Method and apparatus for best effort propagation of security group information

US 7,877,796 B2
Filed: 11/16/2004
Issued: 01/25/2011
Est. Priority Date: 11/16/2004
Status: Active Grant

First Claim

Patent Images

1. A method, performed by a network node configured to execute instructions stored in a memory device of said network node, the method comprising:

determining whether an association exists, at the network node, between a destination and a reserved group identifier, whereinif said association exists, information indicating said association is maintained at said network node;

if said association exists, indicating a packet received at said network node can be sent to another network node, whereinsaid packet comprises destination information that identifies said destination as a destination of said packet,a group identifier is assigned to a security group of a plurality of security groups,said destination is a member of said security group, andsaid reserved group identifier is not assigned to any of said security groups;

if said association does not exist, determining whether another association exists, at said network node, between said destination and said group identifier, whereinif said another association exists, information indicating said another association is maintained at said network node; and

if said another association exists, performing access control processing on said packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.

85 Citations

View as Search Results

70 Claims

1. A method, performed by a network node configured to execute instructions stored in a memory device of said network node, the method comprising:
- determining whether an association exists, at the network node, between a destination and a reserved group identifier, whereinif said association exists, information indicating said association is maintained at said network node;
  
  if said association exists, indicating a packet received at said network node can be sent to another network node, whereinsaid packet comprises destination information that identifies said destination as a destination of said packet,a group identifier is assigned to a security group of a plurality of security groups,said destination is a member of said security group, andsaid reserved group identifier is not assigned to any of said security groups;
  
  if said association does not exist, determining whether another association exists, at said network node, between said destination and said group identifier, whereinif said another association exists, information indicating said another association is maintained at said network node; and
  
  if said another association exists, performing access control processing on said packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, whereinsaid indicating indicates that access control processing will not be performed on said packet at said network node.
  - 3. The method of claim 2, whereinsaid indicating indicates that said packet should be sent to said another network node.
  - 4. The method of claim 3, whereinsaid another network node is a next network node in a route to said destination which is to be taken by said packet.
  - 5. The method of claim 2, further comprising:
    - receiving said packet at said network node; and
      
      if said indicating indicates that said destination is associated with said reserved group identifier at said network node, sending said packet to said another network node.
  - 6. The method of claim 5, whereinsaid another network node is a next network node in a route to said destination which is to be taken by said packet.
  - 7. The method of claim 1, whereinsaid access control processing is performed using a role-based access control list.
  - 8. The method of claim 1, further comprising:
    - if said destination is not associated with said group identifier at said network node, performing said indicating.
  - 9. The method of claim 1, wherein said group identifier is one of a plurality of group identifiers, and further comprising:
    - determining if said destination is associated with any of said group identifiers at said network node, whereinsaid group identifiers are other than said reserved group identifier; and
      
      if said destination is associated with none of said group identifiers at said network node, performing said indicating.
  - 10. The method of claim 1, further comprising:
    - determining if said destination is associated with a null group identifier at said network node, whereinsaid null group identifier is other than said group identifier and said reserved group identifier; and
      
      if said destination is associated with said null group identifier at said network node, dropping said packet.
  - 11. The method of claim 1, further comprising:
    - if said network node is an egress node and said destination is not associated with any of said group identifiers at said network node,requesting said group identifier, whereinsaid destination is a member of a group identified by said group identifier;
      
      receiving said group identifier; and
      
      associating said destination with said group identifier at said network node.
  - 12. The method of claim 11, further comprising:
    - if said group identifier is a member of a super-group, associating said destination with a super-group identifier at said network node, whereinsaid super-group comprises at least two of the security groups of the plurality of security groups.

13. A computer program product comprising:
- a first set of instructions, executable from a memory device of a computer system, configured to determine whether an association exists, at a network node, between a destination and a reserved group identifier, whereinif said associate exists, information indicating said association is maintained at said network node;
  
  a second set of instructions, executable from a memory device of said computer system, configured to indicate a packet received at a network node can be sent to another network node, if said association exists, whereinsaid packet comprises destination information that identifies said destination as a destination of said packet,a group identifier is assigned to a security group of a plurality of security groups, said destination is a member of said security group, andsaid reserved group identifier is not assigned to any of said security groups;
  
  a third set of instructions, executable from a memory device of said computer system, configured to determine, if said association does not exist, whether another association exists, at said network node, between said destination and said group identifier, whereinif said another association exists, information indicating said another association is maintained at said network node;
  
  a fourth set of instructions, executable from a memory device of said computer system, configured to perform access control processing on said packet, if said another association exists; and
  
