`
`Yu Claim Elements
`1. A policy engine comprising:
`
`U.S. Provisional Application No. 60/112,859
`Ex. _ (’859 Provisional), 2:
`“Policy Engine: A Policy Engine is a purpose-built hardware engine
`that takes in two inputs - network traffic and network policies. It
`then outputs regulated traffic flows based upon the specifications of
`the network policies. The Policy Engine preferably runs at wire
`speed.”
`
`Ex. __ (’859 Provisional), 4:
`“At the completion of the policy binding process, an entry for a
`given Stream is created on the policy engine which contains all the
`policy info (Action Specs, etc.).”
`
`Ex. __ (’859 Provisional), 4:
`“A policy engine is designed to address some or all of the above
`performance considerations. It preferably comes equipped with a
`Policy Engine API (PAPI). PAPI design takes into account the
`following considerations:
`1) Time-to-market for application developers – Understanding that
`time-to-market is a major concern for the application vendors, PAPI
`design preferably minimizes the development effort required by the
`application developers in order for the existing applications to take
`advantages of policy engine’s performance.”
`
`Ex. __ (’859 Provisional), 6:
`“Policy Engine
`“The policy engine has a built-in Stream Classifier and multiple of
`special purpose Action Processors. The stream classifier works in
`
`EX 1048 Page 1
`
`
`
`concert with the application’s flow classifier to accelerate the
`classification process. The action processors are specialized in
`executing specific action specs at the wire speed. Each of the action
`processors can be enabled or disabled on a per stream basis. The
`policy engine uses a data structure called Policy Cache to keep track
`of all the active streams and the action specs associated with the
`streams. The policy cache is created on the fly by the policy engine
`and they are referenced by the stream classifier and the action
`processors for acceleration of action execution. This data structure
`can be managed and controlled by the application through the policy
`engine API.”
`
`Ex. __ (’859 Provisional), 2:
`
`
`Ex. __ (’859 Provisional), 7:
`
`[1.1] a stream classification module;
`
`
`
`Ex. __ (’859 Provisional), 3:
` “A Stream Spec is the criteria used by the Stream Classifier to
`uniquely identify a stream. In one embodiment, it is the 5-tuple in a
`packet header- source and destination address, source and
`destination port, and protocol type.”
`
`Ex. __ (’859 Provisional), 4:
`“Stream Classifier
`“Stream Classifier is the component that classifies packets into
`Streams based upon the packets’ header info.”
`
`Ex. __ (’859 Provisional), 6:
`“The policy engine has a built-in Stream Classifier and multiple of
`special purpose Action Processors. The stream classifier works in
`concert with the application’s flow classifier to accelerate the
`classification process. The action processors are specialized in
`executing specific action specs at the wire speed. Each of the action
`processors can be enabled or disabled on a per stream basis. The
`policy engine uses a data structure called Policy Cache to keep track
`of all the active streams and the action specs associated with the
`streams. The policy cache is created on the fly by the policy engine
`and they are referenced by the stream classifier and the action
`processors for acceleration of action execution. This data structure
`can be managed and controlled by the application through the policy
`engine API.”
`
`Ex. __ (’859 Provisional), 11:
`“The Stream Classification Module, based on the policy cache,
`creates a Packet Service Header for each packet. The Packet Service
`Header indicates what policies need to be enforced, in what order,
`and it is software programmable. The Packet Service Header
`includes a number of pairs of AP ID and AP Pointers.”
`
`Ex. __ (’859 Provisional), 7:
`
`Ex. __ (’859 Provisional), 9:
`
`[1.2] a packet input/output module that places received
`packets in an external packet memory and that notifies the
`stream classification module of the packets in the external
`packet memory;
`
`
`
`Ex. __ (’859 Provisional), 11:
`“The Packet Input/Output Module places the received packets in
`the external packet memory and notifies the Stream Classification
`Module of such packets. Upon completion of all policies
`enforcement, Packet Input/Output Module transmits the packet from
`external packet memory to the network.”
`
`Ex. __ (’859 Provisional), 11:
`“Upon completion of all policy enforcement for a particular packet,
`the packet scheduler copies that packet to external packet memory.
`The Packet Input/[O]utput module is then notified and transmits the
`packet to the network.”
`
`Ex. __ (’859 Provisional), 9:
`
`[1.3] wherein the stream classification module creates a
`packet service header for each packet in the external packet
`memory indicating, based on a policy cache, policies to be
`enforced on that packet;
`
`Ex. __ (’859 Provisional), 10:
`“Packet Service Header: 12-byte Packet Service Header is stored
`in the On Chip Packet Buffers. One Packet Service Header is
`generated per incoming packet.”
`
`Ex. __ (’859 Provisional), 11:
`“The Stream Classification Module, based on the policy cache,
`creates a Packet Service Header for each packet. The Packet Service
`Header indicates what policies need to be enforced, in what order,
`and it is software programmable. The Packet Service Header
`includes a number of pairs of AP ID and AP Pointers. An AP ID
`uniquely defines an Action Processor, and the AP pointer points to
`the Action Spec required to enforce such policy. An example of an
`action processor is a DES engine which needs a 56-bit or 112-bit
`key to do the encryption or decryption. The policy cache can be
`modified if network requirements changes. In addition to that, the
`order of different policy enforcement can also be programmed to
`achieve different application requirements.”
`
`Ex. __ (’859 Provisional), 11:
`“A Next AP field, together with the AP IDs in the Packet Service
`Header, tells the Policy Enforcement Module where is the next
`destination Action Processor of each cell.”
`
`Ex. __ (’859 Provisional), 4:
`“Policy Cache
`“At the completion of the policy binding process, an entry for a
`given Stream is created on the policy engine which contains all the
`policy info (Action Specs, etc.). The collection of all active entries is
`called Policy Cache.”
`
`Ex. __ (’859 Provisional), 6:
`“The policy engine uses a data structure called Policy Cache to keep
`track of all the active streams and the action specs associated with
`the streams. The policy cache is created on the fly by the policy
`engine and they are referenced by the stream classifier and the
`action processors for acceleration of action execution. This data
`structure can be managed and controlled by the application through
`the policy engine API.”
`
`Ex. __ (’859 Provisional), 7:
`“As shown in Fig. 5, in one particular implementation, a stream
`oriented table is implemented as the policy cache to cache the policy
`(action specs) on a per stream basis.”
`
`Ex. __ (’859 Provisional), 8:
`“Upon the completion of policy binding process, the policy engine
`may immediately take control of the bound stream and execute the
`appropriate actions per action specs (e.g., in the policy cache)
`without any intervention from the “host” (policy-based) application.
`The application need not “see” any packets belonging to that stream
`after the binding (unless the stream is actually destined for the
`host.).”
`
`Ex. __ (’859 Provisional), 11:
`“In addition to this, it is capable of reading the required action spec
`based on the AP pointer on the packet Service Header. Each Action
`Processor may also have an input and output FIFO to buffer the
`cells.
`“Each cell is routed to the next Action Processor based on the Packet
`Service Header and Cell Service Header. The cell routing is
`preferably distributed to each Action Processor, instead of being
`centralized to a cell routing unit.
`
`Ex. __ (’859 Provisional), 9:
`
`
`Ex. __ (’859 Provisional), 5:
`
`Ex. __ (’859 Provisional), 10:
`
`
`
`[1.4] a policy enforcement module to enforce policies on the
`packets, including a packet scheduler that fragments each
`packet into cells and schedules enforcement of the policies
`on each cell based on the packet service header;
`
`
`
`Ex. __ (’859 Provisional), 11:
`“The Policy Enforcement Module includes a Packet Scheduler, an
`On Chip packet Buffer(s), and several Action Processors. The
`Packet Scheduler copies packets from external packet memory to On
`Chip Packet Buffer. After copying the packets to the Packet Buffer,
`packets are fragmented into 64 bytes cells. An 8-bit Cell Service
`Header is added to the beginning of each 64-byte cell. The Cell
`Service Header has a packet Number to uniquely identify a packet in
`the Policy Enforcement Module pipeline and a Start and Stop bit to
`indicate the first and last cell of a packet. A Next AP field, together
`with the AP IDs in the Packet Service Header, tells the Policy
`Enforcement Module where is the next destination Action Processor
`of each cell.
`“It is preferable to have the On Chip Packet Buffer because it allows
`Action Processors very low latency and high bandwidth access to
`the packets as compared with external Packet Memory. In case the
`next Action Processor is busy for a cell, the On Chip Packet Buffer
`serves as temporary storage for that cell. This prevent the blocking
`of following cells which need to go through this particular Action
`Processor. Each Action Processor performs a particular policy
`enforcement. In addition to this, it is capable of reading the required
`action spec based on the AP pointer on the packet Service Header.
`Each Action Processor may also have an input and output FIFO to
`buffer the cells.
`“Each cell is routed to the next Action Processor based on the Packet
`Service Header and Cell Service Header. The cell routing is
`preferably distributed to each Action Processor, instead of being
`centralized to a cell routing unit. This distributed approach allows
`for adding and removing policies much more easily. Upon
`completion of all policy enforcement for a particular packet, the
`packet scheduler copies that packet to external packet memory. The
`Packet Input/[O]utput module is then notified and transmits the
`packet to the network.”
`
`Ex. __ (’859 Provisional), 11:
`“The Packet Service Header includes a number of pairs of AP ID
`and AP Pointers. An AP ID uniquely defines an Action Processor,
`and the AP pointer points to the Action Spec required to enforce
`such policy. An example of an action processor is a DES engine
`which needs a 56-bit or 112-bit key to do the encryption or
`decryption. The policy cache can be modified if network
`requirements changes. In addition to that, the order of different
`policy enforcement can also be programmed to achieve different
`application requirements.”
`
`Ex. __ (’859 Provisional), 3:
`“The found action spec is then passed to a[n] action processor for
`policy enforcement.”
`
`Ex. __ (’859 Provisional), 9:
`
`Ex. __ (’859 Provisional), 6:
`
`[1.5] on-chip packet buffer circuitry to temporarily hold the
`packets during policy enforcement; and
`
`
`
`Ex. __ (’859 Provisional), 11:
`“The Policy Enforcement Module includes a Packet Scheduler, an
`On Chip packet Buffer(s), and several Action Processors. The
`Packet Scheduler copies packets from external packet memory to On
`Chip Packet Buffer. After copying the packets to the Packet Buffer,
`packets are fragmented into 64 bytes cells.”
`
`Ex. __ (’859 Provisional), 11:
`“It is preferable to have the On Chip Packet Buffer because it allows
`Action Processors very low latency and high bandwidth access to
`the packets as compared with external Packet Memory. In case the
`next Action Processor is busy for a cell, the On Chip Packet Buffer
`serves as temporary storage for that cell. This prevent the blocking
`of following cells which need to go through this particular Action
`Processor. Each Action Processor performs a particular policy
`enforcement.”
`
`Ex. __ (’859 Provisional), 10:
`“Packet Service Header: 12-byte Packet Service Header is stored
`in the On Chip Packet Buffers. One Packet Service Header is
`generated per incoming packet.”
`
`Ex. __ (’859 Provisional), 10:
`“Pkt #: Relative Packet number to ensure packet ordering. Pkt # is
`given when copied to
`On Chip Packet Buffer., 00>01>10>11>00”
`
`Ex. __ (’859 Provisional), 9:
`
`[1.6] a plurality of action processors, each action processor
`performing a particular policy enforcement on a cell and
`routing the cell to a next one of the action processors.
`
`
`
`Ex. __ (’859 Provisional), 4:
`“Action Processor
`Action Processor is the component that executes the action based
`upon the action spec.”
`
`Ex. __ (’859 Provisional), 6:
`“The policy engine has a built-in Stream Classifier and multiple of
`special purpose Action Processors. The stream classifier works in
`concert with the application’s flow classifier to accelerate the
`classification process. The action processors are specialized in
`executing specific action specs at the wire speed. Each of the action
`processors can be enabled or disabled on a per stream basis. The
`policy engine uses a data structure called Policy Cache to keep track
`of all the active streams and the action specs associated with the
`streams. The policy cache is created on the fly by the policy engine
`and they are referenced by the stream classifier and the action
`processors for acceleration of action execution. This data structure
`can be managed and controlled by the application through the policy
`engine API.”
`
`Ex. __ (’859 Provisional), 11:
`“The Packet Service Header indicates what policies need to be
`enforced, in what order, and it is software programmable. The
`Packet Service Header includes a number of pairs of AP ID and AP
`Pointers. An AP ID uniquely defines an Action Processor, and the
`AP pointer points to the Action Spec required to enforce such
`policy. An example of an action processor is a DES engine which
`needs a 56-bit or 112-bit key to do the encryption or decryption. The
`policy cache can be modified if network requirements changes. In
`addition to that, the order of different policy enforcement can also be
`programmed to achieve different application requirements.
`“The Policy Enforcement Module includes a Packet Scheduler, an
`On Chip packet Buffer(s), and several Action Processors. The
`Packet Scheduler copies packets from external packet memory to On
`Chip Packet Buffer. After copying the packets to the Packet Buffer,
`packets are fragmented into 64 bytes cells. An 8-bit Cell Service
`Header is added to the beginning of each 64-byte cell. The Cell
`Service Header has a packet Number to uniquely identify a packet in
`the Policy Enforcement Module pipeline and a Start and Stop bit to
`indicate the first and last cell of a packet. A Next AP field, together
`with the AP IDs in the Packet Service Header, tells the Policy
`Enforcement Module where is the next destination Action Processor
`of each cell.
`“It is preferable to have the On Chip Packet Buffer because it allows
`Action Processors very low latency and high bandwidth access to
`the packets as compared with external Packet Memory. In case the
`next Action Processor is busy for a cell, the On Chip Packet Buffer
`serves as temporary storage for that cell. This prevent the blocking
`of following cells which need to go through this particular Action
`Processor. Each Action Processor performs a particular policy
`enforcement. In addition to this, it is capable of reading the required
`action spec based on the AP pointer on the packet Service Header.
`Each Action Processor may also have an input and output FIFO to
`buffer the cells.
`“Each cell is routed to the next Action Processor based on the Packet
`Service Header and Cell Service Header. The cell routing is
`preferably distributed to each Action Processor, instead of being
`centralized to a cell routing unit. This distributed approach allows
`for adding and removing policies much more easily. Upon
`completion of all policy enforcement for a particular packet, the
`packet scheduler copies that packet to external packet memory. The
`Packet Input/[O]utput module is then notified and transmits the
`packet to the network.”
`
`Ex. __ (’859 Provisional), 10:
`“AP x ID: The #x Action Processor ID.
`“AP x Ptr: A pointer to Action Processor’s action spec (e.g. DES
`key) of the #x
`“Cell Service Header: For the purpose of creating deep pipeline to
`maximize the policy engine performance. Packets are fragmented
`into fixed-sized cells. One-byte Cell Service Header is attached to
`each cell and travel along with cells to the Action Processors….
`“Next AP: Next Action Processor to perform on the cell. “0000”
`indicates completion of all action processing.”
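
The header fields quoted above can be modelled in C to show how a cell is tagged and then handed from one Action Processor to the next. This is an added illustration, not code from the ’859 Provisional or from this exhibit; the bit positions inside the Cell Service Header, the four-entry Packet Service Header struct, the sample values and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define CELL_BYTES 64   /* cell size stated on the page */
#define MAX_AP 4        /* assumed count of AP ID / AP Ptr pairs */
#define AP_DONE 0x0     /* "0000": all action processing complete */

typedef struct { /* assumed layout: the page names the fields, not widths or order */
    uint8_t ap_id[MAX_AP];  /* action processors in enforcement order, 0 = unused */
    uint8_t ap_ptr[MAX_AP]; /* action spec index for each AP (e.g. a key slot) */
} packet_service_header;

/* Assumed 8-bit Cell Service Header: [7:6] Pkt #, [5] Start, [4] Stop, [3:0] Next AP. */
static uint8_t csh_pack(unsigned pkt, int start, int stop, unsigned next_ap) {
    return (uint8_t)(((pkt & 3u) << 6) | ((start ? 1u : 0u) << 5) |
                     ((stop ? 1u : 0u) << 4) | (next_ap & 0xFu));
}

/* Write one header per 64-byte cell into hdrs[]; returns the cell count, 0 on error. */
size_t fragment(size_t len, unsigned pkt, const packet_service_header *psh,
                uint8_t *hdrs, size_t max_cells) {
    size_t n = (len + CELL_BYTES - 1) / CELL_BYTES;
    if (n == 0 || n > max_cells) return 0;
    for (size_t i = 0; i < n; i++)
        hdrs[i] = csh_pack(pkt, i == 0, i == n - 1, psh->ap_id[0]);
    return n;
}

/* Distributed routing: the AP that just handled the cell rewrites Next AP to its
 * successor in the Packet Service Header; an unlisted AP yields AP_DONE here. */
uint8_t route_after(uint8_t hdr, const packet_service_header *psh) {
    unsigned cur = hdr & 0xFu, next = AP_DONE;
    for (int i = 0; i + 1 < MAX_AP && cur != AP_DONE; i++)
        if (psh->ap_id[i] == cur) { next = psh->ap_id[i + 1]; break; }
    return (uint8_t)((hdr & 0xF0u) | next);
}

/* Count AP-to-AP hops until Next AP reads "0000" (bounded against bad tables). */
int hops_to_done(uint8_t hdr, const packet_service_header *psh) {
    int hops = 0;
    while ((hdr & 0xFu) != AP_DONE && hops < MAX_AP) {
        hdr = route_after(hdr, psh);
        hops++;
    }
    return hops;
}

int main(void) {
    packet_service_header psh = {{2, 5, 1, 0}, {0, 1, 2, 0}}; /* constructed sample */
    uint8_t hdrs[8];
    size_t n = fragment(150, 1, &psh, hdrs, 8);
    for (size_t i = 0; i < n; i++) printf("cell %zu: csh=0x%02X\n", i, hdrs[i]);
    return 0;
}
```

In this model a Next AP value that does not appear in the Packet Service Header is treated as complete, which is fail-open; an enforcement pipeline would want such a cell dropped or flagged rather than released.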
`
`Ex. __ (’859 Provisional), 2:
`“The application can speed up the overall system performance by
`turning on the appropriate acceleration functions (action processors)
`on the policy engine.”
`
`Ex. __ (’859 Provisional), 3:
`“When a packet arrives, a flow classifier typically classifies the
`packet and finds a action spec according to some predefined
`matching criteria. The found action spec is then passed to a action
`processor for policy enforcement. The process of flow classification
`and action processing may repeat for many iterations as multiple
`policies are activated at the same time as shown in the Fig 2. For
`example, a VPN (virtual private network) application may comprise
`Firewall Policy, IPSEC Policy, IPCOMP (IP compression) policy,
`NAT (Network Address Translation) Policy, QoS (Quantity of
`Service) policy, Monitoring Policy, L2TP/PPTP (L2 Tunnel
`Protocol/Point To Point Tunnel Protocol) Tunnel Policy, and so on.”
`
`Ex. __ (’859 Provisional), 7:
`“The action specs activate the corresponding action processors to
`execute the actions for the specified stream.”
`
`Ex. __ (’859 Provisional), 4:
`“The flow classifiers may also differ per action processor for
`performance optimization.”
`
`Ex. __ (’859 Provisional), 3:
`
`Ex. __ (’859 Provisional), 7:
`
`
`
`
`Ex. __ (’859 Provisional), 9:
`
`[Figure residue: block diagram labeled Packet Input/Output Module, Stream Classification Module, Policy Enforcement Module, Packet Scheduler, On Chip Packet Buffer, Action Processor A]