WO2008100729A3 - Automatic discovery of blocking access-list id and match statements in a network - Google Patents

Automatic discovery of blocking access-list id and match statements in a network

Info

Publication number
WO2008100729A3
WO2008100729A3 (PCT/US2008/052971)
Authority
WO
WIPO (PCT)
Prior art keywords
list
network
blocking access
automatic discovery
packet
Prior art date
Application number
PCT/US2008/052971
Other languages
French (fr)
Other versions
WO2008100729A2 (en)
Inventor
Benoit Claise
Emmanuel Tychon
Original Assignee
Cisco Tech Inc
Benoit Claise
Emmanuel Tychon
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cisco Tech Inc, Benoit Claise, Emmanuel Tychon
Priority to EP08728973A (EP2127220B1)
Priority to CN2008800046718A (CN101606357B)
Priority to AT08728973T (ATE504999T1)
Priority to DE602008006048T (DE602008006048D1)
Publication of WO2008100729A2
Publication of WO2008100729A3

Links

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L63/101 Access control lists [ACL]
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                • H04L43/00 Arrangements for monitoring or testing data switching networks
                    • H04L43/50 Testing arrangements
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/02 Standardisation; Integration
                        • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
                    • H04L41/04 Network management architectures or arrangements
                        • H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
                    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
                        • H04L41/5003 Managing SLA; Interaction between SLA and QoS

Abstract

In one embodiment, a method can include: (i) receiving an incoming probe packet in a network device; (ii) de-encapsulating the incoming probe packet to provide a packet content portion and a drop result portion; (iii) testing the packet content portion against a local access control list (ACL) to determine a local drop result; and (iv) inserting the local drop result and encapsulating an outgoing probe packet.
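The four steps in the abstract, as an added simulation in Python (example code written for this page, not from the patent or from Cisco). It assumes JSON as the probe encapsulation and a simplified first-match ACL model with implicit deny; the names `AclEntry`, `process_probe`, `run_path` and `first_blocking_hop`, the device names R1 to R3, the ACL ids `101` and `OUTSIDE-IN`, and the addresses and ports are all constructed for the example. The point it shows is that the probe itself is never dropped: each hop only records what its local ACL would have done to the packet-content portion, so the final drop-result portion names the hop, ACL id and match statement that would block the real flow.

```python
"""Added simulation (not from the patent or from Cisco) of the probe mechanism in the
abstract: every device on the path de-encapsulates the probe, tests the packet-content
portion against its local ACL, appends its local drop result and re-encapsulates."""
import json
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    acl_id: str
    seq: int                     # sequence number of the match statement
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # source prefix, CIDR
    dst: str                     # destination prefix, CIDR
    dport: Optional[int] = None  # None matches any destination port


Acl = List[AclEntry]
Hop = Tuple[str, Acl]            # (device name, ACL applied on that device)


def _matches(entry: AclEntry, pkt: Dict) -> bool:
    """Simplified match: protocol, source/destination prefix, destination port."""
    if entry.proto != "ip" and entry.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(entry.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(entry.dst):
        return False
    return entry.dport is None or entry.dport == pkt.get("dport")


def evaluate_acl(acl: Acl, pkt: Dict) -> Dict:
    """Step (iii): the local drop result. First matching statement wins; an ACL with
    no matching statement denies implicitly; a hop with no ACL permits."""
    if not acl:
        return {"dropped": False, "acl_id": None, "seq": None}
    for entry in sorted(acl, key=lambda e: e.seq):
        if _matches(entry, pkt):
            return {"dropped": entry.action == "deny", "acl_id": entry.acl_id, "seq": entry.seq}
    return {"dropped": True, "acl_id": acl[0].acl_id, "seq": None}  # implicit deny


def process_probe(device: str, acl: Acl, probe_bytes: bytes) -> bytes:
    """Steps (i)-(iv) on one device. JSON is the assumed probe encapsulation."""
    probe = json.loads(probe_bytes)                            # (ii) de-encapsulate
    content, drop_results = probe["content"], probe["drop_results"]
    result = dict(evaluate_acl(acl, content), device=device)   # (iii) test against local ACL
    drop_results.append(result)                                # (iv) insert local drop result
    return json.dumps({"content": content, "drop_results": drop_results}).encode()


def run_path(path: List[Hop], flow: Dict) -> List[Dict]:
    """Send one probe through every hop and return the accumulated drop-result portion."""
    probe = json.dumps({"content": flow, "drop_results": []}).encode()
    for device, acl in path:
        probe = process_probe(device, acl, probe)
    return json.loads(probe)["drop_results"]


def first_blocking_hop(drop_results: List[Dict]) -> Optional[Dict]:
    """The hop (with ACL id and statement) that would drop the real flow, or None."""
    return next((r for r in drop_results if r["dropped"]), None)


# Constructed sample path and flow (not from the patent).
SAMPLE_PATH: List[Hop] = [
    ("R1", [AclEntry("101", 10, "permit", "tcp", "10.1.0.0/16", "192.0.2.0/24", 443),
            AclEntry("101", 20, "permit", "ip", "10.0.0.0/8", "0.0.0.0/0")]),
    ("R2", []),                                                # no ACL on this hop
    ("R3", [AclEntry("OUTSIDE-IN", 10, "deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 22),
            AclEntry("OUTSIDE-IN", 20, "permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]),
]
SAMPLE_FLOW = {"proto": "tcp", "src": "10.1.5.7", "dst": "192.0.2.10", "dport": 22}

if __name__ == "__main__":
    results = run_path(SAMPLE_PATH, SAMPLE_FLOW)
    for r in results:
        print(r)
    print("blocking hop:", first_blocking_hop(results))
```

Running it reports a permit at R1 (ACL 101, statement 20), no ACL at R2, and a deny at R3 (ACL OUTSIDE-IN, statement 10); changing the flow's destination port to 443 yields no blocking hop. A real implementation would need the probe to be authenticated so that an untrusted source cannot use it to map a network's filtering policy, and would report per-interface direction as well as ACL id, neither of which the abstract covers.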

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP08728973A EP2127220B1 (en) 2007-02-14 2008-02-05 Automatic discovery of blocking access-list id and match statements in a network
CN2008800046718A CN101606357B (en) 2007-02-14 2008-02-05 Automatic discovery of blocking access-list ID and match statements in a network
AT08728973T ATE504999T1 (en) 2007-02-14 2008-02-05 AUTOMATIC DISCOVERY OF BLOCKED ACCESS LIST ID AND MATCH NOTIFICATIONS ON A NETWORK
DE602008006048T DE602008006048D1 (en) 2007-02-14 2008-02-05 AUTOMATIC DISCOVERY OF BLOCKED ACCESS LIST ID AND CONFORMITY NOTIFICATIONS IN A NETWORK

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/706,087 2007-02-14
US11/706,087 US7817571B2 (en) 2007-02-14 2007-02-14 Automatic discovery of blocking access-list ID and match statements in a network

Publications (2)

Publication Number Publication Date
WO2008100729A2 (en) 2008-08-21
WO2008100729A3 (en) 2008-11-13

Family

ID=39685714

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2008/052971 WO2008100729A2 (en) 2007-02-14 2008-02-05 Automatic discovery of blocking access-list id and match statements in a network

Country Status (6)

Country Link
US (1) US7817571B2 (en)
EP (1) EP2127220B1 (en)
CN (1) CN101606357B (en)
AT (1) ATE504999T1 (en)
DE (1) DE602008006048D1 (en)
WO (1) WO2008100729A2 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8385207B2 (en) * 2008-05-27 2013-02-26 International Business Machines Corporation Method and apparatus for end-to-end network congestion management
US8149721B2 (en) * 2008-12-08 2012-04-03 Advantest Corporation Test apparatus and test method
EP2410698B1 (en) * 2010-07-19 2014-05-07 Alcatel Lucent A method for routing and associated routing device and destination device
US9264320B1 (en) 2014-06-17 2016-02-16 Ca, Inc. Efficient network monitoring
US9985861B2 (en) * 2014-10-13 2018-05-29 Cisco Technology, Inc. SGT feature trace using netflow
US11283696B2 (en) 2014-11-19 2022-03-22 British Telecommunications Public Limited Company Diagnostic testing in networks
US10505899B1 (en) * 2017-08-14 2019-12-10 Juniper Networks, Inc Apparatus, system, and method for applying firewall rules on packets in kernel space on network devices
US10868748B1 (en) * 2018-09-27 2020-12-15 Amazon Technologies, Inc. Testing forwarding states on multiple pipelines of a network device
US11539668B2 (en) * 2020-06-03 2022-12-27 Juniper Networks, Inc. Selective transport layer security encryption

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5935268A (en) * 1997-06-03 1999-08-10 Bay Networks, Inc. Method and apparatus for generating an error detection code for a modified data packet derived from an original data packet
US6651096B1 (en) * 1999-04-20 2003-11-18 Cisco Technology, Inc. Method and apparatus for organizing, storing and evaluating access control lists
US6662223B1 (en) * 1999-07-01 2003-12-09 Cisco Technology, Inc. Protocol to coordinate network end points to measure network latency
US7336660B2 (en) 2002-05-31 2008-02-26 Cisco Technology, Inc. Method and apparatus for processing packets based on information extracted from the packets and context indications such as but not limited to input interface characteristics
US7349382B2 (en) * 2002-08-10 2008-03-25 Cisco Technology, Inc. Reverse path forwarding protection of packets using automated population of access control lists based on a forwarding information base
US7346706B2 (en) * 2003-05-02 2008-03-18 Alcatel Equivalent multiple path traffic distribution in communications networks
US7304996B1 (en) * 2004-03-30 2007-12-04 Extreme Networks, Inc. System and method for assembling a data packet
GB2422507A (en) 2005-01-21 2006-07-26 3Com Corp An intrusion detection system using a plurality of finite state machines
US7389377B2 (en) 2005-06-22 2008-06-17 Netlogic Microsystems, Inc. Access control list processor
US20070055789A1 (en) * 2005-09-08 2007-03-08 Benoit Claise Method and apparatus for managing routing of data elements

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ADEL EL-ATAWY ET AL: "An Automated Framework for Validating Firewall Policy Enforcement", POLICIES FOR DISTRIBUTED SYSTEMS AND NETWORKS, 2007. POLICY '07. EIGHTH IEEE INTERNATIONAL WORKSHOP ON, IEEE, PI, 1 June 2007 (2007-06-01), pages 151 - 160, XP031184677, ISBN: 978-0-7695-2767-3 *
DUNN C MARTIN SI INTERNATIONAL J: "Methodology for Forwarding Information Base (FIB) based Router Performance; draft-ietf-bmwg-fib-meth-03.txt", IETF STANDARD-WORKING-DRAFT, INTERNET ENGINEERING TASK FORCE, IETF, CH, vol. bmwg, no. 3, 14 February 2005 (2005-02-14), XP015016089, ISSN: 0000-0004 *
GROUT ET AL: "An argument for simple embedded ACL optimisation", COMPUTER COMMUNICATIONS, ELSEVIER SCIENCE PUBLISHERS BV, AMSTERDAM, NL, vol. 30, no. 2, 19 December 2006 (2006-12-19), pages 280 - 287, XP005808354, ISSN: 0140-3664 *
SEDAYAO, JEFF: "Cisco IOS Access Lists, Chapter 5, Debugging Access Lists", June 2001 (2001-06-01), pages 1 - 22, XP002494461, ISBN: 1-56592-385-5, Retrieved from the Internet <URL:http://oreilly.com/catalog/cisrtlist/chapter/ch05.html> [retrieved on 20080903] *

Also Published As

Publication number Publication date
US20080192641A1 (en) 2008-08-14
DE602008006048D1 (en) 2011-05-19
EP2127220A2 (en) 2009-12-02
CN101606357B (en) 2013-03-27
US7817571B2 (en) 2010-10-19
CN101606357A (en) 2009-12-16
ATE504999T1 (en) 2011-04-15
WO2008100729A2 (en) 2008-08-21
EP2127220B1 (en) 2011-04-06

Similar Documents

Publication Publication Date Title
WO2008100729A3 (en) Automatic discovery of blocking access-list id and match statements in a network
WO2009005650A3 (en) Method and system for redirecting of packets to an intrusion prevention service in a network switch
WO2008076163A3 (en) Techniques for managing security in next generation communication networks
WO2007103504A3 (en) Access terminal for communicating packets using a home anchored bearer path or a visited anchored bearer path
WO2007144867A3 (en) Voice over ip capturing
GB2411320B (en) Access control management method, access control management system, and terminal device with access control management function
WO2008024818A3 (en) Apparatus and method of controlled delay packet forwarding
WO2009001067A3 (en) Network in-line tester
WO2006049672A3 (en) Empirical scheduling of networks packets using coarse and fine testing periods
PL2073444T3 (en) Terminal detection authentication method, device and operational management system in passive optical network
WO2009015218A3 (en) Method and system for managing content in a content processing system having multiple content delivery networks
WO2011021885A3 (en) Method and apparatus for sharing function of external device through complex network
EP2028870A4 (en) Radio access network configuration managing method, configuration managing system, and radio access network managing device
WO2007080558A3 (en) Communications network system and methods for using same
WO2007136937A3 (en) Implementation of reflexive access control lists on distributed platforms
EP2296425A4 (en) Information processing method for closed subscriber group, access control method, network system and device
FR2973901B1 (en) TESTING THE RESISTANCE OF A SECURITY MODULE OF A TELECOMMUNICATION DEVICE COUPLED TO AN NFC CIRCUIT AGAINST COMMUNICATION CHANNEL MISMATCH ATTACKS
WO2009008482A1 (en) Communication management system, communication management terminal device, communication management method and communication management program
EP2257881A4 (en) Memory device with network on chip methods, apparatus, and systems
EP2110752A4 (en) Content distribution management device, communication terminal, program, and content distribution system
TW200742461A (en) Method for switching communication networks
WO2008064885A3 (en) Method for the operation of an ethernet-compatible field bus device
BRPI0821764A8 (en) UPLOAD SYNCHRONISM ALIGNMENT METHOD IN USER EQUIPMENT
WO2008012792A3 (en) A method and system for detection of nat devices in a network
WO2008154885A8 (en) Method for repeating process of data packets, node and packet core device

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase. Ref document number: 200880004671.8; Country of ref document: CN
WWE Wipo information: entry into national phase. Ref document number: 2008728973; Country of ref document: EP
NENP Non-entry into the national phase. Ref country code: DE
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 08728973; Country of ref document: EP; Kind code of ref document: A2