US9270575B2 - Service node using services applied by an application node - Google Patents


Info

Publication number
US9270575B2
Authority
US
United States
Prior art keywords
packet
service
switching device
request
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US14/797,377
Other versions
US20150319079A1 (en)
Inventor
Cedell Adam Alexander, Jr.
Christopher Y. Metz
Jim Guichard
David Delano Ward
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cisco Technology Inc
Priority to US14/797,377
Publication of US20150319079A1
Application granted
Publication of US9270575B2
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/14 Routing performance; Theoretical aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Definitions

  • the present disclosure relates generally to communicating information in a network.
  • Layer-4 to layer-7 services are often applied to packets being sent through a packet switching device.
  • Service Insertion Architecture such as that disclosed in US Patent Application Publication 2008/0177896 A1 published Jul. 24, 2008, teaches one approach to providing network services outside the packet switching device.
  • FIG. 1A illustrates a network operating according to one embodiment
  • FIG. 1B illustrates a network operating according to one embodiment
  • FIG. 1C illustrates an apparatus or component used in one embodiment
  • FIG. 2A illustrates a process performed in one embodiment
  • FIG. 2B illustrates a configuration process performed in one embodiment
  • FIG. 2C illustrates a packet format used in one embodiment
  • FIG. 3A illustrates a process performed in one embodiment
  • FIG. 3B illustrates a configuration process performed in one embodiment
  • FIG. 3C illustrates a packet format used in one embodiment
  • a service node e.g., packet switching device
  • an application node e.g., a packet switching device and/or computing platform.
  • An example of an application node used in one embodiment is a Cisco ASR 1000, which is a packet switching device with service processing capability.
  • One embodiment includes a packet switching device, which sends packets to one or more application nodes to apply one or more services to a packet, either internally generated or received from an external source.
  • the packet switching device performs operations, including: maintaining forwarding information for a plurality of virtual private networks (VPNs); creating a request packet corresponding to a particular packet, with the request packet including: the particular packet, a service identification of at least one service of one or more services to be applied to the particular packet by one or more application nodes, and an identification of a particular VPN associated with the particular packet; forwarding the request packet to a particular application node of said one or more application nodes; receiving a response packet corresponding to said forwarded request packet, the response packet including a service-applied packet corresponding to the particular packet after said one or more services have been applied to the particular packet by said one or more application nodes, with the response packet including a particular identification of the particular VPN; and forwarding the service-applied packet or a packet derived from the service-applied packet according to forwarding information for the particular VPN.
  • an application node performs one or more services described in a request packet to an embedded packet.
  • the packet switching device performs operations, including: creating a request packet corresponding to a particular packet, with the request packet including: the particular packet, an identification of a general service to be applied to the particular packet by one or more application nodes, and one or more service parameters for the general service defining a particular service of the general service; forwarding the request packet to a particular application node of said one or more application nodes; receiving a response packet corresponding to said forwarded request packet, the response packet including a service-applied packet corresponding to the particular packet after at least the particular service has been applied to the particular packet by said one or more application nodes; and forwarding the service-applied packet or a packet derived from the service-applied packet from the packet switching device.
  • the request and/or response packet includes an identification of a particular virtual private network (VPN) associated with the particular packet.
  • VPN virtual private network
  • a particular packet having one or more services applied to it by an application node is referred to herein as a services-applied packet, regardless of whether the application of the service(s) resulted in the same particular packet, a modified particular packet, or a different packet.
  • Embodiments described herein include various elements and limitations, with no one element or limitation contemplated as being a critical element or limitation. Each of the claims individually recites an aspect of the embodiment in its entirety. Moreover, some embodiments described may include, but are not limited to, inter alia, systems, networks, integrated circuit chips, embedded processors, ASICs, methods, and computer-readable media containing instructions. One or multiple systems, devices, components, etc. may comprise one or more embodiments, which may include some elements or limitations of a claim being performed by the same or different systems, devices, components, etc. A processing element may be a general processor, task-specific processor, or other implementation for performing the corresponding processing.
  • packet refers to a data packet or frame, such as, but not limited to, an Internet Protocol (IP) packet or Ethernet frame; and the format of a packet includes at least a packet header and payload.
