Methods, apparatuses and systems facilitating concurrent classification and control of tunneled and non-tunneled network traffic

US 7,778,176 B2
Filed: 01/14/2008
Issued: 08/17/2010
Est. Priority Date: 09/30/2002
Status: Active Grant

First Claim

Patent Images

1. An apparatus facilitating concurrent classification and control of tunneled and non-tunneled data flows across an access link between a first computer network and a second computer network, comprisinga tunnel mechanism including transformation tunnel capabilities operative to establish a communication tunnel with a remote network device having compatible transformation tunnel capabilities;

a bandwidth management device operably connected to the tunnel mechanism, the bandwidth management device operably connected to the access link to monitor data flows between the first computer network and the second computer network;

wherein the bandwidth management device is operative to;

receive a first data flow from the first computer network;

identify at least one traffic type corresponding to the first data flow;

enforce a first bandwidth utilization control on the first data flow having a first target rate;

transmit the first data flow to the tunnel mechanism;

receive a second data flow from the tunnel mechanism;

identify at least one traffic type corresponding to the second data flow;

associate the first data flow to the second data flow;

enforce a second bandwidth utilization control on the first data flow having a second target rate;

transmit the second data flow to the second computer network; and

adjust the first target rate based on feedback data derived from a difference between the first data flow and the second data flow.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems facilitating the concurrent classification and control of tunneled and non-tunneled data flows in a packet-based computer network environment. As discussed in more detail below, embodiments of the present invention allow for the “intra-tunnel” classification of data flows and, based on the classification, the deterministic and intelligent application of aggregate bandwidth utilization controls on data flows corresponding to a given tunnel. Embodiments of the present invention allow for the allocation of bandwidth on an application-level basis between tunneled and non-tunneled traffic, as well as between applications within a given tunnel. Other embodiments of the present invention can be configured to provide a differentiated security model for non-tunneled and tunneled traffic. In addition, embodiments of the present invention can be further configured to implement a layered security model for tunneled traffic.

232 Citations

22 Claims

1. An apparatus facilitating concurrent classification and control of tunneled and non-tunneled data flows across an access link between a first computer network and a second computer network, comprisinga tunnel mechanism including transformation tunnel capabilities operative to establish a communication tunnel with a remote network device having compatible transformation tunnel capabilities;
- a bandwidth management device operably connected to the tunnel mechanism, the bandwidth management device operably connected to the access link to monitor data flows between the first computer network and the second computer network;
  
  wherein the bandwidth management device is operative to;
  
  receive a first data flow from the first computer network;
  
  identify at least one traffic type corresponding to the first data flow;
  
  enforce a first bandwidth utilization control on the first data flow having a first target rate;
  
  transmit the first data flow to the tunnel mechanism;
  
  receive a second data flow from the tunnel mechanism;
  
  identify at least one traffic type corresponding to the second data flow;
  
  associate the first data flow to the second data flow;
  
  enforce a second bandwidth utilization control on the first data flow having a second target rate;
  
  transmit the second data flow to the second computer network; and
  
  adjust the first target rate based on feedback data derived from a difference between the first data flow and the second data flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1 wherein the bandwidth management device is further operative to enforce at least one bandwidth utilization control on the second data flow, wherein the at least one bandwidth utilization control corresponds to the at least one traffic type identified in the second data flow or the first data flow.
  - 3. The apparatus of claim 2 wherein enforcement of the at least one bandwidth utilization control is influenced by at least one metric associated with the first data flow.
  - 4. The apparatus of claim 1 wherein the bandwidth management device is further operative to enforce at least one bandwidth utilization control on the first data flow, wherein the at least one bandwidth utilization control corresponds to the at least one traffic type identified in the second data flow or the first data flow.
  - 5. The apparatus of claim 4 wherein enforcement of the at least one bandwidth utilization control is influenced by at least one metric associated with the second data flow.
  - 6. The apparatus of claim 1 wherein the bandwidth management device is further operative to enforce at least one bandwidth utilization control on the first data flow and at least one bandwidth utilization control on the second data flow, wherein the at least one bandwidth utilization controls correspond to the at least one traffic type identified in the second data flow or the first data flow.
  - 7. The apparatus of claim 6 wherein enforcement of the at least one bandwidth utilization controls is influenced by at least one metric associated with the first and/or second data flow.
  - 8. The apparatus of claim 1 wherein the tunnel mechanism is operative to establish a secure communications tunnel with a remote device.
  - 9. The apparatus of claim 8 wherein the tunnel mechanism is a VPN/firewall device operative to establish a secure communications tunnel with a remote device for tunneled traffic and further operative to filter non-tunneled traffic against at least one security control policy.
  - 10. The apparatus of claim 1 wherein the bandwidth management device is operative to associate the first data flow to the second data flow, if the first data flow or the second data flow is a tunneled data flow.

