Method and apparatus for best effort propagation of security group information

US 8,621,596 B2
Filed: 01/24/2011
Issued: 12/31/2013
Est. Priority Date: 11/16/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in response to receipt of a first packet at a first network node of a network, propagating a packet from the first network node to a second network node of the network, whereinthe network comprises a plurality of network nodes,the network nodes comprise the first network node and the second network node,the first packet is received from the second network node via the network,the first packet comprisessource security group information, anda destination address,the destination address is an address of a destination of the first packet,the source security group information identifies a source security group,a source of the first packet is a member of the source security group,the packet comprisesaccess control information,the access control information comprisesthe source security group information,destination security group information, andthe destination address,the destination security group information identifies a destination security group,the destination is a member of the destination security group,the propagating is performed in response to access control processing performed on the first packet at the first network node after the first packet has been received by the first network node, andthe access control processing comprisesdetermining the destination security group information using the destination address;

in response to receipt of the packet at the second network node, making a determination as to whether, at the second network node, the destination group identifier can be associated with the destination address;

if the determination indicates that, at the second network node, the destination group identifier can be associated with the destination address,associating the destination group identifier with the destination address; and

if the determination indicates that, at the second network node, the destination group identifier cannot be associated with the destination address, associating a reserved group identifier with the destination address.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.

Citations

18 Claims

1. A method comprising:
- in response to receipt of a first packet at a first network node of a network, propagating a packet from the first network node to a second network node of the network, whereinthe network comprises a plurality of network nodes,the network nodes comprise the first network node and the second network node,the first packet is received from the second network node via the network,the first packet comprisessource security group information, anda destination address,the destination address is an address of a destination of the first packet,the source security group information identifies a source security group,a source of the first packet is a member of the source security group,the packet comprisesaccess control information,the access control information comprisesthe source security group information,destination security group information, andthe destination address,the destination security group information identifies a destination security group,the destination is a member of the destination security group,the propagating is performed in response to access control processing performed on the first packet at the first network node after the first packet has been received by the first network node, andthe access control processing comprisesdetermining the destination security group information using the destination address;
  
  in response to receipt of the packet at the second network node, making a determination as to whether, at the second network node, the destination group identifier can be associated with the destination address;
  
  if the determination indicates that, at the second network node, the destination group identifier can be associated with the destination address,associating the destination group identifier with the destination address; and
  
  if the determination indicates that, at the second network node, the destination group identifier cannot be associated with the destination address, associating a reserved group identifier with the destination address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, whereinthe first network node is an egress node,the second network node an ingress node, andthe propagating propagates the packet from the egress node to the ingress node.
  - 3. The method of claim 1, further comprising:
    - receiving another packet at the second network node;
      
      forwarding the another packet to the first network node, whereinthe access control processing is performed at the first network node;
      
      receiving the another packet at the first network node; and
      
      performing the access control processing at the first network node.
  - 4. The method of claim 1, further comprising:
    - receiving another packet at the first network node, whereinthe access control processing comprisesdetermining if the another packet should be denied.
  - 5. The method of claim 4, further comprising:
    - if the another packet is denied, initiating the propagating.
  - 6. The method of claim 1, further comprising:
    - determining the source security group information, whereinthe source security group information identifies a group of a source network node, andperforming the access control processing uses the source security group information.
  - 7. The method of claim 6, whereinthe source network node is a source of the another packet,the another packet comprisesthe source security group information, andthe destination address, andthe access control processing comprisesdetermining if the packet should be denied, andif the packet is denied, initiating the propagating.
  - 8. The method of claim 1, wherein the packet is a control packet.
  - 9. The method of claim 8, further comprising:
    - receiving another packet at the second network node; and
      
      determining the source security group information, whereina source network node is a source of the another packet, andthe another packet comprisesthe source security group information, andthe destination address,the source security group information identifies a security group of the source network node, andthe access control processing uses the source security group information.
  - 10. The method of claim 9, wherein the performing the access control comprises:
    - determining if the another packet should be denied, andif the another packet is denied,performing the propagating, andcreating a binding between the destination address and the destination security group information at the second network node.
  - 11. The method of claim 1, whereinthe first network node is a network node in a route of the packet,the reserved group identifier is associated with the destination as a result of the route leading to a plurality of destinations from the second network node,the plurality of destinations comprise the destination,andanother destination of the plurality of destinations is a member of another security group.
  - 12. The method of claim 1, whereinthe reserved group identifier is one of a plurality of security group identifiers,each of the plurality of security group identifiers represents a corresponding one of a plurality of security groups, other than the reserved group identifier, andthe reserved group identifier does not represent any of the plurality of security groups.

