Search tree for policy based packet classification in...

Multiplex communications – Pathfinding or routing – Switching a message which includes an address header

Reexamination Certificate


C370S395320, C370S395430, C370S411000, C370S471000

active

06587466

ABSTRACT:

FIELD OF THE INVENTION
This invention relates to the field of packet data communication networks. It is more particularly directed to packet data transmission systems that provide service to individual packets based on defined policy criteria.
BACKGROUND OF INVENTION
This invention addresses the problem of efficiently supporting multiple services in packet networks. A key aspect of such support involves discriminating among different packets based on their contents and administratively defined policies. Most packet data networks, including the global Internet and various enterprise networks based on the Internet protocol (IP), have employed a “nondiscriminatory best-effort service model.” In this model, the network offers a uniform service to all traffic, in the sense that devices treat all packets equally in terms of their access to resources. An alternate model, known as the “policy based service differentiation model,” has several advantages. In this model, the network offers many kinds and levels of service, where different packets may get different treatment based on administratively defined policies.
This latter service model is motivated by several factors. Firstly, the number and variety of applications that generate packet traffic in networks is continuously increasing. Each of these applications has varying networking service requirements. Secondly, technologies and protocols that enable provision of many kinds of services having different levels of security and Quality of Service (QoS) are widely available. However, access to these services needs to be regulated because these services consume resources such as network bandwidth, memory and processing cycles in network devices. Thirdly, business objectives or organizational goals may be better served by discriminating between different kinds of traffic in the network rather than by treating all traffic in a uniform manner.
The importance of these motivating factors is illustrated by considering some common examples:
Traffic generated by an application such as voice over IP (VOIP) requires a low delay service while that generated by a file transfer application can tolerate longer delays.
When two network service providers, or an enterprise and a network service provider, enter into a bilateral Service Level Agreement (SLA), the agreement may dictate that the service provider guarantee performance levels (e.g., bandwidth, delay, packet loss, etc.) to certain classes of traffic under specific conditions. Obviously, enforcement of such an SLA calls for policy based differentiation among various packets in the network.
Traffic generated by a web commerce application includes packets that carry sensitive financial transaction information which need a high level of security while most other web traffic does not.
A firewall that protects a company network may have to filter incoming traffic and selectively drop certain packets based on security policies.
A Virtual Private Network (VPN) implemented on a shared public packet data network may incorporate security and QoS features for specific categories of traffic.
As an example of how traffic could differ in its importance, consider the traffic generated by casual World-Wide-Web browsing by employees as opposed to that generated by important mission-critical applications. Since both kinds of traffic compete for the same network resources, the latter, being more important, should be insulated from the former.
A central requirement in enabling policy based service differentiation in packet networks is that many network devices need to play an active role in classifying packets into categories based on applicable policy rules. It would be advantageous to have an efficient method to do such classification.
In general, rules that specify service differentiation policies are called Policy Rules and are of the form:
if (policy condition) then (policy action).
In the context of IP networks, which are among the most common packet switched networks today, policy conditions are primarily specified in terms of various packet attributes. These attributes include header fields that identify the source and destination addresses of the packet, the applications identified by the source and destination port numbers, the value of the protocol field, the type-of-service byte, etc. Additionally, policy conditions may also include other criteria such as time of day, the identity of the local interfaces on which the packet has arrived or will depart, etc. Such packet attributes and criteria used in choosing policy rules are herein referred to as ‘selector’ attributes. In general, policy rules are range based, in the sense that the policy conditions of the policy rules are defined in terms of ranges of selector attribute values.
Policy actions in policy rules include accepting or dropping data packets (for instance, in the context of a firewall functionality), accepting or denying a request for resource reservation (for instance, in the context of a protocol such as RSVP), encrypting data packets, authenticating the sender (for instance, in the context of the IPSEC standards), metering the data traffic, marking the type-of-service byte in the packet header, and shaping the traffic rate (for instance, in the context of the differentiated services standards).
FIG. 1 is an example of how policy administration may be organized. It shows a scenario in which a set of rules are defined as security policy rules (e.g. drop all incoming traffic that is destined to port number X, encrypt all outgoing traffic originating from sources in the address range A1 . . . A2 and leaving on interface Y) and another set as policy rules for quality of service based discrimination (e.g. mark all traffic from sources in the address range A1 . . . A2 and leaving on interface Y as high priority). These sets of rules are installed in a device 100 through configuration from a configuration utility 110. Device 100 is a network edge device that provides service differentiation. It contains security enforcement (filtering) module 120 and quality of service enforcement (filtering) module 130. These modules are respectively responsible for security and quality of service based differentiations. During configuration, an administrator configures the two modules over an interface 115, providing the modules 120 and 130 with their corresponding policy rules. Such configuration is done from a console attached to the device. As data packets 140 arrive at device 100, the two modules 120 and 130 separately process the packet in an order that is determined by the device architecture. The data packets 145 leave the device after receiving appropriate conditioning treatment.
In this illustration, parts of the packet processing steps are similar in both modules 120 and 130. These steps involve determining which of the specified set of policy rules are applicable. Module 120 scans only the security policy rules, and module 130 scans only the quality of service policy rules. Each module also directly applies the relevant actions to packets once an applicable policy rule is found. Often, in practice, creating a meaningful higher level service requires a combination of multiple lower level services. For example, a virtual private network service offering may combine both security and quality-of-service elements. In such a scenario, packets belonging to a certain class will require both security and quality of service specific actions. In the case illustrated in FIG. 1, this implies that such packets go through identical classification steps twice, once in module 120 and again in module 130. In general, in a network device architecture that implements policies through separate configuration of multiple service specific modules, there is a likelihood of redundant steps in processing individual packets. This reduces the overall throughput.
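The following added example (not code from the patent) makes the range-based policy rules of the preceding sections and the two-module arrangement of FIG. 1 concrete: each rule is a conjunction of ranges over the selector attributes, each module does a first-match linear scan over its own rule set, and the returned count of rules examined shows the duplicated classification work the text describes. Port X (23), the address range A1 . . . A2 (10.1.0.0 to 10.1.255.255) and interfaces eth0/eth1 are constructed placeholder values.

```python
from dataclasses import dataclass
from ipaddress import ip_address
def addr(s: str) -> int:  # IPv4 dotted string -> integer, so ranges compare numerically
    return int(ip_address(s))

@dataclass(frozen=True)
class Packet:  # selector attributes named in the text (constructed example)
    src: int; dst: int; proto: int; sport: int; dport: int; in_if: str; out_if: str

# A policy rule "if (condition) then (action)": each selector in the condition is a
# closed range (lo, hi), None meaning "any"; interfaces must match exactly.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: tuple = None; dst: tuple = None
    proto: tuple = None; sport: tuple = None; dport: tuple = None
    in_if: str = None; out_if: str = None

def matches(rule: Rule, p: Packet) -> bool:
    """The packet matches when every selector range of the condition covers it."""
    ok = lambda v, rng: rng is None or rng[0] <= v <= rng[1]
    return (ok(p.src, rule.src) and ok(p.dst, rule.dst) and ok(p.proto, rule.proto)
            and ok(p.sport, rule.sport) and ok(p.dport, rule.dport)
            and rule.in_if in (None, p.in_if) and rule.out_if in (None, p.out_if))

def classify(rules, p: Packet):
    """Linear scan in priority order, first match wins; returns (rule, rules examined)."""
    for i, r in enumerate(rules, 1):
        if matches(r, p):
            return r, i
    return None, len(rules)

# Rule sets in the spirit of FIG. 1; port X, range A1..A2 and interface Y are constructed.
A1_A2 = (addr("10.1.0.0"), addr("10.1.255.255"))
SECURITY_RULES = [
    Rule("drop-incoming-to-port-X", "drop", dport=(23, 23), in_if="eth0"),
    Rule("encrypt-from-A1-A2-out-Y", "encrypt", src=A1_A2, out_if="eth1"),
    Rule("default", "accept"),
]
QOS_RULES = [
    Rule("high-priority-from-A1-A2-out-Y", "mark-high-priority", src=A1_A2, out_if="eth1"),
    Rule("default", "best-effort"),
]

def process(p: Packet) -> dict:
    """Modules 120 and 130 each scan their own set, so the packet is classified twice."""
    sec, n_sec = classify(SECURITY_RULES, p)
    qos, n_qos = classify(QOS_RULES, p)
    return {"actions": [sec.action, qos.action], "rules_examined": n_sec + n_qos}
```

A VPN-style packet from A1 . . . A2 leaving on Y is matched against the same address range and interface by both modules, which is the redundancy a single combined classification step would avoid.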
The classification process to determine applicability of a set of policy rules to a packet is in itself a time consuming process. This is primarily because of the multiple dimensions and criteria involved. Each policy condition