  computer readable storage media, wherein said computer program product is encoded in said computer readable storage media.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The computer program product of claim 13, whereinsaid second set of instructions is configured to indicate that access control processing will not be performed on said packet at said network node.
  - 15. The computer program product of claim 14, whereinsaid second set of instructions is configured to indicate that said packet should be sent to said another network node.
  - 16. The computer program product of claim 15, whereinsaid another network node is a next network node in a route to said destination which is to be taken by said packet.
  - 17. The computer program product of claim 14, further comprising:
    - a fifth set of instructions, executable from a memory device of said computer system, configured toreceive said packet at said network node; and
      
      a sixth set of instructions, executable from a memory device of said computer system, configured to send said packet to said another network node, if said second set of instructions indicate that said destination is associated with said reserved group identifier at said network node.
  - 18. The computer program product of claim 17, whereinsaid another network node is a next network node in a route to said destination which is to be taken by said packet.
  - 19. The computer program product of claim 13, whereinsaid fourth set of instructions use a role-based access control list.
  - 20. The computer program product of claim 13, further comprising:
    - a sixth set of instructions, executable from a memory device of said computer system, configured to cause said second set of instructions to be executed, if said destination is not associated with said group identifier at said network node.
  - 21. The computer program product of claim 13, whereinsaid group identifier is one of a plurality of group identifiers, further comprising:
    - a fifth set of instructions, executable from a memory device of said computer system, configured to determine if said destination is associated with a null group identifier at said network node, whereinsaid null group identifier is other than said group identifier and said reserved group identifier; and
      
      a sixth set of instructions, executable from a memory device of said computer system, configured to drop said packet, if said destination is associated with said null group identifier at said network node.
  - 22. The computer program product of claim 13, whereinsaid group identifier is one of a plurality of group identifiers, further comprising:
    - a fifth set of instructions, executable from a memory device of said computer system, configured to determine if said destination is associated with any of said group identifiers at said network node, whereinsaid group identifiers are other than said reserved group identifier; and
      
      a sixth set of instructions, executable from a memory device of said computer system, configured to cause said second set of instructions to be executed, if said destination is associated with none of said group identifiers at said network node.

23. An apparatus comprising:
- a memory device;
  
  means for determining whether an association exists, at a network node, between a destination and a reserved group identifier, whereinif said association exists, information indicating said association is maintained at said memory at said network node;
  
  means for indicating a packet received at a network node can be sent to another network node, if association exists, whereinsaid packet comprises destination information that identifies said destination as a destination of said packet,a group identifier is assigned to a security group of a plurality of security groups,said destination is a member of said security group, andsaid reserved group identifier is not assigned to any of said security groups;
  
  means for determining whether another association exists, at said network node, between said destination and said group identifier, whereinif said another association exists, information indicating said another association is maintained at said network node; and
  
  means for performing access control processing on said packet, if said another association exists.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. The apparatus of claim 23, whereinsaid means for indicating is configured to indicate that access control processing will not be performed on said packet at said network node.
  - 25. The apparatus of claim 24, whereinsaid means for indicating is configured to indicate that said packet should be sent to said another network node.
  - 26. The apparatus of claim 25, whereinsaid another network node is a next network node in a route to said destination which is to be taken by said packet.
  - 27. The apparatus of claim 24, further comprising:
    - means for receiving said packet at said network node; and
      
      means for sending said packet to said another network node, if said means for indicating indicates that said destination is associated with said reserved group identifier at said network node.
  - 28. The apparatus of claim 27, whereinsaid another network node is a next network node in a route to said destination which is to be taken by said packet.
  - 29. The apparatus of claim 23, whereinsaid access control processing is performed using a role-based access control list.
  - 30. The apparatus of claim 23, further comprising:
    - means for causing said means for indicating to indicate said packet can be sent to said another network node, if said destination is not associated with said group identifier at said network node.
  - 31. The apparatus of claim 23, wherein said group identifier is one of a plurality of group identifiers, and further comprising:
    - means for determining if said destination is associated with any of said group identifiers at said network node, whereinsaid group identifiers are other than said reserved group identifier; and
      
      means for causing said means for indicating to indicate said packet can be sent to said another network node, if said destination is associated with none of said group identifiers at said network node.
  - 32. The apparatus of claim 23, further comprising:
    - means for determining if said destination is associated with a null group identifier at said network node, whereinsaid null group identifier is other than said group identifier and said reserved group identifier; and
      
      means for dropping said packet, if said destination is associated with said null group identifier at said network node.

