Selectively performing man in the middle decryption
US-2015381583-A1 · Dec 31, 2015 · US
US9237129B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9237129-B2 |
| Application number | US-201414276984-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 13, 2014 |
| Priority date | May 13, 2014 |
| Publication date | Jan 12, 2016 |
| Grant date | Jan 12, 2016 |
Official abstract text for this publication.
The present invention relates to a method and system for performing deep packet inspection of messages transmitted through a network switch in a Software Defined Network (SDN). Embodiments of the invention include a network switch, a controller, and a firewall in a software defined networking environment. In the present invention, the network switch is a simple network switch that is physically separate from the controller and the firewall. The invention may include a plurality of physically distinct network switches communicating with one or more controllers and firewalls. In certain instances, communications between the network switch, the controller, and the firewall are performed using the OpenFlow standard communication protocol.
Opening claim text (preview).
What is claimed:

1. A method of deep packet inspection in a Software Defined Networking environment, the method comprising: receiving a set configuration command from a controller by a network switch, wherein the set configuration command sets an operational mode for deep packet inspection; receiving an address of a firewall; establishing communications with the firewall; receiving a get configuration request from the firewall; sending a configuration reply to the firewall, wherein the configuration reply includes the operational mode for deep packet inspection; receiving a first packet; determining, by hardware processor, whether information contained in the first packet does not match any entry in a flow table; and forwarding at least a portion of the first packet to the controller, and then forwarding at least a portion of the first packet to the firewall if the controller determines to DPI scan this flow, wherein the firewall performs deep packet inspection on the portion of the first packet; sending the first packet through a port to an address identified in the flow table without looking for a message from the firewall when the operational mode of the network switch is an observation mode; receiving a second packet; determining that information contained in the second packet matches an entry in the flow table and DPI scan is configured on this flow; forwarding at least a portion of the second packet to the firewall when it is determined that the information contained in the second packet matches an entry in the flow table when a number of bytes forwarded from the first packet is less than a pre-determined number of bytes, wherein the firewall performs deep packet inspection on the portion of the second packet forwarded to the firewall; and sending the second packet through a port to an address identified in the flow table without looking for a message from the firewall when the operational mode of the network switch is in the observation mode.
2. The method of claim 1, further comprising: sending a copy of at least some bytes from the first packet to the controller before forwarding the portion of the first packet to the firewall; and receiving an instruction from the controller to forward the portion of the first packet to the firewall before forwarding the portion of the first packet to the firewall.
3. The method of claim 1, further comprising: receiving an allow message from the firewall when the operational mode of the network switch is an enforce mode, wherein the allow message indicates that the first packet has passed a deep packet inspection.
4. The method of claim 3, further comprising: receiving a deny message from the firewall when the operational mode of the network switch is the enforce mode, wherein the deny message indicates that the second packet failed a deep packet inspection; and dropping the second packet.
5. The method of claim 3, further comprising receiving an allow message from the firewall when the operational mode of the network switch is the enforce mode, wherein the allow message indicates that the second packet passed a deep packet inspection.
6. The method of claim 5, wherein the address of the firewall received is an IP address of the firewall, wherein the first packet is sent through a port to an address identified in the flow table after the first packet has passed deep packet inspection, and wherein the second packet is sent through the port to the address identified in the flow table after the second packet has passed deep packet inspection.
7. The method of claim 1, wherein the at least portion of the first packet corresponds to a pre-determined number of bytes for performing deep packet inspection on a flow of packets.
8. The method of claim 1, wherein: the communications established with the firewall are established by the controller communicating with the firewall and with the network switch, the configuration request received from the firewall is passed through the controller, and the configuration reply is sent by the network switch to the firewall through the controller.
9. A system for deep packet inspection in a Software Defined Networking environment, the system comprising: a network switch including a memory; a controller; and a firewall, wherein the network switch: receives a set configuration command from the controller by the network switch, wherein the set configuration command sets an operation mode for deep packet inspection; receives an address of a firewall; establishes communications with the firewall; sends a configuration reply to the firewall, wherein the configuration reply includes the operational mode for deep packet inspection; receives a first packet; determines whether information contained in the first packet does not match any entry in a flow table; and forwards at least a portion of the first packet to the controller, and then forwarding at least a portion of the first packet to the firewall if the controller determines to DPI scan this flow, wherein the firewall performs deep packet inspection of the portion of the first packet; wherein the network switch: sends the first packet through a port to an address identified in the flow table without looking for a message from the firewall when the operational mode of the network switch is an observation mode; receives a second packet; determines that information contained in the second packet matches an entry in the flow table and DPI scan is configured on this flow; forwards at least a portion of the second packet to the firewall when it is determined that the information contained in the second packet matches an entry in the flow table when a number of bytes forwarded from the first packet is less than a pre-determined number of bytes, wherein the firewall performs deep packet inspection on the portion of the second packet forwarded to the firewall; and sends the second packet through a port to an address identified in the flow table without looking for a message from the firewall when the operational mode of the network switch is the observation mode.
10. The system of claim 9, wherein the network switch: sends a copy of at least some bytes from the first packet to the controller before forwarding the portion of the first packet to the firewall; and receives an instruction from the controller to forward the portion of the first packet to the firewall before forwarding the portion of the first packet to the firewall.
11. The system of claim 9, wherein the network switch: receives an allow message from the firewall when the operational mode of the network switch is an enforce mode, wherein the allow message indicates that the first packet has passed a deep packet inspection.
12. The system of claim 11, wherein the network switch: receives a deny message from the firewall when the operational mode of the network switch is the enforce mode, wherein the deny message indicates that the second packet failed a deep packet inspection; and drops the second packet.
13. The system of claim 12, wherein the network switch receives an allow message from the firewall when the operational mode of the network switch is the enforce mode, wherein the allow message indicates that the second packet passed a deep packet inspection.
14. The system of claim 9, wherein the address of the firewall received is an IP address of the firewall, wherein the first packet is sent through a port to an address identified in the flow table after the first packet has passed deep packet inspection, and wherein the second packet is sent through the port to the address identified in the flow tab
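The switch-side procedure of claims 1 to 5 (flow-table miss to controller, a per-flow byte budget for what is copied to the firewall, and observation versus enforce mode), modelled as an added Python example that is not part of the patent. The budget value, the flow key, the traffic and the controller/firewall callbacks are the example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

DPI_BYTE_BUDGET = 2048  # constructed value for the claims' "pre-determined number of bytes"

@dataclass
class Flow:
    out_port: int
    dpi: bool = False        # controller decided to DPI-scan this flow (claim 1)
    bytes_scanned: int = 0   # bytes of this flow already copied to the firewall

@dataclass
class Switch:
    mode: str                                          # "observation" or "enforce"
    controller_wants_dpi: Callable[[Tuple], bool]      # controller's per-flow decision
    firewall_verdict: Callable[[Tuple, bytes], str]    # returns "allow" or "deny"
    flow_table: Dict[Tuple, Flow] = field(default_factory=dict)
    log: List[tuple] = field(default_factory=list)

    def handle_packet(self, key: Tuple, payload: bytes, default_port: int = 1) -> str:
        flow = self.flow_table.get(key)
        if flow is None:
            # Flow-table miss: consult the controller, which decides whether the
            # flow is DPI-scanned, then install the flow entry.
            flow = Flow(out_port=default_port, dpi=self.controller_wants_dpi(key))
            self.flow_table[key] = flow
            self.log.append(("to_controller", key))
        if flow.dpi and flow.bytes_scanned < DPI_BYTE_BUDGET:
            # Copy only as many bytes as the per-flow budget still allows.
            chunk = payload[:DPI_BYTE_BUDGET - flow.bytes_scanned]
            flow.bytes_scanned += len(chunk)
            self.log.append(("to_firewall", key, len(chunk)))
            if self.mode == "enforce" and self.firewall_verdict(key, chunk) == "deny":
                self.log.append(("drop", key))
                return "dropped"
        # Observation mode never waits for the firewall; enforce mode reaches here on "allow".
        self.log.append(("forward", key, flow.out_port))
        return f"port {flow.out_port}"

def run_scenario(mode: str):
    """Constructed traffic: one DPI-scanned flow (dst port 80) and one unscanned flow (port 22)."""
    sw = Switch(mode=mode,
                controller_wants_dpi=lambda key: key[1] == 80,
                firewall_verdict=lambda key, chunk: "deny" if b"BLOCKME" in chunk else "allow")
    web, ssh = ("10.0.0.5", 80), ("10.0.0.5", 22)
    results = [sw.handle_packet(web, b"GET / " + b"A" * 1494),   # 1500 bytes scanned, 548 left
               sw.handle_packet(web, b"BLOCKME" + b"B" * 1493),  # only 548 bytes scanned, match inside
               sw.handle_packet(web, b"BLOCKME" + b"C" * 100),   # budget exhausted: never scanned
               sw.handle_packet(ssh, b"BLOCKME")]                # non-DPI flow: never scanned
    return results, sw.log
```

The third packet shows the trade-off a defender should note: once the per-flow budget is spent, later packets of that flow bypass the firewall entirely, so the budget bounds both the firewall load and the detection coverage.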
CPC classification titles:

- Stateful filtering
- in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46)
- the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
- Internet protocol [IP] addresses
- Filtering by information in the payload