Application based packet forwarding

US 8,873,556 B1
Filed: 12/24/2008
Issued: 10/28/2014
Est. Priority Date: 12/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method for processing packets at a network device, the method comprising:

receiving a plurality of packets associated with a flow, one or more of the plurality of packets having associated header data and content;

based on the content of two or more first packets in the plurality of packets, identifying an application associated with the flow, where none of the first packets is addressed to the network device, wherein identifying the application includes reassembling two or more of the first packets, and performing heuristic analysis on the content of the reassembled two or more of the first packets; and

for one or more second packets associated with the flow, determining a forwarding destination for the second packets based on the application associated with the flow using an application based policy and a non-application based policy;

wherein if the application based policy indicates that the one or more second packets are forwarded to a first destination and the non-application based policy indicates that the one or more second packets are forwarded to a second destination, and wherein the network device is configured with a rule indicating whether to give a preference to the application based policy or to the non-application based policy, then the network device applies the rule to determine whether to forward the one or more second packets to the first destination or to the second destination as the forwarding destination; and

forwarding the one or more second packets according to the determined forwarding destination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer program products, featuring receiving at a network device a plurality of packets associated with a flow, one or more of the plurality of packets having associated header data and content. Based on the content of one or more first packets in the plurality of packets, the network device identifies an application associated with the flow, where none of the first packets is addressed to the network device. For one or more second packets associated with the flow, the network device determines a forwarding destination for the second packets based on the application associated with the flow and forwards the packet according to the determined forwarding destination.

Citations

39 Claims

1. A method for processing packets at a network device, the method comprising:
- receiving a plurality of packets associated with a flow, one or more of the plurality of packets having associated header data and content;
  
  based on the content of two or more first packets in the plurality of packets, identifying an application associated with the flow, where none of the first packets is addressed to the network device, wherein identifying the application includes reassembling two or more of the first packets, and performing heuristic analysis on the content of the reassembled two or more of the first packets; and
  
  for one or more second packets associated with the flow, determining a forwarding destination for the second packets based on the application associated with the flow using an application based policy and a non-application based policy;
  
  wherein if the application based policy indicates that the one or more second packets are forwarded to a first destination and the non-application based policy indicates that the one or more second packets are forwarded to a second destination, and wherein the network device is configured with a rule indicating whether to give a preference to the application based policy or to the non-application based policy, then the network device applies the rule to determine whether to forward the one or more second packets to the first destination or to the second destination as the forwarding destination; and
  
  forwarding the one or more second packets according to the determined forwarding destination.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein:
    - each of the plurality of packets is a Transmission Control Protocol (TCP)/Internet Protocol (IP) packet;
      
      the flow comprises a sequence of one or more packets communicating information between a source and a destination in a TCP connection;
      
      receiving a plurality of packets associated with the flow comprises determining that the plurality of packets are associated with the flow, including for each packet;
      
      identifying a tuple based on the packet including a source address, a source port, a destination address, and a destination port; and
      
      identifying a flow record based on the identified tuple in a flow table corresponding to the flow.
  - 3. The method of claim 1, where identifying the application further includes:
    - performing signature matching and at least one of fixed pattern matching, regular expression matching, and statistical analysis on the content of the reassembled two or more of the first packets.
  - 4. The method of claim 1, where determining a forwarding destination for the packet includes:
    - using a policy based routing table, where the table associates applications with forwarding decisions.
  - 5. The method of claim 1, where the network device is a router or a switch.
  - 6. The method of claim 1, wherein the non-application based policy includes a user based policy.

7. A method for processing packets at a network device, the method comprising:
- receiving a plurality of first packets associated with a flow until an application associated with the flow is identified based on content of at least one of the first packets, where none of the first packets is addressed to the network device;
  
  while receiving the first packets, for each of one or more of the first packets;
  
  forwarding the packet to a destination; and
  
  attempting to identify the application associated with the flow based on the content of at least two of the first packets, wherein identifying the application includes reassembling two or more of the first packets, and performing heuristic analysis on the content of the reassembled two or more of the first packets;
  
  after the application associated with the flow is identified;
  
  receiving one or more second packets associated with the flow; and
  
  determining a forwarding destination for the second packets based on the application using an application based policy and a non-application based policy, wherein if the application based policy indicates that the one or more second packets are forwarded to a first destination and the non-application based policy indicates that the one or more second packets are forwarded to a second destination, and wherein the network device is configured with a rule indicating whether to give a preference to the application based policy or to the non-application based policy, then the network device applies the rule to determine whether to forward the one or more second packets to the first destination or to the second destination as the forwarding destination.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, wherein:
    - each of the plurality of first packets is a Transmission Control Protocol (TCP)/Internet Protocol (IP) packet;
      
      the flow comprises a sequence of one or more packets communicating information between a source and a destination in a TCP connection;
      
      receiving a plurality of first packets associated with the flow comprises determining that the plurality of first packets are associated with the flow, including for each packet;
      
      using the packet, identifying a tuple including a source address, a source port, a destination address, and a destination port; and
      
      using the tuple, identifying a flow record in a flow table corresponding to the flow.
  - 9. The method of claim 7, where attempting to identify the application further comprises:
    - performing signature matching and at least one of fixed pattern matching, regular expression matching, and statistical analysis on the content of the reassembled two or more of the first packets.
  - 10. The method of claim 7, where determining a forwarding destination for the further data packets based on the application includes:
    - using a policy based routing table, where the table associates applications with forwarding decisions.
  - 11. The method of claim 7, where the network device is a router or a switch.
  - 12. The method of claim 7, wherein the non-application based policy includes a user based policy.
  - 13. The method of claim 7, further comprising:
    - forwarding the one or more second packets according to the determined forwarding destination.

