This application relates to the field of communications networks, and more particularly, to protocols and algorithms deployed in packet-switched networks.
In communications networks such as the Internet, information is transmitted in the form of packets. A packet comprises a unit of digital information that is individually routed hop-by-hop from a source to destination. The routing of a packet entails that each node, or router, along a path traversed by the packet examines header information in the packet, to compare this header against a local database; upon consulting the local database, the router forwards the packet to an appropriate next hop. The local database is typically referred to as the Forwarding Information Base or FIB; the FIB is typically structured as a table, but may be instantiated in alternative formats. Entries in the FIB determine the next hop for the packet, i.e., the next router, or node, to which the respective packets are forwarded in order to reach the appropriate destination. The Forwarding information Bases are usually derived from global or network-wide information from a collective database. Each protocol names the collective databases to denote the type of information. Such databases are referred to generically herein as Network Information Databases (NIBs).
In implementations of the Internet Protocol (IP), the FIB is typically derived from a collective database, i.e., a NIB, referred to as a Routing Information Database or RIB. A RIB resident on a router amalgamates the routing information available to that router; one or more algorithms are typically used to map the entries, e.g., routes, in the RIB to those in the FIB, which, in turn, is used for forwarding packets to their next hop. The IP RIB may be constructed by use of two techniques, which may be used in conjunction: (a) static configuration and (b) dynamic routing protocols. Dynamic IP routing protocols may be further subdivided into two groups based on the part of the Internet in which they operate: exterior gateway protocols, or EGPs, are responsible for the dissemination of routing data between autonomous administrative domains, and interior gateway protocols, or IGPs, are responsible for dissemination of routing data within a single autonomous domain. Furthermore, two types of IGPs are in widespread use today: those that use a distance-vector type of algorithm and those that use the link-state method.
Routers typically support route selection policies which enable the selection of a best route amongst alternative paths to a destination. Routing selection policies may be pre-defined by a protocol, or distributed statically or dynamically distributed. EGP protocols such as Border Gateway Protocol Version 4 (BGP-4) allow route selection policy on destination address and the BGP Path information. Routers also typically support route distribution policies, which govern the determination of which routes are sent to particular peers. Route distribution policies can be pre-defined by a protocol, statically configured or dynamically learned. Dynamically learned policies can, in turn, be forwarded to a router within the same routing protocol that sends routes, or may be sent in a separate protocol. As illustrative examples, BGP-4 allows for the inclusion of outbound route filter policies within BGP packets; the Route Policy Server Language sends route distribution policy in a separate protocol. Some BGP-4 peers add or subtract BGP communities from BGP-4 path attributes, to mitigate policy processing on recipient peers. The addition of the BGP-4 Communities is sometimes called coloring or “dyeing” BGP-4 routes.
Routing protocols frequently secure data by use of security information, which may be statically configured or dynamically distributed. In the latter case, security often flows down a hierarchy of trust. A common trusted source originates certificates, which are passed down to a set of trusted devices; these trusted devices in turn pass down this “trust” model to other devices. This model of trust flow is referred to as security delegation. Public Key Infrastructure includes certificates are passed down a security delegation chain to given nodes, in conformance with the security delegation model. Secure BGP (S-BGP) utilizes such certificates to attest that BGP route information has been certified as correct.
Policies may be loaded on individual routers via local static configuration or over an attached network. Manual configuration of policies on routers increases the likelihood of erroneous entries. Additionally, given the considerable number of nodes in communication over inter-networks, manual configuration suffers from obvious problems of scale and consistency. Dynamic configuration takes considerable time and system resources in ensuring consistency preservation, thereby delaying network convergence.
As illustrative examples of the complications inherent in preserving network consistency, consider common policy filters, such as firewalls and BGP routers. Firewalls may have up to contain from 10 to 100,000 filters for different types of information. BGP peers route 140,000 routes and may also have from 10 to 100,000 filters determining acceptable routes. A filter description that is encoded as an ASCII string for a command line interface may, in turn, consume 100-1000 bytes of data, as well as several seconds of interchange in order to change the filter. Despite the enormous amounts of traffic required to communicate these filters, this problem is dwarfed by the challenge of reducing the time required to change filters while preserving consistency.
In view of the issues raised above, there is a need for novel techniques for ensuring consistency amongst policies amongst communications nodes. Such techniques should ensure fast, efficient convergence of network policies. Furthermore, such consistency should be accomplished while allowing policies and network regions to be updated dynamically, and in a manner which assures the security of the network. These and other objects are addressed herein.
The invention includes methods and architectures for the enforcement of consistent policy across defined portions of one or more packet-switched networks. The invention enables nodes contained in these network regions to communicate and enforce policies that govern their operation. Illustrative examples of such policies include network functions such as routing, filtering, security, authentication, information summarization and expansion; these and other categories of network policy are elaborated upon further herein.
