Method and apparatus for best effort propagation of security group information
First Claim
1. A method comprising:
request authentication of an entity requesting entry into a network, wherein the network comprises a plurality of network nodes;
receiving an authentication message, wherein the authentication message indicates authentication of the entity; and
in response to receipt of the authentication message, determining a security group identifier, wherein the determining is performed at a first network node, the determining is based on a destination address of the first network node, the security group identifier identifies a destination security group, and the entity is a member of the destination security group, and propagating the security group identifier towards a host, wherein the host is a member of a source security group, the security group identifier comprises information that facilitates a determination by a second network node of whether traffic is permitted between members of the source security group and members of the destination security group, the determination comprises performing a lookup using both the source security group and the security group identifier, the second network node is nearer to the host than is the first network node, the propagating comprises sending the security group identifier from the first network node to the second network node, and the plurality of network nodes comprises the first network node and the second network node.
Abstract
A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.
20 Claims
1. A method comprising:
request authentication of an entity requesting entry into a network, wherein the network comprises a plurality of network nodes; receiving an authentication message, wherein the authentication message indicates authentication of the entity; and in response to receipt of the authentication message, determining a security group identifier, wherein the determining is performed at a first network node, the determining is based on a destination address of the first network node, the security group identifier identifies a destination security group, and the entity is a member of the destination security group, and propagating the security group identifier towards a host, wherein the host is a member of a source security group, the security group identifier comprises information that facilitates a determination by a second network node of whether traffic is permitted between members of the source security group and members of the destination security group, the determination comprises performing a lookup using both the source security group and the security group identifier, the second network node is nearer to the host than is the first network node, the propagating comprises sending the security group identifier from the first network node to the second network node, and the plurality of network nodes comprises the first network node and the second network node. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
16. A computer system comprising:
a processor; a network interface coupled to the processor; a computer-readable storage medium coupled to the processor; and a plurality of instructions, encoded in the computer-readable storage medium and configured to cause the processor to request authentication of an entity requesting entry into a network, wherein the network comprises a plurality of network nodes, the computer system is a first network node of the plurality of network nodes, and the computer system is configured to communicate with others of the plurality of network nodes by virtue of being coupled to the network via the network interface, receive an authentication message, wherein the authentication message indicates authentication of the entity, and in response to receipt of the authentication message, determine a security group identifier for the entity, wherein determining the security group identifier is performed by the first network node, the determining is based on a destination address of the first network node, the security group identifier identifies a destination security group, and the entity is a member of the destination security group, and propagate the security group identifier towards a host, wherein the host is a member of a source security group, the security group identifier comprises information that facilitates a determination by a second network node of whether traffic is permitted between members of the source security group and members of the destination security group, the determination comprises the second network node performing a lookup using both the source security group and the security group identifier, the second network node is nearer to the host than is the first network node, the instructions configured to cause the processor to propagate comprise instructions configured to cause the processor to send the security group identifier from the first network node to the second network node, and the plurality of network nodes comprises the second network node. 
- View Dependent Claims (17, 18, 19)
20. A non-transitory computer readable storage medium storing a plurality of instructions, comprising:
a first set of instructions, executable on a computer system, configured to request authentication of an entity requesting entry into a network, wherein the network comprises a plurality of network nodes, and the computer system is a first network node of the plurality of network nodes, a second set of instructions, executable on the computer system, configured to receive an authentication message, wherein the authentication message indicates authentication of the entity, and a third set of instructions, executable on the computer system, configured to, in response to receipt of the authentication message, determine a security group identifier for the entity, wherein determining the security group identifier is performed by the first network node, the determining is based on a destination address of the first network node, the security group identifier identifies a destination security group, and the entity is a member of the destination security group, and propagate the security group identifier towards a host, wherein the host is a member of a source security group, the security group identifier comprises information that facilitates a determination by a second network node of whether traffic is permitted between members of the source security group and members of the destination security group, the determination comprises performing a lookup using both the source security group and the security group identifier, the second network node is nearer to the host than is the first network node, the third set of instructions comprise a first subset of instructions, executable on the computer system, configured to send the security group identifier from the first network node to the second network node, and the plurality of network nodes comprises the second network node.
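The procedure of claim 1 together with the best-effort rule from the abstract, as an added model (not the patent's own code): the first node learns the authenticated entity's group, propagates the binding toward the host, and the node nearer the host decides with a lookup on both groups. It assumes a two-node path, integer group identifiers, a constructed policy table, and the value 0 as the reserved "not yet known" identifier.

```python
# Added example, not from the patent: models claim 1 and the abstract's
# best-effort rule on a two-node path with a source/destination group lookup.
from dataclasses import dataclass, field

RESERVED_SG = 0  # assumed value for the reserved identifier: group not yet known here

# Policy table: (source security group, destination security group) -> permit.
# Constructed sample policy; any pair absent from the table is denied.
POLICY = {(10, 20): True, (10, 30): False, (20, 20): True}


@dataclass
class Node:
    name: str
    toward_host: "Node | None" = None              # next hop nearer the source host
    bindings: dict = field(default_factory=dict)   # destination address -> group id

    def sg_for(self, dest_addr: str) -> int:
        """Group id bound to an address, or the reserved id if none was learned."""
        return self.bindings.get(dest_addr, RESERVED_SG)

    def propagate(self, dest_addr: str, sg: int) -> None:
        """Send the binding hop by hop toward the host (claim 1 'propagating')."""
        hop = self.toward_host
        while hop is not None:
            hop.bindings[dest_addr] = sg
            hop = hop.toward_host


def on_authenticated(first_node: Node, dest_addr: str, dest_sg: int) -> int:
    """On the authentication message, the first node binds the entity's
    address to its destination group and propagates that toward the host."""
    first_node.bindings[dest_addr] = dest_sg
    first_node.propagate(dest_addr, dest_sg)
    return dest_sg


def enforce(node: Node, src_sg: int, dest_addr: str) -> str:
    """Decision at the node nearer the host: 'permit', 'deny', or 'forward'.
    A reserved id means the group is unknown here, so the packet is sent on
    (best effort) for a node closer to the destination to decide."""
    dest_sg = node.sg_for(dest_addr)
    if dest_sg == RESERVED_SG:
        return "forward"
    return "permit" if POLICY.get((src_sg, dest_sg), False) else "deny"
```

Before the binding is propagated the host-side node can only forward; afterwards it enforces the (source group, destination group) policy itself, which is the point of pushing the identifier toward the source.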