Abstract:
Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.
Abstract:
A method may include counting the number of times each of a plurality of entries in a content addressable memory (CAM) matches one or more searches; grouping entries in the CAM into a first subset and a second subset based on the number of times each of the plurality of entries in the CAM matches one or more searches; and searching the first subset for a matching entry and, if no matching entry is found, searching the second subset for the matching entry.
Abstract:
Methods for performing packet classification via prefix pair bit vectors. Unique prefix pairs in an access control list (ACL) are identified, with each prefix pair comprising a unique combination of a source prefix and a destination prefix. Corresponding prefix pair bit vectors (PPBVs) are defined for each unique source prefix and unique destination prefix in the ACL, with each PPBV including a string of bits and each bit position in the string associated with a corresponding prefix pair. A list of transport field value combinations is associated with each prefix pair based on corresponding entries in the ACL. During packet-processing operations, PPBV lookups are made using the source and destination prefix header values, and the PPBVs are logically ANDed to identify applicable prefix pairs. A search is then performed on the transport field value combinations corresponding to the applicable prefix pairs and the packet header to identify the highest-priority rule.
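The prefix pair bit vector scheme in the abstract above, as an added example that is not code from the patent: a constructed five-rule ACL is turned into one bit per unique (source prefix, destination prefix) pair, a PPBV per unique source and destination prefix, and a per-pair list of transport field values; classification ORs the PPBVs of every prefix covering each address, ANDs the two sides to find applicable pairs, then searches only those pairs' transport lists for the highest-priority rule.

```python
import ipaddress
from collections import defaultdict

# Constructed ACL, not from the patent: (src_prefix, dst_prefix, proto, dst_port, action),
# listed in priority order so the lowest rule index is the highest-priority rule.
ACL = [
    ("10.0.0.0/8",  "192.168.1.0/24", "tcp", 22,  "deny"),
    ("10.1.0.0/16", "192.168.1.0/24", "tcp", 443, "permit"),
    ("10.0.0.0/8",  "192.168.1.0/24", "tcp", 443, "deny"),
    ("0.0.0.0/0",   "192.168.0.0/16", "udp", 53,  "permit"),
    ("10.1.0.0/16", "0.0.0.0/0",      "tcp", 80,  "permit"),
]

def build_ppbv_tables(acl):
    """Give each unique (src, dst) prefix pair one bit position, then build the
    source and destination PPBVs and the per-pair transport field lists."""
    pair_bit = {}                   # (src_prefix, dst_prefix) -> bit position
    transport = defaultdict(list)   # bit position -> [(proto, dst_port, rule_id)]
    for rule_id, (src, dst, proto, port, _) in enumerate(acl):
        bit = pair_bit.setdefault((src, dst), len(pair_bit))
        transport[bit].append((proto, port, rule_id))
    src_ppbv, dst_ppbv = defaultdict(int), defaultdict(int)
    for (src, dst), bit in pair_bit.items():
        src_ppbv[ipaddress.ip_network(src)] |= 1 << bit
        dst_ppbv[ipaddress.ip_network(dst)] |= 1 << bit
    return src_ppbv, dst_ppbv, transport

def covering_vector(ppbv, ip):
    """OR the PPBVs of every prefix containing ip, so rules on shorter prefixes are not lost."""
    vec = 0
    for net, bits in ppbv.items():
        if ip in net:
            vec |= bits
    return vec

def classify(acl, tables, src_ip, dst_ip, proto, port):
    """Return (rule_id, action) of the highest-priority matching rule, or None."""
    src_ppbv, dst_ppbv, transport = tables
    applicable = (covering_vector(src_ppbv, ipaddress.ip_address(src_ip))
                  & covering_vector(dst_ppbv, ipaddress.ip_address(dst_ip)))
    best, bit = None, 0
    while applicable:                  # walk the set bits = applicable prefix pairs
        if applicable & 1:
            for p, pt, rule_id in transport[bit]:
                if p == proto and pt == port and (best is None or rule_id < best):
                    best = rule_id
        applicable >>= 1
        bit += 1
    return None if best is None else (best, acl[best][4])
```

Rules 1 and 2 both match a 10.1.x.x host on tcp/443 through different prefix pairs, which is why the final step must still pick the lowest rule index rather than the first set bit.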
Abstract:
Methods for performing packet classification via partitioned bit vectors. Rules in an access control list (ACL) are partitioned into a plurality of partitions, wherein each partition is defined by a meta-rule comprising a set of filter dimension ranges and/or values covering the rules in that partition. Filter data structures comprising rule bit vectors are then built, each including multiple filter entries defining packet header filter criteria corresponding to one or more filter dimensions. Partition bit vectors identifying, for each filter entry, any partition having a meta-rule defining a filter dimension range or value that covers that entry's packet header filter criteria are also generated and stored in a corresponding data structure.
Abstract:
Methods for performing packet classification. In one embodiment, packets are classified using a rule bit vector optimization scheme, wherein original rule bit vectors in recursive flow classification (RFC) chunks are optimized by removing useless bits that have no effect on the ultimate rule identified by an associated RFC lookup process. The unique optimized rule bit vectors for associated chunks are then cross-producted to produce an optimized downstream chunk. In another embodiment, a rule database splitting scheme is employed. Under this technique, split criteria are defined to split a rule database, such as splitting based on a particular field value or range. A respective set of downstream chunks is then generated for each partition, beginning with the chunks in a split phase. The applicable rule bit vectors for the chunks associated with a common group and partition are identified, and then the unique applicable rule bit vectors for those chunks are cross-producted to produce downstream chunks.