Routing a packet by a device

US 9,407,605 B2
Filed: 03/31/2014
Issued: 08/02/2016
Est. Priority Date: 09/28/2001
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a device, comprising a memory and a processor, to;

extract information from a layer 2 header of a packet received from a first security zone,the information including a security identifier;

determine, based on the security zone identifier, whether the packet is to be screened,the packet being screened when the packet is intended for a second security zone that is different from the first security zone,the packet not being screened when the packet is intended for the first security zone;

when the packet is intended for the second security zone;

screen the packet for security,process the packet, to obtain a first processed packet, based on a security policy corresponding to the second security zone after screening the packet,determine, based on screening the packet for security, whether to drop the first processed packet or route the first processed packet toward a destination of the packet; and

route the first processed packet to a port of the device for routing toward the destination of the packet based on determining whether to drop or route the first processed packet; and

when the packet is intended for the first security zone;

process the packet to obtain a second processed packet based on a security policy corresponding to the first security zone, androute the second processed packet to the port for routing toward the destination of the packet, without processing the packet based on the security policy corresponding to the second security zone,the port being associated with an address included in the information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.

Citations

17 Claims

1. A system comprising:
- a device, comprising a memory and a processor, to;
  
  extract information from a layer 2 header of a packet received from a first security zone,the information including a security identifier;
  
  determine, based on the security zone identifier, whether the packet is to be screened,the packet being screened when the packet is intended for a second security zone that is different from the first security zone,the packet not being screened when the packet is intended for the first security zone;
  
  when the packet is intended for the second security zone;
  
  screen the packet for security,process the packet, to obtain a first processed packet, based on a security policy corresponding to the second security zone after screening the packet,determine, based on screening the packet for security, whether to drop the first processed packet or route the first processed packet toward a destination of the packet; and
  
  route the first processed packet to a port of the device for routing toward the destination of the packet based on determining whether to drop or route the first processed packet; and
  
  when the packet is intended for the first security zone;
  
  process the packet to obtain a second processed packet based on a security policy corresponding to the first security zone, androute the second processed packet to the port for routing toward the destination of the packet, without processing the packet based on the security policy corresponding to the second security zone,the port being associated with an address included in the information.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, where the device is further to:
    - retrieve the security policy, corresponding to the first security zone, based on the address.
  - 3. The system of claim 1,where the device is further to:
    - compare a security zone identifier associated with the port and the security zone identifier, included in the information, to determine whether the packet is intended for the first security zone or the second security zone.
  - 4. The system of claim 1, where the device is further to:
    - determine the security zone identifier based on the information.
  - 5. The system of claim 1, where the packet is received at the port of the device, andwhere, when the packet is intended for the second security zone, the device is further to:
    - retrieve the security policy, corresponding to the second security zone, based on an identifier of the port.

6. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by a device, cause the device to extract information from a layer 2 header of a packet received from a first security zone,the information including a security zone identifier;
  
  one or more instructions which, when executed by the device, cause the device to determine, based on the security zone identifier, whether the packet is to be screened,the packet being not screened when the packet is intended for the first security zone, andthe packet being screened when the packet is intended for a second security zone that is different from the first security zone;
  
  one or more instructions which, when executed by the device, cause the device to screen the packet for security when the packet is intended for the second security zone;
  
  one or more instructions which, when executed by the device, cause the device to process the packet, to obtain a first processed packet, based on a policy corresponding to the second security zone after screening the packet when the packet is intended for the second security zone;
  
  one or more instructions which, when executed by the device, cause the device to determine, based screening the packet for security, whether the first processed packet is to be dropped or routed toward a destination of the packet when the packet is intended for the second security zone;
  
  one or more instructions which, when executed by the device, cause the device to route the first processed packet to a port of the device for routing toward the destination of the packet based on determining whether the first processed packet is to be dropped or routed;
  
  one or more instructions which, when executed by the device, cause the device to process the packet, to obtain a second processed packet, based on a policy corresponding to the first security zone when the packet is intended for the first security zone; and
  
