Network operating system for managing and securing networks

US 9,083,609 B2
Filed: 09/26/2008
Issued: 07/14/2015
Est. Priority Date: 09/26/2007
Status: Active Grant

First Claim

Patent Images

1. For a network operating system that executes on a network controller computing device and manages a network comprising a plurality of network elements that forward data flows in the network, a method comprising:

configuring forwarding behaviors of the plurality of network elements according to network policies declared by a set of management applications that operate on top of the network operating system, wherein the forwarding behavior of each of the plurality of network elements is specified by a set of flow entries stored on the respective network element;

receiving a packet from a particular network element of the plurality of network elements for a particular data flow when the particular network element is unable to match the packet to a flow entry of the set of flow entries stored on the particular network element;

analyzing the packet according to the declared network policies and a current view of the network comprising a current topology of the plurality of network elements to determine whether to modify a forwarding behavior of the particular network element; and

when the forwarding behavior of the particular network element is to be modified, configuring the particular network element to forward additional packets for the particular data flow.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing a network are described. A view of current state of the network is maintained where the current state of the network characterizes network topology and network constituents, including network entities and network elements residing in or on the network. Events are announced that correspond to changes in the state of the network and one or more network elements can be configured accordingly. Methods for managing network traffic are described that ensure forwarding and other actions taken by network elements implement globally declared network policy and refer to high-level names, independently of network topology and the location of network constituents. Methods for discovering network constituents are described, whereby are automatically configured. Routing may be performed using ACL and packets can be intercepted to permit host to continue in sleep mode. The methods are applicable to virtual environments.

207 Citations

24 Claims

1. For a network operating system that executes on a network controller computing device and manages a network comprising a plurality of network elements that forward data flows in the network, a method comprising:
- configuring forwarding behaviors of the plurality of network elements according to network policies declared by a set of management applications that operate on top of the network operating system, wherein the forwarding behavior of each of the plurality of network elements is specified by a set of flow entries stored on the respective network element;
  
  receiving a packet from a particular network element of the plurality of network elements for a particular data flow when the particular network element is unable to match the packet to a flow entry of the set of flow entries stored on the particular network element;
  
  analyzing the packet according to the declared network policies and a current view of the network comprising a current topology of the plurality of network elements to determine whether to modify a forwarding behavior of the particular network element; and
  
  when the forwarding behavior of the particular network element is to be modified, configuring the particular network element to forward additional packets for the particular data flow.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising managing creation and distribution of system events to the set of management applications.
  - 3. The method of claim 1, wherein the plurality of network elements comprises a set of virtual switches.
  - 4. The method of claim 1, wherein the plurality of network elements forward data to and from virtual machines.
  - 5. The method of claim 1, wherein receiving the packet from the particular network element comprises receiving the packet with a message that indicates the particular network element and a particular port of the particular network element.
  - 6. The method of claim 1, wherein analyzing the packet comprises determining how to handle the packet based on network addresses and high-level names associated with the packet.

7. A non-transitory machine readable medium for storing a network operating system which when executed by a set of processors manages a network comprising a plurality of network elements that forward data flows in the network, the network operating system comprising sets of instructions for:
- configuring forwarding behaviors of the plurality of network elements according to network policies declared by a set of management applications, wherein the forwarding behavior of each of the plurality of network elements is specified by a set of flow entries stored on the respective network element;
  
  receiving a packet from a particular network element of the plurality of network elements for a particular data flow when the particular network element is unable to match the packet to a flow entry of the set of flow entries stored on the particular network element; and
  
  analyzing the packet according to the declared network policies and a current view of the network comprising a current topology of the plurality of network elements to determine whether to modify a forwarding behavior of the particular network element; and
  
  when the forwarding behavior of the particular network element is to be modified, configuring the particular network element to forward additional packets for the particular data flow.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory machine readable medium of claim 7, wherein the network operating system further comprises a set of instructions for managing creation and distribution of system events to the set of management applications.
  - 9. The non-transitory machine readable medium of claim 7, wherein the plurality of network elements comprises a set of virtual switches.
  - 10. The non-transitory machine readable medium of claim 7, wherein the plurality of network elements forward data to and from virtual machines.
  - 11. The non-transitory machine readable medium of claim 7, wherein the set of instructions for receiving the packet from the particular network element comprises a set of instructions for receiving the packet with a message that indicates the particular network element and a particular port of the particular network element.
  - 12. The non-transitory machine readable medium of claim 7, wherein the set of instructions for analyzing the packet comprises a set of instructions for determining how to handle the packet based on network addresses and high-level names associated with the packet.

13. A network controller for managing a network comprising a plurality of network elements that forward data flows in the network, the network controller comprising:
- a set of processors; and
  
  a non-transitory machine readable medium for storing a network operating system comprising sets of instructions for;
  
  configuring forwarding behaviors of the plurality of network elements according to network policies declared by a set of management applications, wherein the forwarding behavior of each of the plurality of network elements is specified by a set of flow entries stored on the respective network element;
  
  receiving a packet from a particular network element of the plurality of network elements for a particular data flow when the particular network element is unable to match the packet to a flow entry of the set of flow entries stored on the particular network element;
  
  analyzing the packet according to the declared network policies and a current view of the network comprising a current topology of the plurality of network elements to determine whether to modify forwarding behaviors of the particular network element; and
  
  when the forwarding behaviors of the particular network element are to be modified, configuring the particular network element to forward additional packets for the particular data flow.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The network controller of claim 13, wherein the network operating system further comprises a set of instructions for managing creation and distribution of system events to the set of management applications.
  - 15. The network controller of claim 13, wherein the plurality of network elements comprises a set of virtual switches.
  - 16. The network controller of claim 13, wherein the plurality of network elements forward data to and from virtual machines.
  - 17. The network controller of claim 13, wherein the set of instructions for receiving the packet from the particular network element comprises a set of instructions for receiving the packet with a message that indicates the particular network element and a particular port of the particular network element.
  - 18. The network controller of claim 13, wherein the set of instructions for analyzing the packet comprises a set of instructions for determining how to handle the packet based on network addresses and high-level names associated with the packet.

19. A network control system comprising:
- a plurality of network elements that forward data flows in a network, wherein forwarding behaviors of each of the plurality of network elements are specified by a set of flow entries stored on the respective network element; and
  
  a network controller comprising a set of processing units, the network controller for configuring the forwarding behaviors of the plurality of network elements according to network policies declared by a set of management applications,wherein each network element of the plurality of network elements is for sending a packet for a particular data flow to the network controller when the respective network element is unable to match the packet to a flow entry of the set of flow entries stored on the respective network element, andwherein the network controller is further for analyzing the received packet according to the declared network policies and a current view of the network comprising a current topology of the plurality of network elements to determine whether to modify forwarding behaviors of the respective network element, when the forwarding behaviors of the respective network element are to be modified, configuring the respective network element to forward additional packets for the particular data flow.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The network control system of claim 19, wherein the network controller is further for managing creation and distribution of system events to the set of management applications.
  - 21. The network control system of claim 19, wherein the plurality of network elements comprises a set of virtual switches.
  - 22. The network control system of claim 19, wherein the plurality of network elements forward data to and from virtual machines.
  - 23. The network control system of claim 19, wherein each network element of the plurality of network elements sends the packet for the particular data flow with a message that indicates the respective network element and a particular port of the respective network element.
  - 24. The network control system of claim 19, wherein the network controller analyzes the packet by determining how to handle the packet based on network addresses and high-level names associated with the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Casado, Martin, Amidon, Keith Eric, Balland, Peter J. III, Gude, Natasha, Pettit, Justin, Pfaff, Benjamin Levy, Shenker, Scott J., Wendlandt, Daniel J.
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
Williams, Clayton R

Application Number

US12/286,098
Publication Number

US 20090138577A1
Time in Patent Office

2,482 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/06   Management of faults, event...

H04L 41/0809   Plug-and-play configuration

H04L 41/082   the condition being updates...

H04L 41/0853   by actively collecting conf...

H04L 41/0859   by keeping history of diffe...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/12   Discovery or management of ...

H04L 41/40   using virtualisation of net...

H04L 43/0817   by checking functioning

Network operating system for managing and securing networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

207 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Network operating system for managing and securing networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

207 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others