33. A method, performed by a network node configured to execute instructions stored in a memory device of said network node, the method comprising:
- receiving a group identifier;
  
  determining, at the network node, if an association between a destination and another group identifier exists, whereinif said association exists, said association is maintained at said network node, andsaid group identifier and said another group identifier are different from one another; and
  
  if said destination is associated with said another group identifier at said network node, associating said destination with a reserved group identifier in place of said another group identifier at said network node, whereinsaid group identifier is assigned as a group identifier of a first security group of a plurality of security groups,said another group identifier is assigned as a group identifier of a second security group of the plurality of security groups, andsaid reserved group identifier is not assigned to any of said security groups.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 34. The method of claim 33, further comprising:
    - if said destination is associated with said another group identifier at said network node, disassociating said destination from said another group identifier at said network node.
  - 35. The method of claim 33, further comprising:
    - if said destination is associated with said another group identifier at said network node, and said group identifier and said another group identifier are in a super-group, associating said destination with a super-group identifier at said network node, whereinsaid super-group comprises at least two of the security groups of the plurality of security groups.
  - 36. The method of claim 33, further comprising:
    - determining if said destination is associated with any of a plurality of group identifiers at said network node, whereinsaid group identifiers comprise said group identifier and said another group identifier.
  - 37. The method of claim 36, further comprising:
    - if said destination is associated with none of said group identifiers at said network node, associating said destination with said group identifier at said network node.
  - 38. The method of claim 36, further comprising:
    - if said destination is associated with one of said group identifiers at said network node and said one of said group identifiers is other than said group identifier, performing said associating said destination with said reserved group identifier at said network node.
  - 39. The method of claim 36, whereinsaid destination is a destination of a route.
  - 40. The method of claim 36, whereinif said destination is associated with a plurality of said group identifiers at said network node and each of said plurality of said group identifiers is in a super-group, associating a super-group identifier with said destination at said network node.
  - 41. The method of claim 33, further comprising:
    - if said destination is not associated with said another group identifier at said network node, associating said group identifier with said destination.
  - 42. The method of claim 41, further comprising:
    - if said destination is not associated with said another group identifier at said network node and said group identifier is in a super-group, associating said destination with a super-group identifier at said network node.
  - 43. The method of claim 41, further comprising:
    - determining if said destination is associated with said reserved group identifier at said network node; and
      
      if said destination is associated with said reserved group identifier at said network node, indicating a packet received at a network node can be sent to another network node, whereinsaid packet comprises destination information that identifies said destination as a destination of said packet.
  - 44. The method of claim 43, whereinsaid indicating indicates that access control processing will not be performed on said packet at said network node.
  - 45. The method of claim 44, further comprising:
    - receiving said packet at said network node; and
      
      if said indicating indicates that said destination is associated with said reserved group identifier at said network node, sending said packet to said another network node.
  - 46. The method of claim 43, further comprising:
    - determining if said destination is associated with one of a plurality of group identifiers at said network node, whereinsaid one of a plurality of group identifiers is other than said reserved group identifier.
  - 47. The method of claim 46, further comprising:
    - if said destination is associated with said one of a plurality of group identifiers at said network node, performing access control processing on said packet.
  - 48. The method of claim 47, further comprising:
    - if said destination is not associated with said one of a plurality of group identifiers at said network node, performing said indicating.

49. A computer program product comprising:
- a first set of instructions, stored in a memory device, executable on a computer system, configured to receive a group identifier;
  
  a second set of instructions, stored in the memory device, executable on said computer system, configured to determine, at a network node, if an association between a destination and another group identifier exists, whereinif said association exists, said association is maintained at said network node, andsaid group identifier and said another group identifier are different from one another;
  
  a third set of instructions, stored in the memory device, executable on said computer system, configured to associate said destination with a reserved group identifier in place of said another identifier at said network node, if said destination is associated with said another group identifier at said network node, whereinsaid group identifier is assigned as a group identifier of a first security group of a plurality of security groups,said another group identifier is assigned as a group identifier of a second security group of the plurality of security groups, andsaid reserved group identifier is not assigned to any of said security groups; and
  
  wherein said computer program product is encoded in the memory device.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 50. The computer program product of claim 49, further comprising:
    - a fourth set of instructions, executable on said computer system, configured to determine if a destination is associated with any of a plurality of group identifiers at said network node, whereinsaid group identifiers comprise said group identifier and said another group identifier.
  - 51. The computer program product of claim 50, further comprising:
    - a fifth set of instructions, executable on said computer system, configured to associate said destination with said group identifier at said network node, if said destination is associated with none of said group identifiers at said network node.
  - 52. The computer program product of claim 50, further comprising:
    - a fifth set of instructions, executable on said computer system, configured to cause saidthird set of instructions to be executed, if said destination is associated with one of said group identifiers at said network node and said one of said group identifiers is other than said group identifier.
  - 53. The computer program product of claim 49, further comprising:
    - a fourth set of instructions, executable on said computer system, configured to associate said destination with said group identifier at said network node, if said destination is not associated with said another group identifier at said network node.
  - 54. The computer program product of claim 53, further comprising:
    - a fifth set of instructions, executable on said computer system, configured to determine if said destination is associated with said reserved group identifier at said network node; and
      
