Method and apparatus for best effort propagation of security group information

US 9,407,604 B2
Filed: 12/30/2013
Issued: 08/02/2016
Est. Priority Date: 11/16/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

request authentication of an entity requesting entry into a network, wherein the network comprises a plurality of network nodes;

receiving an authentication message, wherein the authentication message indicates authentication of the entity; and

in response to receipt of the authentication message,determining a security group identifier, whereinthe determining is performed at a first network node,the determining is based on a destination address of the first network node,the security group identifier identifies a destination security group, andthe entity is a member of the destination security group, andpropagating the security group identifier towards a host, whereinthe host is a member of a source security group,the security group identifier comprises information that facilitates a determination by a second network node of whether traffic is permitted between members of the source security group and members of the destination security group,the determination comprises performing a lookup using both the source security group and the security group identifier,the second network node is nearer to the host than is the first network node,the propagating comprises sending the security group identifier from the first network node to the second network node, andthe plurality of network nodes comprises the first network node and the second network node.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.

Citations

20 Claims

1. A method comprising:
- request authentication of an entity requesting entry into a network, wherein the network comprises a plurality of network nodes;
  
  receiving an authentication message, wherein the authentication message indicates authentication of the entity; and
  
  in response to receipt of the authentication message,determining a security group identifier, whereinthe determining is performed at a first network node,the determining is based on a destination address of the first network node,the security group identifier identifies a destination security group, andthe entity is a member of the destination security group, andpropagating the security group identifier towards a host, whereinthe host is a member of a source security group,the security group identifier comprises information that facilitates a determination by a second network node of whether traffic is permitted between members of the source security group and members of the destination security group,the determination comprises performing a lookup using both the source security group and the security group identifier,the second network node is nearer to the host than is the first network node,the propagating comprises sending the security group identifier from the first network node to the second network node, andthe plurality of network nodes comprises the first network node and the second network node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, whereinthe authentication message comprises a security group identifier for the entity, andthe entity is one of a user, a host computer, or a server computer.
  - 3. The method of claim 1, wherein the authenticating further comprises:
    - initiating the authentication of the entity, whereinthe authentication comprisessending a challenge to the entity, andreceiving authentication information from the entity.
  - 4. The method of claim 3, wherein the authentication of the entity comprises:
    - receiving an access acceptance at the first network node, whereinthe access acceptance is received from an authentication, authorization and accounting (AAA) server, andthe access acceptance comprises the security group identifier.
  - 5. The method of claim 1, wherein the determining further comprises:
    - determining a role of the entity;
      
      determining the destination security group using the role; and
      
      assigning the security group identifier based on the destination security group.
  - 6. The method of claim 5, further comprising:
    - populating a forwarding table with the security group identifier.
  - 7. The method of claim 1, wherein the propagating further comprises:
    - issuing a join request, whereinthe join request is configured according to a generic application registration protocol (GARP), andthe join request comprises the security group identifier.
  - 8. The method of claim 7, wherein the propagating further comprises:
    - in response to the join request, performing a join operation, whereinthe join operation results in the entity joining a GARP information propagation (GIP) context.
  - 9. The method of claim 8, whereinthe entity is an applicant in the GIP context.
  - 10. The method of claim 8, the propagating further comprises:
    - receiving the join request; and
      
      determining a multicast group identifier for a multicast group, whereinthe multicast group identifier is determined using a destination address for the multicast group,the multicast group identifier identifies a destination security group for the multicast group, andthe security group identifier is treated as an attribute type of the entity.
  - 11. The method of claim 10, the propagating further comprises:
    - determining whether the join request is for a sender or a receiver; and
      
      in response to the join request being for the sender,allowing the sender to join the multicast group,performing access control processing using the security group identifier, anddetermining whether the entity is allowed to communicate with the multicast group by determining whether the entity is allowed to communicate with the destination security group.
  - 12. The method of claim 10, the propagating further comprises:
    - determining whether the join request is for a sender or a receiver; and
      
      in response to the join request being for the receiver,determining whether the receiver is allowed to join the multicast group,in response to a determination that the receiver is not allowed to join the multicast group,preventing the receiver from joining the GIP context, and otherwise,performing access control processing using the security group identifier; and
      
      determining whether the entity is allowed to communicate with the multicast group by determining whether the entity is allowed to communicate with the destination security group.
  - 13. The method of claim 1, wherein the propagating further comprises:
    - receiving the security group identifier at the second network node;
      
      determining if another security group identifier is associated with a destination, whereinthe security group identifier and the another security group identifier are different from one another; and
      
      if the another security group identifier is associated with the destination, associating a reserved security group identifier with the destination.
  - 14. The method of claim 13, further comprising:
    - if the another security group identifier is not associated with the destination, associating the security group identifier with the destination.
  - 15. The method of claim 13, further comprising:
    - determining if the reserved security group identifier is associated with the destination; and
      
      if the reserved security group identifier is associated with the destination, indicating a packet received at a network node can be sent to another network node, whereinthe packet comprises destination information that identifies the destination as a destination of the packet.

