Method and apparatus for ingress filtering using security group information
Abstract
A method and apparatus for ingress filtering using security group information are disclosed. The method includes performing access control processing on a packet and sending access control information to an ingress node of the packet in response to the access control processing. The access control information includes security group information and an address of a network node. The security group information identifies a security group. The network node is a member of the security group and is a destination of the packet.
Citations: 87

Claims (76)
1. A method comprising:

receiving a packet at a network node of a network, after said packet has been received by an ingress node of said network, wherein said packet comprises access control information, said network comprises a plurality of nodes, said ingress node is the first node of said plurality of nodes to receive said packet, and said network node is a network node of said plurality of nodes other than said ingress node;

performing access control processing on said packet at said network node, after said packet has been received at said network node, wherein said access control processing identifies said access control information of said packet, said access control information comprises security group information, and an address of a destination node, said security group information identifies a security group, said destination node is a member of said security group, and said destination node is a destination of said packet; and

sending another packet from said network node to said ingress node, in response to said access control processing, wherein said another packet comprises said access control information.

Dependent claims: 2-13.
14. A computer program product comprising:

a first set of instructions, executable on a computer system, configured to cause a network node of a network to receive a packet, after said packet has been received by an ingress node of said network, wherein said packet comprises access control information, said network comprises a plurality of nodes, said ingress node is the first node of said plurality of nodes to receive said packet, and said network node is a network node of said plurality of nodes other than said ingress node;

a second set of instructions, executable on said computer system, configured to cause said network node to perform access control processing on said packet, wherein said first set of instructions are further configured to perform said access control processing after said packet has been received by said network node, said access control processing identifies said access control information of said packet, said access control information comprises security group information, and an address of a destination node, said security group information identifies a security group, said destination node is a member of said security group, and said destination node is a destination of said packet;

a third set of instructions, executable on said computer system, configured to cause said network node to send another packet from said network node to said ingress node, in response to said second set of instructions, wherein said another packet comprises said access control information; and

a computer readable storage medium, wherein said computer program product is encoded in said computer readable medium.

Dependent claims: 15-25.
26. An apparatus comprising:

a network node of a network, comprising a processor,

means for receiving a packet at a network node of a network, after said packet has been received by an ingress node of said network, wherein said means for receiving is coupled to said processor, said packet comprises access control information, said network comprises a plurality of nodes, said ingress node is the first node of said plurality of nodes to receive said packet, and said network node is a network node of said plurality of nodes other than said ingress node,

means for performing access control processing on said packet at said network node, wherein said means for performing is coupled to said processor and said means for receiving, said means for performing is configured to perform said access control processing after said packet has been received at said network node, said means for performing is configured to identify said access control information of said packet, said access control information comprises security group information, and an address of a destination node, said security group information identifies a security group, said destination node is a member of said security group, and said destination node is a destination of said packet, and

means for sending another packet from said network node to said ingress node responsive to said means for performing, wherein said another packet comprises said access control information, and said means for sending is coupled to said processor and said means for performing.

Dependent claims: 27-37.
38. A method comprising:

propagating a packet from a network node of a network to an ingress node of said network, wherein said network comprises a plurality of nodes, said ingress node is the first node of said plurality of nodes to receive another packet, said network node is a network node of said plurality of nodes other than said ingress node, said packet comprises access control information, said another packet comprises said access control information, said propagating is performed in response to access control processing performed on said another packet at said network node after said another packet has been received by said ingress node, said access control information comprises security group information, and an address of a destination node, said security group information identifies a security group, and said destination node is a member of said security group.

Dependent claims: 39-57.
58. A method comprising:

receiving, from a network node of a network, security group information and an address of a destination node at an ingress node of said network as a result of a first packet being filtered by said network node after said first packet has been received by said ingress node, wherein said first packet comprises said security group information and said address, said network comprises a plurality of nodes, said ingress node is the first node of said plurality of nodes to receive said first packet, said network node is a network node of said plurality of nodes other than said ingress node, said receiving comprises receiving another packet, and said another packet comprises said security group information and said address; and

associating said security group information with said address, wherein said security group information identifies a security group, and said destination node is a member of said security group.

Dependent claims: 59-76.
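The mechanism described in the abstract and in claims 1, 38 and 58 (a downstream node filters a packet on security group membership, then sends the destination address and its group back to the ingress node, which associates the two and can filter later packets at ingress) can be exercised in a small simulation. The following is an added example, not code from the patent or from any product that implements it. The security group tags, host addresses, policy table, node classes and the Feedback message are all constructed for illustration; the model assumes the ingress node knows the group of its directly attached hosts and tags the source accordingly, but does not initially know the destination's group, so it forwards and learns from the downstream node's feedback.

```python
"""Simulation of ingress filtering with security group feedback.

Constructed example; the group tags, addresses, policy and message
format below are assumptions made for illustration, not the patent's.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str       # source address
    dst: str       # destination address
    src_sgt: int   # security group tag assigned to the source at ingress


@dataclass(frozen=True)
class Feedback:
    """Access control information returned to the ingress node after a
    packet is filtered downstream: the destination address and the
    security group it belongs to (the 'another packet' of the claims)."""
    dst_addr: str
    dst_sgt: int


class Sgacl:
    """Deny-by-default policy keyed on (source group, destination group)."""

    def __init__(self, permitted: Set[Tuple[int, int]]) -> None:
        self.permitted = permitted

    def permits(self, src_sgt: int, dst_sgt: int) -> bool:
        return (src_sgt, dst_sgt) in self.permitted


class IngressNode:
    """First node to receive a packet. Knows the groups of its attached
    hosts and learns destination groups from downstream feedback."""

    def __init__(self, policy: Sgacl, attached: Dict[str, int]) -> None:
        self.policy = policy
        self.attached = attached             # local address -> SGT
        self.dst_groups: Dict[str, int] = {}  # learned address -> SGT
        self.log: List[str] = []

    def ingress(self, src: str, dst: str) -> Optional[Packet]:
        pkt = Packet(src, dst, self.attached[src])
        dst_sgt = self.dst_groups.get(dst)
        # Only filter at ingress once the destination's group is known
        if dst_sgt is not None and not self.policy.permits(pkt.src_sgt, dst_sgt):
            self.log.append(f"ingress drop {src}->{dst}")
            return None
        self.log.append(f"ingress forward {src}->{dst}")
        return pkt

    def learn(self, fb: Feedback) -> None:
        # Associate the security group with the destination address
        self.dst_groups[fb.dst_addr] = fb.dst_sgt


class EnforcementNode:
    """A node other than the ingress node that knows the destination's
    group, applies the policy, and reports a drop back as Feedback."""

    def __init__(self, policy: Sgacl, attached: Dict[str, int]) -> None:
        self.policy = policy
        self.attached = attached
        self.log: List[str] = []

    def receive(self, pkt: Packet) -> Tuple[bool, Optional[Feedback]]:
        dst_sgt = self.attached.get(pkt.dst)
        if dst_sgt is None:
            return True, None  # not a local destination; pass along
        if self.policy.permits(pkt.src_sgt, dst_sgt):
            self.log.append(f"deliver {pkt.src}->{pkt.dst}")
            return True, None
        self.log.append(f"drop {pkt.src}->{pkt.dst}")
        return False, Feedback(pkt.dst, dst_sgt)


GUEST, SERVER, EMPLOYEE = 10, 20, 30  # constructed security group tags


def run_scenario() -> Dict[str, object]:
    """Guest host sends twice to a server it may not reach; employee once."""
    policy = Sgacl({(EMPLOYEE, SERVER), (EMPLOYEE, EMPLOYEE), (GUEST, GUEST)})
    ingress = IngressNode(policy, {"10.0.1.5": GUEST, "10.0.1.9": EMPLOYEE})
    core = EnforcementNode(policy, {"10.0.2.50": SERVER})

    def send(src: str, dst: str) -> str:
        pkt = ingress.ingress(src, dst)
        if pkt is None:
            return "dropped at ingress"
        delivered, fb = core.receive(pkt)
        if fb is not None:
            ingress.learn(fb)  # feedback travels back to the ingress node
        return "delivered" if delivered else "dropped downstream"

    return {
        "guest_first": send("10.0.1.5", "10.0.2.50"),
        "learned": dict(ingress.dst_groups),
        "guest_second": send("10.0.1.5", "10.0.2.50"),
        "employee": send("10.0.1.9", "10.0.2.50"),
        "core_drops": core.log.count("drop 10.0.1.5->10.0.2.50"),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The first guest packet crosses the network and is dropped by the enforcement node, which answers with the server's address and group; the second guest packet is dropped at the ingress node before it consumes any network capacity, while the employee packet is permitted at both points. In this model the downstream node keeps enforcing the policy, so ingress filtering is an optimisation rather than the sole control; the feedback message nevertheless drives filtering decisions at the ingress node, so a deployment would want its origin authenticated, since a forged or spoofed feedback could make the ingress node drop traffic the policy actually permits.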
Specification