System and method for providing switch based subnet management packet (SMP) traffic protection in a middleware machine environment

US 9,332,005 B2
Filed: 07/10/2012
Issued: 05/03/2016
Est. Priority Date: 07/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method for providing switch based subnet management packet (SMP) traffic protection in a middleware machine environment operable on one or more microprocessors, comprising:

storing a defined management key value in a secured memory of a network switch;

receiving, at the network switch, a plurality of SMPs destined for a subnet management agent (SMA);

filtering the plurality of SMPs using the network switch by,checking, in the network switch, whether each of the plurality of SMPs includes a management key value which matches the defined management key value,forwarding from the network switch to the subnet management agent, each of the plurality of SMPs which includes a management key value which matches the defined management key value,blocking, using the network switch, each of the plurality of SMPs which includes a management key value which does not match the defined management key value, andenforcing separate restrictions on SMPs sent from an external port to the SMA and SMPs received at the external port from the SMA.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method can provide switch based subnet management packet (SMP) traffic protection in a middleware machine environment. The middleware machine environment includes a network switch that operates to receive at least one SMP destined for a subnet management agent (SMA). The network switch can check whether the at least one SMP includes a correct management key, and prevent the at least one SMP from being forwarded to the destined SMA when at least one SMP does not include the correct management key. Furthermore, the network switch can specify a different management key for each external port and can enforce separate restrictions on ingress and egress SMP traffic at a particular external port.

100 Citations

20 Claims

1. A method for providing switch based subnet management packet (SMP) traffic protection in a middleware machine environment operable on one or more microprocessors, comprising:
- storing a defined management key value in a secured memory of a network switch;
  
  receiving, at the network switch, a plurality of SMPs destined for a subnet management agent (SMA);
  
  filtering the plurality of SMPs using the network switch by,checking, in the network switch, whether each of the plurality of SMPs includes a management key value which matches the defined management key value,forwarding from the network switch to the subnet management agent, each of the plurality of SMPs which includes a management key value which matches the defined management key value,blocking, using the network switch, each of the plurality of SMPs which includes a management key value which does not match the defined management key value, andenforcing separate restrictions on SMPs sent from an external port to the SMA and SMPs received at the external port from the SMA.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, further comprising:
    - filtering the plurality of SMPs according to a fabric policy.
  - 3. The method according to claim 2, further comprising:
    - allowing each of the plurality of SMPs to be a direct route SMP.
  - 4. The method according to claim 2, further comprising:
    - allowing a subnet manager to use one or more SMPs to communicate with the subnet management agent (SMA) via a particular switch port on the network switch.
  - 5. The method according to claim 1, wherein the network switch has a plurality of external ports, each associated with a different subnet the method further comprising:
    - defining a different management key for each of the plurality of external ports.
  - 6. The method according to claim 1, wherein enforcing separate restrictions on SMPs sent from an external port to the SMA and SMPs received at the external port from the SMA includes:
    - preventing egress of an SMP via the external port if the external port is untrusted and the SMP was received from another untrusted external port but allowing egress of the SMP via the external port if the external port is untrusted and the SMP was received from a trusted external port.
  - 7. The method according to claim 1, further comprising:
    - ensuring, via a subnet manager, that a untrusted remote host channel adapter (HCA) associated with the SMA can only send out one or more SMPs when a correct management key value is specified.
  - 8. The method according to claim 1, further comprising:
    - specifying an SMP rate that defines how fast a remote HCA port is allowed to generate SMPs.
  - 9. The method according to claim 1, further comprising:
    - declaring one or more switch ports to be trusted and allowingSMP requests to be sent from the trusted ports, andSMP responses to be received at the trusted ports.
  - 10. The method according to claim 9, further comprising:
    - allowing only SMA requests to be sent to an untrusted port from the trusted ports.

11. A system for providing switch based subnet management packet traffic protection in a middleware machine environment, comprising:
- one or more microprocessors;
  
  a subnet management agent (SMA) component;
  
  a network switch running on said one or more microprocessors and having a secured memory, wherein the network switch operates tostore a defined management key value in the secured memory;
  
  receive a plurality of SMPs destined for the subnet management agent (SMA); and
  
  filter the plurality of SMPs by,checking, whether each of the plurality of SMPs includes a management key value which matches the defined management key value,forwarding to the subnet management agent, each of the plurality of SMPs which includes a management key value which matches the defined management key value,blocking each of the plurality of SMPs which includes a management key value which does not match the defined management key value, andenforcing separate restrictions on SMPs sent from an external port to the SMA and SMPs received at the external port from the SMA.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system according to claim 11, wherein:
    - the plurality of SMPs are filtered according to a fabric policy.
  - 13. The system according to claim 12, wherein:
    - each of the plurality of SMPs is a direct route SMP.
  - 14. The system according to claim 12, further comprising:
    - a subnet manager which can use one or more SMPs to communicate with a subnet management agent (SMA) via a particular switch port on the network switch.
  - 15. The system according to claim 11, wherein:
    - the network switch comprises a plurality of external ports; and
      
      the network switch operates to store in the secured memory a different defined management key value for of the plurality of external ports on the network switch.
  - 16. The system according to claim 11, wherein enforcing separate restrictions on SMPs sent from an external port to the SMA and SMPs received at the external port from the SMA includes:
    - preventing egress of an SMP via the external port if the external port is untrusted and the SMP was received from another untrusted external port but allowing egress of the SMP via the external port if the external port is untrusted and the SMP was received from a trusted external port.
  - 17. The system according to claim 11, further comprising:
    - a subnet manager, which ensures that a untrusted remote host channel adapter (HCA) associated with the SMA can only send out a SMP when a correct management key value is specified.
  - 18. The system according to claim 11, wherein:
    - the network switch operates to enforce an SMP rate which limits how fast a remote HCA port is allowed to generate SMPs.
  - 19. The system according to claim 11, wherein:
    - the network switch comprises a plurality of trusted switch ports and the network switch allowsSMP requests to be sent from the trusted ports, andSMP responses to be received at the trusted ports.

20. A non-transitory machine readable storage medium having instructions stored thereon for providing switch based subnet management packet (SMP) traffic protection in a middleware machine environment that when executed cause a system to perform steps comprising:
- storing a defined management key value in a secured memory of a network switch;
  
  receiving, at the network switch, a plurality of SMPs destined for a subnet management agent (SMA);
  
  filtering the plurality of SMPs using the network switch by,checking, in the network switch, whether each of the plurality of SMPs includes a management key value which matches the defined management key value,forwarding from the network switch to the subnet management agent, each of the plurality of SMPs which includes a management key value which matches the defined management key value,blocking, using the network switch, each of the plurality of SMPs which includes a management key value which does not match the defined management key value, andenforcing separate restrictions on SMPs sent from an external port to the SMA and SMPs received at the external port from the SMA.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Johnsen, Bjrn Dag, Brean, David, Trudbakken, Ola
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US13/545,803
Publication Number

US 20130019303A1
Time in Patent Office

1,393 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2221/2141   Access rights, e.g. capabil...

H04L 41/0803   Configuration setting

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/083   using passwords cryptograph...

H04L 63/162   at the data link layer

System and method for providing switch based subnet management packet (SMP) traffic protection in a middleware machine environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

100 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing switch based subnet management packet (SMP) traffic protection in a middleware machine environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links