Network operating system for managing and securing networks
Abstract
Systems and methods for managing a network are described. A view of the current state of the network is maintained, where the current state characterizes the network topology and the network constituents, including network entities and network elements residing in or on the network. Events are announced that correspond to changes in the state of the network, and one or more network elements can be configured accordingly. Methods for managing network traffic are described that ensure forwarding and other actions taken by network elements implement globally declared network policy and refer to high-level names, independently of network topology and the location of network constituents. Methods for discovering network constituents are described, whereby discovered constituents are automatically configured. Routing may be performed using ACLs, and packets can be intercepted to permit a host to continue in sleep mode. The methods are applicable to virtual environments.
Claims (20)

1. A network controller computer comprising a memory and at least one processing unit for executing:
- a network operating system for managing a plurality of network elements that forward data flows in the network, the network operating system comprising:
  - a programmatic interface for allowing communication with management applications that are defined to run on top of the network operating system; and
  - a set of modules for:
    - maintaining a network state based on information received from the plurality of network elements, wherein the network state comprises a topology of the network elements and locations in the topology of machines connected to the network;
    - providing the network state to at least one management application; and
    - generating events based on detecting changes in the network state; and
- a set of one or more management applications that run on top of the network operating system as a set of separate applications from the network operating system, each management application in the set configured to, through the programmatic interface of the network operating system, access the network state, receive notification of the events generated by the network operating system based on changes in the network state, and define forwarding behaviors of the plurality of network elements, wherein the network operating system manages the network elements to enforce the forwarding behaviors defined by the one or more management applications.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A non-transitory machine readable medium storing a network operating system which when executed by a set of processing units manages a network comprising a plurality of network elements, the network operating system comprising sets of instructions for:
- providing a programmatic interface for allowing one or more management applications to access a network state comprising bindings between high-level abstractions of the network elements that do not identify locations of the network elements in the network and low-level network addresses that identify the locations of the network elements in the network and declare network policies in terms of the high-level abstractions for implementation by the plurality of network elements;
- providing the network state to the one or more management applications through the programmatic interface;
- receiving a network policy declared in terms of the high-level abstractions through the programmatic interface; and
- automatically configuring forwarding behaviors of at least one of the network elements according to the network policy declared through the programmatic interface by inserting new flow entries into flow tables of the network elements in order to direct paths of data flows through the plurality of network elements such that the declared network policy is enforced independently of changes to the low-level network addresses of the network elements.
Dependent claims: 10, 11, 12, 13, 14, 15.

16. A method for managing a network comprising a plurality of network constituents, the network constituents comprising network elements that forward data flows in the network, the method comprising:
- at an electronic device on which a network operating system operates, providing a programmatic interface for allowing one or more management applications (i) to access a network state comprising bindings between high-level names of the network constituents that do not identify locations of the network constituents in the network and low-level network addresses that identify the locations of the network constituents in the network and (ii) to declare network policies in terms of the high-level names of the network constituents;
- enforcing the network policies declared through the programmatic interface in terms of the high-level names of the low-level network addresses, said enforcing comprising:
  - maintaining bindings between the high-level names and the low-level network addresses; and
  - configuring forwarding behaviors of the network elements in order to enforce the network policies of the management applications declared through the programmatic interface by inserting new flow entries into flow tables of the network elements to direct paths of data flows through the plurality of network elements such that the network policies, declared in terms of the high-level names, are enforced independently of changes to the low-level network addresses of the network constituents, wherein the flow entries inserted in the flow tables comprise headers for packets to match and actions for the network elements to perform when packets match the headers.
Dependent claims: 17, 18, 19, 20.
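The mechanism claimed in claims 9 and 16 above (name-level policy, name-to-address bindings kept by the network operating system, events on binding changes, flow entries recompiled so the policy holds after an address or location change) can be illustrated with a small model. The following Python is an added example written for this page; it is not code from the patent, from NOX, or from any Nicira product, and every class, method, switch and host name in it (NetworkOS, host_seen, declare_policy, s1, alice-laptop, and so on) is a hypothetical name chosen for illustration. The scenario data is constructed.

```python
"""Toy model of name-bound policy enforcement (added example, not the patent's code).
Management applications declare policy in host names only; the network operating
system keeps name -> (address, switch) bindings, raises an event when a binding
changes, and recompiles flow entries (header match + actions) from the policy.
All identifiers below are hypothetical."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Binding = Tuple[str, str]       # (low-level address, attachment switch)
Policy = Tuple[str, str, str]   # (src name, dst name, "allow" | "deny")


@dataclass
class FlowEntry:
    """One flow-table row: headers a packet must match and actions to perform."""
    switch: str
    match: Dict[str, str]
    actions: Tuple[str, ...]


@dataclass
class NetworkOS:
    bindings: Dict[str, Binding] = field(default_factory=dict)
    policies: List[Policy] = field(default_factory=list)
    flow_tables: Dict[str, List[FlowEntry]] = field(default_factory=dict)
    listeners: List[Callable[[str, str], None]] = field(default_factory=list)

    # --- programmatic interface exposed to management applications ---
    def subscribe(self, callback: Callable[[str, str], None]) -> None:
        """Register for event notifications as (kind, subject name)."""
        self.listeners.append(callback)

    def network_state(self) -> Dict[str, Binding]:
        """Read-only copy of the current name -> (address, switch) bindings."""
        return dict(self.bindings)

    def declare_policy(self, src: str, dst: str, action: str) -> None:
        """Policy is expressed in names only; no address appears here."""
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.policies.append((src, dst, action))
        self._recompile()

    # --- state maintenance driven by the network elements ---
    def host_seen(self, name: str, addr: str, switch: str) -> None:
        """A switch reported a host; update its binding and react if it changed."""
        new: Binding = (addr, switch)
        if self.bindings.get(name) == new:
            return
        self.bindings[name] = new
        for cb in self.listeners:
            cb("binding_changed", name)
        self._recompile()

    def _recompile(self) -> None:
        """Translate name-level policy into address-level flow entries."""
        tables: Dict[str, List[FlowEntry]] = {}
        for src, dst, action in self.policies:
            if src not in self.bindings or dst not in self.bindings:
                continue  # policy stays declared; installed once both hosts are bound
            src_addr, src_switch = self.bindings[src]
            dst_addr, _ = self.bindings[dst]
            actions = ("forward",) if action == "allow" else ("drop",)
            entry = FlowEntry(src_switch, {"ip_src": src_addr, "ip_dst": dst_addr}, actions)
            tables.setdefault(src_switch, []).append(entry)
        self.flow_tables = tables  # entries for stale addresses disappear here

    def lookup(self, switch: str, packet: Dict[str, str]) -> Tuple[str, ...]:
        """What a switch does with a packet under its current flow table."""
        for entry in self.flow_tables.get(switch, []):
            if all(packet.get(k) == v for k, v in entry.match.items()):
                return entry.actions
        return ("drop",)  # default deny: no flow entry, no forwarding


def demo():
    """Constructed scenario: one web server, one permitted laptop, one denied guest."""
    nos = NetworkOS()
    events: List[Tuple[str, str]] = []
    nos.subscribe(lambda kind, name: events.append((kind, name)))

    nos.host_seen("webserver", "10.0.1.10", "s1")
    nos.host_seen("alice-laptop", "10.0.1.20", "s1")
    nos.host_seen("guest-phone", "10.0.1.30", "s1")
    nos.declare_policy("alice-laptop", "webserver", "allow")
    nos.declare_policy("guest-phone", "webserver", "deny")

    before = {
        "alice": nos.lookup("s1", {"ip_src": "10.0.1.20", "ip_dst": "10.0.1.10"}),
        "guest": nos.lookup("s1", {"ip_src": "10.0.1.30", "ip_dst": "10.0.1.10"}),
        "unknown": nos.lookup("s1", {"ip_src": "10.0.1.99", "ip_dst": "10.0.1.10"}),
    }

    # alice-laptop roams to switch s2 and gets a new address; the policy is untouched
    nos.host_seen("alice-laptop", "10.0.2.20", "s2")
    after = {
        "alice_new": nos.lookup("s2", {"ip_src": "10.0.2.20", "ip_dst": "10.0.1.10"}),
        "alice_old": nos.lookup("s1", {"ip_src": "10.0.1.20", "ip_dst": "10.0.1.10"}),
    }
    return events, before, after


if __name__ == "__main__":
    print(demo())
```

The point worth checking in the model is the last lookup: once the laptop has moved, a packet carrying its former address on its former switch is dropped, because the flow entry that permitted that address was discarded during recompilation rather than left in place. A controller that only appended entries on binding changes would leave the old address usable by whoever next obtains it.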
Specification