14. A computer program product, encoded on a non-transitory computer-readable medium, operable to cause a first network device to perform operations comprising:
- receiving a plurality of packets associated with a flow, one or more of the plurality of packets having associated header data and content;
  
  based on the content of two or more first packets in the plurality of packets, identifying an application associated with the flow, where none of the first packets is addressed to the network device, wherein identifying the application includes reassembling two or more of the first packets, and performing heuristic analysis on the content of the reassembled two or more of the first packets; and
  
  for one or more second packets associated with the flow, determining a forwarding destination for the second packets based on the application associated with the flow using an application based policy and a non-application based policy;
  
  wherein if the application based policy indicates that the one or more second packets are forwarded to a first destination and the non-application based policy indicates that the one or more second packets are forwarded to a second destination, and wherein the network device is configured with a rule indicating whether to give a preference to the application based policy or to the non-application based policy, then the network device applies the rule to determine whether to forward the one or more second packets to the first destination or to the second destination as the forwarding destination; and
  
  forwarding the one or more second packets according to the determined forwarding destination.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer program product of claim 14, wherein:
    - each of the plurality of packets is a Transmission Control Protocol (TCP)/Internet Protocol (IP) packet;
      
      the flow comprises a sequence of one or more packets communicating information between a source and a destination in a TCP connection;
      
      receiving a plurality of packets associated with the flow comprises determining that the plurality of packets are associated with the flow, including for each packet;
      
      identifying a tuple based on the packet including a source address, a source port, a destination address, and a destination port; and
      
      identifying a flow record based on the identified tuple in a flow table corresponding to the flow.
  - 16. The computer program product of claim 14, where identifying the application further includes:
    - performing signature matching and at least one of fixed pattern matching, regular expression matching, and statistical analysis on the content of the reassembled two or more of the first packets.
  - 17. The computer program product of claim 14, where determining a forwarding destination for the packet includes:
    - using a policy based routing table, where the table associates applications with forwarding decisions.
  - 18. The computer program product of claim 14, where the network device is a router or a switch.
  - 19. The computer program product of claim 14, wherein the non-application based policy includes a user based policy.

20. A computer program product, encoded on a non-transitory computer-readable medium, operable to cause a first network device to perform operations comprising:
- receiving a plurality of first packets associated with a flow until an application associated with the flow is identified based on content of at least one of the first packets, where none of the first packets is addressed to the network device;
  
  while receiving the first packets, for each of one or more of the first packets;
  
  forwarding the packet to a destination; and
  
  attempting to identify the application associated with the flow based on the content of at least two of the first packets, wherein identifying the application includes reassembling two or more of the first packets, and performing heuristic analysis on the content of the reassembled two or more of the first packets;
  
  after the application associated with the flow is identified;
  
  receiving one or more second packets associated with the flow;
  
  determining a forwarding destination for the second packets based on the application using an application based policy and a non-application based policy; and
  
  wherein if the application based policy indicates that the one or more second packets are forwarded to a first destination and the non-application based policy indicates that the one or more second packets are forwarded to a second destination, and wherein the network device is configured with a rule indicating whether to give a preference to the application based policy or to the non-application based policy, then the network device applies the rule to determine whether to forward the one or more second packets to the first destination or to the second destination as the forwarding destination.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The computer program product of claim 20, wherein:
    - each of the plurality of first packets is a Transmission Control Protocol (TCP)/Internet Protocol (IP) packet;
      
      the flow comprises a sequence of one or more packets communicating information between a source and a destination in a TCP connection;
      
      receiving a plurality of first packets associated with the flow comprises determining that the plurality of first packets are associated with the flow, including for each packet;
      
      using the packet, identifying a tuple including a source address, a source port, a destination address, and a destination port; and
      
      using the tuple, identifying a flow record in a flow table corresponding to the flow.
  - 22. The computer program product of claim 20, where attempting to identify the application further comprises:
    - performing signature matching and at least one of fixed pattern matching, regular expression matching, and statistical analysis on the content of the reassembled two or more of the first packets.
  - 23. The computer program product of claim 20, where determining a forwarding destination for the further data packets based on the application includes:
    - using a policy based routing table, where the table associates applications with forwarding decisions.
  - 24. The computer program product of claim 20, where the network device is a router or a switch.
  - 25. The computer program product of claim 20, wherein the non-application based policy includes a user based policy.
  - 26. The computer program product of claim 20, further comprising:
    - forwarding the one or more second packets according to the determined forwarding destination.

