(12) United States Patent
Fendick et al.

(10) Patent No.: US 8,000,329 B2
(45) Date of Patent: *Aug. 16, 2011

(54) OPEN PLATFORM ARCHITECTURE FOR INTEGRATING MULTIPLE HETEROGENEOUS NETWORK FUNCTIONS

(75) Inventors: Kerry Fendick, Highlands, NJ (US); Lampros Kalampoukas, Brick, NJ (US); Thomas Woo, Short Hills, NJ (US)

(73) Assignee: Alcatel Lucent, Paris (FR)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 722 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 11/824,482

(22) Filed: Jun. 29, 2007

(65) Prior Publication Data: US 2009/0003364 A1, Jan. 1, 2009

(51) Int. Cl.: H04L 12/28 (2006.01); H04L 12/56 (2006.01)

(52) U.S. Cl.: 370/392

(58) Field of Classification Search: 370/230, 392, 235, 253, 389, 463, 350, 410, 408, 401, 352, 395, 351, 353, 229, 466, 338; 709/239, 238, 240, 220, 224, 226; 726/24, 11; 379/88, 93, 900; 719/328; 455/445, 466, 417; 725/62; 704/9, 201. See application file for complete search history.

Primary Examiner — Hassan Phillips
Assistant Examiner — Prenell P Jones
(74) Attorney, Agent, or Firm — Brosemer, Kolefas & Assoc., LLC

(57) ABSTRACT

A platform seamlessly hosts a plurality of disparate types of packet processing applications. One or more applications are loaded onto a service card on the platform. A programmable path structure is included that maps a logical path for processing of the packets through one or more of the plurality of service cards according to characteristics of the packets. Multiple path structures may be programmed into the platform to offer different service paths for different types of packets.

17 Claims, 12 Drawing Sheets

[Front-page figure: Packet Services Platform with control elements 212(1) in the control plane, and I/O cards 206(1)-206(N) and service card 202(1) in the forwarding plane]

Fortinet Ex. 2011, Page 1 of 21

U.S. Patent, Aug. 16, 2011, US 8,000,329 B2, Sheets 1-12 of 12

[Fig. 1 (Sheet 1): exemplary environment 100; first network 102, platform 106, second network 104]

[Fig. 2 (Sheet 2): packet services platform 106 between networks 102/104; ingress/egress ports 204(1)-204(N), I/O cards 206(1)-206(N) and service cards 202(1)-202(N) of forwarding plane 201; control elements 212(1)-212(N) and feature servers 214(1)-214(N) of the control plane; fabric 208]

[Fig. 3 (Sheet 3): logical service path structure 302 through service cards 202(2) and 202(3)]

[Fig. 4 (Sheet 4): service path structure 402 through I/O card, fabric 208, service cards 202(1), 202(2), 202(3) and I/O card 206(2)]

[Fig. 5 (Sheet 5): programmable service path structure 502; service card with application, fabric 208, service cards 202(1), 202(2)]

[Fig. 6 (Sheet 5): chart with columns Characteristic, Classifier, Service Path]

[Fig. 7 (Sheet 6): ingress to egress forwarding with load balancing across Application 1 ... Application N]

[Fig. 8 and Fig. 8A (Sheet 7): Application 1, Application 2, Application 3 linked linearly and by AND / OR; Fig. 8B: extended AND / OR linkage of applications A1 ... A10]

[Fig. 9 (Sheet 8): service card with processor, memory, operating system 922, service engine 950, application(s) 956, application/configuration data 958, communications module 970]

[Fig. 10 (Sheet 9): control element(s) 212 and feature server(s) with security manager and user defined control/management process in the control plane; service card 202 in the data plane]

[Fig. 11 (Sheet 10): flow chart, steps 1102-1108: receive packet; control or data?; control packet: route to control elements/feature servers (1105), packet originates from platform (1105A); data packet: determine characteristic of packet, select partial or full service path based on characteristic of the packet and route packet according to service path(s), route packet to I/O card or service card for processing and egress]

[Fig. 12 (Sheet 11): control elements in the control plane; feature servers; data plane]

[Fig. 13 (Sheet 12): control elements 212 and feature server 214 with user defined control/management process in control plane 203; I/O card 206 and service card 202 in forwarding plane 201]

US 8,000,329 B2

OPEN PLATFORM ARCHITECTURE FOR INTEGRATING MULTIPLE HETEROGENEOUS NETWORK FUNCTIONS

CROSS-REFERENCE TO RELATED APPLICATIONS

The present patent application is related to the following U.S. Patent Applications, filed concurrently herewith, and commonly assigned herewith: U.S. patent application Ser. No. 11/824,555, entitled "NETWORK SYSTEM HAVING AN EXTENSIBLE CONTROL PLANE"; and U.S. patent application Ser. No. 11/824,565, entitled "NETWORK SYSTEM HAVING AN EXTENSIBLE FORWARDING PLANE". The contents of the aforementioned applications are fully incorporated herein by reference.

TECHNICAL FIELD

The present invention relates generally to networking, and more specifically, to integrating different networking applications on a single platform.

BACKGROUND

Edge devices provide packet connectivity entry points into a core network. They typically control and analyze the flow of traffic entering the core network, provide security to the core network by preventing harmful traffic from entering it, or provide enhancements to applications.

Examples of edge devices that monitor and analyze traffic include traffic monitoring systems, traffic analysis systems, flow replication systems, and various other systems that monitor and control the type of traffic entering the core network.

Examples of edge devices that analyze the content of data entering the network to provide security to the core network include firewalls and detection/prevention equipment. Briefly, a firewall refers to a device which limits access to a network by only allowing authorized flows/users access to a private network. Whereas, detection/prevention equipment refers to systems that identify and block malicious code from entering a network, such as, but not limited to: computer viruses, worms, trojan horses, spam, malware, spyware, adware, and other malicious and unwanted software. Intrusion detection equipment may also include systems that detect when an attack is being perpetrated on a core network, such as a denial-of-service attack.

Examples of edge devices that provide enhancement of applications include applications that enhance the flow of packets, content adaptation applications, and acceleration application functions.

In many instances companies and organizations will purchase the best-in-class edge device solutions for use at the edge of a network. For example, an organization may purchase Vendor A's virus detection product, Vendor B's firewall, Vendor C's flow replication product, and Vendor D's router, because each is the best-in-class or for some other reason.

As a result most devices found at the edge of a core network are a hodgepodge of dissimilar interconnected devices each performing a different task. The total cost for setting up and operating these disparate edge solutions is soaring out of control. Besides purchasing all these different solutions, there are costs associated with keeping the equipment running, and managing software on all of the disparate pieces of equipment. Moreover, adding equipment to the edge of the network to handle growing network demands is often complicated and inflexible.

Furthermore, with multiple types of equipment needed to examine packets for different purposes, such as malware, DDoS, firewalls, routing, and so forth, there may be multiple examinations of packets between the time a packet is received at the edge of a network, and the time it is routed to a destination. Unfortunately each time a packet is examined and analyzed there is a delay incurred, which is undesirable, especially for packets that require quality-of-service, such as packets containing real-time data such as voice or video.

Presently, there is no flexible way to service different types of packets or traffic flows. When a packet enters the edge it is routed through a fixed series of vendors' solutions. There is little choice on selecting which services are performed on each packet entering a network, regardless of the type of packet. For example, it is difficult for certain packet types having a higher priority level (or trusted source) to bypass certain packet analysis equipment to increase efficiency. It is also difficult to thread (e.g. route) packet flows through different combinations of vendors' devices and services.

Furthermore, much of the functionality provided by different vendors' equipment has fixed functionality limited in scope to a particular application. Accordingly, while it may be possible to reprogram (upgrade) the particular application for its intended use, it is not presently possible to dynamically reprogram a device to change its intended purpose entirely. For example, it is not presently possible to convert a device for running spyware into a device for performing transcoding.

Thus, there is presently a desire to more efficiently service packets entering a network to reduce the quantity of examinations to a minimum desired level per packet type. There is also a desire to ensure Quality of Service is not sacrificed, with the ability to route certain packets classified at the highest priority level through a more efficient examination process at the edge of a network. Further, there is also a present desire to simplify and more flexibly integrate the various disparate types of functionalities performed at the edge of a network or elsewhere, often provided by different vendors.

SUMMARY

To address the above-discussed deficiencies of the prior art, the present invention provides a single network platform that seamlessly hosts a plurality of disparate types of packet processing applications, where each application may be provided by different vendors. As used herein a "platform" may include a single physical device, or may include multiple devices linked together (at one or more sites), but administered logically as a single network entity.

In one embodiment, the platform includes a plurality of service cards forming a forwarding plane, each service card configured to execute one or more particular packet processing applications (applications) associated with performing network security, transcoding, traffic analysis, or other packet processing functionalities. The platform may also include one or more input/output (I/O) cards, each card configured to route the packets from ingress to egress of the platform. A programmable service path structure is included that maps a logical path for processing of the packets through one or more of the plurality of service cards and one or more of the I/O cards, according to characteristics of the packets. Multiple path structures may be programmed into the network platform to offer different service paths for different types of packets.

In one embodiment, decisions as to how a packet enters or exits the platform (i.e., forwarding of a packet from the platform) are segregated from decisions as to which applications are traversed (e.g., executed) for processing a packet.

In another embodiment, a fabric is included on the platform having a plurality of input and output ports configured to physically route the packets from and to one or more of the plurality of service cards and one or more I/O cards, according to the programmable service path structure.

In another embodiment, each service card may be reprogrammed dynamically during runtime, such as upgrading an application or completely deleting an application and replacing it with a new application having a completely new purpose and functionality. For example, it is possible to dynamically reconfigure a service card from executing an application associated with performing virus protection to executing an application associated with transcoding.

A feature and advantage of the innovative platform is the ability to incorporate traditional functionality of a router coupled with the ability to flexibly integrate multiple network packet service applications, usually found in separate devices.

Additional exemplary implementations and features/advantages are described in the Detailed Description in conjunction with the accompanying drawings below.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is explained with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. It should be noted that the figures are not necessarily drawn to scale and are for illustration purposes only.

FIG. 1 illustrates an exemplary environment in which the invention may be implemented.

FIG. 2 illustrates a packet services platform (platform 106) within which the present invention can be either fully or partially implemented.

FIG. 3 illustrates a logical service path structure for routing packets by the platform.

FIG. 4 shows another one of a myriad of exemplary logical service path structures for routing packets.

FIG. 5 shows another example of a programmable service path structure for servicing and processing packets.

FIG. 6 shows a chart illustrating various characteristics for packets and corresponding programmable classifiers and logical paths for servicing the packets.

FIG. 7 shows a logical view for forwarding packets from ingress to egress of a platform that includes load balancing capability.

FIG. 8 shows another logical view of a data path for the flow of packets, which is linear.

FIG. 8A shows a logical view of a data path for the flow of packets, which is non-linear.

FIG. 8B shows an extensive example of how applications may be linked together using AND and OR operators.

FIG. 9 illustrates a generic platform for implementing a service card, within which aspects of the invention can be either fully or partially implemented.

FIG. 10 illustrates a logical view of a feature server implemented as part of a control plane for an integrated platform, which includes a sandbox.

FIG. 11 illustrates an exemplary method for flexibly routing packets through a platform having disparate network functions.

FIG. 12 is a logical block diagram showing how a control packet flow is routed to feature servers of a control plane, and a data packet flow is routed to service cards of a forwarding plane.

FIG. 13 shows a programming model of how it is possible to implement user defined control/management processes in a feature server to access core control functions of a platform.

DETAILED DESCRIPTION

Introduction

Reference herein to "one embodiment", "an embodiment", "an implementation" or "one implementation" or similar formulations means that a particular feature, structure, operation, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of such phrases or formulations herein are not necessarily all referring to the same embodiment. Furthermore, various particular features, structures, operations, or characteristics may be combined in any suitable manner in one or more embodiments.

In the following description, for purposes of explanation, specific numbers, materials and configurations are set forth in order to provide a thorough understanding of the present invention. However, it will be apparent to one skilled in the art that the present invention may be practiced without each specific example. In other instances, well-known features are omitted or simplified to clarify the description of the exemplary embodiments of the present invention, and thereby, to better explain the present invention.

Exemplary Environment

FIG. 1 illustrates an exemplary environment 100 in which the invention may be implemented. Environment 100 includes a first network 102 and a second network 104. First network 102 and second network 104 are computer or telecommunication networks. For instance, in one embodiment first network 102 is a core network. A core network typically forms a backbone of a communications network (i.e., service provider) and includes a combination of high capacity switches and other data transmission devices.

Whereas, second network 104 is a computer or telecommunication network that may be connected to a service provider network, and may have different administrative authorities. For instance, in one embodiment, second network 104 is an access network, which forms a portion of a communications network which connects users and other networks to first network 102, and vice versa. In other embodiments second network 104 may represent another core network, or a customer network, such as that of a private organization or government entity.

Interposed between first network 102 and second network 104 is a packet services platform (platform) 106 for routing packets from access network 104 to core network 102, and vice versa.

In one embodiment, platform 106 resides at the edge of a network, but can be located at points within a network other than the edge of a network. Platform 106 is used to facilitate communications between networks 102 and 104. For example, in the illustration of FIG. 1, platform 106 provides connectivity access between first network 102 and second network 104. Platform 106 may also provide connectivity between other core networks or access points.

Platform 106 hosts a plurality of disparate network functionalities in a single integrated platform. Each of the disparate network functionalities may be selected from different vendors. Examples of the different types of functionality that may be incorporated in platform 106 include, but are not
necessarily limited to: packet routing, security services (such as firewall(s), Denial of Service detection, malware detection), packet analysis (such as traffic accounting, and flow monitoring), and other present or future packet service technologies.

Thus, platform 106 according to one aspect of the invention includes all the traditional functionality of a router coupled with the ability to flexibly integrate multiple network packet service applications, usually found in separate devices.

Exemplary Packet Services Platform

FIG. 2 illustrates a packet services platform (platform 106) within which the present invention can be either fully or partially implemented. In one implementation, platform 106 includes a plurality of service cards 202(1), ..., 202(N), input/output cards 206, a fabric 208, control elements 212, and feature servers 214. The index "N" as used in the figures denotes a number that is equal to or greater than 1. The index N may represent a different quantity of devices per device type. For example, N may equal eight with respect to service cards, but may only refer to the number two with respect to I/O cards 206.

The interface between first network 102 and second network 104 is provided by input/output (I/O) cards 206 for receiving packets from second network 104 and sending the packets to a destination via first network 102, and vice versa.

Packets may be in the form of data or control packets. As used herein a packet refers to any formatted block of information carried by a network. In certain examples herein, the term packet may refer to a single packet, packet flows (a collection of packets) or some other delineation of one or more packets, such as frames.

Platform 106 generally includes a forwarding plane 201 and a control plane 203. In general, forwarding plane 201 transports packets and performs packet processing services associated with the flow of packets. Control plane 103 processes control information for managing and administering platform 106.

Incoming packets enter ports of I/O cards 206 and are sent to either forwarding plane 201 or control plane 203 of platform 106. That is, incoming packets enter I/O cards 206 and are forwarded to one or more service cards 202, control elements 212, or feature servers 214, via fabric 208. Incoming packets may also be forwarded directly to another I/O card 206 if no additional services are needed, such as for egress. I/O cards 206 generally determine whether packets are sent to either forwarding plane 201 or control plane 203 when received by the cards. However, in other implementations, other elements may determine whether packets are sent to forwarding plane 201 or control plane 203. For example, a service card 202 may perform the function of an I/O card.

Service cards 202 comprise a portion of a forwarding plane for platform 106 for processing packets. Each service card 202 includes at least one packet processing application for performing a packet processing service. Examples of packet processing services include: performing policy enforcement (such as implementing firewall(s), and traffic conditioners), performing intrusion detection and prevention (such as Denial of Service detection, malware detection), performing packet analysis (such as accounting/metering and traffic monitoring), performing Network Address Translation, transcoding, or other suitable packet services that may be deployed in a network. Other packet processing services may be performed as would be readily appreciated by those skilled in the art having the benefit of this disclosure.

In one implementation, at least one service card 202 is physically implemented as a slot card, also commonly referred to as a blade or circuit pack, that is processor-based with the ability to execute code associated with one or more network applications.

It should be appreciated by those skilled in the art after having the benefit of this disclosure that a service card may take other forms. For example, in one implementation, a service card 202 may be implemented in firmware such as using configurable Field Programmable Gate Arrays (FPGAs) and may be reprogrammable.

In still another implementation, a service card 202 may be hardware based, such as implemented using Application Specific Integrated Circuits (ASIC).

Although shown as residing on platform 106, it is appreciated by those skilled in the art after having the benefit of this disclosure that one or more service cards 202 may be remote from platform 106. For instance, service cards 202 may be multiple hops away from platform 106, and not co-located therein.

I/O cards 206(1), ..., 206(N) form a portion of the forwarding plane for platform 106. One or more I/O cards 206 are configured to route a packet from ingress to egress of platform 106. That is, each I/O card 206 may process an incoming packet received from I/O ports 204 or fabric 208, and may send it to an appropriate I/O port 204 for forwarding. I/O cards 206 may also process an incoming packet previously processed by one or more service cards 202 or other I/O cards 206 via fabric 208. I/O cards 206 process packets, and may make routing decisions, such as determining a next-hop or destination for packets, based on forwarding rules loaded onto I/O cards 206 via fabric 208 by control elements 212.

Alternatively, in another embodiment, one or more service cards 202 may form part of the forwarding plane for platform 106. That is, one or more service cards 202 may process packets, and make routing decisions including determining a next-hop or destination for packets, based on routing rules loaded onto service cards 202 via fabric 208 by control elements 212. Packets may be forwarded to a next-hop destination via a fabric 208, and a port 204 of an I/O card 206.

Although shown as residing on platform 106, it is appreciated by those skilled in the art after having the benefit of this disclosure that one or more I/O cards 206 may be remote from platform 106. For instance, I/O cards 202 may be multiple hops away from platform 106, and not co-located therein.

Control elements 212 form a portion of control plane 203 for platform 106. Control elements 212 may transmit configuration information for configuring service cards 202 and I/O cards 206. Also, feature server 214 (to be described in more detail) may transmit configuration information to configure service cards 202. Additionally, control elements 212 may also configure feature servers 214 to install new feature server applications. Control elements 212 may interact with logic (not shown) for controlling fabric 208 to effectively establish connections between service cards 202 and the I/O cards 206. Control elements 212 may also provide information to service cards 202 for routing packets within platform 106, referred to as a "programmable service path structure" (see FIGS. 3-5 to be described). The programmable service path structure may be conveyed to each service card 202 via fabric connection 208.

Control elements 212 may also communicate with fabric connection 208 to establish connections between service cards 202 and I/O cards 206. Control elements 212 maintain knowledge of link status between network elements (not shown) in network 102, route changes, and update information when changes are made in routing configurations. Control elements 212 may also provide control for the overall general operation of platform 106.

Although shown as residing on platform 106, it is appreciated by those skilled in the art after having the benefit of this disclosure that one or more control elements 212 may be remote from platform 106. For instance, control elements 212 may be multiple hops away from platform 106, and not co-located therein. Accordingly, when platform 106 boots up (powers on), platform 106 discovers control elements 112, which become associated with platform 106. In such an implementation, some logic or control unit provides initial direct contact between the data plane and control plane. Further details of how control elements 212 may be bound to forwarding plane 201, such as during boot-up, are described in commonly owned U.S. Patent Application Publication No. 20060092974 entitled "Softrouter", which is fully incorporated in its entirety herein by reference.

It should also be appreciated by those skilled in the art, after having the benefit of this disclosure, that FIG. 2 illustrates only one embodiment for implementing control plane 203 for platform 106. Although several control elements 212 are shown in FIG. 2, it is appreciated that control plane 203 may only include a single control element. Additionally, some portions of control plane 203 may be implemented remotely as described above, while some portions of control plane 203 may reside on the same physical platform as forwarding plane 201. It should also be appreciated that forwarding plane 201 and control plane 203 are illustrated as being logically distinct from each other, but may physically reside and/or operate in an integrated fashion.

Fabric 208 is illustrated as a single block and serves as a communication hub for all elements comprising platform 106. Fabric 208 may be implemented as a cross-bar switch, interconnected switches, other suitable cross-point technology, or a combination of such connectivity technology, as would be appreciated by those skilled in the art having the benefit of this disclosure.

For instance, in one implementation, fabric 208 may include an internally contained switched network, such as a Gigabit Ethernet network using several Ethernet switches acting in concert.

Fabric 208 also facilitates multiple parallel communication sessions of traffic, as well as permits multiple entities, such as control elements 212 and service cards 202, to communicate with each other in a simultaneous fashion. It is noted that while fabric 208 is generally shown to reside within a single platform or chassis, it is possible that one or more portions of fabric 208 may be distributed across a network at different sites and linked together forming a single mass fabric.

As shall be explained, the intra-routing of packets (i.e., the path structure) within platform 106 is programmable. That is, the exact order of servicing packets by service cards 202 is completely configurable. Thus, platform 106 facilitates the integration of functions provided by each service card 202 into programmable combinations of one or more different services, each such combination of services performed on incoming packets based on characteristics of the packets.

Exemplary Programmable Service Combinations

FIG. 3 illustrates a logical service path structure 302 for routing packets by platform 106. Logical service path structure 302 maps a logical path for processing of a packet through one or more of a plurality of service cards 202 according to characteristics of a packet received by platform 106.

In the illustrated example, a packet is received at an ingress port by I/O card 206(1) and forwarded to service card 202(2) via fabric 208, according to logical service path structure 302.
The packet is processed by at least one application 222 associated with service card 202(2), and forwarded to a next service card 202(3). Next, the packet is serviced by another application 222 on service card 202(3), and forwarded to I/O card 206(2), in accordance with logical service path structure 302. Finally, the packet is forwarded to first network 104 or second network 102 via an egress port 204 of I/O card 206(2).

FIG. 4 shows another one of a myriad of exemplary logical service path structures (e.g., service path structure 402) for routing packets by platform 106. In this example, according to service path structure 402 a packet flow is serviced by application 222 on service card 202(1), and then skips service cards 202(2) and 202(3), prior to egress port 204 via I/O card 206(2).
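The service path mechanism of FIGS. 3 and 4, modelled as an added Python example that is not part of the patent: a classifier selects a full path (302) or a partial path (402) from packet characteristics, control packets are diverted to the control plane as in FIG. 11, and an audit helper lists which service cards a given path bypasses. The class and function names, the firewall policy and the sample packets are constructed for this example; only the reference numerals follow the figures.

```python
# Added example (not from the patent): a small model of the programmable
# service path structure described for platform 106. Names such as
# ServicePath, Classifier rules and the card/application identifiers are
# this example's own assumptions; the reference numerals follow the figures.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    kind: str                      # "control" or "data" (FIG. 11: "Control or Data?")
    characteristics: Dict[str, object] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)   # elements the packet visited


# A packet processing application on a service card returns the packet
# (possibly modified) or None to drop it.
Application = Callable[[Packet], Optional[Packet]]


@dataclass
class ServicePath:
    """Logical path: ordered service cards, then the egress I/O card."""
    name: str
    service_cards: List[str]       # e.g. ["202(2)", "202(3)"] as in FIG. 3
    egress_io_card: str = "206(2)"


# Classifier rule: (predicate over packet characteristics, path name), tried in order.
Rule = Tuple[Callable[[Dict[str, object]], bool], str]


class PacketServicesPlatform:
    def __init__(self, cards: Dict[str, Application], paths: Dict[str, ServicePath],
                 classifier: List[Rule], default_path: str) -> None:
        self.cards = cards             # service card id -> application 222 loaded on it
        self.paths = paths             # programmable service path structures (302, 402, ...)
        self.classifier = classifier   # FIG. 6: characteristic -> classifier -> service path
        self.default_path = default_path

    def classify(self, pkt: Packet) -> str:
        """Determine the packet's characteristic and select a partial or full path."""
        for predicate, path_name in self.classifier:
            if predicate(pkt.characteristics):
                return path_name
        return self.default_path

    def route(self, pkt: Packet) -> Optional[Packet]:
        pkt.trace.append("206(1)")                       # ingress I/O card
        if pkt.kind == "control":                        # FIG. 11: control packets go to
            pkt.trace.append("control plane 212/214")    # control elements / feature servers
            return pkt
        path = self.paths[self.classify(pkt)]
        for card_id in path.service_cards:               # traverse the path via fabric 208
            pkt.trace.append(card_id)
            result = self.cards[card_id](pkt)
            if result is None:                           # the application dropped the packet
                pkt.trace.append("dropped")
                return None
            pkt = result
        pkt.trace.append(path.egress_io_card)            # egress via I/O card
        return pkt

    def cards_bypassed(self, path_name: str) -> List[str]:
        """Audit helper: service cards a path skips (which classes never see the firewall)."""
        used = set(self.paths[path_name].service_cards)
        return sorted(c for c in self.cards if c not in used)


# --- constructed sample configuration ---------------------------------------
def firewall(pkt: Packet) -> Optional[Packet]:
    # Constructed policy: drop anything not on the allowed-protocol list.
    return pkt if pkt.characteristics.get("proto") in ("tcp", "udp", "rtp") else None


def ids(pkt: Packet) -> Optional[Packet]:
    pkt.characteristics["inspected"] = True
    return pkt


def transcoder(pkt: Packet) -> Optional[Packet]:
    pkt.characteristics["transcoded"] = True
    return pkt


def build_platform() -> PacketServicesPlatform:
    cards = {"202(1)": transcoder, "202(2)": firewall, "202(3)": ids}
    paths = {
        "302": ServicePath("302", ["202(2)", "202(3)"]),   # FIG. 3: firewall, then IDS
        "402": ServicePath("402", ["202(1)"]),             # FIG. 4: transcoder only, skips 202(2)/202(3)
    }
    # FIG. 6 style classifier: high-priority real-time flows take the short path 402.
    classifier: List[Rule] = [
        (lambda c: c.get("proto") == "rtp" and c.get("priority") == "high", "402"),
    ]
    return PacketServicesPlatform(cards, paths, classifier, default_path="302")


def run_demo() -> Dict[str, List[str]]:
    """Route four constructed packets and return the elements each one visited."""
    p = build_platform()
    voice = Packet("data", {"proto": "rtp", "priority": "high"})
    web = Packet("data", {"proto": "tcp"})
    bad = Packet("data", {"proto": "icmp"})
    ctl = Packet("control")
    for pkt in (voice, web, bad, ctl):
        p.route(pkt)
    return {"voice": voice.trace, "web": web.trace, "bad": bad.trace, "control": ctl.trace}


if __name__ == "__main__":
    for name, trace in run_demo().items():
        print(f"{name:8s} {' -> '.join(trace)}")
    print("path 402 bypasses:", build_platform().cards_bypassed("402"))
```

The cards_bypassed check is the operator-side counterpart of the "trusted source bypass" the Background describes: before a partial path is programmed, it shows which inspection cards that packet class will never traverse.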
FIG. 5 shows another example of a programmable service path structure 502 for s
