Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules

US 7,855,972 B2
Filed: 02/08/2002
Issued: 12/21/2010
Est. Priority Date: 02/08/2002
Status: Active Grant

First Claim

Patent Images

1. A method of controlling usage of network resources on a communications network based on the identity of an authenticated user, the method comprising acts of:

creating, with a relationship management module, one or more packet rules for use on one or more network devices of the communications network, each rule including a condition and action to be taken as part of providing a service of the communications network if a packet received at a device satisfies the condition, wherein the one or more packet rules are defined to examine any portion of a packet;

storing the one or more packet rules in the communications network;

creating, with the relationship management module, one or more role abstractions, each role abstraction representing a role of a user with respect to the communications network, and each role abstraction capable of being assigned a set of one or more service abstractions to be provided to the user associated with the represented role;

creating, with the relationship management module, the one or more service abstractions, each service abstraction representing a communications network service to be provided to users of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;

storing the one or more service abstractions in the communications network;

storing the one or more role abstractions in the communications network;

associating, with the relationship management module, the one or more role abstractions with the identity of the authenticated user of the communications network; and

in response to receipt of a packet at any of the network devices from the authenticated user, using, by any of the network devices, the one or more service abstractions associated with the identity of the authenticated user to control usage of network resources on the communications network, the using including applying the packet rules in the one or more service abstractions to the packet.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method and system for controlling usage of network resources on a communications network. The method comprising acts of: (a) creating one or more packet rules for analyzing packets received at one or more devices of the communications network, each rule including a condition and action to be taken if a packet received at a device satisfies the condition; and (b) creating one or more service abstractions associated with a user of the communication network, each service abstraction representing a named set of one or more of the packet rules. In some embodiments one or more role abstractions may be created, each role abstraction representing a role of a user with respect to the communications network, and each role abstraction including a set of one or more packet rules, and possibly one or more service abstractions.

45 Citations

View as Search Results

34 Claims

1. A method of controlling usage of network resources on a communications network based on the identity of an authenticated user, the method comprising acts of:
- creating, with a relationship management module, one or more packet rules for use on one or more network devices of the communications network, each rule including a condition and action to be taken as part of providing a service of the communications network if a packet received at a device satisfies the condition, wherein the one or more packet rules are defined to examine any portion of a packet;
  
  storing the one or more packet rules in the communications network;
  
  creating, with the relationship management module, one or more role abstractions, each role abstraction representing a role of a user with respect to the communications network, and each role abstraction capable of being assigned a set of one or more service abstractions to be provided to the user associated with the represented role;
  
  creating, with the relationship management module, the one or more service abstractions, each service abstraction representing a communications network service to be provided to users of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;
  
  storing the one or more service abstractions in the communications network;
  
  storing the one or more role abstractions in the communications network;
  
  associating, with the relationship management module, the one or more role abstractions with the identity of the authenticated user of the communications network; and
  
  in response to receipt of a packet at any of the network devices from the authenticated user, using, by any of the network devices, the one or more service abstractions associated with the identity of the authenticated user to control usage of network resources on the communications network, the using including applying the packet rules in the one or more service abstractions to the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 25, 30)
- - 2. The method of claim 1, further comprising an act of:
    - configuring a network device of the communications network with one or more packet rules according to at least one of the service abstractions.
  - 3. The method of claim 2, wherein configuring the network device comprises:
    - configuring a port module of a switching device of the communications network with one or more packet rules according to at least one of the service abstractions.
  - 4. The method of claim 1, further comprising an act of:
    - distributing the one or more service abstractions to one or more network devices residing on the communications network.
  - 5. The method of claim 1, further comprising an act of:
    - configuring a network device of the communications network with one or more packet rules according to one of the role abstractions.
  - 6. The method of claim 5, wherein configuring the network device with one or more packet rules according to one of the role abstractions comprises:
    - configuring a port module of a switching device of the communications network with one or more packet rules according to one of the role abstractions.
  - 7. The method of claim 1, further comprising an act of:
    - distributing the one or more role abstractions to one or more network devices residing on the communications network.
  - 25. The method of claim 1, wherein the relationship management module comprises any of firmware, electronic circuitry or programmatically generated instructions.
  - 30. The method of claim 6, wherein the with at least one computer comprises any of firmware, electronic circuitry or programmatically generated instructions.

