Packet routing system and method

US 8,583,800 B2
Filed: 08/30/2012
Issued: 11/12/2013
Est. Priority Date: 09/13/2000
Status: Expired due to Term

First Claim

Patent Images

1. An Internet Protocol (IP) service processing switch comprising:

a plurality of service blades each having a plurality of processors including their own central processing unit (CPU) and memory, the plurality of processors providing customized security services to a plurality of subscribers of a service provider by (i) creating software entities, in a form of object groups within a plurality of virtual routers (VRs) executing on the plurality of processors, in accordance with security service needs of respective subscribers of the plurality of subscribers, (ii) assigning logical queue identifiers (LQIDs) to each of the software entities and (iii) assigning processor element identifiers (PEIDs) to each of the processors of the plurality of processors based on a processor element number of the processor and a blade ID of a service blade of the plurality of service blades with which the processor is associated, that is unique within the IP service processing switch;

one or more packet-passing data rings coupling the plurality of service blades in communication; and

wherein upon a service blade of the plurality of blades receiving a packet from the one or more packet-passing data rings,the service blade inspects a PEID value within the packet and when the PEID value corresponds to a PEID assigned to a processor of the plurality of processors on the service blade, the packet is steered to a software entity of a VR of the plurality of VR on the processor that corresponds to an LQID value within the packet, andwhen the PEID value does not correspond to any PEIDs assigned to the plurality of processors on the service blade, the packet is passed to a next service blade of the plurality of service blades on the one or more packet-passing data rings.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for offering network-based managed security services are provided. According to one embodiment, an IP service processing switch includes multiple service blades and one or more packet-passing data rings. The service blades each have multiple processors for providing customized security services to subscribers of a service provider. Upon receipt of a packet by a service blade from the one or more packet-passing data rings, a PEID value within the packet is inspected and when the PEID value corresponds to a PEID assigned to a processor associated with the service blade, the packet is steered to a software entity of a VR on the processor that corresponds to an LQID value within the packet. And, when the PEID value does not correspond to any PEIDs assigned to processors on the service blade, the packet is passed to a next service blade on the one or more packet-passing data rings.

Citations

17 Claims

1. An Internet Protocol (IP) service processing switch comprising:
- a plurality of service blades each having a plurality of processors including their own central processing unit (CPU) and memory, the plurality of processors providing customized security services to a plurality of subscribers of a service provider by (i) creating software entities, in a form of object groups within a plurality of virtual routers (VRs) executing on the plurality of processors, in accordance with security service needs of respective subscribers of the plurality of subscribers, (ii) assigning logical queue identifiers (LQIDs) to each of the software entities and (iii) assigning processor element identifiers (PEIDs) to each of the processors of the plurality of processors based on a processor element number of the processor and a blade ID of a service blade of the plurality of service blades with which the processor is associated, that is unique within the IP service processing switch;
  
  one or more packet-passing data rings coupling the plurality of service blades in communication; and
  
  wherein upon a service blade of the plurality of blades receiving a packet from the one or more packet-passing data rings,the service blade inspects a PEID value within the packet and when the PEID value corresponds to a PEID assigned to a processor of the plurality of processors on the service blade, the packet is steered to a software entity of a VR of the plurality of VR on the processor that corresponds to an LQID value within the packet, andwhen the PEID value does not correspond to any PEIDs assigned to the plurality of processors on the service blade, the packet is passed to a next service blade of the plurality of service blades on the one or more packet-passing data rings.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The IP service processing switch of claim 1, wherein:
    - a first set of the plurality of VRs is configured to provide a first set of router services on behalf of a first subscriber of the plurality of subscribers by creating within a first object group one or more of a first routing object, a first packet filtering object and a first network address translation object; and
      
      a second set of the plurality of VRs is configured to provide a second set of router services on behalf of a second subscriber of the plurality of subscribers by creating within a second object group one or more of a second routing object, a second packet filtering object and a second network address translation object.
  - 3. The IP service processing switch of claim 1, wherein:
    - a first set of the plurality of VRs is configured to provide a first set of managed network-based security services on behalf of a first subscriber of the plurality of subscribers; and
      
