Policy management and conflict resolution in computer networks
First Claim
1. A system for determining an enforceable policy applicable to one or more network devices, comprising a computer-readable medium encoded with:
- a data structure comprising a policy space, the policy space including domain elements representing network devices and groups of network devices, and rule elements defining actions; and
- a plurality of executable methods for determining and resolving conflicts among multiple policies applied in real time, including:
  - a method for attaching one or more of the rule elements to one or more of the domain elements to create multiple policies;
  - a method for determining whether conflicts exist between the multiple policies, wherein a conflict exists when two or more of the multiple policies operate on the same or an intersecting set of domain elements and have overlapping enforcement schedules; and
  - a method for resolving the conflicts to produce one or more enforceable policies.
6 Assignments
0 Petitions
Abstract
Method and apparatus for determining an enforceable policy applicable to one or more network devices. The method includes attaching one or more rule elements to one or more domain elements to create policies, the domain elements representing network devices and groups of network devices and the rule elements defining actions; determining whether a conflict exists between the policies; and resolving the conflicts to produce one or more enforceable policies.
614 Citations
54 Claims
1. See the first claim above. Dependent claims: 2 to 15.

16. A method for determining and resolving conflicts among multiple policies applied in real time for determining an enforceable policy applicable to one or more network devices, the method comprising:
- creating a plurality of policy object sets, a policy object set being created by attaching at least one rule to one or more objects representing network devices or groups of network devices;
- determining whether a conflict exists among an intersection of policy object sets, wherein a conflict exists when two or more of the policy object sets operate on the same or an intersecting set of objects and have overlapping enforcement schedules; and
- resolving any conflict at the specific point of set intersection to produce one or more enforceable policies.

17. A method for determining and resolving conflicts among multiple policies applied in real time for determining an enforceable configuration policy applicable to one or more network devices, comprising the steps of:
- providing a data structure including configuration records and domain elements, the domain elements representing network devices and groups of network devices;
- attaching at least one of the configuration records to at least one domain element to produce multiple configuration policies; and
- determining whether any conflicts exist among the multiple configuration policies, wherein a conflict exists when two or more of the multiple configuration policies operate on the same or an intersecting set of domain elements and have overlapping enforcement schedules, and resolving the conflicts to produce one or more enforceable configuration policies.
Dependent claims: 18 to 27.

28. A method of determining connectivity in a communications network between a source and a destination, the method comprising:
- partitioning the network into a plurality of groups;
- providing policies applicable to at least one of the source, destination and select groups of network devices;
- for a desired connection between a source and a destination, determining and resolving conflicts among multiple policies applied in real time for the desired connection, including:
  - collecting the policies applicable to the source and any groups associated with the source to determine an outbound policy term;
  - collecting the policies applicable to the destination and any groups associated with the destination to determine an inbound policy term;
  - resolving any conflicts between the inbound and outbound policy terms to determine an operating policy; and
  - applying the operating policy for a duration of an allowed communication between the source and destination.
Dependent claims: 29 to 47.

48. A method of determining connectivity in a communications system between a first user at a source and a second user at a destination for one of a plurality of different types of communication service, the method comprising:
- providing a plurality of policy rules for different connections based on different users, sources, destinations and types of service, each policy rule having one or more attributes and at least one of the attributes specifying whether a connection is allowed, a plurality of policy rules being created by attaching one or more rule elements to one or more domain elements;
- selecting one or more policy rules based on a first user, second user, source, destination and service type for a desired connection, and determining and resolving conflicts among the selected policy rules applied in real time for the desired connection to determine an enforceable operating policy from the combined attributes of the selected policy rules;
- wherein, if the enforceable operating policy allows the desired connection, implementing the desired connection in accordance with the enforceable operating policy.
Dependent claims: 49 to 54.
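As an added illustration of the conflict criterion in claims 1, 16 and 17 (policies whose domain elements intersect and whose enforcement schedules overlap) and of the outbound/inbound term resolution in claim 28, the following Python is example code written for this page; it is not the patent's implementation and not code from any product. The group hierarchy, the sample policies, the hour-of-day schedules, the priority tie-break and the rule that a connection is allowed only when neither term denies are all constructed assumptions: the claims state when a conflict exists but do not prescribe how it is decided.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Constructed sample group hierarchy: a domain element is either a device name
# or a group name, and groups may contain other groups.
GROUPS: Dict[str, Set[str]] = {
    "engineering": {"ws1", "ws2"},
    "servers": {"db1", "web1"},
    "all": {"engineering", "servers"},
}


@dataclass(frozen=True)
class Schedule:
    """Enforcement window as hours of day, half-open [start, end). Sample units."""
    start: int
    end: int

    def overlaps(self, other: "Schedule") -> bool:
        return self.start < other.end and other.start < self.end

    def contains(self, hour: int) -> bool:
        return self.start <= hour < self.end


@dataclass(frozen=True)
class Policy:
    """A rule element (action) attached to a domain, with its enforcement schedule."""
    name: str
    devices: FrozenSet[str]  # domain elements expanded to concrete devices
    action: str              # "allow" or "deny"
    schedule: Schedule
    priority: int            # assumed tie-break: higher priority wins


def expand(elements: Iterable[str], groups: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Resolve devices and (nested) groups to the set of devices they cover."""
    devices: Set[str] = set()
    seen: Set[str] = set()
    stack = list(elements)
    while stack:
        element = stack.pop()
        if element in seen:
            continue  # also guards against cyclic group definitions
        seen.add(element)
        if element in groups:
            stack.extend(groups[element])
        else:
            devices.add(element)
    return frozenset(devices)


def attach(name: str, action: str, elements: Iterable[str], schedule: Schedule,
           priority: int, groups: Dict[str, Set[str]] = GROUPS) -> Policy:
    """Attach a rule element to one or more domain elements, producing one policy."""
    return Policy(name, expand(elements, groups), action, schedule, priority)


def find_conflicts(policies: List[Policy]) -> List[Tuple[str, str, FrozenSet[str]]]:
    """Conflict per the claims: domains intersect AND enforcement schedules overlap."""
    conflicts = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            common = a.devices & b.devices
            if common and a.schedule.overlaps(b.schedule):
                conflicts.append((a.name, b.name, common))
    return conflicts


def resolve(policies: List[Policy], device: str, hour: int) -> Optional[Policy]:
    """Enforceable policy for one device at one hour (the point of set intersection).
    Assumed rule: highest priority wins; at equal priority, deny beats allow."""
    applicable = [p for p in policies if device in p.devices and p.schedule.contains(hour)]
    if not applicable:
        return None
    return max(applicable, key=lambda p: (p.priority, p.action == "deny"))


def operating_policy(policies: List[Policy], source: str, dest: str, hour: int) -> str:
    """Claim 28 flow: outbound term from the source's policies, inbound term from the
    destination's, merged into one operating policy. Assumed merge: any deny denies,
    and a connection with no applicable policy on either side is denied."""
    outbound = resolve(policies, source, hour)
    inbound = resolve(policies, dest, hour)
    terms = [t.action for t in (outbound, inbound) if t is not None]
    if not terms:
        return "deny"
    return "deny" if "deny" in terms else "allow"


# Constructed sample policies: a broad allow, a scheduled deny on one server,
# and a group-scoped allow that overlaps the baseline in both domain and time.
POLICIES = [
    attach("baseline-allow", "allow", ["all"], Schedule(0, 24), priority=1),
    attach("db-maintenance-deny", "deny", ["db1"], Schedule(22, 24), priority=5),
    attach("eng-allow-night", "allow", ["engineering"], Schedule(18, 24), priority=3),
]

if __name__ == "__main__":
    for a, b, common in find_conflicts(POLICIES):
        print(f"conflict: {a} vs {b} on {sorted(common)}")
    print("ws1 -> db1 at 23:", operating_policy(POLICIES, "ws1", "db1", 23))
    print("ws1 -> db1 at 10:", operating_policy(POLICIES, "ws1", "db1", 10))
```

Running the block reports two conflicts (the baseline policy against each of the narrower ones; the two narrower policies share no device, so they do not conflict) and shows that the same source-to-destination connection resolves differently inside and outside the maintenance window, which is the schedule-aware behaviour the claims describe.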
Specification