  • IP Internet Protocol
  • first,” “second,” etc. are typically used herein to denote different units (e.g., a first element, a second element). The use of these terms herein does not necessarily connote an ordering such as one unit or event occurring or coming before another, but rather provides a mechanism to distinguish between particular units.
  • the phrases “based on x” and “in response to x” are used to indicate a minimum set of items “x” from which something is derived or caused, wherein “x” is extensible and does not necessarily describe a complete list of items on which the operation is performed, etc.
  • the phrase “coupled to” is used to indicate some level of direct or indirect connection between two elements or devices, with the coupling device or devices modifying or not modifying the coupled signal or communicated information.
  • the term “or” is used herein to identify a selection of one or more, including all, of the conjunctive items.
  • transitional term “comprising,” which is synonymous with “including,” “containing,” or “characterized by,” is inclusive or open-ended and does not exclude additional, unrecited elements or method steps.
  • the term “particular machine,” when recited in a method claim for performing steps, refers to a particular machine within the 35 USC § 101 machine statutory class.
  • One embodiment includes a method, comprising: maintaining, by a packet switching device, forwarding information for a plurality of virtual private networks (VPNs); creating, by the packet switching device, a request packet corresponding to a particular packet, with the request packet including: the particular packet, a service identification of at least one service of one or more services to be applied to the particular packet by one or more application nodes, and an identification of a particular VPN associated with the particular packet; forwarding, by the packet switching device, the request packet to a particular application node of said one or more application nodes; receiving, by the packet switching device, a response packet corresponding to said forwarded request packet, the response packet including a service-applied packet corresponding to the particular packet after said one or more services have been applied to the particular packet by said one or more application nodes, with the response packet including a particular identification of the particular VPN; and forwarding, by the packet switching device, the service-applied packet or a packet derived from the service-applied packet according to forwarding information for the particular VPN.
  • VPNs
  • said one or more services include at least one service from a group of services consisting of: layer-4, layer-5, layer-6, and layer-7 services. In one embodiment, said one or more services include at least one service from a group of services consisting of: Firewall (FW), Network Address Translation (NAT), Network-based Application Recognition (NBAR), authentication, encryption and Internet Protocol Security (IPsec).
  • FW Firewall
  • NAT Network Address Translation
  • NBAR Network-based Application Recognition
  • IPsec Internet Protocol Security
  • the identification of the particular VPN is encoded in a type-length-value (TLV) element in the request packet; and wherein the particular identification of the particular VPN is encoded in a TLV element in the response packet.
  • TLV type-length-value
  • the identification of the particular VPN in the request packet and the particular identification of the particular VPN in the response packet are each encoded in a same type-length-value (TLV) element in the respective said request and response packets.
  • the request packet includes a Multiprotocol Label Switching (MPLS) label stack for reaching the application node, immediately followed by a nibble of value zero identifying that the request packet has encoded therein service information, wherein said service information includes the service identification.
  • the response packet includes a Multiprotocol Label Switching (MPLS) label stack for reaching the packet switching device, immediately followed by a nibble of value zero identifying that the response packet has encoded therein service information, wherein said service information includes the particular identification of the particular VPN.
  • MPLS Multiprotocol Label Switching
  • each of said one or more application nodes is external to the packet switching device.
  • One embodiment includes: receiving, by the packet switching device, the particular packet from a node external to the packet switching device; and determining, by the packet switching device, to forward the particular packet to the particular application node for applying at least one of said one or more services to the particular packet by said one or more application nodes.
  • One embodiment includes: creating, by the packet switching device, the particular packet.
  • One embodiment includes a packet switching device, comprising: one or more storage devices configured for maintaining different forwarding information for each of a plurality of virtual private networks (VPNs); a first interface of a plurality of interfaces configured to receive a particular packet, with the first interface associated with a particular VPN of the plurality of VPNs; a classifier configured to determine, for a particular packet received on the first interface, to forward the particular packet to an application node of one or more application nodes, remote from the packet switching device, for applying one or more services to the particular packet by said one or more application nodes; a packet processor configured to create a request packet corresponding to the particular packet, with the request packet including: the particular packet, a service identification of at least one service of one or more services to be applied to the particular packet by said one or more application nodes, and an identification of the particular VPN; and a second interface of the plurality of interfaces configured to send the request packet to the application node; wherein the packet switching device is configured to receive a response packet, corresponding to said sent request packet,
  • said one or more services include at least one service from a group of services consisting of: layer-4, layer-5, layer-6, and layer-7 services.