      a sixth set of instructions, executable on said computer system, configured to indicate a packet received at a network node can be sent to another network node, if said destination is associated with said reserved group identifier at said network node, whereinsaid packet comprises destination information that identifies said destination as a destination of said packet.
  - 55. The computer program product of claim 54, whereinsaid sixth set of instructions indicate that access control processing will not be performed on said packet at said network node.
  - 56. The computer program product of claim 55, further comprising:
    - a seventh set of instructions, executable on said computer system, configured to receive said packet at said network node; and
      
      a eighth set of instructions, executable on said computer system, configured to send said packet to said another network node, if said sixth set of instructions indicate that said destination is associated with said reserved group identifier at said network node.
  - 57. The computer program product of claim 54, further comprising:
    - a seventh set of instructions, executable on said computer system, configured to determine if said destination is associated with one of a plurality of group identifiers at said network node, whereinsaid one of a plurality of group identifiers is other than said reserved group identifier.
  - 58. The computer program product of claim 57, further comprising:
    - a eighth set of instructions, executable on said computer system, configured to perform access control processing on said packet, if said destination is associated with said one of a plurality of group identifiers at said network node.
  - 59. The computer program product of claim 58, further comprising:
    - a ninth set of instructions, executable on said computer system, configured to cause said sixth set of instructions to be executed, if said destination is not associated with said one of a plurality of group identifiers at said network node.

60. An apparatus comprising:
- a memory device;
  
  means for receiving a group identifier;
  
  means for determining, at a network node, if an association between a destination and another group identifier exists, whereinif said association exists, said association is maintained in said memory device at said network node, andsaid group identifier and said another group identifier are different from one another; and
  
  means for associating said destination with a reserved group identifier in place of said another group identifier at said network node, if said destination is associated with said another group identifier at said network node, whereinsaid group identifier is assigned as a group identifier of a first security group of a plurality of security groups,said another group identifier is assigned as a group identifier of a second security group of the plurality of security groups, andsaid reserved group identifier is not assigned to any of said security groups.
- View Dependent Claims (61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 61. The apparatus of claim 60, further comprising:
    - means for determining if said destination is associated with any of a plurality of group identifiers at said network node, whereinsaid group identifiers comprise said group identifier and said another group identifier.
  - 62. The apparatus of claim 61, further comprising:
    - means for associating said destination with said group identifier at said network node, if said destination is associated with none of said group identifiers at said network node.
  - 63. The apparatus of claim 61, further comprising:
    - means for performing said associating said destination with said reserved group identifier at said network node, if said destination is associated with one of said groupidentifiers at said network node and said one of said group identifiers is other than said group identifier.
  - 64. The apparatus of claim 60, further comprising:
    - means for associating said destination with said group identifier at said network node, if said destination is not associated with said another group identifier at said network node.
  - 65. The apparatus of claim 64, further comprising:
    - means for determining if said destination is associated with said reserved group identifier at said network node; and
      
      means for indicating a packet received at a network node can be sent to another network node, if said destination is associated with said reserved group identifier at said network node, whereinsaid packet comprises destination information that identifies said destination as a destination of said packet.
  - 66. The apparatus of claim 65, whereinsaid means for indicating is configured to indicate that access control processing will not be performed on said packet at said network node.
  - 67. The apparatus of claim 66, further comprising:
    - means for receiving said packet at said network node; and
      
      means for sending said packet to said another network node, if said means for indicating indicates that said destination is associated with said reserved group identifier at said network node.
  - 68. The apparatus of claim 65, further comprising:
    - means for determining if said destination is associated with one of a plurality of group identifiers at said network node, whereinsaid one of a plurality of group identifiers is other than said reserved group identifier.
  - 69. The apparatus of claim 68, further comprising:
    - means for performing access control processing on said packet, if said destination is associated with said one of a plurality of group identifiers at said network node.
  - 70. The apparatus of claim 69, further comprising:
    - means for performing said indicating, if said destination is not associated with said one of a plurality of group identifiers at said network node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
Moazzami; Nassar
Assistant Examiner(s)
Louie; Oscar A

Application Number

US10/989,535
Publication Number

US 20060106750A1
Time in Patent Office

2,261 Days
Field of Search

726/2, 726/3, 726 11- 13, 726/16, 726/21, 726/26, 726/27, 713150-154, 713160-163, 713/168, 380/59, 380/255
US Class Current

726/13
CPC Class Codes

H04L 12/56   Packet switching systems

H04L 45/52   Multiprotocol routers

H04L 49/35   Switches specially adapted ...

H04L 61/10   of different types

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

H04L 67/00   Network arrangements or pro...

H04L 69/22   Parsing or analysis of headers

Method and apparatus for best effort propagation of security group information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for best effort propagation of security group information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links