13. A computer system comprising:
- a processor;
  
  a computer-readable storage medium coupled to the processor; and
  
  a plurality of instructions, encoded in the computer-readable medium, configured to cause the processor toin response to receipt of a first packet at a first network node of a network, propagate a packet from the first network node to a second network node of the network, whereinthe network comprises a plurality of network nodes,the network nodes comprise the first network node and the second network node,the first packet is received from the second network node via the network,the first packet comprisessource security group information, anda destination address,the destination address is an address of a destination of the first packet,the source security group information identifies a source security group,a source of the first packet is a member of the source security group,the packet comprisesaccess control information,the access control information comprisesthe source security group information,destination security group information, andthe destination address,the destination security group information identifies a destination security group,the destination is a member of the destination security group,the propagating is performed in response to access control processing performed on the first packet at the first network node after the first packet has been received by the first network node, andthe access control processing comprisesdetermining the destination security group information using the destination address,in response to receipt of the packet at the second network node, make a determination as to whether, at the second network node, the destination group identifier can be associated with the destination address,if the determination indicates that, at the second network node, the destination group identifier can be associated with the destination address,associate the destination group identifier with the destination address, andif the determination indicates that, at the second network node, the destination group identifier cannot be associated with the destination address,associate a reserved group identifier with the destination address.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer system of claim 13, wherein the instructions are further configured to cause the processor to:
    - receive another packet at the second network node;
      
      forward the another packet to the first network node, whereinthe access control processing is performed at the first network node;
      
      receiving the another packet at the first network node; and
      
      performing the access control processing at the first network node.
  - 15. The computer system of claim 13, wherein the instructions are further configured to cause the processor to:
    - receive another packet at the first network node, whereinthe access control processing comprisesdetermining if the another packet should be denied.
  - 16. The computer system of claim 13, wherein the instructions are further configured to cause the processor to:
    - determine the source security group information, whereinthe source security group information identifies a group of a source network node, andthe access control processing uses the source security group information.
  - 17. The computer system of claim 13, wherein the instructions are further configured to cause the processor to:
    - receive another packet at the second network node; and
      
      determine the source security group information, whereina source network node is a source of the another packet, andthe another packet comprisesthe source security group information, andthe destination address,the source security group information identifies a security group of the source network node,the performing the access control uses the source security group information, andthe access control processing comprisesdetermining if the another packet should be denied, andif the another packet is denied,performing the propagating, andcreating a binding between the destination address and the destination security group information at the second network node.

18. A computer program product comprising:
- a plurality of instructions, comprisinga first set of instructions, executable on a computer system, configured to, in response to receipt of a first packet at a first network node of a network, propagate a packet from the first network node a second network node of the network, whereinthe network comprises a plurality of network nodes,the network nodes comprise the first network node and the second network node,the first packet is received from the second network node via the network,the first packet comprisessource security group information, anda destination address,the destination address is an address of a destination of the first packet,the source security group information identifies a source security group,a source of the first packet is a member of the source security group,the packet comprisesaccess control information,the access control information comprisesthe source security group information,destination security group information, andthe destination address,the destination security group information identifies a destination security group,the destination is a member of the destination security group,the propagating is performed in response to access control processing performed on the first packet at the first network node after the first packet has been received by the first network node, andthe access control processing comprisesdetermining the destination security group information using the destination address,a second set of instructions, executable on the computer system, configured to in response to receipt of the packet at the second network node, make a determination as to whether, at the second network node, the destination group identifier can be associated with the destination address, anda third set of instructions, executable on the computer system, configured toif the determination indicates that, at the second network node, the destination group identifier can be associated with the destination address,associate the destination group identifier with the destination address, andif the determination indicates that, at the second network node, the destination group identifier cannot be associated with the destination address,associate a reserved group identifier with the destination address; and
  
  a non-transitory computer-readable storage medium, wherein the instructions are encoded in the non-transitory computer-readable storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
LOUIE, OSCAR A

Application Number

US13/012,473
Publication Number

US 20110119753A1
Time in Patent Office

1,072 Days
Field of Search

726/13
US Class Current

726/13
CPC Class Codes

H04L 12/56   Packet switching systems

H04L 45/52   Multiprotocol routers

H04L 49/35   Switches specially adapted ...

H04L 61/10   of different types

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

H04L 67/00   Network arrangements or pro...

H04L 69/22   Parsing or analysis of headers

Method and apparatus for best effort propagation of security group information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for best effort propagation of security group information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links