Network operating system for managing and securing networks

US 9,876,672 B2
Filed: 06/22/2015
Issued: 01/23/2018
Est. Priority Date: 09/26/2007
Status: Active Grant

First Claim

Patent Images

1. A network controller computer comprising a memory and at least one processing unit for executing:

a network operating system for managing a plurality of network elements that forward data flows in the network, the network operating system comprising;

a programmatic interface for allowing communication with management applications that are defined to run on top of the network operating system; and

a set of modules for;

maintaining a network state based on information received from the plurality of network elements, wherein the network state comprises a topology of the network elements and locations in the topology of machines connected to the network;

providing the network state to at least one management application; and

generating events based on detecting changes in the network state; and

a set of one or more management applications that run on top of the network operating system as a set of separate applications from the network operating system, each management application in the set configured to, through the programmatic interface of the network operating system, access the network state, receive notification of the events generated by the network operating system based on changes in the network state, and define forwarding behaviors of the plurality of network elements,wherein the network operating system manages the network elements to enforce the forwarding behaviors defined by the one or more management applications.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing a network are described. A view of current state of the network is maintained where the current state of the network characterizes network topology and network constituents, including network entities and network elements residing in or on the network. Events are announced that correspond to changes in the state of the network and one or more network elements can be configured accordingly. Methods for managing network traffic are described that ensure forwarding and other actions taken by network elements implement globally declared network policy and refer to high-level names, independently of network topology and the location of network constituents. Methods for discovering network constituents are described, whereby are automatically configured. Routing may be performed using ACL and packets can be intercepted to permit host to continue in sleep mode. The methods are applicable to virtual environments.

186 Citations

20 Claims

1. A network controller computer comprising a memory and at least one processing unit for executing:
- a network operating system for managing a plurality of network elements that forward data flows in the network, the network operating system comprising;
  
  a programmatic interface for allowing communication with management applications that are defined to run on top of the network operating system; and
  
  a set of modules for;
  
  maintaining a network state based on information received from the plurality of network elements, wherein the network state comprises a topology of the network elements and locations in the topology of machines connected to the network;
  
  providing the network state to at least one management application; and
  
  generating events based on detecting changes in the network state; and
  
  a set of one or more management applications that run on top of the network operating system as a set of separate applications from the network operating system, each management application in the set configured to, through the programmatic interface of the network operating system, access the network state, receive notification of the events generated by the network operating system based on changes in the network state, and define forwarding behaviors of the plurality of network elements,wherein the network operating system manages the network elements to enforce the forwarding behaviors defined by the one or more management applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The network controller computer of claim 1, wherein the set of modules is further for:
    - maintaining a history of prior network states and prior data flows in the network; and
      
      performing an analysis of the history of prior network states and the history of prior data flows for troubleshooting and forensics.
  - 3. The network controller computer of claim 1, wherein the network elements comprise virtual switches that connect to virtual machines operating on hosts.
  - 4. The network controller computer of claim 1, wherein the forwarding behavior of each network element is implemented as a set of flow entries that specifies which of several possible paths a particular data flow takes through the network, wherein the network operating system inserts flow entries into flow tables of the network elements.
  - 5. The network controller computer of claim 1, wherein the set of modules comprises (i) a packet classification module that enables the management applications to specify types of packets to receive and (ii) a classifier that ensures that the management applications only receive the specified types of packets.
  - 6. The network controller computer of claim 1, wherein the set of modules comprises a locator module that determines when the machines connected to the network join and leave the network and updates the network state based on the determinations.
  - 7. The network controller computer of claim 1, wherein the locator module further determines the locations in the topology of the machines connected to the network.
  - 8. The network controller computer of claim 1, wherein the set of modules comprises a topology discovery module that determines the network element topology and updates the network state.

