Distributed network connection policy management

US2016006767A1 · US · A1

Patent metadata

Publication number: US-2016006767-A1
Application number: US-201514852052-A
Country: US
Kind code: A1
Filing date: Sep 11, 2015
Priority date: Mar 7, 2008
Publication date: Jan 7, 2016
Grant date:

Abstract

Official abstract text for this publication.

A connection policy for a communications network has a local connection policy indicating which paths between a given one of the nodes (computer A, router A, host 898) and others of the nodes (computers B, C, filters B1, B2, C1, C2, hosts 890, 892) are allowable paths, expressed as a symbolic expression of ranges of endpoint addresses, together with other local connection policies in respect of other nodes. It is implemented in a distributed manner by determining, for the given node, which of the allowable paths are dual authorised, that is, also allowed by the other local connection policy relating to the node at the other end of that path, by Boolean operations on the symbolic expressions. For a given message on a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorised. This can provide reassurance that changes in versions of the connection policy won't transiently open a risk of undetected unwanted communication.

First claim

Opening claim text (preview).

1.-19. (canceled)

20. A method of implementing a connection policy for a given node in a network, the method comprising: receiving, by the given node, a new version of an application; determining, by the given node, a connection policy for the new version of the application; determining, based on the connection policy, allowable paths for the new version of the application to addresses known to the given node; and determining, by the given node, that one of the allowable paths for the new version of the application between the given node and another node is dual authorized in response to a determination that the path is also indicated as being allowable by the another node.

21. The method of claim 20, wherein the connection policy comprises rules, and the method further comprises: removing one of the allowable paths by removing one of the rules from the connection policy.

22. The method of claim 20, further comprising: adding a path to the allowable paths by adding a new rule to the connection policy.

23. The method of claim 20, wherein determining the connection policy for the new version of the application comprises evaluating a symbolic expression of ranges of endpoint addresses using information associated with the given node.

24. The method of claim 23, wherein determining that one of the allowable paths is dual authorized comprises carrying out a Boolean AND of the symbolic expression for the connection policy of the given node and a symbolic expression for the connection policy of the another node.

25. The method of claim 20, further comprising: changing the connection policy to allow a connection of the dual authorized path for the new version of the application; and blocking a connection for an old version of the application in response to the allowance of the connection for the new version of the application.

26. A computer device comprising a processor; and a non-transitory computer readable medium storing instructions to cause the processor to: receive a new version of an application, determine a connection policy for the new version of the application, determine, based on the new connection policy, allowable paths for the new version of the application to addresses known to the computer device, and determine that one of the allowable paths for the new version of the application between the computer device and an another device is dual authorized in response to a determination that the path is also indicated as being allowable by the another node.

27. The computer device of claim 26, wherein the connection policy comprises rules, and wherein the instructions are to cause the processor to remove one of the allowable paths by removing one of the rules from the connection policy.

28. The computer device of claim 26, wherein the instructions are to cause the processor to add a path to the allowable paths by adding a new rule to the connection policy.

29. The computer device of claim 26, wherein, to determine the connection policy for the new version of the application, the instructions are to cause the processor to evaluate a symbolic expression of ranges of endpoint addresses using information associated with the computer device.

30. The computer device of claim 29, wherein, to determine the connection policy for the new version of the application, the instructions are to cause the processor to carry out a Boolean AND of the symbolic expression for the connection policy of the computer device and a symbolic expression for the connection policy of the another device to obtain an expression for the dual authorized path as a function of node addresses.

31. The computer device of claim 30, wherein the instructions are to cause the processor to substitute an address of the another node into the expression for the dual authorized path.

32. The computer device of claim 26, wherein the instructions are to cause the processor to: change the connection policy to allow a connection of the dual authorized path for the new version of the application; and block a connection for an old version of the application in response to the allowance of the connection for the new version of the application.

33. A non-transitory computer readable medium storing instructions to implement a connection policy of a given node in a network, wherein the connection policy indicates which paths between the given node and other nodes in the network are allowable paths, wherein the instructions when executed by a processor cause the processor to: obtain, by the given node, a connection policy for another node in the network; and determine, by the given node, whether one of the allowable paths between the given node and the another node is dual authorized in response to a determination that the path is also indicated as being allowable by the connection policy of the another node.

34. The non-transitory computer readable medium of claim 33, wherein the connection policy comprising rules, and wherein the instructions are to cause the processor to remove one of the allowable paths by removing one of the rules from the connection policy.

35. The non-transitory computer readable medium of claim 33, wherein the instructions are to cause the processor to add a path to the allowable paths by adding a new rule to the connection policy.

36. The non-transitory computer readable medium of claim 33, wherein the instructions are further to cause the processor to determine the connection policy for the given node by evaluating a symbolic expression of ranges of endpoint addresses using information associated with the given node.

37. The non-transitory computer readable medium of claim 36, wherein, to determine whether one of the allowable paths is dual authorized, the instructions are to cause the processor to carry out a Boolean AND of the symbolic expression for the connection policy of the given node and a symbolic expression for the connection policy of the another node to obtain an expression for the dual authorized path as a function of node addresses.

38. The non-transitory computer readable medium of claim 37, wherein the instructions are to cause the processor to substitute an address of the another node into the expression for the dual authorized path.

39. The non-transitory computer readable medium of claim 33, wherein the instructions are to cause the processor to: receive a new version of an application; change the connection policy to allow a connection of the dual authorized path for the new version of the application; and block a connection for an old version of the application in response to the allowance of the connection for the new version of the application.
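The following is an added illustration of the mechanism in claims 20 to 39, written for this page and not taken from the patent or from any HP implementation. It assumes the symbolic expression of endpoint ranges is modelled as CIDR (local_range, remote_range) rules, the Boolean AND as range intersection, and an application version tag on each policy; the node and app names are constructed.

```python
import ipaddress

def intersect(n1, n2):
    """Boolean AND of two CIDR ranges: the nested one, or None when disjoint."""
    if n1.subnet_of(n2):
        return n1
    return n2 if n2.subnet_of(n1) else None

class LocalPolicy:
    """One node's local policy for one app version: (local_range, remote_range) rules."""
    def __init__(self, app_version, rules):
        self.app_version = app_version
        self.rules = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in rules]

def dual_expression(mine, theirs):
    """AND my expression with the peer's (their local is my remote and vice versa)
    to get the dual-authorised paths as (my_range, peer_range) pairs, still symbolic."""
    if mine.app_version != theirs.app_version:
        return []
    pairs = []
    for my_local, my_remote in mine.rules:
        for their_local, their_remote in theirs.rules:
            a, b = intersect(my_local, their_remote), intersect(my_remote, their_local)
            if a is not None and b is not None:
                pairs.append((a, b))
    return pairs

def dual_authorised(mine, theirs, my_addr, peer_addr):
    """Substitute the two concrete node addresses into the dual expression."""
    me, peer = ipaddress.ip_address(my_addr), ipaddress.ip_address(peer_addr)
    return any(me in a and peer in b for a, b in dual_expression(mine, theirs))

class Node:
    """Policy in force per app plus a pending one for a newly received app version;
    the old version's path is blocked only once the new one is dual authorised."""
    def __init__(self, addr):
        self.addr, self.active, self.pending = addr, {}, {}

    def install(self, app, policy):
        if app in self.active:
            self.pending[app] = policy      # new application version arrived
        else:
            self.active[app] = policy

    def decide(self, app, peer_addr, peer_policies):
        """Version whose path to peer_addr may carry a message right now, or None."""
        def ok(pol):
            return any(dual_authorised(pol, p, self.addr, peer_addr) for p in peer_policies)
        if app in self.pending and ok(self.pending[app]):
            self.active[app] = self.pending.pop(app)   # allow new version, block old
        return self.active[app].app_version if ok(self.active[app]) else None
```

The transition is the security-relevant part: while only one side has upgraded, the old version's dual-authorised path stays in force and the new one is not yet usable, so no window opens in which neither policy is enforced.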

Assignees

Hewlett Packard Development Co

Inventors

Classifications

  • H04L45/02 (Primary): Topology update or discovery · CPC title

  • H04L63/20 (Primary): for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Routing in software-defined topologies, e.g. routing between virtual machines · CPC title

  • Policy-based network configuration management · CPC title

  • Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016006767A1 cover?
A connection policy for a communications network has a local connection policy indicating which paths between a given one of the nodes (computer A, router A, host 898) and others of the nodes (computers B, C, filters B1, B2, C1, C2, hosts 890, 892) are allowable paths, expressed as a symbolic expression of ranges of endpoint addresses, together with other local connection policies in respect of other nodes…
Who is the assignee on this patent?
Hewlett Packard Development Co
What technology area does this patent fall under?
Primary CPC classification H04L45/02. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 7, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).