16. A computer system comprising:
- a processor;
  
  a network interface coupled to the processor;
  
  a computer-readable storage medium coupled to the processor; and
  
  a plurality of instructions, encoded in the computer-readable storage medium and configured to cause the processor torequest authentication of an entity requesting entry into a network, whereinthe network comprises a plurality of network nodes,the computer system is a first network node of the plurality of network nodes, andthe computer system is configured to communicate with others of the plurality of network nodes by virtue of being coupled to the network via the network interface,receive an authentication message, whereinthe authentication message indicates authentication of the entity, andin response to receipt of the authentication message,determine a security group identifier for the entity, whereindetermining the security group identifier is performed by the first network node,the determining is based on a destination address of the first network node,the security group identifier identifies a destination security group, andthe entity is a member of the destination security group, andpropagate the security group identifier towards a host, whereinthe host is a member of a source security group,the security group identifier comprises information that facilitates a determination by a second network node of whether traffic is permitted between members of the source security group and members of the destination security group,the determination comprises the second network node performing a lookup using both the source security group and the security group identifier,the second network node is nearer to the host than is the first network node,the instructions configured to cause the processor to propagate comprise instructions configured to cause the processor to send the security group identifier from the first network node to the second network node, andthe plurality of network nodes comprises the second network node.
- View Dependent Claims (17, 18, 19)
- - 17. The computer system of claim 16, wherein the plurality of instructions configured to cause the processor to authenticate is further configured to cause the processor to:
    - initiate the authentication of the entity; and
      
      receive an access acceptance at the first network node, whereinthe access acceptance is received from an authentication, authorization and accounting (AAA) server, andthe access acceptance comprises the security group identifier.
  - 18. The computer system of claim 16, wherein the plurality of instructions configured to cause the processor to propagate is further configured to cause the processor to:
    - issue a join request, whereinthe join request is configured according to a generic application registration protocol (GARP), andthe join request comprises the security group identifier; and
      
      in response to the join request, perform a join operation, whereinthe join operation results in the entity joining a GARP information propagation (GIP) context.
  - 19. The computer system of claim 16, wherein the plurality of instructions configured to cause the processor to propagate is further configured to cause the processor to:
    - receive the security group identifier at the second network node;
      
      determine if another security group identifier is associated with a destination, whereinthe security group identifier and the another security group identifier are different from one another; and
      
      if the another security group identifier is associated with the destination, associate a reserved security group identifier with the destination.

20. A non-transitory computer readable storage medium storing a plurality of instructions, comprising:
- a first set of instructions, executable on a computer system, configured to request authentication of an entity requesting entry into a network, whereinthe network comprises a plurality of network nodes, andthe computer system is a first network node of the plurality of network nodes,a second set of instructions, executable on the computer system, configured to receive an authentication message, whereinthe authentication message indicates authentication of the entity, anda third set of instructions, executable on the computer system, configured to, in response to receipt of the authentication message,determine a security group identifier for the entity, whereindetermining the security group identifier is performed by the first network node,the determining is based on a destination address of the first network node,the security group identifier identifies a destination security group, andthe entity is a member of the destination security group, andpropagate the security group identifier towards a host, whereinthe host is a member of a source security group,the security group identifier comprises information that facilitates a determination by a second network node of whether traffic is permitted between members of the source security group and members of the destination security group,the determination comprises performing a lookup using both the source security group and the security group identifier,the second network node is nearer to the host than is the first network node,the third set of instructions comprise a first subset of instructions, executable on the computer system, configured to send the security group identifier from the first network node to the second network node, andthe plurality of network nodes comprises the second network node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Bell, Kalish

Application Number

US14/143,935
Publication Number

US 20140181953A1
Time in Patent Office

946 Days
Field of Search

726 11- 15
US Class Current

1/1
CPC Class Codes

H04L 12/56   Packet switching systems

H04L 45/52   Multiprotocol routers

H04L 49/35   Switches specially adapted ...

H04L 61/10   of different types

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

H04L 67/00   Network arrangements or pro...

H04L 69/22   Parsing or analysis of headers

Method and apparatus for best effort propagation of security group information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for best effort propagation of security group information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links