Bi-planar network architecture

Abstract
An electronic communication network includes a connectivity plane and a control plane. The control plane includes at least one control node for inspecting packets received by the control plane. The control plane is configured to perform network traffic control functions on the packets received by the at least one control node before transmitting the packets to any other node in the network. The network traffic control functions include one or more of access control, attack control, and application control.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a high-level functional diagram of a prior art electronic communication network;

FIG. 1B is a high-level functional diagram of an electronic communication network according to one embodiment of the present invention;

FIG. 1C is a diagram illustrating use of a control plane to perform network traffic control functions according to one embodiment of the present invention;

FIG. 1D is a diagram illustrating a control plane according to one embodiment of the present invention;

FIG. 2 is a flowchart of a method for consolidating control in the electronic communications network of FIG. 1A according to one embodiment of the present invention;

FIG. 3 is a flowchart of a method for using a control plane to perform network traffic control functions according to one embodiment of the present invention;

FIG. 4 is a flowchart of a method for configuring a control plane to perform network traffic control functions according to one embodiment of the present invention; and

FIG. 5 is a flowchart of a method for configuring a control plane over a secure management connection according to one embodiment of the present invention.

Claims
  • 1. A method of consolidating control in an electronic communication network, the method comprising: (A) deploying at least one control node in the network, the at least one control node comprising means for inspecting packets received by the at least one control node; and (B) configuring the at least one control node to perform network traffic control functions on the packets received by the at least one control node before transmitting the packets to any other node in the network, wherein the network traffic control functions include network access control and either: (1) application control, (2) attack control, or (3) both application traffic control and attack control.
  • 2. The method of claim 1, wherein (B) comprises configuring the network to perform the network traffic control functions substantially exclusively in the at least one control node.
  • 3. The method of claim 2, wherein the network comprises at least one network interconnect device not configured to perform the network traffic control functions.
  • 4. The method of claim 3, wherein the at least one network interconnect device comprises at least one layer 2 switch.
  • 5. The method of claim 3, wherein the at least one network interconnect device comprises at least one layer 3 switch.
  • 6. The method of claim 3, wherein the at least one network interconnect device comprises at least one router.
  • 7. The method of claim 1, wherein network access control comprises controlling initial connection of a device to the electronic communication network and revoking access of the device to the electronic communication network if the device engages in unauthorized behavior.
  • 8. A method for use with an electronic communication network, the method comprising: (A) receiving a packet at a control node in the network; and (B) at the control node, performing network traffic control functions on the packet received by the control node without transmitting the packet to any other node in the network, the network traffic control functions including network access control and either: (1) application traffic control, (2) attack control, or (3) both application traffic control and attack control.
  • 9. The method of claim 8, further comprising: (C) after (B), transmitting the packet to another node in the network.
  • 10. An electronic communication network comprising: a first node; a control node comprising: means for inspecting network traffic received by the control node; and means for performing network traffic control functions on the network traffic received by the control node before transmitting the network traffic to the first node, the network traffic control functions including network access control and either: (1) application traffic control, (2) attack control, or (3) both application traffic control and attack control.
  • 11. The network of claim 10, wherein the means for performing network traffic control functions comprises means for performing the network traffic control functions without transmitting the network traffic to any other node in the network.
  • 12. The network of claim 11, further comprising means for transmitting the network traffic to the first node after the means for performing the network traffic control functions performs the network traffic control functions.
  • 13. A network control device, suitable for installation in an electronic communication network comprising a plurality of network nodes communicatively linked by at least one network interconnect device, the network control device comprising, in a unitary assemblage: (a) input/output means for communicatively linking the network control device to said electronic communication network; (b) a power supply means for supplying power to the network control device; and (c) logic and processing circuitry configurable to perform network traffic control functions on traffic flowing into the network control device through the input/output means, the network traffic control functions including network access control and either: (1) application traffic control, (2) attack control, or (3) both application traffic control and attack control.
  • 14. The network control device of claim 13, wherein the logic and processing circuitry comprises means for performing the network traffic control functions on the traffic without transmitting the traffic to any other device in the network.
  • 15. The network control device of claim 14, further comprising means for transmitting the traffic to another node in the network after the logic and processing circuitry performs the network traffic control functions on the traffic.
  • 16. An electronic communication network comprising: a plurality of network nodes communicatively linked by at least one network interconnect device; at least one control node, each comprising: means for receiving network traffic from the at least one network interconnect device; and means for inspecting the received network traffic; and means for performing a plurality of network traffic control functions on the received network traffic, said plurality of network traffic control functions including at least two of network access control, application traffic control, and attack control, wherein said plurality of network traffic control functions is performed substantially exclusively by said at least one control node throughout said electronic communication network.
  • 17. The electronic communication network of claim 16, wherein the at least one network interconnect device comprises at least one layer 2 switch.
  • 18. The electronic communication network of claim 16, wherein the at least one network interconnect device comprises at least one layer 3 switch.
  • 19. The electronic communication network of claim 16, wherein the at least one network interconnect device comprises at least one router.
  • 20. The electronic communication network of claim 16, wherein network access control comprises controlling initial connection of a device to the electronic communication network and revoking access of the device to the electronic communication network if the device engages in unauthorized behavior.
  • 21. An electronic communication network comprising: a connectivity plane comprising at least one network interconnect device; and a control plane comprising at least one control node; wherein the electronic communication network is configured to perform a plurality of network traffic control functions substantially exclusively in said control plane on network traffic flowing into said control plane from at least one network interconnect device, said plurality of network traffic control functions including at least two of network access control, application traffic control, and attack control.
  • 22. The electronic communication network of claim 21, wherein the at least one network interconnect device comprises at least one layer 2 switch.
  • 23. The electronic communication network of claim 21, wherein the at least one network interconnect device comprises at least one layer 3 switch.
  • 24. The electronic communication network of claim 21, wherein the at least one network interconnect device comprises at least one router.
  • 25. A method for use with an electronic communication network, the network comprising a connectivity plane, the method comprising: (A) installing a control plane in the network; (B) configuring the control plane to perform a plurality of network traffic control functions on network traffic received by the control plane, the plurality of network traffic control functions including at least two of network access control, application traffic control, and attack control; wherein (A) and (B): are performed without modifying the connectivity plane; are performed without disabling network interconnect devices in the connectivity plane; and include configuring a subset of the network interconnect devices in the connectivity plane not to perform the plurality of network traffic control functions.
  • 26. The method of claim 25, wherein the network further comprises an application plane, and wherein (A) and (B) are performed without modifying the application plane.
  • 27. A method for use with an electronic communication network, the network comprising a connectivity plane configured to perform a first plurality of network traffic control functions, the method comprising: (A) installing a control plane in the network; (B) configuring the control plane to perform a second plurality of network traffic control functions on network traffic received by the control plane, the second plurality of network traffic control functions including at least two of network access control, application traffic control, and attack control; and (C) configuring the connectivity plane not to perform the second plurality of network traffic control functions.
  • 28. The method of claim 27, wherein the network further comprises an application plane, and wherein (A) and (B) are performed without modifying the application plane.
  • 29. A method for use with an electronic communication network, the network comprising a connectivity plane, the method comprising: (A) installing a control plane in the network; and (B) configuring the control plane to perform, substantially exclusively throughout the electronic communication network, a plurality of network traffic control functions on network traffic received by the control plane, the plurality of network traffic control functions including at least two of network access control, application traffic control, and attack control.
  • 30. The method of claim 29, wherein (B) comprises configuring the control plane without modifying the connectivity plane.
  • 31. The method of claim 29, wherein (B) comprises configuring the control plane without disabling network interconnect devices in the connectivity plane.
  • 32. The method of claim 29, wherein (B) comprises configuring a subset of network interconnect devices in the connectivity plane not to perform the plurality of network traffic control functions.
  • 33. A method for use with an electronic communication network, the network comprising a connectivity plane and a control plane, the method comprising: (A) establishing a secure management connection in the network with the control plane; (B) configuring, over the secure management connection, the control plane to perform, substantially exclusively throughout the electronic communication network, a plurality of network traffic control functions on network traffic received by the control plane, the plurality of network traffic control functions including at least two of network access control, application traffic control, and attack control.
  • 34. The method of claim 33, wherein (B) comprises configuring the control plane without modifying the connectivity plane.
  • 35. The method of claim 33, wherein (B) comprises configuring the control plane without disabling network interconnect devices in the connectivity plane.
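As an added illustration, not the patent's own implementation and not code from any disclosed embodiment, the following Python model shows the division of labour the claims describe: a connectivity plane (a layer 2 switch) that performs no traffic control and hands every packet to a control node, and a single control node that applies network access control (including revocation of a device that engages in unauthorized behaviour, as in claims 7 and 20), attack control and application control before the packet is transmitted to any other node (claims 1, 8 and 9). All device names, ports, policy tables, the strike threshold and the byte signature are constructed for this example.

```python
"""Toy bi-planar network: a forwarding-only connectivity plane plus one control
node that inspects every packet before it reaches any other node.
Added illustration; every identifier and policy below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str          # constructed device identifier of the sender
    dst: str          # constructed device identifier of the receiver
    dport: int        # destination port, used here as the application selector
    payload: bytes


@dataclass
class Verdict:
    action: str       # "forward" or "drop"
    reason: str


class ControlNode:
    """Single inspection point: nothing is forwarded until all functions pass."""

    def __init__(self, admitted: Set[str], app_policy: Dict[str, Set[int]],
                 signatures: Dict[str, bytes], strikes_to_revoke: int = 2) -> None:
        self.admitted = set(admitted)          # devices allowed initial connection
        self.app_policy = app_policy           # permitted ports per device
        self.signatures = signatures           # constructed attack byte patterns
        self.strikes_to_revoke = strikes_to_revoke
        self.revoked: Set[str] = set()
        self.strikes: Dict[str, int] = {}

    def access_control(self, pkt: Packet) -> Optional[str]:
        """Network access control: initial admission plus revocation state."""
        if pkt.src in self.revoked:
            return "access revoked"
        if pkt.src not in self.admitted:
            return "device not admitted to the network"
        return None

    def attack_control(self, pkt: Packet) -> Optional[str]:
        """Attack control: drop payloads matching a known signature."""
        for name, pattern in self.signatures.items():
            if pattern in pkt.payload:
                return f"attack signature matched: {name}"
        return None

    def application_control(self, pkt: Packet) -> Optional[str]:
        """Application control: only permitted applications (ports) per device."""
        if pkt.dport not in self.app_policy.get(pkt.src, set()):
            return f"application on port {pkt.dport} not permitted for {pkt.src}"
        return None

    def _record_unauthorized_behaviour(self, device: str) -> None:
        # Repeated violations revoke the device's network access (claim 7 behaviour).
        self.strikes[device] = self.strikes.get(device, 0) + 1
        if self.strikes[device] >= self.strikes_to_revoke:
            self.revoked.add(device)

    def inspect(self, pkt: Packet) -> Verdict:
        denied = self.access_control(pkt)
        if denied:
            return Verdict("drop", denied)
        for check in (self.attack_control, self.application_control):
            reason = check(pkt)
            if reason:
                self._record_unauthorized_behaviour(pkt.src)
                return Verdict("drop", reason)
        return Verdict("forward", "passed all control functions")


class ConnectivityPlane:
    """Layer 2 switch with no control functions: it consults the control node
    for every packet and only delivers what comes back approved."""

    def __init__(self, control: ControlNode) -> None:
        self.control = control
        self.delivered: List[Packet] = []

    def receive(self, pkt: Packet) -> Verdict:
        verdict = self.control.inspect(pkt)
        if verdict.action == "forward":
            self.delivered.append(pkt)      # transmit to the destination node
        return verdict


def build_demo_network() -> ConnectivityPlane:
    """Constructed policy: two admitted devices, one signature, two strikes."""
    control = ControlNode(
        admitted={"host-a", "host-b"},
        app_policy={"host-a": {80, 443}, "host-b": {22}},
        signatures={"demo-exploit": b"\x90\x90\x90\x90/bin/sh"},
    )
    return ConnectivityPlane(control)


def run_demo() -> List[Verdict]:
    """Constructed traffic exercising admission, app policy, attack and revocation."""
    net = build_demo_network()
    traffic = [
        Packet("host-a", "server", 443, b"GET / HTTP/1.1"),          # forwarded
        Packet("host-x", "server", 80, b"GET / HTTP/1.1"),           # never admitted
        Packet("host-b", "server", 80, b"GET / HTTP/1.1"),           # wrong app: strike 1
        Packet("host-b", "server", 22, b"\x90\x90\x90\x90/bin/sh"),  # attack: strike 2, revoked
        Packet("host-b", "server", 22, b"SSH-2.0-client"),           # benign, but access revoked
    ]
    return [net.receive(p) for p in traffic]


if __name__ == "__main__":
    for v in run_demo():
        print(v.action, "-", v.reason)
```

The point the model makes is structural: the switch has no policy of its own, so adding or changing a control function touches only the control node, and a device that keeps violating policy is cut off at admission rather than being re-evaluated on every packet.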
Provisional Applications (2)
Number Date Country
60772152 Feb 2006 US
60773437 Feb 2006 US