Embodiments of the invention include a feature referred to herein as a Policy Domain. The policy domain includes mechanisms for ensuring policy consistency within defined regions of one or more networks. As such, nodes within a policy domain may be coupled virtually, rather than physically. In some embodiments, these network regions may include nodes distributed across one or more Local Area Networks (LANs) or Wide Area Networks (WANs). As a non-limiting, illustrative example, a policy domain may include distinct nodes in different Autonomous Systems. The boundaries delineating a policy domain may also evolve over time.
Embodiments of the invention include hierarchies of policy categories. Policies which govern network processes may be categorized as follows:
Other relevant policy categories and alternative classifications of policy types will be apparent to those skilled in the art.
In some embodiments of the invention, each network policy in a policy domain is classified in exactly one category of a pre-defined hierarchy of policy categories. As a non-limiting, illustrative example, embodiments of the invention include the following policy hierarchy, listed in descending hierarchical order:
1. Peer policies
2. Security validation policies
3. Security delegation policies,
4. Summarization of information policies,
5. Expansion of information policies,
6. Selection policies,
7. Distribution policies,
8. Dynamic Distribution policies
9. Policy Distribution policies
Alternative policy hierarchies and classifications will be apparent to those skilled in the art.
Embodiments of the invention also include numerous algorithms and data structures for preserving consistency amongst the policies supported by the policy domain, and categorized according to the classification hierarchies discussed above. These and other embodiments are described in greater detail infra.
a and 3b illustrate data structures and algorithms for policy verification according to embodiments of the invention.
The invention includes mechanisms enabling the establishment, preservation, and dynamic evolution of Policy Domains, which allow distinct network regions to introduce policies in a manner that preserves consistency. The Policy Domain is a logical construct, and may comprise nodes which are distributed across one or more networks. In some embodiments, each Policy Domain is identified with an identification number.
In embodiments of the invention, Policy Domains include mechanisms which reduce pre-existing policies into formal policy categories; verify common security policies; enable policy synchronization within the policy domain; and enforce consistency amongst polices governing the policy domain, while enabling new policies to be introduced to the policy domain.
In embodiments of the invention, the types of policies supported by a policy domain may be classified into distinct categories. One illustrative, non-limiting example of such categories is presented in
To illustrate the concept of policy hierarchies, the classifications presented in
The hierarchy 200 presented in
(a). Peer Policies
In embodiments of the invention, a peer policy operating at a node in the policy domain determines the network entities which may exchange information with the respective node. Peer policies include policies governing:
(b). Security Validation Policies
Validation policies for a policy domain may include further sub-categories, such as syntax, context, and attestation; additional sub-categories shall be apparent to those skilled in the art. Policies governing syntax validation enable nodes to determine whether packets conform to correct syntax. A relatively simple example of such validation is confirmation that an IP address in a packet conforms to either IPv4 standards, i.e., 32 bits, or IPv6 standards (128 bits). Other examples include verification that packets received are in conformance with the IETF specifications of the respective protocol. Context validation confirms that information received by a node is within a range specified for the appropriate information base. By way of non-limiting example, in BGP-4 the IPv6 addresses are only valid in the context of the multi-protocol path attribute. Attestation enables confirmation from appropriate sources that information received at a node remains valid after having being transmitted through the network. The authority that attests the validation may be instantiated in different forms: such an authority can be an algorithm, an entity on the network, or other entity as shall be apparent to those skilled in the art. One such entity may comprise a router that uses a public key infrastructure to secure the information. Security validation policies may be implied or explicitly stated in protocol documents, or determined by network policy. Other appropriate sources of security validation policies shall be apparent to those skilled in the art.
(c). Security Delegation Policies
Security delegation policies determine the appropriate authorities to validate syntax, context and attestation information. As elaborated above, these polices may be implicit or explicit in protocol specifications, or otherwise transmitted in the network. An illustrative, non-limiting example of such implied syntax and context is contained in the OSPF v2 specification, which specifies the syntax of the OSPF protocol messages as well as the content inside these messages. An example of an attestation policy is the public key infrastructure, or PKI, which specifies a root authority for passing out certifications, as well as intermediate nodes which can be used for certifications. Other relevant examples shall be apparent to those skilled in the art.
(d). Information Summarization Policies
Information summarization policies enable compression of information passed through a policy domain. Illustrative examples of summarization policies implemented in networks include the use of network subnets by OSPFv2 or proxy aggregation of routes in BGP-4; other such compression techniques are well-known to those skilled in the art. Policies for summarizing information may utilize levels of peer topology, or alternatively, may be based on a flat peer.
(e). Information Expansion Policies
Information expansion policies allow compressed or stored information to be elaborated. A simple, illustrative example of an information expansion policy is presented by the expansion of an entry for “Jane Doe” in a Directory Information Base, such as an LDAP directory, to the additional information associated with “Jane Doe”, such as job title, company, street address, telephone number and email address.
(f). Route Selection Policies
Route selection policies determine which pieces of information will be passed onto peers. Route selection policies may enable a given piece of information to traverse single or multiple network pathways. Sub-categories within the route selection polices may include:
In embodiments of the invention, policies filtered through the categorization hierarchy 200 are, upon arrival at the Route Selection Policy, filtered through the categories listed above.
(g). Distribution Policies
Distribution policies govern the information distributed to various peers in the peer topology. Distribution policies may also include sub-categories, such as:
(h). Dynamic Distribution Policies
Dynamic distribution policies govern actions undertaken upon the occurrence of an event and the receipt or presence of a particular type of information in the network. Events may be synchronous events, i.e., events scheduled at particular times, or asynchronous events triggered by an external source. Such events are elaborated upon further infra.
Embodiments of the invention include algorithms and data structures for supporting the policies described above. These include algorithms and data structures for security validation, policy synchronization, and for enforcement of consistency amongst policies implemented in a policy domain. Examples of such mechanisms are described further herein.
(a). Mechanisms for Verifying Security Validation Policies
In embodiments of the invention, a Network Information Base (NIB) may include a data structure 300 as illustrated in
In embodiments of the invention, the security validation process checks for both exact and probabilistic matches to verify the security validation policies. As a first step, security validation identifiers may be compared between different policies 320322324326. If exact matches are not found, a determination is made of the percentage of sub-categories which match 328330332. This information is in turn reported to the processes enforcing policy validation; in embodiments these processes may reside on nodes within the respective policy domain. In alternative embodiments, these processes may be external to the policy domain.
(b). Mechanisms for Supporting Policy Synchronization
Embodiments of the invention distinguish between different cases of policy inconsistency; specifically, such embodiments include mechanisms for determining whether policies are truly inconsistent, or merely out-of-synch. Accordingly, such embodiments include mechanisms for synchronizing policies in a NIB. One such mechanism for synchronizing policies is illustrated by the policy instance database depicted in
Embodiments of the invention also include algorithms for synchronizing policies supported by a NIB. Such algorithms may reside on nodes within the appropriate policy domain, or on authorized external processors. One such algorithm is presented in pseudo-code as follows:
For each node in the Policy Domain for a NIB,
Each category with a sub-category uses the same algorithm to determine if the category identifiers are misaligned; however, the sub-category identifiers are the same. If all the sub-category identifiers are the same, then re-flood the category identifier with the list of sub-categories id. If the sub-category identifier is not the same, flood the information for that sub-category.
The algorithm is recursive to the depth of the category breakdown. Variants, equivalents, and alternative embodiments of the synchronization algorithm will be apparent to those skilled in the art.
(c). Topology of Policy Domains and Definition of Consistency
To enforce consistent policy within a Policy Domain, embodiments of the invention include topologies for ensuring such consistency.
Policy Consistency can be defined with reference to the topology of the Policy Domain. A Policy Domain supports consistent policies if the following conditions are met:
The “Then” clause in the definition above may be restated more specifically by reference to the example topology as follows:
(d). Consistency Enforcement Algorithms
Embodiments of the invention include methodologies and algorithms for ensuring that consistency is maintained between policies in a policy domain. Examples of such methods and algorithms are illustrated in the flowchart of
Upon securing the steps above, the consistency preservation techniques proceed as follows:
A non-limiting example of an inter-dependent set of policies is illustrated by BGP, which allows the addition of a community to “dye” routes a color; policies may subsequently be written on the color, thereby entailing interdependency of the routes in the color.
Embodiments of the invention also include algorithms for preserving consistency of dynamic route distribution policies, which proceed as follows:
Embodiments of the Invention include similar algorithms for preserving consistency amongst summarization and expansion policies, and for policy distribution policies.
From the foregoing, it will be appreciated that specific embodiments of the invention have been described herein for purposes of illustration, but that various modifications may be made without deviating from the spirit and scope of the invention. In particular, many equivalent algorithms may be used, and the examples presented here are for illustrative purposes only. Accordingly, the invention is not limited except as by the appended claims.
This application is a divisional of U.S. Utility patent application Ser. No. 10/648,141, entitled “Establishment And Enforcement Of Policies In Packet-Switched Networks” filed Aug. 25, 2003, which is related to U.S. Provisional Application No. 60/390,576, entitled “Fibonacci Heap for Use with Internet Routing Protocols,” U.S. Utility Application entitled “Fibonacci Heap for Use with Internet Routing Protocols,” U.S. Utility Application entitled “Systems and Methods for Routing Employing Link State and Path Vector Techniques,” filed on the same day herewith, and U.S. Utility Application entitled “Nested Components for Network Protocols,” also filed on the same day herewith, each of which is hereby incorporated by reference in its entirety.
Number | Date | Country | |
---|---|---|---|
Parent | 10648141 | Aug 2003 | US |
Child | 11881231 | Jul 2007 | US |