  one or more instructions which, when executed by the device, cause the device to route the second processed packet to the port for routing toward the destination of the packet based on processing the packet based on the policy corresponding to the first security zone when the packet is intended for the first security zone,the port being associated with an address included in the information.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The non-transitory computer-readable medium of claim 6, where the packet is received at the port of the device, andwhere the instructions further comprise:
    - one or more instructions which, when executed by the device, cause the device to retrieve the policy corresponding to the second security zone based on;
      
      an identifier of the port, andan identifier of another port of the device via which the packet is routed toward the destination of the packet.
  - 8. The non-transitory computer-readable medium of claim 6, where the instructions further comprise:
    - one or more instructions which, when executed by the device, cause the device to determine that the packet is not to be routed toward the destination of the packet; and
      
      one or more instructions which, when executed by the device, cause the device to drop the packet based on determining that the packet is not to be routed toward the destination of the packet.
  - 9. The non-transitory computer-readable medium of claim 6, where the packet is received at the port of the device, andwhere the instructions further include:
    - one or more instructions which, when executed by the device, cause the device to compare a security zone identifier associated with the port and the security zone identifier, included in the information, to determine whether the packet is intended for the first security zone or the second security zone.
  - 10. The non-transitory computer-readable medium of claim 9, where the instructions further comprise:
    - one or more instructions which, when executed by the device, cause the device to determine the security zone identifier associated with the packet based on the information.

11. A method comprising:
- extracting, by a device, information from a layer 2 header of a packet,the information including a security zone identifier;
  
  determining, by the device and using the security zone identifer, whether the packet is to be screened,the packet not being screened when the packet is intended for a first security zone, andthe packet being screened when the packet is intended for a second security zone,the second security zone being different from the first security zone,the packet being received from the first security zone;
  
  when the packet is intended for the second security zone;
  
  screening the packet for security,processing, by the device and after screening the packet, the packet to obtain a first processed packet,the packet being processed based on a policy corresponding to the second security zone,determining, by the device, whether the first processed packet is to be dropped or routed toward a destination of the packet based on screening the packet for security, andselectively routing, by the device, the first processed packet to a port of the device for routing toward the destination of the packet based on determining whether the first processed packet is to be dropped or routed toward the destination of the packet; and
  
  when the packet is intended for the first security zone;
  
  processing, by the device, the packet to obtain a second processed packet,the packet being processed based on a policy corresponding to the first security zone and without processing the packet based on the policy corresponding to the second security zone, androuting, by the device the second processed packet to the port of the device for routing toward the destination of the packet after processing the packet based on the policy corresponding to the first security zone, the port being associated with an address included in the information.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising:
    - examining the packet; and
      
      determining whether the packet is intended for the first security zone or the second security zone based on examining the packet.
  - 13. The method of claim 11, where the packet is received at the port of the device, andwhere the method further comprises:
    - retrieving the policy corresponding to the second security zone based on;
      
      an identifier of the port, andan identifier of another port of the device via which the packet is routed toward the destination of the packet.
  - 14. The method of claim 11, further comprising:
    - determining that the packet is not to be routed toward the destination of the packet; and
      
      dropping the packet based on determining that the packet is not to be routed toward the destination of the packet.
  - 15. The method of claim 11, where the packet is received at the port of the device, andwhere the method further comprises:
    - comparing a security zone identifier associated with the port and a security zone identifier, included in the information, to determine whether the packet is intended for the first security zone or the second security zone.
  - 16. The method of claim 11, further comprising determining the security zone identifier based on the information.
  - 17. The method of claim 16, further comprising:
    - extracting the information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Lian, Roger Jia-Jyi, Huang, Guangsong, Mao, Yuming, Cheung, Lee Chik
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BELL, KALISH K

Application Number

US14/230,210
Publication Number

US 20140215600A1
Time in Patent Office

855 Days
Field of Search

726 1- 3, 726/16, 709/201, 709/202, 709/238
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/04   for providing a confidentia...

H04L 63/102   Entity profiles

H04L 63/162   at the data link layer

Routing a packet by a device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Routing a packet by a device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links