(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2007/0237147 A1
(43) Pub. Date: Oct. 11, 2007
Quinn et al.
US 20070237147A1

(54) SYSTEM AND METHOD FOR SELECTIVELY APPLYING A SERVICE TO A NETWORK PACKET USING A PREEXISTING PACKET HEADER

(75) Inventors: Paul Quinn, San Francisco, CA (US); Kenneth Durazzo, San Ramon, CA (US); Darrel Lewis, San Francisco, CA (US); Barry Raveendran Greene, Cupertino, CA (US)

Correspondence Address: Trellis Intellectual Property Law Group, PC, 1900 Embarcadero Road, Suite 109, Palo Alto, CA 94303 (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA

(21) Appl. No.: 11/400,695

(22) Filed: Apr. 7, 2006

Publication Classification

(51) Int. Cl. H04L 12/56 (2006.01)

(52) U.S. Cl. 370/392; 370/401

(57) ABSTRACT

A system for selectively applying a service to a packet in a network. In a specific embodiment, the system includes a mechanism for encoding service information in a network-compatible packet header and providing encoded data in response thereto. In a more specific embodiment, the network-compatible header includes a Multi-Protocol Label Switching (MPLS) header, a Generic Route Encapsulation (GRE) header, and/or a Layer-2 Tunneling Protocol (L2TP) header.
[Front-page figure: packet 14 (Packet Payload) at stage 72 passes through Classification. At stage 74 the packet carries Packet Header(s) (MPLS) listing 1 FW (Not yet applied.), 2 NAM (Not yet applied.), 3 IDS (Not yet applied.). After Service, at stage 76 the header lists 1 FW (Applied.), 2 NAM (Not yet applied), 3 IDS (Not yet applied.). After Service, packet 58 at stage 78 carries Packet Header(s) (MPLS) listing 3 IDS (Applied.).]
Page 1 of 11
Netskope Exhibit 1011
Patent Application Publication, Oct. 11, 2007, Sheet 1 of 3, US 2007/0237147 A1

[FIG. 1: block diagram of system 10. The figure is rotated in the scan; only its labels are recoverable: To/from other network nodes; User Interface 60; First Service-Classification Module; First Forwarding Engine; Service Node (FW); Second Service-Classification Engine; Second Forwarding Module; Service Node 52 (IDS); To/from other network nodes.]
Patent Application Publication, Oct. 11, 2007, Sheet 2 of 3, US 2007/0237147 A1

[FIG. 2: exemplary packet header contents as packet 14 traverses system 10.
Stage 72: packet 14, Packet Payload; passes through Classification.
Stage 74: packet 14, Packet Payload, Packet Header(s) (MPLS): 1 FW (Not yet applied.), 2 NAM (Not yet applied.), 3 IDS (Not yet applied.); passes through Service.
Stage 76: packet 14, Packet Payload, Packet Header(s) (MPLS): 1 FW (Applied.), 2 NAM (Not yet applied), 3 IDS (Not yet applied.); passes through Service.
Stage 78: packet 58, Packet Payload, Packet Header(s) (MPLS): 3 IDS (Applied.).]
Fig. 2
Patent Application Publication, Oct. 11, 2007, Sheet 3 of 3, US 2007/0237147 A1

[FIG. 3: flow diagram of method 100. Step reference numbers are given where legible in the scan.]
1. (102) Define service-coding information that is compatible with network-compatible headers, such as Multi-Protocol Label Switching (MPLS) protocol, to identify services and/or service chains.
2. Configure network devices to read predefined service-coding information to/from the network-compatible headers.
3. (106) Assign packet classes to services and/or service chains.
4. (108) Assign bits to packet classifications based on predefined service-coding information.
5. (110) Classify packets based on packet type and/or service needs, and encode packet class information in the network-compatible headers.
6. (112) Attach bits to packets in network-compatible headers based on the packet class information.
7. Selectively apply services to packets based on packet header contents.
SYSTEM AND METHOD FOR SELECTIVELY APPLYING A SERVICE TO A NETWORK PACKET USING A PREEXISTING PACKET HEADER

BACKGROUND OF THE INVENTION

[0001] This invention is related in general to networks and more specifically relates to systems and methods for controlling how services are applied to data in a network.

[0002] For the purposes of the present discussion, services may be any software or hardware applications that implement actions on information. Network services are employed in various demanding applications including network security, voice services, load balancing, and network analysis for various enterprise networks, such as data centers and Internet-Service-Provider (ISP) networks. Such applications demand versatile mechanisms for efficiently applying network services to data.

[0003] Conventionally, network data is encapsulated and transferred in packets. Packets may be sent sequentially through various service nodes, which may be applications that implement various services. Alternatively, a network device, such as a router, will analyze each packet independently and then send each packet to specific service nodes based on the analysis, but without knowledge of previous services applied to each packet.

[0004] Unfortunately, such systems and methods for provisioning services often result in complex services that are difficult to deploy, and often further result in redundant processing as packets sent between devices must be reanalyzed and classified by each device to determine which services shall be applied to a packet. Furthermore, reclassification at each network device may cause application of redundant services to a given packet, and the services may be applied in a suboptimal order. Accordingly, network throughput and resources may be compromised by use of inefficient service provisioning systems and methods.

BRIEF DESCRIPTION OF THE DRAWINGS

[0005] FIG. 1 is a diagram illustrating a system for selectively performing services on a packet in a network according to an embodiment of the present invention.

[0006] FIG. 2 is a diagram illustrating exemplary contents of a packet header as the packet traverses various modules of the system of FIG. 1.

[0007] FIG. 3 is a flow diagram of a method that is adapted for use with the system and accompanying network of FIG. 1.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

[0008] A preferred embodiment of the present invention implements a system for selectively performing a service on or applying a service to a packet in a network. The system includes a mechanism for encoding service information in a network-compatible packet header and providing encoded data in response thereto. In a more specific embodiment, the network-compatible header includes a Multi-Protocol Label Switching (MPLS) header, a Generic Route Encapsulation (GRE) header, and/or a Layer-2 Tunneling Protocol (L2TP) header.

[0009] Hence, certain embodiments of the present invention leverage existing network support for certain headers, such as MPLS headers, to facilitate applying services to a packet. Certain embodiments described herein may provide a scalable user-friendly way of applying a service and/or tracking application of a service to a packet. The system may reside on platform blades and/or external appliances and/or as one or more processes within a platform. The system may be seamlessly integrated into an existing infrastructure. Certain embodiments of the present invention may further enhance portability of a service node across plural customer networks or network segments.

[0010] For clarity, various well-known components, such as power supplies, router blades, Internet Service Providers (ISPs), and so on, have been omitted from the figures. However, those skilled in the art with access to the present teachings will know which components to implement and how to implement them to meet the needs of a given application.

[0011] FIG. 1 is a diagram illustrating system 10 for selectively performing a service on packet 14, 56, 58, 62 in network 12 according to an embodiment of the present invention. Examples of services include firewall filtering, intrusion detecting, content switching, secure socket layering, anomaly detecting, network analyzing, global site selecting, and so on. For illustrative purposes, system 10 is shown implemented in first router 16 and second router 18, which intercommunicate via one or more network protocols, such as Transmission Control Protocol (TCP)/Internet Protocol (IP).

[0012] First router 16 includes a first service-classification module 28 in communication with first forwarding engine 22. First forwarding engine 22 communicates with first service node 32 and may send and receive packets, such as packets 58, 14 to/from other network entities, such as second router 18.

[0013] First service-classification module 28 communicates with user interface 60 and the first forwarding engine 22. Forwarding engine 22 further communicates with first service node 32 and second forwarding engine 42. Second forwarding engine 42 is located in second router 18. For illustrative purposes, the first service node 32 implements a FireWall (FW) and/or a Network Analysis Module (NAM).

[0014] Second router 18 includes second forwarding engine 42, second service-classification module 48, and second service node 52, which are analogous to modules 22, 28, 32, respectively, of first router 16. Second router 18 is similar to first router 16 with the exception that second router 18 communicates with a different service node 52 and is not shown including a user interface. However, the second router 18 may be equipped with a user interface without departing from the scope of the present invention.

[0015] For the purposes of the present discussion, a service node may be any software or hardware routine(s) or module(s) that perform actions on data, such as data included in a packet. A service node generally implements a service, such as Intrusion Detection Service (IDS), Secure Socket Layer (SSL), FireWall (FW), and so on.

[0016] A header may be any section of a packet, message, frame, or other information that can store information. A network-compatible packet header may be a header that is readable by plural nodes in a network. Packet headers that are often compatible with existing enterprise networks include MPLS, Generic Route Encapsulation (GRE), and Layer-2 Tunneling Protocol (L2TP) headers. An MPLS header may be any header that plural network entities are adapted to process. Generally, any header that could be employed for MPLS purposes may be considered an MPLS header.

[0017] A packet may be any information that is encapsulated for transmission in a network. Examples of packets include frames, messages, or sections thereof.

[0018] A network platform, such as a Layer-3 switch or router, may be any network device or entity that can communicate with another network device or entity via a protocol employed by network devices to communicate via the associated network. The terms network nodes and platforms are employed interchangeably.

[0019] A network entity may be any thing, such as a device, module, or data, that is in or coupled to a network. Network entities may be software, hardware, and/or data entities. Examples of network entities include switches, routers, forwarding engines, service nodes, databases, packets, and so on. A protocol may be any set of instructions or method for communicating information.

[0020] In an exemplary operative scenario, incoming packets 14, 56 received by the first forwarding engine 22 are transferred to the first service-classification module 28 for initial service classification. The first service-classification module may employ various methods to classify packets. The resulting packet classifications will determine what available services 32, 52 should be applied to the packets 14, 56. Exact packet-classification methods are application specific and may be determined by those skilled in the art to meet the needs of a given application without undue experimentation.

[0021] First service-classification module 28 may append a network-compatible packet header, such as an MPLS header, to each packet 14, 56 based on packet classifications. Contents of a given packet header, such as information indicating how a given service should be applied to a packet, may be retrieved from the service nodes 32, 52 or from the user interface 60, by the first service-classification module via the first forwarding engine 22 and/or the second forwarding engine 42. In the preferred embodiment, the packet header is an MPLS header that is selectively augmented with service information.

[0022] In the present specific embodiment, the service information includes service-coding information indicating service codes that correspond to the services 32, 52. The service coding may further specify mappings between a given service and a packet classification. For example, a certain class of packet may require application of a specific service. The service may be identified via one or more codes, and the service may be associated with a specific class or type of packet. The codes may be implemented via bit sequences that are selectively placed in packet headers as discussed more fully below.

[0023] Service coding details indicating what bits or sequences of bits represent what service(s) and/or service status may be negotiated between nodes 16, 18 in advance of applying a service to a packet. In the preferred embodiment, the packet header used to maintain service information, and optionally service status, is or can be handled like an MPLS header.

[0024] First service node 32 receives incoming packets that have been classified by the first service-classification module 28, the second service-classification module 48, or other service-classification module (not shown) connected to the network 12. Packet headers associated with the received packets, also called ingress packets, are analyzed by the first service node 32 to determine packet status, such as whether one or more of the services 32, 52 have been applied to the packets.

[0025] First forwarding engine 22 may check incoming packet 14 to determine if packet 14 has been classified in accordance with an embodiment of the present invention. If packet 14 has been classified, such as by second service-classification module 48, then the service information maintained in the header is employed by first forwarding engine 22 to send packet 14 to the appropriate service 32 if indicated in the header.

[0026] If incoming packet 14 has not been classified, the packet is sent to first service-classification module 28 for classification. First service-classification module 28 determines the service needs of packet 14, i.e., classifies the packet, and then assigns the packet a service if needed based on the service needs, i.e., packet class. The packet class may be generally based on packet type, where a packet type may be defined based on various factors or characteristics, including accompanying traffic details, user-identification numbers associated with given packets, and so on.

[0027] Alternatively, first forwarding engine 22, instead of first service-classification module 28, includes packet-classification routines to observe all incoming packets and then classify them as needed in accordance with predetermined service coding rules. Alternatively, instead of determining packet type or class and then assigning a predetermined service thereto based on the packet type or class, each packet may be assigned a custom service based on other packet characteristics.

[0028] First service-classification module 28 may implement additional functions other than classifying packets and assigning a service thereto. For example, first service-classification module 28 may implement one or more routines for selectively inserting a service, i.e., a code corresponding thereto, into a packet MPLS header.

[0029] Exact details as to when a service is inserted in a packet header by first service-classification module 28 are application specific. In one implementation, a service may be inserted into a packet header when a service becomes available. User interface 60, such as a switch console with Command Line Interface (CLI) functionality, may be employed to control first service-classification module 28 to facilitate incorporation of a service into system 10.

[0030] First service-classification module 28 may further implement one or more routines to automatically assign packet classes to a service in accordance with predetermined service coding.

[0031] After a packet is classified, the appropriate service information is incorporated into a header of the packet to enable first forwarding engine 22 to read the header and then
send the packet to the service 32 if indicated in the header. Packet classification information, such as status information indicating whether a packet has been classified and information indicating what service class the packet is associated with, may be encoded in separate fields in a header.

[0032] In the preferred embodiment, the employed header is a header that is currently understood by network nodes, such as routers 16, 18, i.e., the header is network-compatible. This greatly facilitates conveying service information between network nodes 16, 18. Examples of suitable headers include, but are not limited to, MPLS, Layer-2 Tunneling Protocol (L2TP), and Generic Route Encapsulation (GRE) headers.

[0033] In the exemplary operative scenario, first packet 14 is classified as a packet that should be acted upon by first service 32. First forwarding engine 22 is adapted to selectively send packet 14 to first service 32 for processing after classification based on the packet header and service code(s) included therein. After packet 14 is filtered by the FW of first service 32, first service 32 updates the status of the packet by appropriately modifying the header to indicate that FW has been applied to packet 14. First service node 32 may then send the processed packet and accompanying updated header to a forwarding engine internal to the first service node 32 or elsewhere, such as the first forwarding engine 22, the second forwarding engine 42, or another forwarding engine. In certain embodiments, such service-status information is omitted from the packet headers.

[0034] In the present operative scenario, after first service 32 has been applied to packet 14, packet 14 is sent to second router 18 as partially processed packet 58. Various modules 42, 48 of second router 18 operate similarly to corresponding modules 22, 28 of first router 16 with the exception that second forwarding engine 22 communicates with second service 52, which implements an Intrusion Detection System (IDS) in the present specific embodiment.

[0035] If packet 14 is partially processed by 32, yielding the partially processed packet 58, and if the partially processed packet 58 does not require further classification, the partially processed packet 58 may be forwarded directly to second service node 52 or via the second forwarding engine 42. Consequently, partially processed packet 58 may avoid second service-classification module 48.

[0036] Second forwarding engine 42 may receive partially processed packet 58 and then observe the relevant packet header to determine whether or not to apply the second service 52 to the packet 58. Codes corresponding to second service 52 may be incorporated into the header of the packet 58, called the service header, upon classification of the packet by second service-classification module 48 if required and if not already done so by first service-classification module 28.

[0037] Hence, second forwarding engine 42 references the service header and then forwards packet 58 to the second service 52 if indicated in the packet header. Alternatively, first service node 32 forwards packet 58 to second service node 52, bypassing first forwarding engine 22 and second forwarding engine 42. After completion of the IDS service by second service 52, packet 58 is marked, by second service node 52, as having been processed by second service node 52.

[0038] First forwarding engine 22 and second forwarding engine 42 may facilitate selectively applying a service to other packets 56, 62, respectively, received from different devices in network 12. Furthermore, forwarding engines 22, 42 may forward packets, to which services have been applied, to other devices in network 12.

[0039] FIG. 2 is a diagram illustrating exemplary contents of packet header 82-86 that is adapted for use with system 10 of FIG. 1 as packet 14, 58 traverses between various modules of system 10 of FIG. 1. With reference to FIGS. 1 and 2, in first stage 72, packet 14 passes to first service-classification module 28.

[0040] For the purposes of the present discussion, service information may be any information specifying a service to be applied to a packet. Service information may optionally include service-status information and service-sequence information indicating whether a service has been applied to a packet and the order in which services should be applied.

[0041] In the present operative scenario, after packet 14 passes through first service-classification module 28, initial header 82 is added to the packet 14 at second stage 74. Initial header 82 has been modified by first service-classification module 28 to indicate service information. The service information identifies services to be performed, such as FW, IDS, and NAM; the order in which the services should be performed, such as FW-NAM-IDS; and the status indicating whether or not a given service has been applied. Exact methods for encoding such information are application specific and may be determined by those skilled in the art with access to the present teachings without undue experimentation.

[0042] After packet classification, packet 14 passes back to first service node 32 for application of the first service to the packet 14. At third stage 76, certain services have been applied to packet 14 as indicated in second updated header 84. Second updated header 84 has been updated by first service node 22 to indicate that FW corresponding to first service has been applied to the packet 14.

[0043] Subsequently, at fourth stage 78, packet 14 has been sent to second router 18 as partially processed packet 58. At fourth stage 78, partially processed packet 58 has been processed by second service 52. For illustrative purposes, second service 52 has modified second updated header 84 by stripping certain header information and adding status information pertaining to second service 52, as indicated in third updated header 86. Information pertaining to the FW and NAM processing indicated in second updated header 84 is omitted from third updated header 86. However, third updated header 86 includes information pertaining to the IPS associated with first service 52. Exact details pertaining to whether, when, and how packet information, including service-status information, is stripped from or inserted into a packet header is application specific.

[0044] While service information is shown occupying entire headers 82-86, the service information may be included in one or more specific sections of MPLS headers 82-86 without departing from the scope of the present invention. The exact sections of MPLS headers 82-86 used for maintaining service information are application specific.
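The service coding of [0022]-[0023], the classify-only-if-unclassified check of [0025]-[0026], and the identity, order and status fields of [0041], as an added example that is not part of the patent: one assumed bit layout inside the 20-bit label field of an MPLS label stack entry (RFC 3032 layout: label 20 bits, TC 3, S 1, TTL 8), a toy classification policy, and a forwarding engine that skips reclassification of already-classified packets and hands each packet to the next service whose status bit is clear. The service code values, bit positions, POLICY table and packet kinds are all assumptions made here; the patent leaves the encoding application specific.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed service codes (the patent names the services, not their code values).
SERVICES = {1: "FW", 2: "NAM", 3: "IDS"}
CODE_OF = {name: code for code, name in SERVICES.items()}

# Assumed layout of the 20-bit MPLS label field (bit 19 is the MSB):
#   bit 19     : classified flag, set once a classification module built the chain
#   bits 18..7 : three 4-bit service slots; slot 0 (bits 18..15) is applied first
#   bits 6..4  : applied mask, bit i set once slot i's service has run
#   bits 3..0  : spare
CLASSIFIED = 1 << 19
SLOT_SHIFT = (15, 11, 7)


def encode_label(chain: List[str], applied: int = 0) -> int:
    """Build the label field for an ordered service chain plus its status bits."""
    if not 0 < len(chain) <= len(SLOT_SHIFT):
        raise ValueError("chain must hold 1..3 services")
    label = CLASSIFIED
    for shift, name in zip(SLOT_SHIFT, chain):
        label |= CODE_OF[name] << shift
    return label | ((applied & 0x7) << 4)


def decode_label(label: int) -> Optional[Tuple[List[str], int]]:
    """Return (ordered chain, applied mask), or None if the packet is unclassified."""
    if not label & CLASSIFIED:
        return None
    chain = [SERVICES[(label >> s) & 0xF] for s in SLOT_SHIFT if (label >> s) & 0xF]
    return chain, (label >> 4) & 0x7


def label_stack_entry(label: int, tc: int = 0, bos: int = 1, ttl: int = 64) -> int:
    """Pack a 32-bit MPLS label stack entry: label:20 | TC:3 | S:1 | TTL:8."""
    return ((label & 0xFFFFF) << 12) | ((tc & 0x7) << 9) | ((bos & 1) << 8) | (ttl & 0xFF)


def entry_label(entry: int) -> int:
    """Extract the 20-bit label field from a label stack entry."""
    return entry >> 12


@dataclass
class Packet:
    kind: str                     # constructed packet type used by the toy classifier
    payload: bytes
    lse: Optional[int] = None     # MPLS label stack entry carrying the service info
    trace: List[str] = field(default_factory=list)


# Assumed classification policy: packet type -> ordered service chain.
POLICY = {"web": ["FW", "NAM", "IDS"], "voice": ["FW"], "bulk": ["NAM", "IDS"]}


def classify(pkt: Packet) -> bool:
    """Service-classification module. Returns False when the packet already
    carries a service header from an upstream node, so it is not reclassified."""
    if pkt.lse is not None and decode_label(entry_label(pkt.lse)) is not None:
        return False
    chain = POLICY.get(pkt.kind)
    if chain:
        pkt.lse = label_stack_entry(encode_label(chain))
    return True


def next_service(pkt: Packet) -> Optional[str]:
    """Forwarding engine: the first service in the chain whose status bit is clear."""
    if pkt.lse is None:
        return None
    info = decode_label(entry_label(pkt.lse))
    if info is None:
        return None
    chain, applied = info
    for i, name in enumerate(chain):
        if not applied & (1 << i):
            return name
    return None


def service_node(pkt: Packet, name: str) -> None:
    """Service node: perform the service (recorded in the trace), then mark its
    slot applied in the header while preserving the entry's TTL."""
    chain, applied = decode_label(entry_label(pkt.lse))
    pkt.trace.append(f"{name} applied")
    new_label = encode_label(chain, applied | (1 << chain.index(name)))
    pkt.lse = label_stack_entry(new_label, ttl=pkt.lse & 0xFF)


def run_chain(pkt: Packet) -> List[str]:
    """Drive a packet through classification and every service in its chain."""
    classify(pkt)
    while (name := next_service(pkt)) is not None:
        service_node(pkt, name)
    return pkt.trace


if __name__ == "__main__":
    p = Packet("web", b"constructed payload")
    print(run_chain(p), hex(p.lse))
```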
[0045] Hence, with reference to FIGS. 1 and 2, system 10 acts as system 10 for selectively performing a service 32, 52 on packet 14, 15, 56, 60 in network 12 that includes first mechanism 28, 48 for determining a service 32, 52 to be performed on packet 14, 15, 56, 60. Second mechanism 28, 48 encodes information in network-compatible packet header 82-86, wherein the information pertains to service 32, 52 and provides encoded data in response thereto. Third mechanism 32, 52 employs the encoded data to selectively implement service 32, 52 to be performed on packet 14, 56, 58, 62.

[0046] In the specific embodiment, network-compatible header 82-86 includes an MPLS header, which may be employed by a preexisting protocol employed by nodes 16, 18, such as MPLS protocol. System 10 is implemented in plural network platforms 16, 18.

[0047] System 10 may also be considered service-application system 10 for network 12. Service-application system 10 includes service-classification module 28, 48 that is adapted to classify information, such as information

header that is supported by one or more desired platforms may be employed to implement embodiments of the present invention.

[0052] Certain embodiments may leverage existing sections of such headers to provide a per-packet service context, which may facilitate service insertion and enhance network efficiency by eliminating unnecessary processing of packets. Certain embodiments of the present invention are applicable both within and between routers and switches, such as Cisco Category 6K switches with distributed forwarding engines.

[0053] Any network nodes or devices, such as switches, may be adapted to employ embodiments of the present invention and to convey packet context, i.e., information, thereby enabling initial packet classification information and servicing requirements to be carried to different participating nodes.

[0054] The header information may detail paths that packets s