8. A system for enabling a network manager to control usage of network resources on a communications network based on the identity of an authenticated user, the system comprising:
- a rule editing module enabling the network manager to edit one or more packet rules for use on one or more devices of the communications network, each rule including a condition and action to be taken if a packet received at a device satisfies the condition;
  
  a service editing module enabling the network manager to edit one or more service abstractions, each service abstraction representing a communications network service to be provided to users of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;
  
  a role editing module enabling the network manager to edit one or more role abstractions, each role abstraction representing a role of a user with respect to the communications network, and each role abstraction capable of being assigned a set of one or more of the service abstractions representing communications network services to be provided to the user associated with the represented role;
  
  a user management module enabling the network manager to associate the users of the communications network with one or more of the role abstractions; and
  
  storage means comprising memory for storing one or more of the service abstractions, one or more of the packet rules, one or more of the role abstractions or one or more of the associations between the users of the communications network and one or more of the role abstractions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, further comprising:
    - logic to configure a network device with one or more packet rules according to at least one of the service abstractions.
  - 10. The system of claim 9, wherein the logic comprises:
    - port configuration logic to configure a port module of a switching device with one or more packet rules according to at least one of the service abstractions.
  - 11. The system of claim 8, further comprising:
    - a distribution module to distribute the one or more service abstractions to one or more network devices residing on the communications network.
  - 12. The system of claim 8, further comprising:
    - logic to configure a network device with one or more packet rules according to one of the role abstractions.
  - 13. The system of claim 12, wherein the logic comprises:
    - port configuration logic to configure a port module of a switching device with one or more packet rules according to one of the role abstractions.
  - 14. The system of claim 8, further comprising:
    - a distribution module to distribute the one or more role abstractions to one or more network devices residing on the communications network.

15. A computer program product, comprising:
- a non-transitory computer readable medium; and
  
  computer readable signals stored on the computer readable medium that define instructions that, as a result of being executed by a computer, instruct the computer to perform a process of controlling usage of network resources on a communications network based on the identity of an authenticated user, the process comprising acts of;
  
  creating one or more packet rules for use on one or more devices of the communication network, each rule including a condition and action to be taken as part of providing a service of the communications network if a packet received at a device satisfies the condition, wherein the one or more packet rules are defined to examine any portion of a packet;
  
  storing the one or more packet rules;
  
  creating one or more service abstractions, each service abstraction representing a communications network service to be provided to users of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;
  
  storing the one or more service abstractions;
  
  creating one or more role abstractions, each role abstraction representing a role of a user with respect to the communications network, and each role abstraction capable of being assigned a set of one or more of the service abstractions representing communications network services to be provided to the users associated with the represented role;
  
  storing the one or more role abstractions; and
  
  associating the one or more role abstractions with the identity of the authenticated user of the communications network.

16. A method of controlling usage of network resources on a communications network based on the identity of an authenticated user, the method comprising acts of:
- (a) defining one or more packet rules for use on one or more devices of the communications network, each rule including a condition and action to be taken if a packet received at a device satisfies the condition, wherein the one or more packet rules are defined to examine any portion of a packet;
  
  (b) providing the one or more packet rules;
  
  (c) defining one or more service abstractions, each service abstraction representing a communications network service to be provided to a user of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;
  
  (d) providing the one or more services abstractions;
  
  (e) in response to a user, defining one or more role abstractions associated with an authenticated user, each role abstraction representing a role of the authenticated user with respect to the communications network for controlling usage of network resources on the communications network by the authenticated user, and each role abstraction capable of being assigned a set of one or more of the service abstractions;
  
  (f) providing the one or more role abstractions; and
  
  (g) associating the one or more role abstractions with the identity of the authenticated user of the communications network.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, further comprising an act of:
    - (h) configuring a network device of the communications network with one or more packet rules according to one of the role abstractions.
  - 18. The method of claim 17, wherein act (h) comprises:
    - configuring a port module of a switching device of the communications network with one or more packet rules according to one of the role abstractions.
  - 19. The method of claim 16, further comprising an act of:
    - (h) distributing the one or more role abstractions to one or more network devices residing on the communications network.

20. A system for controlling usage of network resources on a communications network based on the identity of an authenticated user, the system comprising:
- a rule editing module to create one or more packet rules for use on one or more devices of the communications network, each rule including a condition and action to be taken if a packet received at a device satisfies the condition, wherein the one or more packet rules are defined to examine any portion of a packet;
  
  a service editing module to create one or more service abstractions, each service abstraction representing a communications network service to be provided to users of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;
  
  a role editing module to create, in response to a user, one or more role abstractions associated with an authenticated user, each role abstraction representing a role of an authenticated user with respect to the communications network for controlling usage of network resources on the communications network by the authenticated user, and each role abstraction capable of being assigned a set of one or more of the service abstractions;
  
  a user management module to associate the one or more role abstractions with the identity of the authenticated user of the communications network; and
  
  storage means comprising memory for storing the one or more created role abstractions, the one or more created service abstractions, or the one or more created packet rules.
- View Dependent Claims (21, 22, 23)
- - 21. The system of claim 20, further comprising:
    - logic to configure a port module of a network device with one or more packet rules according to one of the role abstractions.
  - 22. The system of claim 21, wherein the logic comprises:
    - port configuration logic to configure a port module of a switching device with one or more packet rules according to one of the role abstractions.
  - 23. The system of claim 20, further comprising:
    - a distribution module to distribute the one or more role abstractions to one or more network devices residing on the communications network.

