(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2007/0204018 A1
(43) Pub. Date: Aug. 30, 2007
Chandra et al.

(54) METHOD AND SYSTEM FOR OBVIATING REDUNDANT ACTIONS IN A NETWORK

(75) Inventors: Sekar Balasubramaniam Chandra, Chennai (IN); Balaji Venkat Venkataswami, Chennai (IN)

Correspondence Address:
Trellis Intellectual Property Law Group, PC
1900 EMBARCADERO ROAD
SUITE 109
PALO ALTO, CA 94303 (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)

(21) Appl. No.: 11/361,442
(22) Filed: Feb. 24, 2006

Publication Classification
(51) Int. Cl. G06F 15/173 (2006.01)
(52) U.S. Cl. 709/223

(57) ABSTRACT

Methods, systems and apparatus for obviating redundant actions in a network are provided. A data packet is tagged with a label at a transmitting end, based on a set of labels registered with a receiving end. This label indicates a set of actions performed on the data packet at the transmitting end, and is used to determine another set of non-redundant actions that have to be performed on the data packet at the receiving end. Thereby, obviating redundant actions, as found appropriate.

[Front-page drawing, system 200. Labels: Transmitting End; Receiving End 204; Network Link; Transmitting Provider Edge; Receiving Provider Edge 216; Transmitting Customer Edge; Transmitting Network Device; Receiving Customer Edge 214; Receiving Network Device 212]

Page 1 of 19
Netskope Exhibit 1004

Patent Application Publication   Aug. 30, 2007   Sheet 1 of 8   US 2007/0204018 A1

[FIG. 1: network environment 100 with network devices 104]

Sheet 2 of 8

[FIG. 2: system 200. Labels: Transmitting End; Transmitting Network Device; Transmitting Customer Edge; Transmitting Provider Edge; Network Link; Receiving Provider Edge; Receiving Customer Edge; Receiving Network Device; Receiving End]

Sheet 3 of 8

[FIG. 3: flowchart]
302: Register a receiving end set of labels
304: Receive a data packet
306: Identify a label tagged on the data packet
308: Perform actions on the data packet

Sheet 4 of 8

[FIG. 4: flowchart]
402: Exchange details of labels
404: Exchange sets of labels
406: Register the sets at Customer Edges
408: Register the sets at Provider Edges

Sheet 5 of 8

[FIG. 5: flowchart]
502: Perform a first set of actions on a data packet
504: Tag the data packet with a CE label indicating the first set of actions
506: Transmit the data packet to a transmitting Provider Edge
508: Transmit the data packet to a receiving Provider Edge

Sheet 6 of 8

[FIG. 6: flowchart]
602: Compare a tagged label of a data packet with a registered receiving end set of labels
604: Determine a first set of actions performed on the data packet
606: Determine a second set of actions to be performed on the data packet

Sheet 7 of 8

[FIG. 7: flowchart]
702: Has a data packet been tagged with a label present in a registered set of labels?
704: Identify the data packet as non-secure
706: Perform a third set of actions on the data packet

Sheet 8 of 8

[FIG. 8: VPN system drawing. Recoverable labels: Transmitting End; Receiving End; Transmitting VPN Site; Receiving VPN Site; Customer Edge; Provider Edge; Provider Core]

METHOD AND SYSTEM FOR OBVIATING REDUNDANT ACTIONS IN A NETWORK

BACKGROUND OF THE PRESENT INVENTION

[0001] 1. Field of Present Invention

[0002] Embodiments of the present invention relate, in general, to networking. More specifically, the embodiments of the present invention relate to methods and systems for obviation of redundant actions in a network.

[0003] 2. Description of the Background Art

[0004] In a typical network, data is transferred between network devices. Examples of network devices include personal computers, servers, mobile phones, etc. Examples of networks include Local Area Networks (LANs), Wide Area Networks (WANs), Metropolitan Area Networks (MANs), and the Internet. Since data transferred across such networks may be accessed by unauthorized users, it is preferred to transfer data in an encrypted form. A Virtual Private Network (VPN) can be used for a secure transfer of data, which can also be transferred in an encrypted form in the VPN. The VPN is a network that uses a public network, like the Internet, to connect remote sites or users. These sites are herein referred to as VPN sites. In a typical VPN, only specified users are allowed to access the data transferred in the VPN. This access can be provided on the basis of a user identification code and password. Security mechanisms, such as authentication and encryption, are used to create a secure tunnel between two VPN sites. Such secure tunnels facilitate secure transfer of data within a VPN.

[0005] Further, a VPN site includes a security device, such as a firewall, to control access. Firewalls enforce security actions on incoming and outgoing data packets, based on certain policies defined within the VPN site. These policies include rules on the basis of which certain actions are performed on the incoming and the outgoing data packets.

[0006] It can be possible for these policies to be uniform among all the VPN sites within a VPN. This can result in the same action being performed by more than one VPN site. For example, the action can be first performed on the outgoing data packets when they are inspected by the transmitting VPN site's firewall. Further, the same data packets enter a receiving VPN site, where its firewall can enforce the same action.

[0007] Enforcing the same action more than once on a data packet makes the action redundant. The enforcement of repeated redundant actions results in wastage of time and other resources, and places unnecessary burden on the system that is performing these redundant actions.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008] FIG. 1 illustrates a typical network environment for implementing an embodiment of the present invention.

[0009] FIG. 2 illustrates various elements of a system for obviating redundant actions in a network, in accordance with an embodiment of the present invention.

[0010] FIG. 3 is a flowchart, illustrating a method for obviating redundant actions in a network, in accordance with an embodiment of the present invention.

[0011] FIG. 4 is a flowchart, illustrating a method for registering sets of labels, in accordance with an embodiment of the present invention.

[0012] FIG. 5 is a flowchart, illustrating a method for transmitting a data packet from a transmitting end to a receiving end, in accordance with an embodiment of the present invention.

[0013] FIG. 6 is a flowchart, illustrating a method for performing actions on the data packets at the receiving end, in accordance with an embodiment of the present invention.

[0014] FIG. 7 is a flowchart, illustrating a method for performing actions on a non-secure data packet, in accordance with an embodiment of the present invention.

[0015] FIG. 8 illustrates various elements of a system for obviating redundant actions in a Virtual Private Network (VPN), in accordance with an embodiment of the present invention.

DESCRIPTION OF VARIOUS EMBODIMENTS

[0016] Various embodiments of the present invention provide methods, systems, and computer-readable media for obviating redundant actions in a network. In the description herein for embodiments of the present invention, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the present invention. One skilled in the relevant art will recognize, however, that an embodiment of the present invention can be practiced without one or more of the specific details, or with other apparatus, systems, assemblies, methods, components, materials, parts, and/or the like. In other instances, well-known structures, materials, or operations are not specifically shown or described in detail to avoid obscuring aspects of embodiments of the present invention.

[0017] A transmitting end performs certain actions on a data packet before transmitting it to a receiving end. When this data packet is received at the receiving end, certain actions may be performed on it at the receiving end also. These actions are typically performed to ensure that the data packet is secure. In this process, a particular action may be performed at the transmitting end and again at the receiving end. However, once an action is performed at the transmitting end, it is redundant to perform it again at the receiving end. Obviation of such redundant actions helps in saving time and other resources on a system that is performing these redundant actions.

[0018] Embodiments of the present invention provide a method that enables the obviation of these redundant actions by tagging a data packet with a label indicating a first set of actions performed on the data packet at a transmitting end. It should be noted that the first set of actions can include no action. The tagged label helps to determine a second set of actions that has to be performed on the data packet at a receiving end. In accordance with an embodiment of the present invention, the second set of actions includes non-redundant actions that have not been performed on the data packet at the transmitting end. In accordance with an embodiment of the present invention, the second set of actions can include redundant actions that has been performed on the data packet at the transmitting end. Further, it should be noted that the second set of actions can include no action.

[0019] In accordance with an embodiment of the present invention, the transmitting end tags the data packet with a label, based on a set of labels registered with the receiving end. This set of labels is registered, based on information exchanged between the transmitting end and the receiving end. The exchanged information includes details about certain rules on the basis of which actions are performed at each end.

[0020] The exchange of information between the transmitting end and the receiving end also makes it possible to enforce various rules in a distributed manner. For example, a transmitting end may enforce a sub-part of a rule that is relevant to it, while a receiving end may enforce the remaining sub-part of the rule. This is hereinafter referred to as distributed enforcement of rules.

[0021] Referring now to the drawings, particularly by their reference numbers, FIG. 1 illustrates a network environment 100 for implementing an embodiment of the present invention. Network environment 100 includes a network 102 and network devices 104 connected to network 102. Network 102 can be a collection of individual networks, interconnected with each other and functioning as a single large network. Examples of network 102 include, but are not limited to, Local Area Networks (LANs), Wide Area Networks (WANs), and Metropolitan Area Networks (MANs). Further, network 102 may be a wireless or wired network. Network 102 provides a communication medium to network devices 104 for data to be transmitted from one network device to another network device. Network devices 104 may be, for example, personal computers, servers, mobile phones, etc.

[0022] It is to be understood that the specific designation for network devices 104 is for the convenience of the reader and is not to be construed as limiting network environment 100 to a specific number of network devices 104 or to specific types of network devices 104 present in network environment 100.

[0023] In accordance with an embodiment of the present invention, a network device from network devices 104 can transmit data, while another network device from network devices 104 can receive data.

[0024] FIG. 2 illustrates various elements of a system 200 for obviating redundant actions in network 102, in accordance with an embodiment of the present invention. System 200 includes a transmitting end 202 and a receiving end 204. Transmitting end 202 transmits a data packet to receiving end 204. It should be noted that a data packet can be any unit of data such as a byte, a word, a packet, a group of packets, a message, a file, etc.

[0025] Transmitting end 202 includes a transmitting network device 206, a transmitting Customer Edge (CE) 208, and a transmitting Provider Edge (PE) 210. Transmitting network device 206 is a network device, from among network devices 104, which is capable of transmitting data.

[0026] Similarly, receiving end 204 includes a receiving network device 212, a receiving CE 214, and a receiving PE 216. Receiving network device 212 is a network device, from among network devices 104, which is capable of receiving data.

[0027] Further, network 102 includes transmitting PE 210 and receiving PE 216 connected through a network link 218, for data transmission. Network link 218 can be a wireless or wired communication link.

[0028] Further, system 200 includes a CE and a PE associated with each network device from network devices 104, in accordance with an embodiment of the present invention. It should be noted that a CE is not limited to be associated with only a single network device from network devices 104. A plurality of such network devices can be associated with a single CE. Further, it should also be noted that a plurality of such CEs can be associated with a single PE.

[0029] Further, it should be noted that transmitting end 202 and receiving end 204 can be any identifiable part or region of network 102, such as one or more network devices from network devices 104, processes, network links or resources, controlled or owned domains, etc. Further, transmitting end 202 and receiving end 204 can include a CE, a PE associated with the CE, and one or more network devices from network devices 104 associated with the CE.

[0030] When transmitting network device 206 transmits the data packet, various actions are performed on the data packet before it reaches receiving network device 212. Some of these actions are performed at transmitting CE 208, while some are performed at receiving CE 214. In accordance with an embodiment of the present invention, transmitting CE 208 and receiving CE 214 are security-based devices, positioned at the edges of the customer networks of transmitting network device 206 and receiving network device 212, respectively. Transmitting CE 208 and receiving CE 214 can be, for example, Intrusion Detection Systems (IDSs), firewalls, etc.

[0031] Transmitting network device 206 transmits the data packet to transmitting CE 208. Transmitting CE 208 performs a first set of actions on the data packet, and tags the data packet with a CE label indicating the first set of actions that has been performed. It should be noted that tagging a data packet with a label includes any way of associating information with the data packet. After tagging the data packet with the CE label, transmitting CE 208 transmits the tagged data packet to transmitting PE 210. Transmitting PE 210 tags the data packet with two PE labels, to identify receiving PE 216 and receiving CE 214 to which the tagged data packet has to be further transmitted. Transmitting PE 210 then transmits the tagged data packet to receiving PE 216 through network link 218. Transmitting PE 210 as well as receiving PE 216 act as an interface between transmitting CE 208 and receiving CE 214 for data transmission. In an embodiment of the present invention, transmitting PE 210 and receiving PE 216 are included in network 102.

[0032] Receiving PE 216 analyzes the PE labels to identify receiving CE 214 to which the data packet has to be transmitted. Next, receiving PE 216 transmits the tagged data packet to receiving CE 214. Receiving CE 214 pops off the tagged CE label. Based on this CE label, receiving CE 214 identifies the first set of actions. According to the identified first set of actions, receiving CE 214 determines a second set of actions that has to be performed on the data packet. This determination is a part of the distributed enforcement of the rules, in accordance with various embodiments of the present invention. Following the determination of the second set of actions, receiving CE 214 performs the second set of actions on the data packet and transmits it to receiving network device 212.

[0033] In order to identify the first set of actions, receiving CE 214 has to be capable of recognizing the tagged CE label. For this purpose, transmitting CE 208 and receiving CE 214 exchange various CE labels that can be used for tagging the data packets. However, before transmitting CE 208 and receiving CE 214 can exchange the CE labels, they have to authenticate each other. For this purpose of authentication, system 200 includes an authentication module. The authentication module provides the authentication between transmitting CE 208 and receiving CE 214. Further, the authentication module also provides an authentication between transmitting CE 208 and transmitting PE 210, and between receiving CE 214 and receiving PE 216. The authentication module can use an authentication mechanism such as a Message-Digest Algorithm 5 (MD5) based authentication. However, it should be noted that other mechanisms of authentication can also be used.

[0034] Once transmitting CE 208 and receiving CE 214 authenticate each other, they can exchange the CE labels to be used for tagging the data packets. The CE labels are based on various rules, configured at transmitting CE 208 and receiving CE 214, to perform various actions on the data packets. After this exchange, these CE labels are registered as a transmitting end set of labels at transmitting CE 208 and as a receiving end set of labels at receiving CE 214. In accordance with various embodiments of the present invention, the transmitting end set of labels and the receiving end set of labels are the same. Further, transmitting CE 208 registers the transmitting end set of labels at transmitting PE 210. Similarly, receiving CE 214 registers the receiving end set of labels at receiving PE 216.

[0035] The registered transmitting end set of labels is used by transmitting CE 208 to tag the data packet with the CE label indicating the first set of actions performed on the data packet. Similarly, the registered receiving end set of labels is used by receiving CE 214 to determine the first set of actions performed on the data packet at transmitting CE 208, and accordingly, determine the second set of actions to be performed on the data packet before transmitting the data packet to receiving network device 212. Since the second set of actions includes non-redundant actions, redundant actions are obviated. Details regarding the process of obviation of redundant actions have been described with reference to FIG. 3.

[0036] FIG. 3 is a flowchart, illustrating a method for obviating redundant actions in network 102, in accordance with an embodiment of the present invention. At step 302, the receiving end set of labels is registered at receiving end 204. This receiving end set of labels is registered after the exchange of labels between receiving CE 214 and transmitting CE 208. Details regarding the same have been described with reference to FIG. 4.

[0037] Once registered, receiving end 204 uses the receiving end set of labels to determine first set of actions performed on the data packet at transmitting end 202. Transmitting end 202 transmits the data packet once the first set of actions has been performed and the data packet has been tagged. Details regarding the same have been described with reference to FIG. 5. At step 304, receiving end 204 receives the data packet from transmitting end 202. The data packet is tagged with the CE label indicating the first set of actions performed on the data packet at transmitting CE 208. At step 306, receiving CE 214 identifies the CE label. This CE label is present in the registered receiving end set of labels, and therefore, can be recognized by receiving CE 214. Next, at step 308, receiving CE 214 performs the second set of actions on the data packet. The second set of actions includes non-redundant actions that are not present in the first set of actions. Therefore, redundant actions are obviated and not performed at receiving CE 214.

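Added example (not part of the patent text): a Python model of the label handling described in [0031] to [0037], showing the receiving CE running only the actions the label does not already cover, and running everything when the label is missing or not in its registered set. The class names, the peer addresses, the action names A to E, keying the registered set by transmitting-CE address, and applying the full local policy to an unrecognised label are assumptions of this example; the label values 1256 and 1257 are taken from the page's example table.

```python
from dataclasses import dataclass, field
from typing import Optional

# Every action the receiving CE runs on a packet it cannot vouch for.
# Action names are constructed for this example.
RECEIVING_POLICY = frozenset({"A", "B", "C", "D", "E"})


@dataclass
class Packet:
    payload: bytes
    src_ce: str                       # address of the transmitting CE (assumed field)
    ce_label: Optional[int] = None    # CE label tagged at the transmitting end
    log: list = field(default_factory=list)   # actions run so far, in order


class TransmittingCE:
    def __init__(self, address):
        self.address = address
        self.table = {}               # label -> actions the label stands for

    def register(self, label, actions):
        self.table[label] = frozenset(actions)

    def send(self, payload, label):
        """Steps 502-504: perform the first set of actions, then tag."""
        pkt = Packet(payload, self.address)
        pkt.log.extend(sorted(self.table[label]))   # stand-in for running them
        pkt.ce_label = label
        return pkt


class ReceivingCE:
    def __init__(self, policy):
        self.policy = frozenset(policy)
        self.registered = {}          # (peer address, label) -> first set

    def register(self, peer, label, actions):
        """Steps 402-406: store a label exchanged with an authenticated peer."""
        actions = frozenset(actions)
        if not actions <= self.policy:
            raise ValueError("label names actions outside the local policy")
        self.registered[(peer, label)] = actions

    def second_set(self, pkt):
        """Return (actions still owed, label recognised?)."""
        first = self.registered.get((pkt.src_ce, pkt.ce_label))
        if first is None:
            # Label missing or not registered for this peer: skip nothing.
            return self.policy, False
        return self.policy - first, True

    def receive(self, pkt):
        """Steps 304-308: identify the label, pop it, run only what is owed."""
        owed, recognised = self.second_set(pkt)
        pkt.ce_label = None
        pkt.log.extend(sorted(owed))
        return recognised


def demo():
    tx = TransmittingCE("ce-208")
    rx = ReceivingCE(RECEIVING_POLICY)
    # Label values follow the page's example table; the pairing with
    # action names A-D is constructed.
    for label, actions in ((1256, {"A", "B"}), (1257, {"C", "D"})):
        tx.register(label, actions)
        rx.register(tx.address, label, actions)

    tagged = tx.send(b"payload", 1256)
    unknown = Packet(b"payload", "ce-208", ce_label=9999)
    wrong_peer = Packet(b"payload", "ce-999", ce_label=1256)
    return [(rx.receive(p), p.log) for p in (tagged, unknown, wrong_peer)]


if __name__ == "__main__":
    for recognised, log in demo():
        print(recognised, log)
```

In every case each action appears in the packet's log exactly once; the label only changes which end ran it, and a label the receiving CE cannot match to a registered peer never reduces what it inspects.
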
[0038] FIG. 4 is a flowchart, illustrating a method for registering the transmitting end set of labels and the receiving end set of labels, in accordance with an embodiment of the present invention. At step 402, transmitting CE 208 and receiving CE 214 exchange details regarding the transmitting end set of labels and the receiving end set of labels. For this purpose, transmitting CE 208 requests a label corresponding to one or more rules associated with certain actions, from receiving CE 214. In this way, requests for labels corresponding to all the rules are made. In accordance with an embodiment of the present invention, transmitting CE 208 provides a description of these rules and actions with the request.

[0039] At step 404, transmitting CE 208 and receiving CE 214 exchange the transmitting end set of labels and the receiving end set of labels. This is accomplished when receiving CE 214 transmits the requested labels to transmitting CE 208, in response to all the requests. These labels are required for transmitting the data packet from transmitting end 202 to receiving end 204.

[0040] Similarly, receiving CE 214 requests labels corresponding to rules associated with certain actions, from transmitting CE 208. In response to these requests, transmitting CE 208 transmits the requested labels to receiving CE 214.

[0041] Next, at step 406, transmitting CE 208 and receiving CE 214 register the exchanged sets of labels as the transmitting end set of labels and the receiving end set of labels, respectively. At step 408, transmitting CE 208 and receiving CE 214 register these registered sets of labels at transmitting PE 210 and receiving PE 216, respectively.

[0042] In accordance with an embodiment of the present invention, transmitting CE 208 and transmitting PE 210 authenticate each other, before step 408 is performed, as described earlier. Similarly, receiving CE 214 and receiving PE 216 authenticate each other, before step 408 is performed. In accordance with an embodiment of the present invention, transmitting CE 208 and receiving CE 214 authenticate each other, before steps 402-408 are performed, as described earlier.

[0043] After the registration, transmitting CE 208 can use the registered transmitting end set of labels to tag the data packet to be transmitted to receiving end 204. Receiving CE 214 can recognize any label tagged on the data packet by transmitting CE 208, based on the registered receiving end set of labels.

[0044] FIG. 5 is a flowchart, illustrating a method for transmitting the data packets from transmitting end 202 to receiving end 204, in accordance with an embodiment of the present invention. The data packet emanating from transmitting network device 206 is further transmitted to transmitting CE 208. At step 502, transmitting CE 208 performs the first set of actions on the data packet. Next, at step 504, transmitting CE 208 tags the data packet with the CE label indicating the first set of actions. Then, at step 506, transmitting CE 208 transmits the data packet tagged with the CE label to transmitting PE 210. At step 508, the tagged data packet is transmitted from transmitting PE 210 to receiving PE 216.

transmitting end set of labels in a table. This transmitting CE table has information about each label in the registered transmitting end set of labels. The information about a label includes rules corresponding to the label and address of a receiving CE with whom the label has been exchanged. In an exemplary embodiment of the present invention, the transmitting CE table can be as follows:

Label         Rules            Receiving CE
1256          Rules A and B    Address of receiving CE 214
1257          Rules C and D    Address of receiving CE 214
<untagged>    Rule E           Address of receiving CE 214