  • One embodiment includes a method, comprising: receiving, by an application node of one or more application nodes in a network, a request packet, including: a particular packet, a service identification of at least one service of one or more services to be applied to the particular packet by said one or more application nodes, and an identification of a particular virtual private network (VPN); applying, by the application node based on the service identification said received in the request packet, said at least one service to the particular packet said received in the request packet, such that the result of said applying operation is a service-applied packet corresponding to the particular packet; creating, by the application node, a response packet corresponding to said received request packet, with the response packet including: the service-applied packet, and a particular identification of the particular VPN, such that a service node can determine the forwarding information corresponding to the particular VPN; and sending the response packet to: the service node, or another application node for applying one or more additional services of said one or more services to the service-applied packet before a packet derived from the service-
  • said operation of applying said at least one service to the particular packet includes applying said at least one service to the particular packet based on the particular VPN.
  • the application node sends the response packet to the service node and not to said another application node.
  • One embodiment includes: identifying, by the application node based on a nibble of value zero immediately following a Multiprotocol Label Switching (MPLS) label stack for reaching the application node included in the request packet, that the request packet includes service information, wherein said service information includes the service identification and the identification of the particular VPN.
  • One embodiment includes a method, comprising: creating, by a packet switching device, a request packet corresponding to a particular packet, with the request packet including: the particular packet, an identification of a general service to be applied to the particular packet by one or more application nodes, and one or more service parameters for the general service defining a particular service of the general service; forwarding, by the packet switching device, the request packet to a particular application node of said one or more application nodes; receiving, by the packet switching device, a response packet corresponding to said forwarded request packet, the response packet including a service-applied packet corresponding to the particular packet after at least the particular service has been applied to the particular packet by said one or more application nodes; and forwarding the service-applied packet or a packet derived from the service-applied packet from the packet switching device.
  • the identification of the general service and said one or more service parameters for the general service are encoded in one or more type-length-value (TLV) elements in the request packet.
  • the general service is a Firewall (FW) service
  • the particular service is a service from a group consisting of: inside to outside, and outside to inside.
  • One embodiment includes: maintaining, by a packet switching device, forwarding information for a plurality of virtual private networks (VPNs); wherein the request packet and the response packet each include an identification of a particular VPN of the plurality of VPNs, with the particular VPN associated with the particular packet; and wherein said operation of forwarding the service-applied packet or a packet derived from the service-applied packet from the packet switching device is based on said maintained forwarding information for the particular VPN.
  • One embodiment includes: receiving, by the packet switching device, the particular packet from a node external to the packet switching device; and determining, by the packet switching device, to forward the particular packet to the particular application node for applying at least one of said one or more services to the particular packet by said one or more application nodes. In one embodiment, each of said one or more application nodes is external to the packet switching device.
  • One embodiment includes: creating, by the packet switching device, the particular packet.
  • One embodiment includes: receiving, by an application node of one or more application nodes in a network, a request packet, including: a particular packet, an identification of a general service to be applied to the particular packet by one or more application nodes, and one or more service parameters for the general service defining a particular service of the general service; applying, by the application node, the particular service to the particular packet, such that the result of said applying operation is a service-applied packet corresponding to the particular packet; creating, by the application node, a response packet corresponding to said received request packet, with the response packet including: the service-applied packet; and sending the response packet to: a service node, or another application node for applying one or more additional services of said one or more services to the service-applied packet before a packet derived from the service-applied packet is communicated to the service node.
  • the identification of the general service and said one or more service parameters for the general service are encoded in one or more type-length-value (TLV) elements in the request packet.
  • the request packet and the response packet each include an identification of a particular virtual private network (VPN) of a plurality of VPNs, with the particular VPN associated with the particular packet.
  • said application of the particular service to the particular packet is based on the particular VPN.
  • FIG. 1A illustrates network 100 operating according to one embodiment, wherein a service node (e.g., packet switching device 102 - 103 ) sends a packet to an application node ( 108 - 109 ) for performing one or more services to the packet by one or more application nodes ( 108 - 109 ).
  • Network 100 illustrates a typical configuration of a service provider network 101 , which has edge packet switching devices 102 - 103 communicatively coupled to customer networks 111 - 119 ; and within service provider network 101 , service provider nodes 102 - 103 and 108 - 109 are communicatively coupled ( 105 ).
  • one embodiment performs the operations of sending packets to application node(s) for applying service(s) in one or more networks different than network 100 ; and one embodiment performs the operations of receiving packets by application node(s) for applying service(s) in one or more networks different than network 100 .
  • packet switching devices 102 - 103 (“service nodes”) are configured for sending packets to one or more application nodes 108 - 109 for applying one or more services, with the resulting services-applied packet being returned to the originating packet switching device ( 102 - 103 ).
  • packet switching devices 102-103 do not have to have the capability to apply the service themselves, and new services can be developed to be performed by an application node 108-109 without having to be integrated into a packet switching device 102-103, which is typically more costly in terms of development and testing.
  • Shown in FIG. 1B is a generalized configuration including service node 151 (e.g., packet switching device/appliance) and application node(s) 153 (e.g., packet switching device/appliance such as, but not limited to, a Cisco ASR 1000), communicatively coupled via network 152.
  • service node 151 sends a request packet ( 161 ) encapsulating an original packet to application node(s) 153 , which applies one or more services to the original packet.
  • a response packet is sent ( 162 ) from application node(s) 153 to originating service node 151 , with the response packet including the encapsulated services-applied packet (e.g., the result of one or more services being applied to the original packet, which is typically the same, or a modification of, the original packet).
  • FIG. 1C is a block diagram of an apparatus or component 170 used in one embodiment associated with a service node (e.g., packet switching device) using one or more services applied to packets by an application node (e.g., a packet switching device and/or computing platform).
  • apparatus or component 170 performs one or more processes corresponding to one of the flow diagrams illustrated or otherwise described herein.
  • apparatus or component 170 includes one or more processing element(s) 171 , memory 172 , storage device(s) 173 , specialized component(s) 175 (e.g. optimized hardware such as for performing operations, etc.), and interface(s) 177 for communicating information (e.g., sending and receiving packets, user-interfaces, displaying information, etc.), which are typically communicatively coupled via one or more communications mechanisms 179 , with the communications paths typically tailored to meet the needs of the application.
  • apparatus or component 170 corresponds to, or is part of, a service or application node illustrated in one of the other figures or otherwise described herein.
  • apparatus or component 170 may include more or fewer elements.
  • the operation of apparatus or component 170 is typically controlled by processing element(s) 171 using memory 172 and storage device(s) 173 to perform one or more tasks or processes.
  • Memory 172 is one type of computer-readable/computer-storage medium, and typically comprises random access memory (RAM), read only memory (ROM), flash memory, integrated circuits, and/or other memory components.
  • RAM random access memory
  • ROM read only memory
  • Memory 172 typically stores computer-executable instructions to be executed by processing element(s) 171 and/or data which is manipulated by processing element(s) 171 for implementing functionality in accordance with an embodiment.
  • Storage device(s) 173 are another type of computer-readable medium, and typically comprise solid state storage media, disk drives, diskettes, networked services, tape drives, and other storage devices. Storage device(s) 173 typically store computer-executable instructions to be executed by processing element(s) 171 and/or data which is manipulated by processing element(s) 171 for implementing functionality in accordance with an embodiment.
  • FIG. 2A illustrates a process performed in one embodiment by a service node, such as, but not limited to, a packet switching device. Processing begins with process block 200 .
  • the service node receives or generates a packet. For example, the packet may be generated by the service node itself, or even by processing of another packet.
  • In process block 204 (assuming it is not already known that the packet should be sent to an application node, e.g., because it is a generated packet or because all packets are sent to an application node), the packet is evaluated to determine whether or not it should be sent to an application node.
