Software-defined network threat control

US9654465B2 · US · B2

Patent metadata
Publication number: US-9654465-B2
Application number: US-201514872578-A
Country: US
Kind code: B2
Filing date: Oct 1, 2015
Priority date: Oct 1, 2015
Publication date: May 16, 2017
Grant date: May 16, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In a Software-Defined Network (SDN), a trust controller and trust processor exchange hardware-trust data over an SDN southbound interface to maintain hardware-trust. A flow controller transfers a Flow Description Table (FDT) modification to an SDN data-plane machine over the southbound interface. The flow controller transfers an FDT modification notice to the trust controller, which transfers FDT security data over the southbound interface to authorize the FDT change in the SDN data-plane machine. The data-plane machine authorizes the FDT modification based on the FDT security data from the trust controller. The data-plane machine modifies the FDT in response to the successful authorization and processes user data traffic using the modified FDT. The trust controller may also transfer a Threat Description Table (TDT) to the data-plane machine to filter the user traffic for other threats.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of operating a Software-Defined Network (SDN) data communication system to support hardware-trust and process user data traffic, the method comprising: in an SDN control system, a trust controller transferring hardware-trust data to a trust processor in an SDN data-plane machine over an SDN southbound interface to maintain hardware-trust with the SDN data-plane machine; in the SDN data-plane machine, the trust processor transferring additional hardware-trust data to the trust controller over the SDN southbound interface to maintain the hardware trust with the SDN control system; in the SDN control system, a flow controller transferring a Flow Description Table (FDT) modification to a flow processor in the SDN data-plane machine over the SDN southbound interface and transferring an FDT modification notice to the trust controller; in the SDN control system, the trust controller transferring FDT security data to the trust processor over the SDN southbound interface to authorize an FDT change responsive to the FDT modification notice; the trust processor transferring FDT authorization data to the flow processor responsive to the FDT security data from the trust controller; and in the SDN data-plane machine, the flow processor authorizing the FDT modification based on the FDT authorization data from the trust processor, modifying an FDT based on the FDT modification and in response to the successful FDT authorization, and processing the user data traffic using the modified FDT.

2. The method of claim 1 further comprising: in the SDN control system, the trust controller transferring threat data over the SDN southbound interface to the trust processor; in the SDN data-plane machine, the trust processor transferring the threat data to the flow processor; and in the SDN data-plane machine, the flow processor modifying a Threat Description Table (TDT) responsive to the threat data and filtering the user data traffic using the modified TDT.

3. The method of claim 2 wherein processing the user data traffic based on the FDT comprises forwarding a first flow of user data packets.

4. The method of claim 2 wherein filtering the user data traffic based on the TDT further comprises blocking a second flow of user data packets.

5. The method of claim 4 further comprising the trust controller receiving a flow threat notice from another SDN data-plane machine indicating a detected threat from the second flow of the user data packets and wherein transferring the threat data to modify the TDT comprises transferring the threat data in response to the flow threat notice.

6. The method of claim 4 wherein the TDT comprises a portion of the FDT.

7. The method of claim 1 further comprising the trust controller transferring an SDN data-plane machine notice to the trust processor over the SDN southbound interface responsive to a hardware-trust failure of another SDN data-plane machine.

8. The method of claim 1 further comprising the trust controller transferring an SDN flow controller notice to the trust processor over the SDN southbound interface responsive to an unauthorized FDT modification attempt associated with another SDN flow controller.

9. The method of claim 1 wherein: transferring the hardware-trust data comprises the trust controller transferring a random code over the SDN southbound interface to the trust processor; and transferring the additional hardware-trust data comprises the trust processor reading a physically-embedded hardware-trust key, processing the hardware-trust key and the random code to generate a hardware-trust result, and transferring the hardware-trust result over the SDN southbound interface to the trust controller.

10. The method of claim 1 wherein: transferring the hardware-trust data comprises the trust controller transferring a control system digital certificate over the SDN southbound interface to the trust processor; and transferring the additional hardware-trust data comprises the trust processor transferring a data-plane machine digital certificate over the SDN southbound interface to the trust controller.

11. A Software-Defined Network (SDN) data communication system to support hardware-trust and process user data traffic comprising: a trust controller in an SDN control system, comprising a processor executing instructions stored in a memory, configured to transfer hardware-trust data to a trust processor in an SDN data-plane machine over an SDN southbound interface to maintain hardware-trust with the SDN data-plane machine; the trust processor in the SDN data-plane machine configured to transfer additional hardware-trust data to the trust controller over the SDN southbound interface to maintain the hardware trust with the SDN control system; a flow controller in the SDN control system configured to transfer a Flow Description Table (FDT) modification to a flow processor in the SDN data-plane machine over the SDN southbound interface and transfer an FDT modification notice to the trust controller; the trust controller in the SDN control system configured to transfer FDT security data to the trust processor over the SDN southbound interface to authorize an FDT change responsive to the FDT modification notice; the trust processor in the SDN data-plane machine configured to transfer FDT authorization data to the flow processor responsive to the FDT security data from the trust controller; and the flow processor in the SDN data-plane machine configured to authorize the FDT modification based on the FDT authorization data from the trust processor, modify an FDT based on the FDT modification and in response to the successful FDT authorization, and process the user data traffic using the modified FDT.

12. The SDN data communication system of claim 11 further comprising: the trust controller in the SDN control system configured to transfer threat data over the SDN southbound interface to the trust processor; the trust processor in the SDN data-plane machine configured to transfer the threat data to the flow processor; and the flow processor in the SDN data-plane machine configured to modify a Threat Description Table (TDT) responsive to the threat data and filter the user data traffic using the modified TDT.

13. The SDN data communication system of claim 12 wherein the flow processor in the SDN data-plane machine is configured to process the user data traffic based on the FDT by forwarding a first flow of user data packets.

14. The SDN data communication system of claim 12 wherein the flow processor in the SDN data-plane machine is configured to filter the user data traffic based on the TDT by blocking a second flow of user data packets.

15. The SDN data communication system of claim 14 wherein the trust controller is configured to receive a flow threat notice from another SDN data-plane machine indicating a detected threat from the second flow of the user data packets and transfer the threat data to modify the TDT in response to the flow threat notice.

16. The SDN data communication system of claim 14 wherein the TDT comprises a portion of the FDT.

17. The SDN data communication system of claim 11 wherein the trust controller is configured to transfer an SDN data-plane machine notice to the trust processor over the SDN southbound interface responsive to a hardware-trust failure of another SDN data-plane machine.

18. The SDN data communication system of claim 11 wherein the trust controller is configured to transfer an SDN flow controller notice to the trust processor over the SDN southbo
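The following Python is an added illustrative model of the message sequence in claims 1, 2 and 9; it is not Sprint's implementation or code from the patent. The claims do not fix how the hardware-trust key and random code are "processed" or what the FDT security data consists of, so HMAC-SHA256 over the random code and over a canonical encoding of the FDT modification are assumed here. Every key, machine and controller identifier, and table entry is constructed, and the flow controller is reduced to the two messages it sends (the modification to the flow processor, the notice to the trust controller).

```python
"""Illustrative model of the claimed hardware-trust and FDT-authorization flow.

Added example, not Sprint's implementation. HMAC-SHA256 for the hardware-trust
result (claim 9) and for the FDT security data, the message layout, and every
key and identifier below are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed keys. In the claimed design the data-plane key is physically
# embedded in the machine and the trust controller holds a matching copy.
HW_TRUST_KEY = b"constructed-embedded-hardware-trust-key"
FDT_SECURITY_KEY = b"constructed-trust-controller-trust-processor-key"


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over '|'-joined parts (assumed construction)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def encode_modification(mod: dict) -> bytes:
    # Canonical bytes for an FDT modification so both sides MAC the same data.
    return f"{mod['match']}=>{mod['action']}".encode()


@dataclass
class TrustProcessor:
    """Data-plane side: answers trust challenges and checks FDT security data."""
    hw_key: bytes
    fdt_key: bytes

    def hardware_trust_result(self, random_code: bytes) -> bytes:
        # Claim 9: process the embedded key together with the random code.
        return mac(self.hw_key, random_code)

    def authorize_fdt(self, mod: dict, fdt_security_data: bytes) -> bool:
        # Security data is bound to this exact modification, so data issued for
        # one change cannot authorize a different one.
        expected = mac(self.fdt_key, encode_modification(mod))
        return hmac.compare_digest(expected, fdt_security_data)


@dataclass
class TrustController:
    """Control-plane side: establishes hardware trust, issues FDT security data."""
    hw_key: bytes
    fdt_key: bytes
    authorized_flow_controllers: set
    trusted_machines: set = field(default_factory=set)

    def challenge(self, machine_id: str, tp: TrustProcessor) -> bool:
        random_code = secrets.token_bytes(16)           # -> trust processor
        result = tp.hardware_trust_result(random_code)  # <- trust processor
        ok = hmac.compare_digest(mac(self.hw_key, random_code), result)
        if ok:
            self.trusted_machines.add(machine_id)
        else:
            self.trusted_machines.discard(machine_id)
        return ok

    def fdt_security_data(self, fc_id: str, machine_id: str, mod: dict):
        # Refuse unless the notice names a known flow controller and the target
        # machine currently holds hardware trust (the two failure kinds that
        # claims 7 and 8 have the controller report to other machines).
        if fc_id not in self.authorized_flow_controllers:
            return None
        if machine_id not in self.trusted_machines:
            return None
        return mac(self.fdt_key, encode_modification(mod))


@dataclass
class FlowProcessor:
    """Data-plane forwarding: FDT for forwarding, TDT for blocking (claim 2)."""
    fdt: dict = field(default_factory=dict)
    tdt: set = field(default_factory=set)

    def apply_modification(self, mod: dict, authorized: bool) -> bool:
        if not authorized:
            return False            # pending change is discarded
        self.fdt[mod["match"]] = mod["action"]
        return True

    def update_tdt(self, threat_data: set) -> None:
        self.tdt |= threat_data     # threat data relayed by the trust processor

    def handle_packet(self, match: str) -> str:
        if match in self.tdt:
            return "blocked"        # TDT consulted before the FDT
        return self.fdt.get(match, "drop")


def request_fdt_change(fc_id, machine_id, mod, tc, tp, fp) -> bool:
    """One FDT modification carried through the claimed message sequence."""
    # Flow controller -> flow processor: modification (held pending).
    # Flow controller -> trust controller: FDT modification notice.
    sec = tc.fdt_security_data(fc_id, machine_id, mod)
    # Trust controller -> trust processor: FDT security data (None = refused).
    authorized = sec is not None and tp.authorize_fdt(mod, sec)
    # Trust processor -> flow processor: FDT authorization data.
    return fp.apply_modification(mod, authorized)


def run_scenario() -> dict:
    """Happy path plus three refusals; all values constructed."""
    tp, fp = TrustProcessor(HW_TRUST_KEY, FDT_SECURITY_KEY), FlowProcessor()
    tc = TrustController(HW_TRUST_KEY, FDT_SECURITY_KEY, {"fc-1"})
    out = {"trust_ok": tc.challenge("dp-1", tp)}
    good = {"match": "10.0.0.0/24", "action": "forward:port2"}
    out["authorized_applied"] = request_fdt_change("fc-1", "dp-1", good, tc, tp, fp)
    other = {"match": "0.0.0.0/0", "action": "forward:port9"}
    out["unknown_fc_applied"] = request_fdt_change("fc-x", "dp-1", other, tc, tp, fp)
    sec = tc.fdt_security_data("fc-1", "dp-1", good)  # valid for `good` only
    out["other_change_applied"] = fp.apply_modification(other, tp.authorize_fdt(other, sec))
    bad_tp = TrustProcessor(b"wrong-key", FDT_SECURITY_KEY)  # lacks the embedded key
    out["untrusted_machine_ok"] = tc.challenge("dp-2", bad_tp)
    out["untrusted_applied"] = request_fdt_change("fc-1", "dp-2", good, tc, bad_tp, FlowProcessor())
    fp.update_tdt({"198.51.100.0/24"})
    out["forwarded"] = fp.handle_packet("10.0.0.0/24")
    out["blocked"] = fp.handle_packet("198.51.100.0/24")
    return out
```

The point the model makes concrete is that the flow processor never acts on the flow controller's modification alone: it waits for authorization data that the trust processor derives from security data bound to that specific change, and the trust controller issues that security data only for a flow controller it knows and a machine whose hardware-trust challenge currently succeeds. Run `run_scenario()` to see the authorized change applied and the three refusals (unknown flow controller, security data for a different change, machine without the embedded key) leave the FDT untouched.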

Assignees

Sprint Communications Co Lp

Inventors

Classifications (CPC titles)

Primary CPC: H04L63/1441

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)

  • to assure secure computing or processing of information

  • involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853)

  • Tools and structures for managing or administering access control systems

  • for managing network security; network security policies in general (filtering policies H04L63/0227)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9654465B2 cover?
In Software-Defined Network (SDN), a trust controller and trust processor exchange hardware-trust data over an SDN southbound interface to maintain hardware-trust. A flow controller transfers a Flow Description Table (FDT) modification to the data-plane machine over the southbound interface. The flow controller transfers an FDT modification notice to the trust controller which transfers FDT sec…
Who is the assignee on this patent?
Sprint Communications Co Lp
What technology area does this patent fall under?
Primary CPC classification: H04L63/1441. Mapped technology areas include Electricity.
When was this patent published?
Publication date: May 16, 2017 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).