Method and apparatus for providing network security using security labeling
1 Assignment
0 Petitions
Abstract
A method and apparatus for providing network security using security labeling is disclosed. The method includes comparing first security level information and second security level information, and indicating processing to be performed on the packet based on the comparing. The first security level information is stored in a security label of a packet received at a network node, while the second security level information is stored at the network node.
103 Citations
95 Claims
1. A method comprising:
  comparing first security level information and second security level information, wherein
    said first security level information is stored in a security label of a packet received at a network node of a network,
    said first security level information represents a first security level,
    said first security level is a security level of a source of said packet,
    said second security level information is stored at said network node,
    said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,
    said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,
    said second security level information represents a second security level,
    said second security level is a security level of a destination of said packet,
    said network comprises a plurality of network nodes,
    said network nodes comprise said network node and said another network node, and
    said network nodes are configured to convey packets to one another via others of said network nodes; and
  indicating processing to be performed on said packet based on said comparing, wherein
    said processing comprises determining whether to forward said packet from said network node to one of said network nodes.
Dependent claims: 2-32.
33. A computer system comprising:
  a processor;
  a tangible, non-transitory computer-readable storage medium coupled to said computer, and
  computer instructions, encoded in said computer-readable storage medium, configured to cause said processor to:
  compare first security level information and second security level information, wherein
    said first security level information is stored in a security label of a packet received at a network node of a network,
    said first security level information represents a first security level,
    said first security level is a security level of a source of said packet,
    said second security level information is stored at said network node,
    said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,
    said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,
    said second security level information represents a second security level,
    said second security level is a security level of a destination of said packet,
    said network comprises a plurality of network nodes,
    said network nodes comprise said network node and said another network node, and
    said network nodes are configured to convey packets to one another via others of said network nodes; and
  indicate processing to be performed on said packet based on said comparing, wherein
    said processing comprises determining whether to forward said packet from said network node to one of said network nodes.
Dependent claims: 34-50.
51. A computer program product comprising:
  a non-transitory computer-readable storage medium, wherein a plurality of sets of instructions are encoded in said tangible computer-readable medium, and said plurality of sets of instructions comprise
  a first set of instructions, executable on a computer system, configured to compare first security level information and second security level information, wherein
    said first security level information is stored in a security label of a packet received at a network node of a network,
    said first security level information represents a first security level,
    said first security level is a security level of a source of said packet,
    said second security level information is stored at said network node,
    said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,
    said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,
    said second security level information represents a second security level,
    said second security level is a security level of a destination of said packet,
    said network comprises a plurality of network nodes,
    said network nodes comprise said network node and said another network node, and
    said network nodes are configured to convey packets to one another via others of said network nodes, and
  a second set of instructions, executable on said computer system, configured to indicate processing to be performed on said packet based on said comparing, wherein
    said processing comprises determining whether to forward said packet from said network node to one of said network nodes.
Dependent claims: 52-68.
69. A network device comprising:
  a network interface, wherein said network interface is configured to receive a packet, and said network device is configured to
  store first security level information,
  compare said first security level information and second security level information, wherein
    said first security level information is stored in a security label of a packet received at a network node of a network,
    said first security level information represents a first security level,
    said first security level is a security level of a source of said packet,
    said second security level information is stored at said network node,
    said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,
    said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,
    said second security level information represents a second security level,
    said second security level is a security level of a destination of said packet,
    said network comprises a plurality of network nodes,
    said network nodes comprise said network node and said another network node, and
    said network nodes are configured to convey packets to one another via others of said network nodes, and
  indicate processing to be performed on said packet based on said comparing, wherein
    said processing comprises determining whether to forward said packet from said network node to one of said network nodes, and
  perform said processing of said packet.
Dependent claims: 70-80.
81. A network device comprising:
  a content-addressable memory; and
  an access control list, wherein
    said content-addressable memory is configured to store said access control list,
    said access control list comprises an access control list entry,
    said access control list entry comprises a label information field,
    said label information field is configured to store a security label, and
    said network device is configured to
  compare first security level information and second security level information, wherein
    said first security level information is stored in a security label of a packet received at a network node of a network,
    said first security level information represents a first security level,
    said first security level is a security level of a source of said packet,
    said second security level information is stored at said network node,
    said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,
    said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,
    said second security level information represents a second security level,
    said second security level is a security level of a destination of said packet,
    said network comprises a plurality of network nodes,
    said network nodes comprise said network node and said another network node, and
    said network nodes are configured to convey packets to one another via others of said network nodes; and
  indicate processing to be performed on said packet based on said comparing, wherein
    said processing comprises determining whether to forward said packet from said network node to one of said network nodes.
Dependent claims: 82-88.
89. A network device comprising:
  a forwarding table, wherein
    said forwarding table comprises a plurality of forwarding table entries,
    at least one forwarding table entry of said forwarding table entries comprises a label range field, and
    said network device is configured to
  compare first security level information and second security level information, wherein
    said first security level information is stored in a security label of a packet received at a network node of a network,
    said first security level information represents a first security level,
    said first security level is a security level of a source of said packet,
    said second security level information is stored at said network node,
    said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,
    said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,
    said second security level information represents a second security level,
    said second security level is a security level of a destination of said packet,
    said network comprises a plurality of network nodes,
    said network nodes comprise said network node and said another network node, and
    said network nodes are configured to convey packets to one another via others of said network nodes; and
  indicate processing to be performed on said packet based on said comparing, wherein
    said processing comprises determining whether to forward said packet from said network node to one of said network nodes.
Dependent claims: 90-95.
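The independent claims above describe one forwarding decision: a node holds a security level for each destination (learned from another node's context registration and combined with later registrations rather than overwritten), compares it with the source level carried in the packet's security label, and from that decides whether to forward. Claims 81 and 89 add a CAM-held ACL whose entries carry a label field, and a forwarding table whose entries carry a label range. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The 8-bit label, the combine rule (keep the maximum registered level), the compare rule (the packet's label must be at least the level registered for the destination), the fail-closed handling of an unregistered destination, the ACL and forwarding-table contents, and all node and address names are assumptions chosen for illustration.

```python
"""Security-label forwarding decision modelled on the claims above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    label: int  # first security level information: the source's level (assumed 0..255)


@dataclass(frozen=True)
class AclEntry:
    """CAM-style ACL entry: label field plus destination prefix; first match wins."""
    label_lo: int
    label_hi: int
    dst_prefix: str
    permit: bool


@dataclass(frozen=True)
class FibEntry:
    """Forwarding table entry with a label range field (claim 89)."""
    dst_prefix: str
    label_lo: int
    label_hi: int
    next_hop: str


class Node:
    def __init__(self, name: str, acl: List[AclEntry], fib: List[FibEntry],
                 combine: Callable[[int, int], int] = max) -> None:
        self.name = name
        self.acl = acl
        self.fib = fib
        self.combine = combine  # assumed rule for merging registrations
        # second security level information: destination -> level, learned from other nodes
        self.dest_levels: Dict[str, int] = {}

    def register_context(self, from_node: str, dest: str, level: int) -> int:
        """Accept a registration from another node; combine with what is held, never overwrite."""
        held = self.dest_levels.get(dest)
        self.dest_levels[dest] = level if held is None else self.combine(held, level)
        return self.dest_levels[dest]

    @staticmethod
    def compare(pkt: Packet, required: int) -> bool:
        """Assumed policy: the source level in the label must dominate the destination level."""
        return pkt.label >= required

    def acl_lookup(self, pkt: Packet) -> Optional[bool]:
        for e in self.acl:
            if e.label_lo <= pkt.label <= e.label_hi and ip_address(pkt.dst) in ip_network(e.dst_prefix):
                return e.permit
        return None  # no entry: the ACL expresses no opinion

    def fib_lookup(self, pkt: Packet) -> Optional[str]:
        """Longest-prefix match restricted to entries whose label range covers the label."""
        best: Optional[FibEntry] = None
        for e in self.fib:
            net = ip_network(e.dst_prefix)
            if ip_address(pkt.dst) in net and e.label_lo <= pkt.label <= e.label_hi:
                if best is None or net.prefixlen > ip_network(best.dst_prefix).prefixlen:
                    best = e
        return best.next_hop if best else None

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Indicate processing: ('forward', next_hop) or ('drop', reason)."""
        if self.acl_lookup(pkt) is False:
            return ("drop", "acl-deny")
        required = self.dest_levels.get(pkt.dst)
        if required is None:
            return ("drop", "unregistered-destination")  # fail closed
        if not self.compare(pkt, required):
            return ("drop", "level")
        next_hop = self.fib_lookup(pkt)
        if next_hop is None:
            return ("drop", "no-route-for-label")
        return ("forward", next_hop)


def build_demo_node() -> Node:
    """Constructed sample state for one node; addresses and names are made up."""
    acl = [
        AclEntry(0, 1, "10.2.0.0/16", permit=False),  # labels 0-1 never reach 10.2/16
        AclEntry(0, 255, "0.0.0.0/0", permit=True),
    ]
    fib = [
        FibEntry("10.2.0.0/24", 5, 255, "nodeC"),      # only labels >= 5 take this path
        FibEntry("10.2.0.0/16", 0, 4, "quarantine"),   # low labels are diverted
    ]
    node = Node("nodeB", acl, fib)
    node.register_context("nodeC", "10.2.0.5", 3)
    node.register_context("nodeD", "10.2.0.5", 5)  # combined with the held value -> 5
    node.register_context("nodeC", "10.2.0.5", 4)  # not overwritten -> stays 5
    node.register_context("nodeC", "10.2.9.9", 2)
    return node


if __name__ == "__main__":
    n = build_demo_node()
    for pkt in (Packet("10.1.0.9", "10.2.0.5", 7), Packet("10.1.0.9", "10.2.0.5", 3),
                Packet("10.1.0.9", "10.2.0.5", 1), Packet("10.1.0.9", "10.2.9.9", 7),
                Packet("10.1.0.9", "10.2.9.9", 3), Packet("10.1.0.9", "10.3.0.1", 7)):
        print(pkt, "->", n.process(pkt))
```

The order of checks mirrors the hardware the device claims describe: the CAM ACL is consulted first because it keys directly on the label, the level comparison then applies the registered destination level, and the forwarding table is only consulted for packets that survived both, so a label outside every entry's range is dropped rather than routed by prefix alone.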