9. A non-transitory machine readable medium storing a network operating system which when executed by a set of processing units manages a network comprising a plurality of network elements, the network operating system comprising sets of instructions for:
- providing a programmatic interface for allowing one or more management applications to access a network state comprising bindings between high-level abstractions of the network elements that do not identify locations of the network elements in the network and low-level network addresses that identify the locations of the network elements in the network and declare network policies in terms of the high-level abstractions for implementation by the plurality of network elements;
  
  providing the network state to the one or more management applications through the programmatic interface;
  
  receiving a network policy declared in terms of the high-level abstractions through the programmatic interface; and
  
  automatically configuring forwarding behaviors of at least one of the network elements according to the network policy declared through the programmatic interface by inserting new flow entries into flow tables of the network elements in order to direct paths of data flows through the plurality of network elements such that the declared network policy is enforced independently of changes to the low-level network addresses of the network elements.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The non-transitory machine readable medium of claim 9, wherein the network operating system further comprises sets of instructions for:
    - maintaining a history of views of prior states of the network; and
      
      maintaining a history of prior data flows in the network.
  - 11. The non-transitory machine readable medium of claim 9, wherein a particular flow entry in a network element flow table is associated with a particular data flow forwarded by the network element.
  - 12. The non-transitory machine readable medium of claim 11, wherein the network element is a virtual switch that operates in a host in which a virtual machine also operates, wherein the virtual machine is one of a destination and a source of the data flow.
  - 13. The non-transitory machine readable medium of claim 9, wherein the network operating system further comprises a set of instructions for registering one of the management applications for an event corresponding to a change in the network state in order to notify the management application of the event upon detecting the event.
  - 14. The non-transitory machine readable medium of claim 9, wherein the set of instructions for providing the network state to the one or more management applications comprises a set of instructions for presenting a logically centralized view of the network state, which represents the entire network as though it were present on a single machine, to the one or more management applications.
  - 15. The non-transitory machine readable medium of claim 9, wherein the flow entries in a flow table of a particular network element have different priorities.

16. A method for managing a network comprising a plurality of network constituents, the network constituents comprising network elements that forward data flows in the network, the method comprising:
- at an electronic device on which a network operating system operates, providing a programmatic interface for allowing one or more management applications (i) to access a network state comprising bindings between high-level names of the network constituents that do not identify locations of the network constituents in the network and low-level network addresses that identify the locations of the network constituents in the network and (ii) to declare network policies in terms of the high-level names of the network constituents;
  
  enforcing the network policies declared through the programmatic interface in terms of the high-level names of the low-level network addresses, said enforcing comprising;
  
  maintaining bindings between the high-level names and the low-level network addresses; and
  
  configuring forwarding behaviors of the network elements in order to enforce the network policies of the management applications declared through the programmatic interface by inserting new flow entries into flow tables of the network elements to direct paths of data flows through the plurality of network elements such that the network policies, declared in terms of the high-level names, are enforced independently of changes to the low-level network addresses of the network constituents, wherein the flow entries inserted in the flow tables comprise headers for packets to match and actions for the network elements to perform when packets match the headers.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the network elements comprise virtual switches that are defined according to a standard for defining switch abstractions, wherein the network constituents comprise virtual machines and at least one of the virtual machines operates in a same host in which a virtual switch operates.
  - 18. The method of claim 16 further comprising registering one of the management applications for an event corresponding to a change in the network state in order to notify the management application of the event upon detecting the event.
  - 19. The method of claim 16 further comprising:
    - monitoring the network state to detect changes in the network state;
      
      upon detection of a particular change in the network state, generating an event; and
      
      providing a notification of the generated event through the programmatic interface to at least one of the management applications.
  - 20. The method of claim 16 further comprising registering the management application for events of a type of the generated event prior to detecting the particular change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Casado, Martin, Amidon, Keith E., Balland, III, Peter J., Gude, Natasha, Pettit, Justin, Pfaff, Benjamin Levy, Shenker, Scott J, Wendlandt, Daniel J
Primary Examiner(s)
Williams, Clayton R

Application Number

US14/746,816
Publication Number

US 20160013969A1
Time in Patent Office

946 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/06   Management of faults, event...

H04L 41/0809   Plug-and-play configuration

H04L 41/082   the condition being updates...

H04L 41/0853   by actively collecting conf...

H04L 41/0859   by keeping history of diffe...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/12   Discovery or management of ...

H04L 41/40   using virtualisation of net...

H04L 43/0817   by checking functioning

Network operating system for managing and securing networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network operating system for managing and securing networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links