Distributing remote device management attributes to service nodes for service rule processing

US 9,906,560 B2
Filed: 11/01/2015
Issued: 02/27/2018
Est. Priority Date: 08/28/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable medium storing a program for processing remote-device data messages entering a network, the program comprising sets of instructions for:

receiving, at a virtual private network (VPN) gateway, a data message sent by the remote device through a first tunnel that connects the remote device to the network;

identifying a set of remote device management (RDM) attributes associated with the received data message; and

based on the RDM attribute set, forwarding the data message to a particular network element within the network via a second tunnel and inserting the identified RDM attribute set in a header of the second tunnel;

said inserted RDM attribute set in the second tunnel header for identifying a service operation to perform on the data message;

wherein the particular network element and the VPN gateway operate on two different physical devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on identified RDM attribute set.

75 Citations

View as Search Results

16 Claims

1. A non-transitory machine readable medium storing a program for processing remote-device data messages entering a network, the program comprising sets of instructions for:
- receiving, at a virtual private network (VPN) gateway, a data message sent by the remote device through a first tunnel that connects the remote device to the network;
  
  identifying a set of remote device management (RDM) attributes associated with the received data message; and
  
  based on the RDM attribute set, forwarding the data message to a particular network element within the network via a second tunnel and inserting the identified RDM attribute set in a header of the second tunnel;
  
  said inserted RDM attribute set in the second tunnel header for identifying a service operation to perform on the data message;
  
  wherein the particular network element and the VPN gateway operate on two different physical devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The non-transitory machine readable medium of claim 1, wherein the particular network element is a device that performs a middlebox service operation on the forwarded data message based on the identified RDM attribute set.
  - 3. The non-transitory machine readable medium of claim 2, wherein the device performs the middlebox service operation by using the inserted RDM attribute set to identify a service rule that specifies the service operation to perform on the forwarded data message.
  - 4. The non-transitory machine readable medium of claim 1, wherein the particular network element executes a middlebox service node that performs a middlebox service operation on the forwarded data message based on the identified RDM attribute set.
  - 5. The non-transitory machine readable medium of claim 4, wherein the middlebox service operation comprises one of a firewall operation, a load balancing operation, a logical network segmentation operation, and a destination network address translation operation on the data message based on the inserted RDM attribute set.
  - 6. The non-transitory machine readable medium of claim 1, wherein the program further comprises sets of instructions for:
    - intercepting the data message from an egress path of the VPN gateway as the VPN gateway forwards the data message to a destination within the network; and
      
      encapsulating the data message with a tunnel header for the second tunnel to forward the intercepted data message along the second tunnel to the particular network element.
  - 7. The non-transitory machine readable medium of claim 1, wherein the program further comprises a set of instructions forreceiving at least a subset of the RDM attribute set in a header of the first tunnel.
  - 8. The non-transitory machine readable medium of claim 1, wherein the program further comprises a set of instructions forreceiving at least a subset of the RDM attribute set from an RDM server that the VPN gateway uses to authenticate a request from the remote device to establish a VPN session through the first tunnel.
  - 9. The non-transitory machine readable medium of claim 8, wherein the set of instructions for receiving the RDM attribute subset comprises a set of instructions for receiving the RDM attribute subset as part of an authentication approval from the RDM server.
  - 10. The non-transitory machine readable medium of claim 8, wherein the program further comprises a set of instructions for receiving an authentication approval from the RDM server, wherein the set of instructions for receiving the RDM attribute subset comprises a set of instructions for receiving the RDM attribute subset in a communication from the RDM server that is separate from the authentication approval.

11. A non-transitory machine readable medium storing a program for processing remote-device data messages entering a network, the program comprising sets of instructions for:
- receiving a data message sent by the remote device;
  
  identifying a set of remote device management (RDM) attributes associated with the received data message; and
  
  based on the RDM attribute set, forwarding the data message to a particular network element within the network via a tunnel and inserting the identified RDM attribute set in a header of the tunnel,wherein the particular network element executes a middlebox service node that performs a middlebox service operation on the forwarded data message based on the identified RDM attribute set;
  
  wherein the service node performs the middlebox service operation by using the inserted RDM attribute set to identify a service rule with an RDM attribute set that matches the inserted RDM attribute set, said identified service rule specifying the service operation to perform on the forwarded data message.

12. A non-transitory machine readable medium storing a program for processing remote-device data messages entering a network, the program comprising sets of instructions for:
- receiving, at a virtual private network (VPN) gateway, a data message sent by the remote device through a first tunnel that connects the remote device to the network;
  
  performing, at the VPN gateway, a load balancing operation to select a particular network service element from a plurality of network service elements that perform the service operation, andidentifying a set of remote device management (RDM) attributes associated with the received data message; and
  
  based on the RDM attribute set, forwarding the data message to a particular network element within the network via a second tunnel and inserting the identified RDM attribute set in a header of the second tunnel, said inserted RDM attribute set in the second tunnel header for identifying a service operation to perform on the data message;
  
  the VPN gateway forwarding data messages to at least two different service network elements along at least two different tunnels.

13. A method of processing remote-device data messages entering a network comprising a plurality of network elements, the method comprising:
- through a first tunnel that connects the remote device to the network, receiving a data message sent by the remote device;
  
  identifying a set of remote device management (RDM) attributes associated with the received data message, said identifying comprising receiving at least a subset of the RDM attribute set in a header of the first tunnel; and
  
  based on the RDM attribute set, forwarding the data message to a particular network element within the network via a second tunnel and inserting the identified RDM attribute set in a header of the second tunnel;
  
  said inserted RDM attribute set in the second tunnel header for identifying a service operation to perform on the data message.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the particular network element performs a middlebox service operation on the forwarded data message by using the inserted RDM attribute set to identify a service rule that specifies the service operation to perform on the forwarded data message.

15. A method of processing remote-device data messages entering a network comprising a plurality of network elements, the method comprising:
- through a first tunnel that connects the remote device to the network, receiving a data message sent by the remote device;
  
  identifying a set of remote device management (RDM) attributes associated with the received data message; and
  
  based on the RDM attribute set, forwarding the data message to a particular network element within the network via a second tunnel and inserting the identified RDM attribute set in a header of the second tunnel, said inserted RDM attribute set in the second tunnel header for identifying a service operation to perform on the data message, said forwarding comprising;
  
  removing a tunnel header for the first tunnel from the data message;
  
  encapsulating the data message with a tunnel header for the second tunnel to forward the data message along the second tunnel to the particular node.
- View Dependent Claims (16)
- - 16. The method of claim 15, the method further comprising receiving another subset of the RDM attribute set from an RDM server that is used to authenticate a request from the remote device to establish a VPN session through the first tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Jain, Jayant, Sengupta, Anirban, Nimmagadda, Srinivas, Tiagi, Alok S., Kumar, Kausum
Primary Examiner(s)
McNally, Michael S

Application Number

US14/929,401
Publication Number

US 20170063797A1
Time in Patent Office

849 Days
Field of Search

726 11
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/5045   Making service definitions ...

H04L 61/256   NAT traversal

H04L 61/2571   for identification, e.g. fo...

H04L 61/2585   through application level g...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/1004   Server selection for load b...

H04L 67/1097   for distributed storage of ...

H04L 69/22   Parsing or analysis of headers

H04W 12/08   Access security

H04W 76/12   Setup of transport tunnels

Distributing remote device management attributes to service nodes for service rule processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Distributing remote device management attributes to service nodes for service rule processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links