11. An apparatus facilitating concurrent classification and control of tunneled and non-tunneled data flows across an access link between a first computer network and a second computer network, comprisinga tunnel mechanism including transformation tunnel capabilities operative to establish a communication tunnel with a remote network device having compatible transformation tunnel capabilities;
- a bandwidth management device operably connected to the tunnel mechanism, and operably connected to the access link to monitor data flows between a first network and a second network,wherein the bandwidth management device is operative to;
  
  compute at least one metric associated with data flows traversing the bandwidth management device;
  
  detect data flows associated with a communications tunnel from the first computer network;
  
  channel data flows to the tunnel mechanism at a first rate;
  
  associate data flows corresponding to the communications tunnel from the first computer network to data flows emanating from the tunnel mechanism;
  
  transmit the data flows emanating from the tunnel mechanism to the second computer network; and
  
  adjust the first rate based on feedback data derived from a difference between the data flows channeled to the tunnel mechanism and the data flows emanating from the tunnel mechanism.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The apparatus of claim 11 wherein the bandwidth management device is further operative to enforce at least one bandwidth utilization control on at least one of the data flows emanating from the tunnel mechanism and the data flows emanating from the first computer network and channeled to the tunnel mechanism.
  - 13. The apparatus of claim 12 wherein enforcement of the at least one bandwidth utilization control on the data flows emanating from the tunnel mechanism is influenced by at least one metric associated with corresponding data flows transmitted to the tunnel mechanism.
  - 14. The apparatus of claim 13 wherein the bandwidth management device is further operative to enforce at least one bandwidth utilization control on at least one of the data flows emanating from the tunnel mechanism and the data flows emanating from the first computer network and channeled to the tunnel mechanism, wherein the at least one bandwidth utilization control corresponds to the at least one traffic type identified in either of the corresponding data flows.
  - 15. The apparatus of claim 14 wherein enforcement of the at least one bandwidth utilization control is influenced by at least one metric associated with the corresponding data flows.
  - 16. The apparatus of claim 11 wherein the bandwidth management device is further operative to enforce at least one bandwidth utilization control on the data flows channeled to the tunnel mechanism and at least one bandwidth utilization control on the data flows emanating from the tunnel mechanism.
  - 17. The apparatus of claim 16 wherein the at least one bandwidth utilization controls correspond to at least one traffic type associated with either of said flows.

18. An apparatus enabling concurrent classification and control of tunneled and non-tunneled data flows across an access link between a first computer network and a second computer network, comprisinga tunnel mechanism including transformation tunnel capabilities operative to establish a communication tunnel with a remote network device having compatible transformation tunnel capabilities;
- a bandwidth management device operably connected to an access link between a first computer network and a second computer network, wherein the bandwidth management device comprises;
  
  an inside interface, an outside interface, an inside tunnel interface and an outside tunnel interface,wherein the inside interface provides the communications interface between the bandwidth management device and the first computer network,wherein the outside interface provides the communications interface between the bandwidth management device and the second computer network, andwherein the inside tunnel interface and the outside tunnel interface provide communications interfaces to the tunnel mechanism;
  
  a packet processor operative to monitor data flows in relation to at least one metric;
  
  a traffic classification database operative to identify traffic types corresponding to data flows; and
  
  a bandwidth control mechanism operative to enforce bandwidth utilization controls on data flows associated with corresponding traffic types;
  
  wherein the bandwidth management device is operative to;
  
  receive a first data flow from the first computer network;
  
  transmit the first data flow to the tunnel mechanism at a first rate;
  
  receive a second data flow from the tunnel mechanism;
  
  associate the first data flow to the second data flow; and
  
  adjust the first rate based on feedback data derived from a difference between the first data flow and the second data flow.
- View Dependent Claims (19)
- - 19. The apparatus of claim 18 wherein the bandwidth control mechanism is operative to enforce bandwidth utilization controls on the second data flow based, in part, on at least one metric associated with the first data flow.

20. A method facilitating concurrent classification and control of tunneled and non-tunneled network traffic, the method comprising:
- receiving a first data flow from a first computer network;
  
  identifying at least one traffic type corresponding to the first data flow;
  
  transmitting the first data flow to a tunnel mechanism at a first rate;
  
  receiving a second data flow from the tunnel mechanism;
  
  identifying at least one traffic type corresponding to the second data flow;
  
  associating the first data flow with the second data flow; and
  
  adjusting the first rate based on feedback data derived from a difference between the first data flow and the second data flow.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20 further comprisingenforcing at least one bandwidth utilization control on the second data flow, wherein the enforcing step is based on at least one characteristic of the first data flow and at least one characteristic of the second data flow.
  - 22. The method of claim 20 further comprisingenforcing at least one bandwidth utilization control on the transmission of the first data flow to the tunnel mechanism based, at least in part, on at least one metric associated with the second data flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Packeteer Incorporated (Gen Digital Inc.)
Inventors
Morford, Michael Robert
Primary Examiner(s)
Duong; Frank

Application Number

US11/951,101
Publication Number

US 20080095054A1
Time in Patent Office

946 Days
Field of Search

None
US Class Current

370/231
CPC Class Codes

H04L 41/08 Configuration management of...

H04L 41/0896 Bandwidth or capacity manag...

Methods, apparatuses and systems facilitating concurrent classification and control of tunneled and non-tunneled network traffic

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

232 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, apparatuses and systems facilitating concurrent classification and control of tunneled and non-tunneled network traffic

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

232 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links