27. A system comprising:
- a network device comprising one or more processors and one or more network interfaces;
  
  where the network device has encoded on a computer-readable medium instructions operable to cause one or more of the processors of the network device to perform;
  
  using one of the network interfaces, receiving a plurality of packets associated with a flow, one or more of the plurality of packets having associated header data and content;
  
  based on the content of two or more first packets in the plurality of packets, identifying an application associated with the flow, where none of the first packets is addressed to the network device, wherein identifying the application includes reassembling two or more of the first packets, and performing heuristic analysis on the content of the reassembled two or more of the first packets; and
  
  for one or more second packets associated with the flow, determining a forwarding destination for the second packets based on the application associated with the flow using an application based policy and a non-application based policy;
  
  wherein if the application based policy indicates that the one or more second packets are forwarded to a first destination and the non-application based policy indicates that the one or more second packets are forwarded to a second destination, and wherein the network device is configured with a rule indicating whether to give a preference to the application based policy or to the non-application based policy, then the network device applies the rule to determine whether to forward the one or more second packets to the first destination or to the second destination as the forwarding destination; and
  
  forwarding the one or more second packets according to the determined forwarding destination.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The system of claim 27, wherein:
    - each of the plurality of packets is a Transmission Control Protocol (TCP)/Internet Protocol (IP) packet;
      
      the flow comprises a sequence of one or more packets communicating information between a source and a destination in a TCP connection;
      
      receiving a plurality of packets associated with the flow comprises determining that the plurality of packets are associated with the flow, including for each packet;
      
      identifying a tuple based on the packet including a source address, a source port, a destination address, and a destination port; and
      
      identifying a flow record based on the identified tuple in a flow table corresponding to the flow.
  - 29. The system of claim 27, where identifying the application further includes:
    - performing signature matching and at least one of fixed pattern matching, regular expression matching, and statistical analysis on the content of the reassembled two or more of the first packets.
  - 30. The system of claim 27, where determining a forwarding destination for the packet includes:
    - using a policy based routing table, where the table associates applications with forwarding decisions.
  - 31. The system of claim 27, where the network device is a router or a switch.
  - 32. The system of claim 27, wherein the non-application based policy includes a user based policy.

33. A system comprising:
- a network device comprising one or more processors and one or more network interfaces;
  
  where the network device has encoded on a computer-readable medium instructions operable to cause one or more of the processors of the network device to perform;
  
  using one of the network interfaces, receiving a plurality of first packets associated with a flow until an application associated with the flow is identified based on content of at least one of the first packets, where none of the first packets is addressed to the network device;
  
  while receiving the first packets, for each of one or more of the first packets;
  
  forwarding the packet to a destination; and
  
  attempting to identify the application associated with the flow based on the content of at least two of the first packets, wherein identifying the application includes reassembling two or more of the first packets, and performing heuristic analysis on the content of the reassembled two or more of the first packets;
  
  after the application associated with the flow is identified;
  
  receiving one or more second packets associated with the flow; and
  
  determining a forwarding destination for the second packets based on the application using an application based policy and a non-application based policy;
  
  wherein if the application based policy indicates that the one or more second packets are forwarded to a first destination and the non-application based policy indicates that the one or more second packets are forwarded to a second destination, and wherein the network device is configured with a rule indicating whether to give a preference to the application based policy or to the non-application based policy, then the network device applies the rule to determine whether to forward the one or more second packets to the first destination or to the second destination as the forwarding destination.
- View Dependent Claims (34, 35, 36, 37, 38, 39)
- - 34. The system of claim 33, wherein:
    - each of the plurality of first packets is a Transmission Control Protocol (TCP)/Internet Protocol (IP) packet;
      
      the flow comprises a sequence of one or more packets communicating information between a source and a destination in a TCP connection;
      
      receiving a plurality of first packets associated with the flow comprises determining that the plurality of first packets are associated with the flow, including for each packet;
      
      using the packet, identifying a tuple including a source address, a source port, a destination address, and a destination port; and
      
      using the tuple, identifying a flow record in a flow table corresponding to the flow.
  - 35. The system of claim 33, where attempting to identify the application further comprises:
    - performing signature matching and at least one of fixed pattern matching, regular expression matching, and statistical analysis on the content of the reassembled two or more of the first packets.
  - 36. The system of claim 33, where determining a forwarding destination for the further data packets based on the application includes:
    - using a policy based routing table, where the table associates applications with forwarding decisions.
  - 37. The system of claim 33, where the network device is a router or a switch.
  - 38. The system of claim 33, wherein the non-application based policy includes a user based policy.
  - 39. The system of claim 33, further comprising:
    - forwarding the one or more second packets according to the determined forwarding destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zuk, Nir, Xu, Wilson, Gill, Monty S., Cheng, Yonghui
Primary Examiner(s)
Hamza, Faruk
Assistant Examiner(s)
TRAN, THINH D

Application Number

US12/344,067
Time in Patent Office

2,134 Days
Field of Search

None
US Class Current

370/392
CPC Class Codes

H04L 45/306   Route determination based o...

H04L 45/38   Flow based routing

H04L 45/74   Address processing for routing

Application based packet forwarding

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Application based packet forwarding

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links