
(19) United States
(12) Patent Application Publication
Maher, III et al.

(10) Pub. No.: US 2003/0118029 A1
(43) Pub. Date: Jun. 26, 2003

(54) METHOD AND APPARATUS FOR ENFORCING SERVICE LEVEL AGREEMENTS

(76) Inventors: Robert Daniel Maher III, Plano, TX (US); James Robert Deerman, Lucas, TX (US); Milton Andre Lie, McKinney, TX (US); Mark Warden Hervin, Plano, TX (US)

Correspondence Address:
Netrake Corporation
Suite 100
3000 Technology Drive
Plano, TX 75074 (US)

(21) Appl. No.: 10/260,768
(22) Filed: Sep. 30, 2002

Related U.S. Application Data

(63) Continuation of application No. 09/653,521, filed on Aug. 31, 2000, now abandoned.

Publication Classification

(51) Int. Cl.7: H04L 12/28
(52) U.S. Cl.: 370/395.21; 370/395.43

(57) ABSTRACT

A network device for enforcing service level agreements is described that is able to scan the contents of entire data packets including header and payload information. The network device includes memory for storing subscriber information, policies and statistics. The traffic flow scanning processor scans the header and payload information from each data packet, which is used to associate each data packet with a particular subscriber, classify the type of network traffic in the data packet and to enforce the particular policies associated with the subscriber. The traffic flow scanning processor produces a treatment for the data packet based on the scanning. The scanned data packets and the associated treatments are then passed to a quality of service processor, which modifies the data packets if necessary and enforces resource allocation according to the preprogrammed policies.

[Front-page drawing: network topology diagram. Legible labels include ENTERPRISE, PROVIDER, PRIVATE IP NETWORK and VOICE OVER IP NETWORK.]

Splunk Inc. Exhibit 1025 Page 1

[Drawing sheets 1 to 4 of 5: drawings not recoverable from the text extraction.]

[Drawing sheet 5 of 5, FIG. 5: flow chart. Legible box labels include: ASSOCIATE DATA PACKET WITH CUSTOMER INFORMATION AND CLASSIFY CONTENTS OF DATA PACKET; ARE CONTENTS REAL TIME OR NON REAL TIME; COMPARE AVAILABLE CAPACITY FOR TRAFFIC TYPE WITH UNIT CAPACITY; ENOUGH AVAILABLE CAPACITY (YES/NO); DECREMENT AVAILABLE CAPACITY BY UNIT CAPACITY; COMPARE SIZE OF DATA PACKET WITH AVAILABLE CAPACITY; MARK PACKET FOR DELETION; SEND TO AVAILABLE BIT RATE QUEUE FOR BEST EFFORTS TREATMENT; DECREMENT AVAILABLE CAPACITY BY PACKET SIZE; SEND TO APPROPRIATE REAL TIME VBR QUEUE.]

METHOD AND APPARATUS FOR ENFORCING SERVICE LEVEL AGREEMENTS

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application is a continuation of application Ser. No. 09/653,521 which was filed on Aug. 31, 2000.

TECHNICAL FIELD OF THE INVENTION

[0002] The present invention relates to broadband data networking equipment. Specifically, the present invention relates to a method and network device that is able to classify network traffic based on type and application and to shape and manage network traffic in order to enforce Service Level Agreements.

BACKGROUND OF THE INVENTION

[0003] Almost everyone is using Internet and web-based services as a primary means of conducting business. Services such as email, e-commerce, Voice over IP (VoIP), and web-browsing have become critical to communication within and across organizations. As reliance on network-based services increases, so do consumer demands for availability, reliability, and responsiveness of the services. Typically, the customers do not care how the service is composed; to them the quality of service (QoS) is what is important. These quality of service expectations are driving customers to negotiate guarantees with their service providers that will meet customer service requirements for specific QoS levels. In order to offer end-to-end QoS guarantees to customers, more and more providers and customers are entering into Service Level Agreements (SLAs).

[0004] An SLA is a contract between a provider and a customer that guarantees specific levels of performance and reliability for a certain cost. Traditionally, SLAs have included performance guarantees such as response time and network availability, in addition to specifying customer support and help desk issues. One major problem with SLAs, however, is that they are limited to collecting statistical information on network performance and availability since the current state of the art does not allow manipulation of the network itself or the data flowing over the network at wire speed. Because SLAs are enforced after the fact based on statistical information, the only recourse to both provider and customer is an adjustment to payments or credits applied for future services.

[0005] Technology that would allow real time monitoring and dynamic allocation of network resources would allow providers and customers to take SLAs and service level management (SLM) to the next level. Such a technology would identify network resources that were reaching their maximum performance and allow the network to dynamically allocate additional resources, which could be metered and billed to the customer. Additionally, the customers would not be limited to resources in increments of carrier size, such as D3s, T1s or T3s, but instead would be able to specify their exact requirement and pay for exactly the resources consumed.

[0006] Further, new technology could be incorporated to include security features such as prevention of denial of service and monitoring for email viruses and worms. This would allow the provider to differentiate his services from other providers and would provide content that could be charged for by the provider. The customer would benefit by increased availability of their resources as well as being able to offload the expense of installing and maintaining security equipment to the provider.

[0007] Accordingly, what is needed is a network device that can enforce service level agreements by being able to recognize network traffic at wire speeds and by dynamically modifying the traffic or the network to accommodate performance and resource policies agreed to between the provider and customer. Further, the network device is able to provide security for the network that is maintained by the provider as a service to the customer.

SUMMARY OF THE INVENTION

[0008] The present invention provides for a network device or apparatus that is able to enforce service level agreements between providers and customers. The network device includes memory, which contains information specific to each customer, or subscriber. The memory also includes policies defined to enforce the terms of the service level agreements such as resource allocation and particular service levels, as well as statistics that are kept for each subscriber allowing the provider to provide metering and billing, as well as to allow the subscriber to keep detailed information on the subscriber's network usage. The memory is connected to a traffic flow scanning processor which is operable to scan both the header and payload of all data packets flowing through the network device. The traffic flow scanning processor scans each packet to associate it with a particular subscriber and to identify the type and nature of the network traffic. Once the subscriber and type of traffic have been identified, the policies for that subscriber can be enforced and events or statistics can be logged. This is accomplished by the traffic flow scanning processor determining a treatment for each data packet based on the scanning and preprogrammed policies. This treatment and the data packet itself are forwarded to a quality of service processor connected to the traffic flow scanning processor. The quality of service processor modifies the data packet, if necessary, and assigns it to a quality of service queue based on the treatment.

[0009] Further, the present invention sets forth a method for enforcing resource allocation defined by a service level agreement. The method associates each data packet with a subscriber, or customer, and classifies the data packet by traffic type, each traffic type being further classified as either real time or non-real time. Once the packet is classified and associated with a subscriber, the method checks for available bandwidth according to the preprogrammed policies for that subscriber. The data packet is then sent to the appropriate quality of service queue for transmission back onto the network.

[0010] The foregoing has outlined, rather broadly, preferred and alternative features of the present invention so that those skilled in the art may better understand the detailed description of the invention that follows. Additional features of the invention will be described hereinafter that form the subject of the claims of the invention. Those skilled in the art will appreciate that they can readily use the disclosed conception and specific embodiment as a basis for designing or modifying other structures for carrying out the same purposes of the present invention. Those skilled in the art will also realize that such equivalent constructions do not depart from the spirit and scope of the invention in its broadest form.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] For a more complete understanding of the present invention, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:

[0012] FIG. 1 is a network topology diagram illustrating example environments in which the present invention can operate;

[0013] FIG. 2 is a block diagram of a “bump-in-the-line” network apparatus according to the present invention;

[0014] FIG. 3 is a block diagram of the payload scanning engine from FIG. 2; and

[0015] FIG. 4 is a block diagram of a routing network apparatus according to the present invention; and

[0016] FIG. 5 is a flow chart illustrating a method according to the present invention for enforcing resource allocation according to a Service Level Agreement.

DETAILED DESCRIPTION OF THE DRAWINGS

[0017] Referring now to FIG. 1, a network topology is shown which is an example of several network infrastructures that connect in some manner to a broader public IP network 10 such as the internet. FIG. 1 is in no way meant to be a precise network architecture, but only to serve as a rough illustration of a variety of network structures which can exist on a broadband IP network. Public IP network 10 can be accessed in a variety of ways. FIG. 1 shows the public IP network being accessed through a private IP network 12 which can be the IP network of a company such as MCI or UUNET which provide private core networks. An endless variety of network structures can be connected to private IP network 12 in order to access other networks connected to private IP network 12 or to access public IP network 10.

[0018] One example of a network structure connecting to private IP network 12 is hosting network 14. Hosting network 14 is an example of a network structure that provides hosting services for internet websites. These hosting services can be in the form of webfarm 16. Webfarm 16 begins with webservers 30 and database 32 which contain the webpages, programs and databases associated with a particular website such as amazon.com or yahoo.com. Webservers 30 connect to redundant load balancers 28 which receive incoming internet traffic and assign it to a particular webserver to balance the loads across all of webservers 30. Redundant intrusion detection systems 26 and firewalls connect to load balancers 28 and provide security for webfarm 16. Individual webfarms 16 and 17 connect to hosting network 14’s switched backbone 18 by means of a network of switches 20 and routers 22. Hosting network 14’s switched backbone 18 is itself made up of a network of switches 20 which then connect to one or more routers 22 to connect to private IP network 12. Connections between individual webfarms 16 and 17 and the switched backbone 18 of hosting network 14 are usually made at speeds such as OC-3 or OC-12 (approx. 150 megabits/sec or 625 megabits/sec), while the connection from router 22 of hosting network 14 to private IP network 12 is on the order of OC-48 speeds (approx. 2.5 gigabits/sec).

[0019] Another example of network structures connecting to private IP networks is illustrated with service provider network 34. Service provider network 34 is an example of a network structure for Internet Service Providers (ISPs) or Local Exchange Carriers (LECs) to provide both data and voice access to private IP network 12 and public IP network 10. Service provider network 34 provides services such as internet and intranet access for enterprise networks 36 and 37. Enterprise networks 36 and 37 are, for example, company networks such as the company network for Lucent Technologies or Merrill Lynch. Each enterprise network, such as enterprise network 36, includes a plurality of network servers and individual workstations connected to a switched backbone 18, which can be connected by routers 22 to service provider network 34.

[0020] In addition to internet access for enterprise networks, service provider network 34 provides dial-up internet access for individuals or small businesses. Dial-up access is provided in service provider network 34 by remote access server (RAS) 42, which allows personal computers (PCs) to call into service provider network 34 through the public switched telephone network (PSTN), not shown. Once a connection has been made between the PC 50 and RAS 42 through the PSTN, PC 50 can then access the private or public IP networks 12 and 10.

[0021] Service provider network 34 also provides the ability to use the internet to provide voice calls over a data network referred to as Voice over IP (VoIP). VoIP networks 46 and 47 allow IP phones 48 and PCs 50 equipped with the proper software to make telephone calls to other phones, or PCs connected to the internet or even to regular phones connected to the PSTN. VoIP networks, such as VoIP network 46, include media gateways 52 and other equipment, not shown, to collect and concentrate the VoIP calls which are sent through service provider network 34 and private and public internet 12 and 10 as required. As mentioned, the advent of VoIP as well as other real time services such as video over the internet makes quality of service a priority for service providers in order to match the traditional telephone service provided by traditional telephone companies.

[0022] Service providers often enter into service level agreements with their customers. These service level agreements set out service and availability requirements, which are then monitored and statistics collected. These statistics are used to determine whether the service provider met, failed to meet, or exceeded the service levels set out in the service level agreement. The service provider can then be subject to either monetary penalties or rewards for the level of service provided.

[0023] Service provider network 34 includes a switched backbone 18 formed by switches 20 as well as routers 22 between it and its end users and between it and private IP network 12. Domain name servers 44 and other networking equipment, which are not shown, are also included in service provider network 34. Similar to hosting network 34, connection speeds for service provider network 34 can range from speeds such as T1, T3, OC-3 and OC-12 for connecting to enterprise networks 36 and 37 as well as VoIP networks 46 and 47 all the way to OC-48 and conceivably even OC-192 for connections to the private IP network.

[0024] It can easily be seen that aggregation points 60 exist at the edges of these various network structures where data is passed from one network structure to another at speeds such as OC-3, OC-12, and OC-48. One major problem in the network structures shown in FIG. 1 is the lack of any type of intelligence at these aggregation points 60 which would allow the network to provide services such as security, metering and quality of service. The intelligence to provide these services would require that the network understand the type of data passing through the aggregation points 60 and not just the destination and/or source information which is currently all that is understood. Understanding the type of data, or its contents, including the contents of the associated payloads as well as header information, and further understanding and maintaining a state awareness across each individual traffic flow would allow the network to configure itself in real time to bandwidth requirements on the network for applications such as VoIP or video where quality of service is a fundamental requirement. An intelligent, or “content aware”, network would also be able to identify and filter out security problems such as email worms, viruses, denial of service (DoS) attacks, and illegal hacking in a manner that would be transparent to end users. Further, a content aware network would provide for metering capabilities by hosting companies and service providers, allowing these companies to regulate the amount of bandwidth allotted to individual customers as well as to charge precisely for bandwidth and additional features such as security.

[0025] In accordance with the requirements set forth above, the present invention provides for a network device that is able to scan, classify, and modify network traffic including payload information at speeds of OC-3, OC-12, OC-48 and greater thereby providing a “content aware” network.

[0026] Referring now to FIG. 2, one embodiment of a network apparatus according to the present invention is shown. Network apparatus 100, as shown, acts as a “bump-in-the-line” type device by accepting data received from a high-speed network line, processing the data, and then placing the data back on the line. Network apparatus 100 accepts data from the line by means of input physical interface 102. Input physical interface 102 can consist of a plurality of ports, and can accept any number of network speeds and protocols, including such high speeds as OC-3, OC-12, OC-48, and protocols including 10/100 Ethernet, gigabit Ethernet, and SONET. Input physical interface 102 takes the data from the physical ports, frames the data, and then formats the data for placement on fast-path data bus 126 which is preferably an industry standard data bus such as a POS-PHY Level 3, or an ATM UTOPIA Level 3 type data bus.

[0027] Fast-path data bus 126 feeds the data to traffic flow scanning processor 140, which includes header processor 104 and payload analyzer 110. The data is first sent to header processor 104, which is operable to perform several operations using information contained in the data packet headers. Header processor 104 stores the received data packets in packet storage memory 106 and scans the header information. The header information is scanned to identify the type, or protocol, of the data packet, which is used to determine routing information as well as to create a session id using predetermined attributes of the data packet.

[0028] In the preferred embodiment, a session id is created using session information consisting of the source address, destination address, source port, destination port and protocol, although one skilled in the art would understand that a session id could be created using any subset of fields listed or any additional fields in the data packet without departing from the scope of the present invention. In addition, the header information is used to identify the data packet with a particular customer or subscriber. When a data packet is received that has new session information the header processor creates a unique session id to identify that particular traffic flow. Each successive data packet with the same session information is assigned the same session id to identify each packet within that flow. Session ids are retired when the particular traffic flow is ended through an explicit action, or when the traffic flow times out, meaning that a data packet for that traffic flow has not been received within a predetermined amount of time. While the session id is discussed herein as being created by the header processor 104 the session id can be created anywhere in traffic flow scanning engine 140 including in payload analyzer 110.

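
One way to realise the session id bookkeeping of paragraph [0028], as an added example that is not code from the patent or from its applicant: a table keyed on the five header fields, with retirement on explicit end or on idle timeout. The class and function names, the 30-second timeout and the sample packets are assumptions made for illustration; the key is taken literally as listed, so the reply direction of a conversation gets its own session id.

```python
from collections import OrderedDict
from itertools import count
from typing import NamedTuple


class SessionInfo(NamedTuple):
    """The five header fields [0028] lists as session information."""
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    protocol: str


class SessionTable:
    """Hypothetical flow table: maps session information to a session id."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout   # assumed "predetermined amount of time"
        # Least recently seen flow first, so expiry only inspects the head.
        # Relies on callers passing non-decreasing timestamps.
        self._flows = OrderedDict()        # SessionInfo -> [session_id, last_seen]
        self._ids = count(1)               # ids are never reused
        self.retired = []                  # (session_id, reason) audit trail

    def _expire(self, now):
        """Retire every flow that has been idle for idle_timeout or longer."""
        while self._flows:
            info = next(iter(self._flows))
            session_id, last_seen = self._flows[info]
            if now - last_seen < self.idle_timeout:
                break                      # everything behind the head is fresher
            del self._flows[info]
            self.retired.append((session_id, "timeout"))

    def session_id_for(self, info, now):
        """Return the id for this packet's flow, creating one for new session info."""
        self._expire(now)
        entry = self._flows.get(info)
        if entry is None:
            entry = [next(self._ids), now]
            self._flows[info] = entry
        entry[1] = now
        self._flows.move_to_end(info)      # keep the table ordered by last_seen
        return entry[0]

    def end_flow(self, info):
        """Explicit retirement, e.g. when the caller has seen the flow close."""
        entry = self._flows.pop(info, None)
        if entry is None:
            return None
        self.retired.append((entry[0], "explicit"))
        return entry[0]

    def active(self):
        return len(self._flows)


def demo():
    """Replay constructed packets (documentation address ranges) through the table."""
    web = SessionInfo("192.0.2.10", "198.51.100.5", 40000, 80, "tcp")
    voip = SessionInfo("192.0.2.11", "198.51.100.5", 40001, 5060, "udp")
    # Same conversation as `web`, opposite direction: a literal five-field key
    # treats it as new session information.
    web_reply = SessionInfo("198.51.100.5", "192.0.2.10", 80, 40000, "tcp")

    table = SessionTable(idle_timeout=30.0)
    ids = [
        table.session_id_for(web, 0.0),        # new flow
        table.session_id_for(voip, 1.0),       # new flow
        table.session_id_for(web, 2.0),        # same session information, same id
        table.session_id_for(web_reply, 3.0),  # reverse direction, new id
    ]
    table.end_flow(voip)                       # explicit action retires the id
    # 38 s after the last `web` packet: the old id has timed out, a fresh one is issued.
    ids.append(table.session_id_for(web, 40.0))
    return ids, table.retired, table.active()


if __name__ == "__main__":
    print(demo())
```

A device that needs both directions of a conversation under one session id would normalise the key (for example by ordering the two endpoints) before the lookup.
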

[0029] As will be discussed below, network apparatus 100 in order to function properly needs to reorder out of order data packets and reassemble data packet fragments. Header processor 104 is operable to perform the assembly of asynchronous transfer mode (ATM) cells into complete data packets (PDUs), which could include the stripping of ATM header information.

[0030] Header processor 104 is also operable to perform routing functions. Routing tables and information can be stored in database memory 108. Routing instructions received by network apparatus 100 are identified, recorded and passed to microprocessor 124 by header processor 104 so that microprocessor 124 is able to update the routing tables in database memory 108 accordingly. While network apparatus 100 is referred to as a “bump-in-the-line” apparatus, the input and the output could be formed by multiple lines; for example, four OC-12 lines could be connected to network apparatus 100 which operates at OC-48 speeds. In such a case, “bump-in-the-line” network apparatus 100 will have limited routing or switching capabilities between the multiple lines, although the switching capability will be less than in a conventional router or switch. Additionally, a network apparatus can be constructed according to the principles of the present invention, which is able to operate as a network router or switch. Such an implementation is discussed in greater detail with reference to FIG. 4.

[0031] After data packets have been processed by header processor 104 the data packets, their associated session id and any conclusion formed by the header processor, such as routing or QoS information, are sent on fast-data path 126 to the other half of traffic flow scanning engine 140, payload analyzer 110. The received packets are stored in packet storage memory 112 while they are processed by payload analyzer 110.
