Policy management and conflict resolution in computer networks

US 5,889,953 A
Filed: 03/29/1996
Issued: 03/30/1999
Est. Priority Date: 05/25/1995
Status: Expired due to Term

First Claim

Patent Images

1. A system for determining an enforceable policy applicable to one or more network devices, comprising a computer-readable medium encoded with:

a data structure comprising a policy space, the policy space including domain elements representing network devices and groups of network devices, and rule elements defining actions; and

a plurality of executable methods for determining and resolving conflicts among multiple policies applied in real time including;

a method for attaching one or more of the rule elements to one or more of the domain elements to create multiple policies;

a method for determining whether conflicts exist between the multiple policies wherein a conflict exists when two or more of the multiple policies operate on the same or an intersecting set of domain elements and have overlapping enforcement schedules; and

a method for resolving the conflicts to produce one or more enforceable policies.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for determining an enforceable policy applicable to one or more network devices. The method includes attaching one or more rule elements to one or more domain elements to create policies, the domain elements representing network devices and groups of network devices, and the rule elements defining actions, a method for determining whether a conflict exists between the polices, and a method for resolving the conflicts to produce one or more enforceable policies.

614 Citations

54 Claims

1. A system for determining an enforceable policy applicable to one or more network devices, comprising a computer-readable medium encoded with:
- a data structure comprising a policy space, the policy space including domain elements representing network devices and groups of network devices, and rule elements defining actions; and
  
  a plurality of executable methods for determining and resolving conflicts among multiple policies applied in real time including;
  
  a method for attaching one or more of the rule elements to one or more of the domain elements to create multiple policies;
  
  a method for determining whether conflicts exist between the multiple policies wherein a conflict exists when two or more of the multiple policies operate on the same or an intersecting set of domain elements and have overlapping enforcement schedules; and
  
  a method for resolving the conflicts to produce one or more enforceable policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the method for resolving conflicts comprises resolving conflicts when any policy becomes active at a scheduled event.
  - 3. The system of claim 1, wherein the domain elements include both location-based groups and nonlocation-based groups.
  - 4. The system of claim 3, wherein the location-based groups are topological groups and the nonlocation-based groups are selected from the group consisting of logical end systems groups and logical user groups.
  - 5. The system of claim 1, further comprising a method for executing one or more enforceable policies.
  - 6. The system of claim 1, the domain elements include at least one of topological and logical domains.
  - 7. The system of claim 1, wherein the method for determining whether a conflict exists comprises determining whether the policies have an overlap in attributes of the domain elements and scheduling.
  - 8. The system of claim 1, wherein the domain elements include attributes and attribute values, the rules specify attribute values for the domain elements, and the method for determining whether conflicts exist includes comparing the attribute values.
  - 9. The system of claim 8, wherein the rules are "if/then" rules having the attribute values on the "if" side of the rule and the actions on the "then" side of the rule.
  - 10. The system of claim 1, wherein the actions include at least one of:
    - permission or forbiddance of an operation on the network devices, modification of domain elements, display of a message, and entry in a log.
  - 11. The system of claim 1, wherein the method for determining a conflict for a domain element E comprises:
    - collecting all domain elements D of which E is a member;
      
      collecting the rules that apply to each domain element D, if any, and the rules that apply to E, if any; and
      
      determining whether any conflicts exist between the collected rules.
  - 12. The system of claim 1, wherein the method of resolving conflicts includes at least one of:
    - selecting the policy that issues from a pre-defined priority;
      
      selecting the policy that issues from the least specific domain element among the conflicting policies;
      
      selecting the policy that satisfies a largest number of conditions included in the conflicting policies;
      
      reporting the conflicting policies to a user and allowing the user to adjudicate.
  - 13. The system of claim 1, wherein the method for resolving conflicts comprises determining one prevalent policy.
  - 14. The system of claim 1, wherein the method for resolving conflicts comprises determining one prevalent policy made up of prevalent attributes of the domain elements.
  - 15. The system of claim 1, wherein the domain elements are hierarchial and the method for resolving conflicts comprises resolving any conflicts at the highest level of the hierarchy at which the conflict arises.

16. A method for determining and resolving conflicts among multiple policies applied in real time for determining an enforceable policy applicable to one or more network devices, the method comprising:
- creating a plurality of policy object sets, a policy object set being created by attaching at least one rule to one or more objects representing network devices or groups of network devices;
  
  determining whether a conflict exists among an intersection of policy object sets wherein a conflict exists when two or more of the policy object sets operate on the same or an intersecting set of objects and have overlapping enforcement schedules; and
  
  resolving any conflict at the specific point of set intersection to produce one or more enforceable policies.

