The present invention generally relates to routing of data elements. The invention relates more specifically to a method and apparatus for managing routing of data elements.
The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Various routing management tools are available for managing routing of data elements such as data packets in a data communication network such as the Internet. One such tool is Optimized Edge Routing (OER), described in “Cisco Optimized Edge Routing Deployment Guide”, which is available at the time of this writing in the file “networking_solutions_whitepaper09186a008022dbfa.shtml” in the directory “enS/netso1/ns471” of the domain “cisco.com” on the World Wide Web.
The OER feature will be well known to the skilled reader and so is described only in summary here. In particular, the OER feature tracks the throughput, utilization, reachability and packet loss rate of traffic on a per-destination basis and takes appropriate actions to manage routing in order, for example, to increase traffic performance. Referring to
In the realm of network security management, flow records may be exported to an external application for further security analysis. One such application is available from ARBOR Networks, Lexington, Mass., USA. A further such application comprises the Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS), a successor to products from Protego Networks, Inc, Sunnyvale, Calif., USA. Such external applications detect anomalies in flows based on determination of specific flow behaviour. For example the applications may identify flows with identical source and destination IP addresses but different destination ports, or may use statistical analysis to detect abnormalities and in particular malicious attempts. In those circumstances an access-list (ACL) is created to allow filtering of malicious flows.
However, existing applications do not permit dynamic adaptation to malicious attempts but rely on static configurations of routers, meaning that repetitive intrusion attempts are processed in the same manner each time.
A method and apparatus for managing routing of data elements is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.
Embodiments are described herein according to the following outline:
The needs identified in the foregoing Background, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method for managing routing of data elements, each having a plurality of characteristics with a respective attribute, in a data communications network. The method comprises creating a flow record of data elements having common attributes for one or more tracked characteristics; defining said flow record as a trackable object; tracking a state change of said trackable object; and performing a routing management step upon occurrence of a tracked state change.
In other aspects, the invention encompasses a computer apparatus and a computer-readable medium configured to carry out the foregoing steps.
2.0 Structural and Functional Overview
In overview a method of managing routing of data elements can be understood with reference to
At step 204 the filtered flow record is defined as a trackable object and at step 206 state changes of the object are tracked. For example, the state change may comprise the creation or removal of the flow record, or a flow record value such as number of packets or number of bytes exceeding or falling below a respective pre-determined threshold. Defining a filtered flow record as a trackable object may comprise, for example, using Enhanced Object Tracking (EOT) to track the record, as described further below. At step 208, on occurrence of a tracked state change, a routing management step is performed. This may be, for example, rerouting of flows, changing of network metrics, diverting flows to a security management application, or other treatment of flows dependent on the policy implemented. At step 210 the trackable object is distributed to other routers in the network in order that similar routing management steps can be implemented elsewhere on the network. Receiving routers can determine that the object is trackable using EOT.
For example where a malicious flow has been identified at a router it is characterized as a trackable object which is then distributed to other routers such that appropriate security steps can be implemented across the network. When a remote router receives the trackable object, therefore, it will detect that the object is trackable using EOT, implement the steps generally set out in
As a result, enhanced flexible routing is enabled based on traffic measurements and statistics derivable from flow records. Use of packet header inspection, traffic patterns and pattern treatment provides optimal information across a range of implementations, as described in more detail below.
3.0 Method of Managing Routing of Data Elements
The method can be understood further with reference to
At step 300 an intrusion attempt is identified by an external application such as ARBOR, Protego, or Cisco Security MARS. In one example, the intrusion attempt has the following characteristics: source/destination addresses 1.1.1.1/2.2.2.2; source/destination ports many/80.
At step 302 the flow characteristics to be monitored are specified. In particular, Flexible NetFlow is used to specify the keys or characteristics defining a flow, such as source and destination IP address, source and destination ports, protocol identifier, type of service and so forth. In addition, values, in the form of record values, can be specified comprising extra information such as number of packets or number of bytes. As a result, specific cache visibility is provided in terms of flow level details based on the specified requirements. In the current example the defined flow keys or characteristics are source address (src-addr), destination address (dst-addr) and destination port (dst-port). In addition, flow record values comprising the number of packets (Nbr Packets) and the number of bytes (Nbr Bytes) are defined.
At step 304 the flows are filtered to remove uninteresting flow records. For example, filtering involves applying an access-list to the flows defined in step 302 and cached in a NetFlow cache, allowing pre-filtering of traffic. In the example described here the filter can be applied to permit flows with source address 1.1.1.1 AND destination address 2.2.2.2 AND destination port 80 and to deny all other flows. As a result the suspicious flow determined by the external application in step 300 is described by a single flow record entry in the cache.
At step 306 the flow record obtained is characterised by the definition of an object whose status is to be tracked. This can be implemented, for example, using Enhanced Object Tracking (EOT), which feature will be familiar to the skilled reader and is described in “Enhanced Object Tracking”, which is available at the time of writing in the file “fth/fthsrptk” in the directory “univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15” of the domain “cisco.com” on the World Wide Web. Implementation of the EOT feature will be well known to the skilled reader and so is only described in summary here. In particular, EOT creates a stand-alone tracking process in order to monitor the status of different objects, allowing an external process to register with the EOT process and take appropriate actions based on object status changes.
At step 308 a state change is detected. Various states are possible, for example: existence of the object, meaning that a flow has been identified; threshold over a given value, where the record value such as number of bytes or packets is above a given threshold for a given time window; or threshold below a given value, where the value of the object is below a given threshold for a given time window. In the example given, therefore, appropriate rules can be defined. For example, if the number of packets per second (NbrPackets/second) is higher than 1000 then a state change may be detected. Similarly, if the number of packets per second is lower than 500 then again a state change may be identified. The rules may be set in such a way that they remain active for a duration of a pre-determined number of hours or days even if the object does not exist, allowing the router to react quickly to further identical malicious attempts.
At step 310 the appropriate routing management steps can be taken upon detection of the state change. This may be achieved, for example, by implementation of an appropriate policy such that the router performs corrective actions such as installing or removing a policy that will discard packets belonging to the flow and/or encapsulate (if necessary) and redirect traffic towards a packet payload analyser for further inspection, or any other appropriate routing management step. In the example described, if NbrPackets/second is higher than 1000 then the policy applied may be that any packets within the flow are simply dropped, whereas if NbrPackets/second is lower than 500 then the previously applied policy may be removed for this flow. As a result it will be seen that flexible flow based routing can be implemented.
At step 312 the object that has been created can be distributed to other routers in order for them to react similarly in the case of a corresponding detected flow, for example, an identical malicious attempt. In particular the object definition, creation and tracking together with the corrective action information can be distributed to any other router that may be subject to the same security issue allowing faster reaction as there is no reliance on initial detection mechanisms.
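The procedure of steps 300 to 312 above, which the overview at steps 204 to 210 summarises, is shown end to end in the following simulation. It is an added example written for this text; it is not code from this specification, from Cisco IOS, Flexible NetFlow or EOT, and it makes no claim about how those products implement object tracking. The flow keys (src-addr, dst-addr, dst-port), the record values, the ACL permitting only 1.1.1.1 to 2.2.2.2 port 80, the 1000 and 500 packets-per-second thresholds and the discard action are taken from the text; the class and field names, the JSON export format used for distribution, the one-second measurement window and the packet trace are constructed for illustration.

```python
import json
from typing import Dict, List, Optional, Tuple

FLOW_KEYS = ("src_addr", "dst_addr", "dst_port")   # step 302 flow keys (hypothetical names)
FlowKey = Tuple[str, str, int]


class FlowCache:
    """NetFlow-style cache: per-key packet/byte counters behind an ACL pre-filter (step 304)."""
    def __init__(self, acl):
        self.acl, self.records = acl, {}           # key -> {"packets": n, "bytes": n}

    def observe(self, pkt: dict) -> None:
        key = tuple(pkt[k] for k in FLOW_KEYS)
        if self.acl(*key):                          # every other flow is denied
            rec = self.records.setdefault(key, {"packets": 0, "bytes": 0})
            rec["packets"] += 1
            rec["bytes"] += pkt["length"]


def suspect_acl(src: str, dst: str, dport: int) -> bool:
    """Permit only the flow flagged at step 300: 1.1.1.1 -> 2.2.2.2 port 80."""
    return src == "1.1.1.1" and dst == "2.2.2.2" and dport == 80


class TrackedObject:
    """Steps 306/308: EOT-like object; states absent/present/over/under."""
    def __init__(self, name: str, key: FlowKey, pps_high=1000, pps_low=500, window=1.0):
        self.name, self.key = name, key
        self.pps_high, self.pps_low, self.window = pps_high, pps_low, window
        self.state, self._last_t, self._last_pkts = "absent", None, 0

    def evaluate(self, rec: Optional[dict], now: float) -> Optional[str]:
        """Return the new state if it changed, else None."""
        new = None
        if rec is None:                             # the object outlives its flow record
            self._last_t, new = None, "absent"
        elif self._last_t is None:                  # first sighting: the object now exists
            self._last_t, self._last_pkts, new = now, rec["packets"], "present"
        elif now - self._last_t >= self.window:     # rate is judged once per window
            pps = (rec["packets"] - self._last_pkts) / (now - self._last_t)
            self._last_t, self._last_pkts = now, rec["packets"]
            if pps > self.pps_high:
                new = "over"
            elif pps < self.pps_low:
                new = "under"                       # in between: hold state (hysteresis)
        if new is None or new == self.state:
            return None
        self.state = new
        return new


class Router:
    def __init__(self):
        self.cache = FlowCache(suspect_acl)
        self.objects: Dict[str, TrackedObject] = {}
        self.drop_policies: set = set()             # step 310: keys whose packets are discarded
        self.transitions: List[str] = []

    def handle(self, pkt: dict, now: float) -> str:
        """Update the cache, evaluate tracked objects, return the forwarding verdict."""
        self.cache.observe(pkt)
        for obj in self.objects.values():
            change = obj.evaluate(self.cache.records.get(obj.key), now)
            if change == "over":
                self.drop_policies.add(obj.key)     # install the discard policy
            elif change == "under":
                self.drop_policies.discard(obj.key) # remove it again
            if change:
                self.transitions.append(change)
        return "drop" if tuple(pkt[k] for k in FLOW_KEYS) in self.drop_policies else "forward"

    def export_object(self, name: str) -> str:
        """Step 312: definition, thresholds and action as sent to peer routers."""
        o = self.objects[name]
        return json.dumps({"name": o.name, "key": list(o.key), "pps_high": o.pps_high,
                           "pps_low": o.pps_low, "window": o.window, "action": "drop"})

    def import_object(self, blob: str) -> None:
        d = json.loads(blob)
        self.objects[d["name"]] = TrackedObject(
            d["name"], tuple(d["key"]), d["pps_high"], d["pps_low"], d["window"])


def constructed_traffic():
    """Constructed trace: 1200 pps flood for 1 s, 300 pps for 2 s, then one unrelated packet."""
    def pkt(src, dst, dport):
        return {"src_addr": src, "dst_addr": dst, "dst_port": dport, "length": 60}
    t = [(i / 1200, pkt("1.1.1.1", "2.2.2.2", 80)) for i in range(1200)]
    t += [(1.0 + i / 300, pkt("1.1.1.1", "2.2.2.2", 80)) for i in range(600)]
    return t + [(3.0, pkt("3.3.3.3", "2.2.2.2", 443))]   # denied by the ACL


def demo():
    """Run the trace on the detecting router and on a peer that imported the object."""
    r1 = Router()
    r1.objects["suspect-http"] = TrackedObject("suspect-http", ("1.1.1.1", "2.2.2.2", 80))
    v1 = [r1.handle(p, t) for t, p in constructed_traffic()]
    r2 = Router()
    r2.import_object(r1.export_object("suspect-http"))
    v2 = [r2.handle(p, t) for t, p in constructed_traffic()]
    return v1, v2, r1.transitions
```

Two details are worth noting. The band between the two thresholds holds the previous state, so a flow hovering around 1000 packets per second does not install and remove the discard policy on every window; and the tracked object stays registered after its flow record disappears, which is what lets the rules of step 308 remain active against a repeated attempt. Because an imported object causes the receiving router to discard traffic, a deployment should authenticate the distribution channel of step 312 before acting on a received object.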
As a result a system is provided allowing dynamic adaptation to intrusion attempts, incorporating a co-operative mechanism between intrusion attempt detection and the subsequent routing decision. In particular, where malicious attempts are detected by determination of specific flow behaviour in an external application such as Arbor, Protego, or Cisco Security MARS, a trackable object is automatically created to allow appropriate policy-based actions to be taken, and the process to be exported to other routers by distribution of the object and its associated policies and actions.
The steps taken at a remote router receiving the distributed object can be understood in more detail with reference to
It will further be seen that the approach described herein can be implemented in a range of routing management implementations in addition to network security management implementations.
It will be seen that any flow record characteristics or parameters can be monitored, including packet header fields, for example destination IP address or destination port number; packet characteristics, for example label stack depth in Multi Protocol Label Switching (MPLS) packets; and parameters derived from packet processing or treatment, for example next-hop IP address, output interface and so forth. In addition, any appropriate routing management steps can be taken dependent on the status of the object tracked; for example, different routing changes can be propagated, such as IGP metric changes, Equal Cost Multi Path (ECMP) route insertion, policy based routing, BGP changes, static route insertion, and discarding of packets, for example by “black-holing” with static routes to Null0.
In all of these cases it will further be seen that a trackable object can be created which can be tracked within a given router and also distributed to other routers to propagate relevant treatment of flow behaviour across the network. Further, appropriate behaviour can be detected automatically to trigger creation and tracking of an object either by virtue of an external application or by virtue of appropriately implemented policies.
For example referring to
In an alternative arrangement, where agreements are in place between parties such as internet service providers (ISP) and customers or other peers, satisfaction of the agreement terms can be implemented using the approaches described herein.
Yet a further implementation is shown in
It will be seen that in all of these alternative implementations, the object can then be distributed as appropriate. In addition initial identification and creation of objects can be implemented automatically as appropriate.
It will further be seen that the approach as described above can be implemented in any appropriate manner for example on any router platform or other network device and in relation to a network of any type and scale including large service providers and enterprise networks. It will be appreciated by the skilled reader that the steps described herein can be implemented in any appropriate manner, for example by incorporating appropriate code or instructions into existing flow monitoring applications and object tracking applications such that detailed description is not required herein.
4.0 Implementation Mechanisms—Hardware Overview
Computer system 140 includes a bus 142 or other communication mechanism for communicating information, and a processor 144 coupled with bus 142 for processing information. Computer system 140 also includes a main memory 146, such as a random access memory (RAM), flash memory, or other dynamic storage device, coupled to bus 142 for storing information and instructions to be executed by processor 144. Main memory 146 may also be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 144. Computer system 140 further includes a read only memory (ROM) 148 or other static storage device coupled to bus 142 for storing static information and instructions for processor 144. A storage device 150, such as a magnetic disk, flash memory or optical disk, is provided and coupled to bus 142 for storing information and instructions.
A communication interface 158 may be coupled to bus 142 for communicating information and command selections to processor 144. Interface 158 is a conventional serial interface such as an RS-232 or RS-422 interface. An external terminal 152 or other computer system connects to the computer system 140 and provides commands to it using the interface 158. Firmware or software running in the computer system 140 provides a terminal interface or character-based command interface so that external commands can be given to the computer system.
A switching system 156 is coupled to bus 142 and has an input interface and a respective output interface (commonly designated 159) to external network elements. The external network elements may include a plurality of additional routers 160 or a local network coupled to one or more hosts or routers, or a global network such as the Internet having one or more servers. The switching system 156 switches information traffic arriving on the input interface to output interface 159 according to pre-determined protocols and conventions that are well known. For example, switching system 156, in cooperation with processor 144, can determine a destination of a packet of data arriving on the input interface and send it to the correct destination using the output interface. The destinations may include a host, server, other end stations, or other routing and switching devices in a local network or Internet.
Computer system 140, acting as a router or other network component, implements the method described above. The implementation is provided by computer system 140 in response to processor 144 executing one or more sequences of one or more instructions contained in main memory 146. Such instructions may be read into main memory 146 from another computer-readable medium, such as storage device 150. Execution of the sequences of instructions contained in main memory 146 causes processor 144 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 146. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the method. Thus, embodiments are not limited to any specific combination of hardware circuitry and software.
The term “computer-readable medium” as used herein refers to any medium that participates in providing instructions to processor 144 for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 150. Volatile media includes dynamic memory, such as main memory 146. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 142. Transmission media can also take the form of wireless links such as acoustic or electromagnetic waves, such as those generated during radio wave and infrared data communications.
Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read.
Various forms of computer readable media may be involved in carrying one or more sequences of one or more instructions to processor 144 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 140 can receive the data on the telephone line and use an infrared transmitter to convert the data to an infrared signal. An infrared detector coupled to bus 142 can receive the data carried in the infrared signal and place the data on bus 142. Bus 142 carries the data to main memory 146, from which processor 144 retrieves and executes the instructions. The instructions received by main memory 146 may optionally be stored on storage device 150 either before or after execution by processor 144.
Interface 159 also provides a two-way data communication coupling to a network link that is connected to a local network. For example, the interface 159 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, the interface 159 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, the interface 159 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
The network link typically provides data communication through one or more networks to other data devices. For example, the network link may provide a connection through a local network to a host computer or to data equipment operated by an Internet Service Provider (ISP). The ISP in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet”. The local network and the Internet both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on the network link and through the interface 159, which carry the digital data to and from computer system 140, are exemplary forms of carrier waves transporting the information.
Computer system 140 can send messages and receive data, including program code, through the network(s), network link and interface 159. In the Internet example, a server might transmit a requested code for an application program through the Internet, ISP, local network and communication interface 158. One such downloaded application provides for the method as described herein.
The received code may be executed by processor 144 as it is received, and/or stored in storage device 150, or other non-volatile storage for later execution. In this manner, computer system 140 may obtain application code in the form of a carrier wave.
5.0 Extensions and Alternatives
In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. Aspects, examples or embodiments described can be juxtaposed or interchanged as appropriate.
It will be seen that the method described herein can be implemented in relation to any routing management step, for example rerouting using BGP, IGP or a static route and so forth, and based on any forwarding paradigm. The approach can be implemented in relation to any application capable of creating and tracking appropriate objects and any flow monitoring application. Furthermore, any appropriate behaviour can be detected by defining parameters of network traffic and creating appropriate flow records.