US 6,674,743 B1

(12) United States Patent
(10) Patent No.: US 6,674,743 B1
Amara et al.
(45) Date of Patent: Jan. 6, 2004

(54) METHOD AND APPARATUS FOR PROVIDING POLICY-BASED SERVICES FOR INTERNAL APPLICATIONS

(75) Inventors: Satish Amara, Mount Prospect, IL (US); Michael Freed, Arlington Heights, IL (US)

(73) Assignee: 3Com Corporation, Santa Clara, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/475,855

(22) Filed: Dec. 30, 1999

(51) Int. Cl.7: H04L 12/28
(52) U.S. Cl.: 370/351; 370/389; 370/392; 370/229-235; 709/232
(58) Field of Search: 370/351, 389-392, 412-418, 428, 401, 402, 465, 466; 709/227, 228, 238, 240

(56) References Cited

U.S. PATENT DOCUMENTS

5,790,554 A   8/1998    Pitcher et al.
5,802,320 A   9/1998    Baehr et al.
5,835,726 A   11/1998   Shwed et al.
5,835,727 A   11/1998   Wong et al.
5,878,231 A   3/1999    Baehr et al.
5,884,025 A   3/1999    Baehr et al.
5,983,270 A   11/1999   Abraham et al.
6,104,700 A   8/2000    Haddock et al.
6,157,955 A   12/2000   Narad et al.

FOREIGN PATENT DOCUMENTS

WO 98/48987   1998
WO 99/11003   3/1999

OTHER PUBLICATIONS

Corbridge et al., "Packet Filtering in an IP Router," pp. 227-232, LISA V, Sep. 30-Oct. 3, 1991.*
Wakeman et al., "Implementing Real Time Packet Forwarding Policies using Streams," pp. 1-12, Nov. 14, 1994.*
"IPSec Network Security Commands," Cisco Systems documentation, pp. 1-45 (1998).
R. Rajan, S. Kamat, Internet Engineering Task Force (IETF), Internet Draft, "A Simple Framework and Architecture for Networking Policy," draft-rajan-policy-framework-00.txt, May 23, 1999, pp. i-xxiii.
H.-W. Braun, Network Working Group, Request for Comments: 1104, "Models of Policy Based Routing," Jun. 1989, pp. 1-10.
D. Estrin, Network Working Group, Request for Comments: 1125, "Policy Requirements for Inter Administrative Domain Routing," Nov. 1989.
D. Clark, Network Working Group, Request for Comments: 1102, "Policy Routing in Internet Protocols," May 1989.

* cited by examiner

Primary Examiner: Dang Ton
Assistant Examiner: Frank Duong
(74) Attorney, Agent, or Firm: McDonnell Boehnen Hulbert & Berghoff

(57) ABSTRACT
`
A packet-forwarding device for providing policy-based services has at least a first interface, a second interface, and a packet forwarder for forwarding external packets between the first and second interfaces. The packet-forwarding device also runs internal applications that may be remotely accessed. The first and second interfaces transmit and receive internal and external packets, the internal packets being those packets generated or received by the internal applications during remote access, and the external packets being those packets destined for devices other than the packet-forwarding device. The packet forwarder forwards external packets between the first and second interfaces. An internal interface forwards internal packets between the internal applications and the first and second interfaces, and a policy engine logically connected to the internal interface applies a policy to the internal packets.

48 Claims, 3 Drawing Sheets
`
[Drawing sheets 1-3, US 6,674,743 B1, Jan. 6, 2004: FIG. 1 (Sheet 1 of 3); FIG. 2 (Sheet 2 of 3), with blocks labelled INTERFACE, PACKET CLASSIFIER, INTERNAL INTERFACE, POLICY ENGINE, INTERNAL APPLICATIONS and PACKET FORWARDER; FIG. 3 (Sheet 3 of 3), with a POLICY ENGINE block.]
`

METHOD AND APPARATUS FOR PROVIDING POLICY-BASED SERVICES FOR INTERNAL APPLICATIONS

BACKGROUND OF THE INVENTION

A. Field of the Invention

This invention relates to the field of digital telecommunications. More particularly, this invention relates to a method and apparatus for applying policies in packet forwarding devices, such as routers and remote access servers.

B. Description of Related Art

Packet-switched networks, such as the Internet, typically include one or more packet forwarding devices, such as routers or remote access servers. Viewed at the simplest level, a router is a device having a plurality of interfaces, with each interface typically connected to a wide area network (WAN), a local area network (LAN), or a host. Internally, the router forwards packets from one interface to another based on the destination address contained in the header of each packet. A remote access server is similar to a router, except that, in addition to interfaces to WANs and/or LANs, a remote access server also includes one or more interfaces to the public switched telephone network (PSTN) to provide dial-in access to the network. Remote access servers also forward packets from one interface to another based on the destination addresses of the packets.

Increasingly, routers and remote access servers are also performing more sophisticated handling of packets than simply routing them on the basis of destination address. In particular, some packets may be selected for special treatment in order to provide "policy-based services." "Policy-based services" encompass any disposition of packets that involves more than simply routing them based on their destination addresses. For example, routers and remote access servers may perform packet filtering, in which certain packets are dropped, diverted, and/or logged. The router or remote access server may also perform network address translation (NAT), in which the source and/or destination addresses are changed. Certain packets may be encrypted or decrypted, such as provided for in the IPsec protocols. Finally, certain packets may be prioritized in the queue of the router or remote access server in order to provide a particular quality of service (QoS) level. Many other types of special handling of packets could also be performed.

To identify the packets that are to be subject to such special handling, the router or remote access server typically examines more than the destination address of the packet. In general, the packet-forwarding device examines one or more "selector fields" within each packet, such as the source address, destination address, source port, destination port, and protocol type. User name, more particularly the IP address allocated to a particular user, may also be used as a selector field in remote access servers. The packet-forwarding device then enforces a "policy" by applying a set of rules to packets whose selector fields meet predefined criteria. The rules specify how the packets are to be handled. As a result of this policy enforcement, packets may be dropped, logged, translated, encrypted, decrypted, or prioritized, if the selector fields within the packets match certain predefined criteria.

Typically, the "policy" is applied to all interfaces of the packet-forwarding device. For example, Abraham et al., U.S. Pat. No. 5,983,270 discloses a network server through which all traffic between a LAN and the Internet passes. A filter engine in the network server applies a policy, embodied in a set of rules, to all outbound packets transmitted from the LAN to the Internet and to all inbound packets from the Internet to the LAN.

Similarly, Haddock et al., PCT Publication No. WO 99/11003 discloses a packet-forwarding device having a comparison engine. The comparison engine examines the packets arriving at each input port to determine with which traffic group each packet is associated, the traffic groups defining different QoS levels.

A packet-forwarding device 10 that typifies the prior art approach of applying policies to packets is shown in FIG. 1. FIG. 1 is a functional block diagram in which arrows illustrate the flow of packets between functional blocks. Device 10 may be a router, a remote access server, or other such device that forwards packets. Device 10 includes interfaces 12, 14, and 16, that connect device 10 to nodes 18, 20, and 22, respectively. Nodes 18-22 may represent hosts connected via a LAN or WAN or via the PSTN. Nodes 18-22 may also represent other packet forwarding devices. Although device 10 is shown in FIG. 1 with three interfaces, device 10 may, in general, have a greater or fewer number of interfaces.

As indicated by the double-headed arrows, interfaces 12-16 are able to send packets to and to receive packets from nodes 18-22, respectively. Interfaces 12-16, in turn, are logically connected to a packet forwarder 24 via policy engines 26, 28, and 30. Internal applications 32 are also logically connected to packet forwarder 24. Internal applications 32 include the applications on device 10, such as applications for controlling and configuring device 10, that are accessible remotely, such as by SNMP or by Telnet. Packet forwarder 24 receives packets forwarded by interfaces 12-16, via policy engines 26-30, and by internal applications 32. Packet forwarder 24, in turn, is able to forward packets to interfaces 12-16, via policy engines 26-30, and to internal applications 32. Packet forwarder 24 performs a routing functionality. Specifically, packet forwarder 24 determines, for each packet it receives, whether to forward the packet to one or more of interfaces 12-16 and/or internal applications 32. Packet forwarder 24 makes this routing determination for each packet based on the packet's destination address. Typically, packet forwarder 24 has access to routing tables that specify where to send each destination address. Normally, packet forwarder 24 will forward a packet to internal applications 32 when the packet's destination address matches one of the packet-forwarding device's own IP addresses.

Policy engines 26-30 apply policies to all packets forwarded between interfaces 12-16 and packet forwarder 24. In this process, policy engines 26-30 trap each packet and examine various selector fields in each packet, such as source address, destination address, source port, destination port, and protocol type. Based on this information, policy engines 26-30 apply a set of rules that specify the manner in which the packets are to be handled. In general, policy engines 26-30 may be separately configured so as to apply different policies.

The problem with this approach is that there is a high overhead associated with applying policies to all incoming and outgoing packets. This high overhead may increase the latency of each packet and may degrade the throughput of the packet-forwarding device. Another disadvantage with the prior art approach is the time and effort required to develop and manage policies for each interface. Finally, the overhead and management difficulties serve to limit the complexity of the policies that a packet-forwarding device can apply.
`
`

`

SUMMARY OF THE INVENTION

In a first principal aspect, the present invention provides a method for providing policy-based services in a packet-forwarding device running an internal application and having a first interface and a second interface. The internal application generates internally-generated packets. A policy is applied to the internally-generated packets, and the internally-generated packets are forwarded to the first interface. External packets are received at the second interface, and these external packets are forwarded to the first interface without applying the policy to them.

In a second principal aspect, the present invention provides a method for providing policy-based services in a packet-forwarding device running an internal application and having a first interface and a second interface. Incoming packets, each of which has a source address, are received at the first interface. The incoming packets are classified as internally-destined packets if their source addresses are in a first set of addresses and as external packets if their source addresses are in a second set of addresses. A policy is applied to the internally-destined packets, and the internally-destined packets are forwarded to the internal application. However, the external packets are forwarded to the second interface without applying the policy to them.

In a third principal aspect, the present invention provides a packet-forwarding device comprising first and second interfaces for transmitting and receiving packets, an internal application running on the packet-forwarding device, an internal interface logically connected to the internal application, a packet forwarder logically connected to the first and second interfaces, and a policy engine logically connected to the internal interface and the internal application. The internal application generates internally-generated packets and uses internally-destined packets. The internal interface forwards the internally-generated packets to the first interface and forwards the internally-destined packets to the internal application. The packet forwarder forwards packets between the first and second interfaces. The policy engine applies a policy to internal packets, the internal packets being selected from the group consisting of internally-generated packets and internally-destined packets.

In a fourth principal aspect, the present invention provides an improvement to a packet-forwarding device. The packet-forwarding device has a first interface, a second interface, a packet forwarder forwarding packets between the first and second interfaces, and runs an internal application. The internal application generates internally-generated packets and uses internally-destined packets. The improvement comprises an internal interface logically connected to the internal application and a policy engine logically connected to the internal interface. The internal interface forwards internal packets, the internal packets being selected from the group consisting of internally-generated packets and internally-destined packets. The policy engine applies a policy to the internal packets.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional block diagram of a packet-forwarding device typifying the prior art approach of applying policies.

FIG. 2 is a functional block diagram of a packet-forwarding device in accordance with a first preferred embodiment of the present invention.

FIG. 3 is a functional block diagram of a packet-forwarding device in accordance with a second preferred embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 2 is a functional block diagram showing a packet-forwarding device 100 in accordance with a first preferred embodiment of the present invention. The arrows in FIG. 2 illustrate the flow of packets between functional blocks and, thus, the logical connections between functional blocks. As used herein, two elements of a device are "logically connected" if packets are able to flow in at least one direction from one element to the other, either directly or via one or more intermediate elements, provided that the flow of packets occurs within the device. Additionally, as used herein, a first element "forwards" packets to a second element when packets flow from the first element to the second element, either directly or via one or more intermediate elements.

Device 100 may be a router, a remote access server, or other such device that forwards packets. Device 100 includes interfaces 102-106 that are able to transmit packets to and to receive packets from nodes 108-112, respectively. Nodes 108-112 may represent either hosts or packet-forwarding devices, such as routers, that are connected to device 100 via digital networks or via the PSTN. Note that although device 100 is shown in FIG. 2 with three interfaces 102-106, device 100 may have a greater or fewer number.

If device 100 is a router, at least one of nodes 108-112 will typically be a router or other device connected via a WAN, and another one of nodes 108-112 will typically be a host or other device connected via a LAN. If device 100 is a remote access server, at least one of interfaces 102-106 will include a modem, with the corresponding node being a user connected via the PSTN using a protocol such as PPP, and at least one other of interfaces 102-106 will be connected to a host or other device via a LAN or WAN.

Running on device 100 are internal applications 114, which typically serve to control or configure device 100. Internal applications 114 communicate with other devices remote to device 100, through the use of protocols such as PPTP, L2TP, SNMP or Telnet. As part of such remote access, internal applications 114 generate internally-generated packets and use internally-destined packets. These internally-generated packets and internally-destined packets together constitute the "internal" packets. These internal packets are transmitted and received by one or more of interfaces 102-106.

In addition to such "internal" packets, interfaces 102-106 also transmit and receive "external" packets. The "external" packets are packets that are not associated with internal applications 114 but are, instead, destined for devices other than device 100. For example, if device 100 is a remote access server, node 108 may represent a remote user connected via the PSTN and node 110 may represent a server on a LAN or a WAN being accessed by the remote user. In that case, the packets associated with the remote user that are transmitted and received by interfaces 102 and 104 would all be external packets.

Packet classifiers 116-120, which are logically connected to interfaces 102-106, respectively, classify the packets received at interfaces 102-106 as either internally-destined or external packets, based on the destination address of the packets. In particular, the internally-destined packets will have a destination address that is one of the addresses assigned to device 100 itself. The external packets will have destination addresses that correspond to devices other than device 100. Packet classifiers 116-120 forward the internally-destined packets to an internal interface 122 and the external packets to a packet forwarder 124.

Internal interface 122 serves as an interface for internal applications 114. Internal interface 122 is preferably a
`
`

`

pseudo interface implemented by software, rather than a physical interface. Internal interface 122 is logically connected to internal applications 114, via a policy engine 126, to packet forwarder 124, and to packet classifiers 116-120. Internal interface 122 forwards the internally-destined packets from packet classifiers 116-120 to internal applications 114 and forwards the internally-generated packets from internal applications 114 to packet forwarder 124.

Policy engine 126 applies a policy to the internal packets. Specifically, policy engine 126 examines one or more selector fields present in the internal packets. Typical selector fields include the source address, destination address, source port, destination port, and protocol type. Policy engine 126 also applies a set of rules specifying the manner in which a given packet should be handled if the selector fields of the given packet match certain predefined criteria. Such handling can include without limitation dropping the packet, logging the packet, encrypting or decrypting the packet, performing network address translation and/or port address translation on the packet, and prioritizing the packet for QoS. Policy engine 126 may apply a policy to internally-generated packets that differs from the policy applied to the internally-destined packets. However, policy engine 126 typically applies the same policy to internally-destined and internally-generated packets.

Packet forwarder 124 forwards the external packets from packet classifiers 116-120 and the internally-generated packets from internal interface 122 to one or more of interfaces 102-106. More particularly, packet forwarder 124 provides a routing functionality by determining to which of interfaces 102-106 to forward each packet, based on each packet's destination address. Packet forwarder 124 typically has access to routing tables to perform this routing.

Notably, device 100 applies policies to the internal packets, by means of policy engine 126, but does not apply policies to the external packets. This approach offers several advantages. Typically, most of the packets transmitted and received by device 100 will be external packets. In fact, internal packets comprise less than 5% of the traffic in most remote access servers. However, security and other policy-related concerns are most significant for the internal packets, because these packets, being associated with internal applications 114, can affect the configuration and management of device 100. Thus, by applying a policy only to internal packets, the packets for which policies are typically most important, the overhead and latency that would be associated with examining all packets is greatly reduced. Additionally, the task of policy management is simplified because policies are applied at only a single interface, internal interface 122, rather than at each of interfaces 102-106.
`
`
It is also possible to extend this approach to allow policies to be applied to the external packets as well as to the internal packets. A device 200 utilizing this approach is shown in FIG. 3. Device 200 includes interfaces 202-206 that transmit packets to and receive packets from nodes 208-212, respectively. Packet classifiers 214-218 classify the packets received by interfaces 202-206, respectively, as either internally-destined packets or external packets, based on the packets' destination addresses. Packet classifiers 214-218 forward the internally-destined packets to an internal interface 220, and packet classifiers 214-218 forward the external packets to a packet forwarder 222 via policy engines 224-228, respectively.

Internal interface 220 is logically connected to packet classifiers 214-218, to packet forwarder 222, and to internal applications 230 via a policy engine 232. Internal interface 220 forwards the internally-destined packets from packet classifiers 214-218 to internal applications 230 and forwards the internally-generated packets from internal applications 230 to packet forwarder 222.

Packet forwarder 222 performs a routing functionality, forwarding the external packets from packet classifiers 214-218 and the internally-generated packets from internal interface 220 to one or more of interfaces 202-206, via policy engines 224-228, based on the destination addresses of the packets.

Policy engine 232 applies a policy to the internal packets, i.e., the internally-generated packets generated by internal applications 230 and the internally-destined packets used by internal applications 230. Policy engines 224-228 apply policies to the external packets forwarded by packet classifiers 214-218, respectively. Policy engines 224-228 typically also apply policies to the external packets forwarded by packet forwarder 222.

In this way, device 200 applies policies to the internal packets and to the external packets. In general, the policies applied to the internal and external packets may differ. The approach used in device 200 may not realize the efficiency advantage afforded by the approach used in device 100. However, by applying policies to internal packets using policy engine 232, regardless of which of interfaces 202-206 may transmit or receive the packet, the task of policy management is greatly simplified.
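The device 100 and device 200 architectures described above, as an added Python simulation that is not part of the patent: a classifier splits traffic by destination address, a single policy engine applies selector-field rules only to internal packets, and the forwarder routes external packets untouched (device 100); supplying per-interface external engines models device 200. Addresses, ports, the rule set and the traffic are constructed sample values, and the per-interface engines 224-228 are simplified to one engine on the egress interface.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    """Selector criteria (None = wildcard) plus an action: permit, drop or log."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        fields = ((self.src, p.src), (self.dst, p.dst),
                  (self.dport, p.dport), (self.proto, p.proto))
        return all(want is None or want == have for want, have in fields)

class PolicyEngine:
    """Ordered rule set: the first matching rule decides, else the default."""
    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules, self.default = rules, default
        self.examined = 0  # packets this engine had to inspect (the overhead)
        self.log: List[str] = []

    def permit(self, p: Packet) -> bool:
        self.examined += 1
        for r in self.rules:
            if r.matches(p):
                if r.action == "log":  # logging keeps the packet flowing
                    self.log.append(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return r.action in ("permit", "log")
        return self.default == "permit"

class ForwardingDevice:
    """own_addrs: addresses assigned to the device; routes: destination -> egress
    interface; external: egress interface -> PolicyEngine (device 200 only)."""
    def __init__(self, own_addrs, routes: Dict[str, str], internal: PolicyEngine,
                 external: Optional[Dict[str, PolicyEngine]] = None):
        self.own_addrs = set(own_addrs)
        self.routes = routes
        self.internal = internal  # policy engine 126 (device 100) / 232 (device 200)
        self.external = external or {}  # simplified stand-in for engines 224-228
        self.to_apps: List[Packet] = []           # delivered to internal applications
        self.sent: List[Tuple[str, Packet]] = []  # (egress interface, packet)

    def classify(self, p: Packet) -> str:
        # Packet classifiers 116-120: a destination address assigned to the device
        # itself means internally-destined; anything else is external.
        return "internal" if p.dst in self.own_addrs else "external"

    def receive(self, p: Packet) -> None:
        if self.classify(p) == "internal":
            # internal interface 122 -> policy engine -> internal applications
            if self.internal.permit(p):
                self.to_apps.append(p)
        else:
            self.forward(p)  # external packets never touch the internal policy

    def send_from_app(self, p: Packet) -> None:
        if self.internal.permit(p):  # internally-generated: policy, then forwarder
            self.forward(p)

    def forward(self, p: Packet) -> None:
        """Packet forwarder 124/222: routes by destination address only."""
        egress = self.routes.get(p.dst)
        if egress is None:
            return  # no route: discarded in this model
        engine = self.external.get(egress)  # only present for device 200
        if engine is None or engine.permit(p):
            self.sent.append((egress, p))

def run_demo(with_external_policy: bool = False) -> Dict[str, int]:
    """Drives one device over constructed traffic and returns counters."""
    mgmt_rules = [Rule("permit", src="10.0.0.50", dport=23, proto="tcp"),  # Telnet
                  Rule("log", src="10.0.0.50", dport=161, proto="udp"),    # SNMP
                  Rule("permit", src="10.0.0.1")]                          # own replies
    external = None
    if with_external_policy:  # device 200: one engine on egress interface if104
        external = {"if104": PolicyEngine([Rule("drop", dport=445, proto="tcp")],
                                          default="permit")}
    dev = ForwardingDevice(own_addrs=["10.0.0.1"],
                           routes={"192.168.1.5": "if104", "10.0.0.50": "if102"},
                           internal=PolicyEngine(mgmt_rules, default="drop"),
                           external=external)
    # Constructed traffic: two external flows, three packets aimed at the device
    # itself (one from an unknown source), and one reply from an internal app.
    dev.receive(Packet("203.0.113.7", "192.168.1.5", 40000, 80, "tcp"))   # external
    dev.receive(Packet("203.0.113.7", "192.168.1.5", 40001, 445, "tcp"))  # external
    dev.receive(Packet("10.0.0.50", "10.0.0.1", 50000, 23, "tcp"))        # permitted
    dev.receive(Packet("203.0.113.7", "10.0.0.1", 50001, 23, "tcp"))      # dropped
    dev.receive(Packet("10.0.0.50", "10.0.0.1", 50002, 161, "udp"))       # logged
    dev.send_from_app(Packet("10.0.0.1", "10.0.0.50", 161, 50002, "udp"))  # reply
    return {"internal_examined": dev.internal.examined, "logged": len(dev.internal.log),
            "delivered_to_apps": len(dev.to_apps), "transmitted": len(dev.sent)}
```

With device 100 settings the internal engine inspects only the four internal packets while both external flows are forwarded; enabling the external engine reproduces device 200, where the port-445 flow is also dropped at the cost of inspecting external traffic too.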
Although various embodiments of this invention have been shown and described, it should be understood that various modifications and substitutions, as well as rearrangements and combinations of the preceding embodiments, can be made by those skilled in the art, without departing from the novel spirit and scope of this invention. Accordingly, the true spirit and scope of the invention is defined by the appended claims, to be interpreted in light of the foregoing specification.

We claim:
`
1. In a packet-forwarding device running an internal application and having a first interface and a second interface, a method for providing policy-based services, said method comprising the steps of:
`said internal application generating internally-generated
`packets;
`applying a first policy to said internally-generated pack-
`ets;
`forwarding said internally-generated packets to said first
`interface;
`receiving second incoming packets at said second
`interface, said second incoming packets having desti-
`nation addresses;
`classifying said second incoming packets as internally-
`destined packets if said destination addresses of said
`second incoming packets are in a first set of one or
`more addresses and classifying said second incoming
`packets as second external packets if said destination
`addresses of said second incoming packets are in a
`second set of one or more addresses; and
`forwarding said second external packets to said first
`interface without applying said first policy to said
`second external packets.
`2. The method of claim 1, wherein said step of applying
`a first policy to said internally-generated packets includes
`the steps of:
`examining at least one selector field in each one of said
`internally-generated packets; and
`handling said internally-generated packets in a predeter-
`mined manner if said selector fields of said internally-
`generated packets meet predetermined criteria.
3. The method of claim 2, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
`4. The method of claim 2, wherein said step of handling
`said internally-generated packets in a predetermined manner
`includes the step of dropping said internally-generated pack-
`ets.
`
`5. The method of claim 2, wherein said step of handling
said internally-generated packets in a predetermined manner
`includes the step of translating the source addresses and
`destination addresses of said internally-generated packets.
`6. The method of claim 2, wherein said step of handling
said internally-generated packets in a predetermined manner
`includes the step of encrypting said internally-generated
`packets.
`7. The method of claim 2, wherein said step of handling
`said internally-generated packets in a predetermined manner
`includes the step of prioritizing said internally—generated
`packets.
8. The method of claim 1, further comprising the step of:
`applying a second policy to said second external packets,
`said second policy differing from said first policy.
`9. The method of claim 1, further comprising the steps of:
`applying a third policy to said internally-destined packets;
`and
`
`forwarding said internally-destined packets to said inter-
`nal application.
`10. The method of claim 9, wherein said step of applying
`a third policy to said internally-destined packets includes the
`steps of:
`examining at least one selector field in each one of said
`internally—destined packets; and
`handling said internally-destined packets in a predeter-
`mined manner if said selector fields of said internally~
`destined packets meet predetermined criteria.
`11. The method of claim 10, wherein said at least one
`selector field is selected from the group consisting of source
`address, destination address, source port, destination port,
`and protocol type.
12. The method of claim 10, wherein said step of handling
`said internally~destined packets in a predetermined manner
`includes the step of dropping said internally-destined pack-
`ets.
`
13. The method of claim 10, wherein said step of handling
`said internally-destined packets in a predetermined manner
`includes the step of translating the source addresses and
`destination addresses of said internally-destined packets.
14. The method of claim 10, wherein said step of handling
said internally-destined packets in a predetermined manner
`includes the step of decrypting said internally-destined pack-
`ets.
`
15. The method of claim 10, wherein said step of handling
said internally-destined packets in a predetermined manner
`includes the step of prioritizing said internally-destined
`packets.
`16. The method of claim 8, further comprising the steps
`
`of:
`
`receiving first incoming packets at said first interface, said
`first incoming packets having destination addresses;
classifying said first incoming packets as internally-
destined packets if said destination addresses of said
first incoming packets are in said first set of one or more
`addresses and classifying said first incoming packets as
`first external packets if said destination addresses of
`said first incoming packets are in said second set of one
`or more addresses; and
applying a fourth policy to said first external packets, said
`fourth policy differing from said first policy.
17. The method of claim 1, wherein said second set of one
`or more addresses includes at least one address assigned to
`said packet-forwarding device.
`
18. In a packet-forwarding device running an internal application and having a first interface and a second interface, a method for providing policy-based services, said method comprising the steps of:
`receiving incoming packets at said first interface, each one
`of said incoming packets having an address;
`classifying said incoming packets as internally—destined
`packets if said addresses of said incoming packets are
`in a first set of addresses and classifying said incoming
`packets as first external packets if said addresses of said
`incoming packets are in a second set of addresses;
`applying a first policy to said internally-destined packets;
`forwarding said internally-destined packets to said inter-
`nal application;
`forwarding said first external packets to said second
`interface without applying said first policy to said first
`external packets.
`19. The method ofclaim 18, wherein said step ofapplying
`a first policy to said internally-destined packets includes the
`steps of:
`examining at least one selector field in each one of said
`internally-destined packets; and
`handling said internally—destined packets in a predeterw
`mined manner if said selector fields of said internally—
`destined packets meet predetermined criteria.
`20. The method of claim 19, wherein said step of handling
`said internally-destined packets in a predetermined manner
`includes the step of dropping said internally-destined pack-
`ets.
`21. The method ofclaim 19, wherein said step of handling
`said internallydestined packets in a predetermined manner
`includes the step of translating the source addresses and
`destination addresses of said intemally-destined packets.
`22. The method of claim 19, wherein said step of handling
`said internallydestincd packets in a predetermined manner
`includes the step of encrypting said internally-desti rted pack-
`ets.
`
`23. The method of claim 19, wherein said step of handling
`said internally-destined packets in a predetermined manner
`includes the step of prioritizing said internally-destined
`packets.
`24. The method of claim 18, further comprising the step
`of:
`
`applying a second policy to said first external packets,
`said second policy differing from said first policy.
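The method of claims 18 through 24, modelled in Python as an added example; this is not code from the patent or from 3Com. The two address sets, the selector fields (protocol and destination port), the sample rules and addresses are all constructed for illustration, and the "encrypt" action is a placeholder XOR that only marks where the transform would happen, not a cipher. A packet whose destination falls in neither address set is dropped here; the claims do not say what happens to such a packet, so that fail-closed default is an assumption.

```python
"""Packet-forwarding device with an internal application: classify packets arriving on
the first interface by destination address, apply the first policy only to the
internally-destined ones, forward the rest to the second interface untouched."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Selector fields a rule may examine (constructed model, not a wire format)."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""
    priority: int = 0


@dataclass
class Rule:
    """Selectors that must all match, then one action (claims 19-23)."""
    match: dict                        # e.g. {"proto": "tcp", "dport": 23}
    action: str                        # "drop", "translate", "encrypt", "prioritize"
    params: dict = field(default_factory=dict)


class Policy:
    """First-match rule list; returns the handled packet, or None when dropped."""

    def __init__(self, rules):
        self.rules = rules

    def apply(self, pkt):
        for rule in self.rules:
            if all(getattr(pkt, k) == v for k, v in rule.match.items()):
                return self._handle(pkt, rule)
        return pkt                     # no rule matched: pass unchanged

    @staticmethod
    def _handle(pkt, rule):
        if rule.action == "drop":                       # claim 20
            return None
        if rule.action == "translate":                  # claim 21: rewrite src/dst addresses
            pkt.src = rule.params.get("src", pkt.src)
            pkt.dst = rule.params.get("dst", pkt.dst)
        elif rule.action == "encrypt":                  # claim 22; placeholder XOR, not a cipher
            pkt.payload = bytes(b ^ rule.params["key"] for b in pkt.payload)
        elif rule.action == "prioritize":               # claim 23
            pkt.priority = rule.params["priority"]
        return pkt


class ForwardingDevice:
    """Two interfaces plus an internal application, per claim 18."""

    def __init__(self, internal_addrs, external_addrs, first_policy, second_policy=None):
        self.internal = [ipaddress.ip_network(a) for a in internal_addrs]   # first set
        self.external = [ipaddress.ip_network(a) for a in external_addrs]   # second set
        self.first_policy = first_policy        # internally-destined packets only
        self.second_policy = second_policy      # optional differing policy (claim 24)
        self.application_queue = []             # delivered to the internal application
        self.second_interface = []              # forwarded out the second interface
        self.dropped = []

    def classify(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        if any(dst in n for n in self.internal):
            return "internal"
        if any(dst in n for n in self.external):
            return "external"
        return "unclassified"

    def receive(self, pkt):
        """Receive on the first interface; return where the packet ended up."""
        kind = self.classify(pkt)
        if kind == "internal":
            out = self.first_policy.apply(pkt)
            if out is None:
                self.dropped.append(pkt)
                return "dropped"
            self.application_queue.append(out)
            return "application"
        if kind == "external":
            # The first policy is deliberately not consulted here (claim 18).
            out = self.second_policy.apply(pkt) if self.second_policy else pkt
            if out is None:
                self.dropped.append(pkt)
                return "dropped"
            self.second_interface.append(out)
            return "second_interface"
        self.dropped.append(pkt)       # assumption beyond the claims: fail closed
        return "dropped"


def build_device():
    """Constructed sample: management app at 10.0.0.1, forwarded hosts in 172.16.0.0/16."""
    first_policy = Policy([
        Rule({"proto": "tcp", "dport": 23}, "drop"),                          # no telnet to the device
        Rule({"proto": "udp", "dport": 161}, "prioritize", {"priority": 7}),   # SNMP first
        Rule({"proto": "udp", "dport": 500}, "encrypt", {"key": 0x5A}),
        Rule({"proto": "tcp", "dport": 80}, "translate", {"dst": "127.0.0.1"}),
    ])
    return ForwardingDevice(["10.0.0.1/32"], ["172.16.0.0/16"], first_policy)


if __name__ == "__main__":
    dev = build_device()
    for p in (Packet("192.168.1.5", "10.0.0.1", "tcp", 23),
              Packet("192.168.1.5", "172.16.5.9", "tcp", 23),
              Packet("192.168.1.5", "10.0.0.1", "udp", 161)):
        print(p.dst, p.dport, "->", dev.receive(p))
```

The point worth noticing in the run: the two telnet packets carry the same selector values but diverge on destination address alone. The one addressed to the device itself is dropped by the first policy; the one addressed to a host behind the device is forwarded out the second interface without that policy ever being consulted, exactly as claim 18 specifies. An operator who also wants transit telnet filtered has to express that in the separate second policy of claim 24, not assume the device's own protection extends to forwarded traffic.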
25. The method of claim 18, further comprising the steps of:
said internal application generating internally-generated packets;
applying a third policy to said internally-generated packets;
forwarding said internally-generated packets to said first interface;
receiving second external packets at said second interface; and
forwarding said second external packets
