(12) United States Patent
Lin et al.

(10) Patent No.: US 9,264,400 B1
(45) Date of Patent: Feb. 16, 2016

(54) SOFTWARE DEFINED NETWORKING PIPE FOR NETWORK TRAFFIC INSPECTION

(71) Applicant: Trend Micro Incorporated, Tokyo (JP)

(72) Inventors: Chuan-Hung Lin, Taipei (TW); Ching-Yi Li, Taipei (TW); Po-Cheng Liang, Taipei (TW)

(73) Assignee: Trend Micro Incorporated, Tokyo (JP)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 121 days.

(21) Appl. No.: 14/094,442

(22) Filed: Dec. 2, 2013

(51) Int. Cl.
    G06F 21/00 (2013.01)
    H04L 29/06 (2006.01)

(52) U.S. Cl.
    CPC: H04L 63/02 (2013.01); H04L 63/0245 (2013.01)

(58) Field of Classification Search
    CPC: H04L 63/02; H04L 63/0245
    See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

6,697,806 B1*        2/2004   Cook               G06F 21/31
6,751,219 B1*        6/2004   Lipp               H04L 49/201   370/390
8,339,959 B1*       12/2012   Moisand            H04L 63/0236  370/235
2003/0021230 A1*     1/2003   Kuo                H04L
2006/0036780 A1*     2/2006   Demis              G06F 13/4282  710/36
2009/0249472 A1*    10/2009   Litwin             H04L 63/0263  726/14
2009/0300353 A1*    12/2009   Hatt               H04L
2010/0269171 A1*    10/2010   Raz                G06F 17/00    726/13
2010/0278180 A1*    11/2010   Ma                 H04L 49/354   370/392
2011/0286324 A1*    11/2011   Bellagamba         H04L 41/0677  370/219
2012/0210416 A1*     8/2012   Mihelich           H04L 63/0218  726/11
2013/0291088 A1*    10/2013   Shieh              H04L 63/0218  726/11
2014/0133360 A1*     5/2014   Chiueh             H04L 41/12    370/256
2014/0211807 A1*     7/2014   Takenaka           H04L
2015/0124629 A1*     5/2015   Pani               H04L
2015/0163150 A1*     6/2015   Beheshti-Zavareh   H04L 45/121   370/400
2015/0222491 A1*     8/2015   Clark              H04L
2015/0236900 A1*     8/2015   Chung              H04L 69/02    709/221

OTHER PUBLICATIONS

OpenFlow – Wikipedia, the free encyclopedia, 3 sheets [retrieved on Nov. 15, 2013], retrieved from the internet: http://en.wikipedia.org/wiki/OpenFlow.
ONF – Open Networking Foundation, White Paper, Software-Defined Networking: The New Norm for Networks, Apr. 13, 2012.

* cited by examiner

Primary Examiner — Lisa Lewis
(74) Attorney, Agent, or Firm — Okamoto & Benedicto LLP

(57) ABSTRACT

A software defined networking (SDN) computer network includes an SDN controller and an SDN switch. The SDN controller inserts flow rules in a flow table of the SDN switch to create an SDN pipe between a sender component and a security component. A broadcast function of the SDN switch to the ports that form the SDN pipe may be disabled. The SDN pipe allows outgoing packets sent by the sender component to be received by the security component. The security component inspects the outgoing packets for compliance with security policies and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection. The SDN controller may also insert a flow rule in the flow table of the SDN switch to bypass inspection of specified packets.

17 Claims, 8 Drawing Sheets

Exhibit 1005
Cisco v. Orckit — IPR2023-00554
Page 1 of 15

[Drawing sheets 1 to 8 of US 9,264,400 B1 (figures not reproduced in this extraction); recoverable labels:]

Sheet 1 of 8, FIG. 1 (PRIOR ART): OpenFlow Controller (Control Plane) with a Flow policy database; "Manage flow tables" arrow to the OpenFlow Switch (Data Plane), which holds the Flow Tables, performs "Lookup rule" on arriving Packets and forwards them "To next hop".

Sheet 2 of 8, FIG. 2: computer system 100 with processor 101, user input devices 102, bus 103, display 104, computer network interface 105, data storage device 106, main memory 108 holding software modules 110, and computer network 109.

Sheet 3 of 8, FIG. 3: switch with an ingress port and an egress port; packets "From sender" enter the switch, pass through the security service, and leave "To next hop".

Sheet 4 of 8, FIG. 4: packets "From sender" enter a switch port; a "User API call" sets up an "Intercept port/tunnel" through a "vendor-specific interception mechanism"; packets then leave "To next hop". FIG. 5: packets from several "Virtual machine" instances are intercepted at the "hypervisor" and redirected; packets then leave "To next hop".

Sheet 5 of 8, FIG. 6: SDN computer network 600; SDN Controller 610 with Flow policy database 611; "Manage flow tables" arrow 601 to SDN Switch 620 holding Flow Tables 621 and Rules 624; sender component 622 attached to a port 623; packets leave toward "NEXT HOP".

Sheet 6 of 8, FIG. 7: inspection of outgoing packets; SDN Controller 610 with Flow policy database 611, SDN Switch 620 with Flow Tables 621 and Rules 624, "Lookup rule" applied to the outgoing packets from sender component 622.

Sheet 7 of 8, FIG. 8: inspection of incoming packets; SDN Controller 610 with Flow policy database 611, SDN Switch 620 with Flow Tables 621 and Rules 624, "Lookup rule" applied to the incoming packets, SDN pipe 625.

Sheet 8 of 8, FIG. 9 (flow diagram of the computer-implemented method):
701 SET BYPASS FLOW RULES TO BYPASS PACKETS THAT DO NOT NEED SECURITY INSPECTION
702 SET REDIRECT FLOW RULE TO FORWARD PACKETS FROM INGRESS PORT TO REDIRECT PORT
703 SET REDIRECT FLOW RULE TO FORWARD PACKETS FROM REDIRECT PORT TO INGRESS PORT
704 DISABLE BROADCAST TO REDIRECT AND INGRESS PORTS
705 PERFORM SECURITY INSPECTION OF PACKETS REDIRECTED TO SECURITY COMPONENT
706 FORWARD PACKETS THAT PASS SECURITY INSPECTION
707 PERFORM SECURITY ACTION ON PACKETS THAT FAIL SECURITY INSPECTION


SOFTWARE DEFINED NETWORKING PIPE FOR NETWORK TRAFFIC INSPECTION

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to computer security, and more particularly but not exclusively to software defined networking.

2. Description of the Background Art

Software defined networking (SDN) is an emerging architecture for computer networking. Unlike traditional computer network architectures, SDN separates the control plane from the data plane. This provides many advantages, including relatively fast experimentation and optimization of switching and routing policies. SDN is applicable to both physical (i.e., real) and virtual computer networks.

The OpenFlow™ protocol is an open protocol for remotely controlling forwarding tables of network switches that are enabled for SDN. Generally speaking, the OpenFlow protocol allows direct access to and manipulation of the forwarding plane of network devices, such as switches and routers. A control plane of an OpenFlow™ protocol-compliant computer network (also referred to as an "OpenFlow™ controller") may communicate with OpenFlow™ switches (i.e., network switches that are compliant with the OpenFlow™ protocol) to set flow policies that specify how the switches should manipulate packets of network traffic. Example packet manipulation actions include forwarding a packet to a specific port, modifying one or more fields of the packet, asking the controller for an action to perform on the packet, or dropping the packet.

FIG. 1 shows a schematic diagram of an SDN computer network that is compliant with the OpenFlow™ protocol. Generally speaking, the OpenFlow™ protocol separates the control plane from the data plane. An OpenFlow™ controller serves as a control plane for making forwarding decisions based on flow policies, which may be stored in a flow policy database. The controller determines flow policies in conjunction with network forwarding settings and network topology. The flow policies may contain a condition and a corresponding action to be performed when the condition is met. The action may specify how to manipulate a packet.

An OpenFlow™ switch serves as the data plane that forwards packets, e.g., from an ingress port to an egress port, according to flow tables maintained by the data plane. The data plane is a replacement of traditional switches. When the data plane does not know how to manipulate a specific packet, the data plane may request the controller to receive a flow rule for the specific packet, and store the flow rule in the flow tables. Other packets that meet the same condition as the specific packet will be processed in accordance with the flow rule. The control plane may also actively insert flow rules into the flow tables.

SUMMARY

In one embodiment, a software defined networking (SDN) computer network includes an SDN controller and an SDN switch. The SDN controller inserts flow rules in a flow table of the SDN switch to create an SDN pipe between a sender component and a security component. A broadcast function of the SDN switch to the ports that form the SDN pipe may be disabled. The SDN pipe allows outgoing packets sent by the sender component to be received by the security component. The security component inspects the outgoing packets for compliance with security policies and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection. The SDN controller may also insert a flow rule in the flow table of the SDN switch to bypass inspection of specified packets.

These and other features of the present invention will be readily apparent to persons of ordinary skill in the art upon reading the entirety of this disclosure, which includes the accompanying drawings and claims.

DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a schematic diagram of an SDN computer network that is compliant with the OpenFlow™ protocol.

FIG. 2 shows a schematic diagram of a computer system that may be employed with embodiments of the present invention.

FIGS. 3-5 show schematic diagrams of computer networks that are capable of intercepting network traffic.

FIG. 6 shows a schematic diagram of an SDN computer network in accordance with an embodiment of the present invention.

FIG. 7 schematically illustrates inspection of outgoing packets sent by a sender component in the SDN computer network of FIG. 6 in accordance with an embodiment of the present invention.

FIG. 8 schematically illustrates inspection of incoming packets to be received by a sender component in the SDN computer network of FIG. 6 in accordance with an embodiment of the present invention.

FIG. 9 shows a flow diagram of a computer-implemented method of inspecting network traffic in an SDN computer network in accordance with an embodiment of the present invention.

The use of the same reference label in different drawings indicates the same or like components.

DETAILED DESCRIPTION

In the present disclosure, numerous specific details are provided, such as examples of apparatus, components, and methods, to provide a thorough understanding of embodiments of the invention. Persons of ordinary skill in the art will recognize, however, that the invention can be practiced without one or more of the specific details. In other instances, well-known details are not shown or described to avoid obscuring aspects of the invention.

FIG. 2 shows a schematic diagram of a computer system 100 that may be employed with embodiments of the present invention. The computer system 100 may be employed as a control plane and/or a data plane, for example. As another example, the computer system 100 may be employed to host a virtualization environment that supports a plurality of virtual machines. The computer system 100 may have fewer or more components to meet the needs of a particular application. The computer system 100 may include one or more processors 101. The computer system 100 may have one or more buses 103 coupling its various components. The computer system 100 may include one or more user input devices 102 (e.g., keyboard, mouse), one or more data storage devices 106 (e.g., hard drive, optical disk, Universal Serial Bus memory), a display monitor 104 (e.g., liquid crystal display, flat panel monitor), a computer network interface 105 (e.g., network adapter, modem), and a main memory 108 (e.g., random access memory). The computer network interface 105 may be coupled to a computer network 109.

The computer system 100 is a particular machine as programmed with software modules 110. The software modules
110 comprise computer-readable program code stored non-transitory in the main memory 108 for execution by the processor 101. The computer system 100 may be configured to perform its functions by executing the software modules 110. The software modules 110 may be loaded from the data storage device 106 to the main memory 108. An article of manufacture may be embodied as a computer-readable storage medium including instructions that, when executed by a computer, cause the computer to be operable to perform the functions of the software modules 110.

Network security vendors provide network security services, such as firewall or deep packet inspection (DPI). Generally speaking, to provide network security services, packets of network traffic are intercepted for inspection. One way of intercepting network traffic is to place the security service in the middle of the packet forwarding path. This is illustrated in FIG. 3, where packets from a sender component (e.g., a sender computer) are received in an ingress port of a switch, forwarded to an egress port of the switch, and forwarded to the ingress port of a security component, such as a security service. The security service may inspect the packets, and forward the packets to an egress port of the switch toward the next hop, which may be another switch or a destination component (e.g., destination computer), for example.

Another way of intercepting network traffic is to mirror the packets to be inspected on a switch that provides a vendor-specific mirroring application programming interface (API), as shown in FIG. 4. A user may make an API call such that particular packets that enter the ingress port of the switch are redirected or mirrored to the security service by way of a connection tunnel or a mirror port. The security service may forward the redirected or mirrored packets back to an egress port of the switch after inspection.

In a virtualized computing environment, network traffic from a virtual machine may be intercepted as the network traffic passes through the hypervisor that runs the virtual machines. This is illustrated in FIG. 5, where packets transmitted by virtual machines are intercepted at the virtualization hypervisor for redirection to a security service.

Referring now to FIG. 6, there is shown a schematic diagram of an SDN computer network 600 in accordance with an embodiment of the present invention. In one embodiment, the SDN computer network 600 is compliant with the OpenFlow™ protocol. Accordingly, in one embodiment, the SDN controller 610 comprises an OpenFlow™ controller and the SDN switch 620 comprises an OpenFlow™ switch. The SDN controller 610 and the SDN switch 620 comprise the control plane and data plane, respectively, of the SDN computer network 600. The SDN computer network 600 may have a plurality of SDN switches 620, but only one is shown for clarity of illustration. The SDN controller 610 and the SDN switch 620 are logically separate components.

In one embodiment, the SDN computer network 600 is a virtual computer network that allows for transmission of packets from one virtual machine to another. Accordingly, the SDN controller 610 may comprise a virtual OpenFlow™ controller and the SDN switch 620 may comprise a virtual OpenFlow™ switch. The SDN computer network 600 may be implemented in a computer system comprising one or more computers that host a virtualization environment. For example, the SDN computer network 600 may be implemented in the Amazon Web Services™ virtualization environment. The sender component 622 may be a virtual machine in that embodiment.

The SDN computer network 600 may also be implemented using physical components or a combination of physical and virtual components. For example, the SDN controller 610 may comprise one or more computers that serve as a control plane for the SDN switch 620. In that embodiment, the SDN switch 620 may comprise an SDN-compliant physical network switch, such as an OpenFlow™ protocol-enabled physical network switch. The sender component 622 may be a computer coupled to a port of the physical network switch.

The SDN controller 610 provides a logically centralized framework for controlling the behavior of the SDN computer network 600. This is in marked contrast to traditional computer networks, where the behavior of the computer network is controlled by low-level device configurations of switches and other network devices. The SDN controller 610 may include a flow policy database 611. The flow policy database 611 may comprise flow policies that are enforced by the controller 610 on network traffic transmitted over the SDN computer network 600. The flow policies may specify security policies that govern transmission of packets over the SDN computer network 600. The flow policies may be enforced in terms of flow rules (labeled as 624) that are stored in the flow tables 621 of the SDN switch 620. As a particular example, a flow policy in the flow policy database 611 may indicate inspection of particular packets (e.g., those that meet one or more conditions) by a security service 630. That flow policy may be implemented as a flow rule that forwards the particular packets received in an ingress port 623-1 to the redirect port 623-2 for inspection, for example.

The SDN switch 620 may comprise a plurality of ports 623 (i.e., 623-1, 623-2, 623-3, 623-4, etc.). The SDN switch 620 may forward packets from one port 623 to another port 623 in accordance with flow rules in the flow tables 621. In the example of FIG. 6, the port 623-1 is coupled to a sender component 622. The port 623-1 is referred to as an "ingress port" in that it is a port for receiving outgoing packets sent by the sender component 622. Similarly, the port 623-4 is referred to as an "egress port" in that it is a port for transmitting outgoing packets sent by the sender component 622. It is to be noted that any port 623 may be employed as an "ingress port," "egress port," "redirect port," or "re-inject port." The aforementioned labels are used herein merely to illustrate processing of packets relative to the sender component 622. Packets going in the opposite direction, i.e., incoming packets that are going to the sender component 622, may be received in the egress port 623-4, forwarded to the re-inject port 623-3, received in the redirect port 623-2, and forwarded to the ingress port 623-1 toward the sender component 622.

The SDN switch 620 may comprise one or more flow tables 621. The flow tables 621 may comprise one or more flow rules (labeled as 624) that indicate how to manipulate or process packets that are passing through the SDN switch 620. As a particular example, a flow rule may indicate that a packet received in the ingress port 623-1 is to be forwarded to the redirect port 623-2. Another flow rule may indicate that a packet received in the redirect port 623-2 is to be forwarded to the ingress port 623-1. The just-mentioned pair of flow rules are redirect flow rules that create an SDN pipe between the sender component 622 and the security service 630, allowing the security service 630 to inspect packets sent by or going to the sender component 622. Table 1 shows an example flow table with flow rules that create an SDN pipe between the security service 630 and the sender component 622.

`
`
`US 9,264,400 B1
`
`
`
`
`5
`TABLE 1
`
`
`
`
`TN_PORT
`
`Ingress_port_ID
`
`Redirect_port_ID
`
`
`
`
`
`MAC MAC
`
`sro
`dsr
`
`
`*
`*
`*
`*
`
`.
`IP
`IP
`
`
`sre_det_. - Action
`
`
`
`
`* Redirectport
`*
`
`
`
`* =" Ingress port
`
`
`
`
`
`
`
`Count
`10
`
`10
`
`
`
`6
`The SDN controller 610 may insert flow rules in the flow
`
`
`
`
`
`
`
`
`
`
`
`tables 621 (sce arrow 601) to create an SDN pipe (labeled as
`
`
`
`
`
`
`
`
`
`
`
`
`625) between the sender component 622 and the security
`
`
`
`
`
`
`
`
`
`service 630. The SDN pipe allows outgoing packets sent by
`
`
`
`
`
`
`
`
`
`
`the sender component 622 or incoming packets going to the
`
`
`
`
`
`
`
`
`
`
`sender component 622 to be redirected Lo the securily service
`
`
`
`
`
`
`
`
`
`
`630 for inspection before the packets are sent out ofthe SDN
`
`
`
`
`
`
`
`
`
`
`
`
`switch 620. In one embodiment, the SDN pipe is created by
`
`
`
`
`
`
`
`
`
`
`
`creating a first flow rule that forwards packets received in the
`
`
`
`
`
`
`
`
`
`
`ingress port 623-1 to the redirect port 623-2, and a second
`
`
`
`
`
`
`
`
`
`
`
`flow rule that forwards packets received in the redirect port
`
`
`
`
`
`
`
`
`
`
`623-2 to the ingress port 623-1.
`
`
`
`
`
`
`Once outgoing packets from the sender component 622 are
`
`
`
`
`
`
`
`
`
`inspected by the security service 630 and re-injected by the
`
`
`
`
`
`
`
`
`
`
`security service 630 back into the SDN switch 620 through
`
`
`
`
`
`
`
`
`
`
`the re-inject port 623-3 and then forwarded out to the egress
`
`
`
`
`
`
`
`
`
`
`
`port 623-4, the I.2 switching logic of the SDN computer
`
`
`
`
`
`
`
`
`
`
`network 600 (which is controlled by the SDN controller 610)
`
`
`
`
`
`
`
`
`
`
`remembers that packets destined for the sender component
`
`
`
`
`
`
`
`
`622 and entering the SDN switch 620 by wayof the egress
`
`
`
`
`
`
`
`
`
`
`
`
`port 623-4 are to be forwarded to the re-inject port 623-3. This
`
`
`
`
`
`
`
`
`
`
`
`
`allowsthe security service 630 to also receive incoming pack-
`
`
`
`
`
`
`
`
`
`ets going to the sender component 622 for inspection.
`
`
`
`
`
`
`
`
`
`In one embodiment, the creation of the SDN pipe also
`
`
`
`
`
`
`
`
`
`
`includes disabling the broadcast function of the SDN switch
`
`
`
`
`
`
`
`
`
`620 to the ingress port 623-1 and the redirect port 623-2. That
`
`
`
`
`
`
`
`
`
`
`
`
`is, packets that are broadcastto all ports of the SDN switch
`
`
`
`
`
`
`
`
`
`
`
`
`620 will not be sent to the ports that form the SDN pipe.
`
`
`
`
`
`
`
`
`
`
`
`
`
`Instead, packets that are broadcasted by the SDN switch 620
`
`
`
`
`
`
`
`
`
`
`are received by the security service 630 only through the
`
`
`
`
`
`
`
`
`
`
`re-inject port 623-3, and forwarded by the security service
`
`
`
`
`
`
`
`
`
`630 to the sender component 622 by way of the SDNpipe
`
`
`
`
`
`
`
`
`
`
`
`
`between the ingress port 623-1 and the redirect port 623-2.
`
`
`
`
`
`
`
`
`
`
`The sender component 622 reccives broadcast packets only
`
`
`
`
`
`
`
`
`from the security service 630 in that embodiment. In one
`
`
`
`
`
`
`
`
`
`
`embodiment, the SDN controller 610 disables the broadcast
`
`
`
`
`
`
`
`
`function to the ports forming the SDN pipe using the Open
`
`
`
`
`
`
`
`
`
`
`
`vSwitch!™database (OVSDB) management protocol, which
`
`
`
`
`
`
`is an OpenFlow™configuration protocol.
`
`
`
`
`
`After the redirect flow rules for creating the SDN pipe are
`
`
`
`
`
`
`
`
`
`
`
`inserted in the flow tables 621, any packet received by the
`
`
`
`
`
`
`
`
`
`
`
`SDNswitch 620 in the ingress port 623-1 will be identified as
`
`
`
`
`
`
`
`
`
`
`
`
`to be forwarded to the redirect port 623-2, and any packet
`
`
`
`
`
`
`
`
`
`
`
`received by the SDN switch 620 in the redirect port 623-2 will
`
`
`
`
`
`
`
`
`
`
`
`
`beidentified as to be forwarded to the ingress port 623-1 (see
`
`
`
`
`
`
`
`
`
`
`
`
`arrow 602). This allows the security service 630 to receive
`
`
`
`
`
`
`
`
`
`
`fromthe redirect port 623-2 all outgoing packets sent by the
`
`
`
`
`
`
`
`
`
`
`
`sender component 622 to the ingress port 623-1. The security
`
`
`
`
`
`
`
`
`
`
`service 630 may inspect the outgoing packets for compliance
`
`
`
`
`
`
`
`
`
`with security policies. The security service 630 maydrop, or
`
`
`
`
`
`
`
`
`
`
`perform other security response, to packets that do not pass
`
`
`
`
`
`
`
`
`
`
`inspection (e.g., packets that do not meet firewall policies,
`
`
`
`
`
`
`
`
`
`packets containing prohibited payload, packets with mali-
`
`
`
`
`
`
`cious content, etc.). The security service 630 may forward
`
`
`
`
`
`
`
`
`
`those packets that pass inspection towardtheir destination by
`
`
`
`
`
`
`
`
`
`re-injecting the packets back into the SDN switch 620 by way
`
`
`
`
`
`
`
`
`
`
`
`ofthe re-inject port 623-3. Once back in the SDN switch 620
`
`
`
`
`
`
`
`
`
`
`
`
`by wayofthe re-inject port 623-3, the flowrulesthat govern
`
`
`
`
`
`
`
`
`
`
`
`
`packets received in the ingress port 623-1 andthe redirect port
`
`
`
`
`
`
`
`
`
`
`
`623-2 no longer apply. Accordingly, the re-injected packets
`
`
`
`
`
`
`
`
`are forwarded to the egress port 623-4 (or some other port)
`
`
`
`
`
`
`
`
`
`
`
`toward the next hop in accordance with the L2 switching logic
`
`
`
`
`
`
`
`
`
`
`
`of the SDN computer network 600.
`
`
`
`
`
`
`Incoming packets to the sender component 622 that enter
`
`
`
`
`
`
`
`
`
`the SDN switch 620 onthe egress port 623-4 are forwarded to
`
`
`
`
`
`
`
`
`
`
`
`
`the re-inject port 623-3 in accordance with the L2 switching
`
`
`
`
`
`
`
`
`
`
`logic of the SDN computer network 600. The securily service
`
`
`
`
`
`
`
`
`
`
`
`5
`
`
`
`a a
`
`
`
`
`
`ty
`
`
`
`Nva
`
`
`
`wa
`
`
`
`
`
`AC
`
`
`
`4.th
`
`
`
`wa
`
`
`
`
`
`Qa
`
`
`
`
`
`Exhibit 1005
`Cisco v. Orckit — IPR2023-00554
`Page 12 of 15
`
A flow table may include columns that indicate one or more conditions, a column that indicates an action to take when the conditions are met, and a column for statistics. A row on the flow table may comprise a flow rule. In the example of Table 1, the "Action" column indicates an action to take when conditions are met, and the "Count" column indicates statistics, such as byte count. The rest of the columns of Table 1 indicate conditions. For example, "IN_PORT", "MAC src" (media access control (MAC) address of the source of the packet), "MAC dst" (MAC address of the destination of the packet), "IP src" (Internet Protocol (IP) address of the source of the packet), "IP dst" (IP address of the destination of the packet), etc. are conditions that identify a particular packet. When the conditions are met, i.e., the particular packet is identified, the action indicated in the corresponding "Action" column is performed on the packet. The asterisks in Table 1 indicate an irrelevant condition.

In the example of Table 1, the first and second rows are redirect flow rules for forming an SDN pipe between the sender component 622 and the security service 630. More specifically, the first row of Table 1 is a flow rule instructing the SDN switch 620 to forward packets received in a port having the Ingress_port_ID (e.g., ingress port 623-1) to the redirect port (e.g., redirect port 623-2). Similarly, the second row of Table 1 is a flow rule instructing the SDN switch 620 to forward packets received in a port having a "Redirect port_ID" to the ingress port.
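
The flow-table semantics and the two redirect rules described above, together with the re-inject and L2 forwarding behaviour described earlier, as an added example that is not the patent's own code: a small Python simulation of the SDN switch 620 with its four ports, the two rows of Table 1 (matching on IN_PORT with the remaining columns wildcarded, as the asterisks indicate), a byte counter per rule for the "Count" column, an L2 learning-switch fallback for packets that match no rule, and a security service that drops packets failing a constructed policy and re-injects the rest. The port numbers, the two rules and the re-inject path follow the text; everything else is assumed for the example: the inspection policy (the flow must involve TCP 80 or 443 and carry no prohibited marker), the MAC and IP addresses, a next-hop MAC already learned on the egress port, that the L2 logic learns addresses only on a table miss, and that a packet the service received on the re-inject port goes back into the switch through the redirect port so that the second rule carries it to the ingress port.

```python
from collections import namedtuple
from dataclasses import dataclass

INGRESS, REDIRECT, REINJECT, EGRESS = "623-1", "623-2", "623-3", "623-4"
ALL_PORTS = (INGRESS, REDIRECT, REINJECT, EGRESS)
ANY = "*"  # an asterisk in Table 1: the condition is irrelevant
SENDER, NEXT_HOP = "00:00:00:00:00:01", "00:00:00:00:00:02"  # constructed MACs

Packet = namedtuple("Packet", "in_port mac_src mac_dst ip_src ip_dst tcp_src tcp_dst payload")

@dataclass
class FlowRule:
    """One row of the flow table: match conditions, an Action and a Count."""
    in_port: str = ANY
    mac_src: str = ANY
    mac_dst: str = ANY
    ip_src: str = ANY
    ip_dst: str = ANY
    out_port: str = ""  # "Action" column: output to this port
    count: int = 0      # "Count" column: bytes matched so far

    def matches(self, p):
        conds = ((self.in_port, p.in_port), (self.mac_src, p.mac_src),
                 (self.mac_dst, p.mac_dst), (self.ip_src, p.ip_src),
                 (self.ip_dst, p.ip_dst))
        return all(c == ANY or c == v for c, v in conds)

def table_1():
    """Rows 1 and 2 of Table 1: the redirect rules that form the SDN pipe."""
    return [FlowRule(in_port=INGRESS, out_port=REDIRECT),
            FlowRule(in_port=REDIRECT, out_port=INGRESS)]

class SdnSwitch:
    def __init__(self, rules):
        self.rules = rules
        self.mac_table = {}  # MAC -> port, filled only by the L2 logic

    def forward(self, p):
        """Output ports for p: the first matching rule wins, else L2 switching."""
        for rule in self.rules:
            if rule.matches(p):
                rule.count += len(p.payload)
                return [rule.out_port]
        # Table miss: learning-switch logic (assumed to learn only here). Rule 1 takes
        # everything arriving on the ingress port, so the sender's MAC is learned on the
        # re-inject port; that is why replies entering on the egress port go there.
        self.mac_table[p.mac_src] = p.in_port
        out = self.mac_table.get(p.mac_dst)
        return [out] if out else [q for q in ALL_PORTS if q != p.in_port]

class SecurityService:
    """Inspection VM on the redirect and re-inject ports (constructed policy)."""
    SERVICE_PORTS = {80, 443}  # the flow must involve TCP 80 or 443 ...
    PROHIBITED = b"EICAR"      # ... and carry no prohibited marker

    def inspect(self, p, arrived_on):
        """Return the packet as re-injected into the switch, or None if dropped."""
        if not ({p.tcp_src, p.tcp_dst} & self.SERVICE_PORTS) or self.PROHIBITED in p.payload:
            return None
        # Assumption: a passed packet re-enters the switch through the pipe's other port.
        return p._replace(in_port=REINJECT if arrived_on == REDIRECT else REDIRECT)

class SdnNetwork:
    def __init__(self):
        self.switch = SdnSwitch(table_1())
        self.service = SecurityService()

    def send(self, p):
        """Carry p until it leaves on the ingress or egress port, is dropped or
        would be flooded; return the hop trace."""
        trace = [f"in:{p.in_port}"]
        for _ in range(8):  # hop bound guards against a forwarding loop
            outs = self.switch.forward(p)
            if len(outs) != 1:
                trace.append("flood:" + ",".join(outs))
                return trace
            trace.append(f"out:{outs[0]}")
            if outs[0] in (INGRESS, EGRESS):
                return trace
            p = self.service.inspect(p, outs[0])  # redirect or re-inject port
            if p is None:
                trace.append("dropped")
                return trace
            trace.append(f"in:{p.in_port}")
        raise RuntimeError("forwarding loop")

def run_scenario():
    """Constructed traffic: a request, its reply, and a prohibited packet."""
    net = SdnNetwork()
    net.switch.mac_table[NEXT_HOP] = EGRESS  # assumed learned from earlier traffic
    request = Packet(INGRESS, SENDER, NEXT_HOP, "10.0.0.5", "93.184.216.34", 40001, 443, b"GET / HTTP/1.1")
    reply = Packet(EGRESS, NEXT_HOP, SENDER, "93.184.216.34", "10.0.0.5", 443, 40001, b"HTTP/1.1 200 OK")
    bad = Packet(INGRESS, SENDER, NEXT_HOP, "10.0.0.5", "93.184.216.34", 40002, 23, b"EICAR test payload")
    return {"request": net.send(request), "reply": net.send(reply), "bad": net.send(bad)}, net

if __name__ == "__main__":
    for name, hops in run_scenario()[0].items():
        print(f"{name:8s} {' -> '.join(hops)}")
```

Running the module prints the three hop traces: the request goes ingress, redirect, re-inject, egress; the reply goes egress, re-inject, redirect, ingress; the prohibited packet is dropped at the security service. The learning detail is what makes the reverse direction work: because rule 1 short-circuits everything arriving on the ingress port, the sender's MAC is learned on the re-inject port, so the reply entering on the egress port is forwarded to the re-inject port as the text describes, and nothing reaches the sender without passing the security service. The hop bound in send() is the check a practitioner wants here: a mistaken rule that returned re-injected packets to the redirect port would otherwise loop forever.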

The SDN computer network 600 may include a security component in the form of the security service 630. The security service 630 may comprise a virtual machine that provides