Method and apparatus for best effort propagation of security group information
Abstract
A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.
18 Claims
1. A method comprising:
    in response to receipt of a first packet at a first network node of a network, propagating a packet from the first network node to a second network node of the network, wherein
        the network comprises a plurality of network nodes,
        the network nodes comprise the first network node and the second network node,
        the first packet is received from the second network node via the network,
        the first packet comprises source security group information, and a destination address,
        the destination address is an address of a destination of the first packet,
        the source security group information identifies a source security group,
        a source of the first packet is a member of the source security group,
        the packet comprises access control information,
        the access control information comprises the source security group information, destination security group information, and the destination address,
        the destination security group information identifies a destination security group,
        the destination is a member of the destination security group,
        the propagating is performed in response to access control processing performed on the first packet at the first network node after the first packet has been received by the first network node, and
        the access control processing comprises determining the destination security group information using the destination address;
    in response to receipt of the packet at the second network node, making a determination as to whether, at the second network node, the destination group identifier can be associated with the destination address;
    if the determination indicates that, at the second network node, the destination group identifier can be associated with the destination address, associating the destination group identifier with the destination address; and
    if the determination indicates that, at the second network node, the destination group identifier cannot be associated with the destination address, associating a reserved group identifier with the destination address.
(Dependent claims 2 through 12 depend from claim 1.)
13. A computer system comprising:
    a processor;
    a computer-readable storage medium coupled to the processor; and
    a plurality of instructions, encoded in the computer-readable medium, configured to cause the processor to
        in response to receipt of a first packet at a first network node of a network, propagate a packet from the first network node to a second network node of the network, wherein
            the network comprises a plurality of network nodes,
            the network nodes comprise the first network node and the second network node,
            the first packet is received from the second network node via the network,
            the first packet comprises source security group information, and a destination address,
            the destination address is an address of a destination of the first packet,
            the source security group information identifies a source security group,
            a source of the first packet is a member of the source security group,
            the packet comprises access control information,
            the access control information comprises the source security group information, destination security group information, and the destination address,
            the destination security group information identifies a destination security group,
            the destination is a member of the destination security group,
            the propagating is performed in response to access control processing performed on the first packet at the first network node after the first packet has been received by the first network node, and
            the access control processing comprises determining the destination security group information using the destination address,
        in response to receipt of the packet at the second network node, make a determination as to whether, at the second network node, the destination group identifier can be associated with the destination address,
        if the determination indicates that, at the second network node, the destination group identifier can be associated with the destination address, associate the destination group identifier with the destination address, and
        if the determination indicates that, at the second network node, the destination group identifier cannot be associated with the destination address, associate a reserved group identifier with the destination address.
(Dependent claims 14 through 17 depend from claim 13.)
18. A computer program product comprising:
    a plurality of instructions, comprising
        a first set of instructions, executable on a computer system, configured to, in response to receipt of a first packet at a first network node of a network, propagate a packet from the first network node to a second network node of the network, wherein
            the network comprises a plurality of network nodes,
            the network nodes comprise the first network node and the second network node,
            the first packet is received from the second network node via the network,
            the first packet comprises source security group information, and a destination address,
            the destination address is an address of a destination of the first packet,
            the source security group information identifies a source security group,
            a source of the first packet is a member of the source security group,
            the packet comprises access control information,
            the access control information comprises the source security group information, destination security group information, and the destination address,
            the destination security group information identifies a destination security group,
            the destination is a member of the destination security group,
            the propagating is performed in response to access control processing performed on the first packet at the first network node after the first packet has been received by the first network node, and
            the access control processing comprises determining the destination security group information using the destination address,
        a second set of instructions, executable on the computer system, configured to, in response to receipt of the packet at the second network node, make a determination as to whether, at the second network node, the destination group identifier can be associated with the destination address, and
        a third set of instructions, executable on the computer system, configured to, if the determination indicates that, at the second network node, the destination group identifier can be associated with the destination address, associate the destination group identifier with the destination address, and if the determination indicates that, at the second network node, the destination group identifier cannot be associated with the destination address, associate a reserved group identifier with the destination address; and
    a non-transitory computer-readable storage medium, wherein the instructions are encoded in the non-transitory computer-readable storage medium.
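The sequence the independent claims describe, written out as an added Python illustration (this is not the patent's own implementation and is not code from the patent holder): a second node receives a packet for a destination whose security group it cannot resolve, so it binds the reserved identifier and forwards; the first node, which can resolve the destination address to a group, performs access control and propagates the access control information (source group, destination group, destination address) back; the second node then associates that group with the address if it can, or the reserved identifier if it cannot. Node names, the reserved identifier value 0, the cache capacity, the permit matrix, the addresses and the conditions under which a node "cannot" associate a binding are all assumptions made for the example.

```python
"""Best-effort propagation of security group bindings: an added illustration,
not the patent's own implementation.  Node names, the reserved identifier
value 0, the cache capacity and the permit matrix are all assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RESERVED_GROUP = 0   # assumed value of the reserved ("unknown") group identifier
CACHE_CAPACITY = 2   # assumed limit on address-to-group bindings a node can hold


@dataclass
class Packet:
    src_ip: str
    dst_ip: str                       # the destination address
    src_group: int                    # source security group information
    dst_group: Optional[int] = None   # destination security group information


@dataclass
class Node:
    name: str
    # assumed: bindings this node knows authoritatively (e.g. directly attached hosts)
    authoritative: Dict[str, int] = field(default_factory=dict)
    # assumed: permit matrix keyed by (source group, destination group)
    policy: Dict[Tuple[int, int], bool] = field(default_factory=dict)
    # destination address -> group identifier learned from propagated packets
    cache: Dict[str, int] = field(default_factory=dict)

    def destination_group(self, dst_ip: str) -> int:
        """Determine destination group information from the destination address;
        an address with no known binding maps to the reserved identifier."""
        if dst_ip in self.authoritative:
            return self.authoritative[dst_ip]
        return self.cache.get(dst_ip, RESERVED_GROUP)

    def access_control(self, pkt: Packet) -> str:
        """Access control processing.  Returns 'permit', 'deny' or 'forward';
        'forward' is the best-effort case: the reserved identifier means this
        node cannot decide, so the packet is sent on to a node that can."""
        pkt.dst_group = self.destination_group(pkt.dst_ip)
        if pkt.dst_group == RESERVED_GROUP:
            return "forward"
        return "permit" if self.policy.get((pkt.src_group, pkt.dst_group), False) else "deny"

    def associate(self, dst_ip: str, dst_group: int) -> int:
        """Step performed at the second node on receipt of the propagated packet.
        Binds dst_group to dst_ip if it can, otherwise the reserved identifier.
        The 'cannot' conditions used here (reserved group, full cache) are assumptions."""
        can_bind = dst_group != RESERVED_GROUP and (
            dst_ip in self.cache or len(self.cache) < CACHE_CAPACITY)
        self.cache[dst_ip] = dst_group if can_bind else RESERVED_GROUP
        return self.cache[dst_ip]


def propagate(first: Node, second: Node, pkt: Packet) -> Tuple[str, int]:
    """The claimed sequence: the first node classifies the packet it received from
    the second node, then propagates access control information (source group,
    destination group, destination address) to the second node, which records the
    binding.  Propagation happens whatever the verdict on the first packet was."""
    verdict = first.access_control(pkt)
    aci = (pkt.src_group, pkt.dst_group, pkt.dst_ip)   # access control information
    bound = second.associate(aci[2], aci[1])
    return verdict, bound


def demo() -> Tuple[str, str, int, str]:
    """Constructed scenario: the edge node lacks the server's binding and forwards;
    the core node knows it, permits, and propagates the binding; the edge node
    then enforces the next packet to the same destination itself."""
    policy = {(10, 20): True}   # assumed: group 10 may reach group 20
    edge = Node("edge", policy=policy)
    core = Node("core", authoritative={"10.0.0.5": 20}, policy=policy)
    pkt = Packet("10.0.1.7", "10.0.0.5", src_group=10)
    before = edge.access_control(pkt)              # reserved id -> "forward"
    verdict, bound = propagate(core, edge, pkt)    # "permit", 20
    after = edge.access_control(Packet("10.0.1.7", "10.0.0.5", src_group=10))
    return before, verdict, bound, after


if __name__ == "__main__":
    print(demo())
```

The point the reserved identifier buys is visible in `access_control`: a node never fails closed or open on an address it cannot classify; it defers, and once the binding has been propagated the same node can enforce at ingress. When the second node cannot store the binding (here modelled as a full cache), it keeps the reserved identifier and continues to forward, which is the "best effort" in the title.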
Specification