Security mediation for dynamically programmable network

US 9,705,918 B2
Filed: 03/13/2013
Issued: 07/11/2017
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during live operation of the network, wherein the network is dynamically programmable, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein a flow rule can be implemented by a network switch on the network;

comparing the candidate flow rule against a set of currently active flow rules, wherein the set of currently active flow rules control a flow of communications across the network during live operation of the network;

determining that the candidate flow rule does not conflict with the set of currently active flow rules, wherein determining that the candidate flow rule does not conflict includes determining that a same action is associated with both the candidate flow rule and a rule from the set of currently active flow rules; and

transmitting a packet when the candidate flow rule does not conflict with the set of currently active flow rules, wherein the packet is configured to reprogram the network switch during live operation of the network, wherein reprogramming the network switch includes adding the candidate flow rule to the network switch.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.

Citations

33 Claims

1. A method, comprising:
- receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during live operation of the network, wherein the network is dynamically programmable, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein a flow rule can be implemented by a network switch on the network;
  
  comparing the candidate flow rule against a set of currently active flow rules, wherein the set of currently active flow rules control a flow of communications across the network during live operation of the network;
  
  determining that the candidate flow rule does not conflict with the set of currently active flow rules, wherein determining that the candidate flow rule does not conflict includes determining that a same action is associated with both the candidate flow rule and a rule from the set of currently active flow rules; and
  
  transmitting a packet when the candidate flow rule does not conflict with the set of currently active flow rules, wherein the packet is configured to reprogram the network switch during live operation of the network, wherein reprogramming the network switch includes adding the candidate flow rule to the network switch.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein comparing the candidate flow rule against the set of currently active flow rules includes determining whether an action of the candidate flow rule is also an action of a rule from the set of currently active flow rules.
  - 3. The method of claim 1, further comprising:
    - determining whether the candidate flow rule includes a particular set action, wherein a set action modifies a communication associated with the set action; and
      
      expanding the candidate flow rule to include a modification associated with the particular set action.
  - 4. The method of claim 3, wherein the set of currently active flow rules are associated with priorities, and wherein the expanded candidate flow rule is compared against the set of currently active flow rules in a decreasing order of the priorities.
  - 5. The method of claim 3, wherein determining that the candidate flow rule does not conflict with the set of currently active flow rules includes determining that the expanded candidate flow rule does not conflict with the set of currently active flow rules.
  - 6. The method of claim 1, wherein a flow rule is associated with a match field, wherein a match field can be used to determine whether a communication corresponds to the flow rule, and wherein comparing the candidate flow rule against the set of currently active flow rules includes determining whether a value associated with a match field of the candidate flow rule is also a value associated with a match field of a rule from the set of currently active flow rules.
  - 7. The method of claim 1, further comprising:
    - determining that a match field of the candidate flow rule permits a new value to be substituted for a value in the match field; and
      
      expanding the candidate flow rule to include the new value, wherein comparing the candidate flow rule against the set of currently active flow rules includes comparing the expanded candidate flow rule against the set of currently active flow rules.
  - 8. The method of claim 1, further comprising:
    - determining that a match field of a currently active flow rule permits a new value to be substituted for a value in the match field;
      
      expanding the currently active flow rule to include the new value, wherein comparing the candidate flow rule against the set of currently active flow rules includes comparing the candidate flow rule against the expanded currently active flow rule.
  - 9. The method of claim 8, further comprising:
    - updating the set of currently active flow rules to include the expanded currently active flow rule.
  - 10. The method of claim 1, wherein the currently active flow rules are associated with priorities, and wherein the candidate flow rule is compared against the set of currently active flow rules in a decreasing order of the priorities.
  - 11. The method of claim 1, further comprising:
    - updating the set of currently active flow rules to include the candidate flow rule.

12. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
- receive, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during live operation of the network, wherein the network is dynamically programmable, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein a flow rule can be implemented by a network switch on the network;
  
  compare the candidate flow rule against a set of currently active flow rules, wherein the set of currently active flow rules control a flow of communications across the network during live operation of the network;
  
  determine that the candidate flow rule does not conflict with the set of currently active flow rules, wherein determining that the candidate flow rule does not conflict includes determining that a same action is associated with both the candidate flow rule and a rule from the set of currently active flow rules; and
  
  transmit a packet when the candidate flow rule does not conflict with the set of currently active flow rules, wherein the packet is configured to reprogram the network switch during live operation of the network, wherein reprogramming the network switch includes adding the candidate flow rule to the network switch.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer-program product of claim 12, wherein the instructions for comparing the candidate flow rule against the set of currently active flow rules include instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine whether an action of the candidate flow rule is also an action of a rule from the set of currently active flow rules.
  - 14. The computer-program product of claim 12, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine whether the candidate flow rule includes a particular set action, wherein a set action modifies a communication associated with the set action; and
      