  • In process block 206, normal local processing of the packet is performed (e.g., apply one or more features, forward or drop, etc.). Otherwise processing proceeds to process block 210, as process block 205 identified that the packet is to be sent to an application node for applying one or more Layer-4 to Layer-7 services to the packet by one or more application nodes.
  • the use of the phrase “applying one or more services to the packet” includes a series of applications applied to the packet, with the packet possibly being modified between the application of some of these services such that one or more of the services is applied to a modified original packet.
  • these Layer-4 to Layer-7 services include, but are not limited to, Firewall (FW), Network Address Translation (NAT), Network-based Application Recognition (NBAR), authentication, encryption and Internet Protocol Security (IPsec).
  • any parameters are acquired, and the request packet is created.
  • the request packet includes the original packet, as well as other ServiceWire attributes, such as, but not limited to: an identification of one or more services to be applied to the packet, an identification of a virtual private network (VPN) associated with the packet (e.g., a VPN associated with an interface on which the packet was received), etc.
  • the service identification is a single value.
  • the service identification includes the identification of a generalized service (e.g., Firewall) and a specific service of the generalized service (e.g., inside-to-outside, outside-to-inside).
  • the request packet (e.g., a ServiceWire packet encapsulating the original packet) is sent to an application node.
  • a response packet corresponding to the sent request packet, is received, with the response packet being a ServiceWire packet encapsulating the services-applied packet corresponding to the original packet (i.e., the result of one or more services being applied to the original packet by one or more application nodes).
  • the service node processes the services-applied packet.
  • Such processing includes, but is not limited to: the service node applying one or more additional services to the services-applied packet; the service node forwarding or dropping the services-applied packet; the service node performing a lookup operation in the forwarding information for the VPN identified in the response packet, selected from the multiple sets of forwarding information maintained for different VPNs; repeating the process illustrated in FIG. 2A by returning to process block 204; etc.
  • Processing of the flow diagram of FIG. 2A is represented by process block 219 .
  • FIG. 2B illustrates a command 250 , used in one embodiment, for configuring the service definition in a service node.
  • command 250 includes:
  • FIG. 2C illustrates a ServiceWire request packet ( 280 ) used in one embodiment.
  • request packet 280 encapsulates original packet 283 , which is to have one or more services applied to it by one or more application nodes.
  • request packet 280 comprises one or more fields 281 , which includes information to get the request packet from the service node to the first application node of one or more application nodes.
  • the format of request packet 280 may be in one of an extensible number of formats, such as, but not limited to, MPLS, Ethernet, GRE, HDLC, PPP, etc., with one or more fields 281 conforming to the particular packet format.
  • ServiceWire encapsulation 282 includes information required for defining the one or more applications to be applied to original packet 283 , as well as possibly additional information (e.g., VPN information to be returned to the service node so it can properly forward a packet).
  • field 282 has a first nibble of zero to identify that ServiceWire encapsulation follows, whereas normally the first nibble would be four or six to identify that an IPv4 or IPv6 packet is encapsulated.
  • ServiceWire encapsulation 282 encodes the ServiceWire information (e.g., identification of a service, identification of a general and specific services, VPN information, etc.) in one or more Type-Length-Value (TLV) structures.
  • TLV Type-Length-Value
  • FIG. 3A illustrates a process performed, in one embodiment, by an application node. Processing begins with process block 300 .
  • the application node receives the request packet for which to apply one or more services to the packet encapsulated therein.
  • the application node is remote from the service node (e.g., communicatively coupled via a network external to the service and application nodes).
  • the service and application nodes are within a same packet switching appliance, such as with the application node being a blade server.
  • the application node identifies, based on information included in the request packet (e.g., in the ServiceWire encapsulation) one or more services to apply to the encapsulated packet.
  • the application node applies one or more of the identified service(s) to the encapsulated packet.
  • some remedial or other action is typically taken.
  • the services-applied packet (e.g., the original packet or a modification thereof based on the application of one or more services) is sent in a request packet to another application node to apply one or more services; or the services-applied packet is sent in a response packet back to the originating service node.
  • the response packet may include one or more attributes or other information, such as, but not limited to, an identification of a VPN associated with the services-applied packet (e.g., the same or different identifier identifying a VPN in the ServiceWire or other encapsulation of the received request packet).
