公开(公告)号：US11095518B2

公开(公告)日：2021-08-17

申请号：US16721274

申请日：2019-12-19

Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP

Inventor： Ying Zhang ,  Jeongkeun Lee ,  Puneet Sharma ,  Joon-Myung Kang

IPC: H04L12/26 ,  H04L12/46 ,  H04L12/801 ,  H04L12/24 ,  H04L12/813 ,  H04L12/851 ,  H04L12/715 ,  H04L12/721

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant. The verification module generates an alarm if determined that the flow rule violates any of the network invariants.

公开(公告)号：US20170222873A1

公开(公告)日：2017-08-03

申请号：US15500628

申请日：2014-11-06

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Jung Gun Lee ,  Chaithan M. Prakash ,  Charles F. Clark ,  Dave Lenrow ,  Yoshio Turner ,  Sujata Banerjee ,  Yadi Ma ,  Joon-Myung Kang ,  Puneet Sharma

IPC: H04L12/24

CPC classification number: H04L41/0803 ,  H04L12/6418 ,  H04L41/085 ,  H04L41/0893 ,  H04L41/12

Abstract: Example implementations disclosed herein can be used to generate composite network policy graphs based on multiple network policy graphs input by network users that may have different goals for the network. The resulting composite network policy graph can be used to program a network so that it meets the requirements necessary to achieve the goals of at least some of the network users. In one example implementation, a method can include receiving multiple network policy graphs, generating composite endpoint groups based on relationships between endpoint groups and policy graph sources, generating composite paths based on the relationships between the endpoints and the network policy graphs, generating a composite network policy graph based on the composite endpoint groups and the composite paths, and analyzing the composite network policy graph to determine conflicts or errors.

公开(公告)号：US20200136917A1

公开(公告)日：2020-04-30

申请号：US16176905

申请日：2018-10-31

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Joon-Myung Kang ,  Huazhe Wang ,  Puneet Sharma

IPC: H04L12/24 ,  H04L29/12 ,  H04L29/06

Abstract: Example method includes: identifying three relationships about a network function in an intent-based stateful network—(1) the network function forwarding a network packet implies that at least one previous network packet was received by the network function in the same direction prior to the network packet is forwarded, (2) an established state in the network function implies that at least one previous network packet was received at the network function, (3) the network function receiving the network packet as a downward network function implies the network packet was previously sent by a second network function acting as an upward network function; encoding the network function using a combination of at least one of the three identified relationships; and verifying a plurality of network intents in the intent-based stateful network based at least in part on the encoding of the network function.

公开(公告)号：US10992520B2

公开(公告)日：2021-04-27

申请号：US15500628

申请日：2014-11-06

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Junggun Lee ,  Chaithan M. Prakash ,  Charles F. Clark ,  Dave Lenrow ,  Yoshio Turner ,  Sujata Banerjee ,  Yadi Ma ,  Joon-Myung Kang ,  Puneet Sharma

IPC: G06F15/177 ,  H04L12/24 ,  H04L12/64

Abstract: Example implementations disclosed herein can be used to generate composite network policy graphs based on multiple network policy graphs input by network users that may have different goals for the network. The resulting composite network policy graph can be used to program a network so that it meets the requirements necessary to achieve the goals of at least some of the network users. In one example implementation, a method can include receiving multiple network policy graphs, generating composite endpoint groups based on relationships between endpoint groups and policy graph sources, generating composite paths based on the relationships between the endpoints and the network policy graphs, generating a composite network policy graph based on the composite endpoint groups and the composite paths, and analyzing the composite network policy graph to determine conflicts or errors.

公开(公告)号：US20200186429A1

公开(公告)日：2020-06-11

申请号：US16721274

申请日：2019-12-19

Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP

Inventor： Ying Zhang ,  Jeongkeun Lee ,  Puneet Sharma ,  Joon-Myung Kang

IPC: H04L12/24 ,  H04L12/813 ,  H04L12/851

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant. The verification module generates an alarm if determined that the flow rule violates any of the network invariants.