24. A computer program product, comprising:
- a non-transitory computer readable medium; and
  
  computer readable signals stored on the computer readable medium that define instructions that, as a result of being executed by a computer, instruct the computer to perform a process of controlling usage of network resources on a communications network based on the identity of an authenticated user, the process comprising acts of;
  
  (a) editing one or more packet rules for use on one or more devices of the communications network, each rule including a condition and action to be taken if a packet received at a device satisfies the condition, wherein the one or more packet rules are defined to examine any portion of a packet;
  
  (b) storing the one or more packet rules;
  
  (c) editing one or more service abstractions, each service abstraction representing a communications network service to be provided to users of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;
  
  (d) in response to a user, editing one or more role abstractions associated with an authenticated user, each role abstraction representing a role of an authenticated user with respect to the communications network for controlling usage of network resources on the communications network by the authenticated user, and each role abstraction capable of being assigned a set of one or more of the service abstractions;
  
  (e) associating the users of the communications network with one or more of the role abstractions; and
  
  (f) saving the one or more role abstractions and the one or more service abstractions.

26. A method of controlling usage of network resources on a communications network based on the identity of an authenticated user, the method comprising acts of:
- creating, with at least one computer, one or more packet rules for analyzing packets received at one or more network devices of the communications network, each rule including a condition and action to be taken as part of providing a service of the communications network if a packet received at a device satisfies the condition, wherein the one or more packet rules are defined to examine any portion of a packet;
  
  storing, with at least one computer, the one or more packet rules;
  
  creating, with at least one computer, one or more service abstractions, each service abstraction representing a communications network service to be provided to users of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;
  
  storing, with at least one computer, the one or more service abstractions;
  
  associating, by at least one computer and by the one or more service abstractions, with the identity of the authenticated user of the communications network;
  
  in response to receipt of a packet at any of the network devices from the authenticated user, using, by one of the network devices, the one or more service abstractions associated with the identity of the authenticated user to control usage of network resources on the communications network, the using including applying the packet rules in the one or more service abstractions to the packet; and
  
  creating, with at least one computer, one or more role abstractions, each role abstraction representing a role of users with respect to the communications network, and each role abstraction including a set of one or more service abstractions representing communications network services to be provided to users associated with the represented role,and wherein the act of associating one or more service abstractions with the identity of the authenticated user includes associating the identity of the authenticated user with one or more of the role abstractions.
- View Dependent Claims (27, 28, 29)
- - 27. The method of claim 26, further comprising an act of:
    - configuring, with at least one computer, a network device of the communications network with one or more packet rules according to one of the role abstractions.
  - 28. The method of claim 27, wherein configuring the network device with one or more packet rules according to one of the role abstractions comprises:
    - configuring, with at least one computer, a port module of a switching device of the communications network with one or more packet rules according to one of the role abstractions.
  - 29. The method of claim 26, further comprising an act of:
    - distributing, with at least one computer, the one or more role abstractions to one or more network devices residing on the communications network.

31. A system for enabling a network manager to control usage of network resources on a communications network based on the identity of an authenticated user, the system comprising:
- a rule editing module enabling the network manager to edit one or more packet rules for analyzing packets received at one or more devices of the communications network, each rule including a condition and action to be taken if a packet received at a device satisfies the condition;
  
  a service editing module enabling the network manager to edit one or more service abstractions, each service abstraction representing a communications network service to be provided to users of the communications network, each service abstraction including a named set of one or more of the packet rules that, in combination, provide the represented communications network service;
  
  a user management module enabling the network manager to associate users of the communications network with one or more of the service abstractions;
  
  storage means comprising memory for storing one or more of the service abstractions, one or more of the packet rules or one or more of the associations between users of the communications network and one or more of the service abstractions; and
  
  a role editing module enabling the network manager to edit one or more role abstractions, each role abstraction representing a role of users with respect to the communications network, and each role abstraction including a set of one or more service abstractions representing communications network services to be provided to users associated with the represented role,and wherein the user management module further enables the network manager to associate users of the communications network with one or more of the role abstractions.
- View Dependent Claims (32, 33, 34)
- - 32. The system of claim 31, further comprising:
    - logic to configure a network device with one or more packet rules according to one of the role abstractions.
  - 33. The system of claim 32, wherein the logic comprises:
    - port configuration logic to configure a port module of a switching device with one or more packet rules according to one of the role abstractions.
  - 34. The system of claim 31, further comprising:
    - a distribution module to distribute the one or more role abstractions to one or more network devices residing on the communications network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Dunigan, Paula Jane, Pettit, Steven A., Roese, John, Richmond, James
Primary Examiner(s)
Wong, Warner

Application Number

US10/071,228
Publication Number

US 20030152035A1
Time in Patent Office

3,238 Days
Field of Search

370/230, 370/235, 370/252, 370/389, 370/392, 370153-154, 713160-162, 713153-154
US Class Current

370/252
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links