United States Patent
Barsheshet et al.

(10) Patent No.: US 10,652,111 B2
(45) Date of Patent: May 12, 2020

(54) METHOD AND SYSTEM FOR DEEP PACKET INSPECTION IN SOFTWARE DEFINED NETWORKS

(71) Applicant: ORCKIT IP, LLC, Newton, MA (US)

(72) Inventors: Yossi Barsheshet, Ashdod (IL); Simhon Doctori, Gan-Yavne (IL); Ronen Solomon, Ramat-Gan (IL)

(73) Assignee: ORCKIT IP, LLC, Dover, DE (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 306 days.

(21) Appl. No.: 15/126,288

(22) PCT Filed: Apr. 21, 2015

(86) PCT No.: PCT/US2015/026869
§ 371 (c)(1), (2) Date: Sep. 15, 2016

(87) PCT Pub. No.: WO2015/164370
PCT Pub. Date: Oct. 29, 2015

(65) Prior Publication Data
US 2017/0099196 A1, Apr. 6, 2017

Related U.S. Application Data
(60) Provisional application No. 61/982,358, filed on Apr. 22, 2014.

(51) Int. Cl.
H04L 12/26 (2006.01)
H04L 12/64 (2006.01)
H04L 12/851 (2013.01)
H04L 12/931 (2013.01)
H04L 29/06 (2006.01)

(52) U.S. Cl.
CPC: H04L 43/028 (2013.01); H04L 12/6418 (2013.01); H04L 43/026 (2013.01); H04L 47/2483 (2013.01); H04L 49/70 (2013.01); H04L 69/161 (2013.01)

(58) Field of Classification Search
CPC: H04L 43/026; H04L 12/6418; H04L 43/028; H04L 49/70; H04L 69/161
USPC: 370/389
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
2010/0208590 A1*  8/2010   Dolganow ........ H04L 43/026, 370/235
2010/0212006 A1   8/2010   Dolganow et al.
2011/0264802 A1   10/2011  Dolganow et al.
2013/0329764 A1   12/2013  Chesla et al.
2014/0052836 A1*  2014     Nguyen .......... H04L 45/306, 709/223
2015/0124812 A1*  5/2015   Agarwal ......... H04L 45/24, 370/392
2016/0020998 A1*  1/2016   Bifulco ......... H04L 45/64, 370/235
2016/0197831 A1*  7/2016   De Foy .......... H04L 45/7453, 370/392
2016/0219080 A1*  7/2016   Huang ........... H04L 63/20

FOREIGN PATENT DOCUMENTS
EP 2672668 A1  12/2013

OTHER PUBLICATIONS
Supplementary Search Report of EP 15783292 dated Nov. 7, 2017.
Seungwon Shin et al., "Fresco: Modular Composable Security Services for Software-Defined Networks", NDSS Symposium 2013, Apr. 23, 2013, pp. 1-16, XP055422187.
International Search Report of PCT/US2015/026869 dated Aug. 6, 2015.
Minlan Yu et al., "Scalable flow-based networking with DIFANE", Proceedings of the ACM SIGCOMM 2010 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, New Delhi, India, Aug. 30-Sep. 3, 2010, ACM, pp. 351-362, XP058189957.

* cited by examiner

Primary Examiner: Jae Y Lee
Assistant Examiner: Jean F Voltaire
(74) Attorney, Agent, or Firm: May Patents Ltd. c/o Dorit Shem-Tov

(57) ABSTRACT

A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

34 Claims, 6 Drawing Sheets

Exhibit 1001, Cisco v. Orckit, IPR2023-00554

U.S. Patent, May 12, 2020, Sheet 1 of 6, US 10,652,111 B2

FIG. 1 (drawing): network system 100 with application servers 120, central controller 111, network nodes 112 and client devices 130; IP traffic passes through the network nodes.

U.S. Patent, May 12, 2020, Sheet 2 of 6, US 10,652,111 B2

FIG. 2 (drawing): flow table 200. KEY 210: client IP address, server IP address, client TCP port, server TCP port, protocol. DATA 220: client to server TCP sequence number M, server to client TCP sequence number N, state, creation timestamp, client to server hit counter X [bytes], server to client hit counter Y [bytes], client data buffer, server data buffer. Example row values visible in the drawing: 192.1.1.1, 209.1.4.4, 0x3c98b9ab, 0xf46d5e34, 15:32:13.

U.S. Patent, May 12, 2020, Sheet 3 of 6, US 10,652,111 B2

FIG. 3 (drawing): DPI flow detection unit 311 and DPI engine 312 in the central controller; mirror packets and TCP flag packets arrive from the network node.

U.S. Patent, May 12, 2020, Sheet 4 of 6, US 10,652,111 B2

FIG. 4 (drawing): flow termination between network node 112 and DPI engine 312; labels visible: TCP flags, flow creation, probe sequence, counter.

U.S. Patent, May 12, 2020, Sheet 5 of 6, US 10,652,111 B2

FIG. 5 (drawing): flow organization 500. Entry 501: match fields <srcIP, destIP, ...>, MASK(field1, ...), AGE, priority, instruction "Go to probe table". Probe table 510 with entries 511, 512, 513: match fields <srcIP, destIP, ...>, MASK(field1, ...) or MASK all fields, priority (e.g. Medium), instructions "Output: controller" and "Go to next table ID".

U.S. Patent, May 12, 2020, Sheet 6 of 6, US 10,652,111 B2

FIG. 6 (flowchart 600):
Start
S610: Configure nodes with a set of probe instructions
S620: Receive a first TCP packet with FLAG SYN=1 and a sequence number M
S630: Receive a first TCP packet with FLAG ACK=1 and a sequence number N
S640: Compute a mask value
S650: Generate and send mirroring instructions to nodes
S660: Inspect received mirrored bytes using DPI
S670: Terminate inspection? If yes:
S680: Remove related existing flows from flow table

US 10,652,111 B2

METHOD AND SYSTEM FOR DEEP PACKET INSPECTION IN SOFTWARE DEFINED NETWORKS

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. provisional application No. 61/982,358 filed on Apr. 22, 2014, the contents of which are herein incorporated by reference.

TECHNICAL FIELD

This disclosure generally relates to techniques for deep packet inspection (DPI), and particularly for DPI of traffic in cloud-based networks utilizing software defined networks.

BACKGROUND

Deep packet inspection (DPI) technology is a form of network packet scanning technique that allows specific data patterns to be extracted from a data communication channel. Extracted data patterns can then be used by various applications, such as security and data analytics applications. DPI is currently performed across various networks, such as internal networks, Internet service providers (ISPs), and public networks provided to customers. Typically, the DPI is performed by dedicated engines installed in such networks.

Software defined networking (SDN) is a relatively new type of networking architecture that provides centralized management of network nodes rather than the distributed architecture utilized by conventional networks. The SDN is promoted by the ONF (Open Networking Foundation). The leading communication standard that currently defines communication between the central controller (e.g., a SDN controller) and the network nodes (e.g., vSwitches) is the OpenFlow™ standard.

Specifically, in SDN-based architectures the data forwarding (e.g. data plane) is typically decoupled from control decisions (e.g. control plane), such as routing, resources, and other management functionalities. The decoupling may also allow the data plane and the control plane to operate on different hardware, in different runtime environments, and/or operate using different models. As such, in an SDN network, the network intelligence is logically centralized in the central controller, which configures, using the OpenFlow protocol, the network nodes to control application data traffic flows.

Although the OpenFlow protocol allows programmability to be added to network nodes for packet-processing operations under the control of the central controller, OpenFlow does not support any mechanism to allow DPI of packets through the various networking layers as defined by the OSI model. Specifically, the current OpenFlow specification defines a mechanism to parse and extract only packet headers, in layer-2 through layer-4, from packets flowing via the network nodes. The OpenFlow specification does not define or suggest any mechanism to extract non-generic, uncommon, and/or arbitrary data patterns contained in layer-4 to layer-7 fields. In addition, the OpenFlow specification does not define or suggest any mechanism to inspect or to extract content from packets belonging to a specific flow or session. This is a major limitation, as such inspection of the packet is required for the purpose of, for example, security threat detection.

The straightforward approach of routing all traffic from network nodes to the central controller introduces some significant drawbacks, such as increased end-to-end traffic delays between the client and the server; overflowing the controller capability to perform other networking functions; and a single point of failure for the re-routed traffic.

Therefore, it would be advantageous to provide a solution that overcomes the deficiencies noted above and allows efficient DPI in SDNs.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical nodes of all aspects nor delineate the scope of any or all embodiments. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term some embodiments may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for deep packet inspection (DPI) in a software defined network (SDN), wherein the method is performed by a central controller of the SDN. The method comprises: configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, wherein the first packet matches the at least one probe instruction, wherein the first packet includes a first sequence number; receiving from a network node a second packet of the flow, wherein the second packet matches the at least one probe instruction, wherein the second packet includes a second sequence number, wherein the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers, wherein the mask value indicates which bytes to be mirrored from subsequent packets belonging to the same flow, wherein the mirrored bytes are inspected; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Certain embodiments disclosed herein include a system for deep packet inspection (DPI) in a software defined network (SDN), wherein the method is performed by a central controller of the SDN. The system comprises: a processor; a memory connected to the processor and configured to contain a plurality of instructions that when executed by the processor configure the system to: set a plurality of network nodes operable in the SDN with at least one probe instruction; receive from a network node a first packet of a flow, wherein the first packet matches the at least one probe instruction, wherein the first packet includes a first sequence number; receive from a network node a second packet of the flow, wherein the second packet matches the at least one probe instruction, wherein the second packet includes a second sequence number, wherein the second packet is a response of the first packet; compute a mask value respective of at least the first and second sequence numbers, wherein the mask value indicates which bytes to be mirrored from subsequent packets belonging to the same flow, wherein the mirrored bytes are inspected; generate at
least one mirror instruction based on at least the mask value; and configure the plurality of network nodes with at least one mirror instruction.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the invention will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIG. 1 is a schematic diagram of a network system utilized to describe the various disclosed embodiments.

FIG. 2 is a schematic diagram of a flow table stored in a central controller.

FIG. 3 is a schematic diagram of a system utilized for describing the process of flow detection as performed by a central controller and a network node according to one embodiment.

FIG. 4 is a schematic diagram of a system utilized for describing the process of flow termination as performed by a central controller and a network node according to one embodiment.

FIG. 5 is a data structure depicting the organization of flows according to one embodiment.

FIG. 6 is a flowchart illustrating the operation of the central controller according to one embodiment.

DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular nodes may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

FIG. 1 is an exemplary and non-limiting diagram of a network system 100 utilized to describe the various disclosed embodiments. The network system 100 includes a software defined network (SDN) 110 (not shown) containing a central controller 111 and a plurality of network nodes 112. The network nodes 112 communicate with the central controller 111 using, for example, an OpenFlow protocol. The central controller 111 can configure the network nodes 112 to perform certain data path operations. The SDN 110 can be implemented in wide area networks (WANs), local area networks (LANs), the Internet, metropolitan area networks (MANs), ISP backbones, datacenters, inter-datacenter networks, and the like. Each network node 112 in the SDN may be a router, a switch, a bridge, and so on.

The central controller 111 provides inspected data (such as application metadata) to a plurality of application servers (collectively referred to as application servers 120, merely for simplicity purposes). An application server 120 executes, for example, security applications (e.g., firewall, intrusion detection, etc.), data analytic applications, and so on.

In the exemplary network system 100, a plurality of client devices (collectively referred to as client devices 130, merely for simplicity purposes) communicate with a plurality of destination servers (collectively referred to as destination servers 140, merely for simplicity purposes) connected over the network 110. A client device 130 may be, for example, a smart phone, a tablet computer, a personal computer, a laptop computer, a wearable computing device, and the like. The destination servers 140 are accessed by the devices 130 and may be, for example, web servers.

According to some embodiments, the central controller 111 is configured to perform deep packet inspection on designated packets from designated flows or TCP sessions. To this end, the central controller 111 is further configured to instruct each of the network nodes 112 which of the packets and/or sessions should be directed to the controller 111 for packet inspection.

According to some embodiments, each network node 112 is configured to determine if an incoming packet requires inspection or not. The determination is performed based on a set of instructions provided by the controller 111. A packet that requires inspection is either redirected to the controller 111 or mirrored, and a copy thereof is sent to the controller 111. It should be noted that traffic flows that are inspected are not affected by the operation of the network node 112. In an embodiment, each network node 112 is configured to extract and send only a portion of a packet's data that contains meaningful information.

The set of instructions that the controller 111 configures each of the network nodes 112 with include "probe instructions", "mirroring instructions", and "termination instructions." According to some exemplary and non-limiting embodiments, the probe instructions include:

If (TCP FLAG SYN=1) then (re-direct packet to central controller);
If (TCP FLAG SYN=1 and ACK=1) then (re-direct packet to central controller); and
If (TCP FLAG ACK=1) then (forward packet directly to a destination server).

The termination instructions include:

If (TCP FLAG FIN=1) then (re-direct packet to controller);
If (TCP FLAG FIN=1 and ACK=1) then (re-direct packet to controller); and
If (TCP FLAG RST=1) then (re-direct packet to controller).

The TCP FLAG SYN, TCP FLAG ACK, TCP FLAG FIN, and TCP FLAG RST are fields in a TCP packet's header that can be analyzed by the network nodes 112. That is, each node 112 is configured to receive an incoming packet (either a request from a client device 130 or a response from a server 140), analyze the packet's header, and perform the action (redirect the packet to controller 111 or send to destination server 140) respective of the value of the TCP flag.

The controller 111 also configures each of the network nodes 112 with mirroring instructions with a mirror action of X number of bytes within a packet. The mirrored bytes are sent to the controller 111 to perform the DPI analysis. According to some exemplary embodiments, the set of mirroring instructions have the following format:

If (source IP Address=V1 and destination IP Address=V2 and source TCP port=V3 and destination TCP port=V4 and TCP sequence=V5 and TCP sequence mask=V6) then (mirror V7 bytes)

The values V1 through V7 are determined by the controller 111 per network node or for all nodes 112. The values of the TCP sequence and TCP sequence mask are computed by the controller 111, as discussed in detail below.
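The probe, termination and mirroring instructions above, as an added example in Python that is not part of the patent: it models what a network node 112 (the probe flow module 321) does with one packet. The packet builder and parser, the rule priority, the sample addresses and the constructed packets are this example's own; the mirroring rule's V5 and V6 are taken as inputs because the page states only that the controller computes them.

```python
"""Node-side evaluation of the probe, termination and mirroring instructions
that controller 111 installs on a network node 112 (probe flow module 321).

Added example, not the patent's code. It builds constructed IPv4/TCP packets,
parses the header fields the rules match on, and returns what the node does
with the packet. The mirroring rule's V5/V6 (sequence value and mask) are
inputs here because this page does not say how the controller derives them.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# TCP header flag bits (RFC 9293 layout of the 16-bit data-offset/flags word).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    flags: int
    payload: bytes


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, flags, payload=b"") -> bytes:
    """Constructed test packet: IPv4 header without options + 20-byte TCP header.
    Checksums are left at zero; nothing in this example verifies them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ip + tcp + payload


def parse_ipv4_tcp(frame: bytes) -> TcpPacket:
    """Extract the layer-3/4 fields the node's match rules use; rejects non-TCP."""
    if frame[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (frame[0] & 0x0F) * 4
    tcp = frame[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return TcpPacket(str(IPv4Address(frame[12:16])), str(IPv4Address(frame[16:20])),
                     sport, dport, seq, off_flags & 0x1FF, tcp[data_off:])


@dataclass(frozen=True)
class MirrorRule:
    """One mirroring instruction in the page's V1..V7 format."""
    src_ip: str        # V1
    dst_ip: str        # V2
    src_port: int      # V3
    dst_port: int      # V4
    seq: int           # V5
    seq_mask: int      # V6
    mirror_bytes: int  # V7

    def matches(self, p: TcpPacket) -> bool:
        # Masked compare on the sequence number, as an OpenFlow masked match field does it.
        return ((p.src_ip, p.dst_ip, p.src_port, p.dst_port)
                == (self.src_ip, self.dst_ip, self.src_port, self.dst_port)
                and (p.seq & self.seq_mask) == (self.seq & self.seq_mask))


def probe_action(flags: int) -> str:
    """Probe + termination instructions. The SYN, FIN and RST rules must take
    priority over the bare 'ACK=1 -> forward' rule, otherwise SYN+ACK and
    FIN+ACK segments would be forwarded without the controller seeing them."""
    if flags & (SYN | FIN | RST):
        return "redirect"   # SYN, SYN+ACK, FIN, FIN+ACK, RST -> controller 111
    return "forward"        # the ACK=1 rule: ordinary segments go to the destination server 140


def node_action(frame: bytes, mirror_rules) -> Tuple[str, Optional[bytes]]:
    """Return (where the packet goes, bytes mirrored to the controller or None)."""
    p = parse_ipv4_tcp(frame)
    if probe_action(p.flags) == "redirect":
        return "controller", None
    for rule in mirror_rules:   # mirroring is a copy; the packet itself still forwards
        if rule.matches(p):
            return "server", p.payload[:rule.mirror_bytes]
    return "server", None
```

The order of the checks is the caveat: the page's bare "ACK=1 then forward" rule would also match SYN+ACK and FIN+ACK segments, so a node must give the SYN, FIN and RST rules higher priority (in OpenFlow terms, a higher flow-entry priority), or the controller never sees the handshake and teardown that drive its flow table. The masked sequence compare is what lets one mirror instruction cover a bounded stretch of the stream without a per-packet rule.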

In another embodiment, in order to allow analysis of TCP packets' headers by a network node 112 and tracking of flows, new type-length-value (TLV) structures are provided. The TLV structures may be applied to be utilized by an OpenFlow protocol standard as defined, for example, in the OpenFlow 1.3.3 specification published by the Open Networking Foundation on Sep. 27, 2013 or the OpenFlow 1.4.0 specification published on Oct. 14, 2013, for parsing and identifying any arbitrary fields within a packet. According to non-limiting and exemplary embodiments, the TLV structures disclosed herein include:

1. TCP_FLG_OXM_HEADER(0x80FE, 2, 1). This TLV structure allows identification of the TCP header flags. The '0x80FE' value represents a unique vendor identification (ID), the value '2' represents a unique Type=2 value for the TLV, and the '1' value is a 1-byte total length that stores the TCP flags header.

2. TCP_SEQ_OXM_HEADER(0x80FE, 1, 4). This TLV structure allows identification of the TCP sequence number field. The '0x80FE' value represents a unique vendor ID, the value '1' represents a unique Type=1 value for this TLV, and the value '4' is a 4-byte total length that stores the TCP sequence number.
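The two TLVs as OpenFlow OXM match fields, as an added example that is not the patent's code. It uses the OpenFlow 1.3 OXM header layout (oxm_class:16 | oxm_field:7 | HM:1 | oxm_length:8) and computes OXM_HEADER(class, field, length) the way that specification defines it. Reading 0x80FE as an oxm_class value, the payload layouts (1-byte flags, 4-byte sequence, value followed by mask when HM=1) and the sample values are assumptions this example makes beyond the three numbers the text gives for each TLV.

```python
"""OXM TLV encoding for the two match fields the text names,
TCP_FLG_OXM_HEADER(0x80FE, 2, 1) and TCP_SEQ_OXM_HEADER(0x80FE, 1, 4).

Added example, not the patent's code. The 32-bit header is the OpenFlow 1.3
OXM layout; treating 0x80FE as a vendor-defined oxm_class and the payload
layouts below are this example's assumptions.
"""
import struct
from typing import List, Optional, Tuple

VENDOR_CLASS = 0x80FE                # "unique vendor ID" from the text
TCP_SEQ_FIELD, TCP_SEQ_LEN = 1, 4    # Type=1, 4-byte TCP sequence number
TCP_FLG_FIELD, TCP_FLG_LEN = 2, 1    # Type=2, 1-byte TCP flags


def oxm_header(oxm_class: int, field: int, length: int, hasmask: bool = False) -> int:
    """OXM_HEADER(): with HM=1 the payload is value||mask, so oxm_length doubles."""
    if not (0 <= oxm_class <= 0xFFFF and 0 <= field < 128):
        raise ValueError("oxm_class is 16 bits, oxm_field is 7 bits")
    total = length * 2 if hasmask else length
    if not 1 <= total <= 255:
        raise ValueError("oxm_length is 8 bits")
    return (oxm_class << 16) | (field << 9) | (int(hasmask) << 8) | total


TCP_FLG_OXM_HEADER = oxm_header(VENDOR_CLASS, TCP_FLG_FIELD, TCP_FLG_LEN)  # 0x80FE0401
TCP_SEQ_OXM_HEADER = oxm_header(VENDOR_CLASS, TCP_SEQ_FIELD, TCP_SEQ_LEN)  # 0x80FE0204


def encode_tcp_flags(flags: int) -> bytes:
    """TLV carrying the TCP flags byte, e.g. 0x12 for the SYN=1 and ACK=1 probe rule."""
    return struct.pack("!IB", TCP_FLG_OXM_HEADER, flags & 0xFF)


def encode_tcp_seq(seq: int, mask: Optional[int] = None) -> bytes:
    """TLV carrying the TCP sequence number; with a mask it expresses V5/V6 of a mirror rule."""
    if mask is None:
        return struct.pack("!II", TCP_SEQ_OXM_HEADER, seq)
    hdr = oxm_header(VENDOR_CLASS, TCP_SEQ_FIELD, TCP_SEQ_LEN, hasmask=True)
    return struct.pack("!III", hdr, seq, mask)


def decode_oxm(buf: bytes) -> List[Tuple[int, int, bytes, Optional[bytes]]]:
    """Walk a run of OXM TLVs -> [(oxm_class, oxm_field, value, mask_or_None)].
    Truncated TLVs are rejected instead of being read past the buffer end."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 4:
            raise ValueError("truncated OXM header")
        hdr = struct.unpack("!I", buf[i:i + 4])[0]
        oxm_class, field = hdr >> 16, (hdr >> 9) & 0x7F
        hasmask, length = bool(hdr & 0x100), hdr & 0xFF
        body = buf[i + 4:i + 4 + length]
        if len(body) != length:
            raise ValueError("truncated OXM payload")
        if hasmask:
            half = length // 2
            out.append((oxm_class, field, body[:half], body[half:]))
        else:
            out.append((oxm_class, field, body, None))
        i += 4 + length
    return out


def seq_tlv_matches(tlv, packet_seq: int) -> bool:
    """Apply a decoded TCP_SEQ TLV to a packet's sequence number (masked compare when HM=1)."""
    oxm_class, field, value, mask = tlv
    if (oxm_class, field) != (VENDOR_CLASS, TCP_SEQ_FIELD):
        raise ValueError("not a TCP_SEQ TLV")
    v = int.from_bytes(value, "big")
    m = int.from_bytes(mask, "big") if mask is not None else 0xFFFFFFFF
    return (packet_seq & m) == (v & m)
```

A real ofp_match pads the whole run of TLVs to a multiple of 8 bytes; the decoder above takes the bare TLV run, which is what a parser on the node side has to validate before it touches the payload bytes.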

In order to track the flows, the central controller 111 also maintains a flow table having a structure 200 as illustrated in the exemplary and non-limiting FIG. 2. The flow table 200 contains two main fields, KEY 210 and DATA 220. The KEY field 210 holds information with respect to the addresses/port numbers of a client device 130 and a destination server 140. The DATA field 220 contains information with respect to a TCP flow, such as a flow ID, a request (client to server) sequence number M, a response (server to client) sequence number N, a flow state (e.g., ACK, FIN), a creation timestamp, a client to server hit counter X [bytes], a server to client hit counter Y [bytes], a client to server data buffer, a server to client buffer, and an aging bit.

FIG. 3 shows an exemplary and non-limiting schematic diagram of a system 300 for describing the process of flow detection as performed by the central controller 111 and a network node 112 according to one embodiment. In an exemplary implementation, the central controller 111 includes a DPI flow detection module 311, a DPI engine 312, a memory 313, and a processing unit 314. The DPI engine 312 is configured to inspect a packet or a number of bytes to provide application metadata as required by an application executed by an application server 120.

According to various embodiments discussed in detail above, the DPI flow detection module 311 is configured to detect all TCP flows and maintain them in the flow table (e.g., table 200). The module 311 is also configured to generate and provide the network nodes with the required instructions to monitor, redirect, and mirror packets. The DPI flow detection module 311 executes certain functions including, but not limited to, flow management, computing sequence masks, and TCP flow analysis. These functions are discussed in detail below.

In an exemplary implementation, the network node 112 includes a probe flow module 321, a memory 322, and a processing unit 323. The probe flow module 321 is configured to redirect any new TCP connection state initiation packets to the DPI flow detection module 311, as well as to extract several packets from each detected TCP flow and mirror them to the flow detection module 311. In an embodiment, probe flow module 321 executes functions and/or implements logic to intercept TCP flags, redirect packets, and count sequence numbers.

Both processing units 314 and 323 use instructions stored in the memories 313 and 322 respectively to execute tasks generally performed by the central controllers of SDN as well as to control and enable the operation of behavioral network intelligence processes disclosed herewith. In an embodiment, the processing unit (314, 323) may include one or more processors. The one or more processors may be implemented with any combination of general-purpose microprocessors, multi-core processors, microcontrollers, digital signal processors (DSPs), field programmable gate arrays (FPGAs), programmable logic devices (PLDs), controllers, state machines, gated logic, discrete hardware components, dedicated hardware finite state machines, or any other suitable entities that can perform calculations or other manipulations of information. The memories 313 and 322 may be implemented using any form of a non-transitory computer readable medium.

Prior to performing the flow detection process, the network node 112 is set with the probe instructions, such as those discussed above. Referring to FIG. 3, at S301, a packet arrives from a client (e.g., client 130, FIG. 1) at a port (not shown) at the network node 112. The packet is a TCP packet with a header including the following value [TCP FLAG SYN=1, SEQUENCE=M].

As the header's value matches a redirect action, at S302, the probe flow module 321 redirects the packet to the controller 111, and in particular to the module 311.

In response, at S303, the module 311 traps the packet and creates a new flow-id in the flow table (e.g., table 200) and marks the flow-id's state as 'SYN'. The flow table is saved in the memory 313. The initial sequence number from the client to a destination server equals M and is saved in the flow table as well. Then, the packet is sent to the node 112 for further processing.

At S304, a response packet arrives from a destination server (e.g., server 140, FIG. 1) with header value [TCP FLAG SYN=1, TCP FLAG ACK=1, SEQUENCE=N]. The
`
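As an added illustration, not code from the patent, the following Python models steps S301 to S304 above: the node-side probe rule that redirects TCP connection-initiation packets, and the controller-side flow table that traps the SYN, records state 'SYN' with the client sequence number M, and then records the server sequence number N from the SYN-ACK. The function names, the flow key (addresses and ports), the 'SYN-ACK' state label, the handling of a SYN-ACK with no trapped SYN, and the TCP header builder are assumptions; the segments are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10  # TCP flag bits in the data-offset/flags word


def build_tcp(sport: int, dport: int, seq: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (sample input, no payload)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags,
                       65535, 0, 0)


def parse_tcp(segment: bytes):
    """Return (sport, dport, seq, flags) from the fixed part of a TCP header."""
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, seq, off_flags & 0x1FF


def probe_redirects(segment: bytes) -> bool:
    """Node-side probe instruction (module 321, assumed rule): redirect
    connection-state initiation packets, i.e. any segment with SYN set."""
    return bool(parse_tcp(segment)[3] & SYN)


@dataclass
class FlowEntry:
    state: str                        # 'SYN' after S303; 'SYN-ACK' is an assumed label
    client_seq: int                   # M, saved at S303
    server_seq: Optional[int] = None  # N, saved when the SYN-ACK is trapped


class DpiFlowDetector:
    """Controller-side module 311: flow table keyed by (src, sport, dst, dport), assumed."""

    def __init__(self) -> None:
        self.flows: dict = {}

    def trap(self, src_ip: str, dst_ip: str, segment: bytes):
        """Handle a packet the probe redirected; returns (flow key, resulting state)."""
        sport, dport, seq, flags = parse_tcp(segment)
        if flags & (SYN | ACK) == SYN:             # S301-S303: client SYN
            key = (src_ip, sport, dst_ip, dport)
            self.flows[key] = FlowEntry("SYN", client_seq=seq)
            return key, "SYN"
        if flags & (SYN | ACK) == (SYN | ACK):     # S304: server SYN-ACK
            key = (dst_ip, dport, src_ip, sport)   # look up the client->server entry
            entry = self.flows.get(key)
            if entry is None or entry.state != "SYN":
                return None, "UNTRACKED"           # SYN-ACK with no trapped SYN
            entry.server_seq, entry.state = seq, "SYN-ACK"
            return key, "SYN-ACK"
        return None, "IGNORED"                     # not a handshake packet
```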

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket