Privilege-based access admission table

US 8,873,555 B1
Filed: 02/02/2006
Issued: 10/28/2014
Est. Priority Date: 02/02/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of processing data packets in a network, the method comprising:

receiving a data packet at a network interface from a source device requesting access to a resource provided in the network;

extracting from the data packet a source address of the source device and a destination address of a destination device to which the data packet is to be transmitted;

performing a first query in an address database to retrieve a first device category associated with the source address, the first device category being of a plurality of first device categories of devices requesting access to resources in the network;

performing a second query in the address database to retrieve a second device category associated with the destination address, the second device category being of a plurality of second device categories of devices providing the resources in the network;

determining a command to assign the data packet in response to the source address being associated with the first device category and the destination address being associated with the second device category, the command identifying how to process the data packet; and

assigning the command to the data packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data packets are received at a network interface. A source address and a destination address are extracted from each data packet. Thereafter, a first query is performed in an address database to retrieve access group information associated with the source address. A second query is performed in the address database to retrieve resource group information associated with the destination address. Based upon the access group and the resource group, a command is assigned to the data packet. Optionally, the access group information and resource group information are used in connection with an access matrix to assign the command to the data packet.

22 Citations

View as Search Results

32 Claims

1. A method of processing data packets in a network, the method comprising:
- receiving a data packet at a network interface from a source device requesting access to a resource provided in the network;
  
  extracting from the data packet a source address of the source device and a destination address of a destination device to which the data packet is to be transmitted;
  
  performing a first query in an address database to retrieve a first device category associated with the source address, the first device category being of a plurality of first device categories of devices requesting access to resources in the network;
  
  performing a second query in the address database to retrieve a second device category associated with the destination address, the second device category being of a plurality of second device categories of devices providing the resources in the network;
  
  determining a command to assign the data packet in response to the source address being associated with the first device category and the destination address being associated with the second device category, the command identifying how to process the data packet; and
  
  assigning the command to the data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 29, 31)
- - 2. The method of claim 1, wherein the plurality of first device categories specifies a first dimension of an access matrix, wherein the plurality of second device categories specifies a second dimension of the access matrix, wherein determining the command to assign the data packet comprises determining an entry in the access matrix defined by an intersection of the first and the second dimensions corresponding to the first and second device categories.
  - 3. The method of claim 1, wherein the command assigned to the data packet is selected from the group consisting of FORWARD, SOFT DROP, and HARD DROP.
  - 4. The method of claim 3, further comprising logging information about data packets that are assigned the command HARD DROP or SOFT DROP.
  - 5. The method of claim 1, wherein the first device category is indicative of a privilege level associated with the source device and the second device category is indicative of a privilege level associated with the destination device.
  - 6. The method of claim 1, further comprising:
    - receiving authentication data packets at the network interface, and changing access group information associated with the plurality of first device categories and resource group information associated with the plurality of second device categories as directed by the authentication data packets.
  - 7. The method of claim 6, wherein the authentication data packets originate from an authentication server connected to the network and the authentication server requires a password, smart card, or biometric identification before sending authentication packets.
  - 8. The method of claim 1, wherein the source and destination addresses are one of Layer 2 addresses and Layer 3 addresses.
  - 9. The method of claim 8, wherein the source and destination addresses are Layer 2 addresses wherein the address database includes a forwarding address database.
  - 10. The method of claim 9, further comprising:
    - retrieving a first default value that is assigned to the data packet when the source address is not found in the forwarding address database and retrieving a second default value that is assigned to the data packet when the destination address is not found in the forwarding address database.
  - 11. The method of claim 8, wherein the source and destination addresses are Layer 3 addresses, and wherein the address database includes a destination address entry corresponding to a network broadcast address.
  - 12. The method of claim 8, wherein the source and destination addresses are Layer 3 addresses, and wherein the address database includes a next-hop table.
  - 13. The method of claim 12, wherein a longest prefix match algorithm is used to retrieve the access group information associated with the source address and the resource group information associated with the destination address.
  - 14. The method of claim 12, wherein the next-hop table includes access group information characterized by a first default value and resource group information characterized by a second default value.
  - 29. The method of claim 1, wherein the first device category indicates a first level of trustworthiness associated with the source device and the second device category indicates a second level of trustworthiness associated with the destination device.
  - 31. The method as recited in claim 1, wherein each of the plurality of first device categories and the plurality of second device categories comprises two or more of an untrusted host, a trusted host, an authentication server, or a router.

