`Attorney Docket No. 17814-10.00
`
`METHOD FOR AUTOMATICALLY CLASSIFYING TRAFFIC IN A
`POLICY BASED BANDWIDTH ALLOCATION SYSTEM
`
`BACKGROUND OF THE INVENTION
`
This invention relates to digital packet telecommunications, and particularly to
management of network bandwidth based on information ascertainable from multiple
layers of the OSI network model. It is particularly useful in conjunction with bandwidth
allocation mechanisms employing traffic classification in a digitally-switched packet
telecommunications environment normally not subject to data flow rate control, as
well as in monitoring, security and routing.
`
`The ubiquitous TCP/IP protocol suite, which implements the world-wide data
`communication network environment called the Internet and is also used in private
`networks (Intranets), intentionally omits explicit supervisory function over the rate of
`data transport over the various media which comprise the network. While there are
`certain perceived advantages, this characteristic has the consequence of juxtaposing
`very high-speed packet flows and very low-speed packet flows in potential conflict for
`network resources, which results in inefficiencies. Certain pathological loading
`conditions can result in instability, overloading and data transfer stoppage. Therefore,
`it is desirable to provide some mechanism to optimize efficiency of data transfer while
`minimizing the risk of data loss. Early indication of the rate of data flow which can or
`must be supported is imperative. In fact, data flow rate capacity information is a key
`factor for use in resource allocation decisions. For example, if a particular path is
`inadequate to accommodate a high rate of data flow, an alternative route can be
`sought out.
`
`NOAC EX1032 Page 1
`
`
`
`Internet/Intranet technology is based largely on the TCP/IP protocol suite, where IP,
`or Internet Protocol, is the network layer protocol and TCP, or Transmission Control
`Protocol, is the transport layer protocol. At the network level, IP provides a
`“"datagram”"delivery service. By contrast, TCP builds a transport level service over
`the datagram service to provide guaranteed, sequential delivery of a byte stream
`between two IP hosts.
`
`TCP flow control mechanisms operate exclusively at the end stations to limit the rate
`at which TCP endpoints emit data. However, TCP lacks explicit data rate control. The
`basic flow control mechanism is a sliding window, superimposed on a range of bytes
`beyond the last explicitly-acknowledged byte. Its sliding operation limits the amount
`of unacknowledged transmissible data that a TCP endpoint can emit.
`
Another flow control mechanism is a congestion window, a refinement of the
sliding window scheme which employs conservative expansion to fully utilize all of
the allowable window. A component of this mechanism is sometimes referred to as
“slow start”.
`
`The sliding window flow control mechanism works in conjunction with the
`Retransmit Timeout Mechanism (RTO), which is a timeout to prompt a retransmission
`of unacknowledged data. The timeout length is based on a running average of the
`Round Trip Time (RTT) for acknowledgment receipt, i.e. if an acknowledgment is not
`received within (typically) the smoothed RTT+4*mean deviation, then packet loss is
`inferred and the data pending acknowledgment is retransmitted.
`
`Data rate flow control mechanisms which are operative end-to-end without explicit
data rate control draw a strong inference of congestion from packet loss (inferred,
typically, by RTO). TCP end systems, for example, will “back-off”, i.e., inhibit
`transmission in increasing multiples of the base RTT average as a reaction to
`consecutive packet loss.
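As an added worked example (not code from the application), the timeout estimate described above can be carried through in code. The page gives only “smoothed RTT + 4 * mean deviation”; the smoothing gains of 1/8 and 1/4, the first-sample initialisation and the 60 s cap on the backed-off timeout are assumptions taken from the common Jacobson/Karels form of the estimator (RFC 6298), and the RTT samples are constructed.

```python
"""RTO estimation (smoothed RTT + 4 * mean deviation) and exponential back-off.

Added example, not code from the patent application.  Smoothing gains,
first-sample initialisation and the 60 s cap are assumptions (RFC 6298 style).
"""
from typing import List, Optional


class RtoEstimator:
    """Running estimate of the retransmit timeout from measured RTT samples."""

    def __init__(self, alpha: float = 1.0 / 8, beta: float = 1.0 / 4, k: float = 4.0):
        self.alpha = alpha        # gain for the smoothed RTT (assumed)
        self.beta = beta          # gain for the mean deviation (assumed)
        self.k = k                # the "4 * mean deviation" term from the text
        self.srtt: Optional[float] = None
        self.rttvar: float = 0.0

    def sample(self, rtt: float) -> float:
        """Feed one measured RTT in seconds and return the new RTO."""
        if rtt <= 0:
            raise ValueError("RTT samples must be positive")
        if self.srtt is None:
            # First measurement: no history, so the deviation starts at half
            # the sample (assumed initialisation, as in RFC 6298).
            self.srtt = rtt
            self.rttvar = rtt / 2
        else:
            # Update the mean deviation first, against the previous SRTT.
            self.rttvar = (1 - self.beta) * self.rttvar + self.beta * abs(self.srtt - rtt)
            self.srtt = (1 - self.alpha) * self.srtt + self.alpha * rtt
        return self.rto()

    def rto(self) -> float:
        if self.srtt is None:
            raise RuntimeError("no RTT sample yet")
        return self.srtt + self.k * self.rttvar


def backed_off_rto(base_rto: float, consecutive_losses: int, max_rto: float = 60.0) -> float:
    """Timeout after n consecutive losses: doubled each time, capped at max_rto.

    The text says only 'increasing multiples'; doubling and the 60 s cap are assumptions.
    """
    if consecutive_losses < 0:
        raise ValueError("loss count cannot be negative")
    return min(base_rto * (2 ** consecutive_losses), max_rto)


def simulate(samples: List[float]) -> List[float]:
    """Run the estimator over a list of RTT samples and return the RTO after each."""
    est = RtoEstimator()
    return [est.sample(r) for r in samples]


if __name__ == "__main__":
    # Constructed samples: a steady 100 ms path, then a single 400 ms spike.
    for i, rto in enumerate(simulate([0.1, 0.1, 0.1, 0.4])):
        print(f"sample {i}: RTO = {rto:.4f} s")
    print("RTO after 3 consecutive losses:", backed_off_rto(0.2, 3))
```

On a steady path the deviation term decays and the RTO tightens toward the smoothed RTT; a single late sample widens it again, and each consecutive loss doubles the wait before the next retransmission, which is the back-off the text describes.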
`
`Bandwidth Management in TCP/IP Networks
`
`Conventional bandwidth management in TCP/IP networks is accomplished by a
`combination of TCP end systems and routers which queue packets and discard packets
`when certain congestion thresholds are exceeded. The discarded, and therefore
`unacknowledged, packet serves as a feedback mechanism to the TCP transmitter.
`(TCP end systems are clients or servers running the TCP transport protocol, typically
as part of their operating system.)

The term “bandwidth management” is often used to refer to link level
bandwidth management, e.g. multiple line support for Point to Point Protocol (PPP).
`Link level bandwidth management is essentially the process of keeping track of all
`traffic and deciding whether an additional dial line or ISDN channel should be opened
`or an extraneous one closed. The field of this invention is concerned with network
`level bandwidth management, i.e. policies to assign available bandwidth from a single
`logical link to network flows.
`
In a copending U.S. patent application Ser. No. 08/742,994, now U.S. Pat. No.
6,038,216, in the name of Robert L. Packer, entitled “Method for Explicit Data Rate
Control in a Packet Communication Environment Without Data Rate Supervision,” a
technique for automatically scheduling TCP packets for transmission is disclosed.
Furthermore, in U.S. Pat. No. 5,802,106, in the name of Robert L. Packer, entitled
“Method for Rapid Data Rate Detection in a Packet Communication Environment
Without Data Rate Supervision,” a technique for automatically determining the data
rate of a TCP connection is disclosed. Finally, in a copending U.S. patent application
Ser. No. 08/977,376, now abandoned, in the name of Robert L. Packer, entitled
“Method for Managing Flow Bandwidth Utilization at Network, Transport and
Application Layers in Store and Forward Network,” a technique for automatically
allocating bandwidth based upon data rates of TCP connections according to a
hierarchical classification paradigm is disclosed.
`
Automated tools assist the network manager in configuring and managing the network
equipped with the rate control techniques described in these copending applications.
In a related copending application, a tool is described which enables a network
manager to automatically produce policies for traffic being automatically detected in a
network. It is described in copending U.S. patent application Ser. No. 09/198,051,
still pending, in the name of Guy Riddle, entitled “Method for Automatically
Determining a Traffic Policy in a Packet Communications Network,” based on U.S.
Provisional Patent Application Ser. No. 60/066,864. The subject of the present
invention is also a tool designed to assist the network manager.
`
While these efforts teach methods for solving problems associated with scheduling
transmissions, automatically determining data flow rate on a TCP connection,
allocating bandwidth based upon a classification of network traffic and automatically
determining a policy, respectively, there is no teaching in the prior art of methods for
automatically classifying packet traffic based upon information gathered from
multiple layers in a multi-layer protocol network.
`
Bandwidth has become the expensive commodity of the '90s; as traffic expands faster
than resources, the need to “prioritize” a scarce resource becomes ever more
critical. One way to solve this is by applying “policies” to control traffic classified
as to the type of service required, in order to match resources with traffic more efficiently.
`
`Traffic may be classified by type, e.g. E-mail, web surfing, file transfer, at various
`levels. For example, to classify by network paradigm, examining messages for an
`IEEE source/destination service access point (SAP) or a sub-layer access protocol
`(SNAP) yields a very broad indicator, i.e., SNA or IP. More specific types exist, such
`as whether an IP protocol field in an IP header indicates TCP or UDP. Well known
`connection ports provide indications at the application layer, i.e., SMTP or HTTP.
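The three levels of indicator just listed (a broad layer-2 indicator, the IP protocol field, and the well-known port) can be extracted from a raw frame as shown in this added example, which is not code from the application. It parses a constructed Ethernet II / IPv4 / TCP-or-UDP frame with the Python standard library; the port-to-application table, the address values and the treatment of non-IP EtherTypes are assumptions for illustration (the page's SAP/SNAP indicator for IEEE 802.2 framing is not decoded here).

```python
"""Classify a raw frame from indicators at several protocol layers.

Added example, not code from the patent application.  Frames are built
inline (constructed) so the example runs offline; the port table is a
small illustrative subset.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Well-known server ports to application names (illustrative subset).
WELL_KNOWN_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


@dataclass
class Classification:
    network: str                  # broad indicator, e.g. "IP" or "ARP"
    transport: Optional[str]      # "TCP", "UDP", "proto N", or None
    application: Optional[str]    # from the well-known port, if any
    src: Optional[str] = None
    dst: Optional[str] = None


def classify_frame(frame: bytes) -> Classification:
    """Walk the layers, stopping at the deepest one that can be decoded.

    Every length is checked before slicing, so a truncated frame yields a
    coarser classification instead of an exception.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_ARP:
        return Classification("ARP", None, None)
    if ethertype != ETHERTYPE_IPV4:
        return Classification(f"ethertype 0x{ethertype:04x}", None, None)

    ip = frame[14:]
    if len(ip) < 20:
        return Classification("IP", None, None)
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return Classification("IP", None, None)       # bad or truncated header
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    transport = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}.get(proto)
    if transport is None:
        return Classification("IP", f"proto {proto}", None, src, dst)

    l4 = ip[ihl:]
    if len(l4) < 4:
        return Classification("IP", transport, None, src, dst)
    sport, dport = struct.unpack_from("!HH", l4, 0)
    # The server end of a flow normally sits on the well-known port: check the
    # destination first, then the source (a reply packet).
    app = WELL_KNOWN_PORTS.get(dport) or WELL_KNOWN_PORTS.get(sport)
    return Classification("IP", transport, app, src, dst)


def build_frame(proto: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a minimal Ethernet II / IPv4 / TCP-or-UDP frame for testing."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == IPPROTO_TCP else 8
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (l4_len - 4)
    return eth + ip_hdr + l4


if __name__ == "__main__":
    print(classify_frame(build_frame(IPPROTO_TCP, "10.0.0.5", "192.0.2.10", 40000, 80)))
    print(classify_frame(build_frame(IPPROTO_UDP, "10.0.0.5", "192.0.2.53", 51000, 53)))
    print(classify_frame(b"\x00" * 12 + b"\x08\x06"))
```

Each return point corresponds to one of the text's levels of specificity: a non-IP EtherType gives only the broad indicator, an IP header without a recognised protocol gives the protocol number, and only a complete transport header yields the application guess. A port-based guess is exactly that, which is why the later sections of the application add URI and header attributes for web traffic.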
`
Classification is not new. Firewall products like “CheckPoint FireWall-1,” a product
of CheckPoint Software Technologies, Inc., a company with headquarters in Redwood
City, Calif., have rules for matching traffic. Bandwidth managers such as
“Aponet,” a product of Aponet, Inc., a company with headquarters in San Jose,
Calif., classify by destination. The PacketShaper, a product of Packeteer, Inc., a
company with headquarters in Cupertino, Calif., allows a user to
manually enter rules to match various traffic types for statistical tracking, i.e.,
counting by transaction, byte count, rates, etc. However, manual rule entry requires a
level of expertise that limits the appeal of such a system to network-savvy customers.
What is really needed is a method for analyzing real traffic in a customer's
network and automatically producing a list of the “found traffic.”
`
`SUMMARY OF THE INVENTION
`
`According to the invention, in a packet communication environment, a method is
`provided for automatically classifying packet flows for use in allocating bandwidth
resources and the like by a rule of assignment of a service level. The method
comprises applying individual instances of traffic classification paradigms to packet
`network flows based on selectable information obtained from a plurality of layers of a
`multi-layered communication protocol in order to define a characteristic class, then
`mapping the flow to the defined traffic class. It is useful to note that the automatic
`classification is sufficiently robust to classify a complete enumeration of the possible
`traffic.
`
An advantage of traffic classification techniques according to the present invention
is that network managers need not know the technical aspects of each kind of traffic in
order to configure traffic classes. A further advantage of the present invention is that
traffic classes may include information such as a URI for web traffic. A yet further
advantage of the present invention is that service aggregates bundle traffic to provide a
convenience to the user, by clarifying processing, and enable the user to obtain group
counts of all parts comprising a service.
`
`The invention will be better understood upon reference to the following detailed
`description in connection with the accompanying drawings.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1A depicts a representative client server relationship in accordance with a
`particular embodiment of the invention;
`
`FIG. 1B depicts a functional perspective of the representative client server
`relationship in accordance with a particular embodiment of the invention;
`
`FIG. 1C depicts a representative internetworking environment in accordance with a
`particular embodiment of the invention;
`
`FIG. 1D depicts a relationship diagram of the layers of the TCP/IP protocol suite;
`
`FIGS. 2A-2B depict representative divisions of bandwidth;
`
FIG. 3 depicts a component diagram of processes and data structures in accordance
with a particular embodiment of the invention; and
`
`FIGS. 4A-4B depict flowcharts of process steps in automatically classifying traffic in
`accordance with a particular embodiment of the invention.
`
DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

A preferable embodiment of a flow bandwidth management system according to the invention
has been reduced to practice and will be made available under the trade name “PacketShaper™.”

1.0 Introduction
`
`The present invention provides techniques to automatically classify a plurality of
`heterogeneous packets in a packet telecommunications system for management of
`network bandwidth in systems such as a private area network, a wide area network or
an internetwork. Systems according to the present invention enable network managers
to automatically define traffic classes, for which policies may then be created
specifying service levels for the traffic classes and isolating bandwidth resources
associated with certain traffic classes. Inbound as well as outbound traffic may be
`managed. Table 1 provides a definitional list of terminology used herein.
`
TABLE 1 LIST OF DEFINITIONAL TERMS

ADMISSIONS CONTROL: A policy invoked whenever a system according to the
invention detects that a guaranteed information rate cannot be maintained. An
admissions control policy is analogous to a busy signal in the telephone world.

CLASS SEARCH ORDER: A search method based upon traversal of an N-ary tree data
structure containing classes.

COMMITTED INFORMATION RATE (CIR): A rate of data flow allocated to reserved
service traffic for rate based bandwidth allocation for a committed bandwidth.
Also called a guaranteed information rate (GIR).

EXCEPTION: A class of traffic provided by the user which supersedes an
automatically determined classification order.

EXCESS INFORMATION RATE (EIR): A rate of data flow allocated to reserved
service traffic for rate based bandwidth allocation for uncommitted bandwidth
resources.

FLOW: A flow is a single instance of a traffic class. For example, all packets in a
TCP connection belong to the same flow, as do all packets in a UDP session.

GUARANTEED INFORMATION RATE (GIR): A rate of data flow allocated to reserved
service traffic for rate based bandwidth allocation for a committed bandwidth.
Also called a committed information rate (CIR).

HARD ISOLATION: Hard isolation results from the creation of an entirely separate
logical channel for a designated set of classes.

INSIDE: On the system side of an access link. Outside clients and servers are on
the other side of the access link.

ISOLATION: Isolation is the degree that bandwidth resources are allocable to
traffic classes.

OUTSIDE: On the opposite side of an access link as viewed from the perspective of
the system on which the software resides.

PARTITION: Partition is an arbitrary unit of network resources.

POLICY: A rule for the assignment of a service level to a flow.

POLICY INHERITANCE: A method for assigning policies to flows for which no
policy exists in a hierarchical arrangement of policies. For example, if a flow is
determined to be comprised of FTP packets for Host A, and no corresponding policy
exists, a policy associated with a parent node, such as an FTP policy, may be located
and used. See also POLICY SEARCH ORDER.

POLICY BASED SCALING: An adjustment of a requested data rate for a particular
flow based upon the policy associated with the flow and information about the
flow's potential rate.

RESERVED SERVICE: Reserved service is a service level intended for traffic which
“bursts” or sends chunks of data. Reserved service is defined in terms of a scaled
rate.

SCALED RATE: Assignment of a data rate based upon detected speed.

SERVICE LEVEL: A service paradigm having a combination of characteristics
defined by a network manager to handle a particular class of traffic. Service levels
may be designated as either reserved or unreserved.

SOFT ISOLATION: Restricting GIR allocated for traffic classes in a partition.

TARGET RATE: A target rate is a combination of a guaranteed rate and an excess
rate. Target rate is a policy-based paradigm. Excess rate is allocated by systems
according to the invention from bandwidth that is not consumed by reserved service.
Policies will demand excess rate at a given priority and systems according to the
invention satisfy this demand by priority level.

TRAFFIC CLASS: All traffic between client and server endpoints. A single instance
of a traffic class is called a flow. Traffic classes have properties or class
attributes such as directionality, which is the property of traffic to be flowing
inbound or outbound.

UNRESERVED SERVICE: Unreserved service is a service level defined in terms of
priority in which no reservation of bandwidth is made.

URI: A Universal Resource Identifier is the name of the location field in a web
reference address. It is also called a URL or Universal Resource Locator.

Table 1
`
`1.1 Hardware Overview
`
`The method for automatically classifying heterogeneous packets in a packet
`telecommunications environment of the present invention is implemented in the
C programming language and is operational on a computer system such as
shown in FIG. 1A. This invention may be implemented in a client-server
`environment, but a client-server environment is not essential. This figure shows
`a conventional client-server computer system which includes a server 20 and
`numerous clients, one of which is shown as client 25. The use of the term
`“"server”" is used in the context of the invention, wherein the server receives
`queries from (typically remote) clients, does substantially all the processing
`necessary to formulate responses to the queries, and provides these responses to
`the clients. However, server 20 may itself act in the capacity of a client when it
`accesses remote databases located at another node acting as a database server.
`
`The hardware configurations are in general standard and will be described only
`briefly. In accordance with known practice, server 20 includes one or more
`processors 30 which communicate with a number of peripheral devices via a
`bus subsystem 32. These peripheral devices typically include a storage
`subsystem 35, comprised of a memory subsystem 35a and a file storage
`subsystem 35b holding computer programs (e.g., code or instructions) and data,
`a set of user interface input and output devices 37, and an interface to outside
`networks, which may employ Ethernet, Token Ring, ATM, IEEE 802.3, ITU
`X.25, Serial Link Internet Protocol (SLIP) or the public switched telephone
network. This interface is shown schematically as a “Network Interface”
`block 40. It is coupled to corresponding interface devices in client computers
`via a network connection 45.
`
`Client 25 has the same general configuration, although typically with less
`storage and processing capability. Thus, while the client computer could be a
`terminal or a low-end personal computer, the server computer is generally a
`high-end workstation or mainframe, such as a SUN SPARC server.
`Corresponding elements and subsystems in the client computer are shown with
`corresponding, but primed, reference numerals.
`
`Bus subsystem 32 is shown schematically as a single bus, but a typical system
`has a number of buses such as a local bus and one or more expansion buses
`(e.g., ADB, SCSI, ISA, EISA, MCA, NuBus, or PCI), as well as serial and
`parallel ports. Network connections are usually established through a device
`such as a network adapter on one of these expansion buses or a modem on a
`serial port. The client computer may be a desktop system or a portable system.
`
The user interacts with the system using interface devices 37' (or devices 37 in
a standalone system). For example, client queries are entered via a keyboard,
communicated to client processor 30', and thence to modem or network
interface 40' over bus subsystem 32'. The query is then communicated to
server 20 via network connection 45. Similarly, results of the query are
communicated from the server to the client via network connection 45 for
output on one of devices 37' (say a display or a printer), or may be stored on
storage subsystem 35'.
`
`FIG. 1B is a functional diagram of a computer system such as that of FIG. 1A.
`FIG. 1B depicts a server 20, and a representative client 25 of a plurality of
`clients which may interact with the server 20 via the Internet 45 or any other
`communications method. Blocks to the right of the server are indicative of the
processing steps and functions which occur in the server's program and
data storage indicated by blocks 35a and 35b in FIG. 1A. A TCP/IP “stack”
`44 works in conjunction with Operating System 42 to communicate with
`processes over a network or serial connection attaching Server 20 to Internet
`45. Web server software 46 executes concurrently and cooperatively with other
`processes in server 20 to make data objects 50 and 51 available to requesting
`clients. A Common Gateway Interface (CGI) script 55 enables information
`from user clients to be acted upon by web server 46, or other processes within
`server 20. Responses to client queries may be returned to the clients in the form
`of a Hypertext Markup Language (HTML) document outputs which are then
`communicated via Internet 45 back to the user.
`
Client 25 in FIG. 1B possesses software implementing functional processes
operatively disposed in its program and data storage as indicated by block 35a'
in FIG. 1A. TCP/IP stack 44' works in conjunction with Operating System
42' to communicate with processes over a network or serial connection
attaching Client 25 to Internet 45. Software implementing the function of a web
browser 46' executes concurrently and cooperatively with other processes in
client 25 to make requests of server 20 for data objects 50 and 51. The user of
the client may interact via the web browser 46' to make such queries of the
server 20 via Internet 45 and to view responses from the server 20 via Internet
45 on the web browser 46'.
`
`Network Overview
`
FIG. 1C is illustrative of the internetworking of a plurality of clients such as
client 25 of FIGS. 1A and 1B and a plurality of servers such as server 20 of
FIGS. 1A and 1B as described herein above. In FIG. 1C, network 60 is an
example of a Token Ring or frame oriented network. Network 60 links host
61, such as an IBM RS6000 RISC workstation, which may be running the
AIX operating system, to host 62, which is a personal computer, which may
be running Windows 95, IBM OS/2 or a DOS operating system, and host
63, which may be an IBM AS/400 computer, which may be running the
OS/400 operating system. Network 60 is internetworked to network 70 via
a system gateway which is depicted here as router 75, but which may also be a
gateway having a firewall or a network bridge. Network 70 is an example of
an Ethernet network that interconnects host 71, which is a SPARC
workstation, which may be running the SUNOS operating system, with host 72,
which may be a Digital Equipment VAX6000 computer which may be running
the VMS operating system.
`
`Router 75 is a network access point (NAP) of network 70 and network 60.
`Router 75 employs a Token Ring adapter and Ethernet adapter. This enables
`router 75 to interface with the two heterogeneous networks. Router 75 is also
aware of the Inter-network Protocols, such as ICMP, ARP and RIP, which are
`described herein below.
`
`FIG. 1D is illustrative of the constituents of the Transmission Control
`Protocol/Internet Protocol (TCP/IP) protocol suite. The base layer of the
`TCP/IP protocol suite is the physical layer 80, which defines the mechanical,
`electrical, functional and procedural standards for the physical transmission of
`data over communications media, such as, for example, the network connection
`45 of FIG. 1A. The physical layer may comprise electrical, mechanical or
`functional standards such as whether a network is packet switching or frame-
`switching; or whether a network is based on a Carrier Sense Multiple
`Access/Collision Detection (CSMA/CD) or a frame relay paradigm.
`
`Overlying the physical layer is the data link layer 82. The data link layer
`provides the function and protocols to transfer data between network resources
`and to detect errors that may occur at the physical layer. Operating modes at the
`datalink layer comprise such standardized network topologies as IEEE 802.3
`Ethernet, IEEE 802.5 Token Ring, ITU X.25, or serial (SLIP) protocols.
`
`Network layer protocols 84 overlay the datalink layer and provide the means
`for establishing connections between networks. The standards of network layer
`protocols provide operational control procedures for internetworking
`communications and routing information through multiple heterogenous
`networks. Examples of network layer protocols are the Internet Protocol (IP)
`and the Internet Control Message Protocol (ICMP). The Address Resolution
`Protocol (ARP) is used to correlate an Internet address and a Media Access
`Address (MAC) for a particular host. The Routing Information Protocol (RIP)
`is a dynamic routing protocol for passing routing information between hosts on
networks. The Internet Control Message Protocol (ICMP) is an internal
protocol for passing control messages between hosts on various networks.
`ICMP messages provide feedback about events in the network environment or
`can help determine if a path exists to a particular host in the network
environment. The latter is called a “Ping”. The Internet Protocol (IP)
provides the basic mechanism for routing packets of information in the Internet.
IP is a non-reliable communication protocol. It provides a “best efforts”
`delivery service and does not commit network resources to a particular
`transaction, nor does it perform retransmissions or give acknowledgments.
`
`The transport layer protocols 86 provide end-to-end transport services across
`multiple heterogenous networks. The User Datagram Protocol (UDP) provides
`a connectionless, datagram oriented service which provides a non-reliable
`delivery mechanism for streams of information. The Transmission Control
`Protocol (TCP) provides a reliable session-based service for delivery of
`sequenced packets of information across the Internet. TCP provides a
`connection oriented reliable mechanism for information delivery.
`
`The session, or application layer 88 provides a list of network applications and
`utilities, a few of which are illustrated here. For example, File Transfer
`Protocol (FTP) is a standard TCP/IP protocol for transferring files from one
`machine to another. FTP clients establish sessions through TCP connections
`with FTP servers in order to obtain files. Telnet is a standard TCP/IP protocol
`for remote terminal connection. A Telnet client acts as a terminal emulator and
`establishes a connection using TCP as the transport mechanism with a Telnet
`server. The Simple Network Management Protocol (SNMP) is a standard for
managing TCP/IP networks. SNMP tasks, called “agents”, monitor network
status parameters and transmit these status parameters to SNMP tasks called
“managers.” Managers track the status of associated networks. A Remote
`Procedure Call (RPC) is a programming interface which enables programs to
`invoke remote functions on server machines. The Hypertext Transfer Protocol
`(HTTP) facilitates the transfer of data objects across networks via a system of
`uniform resource indicators (URI).
`
`The Hypertext Transfer Protocol is a simple protocol built on top of
`Transmission Control Protocol (TCP). It is the mechanism which underlies the
`function of the World Wide Web. The HTTP provides a method for users to
`obtain data objects from various hosts acting as servers on the Internet. User
`requests for data objects are made by means of an HTTP request, such as a
`GET request. A GET request as depicted below is comprised of 1) the GET
`request keyword; followed by 2) the full path of the data object; followed by 3)
the name of the data object; followed by 4) an HTTP protocol version, such as
“HTTP/1.0”. In the GET request shown below, a request is being made for the
`data object with a path name of “/pub/” and a name of “MyData.html”:
`
    GET /pub/MyData.html HTTP-Version                                   (1)
`
Processing of a GET request entails the establishing of a TCP/IP connection with
the server named in the GET request and receipt from the server of the data object specified.
After receiving and interpreting a request message, a server responds in the form of an HTTP
RESPONSE message.

Response messages begin with a status line comprising a protocol version
followed by a numeric Status Code and an associated textual Reason Phrase. These elements are
separated by space characters. The format of a status line is depicted in line (2):
`
    Status-Line = HTTP-Version Status-Code Reason-Phrase                 (2)
`
The status line always begins with a protocol version and status code, e.g.,
“HTTP/1.0 200”. The status code element is a three digit integer result code of the attempt to
understand and satisfy a prior request message. The reason phrase is intended to give a short
textual description of the status code.

The first digit of the status code defines the class of response. There are five
categories for the first digit. 1XX is an information response. It is not currently used. 2XX is a
successful response, indicating that the action was successfully received, understood and
accepted. 3XX is a redirection response, indicating that further action must be taken in order to
complete the request. 4XX is a client error response. This indicates a bad syntax in the request.
Finally, 5XX is a server error. This indicates that the server failed to fulfill an apparently valid
request.
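An added example (not code from the application) that parses the request line of (1) and the status line of (2) and maps the first digit of the status code to the five classes just listed. The grammar it accepts is deliberately strict, rejecting a malformed line rather than guessing at it, which is the behaviour a classifier sitting in the data path needs; the sample lines are constructed.

```python
"""Parse an HTTP request line (1) and status line (2) and classify the status code.

Added example, not code from the patent application.  The sample lines in
__main__ are constructed.
"""
import re
from dataclasses import dataclass

# Deliberately strict grammar: one method token, one request target without
# whitespace, one HTTP-Version of the form HTTP/<digit>.<digit>, single spaces.
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$", re.ASCII)
_STATUS_LINE = re.compile(r"^(HTTP/\d\.\d) (\d{3})(?: (.*))?$", re.ASCII)

# First digit of the status code -> class of response, as listed in the text.
STATUS_CLASSES = {
    "1": "informational",
    "2": "success",
    "3": "redirection",
    "4": "client error",
    "5": "server error",
}


@dataclass
class RequestLine:
    method: str
    path: str        # directory part, e.g. "/pub/"
    name: str        # object name, e.g. "MyData.html"
    version: str

    @property
    def uri(self) -> str:
        return self.path + self.name


@dataclass
class StatusLine:
    version: str
    code: int
    reason: str

    @property
    def status_class(self) -> str:
        return STATUS_CLASSES[str(self.code)[0]]


def parse_request_line(line: str) -> RequestLine:
    """Split 'GET /pub/MyData.html HTTP/1.0' into its four parts from the text."""
    m = _REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed request line: {line!r}")
    method, target, version = m.groups()
    if not target.startswith("/"):
        raise ValueError("request target must be an absolute path")
    # Path is everything up to and including the last '/', the name is the rest.
    cut = target.rfind("/") + 1
    return RequestLine(method, target[:cut], target[cut:], version)


def parse_status_line(line: str) -> StatusLine:
    """Split 'HTTP/1.0 200 OK' into version, numeric code and reason phrase."""
    m = _STATUS_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed status line: {line!r}")
    version, code, reason = m.groups()
    code_int = int(code)
    if not 100 <= code_int <= 599:
        raise ValueError(f"status code out of range: {code}")
    return StatusLine(version, code_int, reason or "")


if __name__ == "__main__":
    req = parse_request_line("GET /pub/MyData.html HTTP/1.0")
    print(req, req.uri)
    st = parse_status_line("HTTP/1.0 200 OK")
    print(st, st.status_class)
```

The range check on the code is what keeps the first-digit lookup total: anything outside 100 to 599 is rejected before it can reach the table, and a reason phrase is optional because the text says only that it is intended to accompany the code.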
`
`2.0 Traffic Class
`
`A traffic class is broadly defined as traffic between one or more clients and one or
`more servers. A single instance of a traffic class is called a flow. Traffic classes have
`the property, or class attribute, of being directional, i.e. all traffic flowing inbound will
belong to different traffic classes and be managed separately from traffic flowing
outbound. The directional property enables asymmetric classification and control of
`traffic, i.e., inbound and outbound flows belong to different classes which may be
`managed independent of one another.
`
Traffic classes may be defined at any level of the TCP/IP protocol as well as for other
non-IP protocols. For example, at the IP level, traffic may be defined as only those
flows between a specified set of inside and outside IP addresses or domain names.
An example of such a low level traffic class definition would be all traffic between
my network and other corporate offices throughout the Internet. At the application
level, traffic classes may be defined for specific URIs within a web server. Traffic
classes may be defined having “Web aware” class attributes. For example, a traffic
class could be created such as all URIs matching “*.html” for all servers, or all
URI patterns matching “*.gif” for server X, or for access to server
Y with URI pattern “/sales/*” from client Z, wherein ‘*’ is a wildcard character,
i.e., a character which matches all other character combinations. Traffic class
attributes left unspecified will simply match any value for that attribute. For example,
a traffic class that accesses data objects within a certain directory path of a web server
is specified by a URI pattern of the directory path to be managed, e.g. “/sales/*”.
`
`2.1 Classifying Traffic
`
`The present invention provides a method for classifying traffic according to a
`definable set of classification attributes selectable by the manager, including selecting
`a subset of traffic of interest to be classified. The invention provides the ability to
`classify and search traffic based upon multiple orthogonal classification attributes.
`
`Traffic class membership may be hierarchical. Thus, a flow may be classified by a
`series of steps through a traffic class tree, with the last step (i.e., at the leaves on the
`classification tree) mapping the flow to a policy. The policy is a rule of assignment for
flows. For example, the first step in classification may be to classify a flow as web traffic, the
next may further classify this flow as belonging to server X, and the final classification may be a
policy for URI “*.avi”. Web traffic may also be classified by HTTP header types such as
Content-Type (MIME type) or User-Agent.
`
`A classification tree is a data structure representing the hierarchical aspect of traffic
`class relationships. Each node of the classification tree represents a class, and has a
`traffic specification, i.e., a set of attributes or characteristics describing the traffic, and
`a mask associated with it. Leaf nodes of the classification tree may contain policies.
`According to a particular embodiment, the classification process checks at each level
`if the flow being classified matches the attributes of a given traffic class. If it does,
`processing continues down to the links associated with that node in the tree. If it does
`not, the class at the level that matches determines the policy for the flow being
`classified. If no policy specific match is found, the flow is assigned the default policy.
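The following added example (not code from the application) implements the classification tree described in this section together with the wildcard URI patterns of section 2.0: each node holds a traffic specification, an optional policy and ordered children; unspecified attributes match any value, and a flow takes the policy of the deepest matching node that has one, or else the default policy. The attribute names (protocol, server_port, server, uri), the sample tree and the sample flows are constructed for the example.

```python
"""Hierarchical traffic classification tree with policy inheritance.

Added example, not code from the patent application.  Attribute names, the
sample tree and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional, Tuple

Flow = Dict[str, Any]


@dataclass
class ClassNode:
    name: str
    spec: Dict[str, Any]                  # attribute -> exact value or '*' pattern
    policy: Optional[str] = None          # leaf (or interior) policy, if any
    children: List["ClassNode"] = field(default_factory=list)

    def matches(self, flow: Flow) -> bool:
        """Every attribute in the spec must match; unspecified ones match anything."""
        for attr, want in self.spec.items():
            have = flow.get(attr)
            if have is None:
                return False
            if isinstance(want, str) and "*" in want:
                # Case-sensitive glob: '*' matches any run of characters, '/' included.
                if not isinstance(have, str) or not fnmatchcase(have, want):
                    return False
            elif have != want:
                return False
        return True


@dataclass
class Classifier:
    root: ClassNode
    default_policy: str = "default"

    def classify(self, flow: Flow) -> Tuple[List[str], str]:
        """Return the path of matched class names and the policy that applies."""
        path: List[str] = []
        policy = self.default_policy
        node = self.root
        while True:
            path.append(node.name)
            if node.policy is not None:
                policy = node.policy          # the deepest policy seen so far wins
            # Children are tried in order; the first match continues the descent.
            nxt = next((c for c in node.children if c.matches(flow)), None)
            if nxt is None:
                return path, policy
            node = nxt


def build_sample_tree() -> Classifier:
    """Constructed tree: web traffic split by server and URI pattern, plus FTP."""
    root = ClassNode("root", {}, children=[
        ClassNode("web", {"protocol": "TCP", "server_port": 80}, policy="web-default", children=[
            ClassNode("server-X", {"server": "X"}, children=[
                ClassNode("X-gif", {"uri": "*.gif"}, policy="images-low"),
                ClassNode("X-sales", {"uri": "/sales/*"}, policy="sales-priority"),
            ]),
            ClassNode("any-html", {"uri": "*.html"}, policy="html-normal"),
        ]),
        ClassNode("ftp", {"protocol": "TCP", "server_port": 21}, policy="ftp-bulk"),
    ])
    return Classifier(root)


if __name__ == "__main__":
    clf = build_sample_tree()
    for flow in (
        {"protocol": "TCP", "server_port": 80, "server": "X", "uri": "/sales/q3.html"},
        {"protocol": "TCP", "server_port": 80, "server": "X", "uri": "/docs/a.txt"},
        {"protocol": "UDP", "server_port": 53},
    ):
        print(flow, "->", clf.classify(flow))
```

A flow to server X whose URI matches neither child pattern stops at the server-X node, which carries no policy of its own, so it inherits “web-default” from the web node above it, the policy inheritance of Table 1. Because children are tried in order, a URI such as “/sales/logo.gif” is taken by the first matching child; that is why the text orders nodes by specificity, and why an operator's “exception” class must be placed ahead of broader siblings.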
`
In a preferred embodiment, the classification tree is an N-ary tree with its
`nodes ordered by specificity. For example, in classifying a particular flow in a
`classification tree ordered first by organizational departments, the attributes of the
`flow are compared with the traffic specification