received particular packet based on the source address of said particular packet;
identifying a second non-network address group identifier based on the second field of said received particular packet;
performing a lookup operation, based on the non-network address user group identifier and the second non-network address group identifier without the source address nor the second field, on said received one or more policies to identify a packet processing action to be performed on said received particular packet; and
processing, by the packet switching device, said received particular packet based on the packet processing action said identified.
Abstract
Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.
11 Claims
1. A method for processing packets performed by a packet switching device, the method comprising:
authenticating a user and configuring the packet switching device to process a plurality of packets from the user using one or more policies, with said operations of authenticating the user and configuring the packet switching device including:
using an authentication server to determine that the user is authorized, and in response, receiving a non-network address user group identifier corresponding to said authenticated user from the authentication server;
associating a source address of the user with said received non-network address user group identifier for use in identifying the non-network address user group identifier, by the packet switching device, for packets received from the user; and
querying a policy server based on said received non-network address user group identifier, and in response, receiving said one or more policies associated with the non-network address user group identifier for use in determining how the packet switching device should process packets from the user; and
subsequent to said operations of authenticating the user and configuring the packet switching device, for each particular packet of the plurality of packets:
receiving said particular packet, with said particular packet including the source address and a second field;
associating the non-network address user group identifier with said received particular packet based on the source address of said particular packet;
identifying a second non-network address group identifier based on the second field of said received particular packet;
performing a lookup operation, based on the non-network address user group identifier and the second non-network address group identifier without the source address nor the second field, on said received one or more policies to identify a packet processing action to be performed on said received particular packet; and
processing, by the packet switching device, said received particular packet based on the packet processing action said identified.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A packet switching device, comprising:
means for authenticating a user and configuring the packet switching device to process a plurality of packets from the user using one or more policies configured to perform operations including:
using an authentication server to determine that the user is authorized, and in response, receiving a non-network address user group identifier corresponding to said authenticated user from the authentication server;
associating a source address of the user with said received non-network address user group identifier for use in identifying the non-network address user group identifier, by the packet switching device, for packets received from the user; and
querying a policy server based on said received non-network address user group identifier, and in response, receiving said one or more policies associated with the non-network address user group identifier for use in determining how the packet switching device should process packets from the user; and
means for receiving and processing each particular packet of the plurality of packets configured to perform particular operations subsequent to said means for authenticating a user and configuring the packet switching device said authenticating the user and configuring the packet switching device, with said particular operations including:
receiving said particular packet, with said particular packet including the source address and a second field;
associating the non-network address user group identifier with said received particular packet based on the source address of said particular packet;
identifying a second non-network address group identifier based on the second field of said received particular packet;
performing a lookup operation, based on the non-network address user group identifier and the second non-network address group identifier without the source address nor the second field, on said received one or more policies to identify a packet processing action to be performed on said received particular packet; and
processing, by the packet switching device, said received particular packet based on the packet processing action said identified.
Dependent claims: 9, 10, 11
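The two phases described in the abstract and in claims 1 and 8 (authenticate and bind a source address to a user group identifier, then look up the action by the two group identifiers alone) as an added Python example; this is illustrative code written for this page, not the patent's own implementation. It assumes the "second field" is the destination address, that destination groups are server roles keyed by network prefix, that a missing policy means "drop", and the user, group and address values are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT_ACTION = "drop"  # assumption: no matching policy means drop

@dataclass(frozen=True)
class Packet:
    src: str  # source address (dynamically assigned, may change per access point)
    dst: str  # the claim's "second field": here the destination address

class GroupPolicySwitch:
    def __init__(self, auth_server, policy_server, dst_groups):
        self.auth_server = auth_server      # (user, credential) -> user group id
        self.policy_server = policy_server  # user group id -> {dst group id: action}
        self.dst_groups = dst_groups        # [(network, dst group id), ...]
        self.src_to_group = {}              # learned: source address -> user group id
        self.policies = {}                  # cached: user group id -> {dst group: action}

    def authenticate(self, user, credential, src):
        """Claim step 1: authenticate, bind source address to group, fetch policy."""
        group = self.auth_server.get((user, credential))
        if group is None:
            return False                    # not authorized: nothing is bound
        self.src_to_group[src] = group
        self.policies[group] = self.policy_server.get(group, {})
        return True

    def dst_group_of(self, dst):
        # map the second field to a non-address group (server role), else None
        return next((g for net, g in self.dst_groups if ip_address(dst) in net), None)

    def process(self, pkt):
        """Claim step 2: the lookup uses only the two group ids, never the addresses."""
        src_group = self.src_to_group.get(pkt.src)
        dst_group = self.dst_group_of(pkt.dst)
        if src_group is None or dst_group is None:
            return DEFAULT_ACTION
        return self.policies.get(src_group, {}).get(dst_group, DEFAULT_ACTION)

# Constructed sample data (not from the patent): one engineering user, two server groups.
AUTH = {("alice", "pw-ok"): "engineering"}
POLICY = {"engineering": {"build-servers": "forward", "finance-db": "drop"}}
DST_GROUPS = [(ip_network("10.1.0.0/16"), "build-servers"),
              (ip_network("10.9.0.0/16"), "finance-db")]

def demo():
    sw = GroupPolicySwitch(AUTH, POLICY, DST_GROUPS)
    sw.authenticate("alice", "pw-ok", "192.0.2.10")
    a = sw.process(Packet("192.0.2.10", "10.1.4.4"))    # engineering -> build-servers
    b = sw.process(Packet("192.0.2.10", "10.9.0.1"))    # engineering -> finance-db
    sw.authenticate("alice", "pw-ok", "198.51.100.7")   # same user, new address
    c = sw.process(Packet("198.51.100.7", "10.1.4.4"))  # policy unchanged
    d = sw.process(Packet("203.0.113.5", "10.1.4.4"))   # never authenticated
    return a, b, c, d
```

The third result shows the property the abstract emphasises: the user's address changed but the policy outcome did not, because the lookup key is the pair of group identifiers.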
Specification