15. A network device for processing data packet traffic, the network device comprising:
- a network interface configured to receive a data packet from a source device requesting access to a resource provided in a network;
  
  a parsing engine configured to extract from the data packet a source address of the source device and a destination address of a destination device to which the data packet is to be transmitted;
  
  an address database;
  
  a query engine configured to;
  
  retrieve a first device category associated with the source address from the address database, the first device category being of a plurality of first device categories of devices requesting access to resources in the network, andretrieve a second device category associated with the destination address from the address database, the second device category being of a plurality of second device categories of devices providing the resources in the network; and
  
  a processing engine configured to;
  
  determine a command to assign the data packet in response to the source address being associated with the first device category and the destination address being associated with the second device category, the command identifying how to process the data packet; and
  
  assign the command to the data packet.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 32)
- - 16. The network device as recited in claim 15, wherein the plurality of first device categories specifies a first dimension of an access matrix, wherein the plurality of second device categories specifies a second dimension of the access matrix, and wherein the processing engine is configured to determine an entry in the access matrix defined by an intersection of the first and second dimensions row corresponding to the first and second device categories.
  - 17. The network device as recited in claim 15, wherein the command assigned to the data packet is selected from the group consisting of FORWARD, SOFT DROP, and HARD DROP.
  - 18. The network device as recited in claim 17, wherein the processing engine is further configured to log information about data packets that are assigned the command HARD DROP or SOFT DROP.
  - 19. The network device as recited in claim 15, wherein the first device category is indicative of a privilege level associated with the source device and wherein second device category is indicative of a privilege level associated with the destination device.
  - 20. The network device as recited in claim 15, wherein the query engine is further configured to modify an entry in the address database in response to authentication data packets received at the network interface.
  - 21. The network device as recited in claim 20, wherein the authentication data packets originate from an authentication server connected to the network and wherein the authentication server requires a password, smart card, or biometric identification before sending authentication packets.
  - 22. The network device as recited in claim 15, wherein the source address and the destination address are one of Layer 2 addresses and Layer 3 addresses.
  - 23. The network device as recited in claim 22, wherein the source and destination addresses are Layer 2 addresses, and wherein the address database includes a forwarding address database.
  - 24. The network device as recited in claim 23, wherein the query engine is further configured to retrieve a first default value that is assigned to the data packet when the source address is not found in the forwarding address database and retrieve a second default value that is assigned to the data packet when the destination address is not found in the forwarding address database.
  - 25. The network device as recited in claim 22, wherein the source and destination addresses are Layer 3 addresses, and wherein the address database includes a destination address entry corresponding to a network broadcast address.
  - 26. The network device as recited in claim 22, wherein the source and destination addresses are Layer 3 addresses, and wherein the address database includes a next-hop table.
  - 27. The network device as recited in claim 26, wherein a longest prefix match algorithm is used to retrieve access group information associated with the source address and resource group information associated with the destination address.
  - 28. The network device as recited in claim 26, wherein the next-hop table includes access group information characterized by a first default value and resource group information characterized by a second default value.
  - 30. The network device as recited in claim 15, wherein the first device category indicates a first level of trustworthiness associated with the source device and the second device category indicates a second level of trustworthiness associated with the destination device.
  - 32. The network device as recited in claim 15, wherein each of the plurality of first device categories and the plurality of second device categories comprises two or more of an untrusted host, a trusted host, an authentication server, or a router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Marvell Israel Limited (Marvell Technology Group Limited)
Original Assignee
Marvell Israel Limited (Marvell Technology Group Limited)
Inventors
Arad, Nir
Primary Examiner(s)
Moore, Jr., Michael J

Application Number

US11/347,444
Time in Patent Office

3,190 Days
Field of Search

370/401, 370/352, 370/289, 370/353, 370/216, 370/225, 705/26, 705/40, 726/22, 726/29, 726/23, 726/11, 726/6
US Class Current

370/392
CPC Class Codes

H04L 12/462   LAN interconnection over a ...

H04L 45/745   Address table lookup; Addre...

H04L 45/748   using longest matching prefix

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

Privilege-based access admission table

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Privilege-based access admission table

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links