Method and apparatus for best effort propagation of security group information
Abstract
A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.
85 Citations
70 Claims
1. A method, performed by a network node configured to execute instructions stored in a memory device of said network node, the method comprising:
- determining whether an association exists, at the network node, between a destination and a reserved group identifier, wherein if said association exists, information indicating said association is maintained at said network node;
- if said association exists, indicating a packet received at said network node can be sent to another network node, wherein said packet comprises destination information that identifies said destination as a destination of said packet, a group identifier is assigned to a security group of a plurality of security groups, said destination is a member of said security group, and said reserved group identifier is not assigned to any of said security groups;
- if said association does not exist, determining whether another association exists, at said network node, between said destination and said group identifier, wherein if said another association exists, information indicating said another association is maintained at said network node; and
- if said another association exists, performing access control processing on said packet.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A computer program product comprising:
- a first set of instructions, executable from a memory device of a computer system, configured to determine whether an association exists, at a network node, between a destination and a reserved group identifier, wherein if said associate exists, information indicating said association is maintained at said network node;
- a second set of instructions, executable from a memory device of said computer system, configured to indicate a packet received at a network node can be sent to another network node, if said association exists, wherein said packet comprises destination information that identifies said destination as a destination of said packet, a group identifier is assigned to a security group of a plurality of security groups, said destination is a member of said security group, and said reserved group identifier is not assigned to any of said security groups;
- a third set of instructions, executable from a memory device of said computer system, configured to determine, if said association does not exist, whether another association exists, at said network node, between said destination and said group identifier, wherein if said another association exists, information indicating said another association is maintained at said network node;
- a fourth set of instructions, executable from a memory device of said computer system, configured to perform access control processing on said packet, if said another association exists; and
- computer readable storage media, wherein said computer program product is encoded in said computer readable storage media.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22
23. An apparatus comprising:
- a memory device;
- means for determining whether an association exists, at a network node, between a destination and a reserved group identifier, wherein if said association exists, information indicating said association is maintained at said memory at said network node;
- means for indicating a packet received at a network node can be sent to another network node, if association exists, wherein said packet comprises destination information that identifies said destination as a destination of said packet, a group identifier is assigned to a security group of a plurality of security groups, said destination is a member of said security group, and said reserved group identifier is not assigned to any of said security groups;
- means for determining whether another association exists, at said network node, between said destination and said group identifier, wherein if said another association exists, information indicating said another association is maintained at said network node; and
- means for performing access control processing on said packet, if said another association exists.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32
33. A method, performed by a network node configured to execute instructions stored in a memory device of said network node, the method comprising:
- receiving a group identifier;
- determining, at the network node, if an association between a destination and another group identifier exists, wherein if said association exists, said association is maintained at said network node, and said group identifier and said another group identifier are different from one another; and
- if said destination is associated with said another group identifier at said network node, associating said destination with a reserved group identifier in place of said another group identifier at said network node, wherein said group identifier is assigned as a group identifier of a first security group of a plurality of security groups, said another group identifier is assigned as a group identifier of a second security group of the plurality of security groups, and said reserved group identifier is not assigned to any of said security groups.
Dependent claims: 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48
49. A computer program product comprising:
- a first set of instructions, stored in a memory device, executable on a computer system, configured to receive a group identifier;
- a second set of instructions, stored in the memory device, executable on said computer system, configured to determine, at a network node, if an association between a destination and another group identifier exists, wherein if said association exists, said association is maintained at said network node, and said group identifier and said another group identifier are different from one another;
- a third set of instructions, stored in the memory device, executable on said computer system, configured to associate said destination with a reserved group identifier in place of said another identifier at said network node, if said destination is associated with said another group identifier at said network node, wherein said group identifier is assigned as a group identifier of a first security group of a plurality of security groups, said another group identifier is assigned as a group identifier of a second security group of the plurality of security groups, and said reserved group identifier is not assigned to any of said security groups; and
- wherein said computer program product is encoded in the memory device.
Dependent claims: 50, 51, 52, 53, 54, 55, 56, 57, 58, 59
60. An apparatus comprising:
- a memory device;
- means for receiving a group identifier;
- means for determining, at a network node, if an association between a destination and another group identifier exists, wherein if said association exists, said association is maintained in said memory device at said network node, and said group identifier and said another group identifier are different from one another; and
- means for associating said destination with a reserved group identifier in place of said another group identifier at said network node, if said destination is associated with said another group identifier at said network node, wherein said group identifier is assigned as a group identifier of a first security group of a plurality of security groups, said another group identifier is assigned as a group identifier of a second security group of the plurality of security groups, and said reserved group identifier is not assigned to any of said security groups.
Dependent claims: 61, 62, 63, 64, 65, 66, 67, 68, 69, 70
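The two procedures recited in independent claims 1 and 33, as an added Python sketch that is not part of the patent text or any vendor implementation. The value of `RESERVED_GID`, the names `Node`, `receive_gid`, `handle_packet` and `Decision`, the source group identifier argument, the use of a set of permitted (source, destination) group pairs as the "access control processing", and the `UNRESOLVED` outcome are all assumptions made for illustration.

```python
from enum import Enum

# Assumed value: the claims only require an identifier assigned to no security group.
RESERVED_GID = 0xFFFF

class Decision(Enum):
    FORWARD = "forward"        # reserved identifier: packet may go on to another node
    PERMIT = "permit"          # access control processing ran here and allowed it
    DENY = "deny"              # access control processing ran here and refused it
    UNRESOLVED = "unresolved"  # no association at all; not covered by the claims

class Node:
    def __init__(self, permitted):
        self.assoc = {}             # destination -> group identifier held at this node
        self.permitted = permitted  # assumed ACL form: set of (source_gid, dest_gid)

    def receive_gid(self, destination, gid):
        """Claim 33: a different identifier already held becomes the reserved one."""
        if gid == RESERVED_GID:
            raise ValueError("reserved identifier is not assigned to any security group")
        current = self.assoc.get(destination)
        if current is None:
            self.assoc[destination] = gid
        elif current != gid:
            # Also keeps an already-reserved destination reserved (assumption).
            self.assoc[destination] = RESERVED_GID
        return self.assoc[destination]

    def handle_packet(self, source_gid, destination):
        """Claim 1: reserved association first, then the ordinary one."""
        current = self.assoc.get(destination)
        if current == RESERVED_GID:
            return Decision.FORWARD
        if current is not None:
            allowed = (source_gid, current) in self.permitted
            return Decision.PERMIT if allowed else Decision.DENY
        return Decision.UNRESOLVED

def demo():
    # Constructed sample data: group 10 may reach group 20; nothing else is permitted.
    node = Node(permitted={(10, 20)})
    node.receive_gid("10.0.0.5", 20)
    before = [node.handle_packet(10, "10.0.0.5"), node.handle_packet(11, "10.0.0.5")]
    node.receive_gid("10.0.0.5", 30)   # conflicting identifier for the same destination
    after = [node.handle_packet(10, "10.0.0.5"), node.handle_packet(11, "10.0.0.5")]
    return before, after, node.handle_packet(10, "10.0.0.9")

if __name__ == "__main__":
    print(demo())
```

In the reserved state this node takes no local access-control decision for the destination, so in the demo the source that was denied before the conflict is forwarded afterwards and enforcement depends on another node.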
Specification