Method and apparatus for ingress filtering using security group information
First Claim
1. A computer-implemented method comprising:
- receiving a packet at an ingress node of a network, wherein said network comprises a plurality of nodes, said ingress node is one of said plurality of nodes, said packet is received from a source node communicatively coupled to said network at said ingress node, said packet comprises source security group information, and a destination address, said destination address is an address of a network node communicatively coupled to said network, said source security group information identifies a source security group, said source node is a member of said source security group, and said network node is a destination of said packet;
- extracting said destination address from said packet, using a processor of said ingress node;
- determining destination security group information, using said processor, wherein said destination security group information is determined using said destination address; and
- performing access control processing on said packet, using said processor, wherein said access control processing comprises comparing said destination security group information and said source security group information.
Abstract
A method and apparatus for ingress filtering using security group information are disclosed. The method includes performing access control processing on a packet and sending access control information to an ingress node of the packet in response to the access control processing. The access control information includes security group information and an address of a network node. The security group information identifies a security group. The network node is a member of the security group and is a destination of the packet.
20 Claims
1. A computer-implemented method (independent claim; its text is reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
15. A computer program product comprising:
- a plurality of instructions, comprising
  - a first set of instructions, executable on an ingress node of a network, configured to receive a packet, wherein said network comprises a plurality of nodes, said ingress node is one of said plurality of nodes, said packet is configured to be received from a source node communicatively coupled to said network at said ingress node, said packet comprises source security group information, and a destination address, said destination address is an address of a network node communicatively coupled to said network, said source security group information identifies a source security group, said source node is a member of said source security group, and said network node is a destination of said packet,
  - a second set of instructions, executable on said ingress node, configured to extract said destination address from said packet,
  - a third set of instructions, executable on said ingress node, configured to determine destination security group information, wherein said destination security group information is determined using said destination address,
  - a fourth set of instructions, executable on said ingress node, configured to perform access control processing on said packet, wherein said fourth set of instructions comprise a first subset of instructions, executable on said ingress node, configured to compare said destination security group information and said source security group information; and
- a computer-readable storage medium, wherein said instructions are encoded in said computer-readable storage medium.

Dependent claims: 16, 17, 18, 19.
20. A computer system comprising:
- a processor;
- a computer-readable storage medium coupled to said processor; and
- a plurality of instructions, encoded in said computer-readable storage medium and configured to cause said processor to:
  - receive a packet at an ingress node of a network, wherein said network comprises a plurality of nodes, said ingress node is one of said plurality of nodes, said packet is received from a source node communicatively coupled to said network at said ingress node, said packet comprises source security group information, and a destination address, said destination address is an address of a network node communicatively coupled to said network, said source security group information identifies a source security group, said source node is a member of said source security group, and said network node is a destination of said packet;
  - extract said destination address from said packet, using a processor of said ingress node;
  - determine destination security group information, using said processor, wherein said destination security group information is determined using said destination address; and
  - perform access control processing on said packet, using said processor, wherein said access control processing comprises comparing said destination security group information and said source security group information.
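The enforcement step the claims describe, as an added worked example that is not the patent's own code: the ingress node takes the source security group carried in the packet, resolves the destination address to a destination security group through a binding table (populated by configuration or by the "access control information" messages the abstract mentions), and applies a policy keyed on the (source group, destination group) pair. The class and method names, the numeric group tags, the address prefixes and the policy entries are this example's own constructed assumptions.

```python
"""Ingress filtering by security group: added example, not the patent's code.

Assumed names: Packet, IngressNode, Action, and the numeric group tags,
prefixes and policy rows below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Action(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class Packet:
    # The packet carries the *source* security group information and the
    # destination address (claim 1).  The destination group is never taken
    # from the packet; the ingress node derives it from the address itself.
    src_sgt: int
    dst_addr: str


@dataclass
class IngressNode:
    # destination prefix -> destination security group.  Filled by config or
    # by out-of-band access control information (address, group) messages.
    bindings: Dict[ipaddress.IPv4Network, int] = field(default_factory=dict)
    # (source group, destination group) -> Action.  Pairs with no entry fall
    # through to `default`, which is deny so the node fails closed.
    policy: Dict[Tuple[int, int], Action] = field(default_factory=dict)
    default: Action = Action.DENY

    def install_binding(self, address: str, sgt: int) -> None:
        """Record that the node(s) at `address` belong to group `sgt`."""
        self.bindings[ipaddress.ip_network(address, strict=False)] = sgt

    def destination_group(self, dst_addr: str) -> Optional[int]:
        """Resolve the destination address to a group by longest-prefix match."""
        addr = ipaddress.ip_address(dst_addr)
        best: Optional[Tuple[ipaddress.IPv4Network, int]] = None
        for net, sgt in self.bindings.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return None if best is None else best[1]

    def filter(self, pkt: Packet) -> Action:
        """Claim 1's access control step: compare source and destination groups."""
        dst_sgt = self.destination_group(pkt.dst_addr)
        if dst_sgt is None:
            # No binding for this destination: do not guess a group, drop.
            return Action.DENY
        return self.policy.get((pkt.src_sgt, dst_sgt), self.default)


# Constructed sample groups: 10 = staff, 20 = guests, 30 = servers, 40 = HR servers
def build_demo_node() -> IngressNode:
    node = IngressNode()
    node.install_binding("10.1.0.0/16", 30)   # general server range
    node.install_binding("10.1.5.0/24", 40)   # more specific: HR servers
    node.policy[(10, 30)] = Action.PERMIT     # staff -> servers
    node.policy[(20, 30)] = Action.DENY       # guests -> servers, explicit deny
    node.policy[(10, 40)] = Action.DENY       # staff -> HR servers, denied
    return node


if __name__ == "__main__":
    node = build_demo_node()
    for pkt in (Packet(10, "10.1.2.3"), Packet(20, "10.1.2.3"),
                Packet(10, "10.1.5.9"), Packet(10, "192.0.2.7")):
        print(pkt, "->", node.filter(pkt).value)
```

Two points the claims leave implicit are made explicit here: the destination group comes only from the ingress node's own binding table, so a sender cannot influence the lookup by anything it writes into the packet beyond its source group, and a destination with no binding or a pair with no policy row is dropped rather than forwarded.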