  • Processing of the flow diagram of FIG. 3A is complete as indicated by process block 312 .
  • FIG. 3B illustrates a command 350 , used in one embodiment, for configuring the service definition in an application node.
  • command 350 includes:
  • FIG. 3C illustrates a ServiceWire response packet ( 380 ) used in one embodiment.
  • response packet 380 encapsulates the services-applied packet 383 , which is the original packet after having the one or more services applied to it by one or more application nodes.
  • services-applied packet 383 packet can be the original packet, or a modification thereof resulting from the application of these services.
  • response packet 380 comprises one or more fields 381 , which includes information to get the response packet from the application node to the service node.
  • the format of response packet 380 may be in one of an extensible number of formats, such as, but not limited to, MPLS, Ethernet, GRE, HDLC, PPP, etc., with one or more fields 381 conforming to the particular packet format.
  • ServiceWire encapsulation 382 includes information for use by the service node in processing encapsulated services-applied packet 383 (e.g., VPN information so the service node can properly forward services-applied packet 383 ).
  • field 382 has its first nibble as zero to identify ServiceWire encapsulation follows, when normally the first nibble would be four or six to identify an IPv4 or IPv6 packet is encapsulated.
  • ServiceWire encapsulation 382 encodes the ServiceWire information (e.g., identification of a service, identification of a general and specific services, VPN information, etc.) in one or more Type-Length-Value (TLV) structures.
  • TLV Type-Length-Value

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Packets are encapsulated and sent from a service node to an application node for applying one or more Layer-4 to Layer-7 services to the packets, with service-applied packets being returned to the service node. An identification of a virtual private network (VPN) may be carried within a request packet, encapsulating a particular packet, sent by a service node to an application node for applying a service to the particular packet; with the corresponding response packet sent to the service node including an identification of the VPN for use by the service node in forwarding the services-applied packet. Additionally, parameters may be included in a request packet to identify a particular service of a general service to be applied to a particular packet encapsulated in the request packet.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation of U.S. patent application Ser. No. 12/827,157, filed Jun. 30, 2010, which is hereby incorporated by reference in its entirety.
TECHNICAL FIELD
The present disclosure relates generally to communicating information in a network.
BACKGROUND
The communications industry is rapidly changing to adjust to emerging technologies and ever increasing customer demand. This customer demand for new applications and increased performance of existing applications is driving communications network and system providers to employ networks and systems having greater speed and capacity (e.g., greater bandwidth). In trying to achieve these goals, a common approach taken by many communications providers is to use packet switching technology.
Layer-4 to layer-7 services are often applied to packets being sent through a packet switching device. Service Insertion Architecture, such as that disclosed in US Patent Application Publication 2008/0177896 A1 published Jul. 24, 2008, teaches one approach to providing network services outside the packet switching device.
BRIEF DESCRIPTION OF THE DRAWINGS
The appended claims set forth the features of one or more embodiments with particularity. The embodiment(s), together with its advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings of which:
FIG. 1A illustrates a network operating according to one embodiment;
FIG. 1B illustrates a network operating according to one embodiment;
FIG. 1C illustrates an apparatus or component used in one embodiment;
FIG. 2A illustrates a process performed in one embodiment;
FIG. 2B illustrates a configuration process performed in one embodiment;
FIG. 2C illustrates a packet format used in one embodiment;
FIG. 3A illustrates a process performed in one embodiment;
FIG. 3B illustrates a configuration process performed in one embodiment; and
FIG. 3C illustrates a packet format used in one embodiment.
DESCRIPTION OF EXAMPLE EMBODIMENTS
1. Overview
Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with a service node (e.g., packet switching device) using one or more services applied to packets by an application node (e.g., a packet switching device and/or computing platform). An example of an application node used in one embodiment is a Cisco ASR 1000, which is a packet switching device with service processing capability. One embodiment includes a packet switching device, which sends packets to one or more application nodes to apply one or more services to a packet, either internally generated or received from an external source.
