Flexible access control policy enforcement

US 7,945,941 B2
Filed: 06/01/2007
Issued: 05/17/2011
Est. Priority Date: 06/01/2007
Status: Active Grant

First Claim

Patent Images

1. Logic encoded in one or more tangible non-transitory media for execution and when executed operable to:

identify one or more parameters of a connection with a client;

determine one or more policies, and a prioritization order for the determined policies, based on the one or more parameters;

access an indirection table to create an entry for the client, wherein the entry indicates the prioritization order of the determined policies; and

create one or more entries in one or more policy data structures for the one or more determined policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for applying access-control policies. In particular implementations, a method includes determining one or more policies, and a prioritization order for the determined policies, based on the one or more parameters; accessing an indirection table to create an entry for the client, wherein the entry indicates the prioritization order of the determined policies; and creating one or more entries in one or more policy data structures for the one or more determined policies.

Citations

20 Claims

1. Logic encoded in one or more tangible non-transitory media for execution and when executed operable to:
- identify one or more parameters of a connection with a client;
  
  determine one or more policies, and a prioritization order for the determined policies, based on the one or more parameters;
  
  access an indirection table to create an entry for the client, wherein the entry indicates the prioritization order of the determined policies; and
  
  create one or more entries in one or more policy data structures for the one or more determined policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The logic of claim 1 wherein the indirection table and the one or more policy data structures are accessible to a data plane for processing of received frames.
  - 3. The logic of claim 1 wherein the logic is further operable to populate one or more policy lists with the one or more policies based on the one or more parameters.
  - 4. The logic of claim 1 wherein the logic is further operable to:
    - populate one or more policy lists with the one or more policies; and
      
      index the one or more policies by keys based on a tuple of attributes.
  - 5. The logic of claim 1 wherein the one or more parameters comprises one or more of network information, group information, and client information.
  - 6. The logic of claim 1 wherein the one or more policies comprise network-based policies, group-based policies, and client-based policies.
  - 7. The logic of claim 6 wherein the network-based policies comprise wired network and wireless network policies.
  - 8. The logic of claim 1 wherein at least one of the one or more policies follows the client from one network to another network.

9. A method comprising:
- determining, by one or more computing devices, one or more policies, and a prioritization order for the determined policies, based on the one or more parameters;
  
  accessing, by the one or more computing devices, an indirection table to create an entry for the client, wherein the entry indicates the prioritization order of the determined policies; and
  
  creating, by the one or more computing devices, one or more entries in one or more policy data structures for the one or more determined policies.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9 further comprising populating, by the one or more computing devices, one or more policy lists with the one or more policies based on the one or more parameters.
  - 11. The method of claim 9 further comprising:
    - populating, by the one or more computing devices, one or more policy lists with the one or more policies; and
      
      indexing, by the one or more computing devices, the one or more policies by keys based on a tuple of attributes.
  - 12. The method of claim 9 wherein the one or more parameters comprises one or more of network information, group information, and client information.
  - 13. The method of claim 9 wherein the one or more policies comprise network-based policies, group-based policies, and client-based policies.
  - 14. The method of claim 9 wherein at least one of the one or more policies follows the client from one network to another network.

15. An apparatus comprising:
- a network interface; and
  
  one or more packet processors comprising control plane logic operable to;
  
  identify one or more parameters of a connection with a client;
  
  determine one or more policies, and a prioritization order for the determined policies, based on the one or more parameters;
  
  access an indirection table to create an entry for the client, wherein the entry indicates the prioritization order of the determined policies;
  
  create one or more entries in one or more policy data structures for the one or more determined policies;
  
  wherein the one or more packet processors further comprise data plane logic operable to;
  
  access the indirection table against one or more attributes of a received frame to identify one or more policies for the frame; and
  
  apply the one or more policies based on the prioritization indicated in the indirection table.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The controller of claim 15 wherein the instructions are further operable to cause the one or more processors and the controller to populate one or more policy lists with the one or more policies based on the one or more parameters.
  - 17. The controller of claim 15 wherein the instructions are further operable to cause the one or more processors and the controller to:
    - populate one or more policy lists with the one or more policies; and
      
      index the one or more policies by keys based on a tuple of attributes.
  - 18. The controller of claim 15 wherein the one or more parameters comprises one or more of network information, group information, and client information.
  - 19. The controller of claim 15 wherein the one or more policies comprise network-based policies, group-based policies, and client-based policies.
  - 20. The controller of claim 15 wherein at least one of the one or more policies follows the client from one network to another network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sinha, Santanu, Pignatelli, David J., Carr, Alan
Primary Examiner(s)
Revak; Christopher A

Application Number

US11/757,215
Publication Number

US 20080301755A1
Time in Patent Office

1,446 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

H04L 63/20 for managing network securi...

Flexible access control policy enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Flexible access control policy enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links