公开(公告)号：US20180077037A1

公开(公告)日：2018-03-15

申请号：US15261701

申请日：2016-09-09

Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP

Inventor： Ying Zhang ,  Sujata Banerjee ,  Joon-Myung Kang

IPC: H04L12/26 ,  H04L29/06 ,  H04L29/12 ,  H04L12/803 ,  H04L29/08 ,  H04L12/66 ,  G06F17/30

CPC classification number: H04L43/0817 ,  G06F16/951 ,  H04L12/66 ,  H04L41/024 ,  H04L41/0866 ,  H04L43/18 ,  H04L61/2514

Abstract: In some examples, a system can verify a network function by inquiring a model using a query language is described. In some examples, the system can include at least a memory and a processor coupled to the memory. The processor can execute instructions stored in the memory to transmit a plurality of packets into at least one network function that is unverifiable; describe the at least one network function using a model comprising a set of match action rules and a state machine; inquire the model using a query language comprising a temporal logic to obtain a query result indicating an expected behavior of the plurality of packets; and verify the at least one network function based on the query result and the expected behavior of the plurality of packets.

公开(公告)号：US10958547B2

公开(公告)日：2021-03-23

申请号：US15261701

申请日：2016-09-09

Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP

Inventor： Ying Zhang ,  Sujata Banerjee ,  Joon-Myung Kang

IPC: G06F16/00 ,  H04L12/26 ,  H04L12/66 ,  G06F16/951 ,  H04L29/12 ,  H04L12/24

Abstract: In some examples, a system can verify a network function by inquiring a model using a query language is described. In some examples, the system can include at least a memory and a processor coupled to the memory. The processor can execute instructions stored in the memory to transmit a plurality of packets into at least one network function that is unverifiable; describe the at least one network function using a model comprising a set of match action rules and a state machine; inquire the model using a query language comprising a temporal logic to obtain a query result indicating an expected behavior of the plurality of packets; and verify the at least one network function based on the query result and the expected behavior of the plurality of packets.

公开(公告)号：US10771342B2

公开(公告)日：2020-09-08

申请号：US16176905

申请日：2018-10-31

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Joon-Myung Kang ,  Huazhe Wang ,  Puneet Sharma

IPC: H04L29/06 ,  H04L12/24 ,  H04L29/12

Abstract: Example method includes: identifying three relationships about a network function in an intent-based stateful network—(1) the network function forwarding a network packet implies that at least one previous network packet was received by the network function in the same direction prior to the network packet is forwarded, (2) an established state in the network function implies that at least one previous network packet was received at the network function, (3) the network function receiving the network packet as a downward network function implies the network packet was previously sent by a second network function acting as an upward network function; encoding the network function using a combination of at least one of the three identified relationships; and verifying a plurality of network intents in the intent-based stateful network based at least in part on the encoding of the network function.

公开(公告)号：US10567384B2

公开(公告)日：2020-02-18

申请号：US15686552

申请日：2017-08-25

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Joon-Myung Kang ,  Mario Antonio Sanchez ,  Ying Zhang ,  Anu Mercian ,  Raphael Amorim Dantas Leite ,  Sujata Banerjee

IPC: H04L29/06 ,  G06F21/57 ,  G06F21/60 ,  H04L12/26

Abstract: Example method includes: receiving, by a network device, a plurality of input policy graphs and a composed policy graph associated with the input policy graphs; dividing the composed policy graph into a plurality of sub-graphs, each sub-graph comprising a plurality of edges and a plurality of source nodes and destination nodes that the edges are connected to; selecting a first subset of sub-graphs that include, as a source node, a disjoint part of an original source EPG for each input policy graph; identifying a second subset within the first subset of sub-graphs that include, as a destination node, a disjoint part of an original destination EPG for the each input policy graph; and verifying whether connectivity in the composed policy graph reflects a corresponding policy in the plurality of input policy graphs for each sub-graph in the second subset.

公开(公告)号：US10541873B2

公开(公告)日：2020-01-21

申请号：US15775378

申请日：2015-11-20

Applicant: Hewlett Packard Enterprise Development LP

Inventor： Ying Zhang ,  Jeongkeun Lee ,  Puneet Sharma ,  Joon-Myung Kang

IPC: H04L12/24 ,  H04L12/813 ,  H04L12/851 ,  H04L12/715 ,  H04L12/721

Abstract: Example implementations relate to determining whether network invariants are violated by flow rules to be implemented by the data plane of a network. In an example, a verification module implemented on a device receives a flow rule transmitted from an SDN controller to a switch, the flow rule relating to an event. The module determines whether the flow rule matches any of a plurality of network invariants cached in the device. If determined that the flow rule matches one of the plurality of network invariants, the verification module determines whether the flow rule violates the matched network invariant. If determined that the flow rule does not match any of the plurality of network invariants, the verification module (1) reports the event associated with the flow rule to a policy management module, (2) receives a new network invariant related to the event from the policy management module, and (3) determines whether the flow rule violates the new network invariant. The verification module generates an alarm if determined that the flow rule violates any of the network invariants.