Dynamic filtering for SDN API calls across a security boundary
First Claim
1. A method comprising:
- dynamically loading one or more filters that validate data across an application programming interface (API) boundary in a network element of a software defined network, such that a reboot of the network element is not required to use the one or more filters;
- receiving an API call for an API function associated with the software defined network, wherein the API call contains one or more parameter values associated with the API function;
- validating the parameters using the one or more filters;
- if it is determined that the one or more filters validate the parameters for the API function, executing the API function using the parameter values; and
- if it is determined that the one or more filters do not validate the parameters for the API function, aborting execution of the API function.
Abstract
Presented herein are techniques to reduce the vulnerabilities of network elements to malicious API calls. One or more filters that validate data across an API boundary at a network element are dynamically loaded into the network element such that a reboot of the network element is not required to use the one or more filters. An API call is received for an API function, wherein the API call contains one or more parameter values associated with the API function. The parameters may be validated using the one or more filters. If it is determined that the one or more filters validate the parameters for the API function, the API function may be executed using the parameter values. If it is determined that the one or more filters do not validate the parameters for the API function, the execution of the API function may be aborted.
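The abstract describes the control flow at the API boundary but not what a filter or the dispatch path looks like. The following is an added example, not code from the patent or from any vendor's network element, showing the three outcomes the claims distinguish: execution when the filters accept the parameters, execution when no filter is associated with the function (the branch named in claims 10 and 16), and an abort when a filter rejects them. It also shows the hot-loading property: a filter registered at runtime applies to the next call with no restart. All names (`FilterRegistry`, `ApiBoundary`, `add_flow`, the allowed match fields and the priority range) are hypothetical, and the sample calls are constructed.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

# A filter inspects the parameter dict of one API call and returns
# (accepted, reason). Filters are plain callables, so new ones can be
# registered while the element is running.
Filter = Callable[[Dict[str, Any]], Tuple[bool, str]]


@dataclass
class FilterRegistry:
    """API function name -> list of filters guarding that function."""
    filters: Dict[str, List[Filter]] = field(default_factory=dict)

    def load(self, api_name: str, flt: Filter) -> None:
        # Hot-load: takes effect on the next call, no reboot of the element.
        self.filters.setdefault(api_name, []).append(flt)

    def validate(self, api_name: str, params: Dict[str, Any]) -> Tuple[bool, str]:
        # A function with no associated filters is executed as-is
        # (the "or there are no associated filters" branch of claims 10 and 16).
        for flt in self.filters.get(api_name, []):
            ok, reason = flt(params)
            if not ok:
                return False, reason
        return True, "ok"


@dataclass
class ApiBoundary:
    """Dispatches API calls through the registry before executing them."""
    registry: FilterRegistry
    functions: Dict[str, Callable[..., Any]]
    audit: List[str] = field(default_factory=list)

    def call(self, api_name: str, params: Dict[str, Any]) -> Optional[Any]:
        if api_name not in self.functions:
            self.audit.append(f"ABORT {api_name}: unknown API function")
            return None
        ok, reason = self.registry.validate(api_name, params)
        if not ok:
            self.audit.append(f"ABORT {api_name}: {reason}")
            return None  # abort: the parameters never reach the function
        self.audit.append(f"EXEC {api_name}")
        return self.functions[api_name](**params)


# Hypothetical SDN API function: install a flow entry on a switch.
def add_flow(dpid: int, priority: int, match: Dict[str, Any], actions: List[str]) -> Dict[str, Any]:
    return {"dpid": dpid, "priority": priority, "match": match, "actions": actions}


# Example filters with assumed limits (OpenFlow-style 16-bit priority).
ALLOWED_MATCH_FIELDS = {"in_port", "eth_type", "ipv4_src", "ipv4_dst", "tcp_dst"}
MAX_ACTIONS = 8


def priority_filter(params: Dict[str, Any]) -> Tuple[bool, str]:
    p = params.get("priority")
    if not isinstance(p, int) or isinstance(p, bool) or not 0 <= p <= 65535:
        return False, f"priority {p!r} outside 0..65535"
    return True, "ok"


def match_filter(params: Dict[str, Any]) -> Tuple[bool, str]:
    match = params.get("match")
    if not isinstance(match, dict):
        return False, "match must be a mapping"
    unknown = set(match) - ALLOWED_MATCH_FIELDS
    if unknown:
        return False, f"unknown match fields {sorted(unknown)}"
    return True, "ok"


def actions_filter(params: Dict[str, Any]) -> Tuple[bool, str]:
    actions = params.get("actions")
    if not isinstance(actions, list) or len(actions) > MAX_ACTIONS:
        return False, f"actions must be a list of at most {MAX_ACTIONS}"
    return True, "ok"


def demo() -> Tuple[List[Optional[Any]], List[str]]:
    """Constructed sequence of calls showing hot-loading of filters."""
    registry = FilterRegistry()
    boundary = ApiBoundary(registry, {"add_flow": add_flow})
    bad_call = {"dpid": 1, "priority": 70000, "match": {"in_port": 1}, "actions": ["output:2"]}
    good_call = {"dpid": 1, "priority": 100, "match": {"ipv4_dst": "10.0.0.5"}, "actions": ["output:3"]}
    results: List[Optional[Any]] = []
    # 1. No filters loaded yet: the out-of-range priority is executed.
    results.append(boundary.call("add_flow", bad_call))
    # 2. Load filters at runtime; the element keeps running.
    for flt in (priority_filter, match_filter, actions_filter):
        registry.load("add_flow", flt)
    # 3. The same call is now aborted; a well-formed call still executes,
    #    and a call with an unknown match field is aborted by the second filter.
    results.append(boundary.call("add_flow", bad_call))
    results.append(boundary.call("add_flow", good_call))
    results.append(boundary.call("add_flow", {**good_call, "match": {"vlan_pcp": 3}}))
    return results, boundary.audit


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The audit list is the detection hook: every abort records which function and which filter reason, which is what an operator would forward to logging to spot a controller or tenant sending malformed calls.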
20 Claims
1. A method comprising the steps given in full under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An apparatus comprising:
- a plurality of network ports;
- a network processor unit coupled to the plurality of network ports;
- a processor coupled to the network processor unit, and configured to:
  - dynamically load one or more filters that validate data across an application programming interface (API) boundary in a software defined network, such that a reboot of a network element is not required to use the one or more filters;
  - receive an API call for an API function associated with the software defined network, wherein the API call contains one or more parameter values associated with the API function;
  - validate the parameters using one or more filters that validate data traversing an API boundary of a network element;
  - if it is determined that the one or more filters validate the parameters for the API function or there are no associated filters, execute the API function using the parameter values; and
  - if it is determined that the one or more filters do not validate the parameters for the API function, abort execution of the API function.
Dependent claims: 11, 12, 13, 14, 15
16. A non-transitory computer-readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- dynamically load one or more filters that validate data across an application programming interface (API) boundary in a software defined network, such that a reboot of a network element is not required to use the one or more filters;
- receive an API call for an API function associated with the software defined network, wherein the API call contains one or more parameter values associated with the API function;
- validate the parameters using one or more filters that validate data traversing an API boundary of a network element;
- if it is determined that the one or more filters validate the parameters for the API function or there are no associated filters, execute the API function using the parameter values; and
- if it is determined that the one or more filters do not validate the parameters for the API function, abort execution of the API function.
Dependent claims: 17, 18, 19, 20