      a second set of the plurality of VRs is configured to provide a second set of managed network-based security services on behalf of a second subscriber of the plurality of subscribers.
  - 4. The IP service processing switch of claim 3, wherein the first set of managed network-based security services includes firewall inspection and access control functions.
  - 5. The IP service processing switch of claim 3, wherein the first set of managed network-based security services includes virtual private network (VPN) tunneling and encryption.
  - 6. The IP service processing switch of claim 1, wherein the IP service processing switch is configured to be deployed within a point of presence (POP) of a service provider network.
  - 7. The IP service processing switch of claim 6, wherein the IP service processing switch is configured to communicate with a service management system (SMS) located within a network operating center of the service provider and the customized security services are configured via the SMS.
  - 8. The IP service processing switch of claim 6, wherein the IP service processing switch is configured to communicate with customer network management (CNM) systems located within sites associated with the plurality of subscribers and the customized security services can be augmented via the CNM systems.
  - 9. The IP service processing switch of claim 1, wherein the plurality of service blades include one or more processor blades which provide point-to-point connectivity and firewall protection.
  - 10. The IP service processing switch of claim 1, wherein the plurality of service blades include one or more access blades which provide physical line termination, network address translation, hardware-assisted IP forwarding, hardware-assisted encryption services and hardware-assisted queue management.

11. A method comprising:
- partitioning a plurality of virtual routers (VRs) of a service processing switch, including a plurality of service blades each having a plurality of processors including their own central processing unit (CPU) and memory, between a first subscriber and a second subscriber of a network-based security service provider by (i) associating a first set of processor element identifiers (PEIDs) with a first set of processors of the plurality of processors, the first set of processors supporting a first set of VRs of the plurality of VRs partitioned to the first subscriber and (ii) associating a second set of PEIDs with a second set of processors of the plurality of processors, the second set of processors supporting a second set of VRs of the plurality of VRs partitioned to the second subscriber, wherein PEIDs are assigned to each of the plurality of processors based on a combination of a blade ID of a service blade of the plurality of service blades with which the processor is associated and a processor element number of the processor;
  
  configuring the first set of VRs to provide a first set of managed network-based security services on behalf of the first subscriber by creating within the first set of VRs a first software entity comprising a first object group including a first subset of objects selected to be supportive of the first set of managed network-based security services;
  
  configuring the second set of VRs to provide a second set of managed network-based security services on behalf of the second subscriber by creating within the second set of VRs a second software entity comprising a second object group including a second subset of objects selected to be supportive of the second set of managed network-based security services;
  
  the service processing switch providing the managed network-based security services for the first subscriber and the second subscriber bysteering a first packet destined for or originating from a site of the first subscriber to an appropriate processor of the first set of processors and the first software entity based on a first PEID value within the first packet and a first logical queue identifier (LQID) value within the first packet, the first PEID value corresponding to a first PEID assigned to the appropriate processor of the first set of processors, and the first LQID value corresponding to a first LQID assigned an object of the first object group of the first software entity; and
  
  steering a second packet destined for or originating from a site of the second subscriber to an appropriate processor of the second set of processors and the second software entity based on a second PEID value within the second packet and a second LQID value within the second packet, the second PEID value corresponding to a second PEID assigned to the appropriate processor of the second set of processors, and the second LQID value corresponding to a second LQID assigned to an object of the second object group of the second software entity.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising:
    - configuring the first set of VRs to provide a first set of router services on behalf of the first subscriber by creating within the first set of object groups one or more of a first routing object, a first packet filtering object and a first network address translation object; and
      
      configuring the second set of VRs to provide a second set of router services on behalf of the second subscriber by creating within the second set of object groups one or more of a second routing object, a second packet filtering object and a second network address translation object.
  - 13. The method of claim 12, further comprising locating the service processing switch within a point of presence (POP) of a service provider network.
  - 14. The method of claim 12, wherein the first set of managed network-based security services include firewall inspection and access control functions.
  - 15. The method of claim 12, wherein the first set of managed network-based security services include virtual private network (VPN) tunneling and encryption.
  - 16. The method of claim 12, wherein a service management system (SMS) of the service provider performs said configuring the first set of VRs and said configuring the second set of VRs.
  - 17. The method of claim 16, wherein a first Customer Network Management (CNM) system is installed at an information services (IS) headquarters site of the first subscriber, and wherein a second CNM system is installed at an IS headquarters site of the second subscriber, the method further comprising:
    - providing an information technology (IT) manager of the first subscriber with the ability to (i) initiate service provisioning and augmentation of the first set of VRs and (ii) obtain detailed network and service performance information via the first CNM; and
      
      providing an IT manager of the second subscriber with the ability to (i) initiate service provisioning and augmentation of the second set of VRs and (ii) obtain detailed network and service performance information via the second CNM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Matthews, Abraham R., Weir, Steven P.
Primary Examiner(s)
ZHANG, SHIRLEY X

Application Number

US13/600,179
Publication Number

US 20120324532A1
Time in Patent Office

439 Days
Field of Search

709/225, 709/226, 370/351, 718/104
US Class Current

709/226
CPC Class Codes

H04L 12/42   Loop networks

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/586   of virtual routers

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Packet routing system and method

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Packet routing system and method

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links