Method and apparatus for ingress filtering using security group information

US 8,301,882 B2
Filed: 11/01/2010
Issued: 10/30/2012
Est. Priority Date: 12/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a packet at an ingress node of a network,whereinsaid network comprises a plurality of nodes,said ingress node is one of said plurality of nodes,said packet is received from a source node communicatively coupled to said network at said ingress node,said packet comprisessource security group information, anda destination address,said destination address is an address of a network node communicatively coupled to said network,said source security group information identifies a source security group,said source node is a member of said source security group, andsaid network node is a destination of said packet;

extracting said destination address from said packet, using a processor of said ingress node;

determining destination security group information, using said processor, whereinsaid destination security group information is determined using said destination address; and

performing access control processing on said packet, using said processor, whereinsaid access control processing comprisescomparing said destination security group information and said source security group information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for ingress filtering using security group information are disclosed. The method includes performing access control processing on a packet and sending access control information to an ingress node of the packet in response to the access control processing. The access control information includes security group information and an address of a network node. The security group information identifies a security group. The network node is a member of the security group and is a destination of the packet.

94 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- receiving a packet at an ingress node of a network,whereinsaid network comprises a plurality of nodes,said ingress node is one of said plurality of nodes,said packet is received from a source node communicatively coupled to said network at said ingress node,said packet comprisessource security group information, anda destination address,said destination address is an address of a network node communicatively coupled to said network,said source security group information identifies a source security group,said source node is a member of said source security group, andsaid network node is a destination of said packet;
  
  extracting said destination address from said packet, using a processor of said ingress node;
  
  determining destination security group information, using said processor, whereinsaid destination security group information is determined using said destination address; and
  
  performing access control processing on said packet, using said processor, whereinsaid access control processing comprisescomparing said destination security group information and said source security group information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, whereinsaid security group information is a source security group identifier, andsaid destination group information is a destination security group identifier.
  - 3. The method of claim 1, further comprising:
    - sending a first packet from said ingress node, whereinsaid first packet comprisessource security group information of said first packet, anda destination address of said first packet,said source security group information of said first packet identifies said source security group,said destination address of said first packet is an address of a destination of said first packet, andsaid destination of said first packet is said network node.
  - 4. The method of claim 3, further comprising:
    - receiving access control information at said ingress node, whereinsaid receiving said access control information is in response to receiving a reply to said sending said first packet,said access control information comprisessaid destination security group information, andsaid destination address,said destination security group information identifies a destination security group, andsaid network node is a member of said destination security group.
  - 5. The method of claim 4, wherein said receiving said access control information comprises:
    - receiving a control packet at said ingress node, whereinsaid control packet comprises said access control information.
  - 6. The method of claim 4, further comprising:
    - associating said security group information and said destination address with one another.
  - 7. The method of claim 6, wherein said associating comprises:
    - creating a binding at said ingress node, whereinsaid binding is between said destination security group information and said destination address.
  - 8. The method of claim 7, further comprising:
    - deleting said binding in response to a criteria being met.
  - 9. The method of claim 7, further comprising:
    - receiving a second packet at said ingress node; and
      
      filtering said second packet using said binding.
  - 10. The method of claim 5, further comprising:
    - receiving said first packet at said ingress node;
      
      determining if a binding between said destination security group information and said destination address exists;
      
      if said binding exists,performing said access control processing; and
      
      if said binding does not exist,performing said sending said first packet, whereinsaid sending said first packet sends said packet to an egress node,filtering said packet at said egress node, andif said first packet is denied as a result of said filtering at said egress node,sending said control packet from said egress node to said ingress node.
  - 11. The method of claim 5, whereinsaid control packet is a modified Internet Control Message Protocol (ICMP) packet.
  - 12. The method of claim 1, further comprising:
    - determining if a binding between said destination security group information and said destination address exists;
      
      if said binding exists,performing said access control processing; and
      
      if said binding does not exist,sending said first packet to said network node.
  - 13. The method of claim 1, wherein said sending said first packet to said network node comprises:
    - receiving said packet at an egress node;
      
      filtering said packet at said egress node; and
      
      if said first packet is denied as a result of said filtering at said egress node,sending a control packet from said egress node to said ingress node,whereinsaid control packet comprises said access control information, andsaid access control information comprisessaid destination security group information, andsaid destination address.
  - 14. The method of claim 1, further comprising:
    - receiving access control information at said ingress node, whereinsaid access control information comprisessaid destination security group information, andsaid destination address,said destination security group information identifies a destination security group, andsaid network node is a member of said destination security group.