17. A method for determining and resolving conflicts among multiple policies applied in real time for determining an enforceable configuration policy applicable to one or more network devices, comprising the steps of:
- providing a data structure including configuration records and domain elements, the domain elements representing network devices and groups of network devices;
  
  attaching at least one of the configuration records to at least one domain element to produce multiple configuration policies; and
  
  determining whether any conflicts exist among the multiple configuration policies, wherein a conflict exists when two or more of the multiple configuration policies operate on the same or an intersecting set of domain elements and have overlapping enforcement schedules and resolving the conflicts to produce one or more enforceable configuration policies.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The method of claim 17, further comprising:
    - loading a configuration described by the enforceable configuration policies into one or more network devices.
  - 19. The method of claim 17, wherein the determining step occurs in response to a trigger which includes at least one of:
    - a device in the network has been activated;
      
      a device in the network has been deactivated;
      
      the network has been deactivated;
      
      the network has been deactivated;
      
      a device has been added to a network;
      
      a scheduler has determined a trigger event; and
      
      a user has manually triggered a trigger event.
  - 20. The method of claim 17, wherein the step of determining whether any conflicts exist for a domain element E includes the steps of:
    - determining applicable policies for the domain element E, the applicable policies each having attributes and associated attribute values; and
      
      determining whether any of the policies have different values for one attribute.
  - 21. The method of claim 17, wherein the step of resolving includes the steps of:
    - selecting a resolution strategy; and
      
      selecting one of the policies according to the resolution strategy.
  - 22. The method of claim 21, wherein the step of selecting a resolution strategy includes selecting one of:
    - a policy that more specifically defines a policy;
      
      a policy that less specifically defines a policy;
      
      an applicable policy that includes a largest number of satisfied conditions among conditions set forth in the applicable policies; and
      
      enabling a user to select a policy from the plurality of applicable policies.
  - 23. The method of claim 17, further comprising the step of providing an output which includes at least one of:
    - a configuration load;
      
      a notice of conflicting configuration policies;
      
      a notice that no action is required; and
      
      a report of the overall network configuration.
  - 24. The method of claim 17, wherein the step of determining and resolving conflicts for a domain element E comprises:
    - collecting all domain elements D of which E is a member;
      
      collecting the configuration records that attach to each domain element D, if any, and the configuration records for E, if any;
      
      for each collected configuration record, selecting those that attach to domain elements that are members of E;
      
      resolving any conflicting attachments, producing the enforceable configuration policies.
  - 25. The method of claim 18, wherein the configuration records include an ordering index, and the step of loading includes loading according to the value of the ordering index.
  - 26. The method of claim 17, wherein the configuration records include conditions, and the step of determining enforceable policies includes determining whether the conditions have been satisfied.
  - 27. The method of claim 17, wherein the step of resolving conflicts for a domain element E includes selecting a conflict resolution strategy from one of:
    - a) selecting a policy which is attached to the most specific network domain;
      
      b) selecting a policy which satisfies a greatest number of conditions;
      
      c) if the result of both (a) and (b) is a conflict, selecting the policy from (a);
      
      andd) reporting conflicting policies to a user and allowing the user to adjudicate.

28. A method of determining connectivity in a communications network between a source and a destination, the method comprising:
- partitioning the network into a plurality of groups;
  
  providing policies applicable to at least one of the source, destination and select groups of network devices;
  
  for a desired connection between a source and a destination determining and resolving conflicts among multiple policies applied in real time for the desired connection including;
  
  collecting the policies applicable to the source and any groups associated with the source to determine an outbound policy term;
  
  collecting the policies applicable to the destination and any groups associated with the destination to determine an inbound policy term;
  
  resolving any conflicts between the inbound and outbound policy terms to determine an operating policy; and
  
  applying the operating policy for a duration of an allowed communication between the source and destination.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 29. The method of claim 28, wherein a child member of a group inherits all of the policies of ancestor members of the group, but the child member is allowed to override certain of these policies.
  - 30. The method of claim 29, wherein the policies of the ancestors are inherited when the child policy is represented by a "don'"'"'t care" entry, and the policies of the ancestors are not inherited when the child explicitly defines a policy different from that of the ancestors.
  - 31. The method of claim 30, wherein the operating policy is determined by projecting the policy term towards the most distant ancestor until all "don'"'"'t care" entries have been replaced by actual values.
  - 32. The method of claim 28, wherein the operating policy includes a type of service.
  - 33. The method of claim 28, wherein the policies include location-based policies and non-location-based policies.
  - 34. The method of claim 33, wherein the non-location-based policies take precedence over the location-based policies.
  - 35. The method of claim 28, wherein the groups include both of:
    - a numbering-plan end station group comprising a group of end stations within a topological area of the network;
      
      a generic group comprising at least one of a non-location based group of end stations, and a non-location based user group.
  - 36. The method of claim 35, wherein a user'"'"'s policy is automatically attached to an end station at which the user is authenticated.
  - 37. The method of claim 35, wherein a user'"'"'s policy supplements an end station policy.
  - 38. The method of claim 35, wherein an end station policy is a default policy.
  - 39. The method of claim 38, wherein a user'"'"'s policy is a specific policy having precedence over the default policy.
  - 40. The method of claim 35, wherein a user'"'"'s policy defines network access privileges.
  - 41. The method of claim 35, wherein a user'"'"'s policy defines the network resources allocated to the users.
  - 42. The method of claim 35, wherein:
    - a numbering plan end station policy is a base policy;
      
      a generic end station policy has a higher precedence than the base policy; and
      
      a generic user policy has the highest precedence.
  - 43. The method of claim 28, wherein the outbound policy term includes one or more of:
    - access policy, usage policy, routing policy, administrative policy and connectionless-access policy.
  - 44. The method of claim 28, wherein the inbound policy term includes one or more of:
    - access permission, maximum connection time, maximum connection count, audit trail flag, and connection priority.
  - 45. The method of claim 28, wherein a conflict between the input and output policy terms is resolved by the following rules:
    - 1. For routing, only outbound policy is considered;
      
