CREATING AND DISTRIBUTING TEMPLATE BASED SERVICE RULES

US 20170180320A1
Filed: 12/18/2015
Published: 06/22/2017
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A method of specifying service rules, the method comprising:

specifying a set of service rules that each includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute sets, each rule identifier comprising at least one template identifier for identifying one template, each template for deploying a multi-tier application in a datacenter; and

distributing the set of service rules to a service node in the datacenter, the service node comparing the rule identifiers of the service rules with the data message attribute sets in order to identify service rules that match the data messages that the service node processes, the service node comparing the rule identifiers and attribute sets by comparing the template identifiers of the rules with the template identifiers associated with the data messages.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.

30 Citations

View as Search Results

19 Claims

1. A method of specifying service rules, the method comprising:
- specifying a set of service rules that each includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute sets, each rule identifier comprising at least one template identifier for identifying one template, each template for deploying a multi-tier application in a datacenter; and
  
  distributing the set of service rules to a service node in the datacenter, the service node comparing the rule identifiers of the service rules with the data message attribute sets in order to identify service rules that match the data messages that the service node processes, the service node comparing the rule identifiers and attribute sets by comparing the template identifiers of the rules with the template identifiers associated with the data messages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the template identifiers associated with the data messages comprise template identifiers associated with at least the sources of the data messages or the destinations of the data messages.
  - 3. The method of claim 1, wherein the template identifiers associated with the data messages comprise template identifiers associated with at least the sources and the destinations of the data messages.
  - 4. The method of claim 3, wherein a template identifier is associated with the source and destination of a data message when the source and destination are network nodes that were deployed based on node definitions provided by the template specified by the template identifier.
  - 5. The method of claim 1, wherein distributing the set of service rules comprises distributing the set of service rules to a plurality of service nodes.
  - 6. The method of claim 1, wherein the service node is a first service node, and the specified set of service rules is a first set of service rules, the method further comprising:
    - specifying a second set of service rules that each includes (1) a service parameter for performing the service on data messages, and (2) a rule identifier for matching to data message attribute sets, each rule identifier comprising at least one template identifier for identifying one template; and
      
      distributing the second set of service rules to a second service node in the datacenter, the second service node comparing the rule identifiers of the second set of service rules with the data message attribute sets in order to identify service rules that match the data messages that the second service node processes, the second service node comparing the rule identifiers and attribute sets by comparing the template identifiers of the rules with the template identifiers associated with the data messages.
  - 7. The method of claim 6, wherein the first and second sets of service rules are identical.
  - 8. The method of claim 6, wherein the first and second sets of service rules are different.
  - 9. The method of claim 6, wherein the first and second sets of service rules have a plurality of service rules that overlap and a plurality of service rules that only exist in one of the first set of service rules and the second set of service rules.
  - 10. The method of claim 1, wherein at least the rule identifier for at least one service rule comprises at least two different template identifiers to specify that the service rule is associated with two different templates.
  - 11. The method of claim 1, wherein distributing the set of service rules comprises distributing the set of service rules with a rule precedence hierarchy that defines a priority value for each service rule, such that rules with higher priority are processed by the service node before rules with lower priority.
  - 12. The method of claim 1, wherein the rule precedence hierarchy implicitly defines priority values for the rules based on an order in which the rules appear in a storage structure used to distribute the set of service rules.
  - 13. The method of claim 1, wherein the rule precedence hierarchy explicitly defines priority values for the rules in a storage structure used to distribute the set of service rules.
  - 14. The method of claim 1, wherein each rule identifier includes n identifying tuples, and at least one rule identifier includes a wildcard value for at least one of its n identifying tuples.
  - 15. The method of claim 14, whereineach rule identifier'"'"'s n-identifying tuples include a source identifier and a destination identifier,at least one particular rule identifier'"'"'s source or destination identifier is defined by reference to a group identifier that identifies a group storage structure that stores a plurality of attributes for a plurality of network nodes,when processing the particular rule for a particular data message, the service node determines that the particular data message has an attribute that is stored in the group storage structure and retrieves the particular data message'"'"'s template identifier from the group storage structure.
  - 16. The method of claim 14, whereineach rule identifier'"'"'s n-identifying tuples include a source identifier and a destination identifier,at least one particular rule identifier'"'"'s source or destination identifier is defined by reference to a group identifier that identifies a first group storage structure that stores a plurality of attributes for a plurality of network nodes,when processing the particular rule for a particular data message, the service node determines that the particular data message has a particular attribute that is stored in the first group storage structure and retrieves the particular data message'"'"'s template identifier from a second group storage structure that is identified by a record in the first group storage structure for the particular attribute.
  - 17. The method of claim 1, wherein the service node is a service module that executes on a host machine along with a plurality of data compute nodes that are sources or destinations of the data messages processed by the service module.
  - 18. The method of claim 1, wherein the service node is a standalone service appliance.

19. A non-transitory machine readable medium storing a program for specifying a firewall rule, the program comprising sets of instructions for:
- receiving a set of rule-identifying tuples for the service rule, the set of tuples for matching with a set of attributes of a message, the set of tuples comprising a template identifier that specifies a template for deploying a multi-tier application in a datacenter;
  
  receiving a service parameter for a service to perform when a message'"'"'s set of attributes matches the set of tuples of the service rule;
  
  specifying the service rule based on the received set of rule-identifying tuples and the received service parameter; and
  
  distributing the specified service rule to a plurality of service devices in the datacenter, wherein the distributed service rule includes the template identifier in the rule-identifying tuples.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Nimmagadda, Srinivas, Manuguri, Subrahmanyam, Tiagi, Alok S., Jain, Jayant, Sengupta, Anirban

Granted Patent

US 10,469,450 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 67/1031   Controlling of the operatio...

CREATING AND DISTRIBUTING TEMPLATE BASED SERVICE RULES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

CREATING AND DISTRIBUTING TEMPLATE BASED SERVICE RULES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links