      expand the candidate flow rule to include a modification associated with the particular set action.
  - 15. The computer-program product of claim 14, wherein the set of currently active flow rules are associated with priorities, and wherein the expanded candidate flow rule is compared against the set of currently active flow rules in a decreasing order of the priorities.
  - 16. The computer-program product of claim 14, wherein the instructions for determining that the candidate flow rule does not conflict with the set of currently active flow rules include instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine that the expanded candidate flow rule does not conflict with the set of currently active flow rules.
  - 17. The computer-program product of claim 12, wherein a flow rule is associated with a match field, wherein a match field can be used to determine whether a communication corresponds to the flow rule, and wherein the instructions for comparing the candidate flow rule against the set of currently active flow rules include instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine whether a value associated with a match field of the candidate flow rule is also a value associated with a match field of a rule from the set of currently active flow rules.
  - 18. The computer-program product of claim 12, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine that a match field of the candidate flow rule permits a new value to be substituted for a value in the match field; and
      
      expand the candidate flow rule to include the new value, wherein comparing the candidate flow rule against the set of currently active flow rules includes comparing the expanded candidate flow rule against the set of currently active flow rules.
  - 19. The computer-program product of claim 12, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine that a match field of a currently active flow rule permits a new value to be substituted for a value in the match field;
      
      expand the currently active flow rule to include the new value, wherein comparing the candidate flow rule against the set of currently active flow rules includes comparing the candidate flow rule against the expanded currently active flow rule.
  - 20. The computer-program product of claim 19, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to:
    - update the set of currently active flow rules to include the expanded currently active flow rule.
  - 21. The computer-program product of claim 12, wherein the currently active flow rules are associated with priorities, and wherein the candidate flow rule is compared against the set of currently active flow rules in a decreasing order of the priorities.
  - 22. The computer-program product of claim 12, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to:
    - update the set of currently active flow rules to include the candidate flow rule.

23. A computing system on a network, comprising:
- one or more processors; and
  
  a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including;
  
  receiving a candidate flow rule, wherein the candidate flow rule is received during live operation of the network, wherein the network is dynamically programmable, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein a flow rule can be implemented by a network switch on the network;
  
  comparing the candidate flow rule against a set of currently active flow rules, wherein the set of currently active flow rules control a flow of communications across the network during live operation of the network;
  
  determining that the candidate flow rule does not conflict with the set of currently active flow rules, wherein determining that the candidate flow rule does not conflict includes determining that a same action is associated with both the candidate flow rule and a rule from the set of currently active flow rules; and
  
  transmitting a packet when the candidate flow rule does not conflict with the set of currently active flow rules, wherein the packet is configured to reprogram the network switch during live operation of the network, wherein reprogramming the network switch includes adding the candidate flow rule to the network switch.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computing system of claim 23, wherein the instructions for comparing the candidate flow rule against the set of currently active flow rules include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - determining whether an action of the candidate flow rule is also an action of a rule from the set of currently active flow rules.
  - 25. The computing system of claim 23, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - determining whether the candidate flow rule includes a particular set action, wherein a set action modifies a communication associated with the set action; and
      
      expanding the candidate flow rule to include a modification associated with the particular set action.
  - 26. The computing system of claim 25, wherein the set of currently active flow rules are associated with priorities, and wherein the expanded candidate flow rule is compared against the set of currently active flow rules in a decreasing order of the priorities.
  - 27. The computing system of claim 25, wherein the instructions for determining that the candidate flow rule does not conflict with the set of currently active flow rules include instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine that the expanded candidate flow rule does not conflict with the set of currently active flow rules.
  - 28. The computing system of claim 23, wherein a flow rule is associated with a match field, wherein a match field can be used to determine whether a communication corresponds to the flow rule, and wherein the instructions for comparing the candidate flow rule against the set of currently active flow rules include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - determining whether a value associated with a match field of the candidate flow rule is also a value associated with a match field of a rule from the set of currently active flow rules.
  - 29. The computing system of claim 23, wherein the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - determining that a match field of the candidate flow rule permits a new value to be substituted for a value in the match field; and
      
      expanding the candidate flow rule to include the new value, wherein comparing the candidate flow rule against the set of currently active flow rules includes comparing the expanded candidate flow rule against the set of currently active flow rules.
  - 30. The computing system of claim 23, wherein the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - determining that a match field of a currently active flow rule permits a new value to be substituted for a value in the match field;
      
      expanding the currently active flow rule to include the new value, wherein comparing the candidate flow rule against the set of currently active flow rules includes comparing the candidate flow rule against the expanded currently active flow rule.
  - 31. The computing system of claim 30, wherein the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - update the set of currently active flow rules to include the expanded currently active flow rule.
  - 32. The computing system of claim 23, wherein the currently active flow rules are associated with priorities, and wherein the candidate flow rule is compared against the set of currently active flow rules in a decreasing order of the priorities.
  - 33. The computing system of claim 23, wherein the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - updating the set of currently active flow rules to include the candidate flow rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Fong, Martin W., Yegneswaran, Vinod, Porras, Phillip A.
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Harris, Christopher C

Application Number

US13/801,871
Publication Number

US 20140075498A1
Time in Patent Office

1,581 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/107   wherein the security polici...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

Security mediation for dynamically programmable network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Security mediation for dynamically programmable network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links