Security in software defined network
US-2017324781-A1 · Nov 9, 2017 · US
US10601632B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10601632-B2 |
| Application number | US-201515572871-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 11, 2015 |
| Priority date | May 11, 2015 |
| Publication date | Mar 24, 2020 |
| Grant date | Mar 24, 2020 |
Official abstract text for this publication.
A communication apparatus comprising a plurality of communication processes, each of the communication processes configured to be executed in an environment allocated thereto and isolated from each of one or more environments arranged for remaining one or more processes, each of the communication processes performing communication processing on a flow associated thereto, a network interface connected to a network; a dispatcher that dispatches a packet to the communication process based on a dispatch rule that defines association of a flow with a communication process.
Opening claim text (preview).
What is claimed is:

1. A communication apparatus comprising: a processor; a memory storing therein program instructions executable by the processor; and a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network, wherein the processor is configured to execute: a plurality of switch processes, each of the plurality of the switch processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the switch processes being isolated from each of one or more environments arranged for remaining one or more switch processes, each of the plurality of the switch processes performing switch processing on a flow associated thereto; and a dispatcher process that receives a packet from at least one of the plurality of the network interfaces and dispatches the packet to an associated switch process, based on a dispatch rule that defines association of a flow with a dispatch destination switch process, wherein the associated switch process, upon reception of the packet dispatched thereto by the dispatcher process, performs matching of header field information of the packet with a flow entry for handling a flow, and handling of the packet based on a result of the matching, wherein the flow entry includes a match field for being matched with header field information of a packet received; and an action field to prescribe handling of a matching packet, wherein the communication apparatus further includes: a transmitter that, when a dispatch rule for a first flow indicated by header field information of a packet received from at least one of the plurality of the network interfaces is not present, sends a query for the dispatch rule for the first flow to a controller that controls the communication apparatus, and wherein the processor is configured to, on receipt of the dispatch rule for the first flow sent from the controller, create an isolated environment, invoke a first switch process associated with the first flow in the isolated environment, and cause the transmitter to send a response to the controller, wherein the first switch process associated with the first flow, upon reception of a first flow entry for handling the first flow from the controller, handles one or more packets associated with the first flow, based on the first flow entry.

2. The communication apparatus according to claim 1, wherein the processor is configured to execute a switch process that performs an integrity control process that performs control to enable decryption of cipher text to plain text, when the integrity control process finds that a system integrity measured at a time of the decryption is identical to a system integrity measured at a time of encryption of the plain text.

3. A communication apparatus, comprising: a processor; a memory storing therein program instructions executable by the processor; and a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network, wherein the processor is configured to execute: a plurality of management processes, each of the plurality of the management processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of management processes being isolated from each of one or more environments arranged for remaining one or more management processes, each management process performing communication with a controller that controls the communication apparatus; and a dispatcher process, wherein the communication apparatus further comprises a packet processing hardware unit arranged between the plurality of the network interfaces and the dispatcher process, the packet processing hardware unit performing packet processing according to a flow entry for handling a flow, wherein a management process receives and deletes a flow entry to and from the packet processing hardware, wherein the dispatcher process monitors addition and deletion of each flow entry for handling a flow and on reception of a notification sent from the packet processing hardware unit when there is no flow entry matching a packet header of a received packet, the dispatcher process forwards the notification to a corresponding management process according to a dispatch rule.

4. The communication apparatus according to claim 1, wherein the processor is further configured to execute: an access control that controls access from a switch process to a shared resource shared by the plurality of the switch processes.

5. The communication apparatus according to claim 1, wherein the communication apparatus is a switch apparatus.

6. A controller apparatus comprising: a processor; a memory storing therein program instructions executable by the processor; and a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network, wherein the processor is configured to execute: a plurality of controller processes, each of the plurality of the controller processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the controller processes being isolated from each of one or more environments arranged for remaining one or more controller processes, each of the plurality of the controller processes performing control of one or more associated switch processes; and a dispatcher process that dispatches a message from a switch to an associated controller process, based on a dispatch rule that defines association of a switch with a controller process to which a message from the switch is dispatched.

7. A communication system comprising: a switch; a controller to control the switch, wherein the switch comprises: a first processor; a memory storing therein program instructions executable by the first processor; and a plurality of network interfaces, each of the plurality of the network interfaces adapted to be connected to a network, wherein the first processor is configured to execute: a plurality of switch processes, each of the plurality of the switch processes configured to be executed in an environment allocated thereto, the environment arranged for each of the plurality of the switch processes being isolated from each of one or more environments arranged for remaining one or more switch processes, each of the plurality of the switch processes performing switch processing on a flow associated thereto; and a dispatcher process that receives a packet from at least one of the plurality of the network interfaces and dispatches the packet to an associated switch process, based on a dispatch rule that defines association of a flow with a dispatch destination switch process, wherein the switch further includes: a transmitter that, when a dispatch rule for a first flow indicated by header field information of a packet received from at least one of the plurality of the network interfaces is not present, sends a query for the dispatch rule for the first flow to the controller, wherein the first processor is configured to, on receipt of the dispatch rule for the first flow sent from the controller, create an isolated environment, invoke a first switch process associated with the first flow in the isolated environment, and cause the transmitter to send a response to the controller, and wherein the first switch process associated with the first flow, upon reception of a first flow entry for handling the first flow from the controller, handles one or more packets associated with the first flow, based on the first flow entry.

8. The communication system according to claim 7, wherein the associated switch process receives the packet dis
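The dispatch path of claim 1 (rule lookup, query to the controller on a miss, creation of an isolated environment with a per-flow switch process, and a flow entry that reaches only that process) as a small Python model. This is an added example, not code from the patent; FlowKey, SwitchProcess, Controller, Dispatcher and all addresses are constructed, and isolation is modelled as a private flow table rather than a real sandbox or VM.

```python
# Added example, not the patent's code: a toy model of claim 1's dispatcher,
# per-flow switch processes and controller query. All names and values are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FlowKey:
    """Header fields used for matching (a constructed subset of a real 5-tuple)."""
    src: str
    dst: str
    proto: str
    dport: int

@dataclass
class SwitchProcess:
    """One switch process; its flow table is private to its own environment."""
    name: str
    flow_table: dict = field(default_factory=dict)  # match field -> action

    def handle(self, key: FlowKey) -> str:
        # Matching sees only this process's entries; a miss drops rather than forwards.
        return self.flow_table.get(key, "drop")

class Controller:
    """Stand-in controller: answers dispatch-rule queries with (process name, action)."""
    def __init__(self, policy: dict):
        self.policy = policy
        self.queries = []  # record of the flows the switch asked about

    def query_dispatch_rule(self, key: FlowKey):
        self.queries.append(key)
        return self.policy.get(key)

class Dispatcher:
    def __init__(self, controller: Controller):
        self.controller = controller
        self.dispatch_rules = {}  # FlowKey -> destination process name
        self.processes = {}       # process name -> SwitchProcess (one isolated env each)

    def dispatch(self, key: FlowKey) -> str:
        if key not in self.dispatch_rules:
            answer = self.controller.query_dispatch_rule(key)  # rule missing: ask the controller
            if answer is None:
                return "drop"  # controller has no rule for this flow; nothing is invoked
            name, action = answer
            self.dispatch_rules[key] = name
            proc = self.processes.setdefault(name, SwitchProcess(name))  # create env, invoke process
            proc.flow_table[key] = action  # the controller's flow entry lands only in that process
        return self.processes[self.dispatch_rules[key]].handle(key)
```

A second packet of an already-known flow is dispatched without another controller query, and a process for one flow never sees the flow entry installed for another.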
CPC classification titles:

- using separate channels for security data
- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- Filtering policies (mail message filtering H04L51/212)
- Isolation or security of virtual machine instances
- for separating internal from external traffic, e.g. firewalls