15. A computer program product comprising:
- a plurality of instructions, comprisinga first set of instructions, executable on an ingress node of a network,configured to receive a packet, whereinsaid network comprises a plurality of nodes,said ingress node is one of said plurality of nodes,said packet is configured to be received from a source node communicatively coupled to said network at said ingress node,said packet comprisessource security group information, anda destination address,said destination address is an address of a network node communicatively coupled to said network,said source security group information identifies a source security group,said source node is a member of said source security group, andsaid network node is a destination of said packet,a second set of instructions, executable on said ingress node, configured to extract said destination address from said packet,a third set of instructions, executable on said ingress node, configured to determine destination security group information, whereinsaid destination security group information is determined using said destination address,a fourth set of instructions, executable on said ingress node, configured to perform access control processing on said packet, whereinsaid fourth set of instructions comprisea first subset of instructions, executable on said ingress node, configured to compare said destination security group information and said source security group information; and
  
  a computer-readable storage medium, wherein said instructions are encoded in said computer-readable storage medium.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product of claim 15, wherein said instructions further comprise:
    - a fifth set of instructions, executable on said ingress node, configured to receive access control information at said ingress node, whereinsaid access control information comprisessaid destination security group information, andsaid destination address,said destination security group information identifies a destination security group, andsaid network node is a member of said destination security group.
  - 17. The computer program product of claim 16, wherein said instructions further comprise:
    - a sixth set of instructions, executable on said ingress node, configured to send a first packet from said ingress node, whereinsaid first packet comprisessource security group information of said first packet, anda destination address of said first packet,said source security group information of said first packet identifies said source security group,said destination address of said first packet is an address of a destination of said first packet, andsaid destination of said first packet is said network node.
  - 18. The computer program product of claim 17, wherein said instructions further comprise:
    - a seventh set of instructions, executable on said ingress node, configured to associate said security group information and said destination address with one another, whereinsaid seventh set of instructions comprisesa first subset of instructions, executable on said ingress node,configured to create a binding at said ingress node,said binding is between said destination security group information and said destination address.
  - 19. The computer program product of claim 15, wherein said instructions further comprise:
    - a fifth set of instructions, executable on said ingress node, configured to determine if a binding between said destination security group information and said destination address exists;
      
      a sixth set of instructions, executable on said ingress node, configured to perform said access control processing, if said binding exists; and
      
      a seventh set of instructions, executable on said ingress node, configured to send said first packet to said network node, if said binding does not exist.

20. A computer system comprising:
- a processor;
  
  a computer-readable storage medium coupled to said processor; and
  
  a plurality of instructions, encoded in said computer-readable storage medium and configured to cause said processor toreceive a packet at an ingress node of a network, whereinsaid network comprises a plurality of nodes,said ingress node is one of said plurality of nodes,said packet is received from a source node communicatively coupled to said network at said ingress node,said packet comprisessource security group information, anda destination address,said destination address is an address of a network node communicatively coupled to said network,said source security group information identifies a source security group,said source node is a member of said source security group, andsaid network node is a destination of said packet;
  
  extract said destination address from said packet, using a processor of said ingress node;
  
  determine destination security group information, using said processor, whereinsaid destination security group information is determined using said destination address; and
  
  perform access control processing on said packet, using said processor, whereinsaid access control processing comprisescomparing said destination security group information and said source security group information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US12/917,125
Publication Number

US 20110271102A1
Time in Patent Office

729 Days
Field of Search

713/151, 713/160, 726/2
US Class Current

713/160
CPC Class Codes

H04L 63/101 Access control lists [ACL]

H04L 63/105 Multiple levels of security

Method and apparatus for ingress filtering using security group information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

94 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for ingress filtering using security group information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links