      2. Access is granted if both inbound and outbound policies allow it;
      
      3. Audit trail is done if either the source or a destination policy say "yes";
      
      4. For other policies, liberal or conservative rules apply.
  - 46. The method of claim 28, wherein a conflict between source peer work groups is resolved by selecting from the following rules:
    - 1. A liberal policy that picks the highest among the conflicting values;
      
      2. A conservative policy that picks the lowest among the conflicting values.
  - 47. The method of claim 28, wherein a conflicts between destination peer work groups is resolved by selecting from the following rules:
    - 1. A liberal policy that permits access or picks the highest among the conflicting values;
      
      2. A conservative policy that denies access or picks the lowest among the conflicting values.

48. A method of determining connectivity in a communications system between a first user at a source and a second user at a destination for one of a plurality of different types of communication service, the method comprising:
- providing a plurality of policy rules for different connections based on different users, sources, destinations and types of service, each policy rule having one or more attributes and at least one of the attributes specifying whether a connection is allowed, a plurality of policy rules being created by attaching one or more rule elements to one or more domain elements;
  
  selecting one or more policy rules based on a first user, second user, source, destination and service type for a desired connection and determining and resolving conflicts among the selected policy rules applied in real time for the desired connection to determine an enforceable operating policy from the combined attributes of the selected policy rules;
  
  wherein if the enforceable operating policy allows the desired connection, implementing the desired connection in accordance with the enforceable operating policy.
- View Dependent Claims (49, 50, 51, 52, 53, 54)
- - 49. The method of claim 48, wherein the selecting step includes selecting, from among a rule set of more general to more specific policy rules, a more specific policy rule applicable to the desired connection.
  - 50. The method of claim 49, wherein the selecting step includes selecting a plurality of policy rules applicable to the desired connection, and wherein a value for each one of the combined attributes is selected from the more specific policy rule defining that one attribute.
  - 51. The method of claim 48, wherein the providing step includes providing a first set of outbound policy rules for the first user and the source, and providing a second set of inbound policy rules for the second user and the destination, and wherein the selecting step includes selecting at least one outbound policy rule from the outbound rule set and at least one inbound policy rule from the inbound policy rule set, and selecting from among the operating policy attributes of the selected outbound policy rule and selected inbound policy rule to provide the combined attributes of the enforceable operating policy.
  - 52. The method of claim 51, wherein attribute values are selected from the group consisting of "allowed", "don'"'"'t care", and "not allowed", and wherein a conflict between attribute values in the selected outbound policy rule and selected inbound policy rule is resolved by:
    - (1) if either value is "not allowed", then the "not allowed" attribute value is chosen; and
      
      (2) if either value is "don'"'"'t care", then the other attribute value is chosen.
  - 53. The method of claim 51, wherein attribute values have a range of increasing to decreasing values, and wherein a conflict between attribute values in the selected outbound policy rule and selected inbound policy rule is resolved based on a preset bias level wherein:
    - (1) if the bias level is "plus", then the greater of the two attribute values is chosen;
      
      (2) if the bias level is "minus", then the lesser of the two attribute values is chosen.
  - 54. The method of claim 51, wherein a conflict between the attribute values of the selected inbound policy rule and selected outbound policy rule is resolved by choosing the attribute value of the outbound policy rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Cabletron Systems Incorporated (Extreme Networks, Inc.)
Inventors
Lewis, Lundy, Scott, Walter, Malik, Rajiv, Dev, Roger, Rustici, Eric, Thebaut, Suzanne, Kaikini, Prasan, Aggarwal, Ajay, Sycamore, Steve, Wohlers, Todd, Ibe, Oliver
Primary Examiner(s)
Lall, Parshotam S.
Assistant Examiner(s)
Coulter, Kenneth R.

Application Number

US08/622,866
Time in Patent Office

1,096 Days
Field of Search

395/200.11, 395/200.54, 395/200.51
US Class Current

709/221
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/57   Certifying or maintaining t...

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

G06F 21/62   Protecting access to data v...

H04L 41/0866   Checking the configuration

H04L 41/0869   Validating the configuratio...

H04L 41/0873   Checking configuration conf...

H04L 41/0879   Manual configuration throug...

H04L 41/0883   Semiautomatic configuration...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/20   Network management software...

H04L 41/5019   Ensuring fulfilment of SLA

Policy management and conflict resolution in computer networks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

614 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Policy management and conflict resolution in computer networks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

614 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links