In one embodiment, the packet switching device performs operations, including: maintaining forwarding information for a plurality of virtual private networks (VPNs); creating a request packet corresponding to a particular packet, with the request packet including: the particular packet, a service identification of at least one service of one or more services to be applied to the particular packet by one or more application nodes, and an identification of a particular VPN associated with the particular packet; forwarding the request packet to a particular application node of said one or more application nodes; receiving a response packet corresponding to said forwarded request packet, the response packet including a service-applied packet corresponding to the particular packet after said one or more services have been applied to the particular packet by said one or more application nodes, with the response packet including a particular identification of the particular VPN; and forwarding the service-applied packet or a packet derived from the service-applied packet according to forwarding information for the particular VPN. In one embodiment, an application node performs one or more services described in a request packet to an embedded packet.
In one embodiment, the packet switching device performs operations, including: creating a request packet corresponding to a particular packet, with the request packet including: the particular packet, an identification of a general service to be applied to the particular packet by one or more application nodes, and one or more service parameters for the general service defining a particular service of the general service; forwarding the request packet to a particular application node of said one or more application nodes; receiving a response packet corresponding to said forwarded request packet, the response packet including a service-applied packet corresponding to the particular packet after at least the particular service has been applied to the particular packet by said one or more application nodes; and forwarding the service-applied packet or a packet derived from the service-applied packet from the packet switching device. In one embodiment, the request and/or response packet includes an identification of a particular virtual private network (VPN) associated with the particular packet. In one embodiment, an application node performs one or more services described in a request packet to an embedded packet.
2. Description
Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with a service node (e.g., packet switching device) using one or more services applied to packets by an application node (e.g., a packet switching device and/or computing platform). Note, a particular packet having one or more services applied to it by an application node is referred to herein as a services-applied packet, regardless of whether the application of the service(s) resulted in the same particular packet, a modified particular packet, or a different packet.
Embodiments described herein include various elements and limitations, with no one element or limitation contemplated as being a critical element or limitation. Each of the claims individually recites an aspect of the embodiment in its entirety. Moreover, some embodiments described may include, but are not limited to, inter alia, systems, networks, integrated circuit chips, embedded processors, ASICs, methods, and computer-readable media containing instructions. One or multiple systems, devices, components, etc. may comprise one or more embodiments, which may include some elements or limitations of a claim being performed by the same or different systems, devices, components, etc. A processing element may be a general processor, task-specific processor, or other implementation for performing the corresponding processing. The embodiments described hereinafter embody various aspects and configurations, with the figures illustrating exemplary and non-limiting configurations. Note, computer-readable media and means for performing methods and processing block operations (e.g., a processor and memory or other apparatus configured to perform such operations) are disclosed and are in keeping with the extensible scope and spirit of the embodiments. Note, the term “apparatus” is used consistently herein with its common definition of an appliance or device. The term “packet” refers to a data packet or frame, such as, but not limited to, an Internet Protocol (IP) packet or Ethernet frame; and the format of a packet includes at least a packet header and payload.
Note, the steps, connections, and processing of signals and information illustrated in the figures, including, but not limited to any block and flow diagrams and message sequence charts, may typically be performed in the same or in a different serial or parallel ordering and/or by different components and/or processes, threads, etc., and/or over different connections and be combined with other functions in other embodiments, unless this disables the embodiment or a sequence is explicitly or implicitly required (e.g., for a sequence of read the value, process said read value—the value must be obtained prior to processing it, although some of the associated processing may be performed prior to, concurrently with, and/or after the read operation). Also note, nothing described or referenced in this document is admitted as prior art to this application unless explicitly so stated.
The term “one embodiment” is used herein to reference a particular embodiment, wherein each reference to “one embodiment” may refer to a different embodiment, and the use of the term repeatedly herein in describing associated features, elements and/or limitations does not establish a cumulative set of associated features, elements and/or limitations that each and every embodiment must include, although an embodiment typically may include all these features, elements and/or limitations. In addition, the terms “first,” “second,” etc. are typically used herein to denote different units (e.g., a first element, a second element). The use of these terms herein does not necessarily connote an ordering such as one unit or event occurring or coming before another, but rather provides a mechanism to distinguish between particular units. Moreover, the phrases “based on x” and “in response to x” are used to indicate a minimum set of items “x” from which something is derived or caused, wherein “x” is extensible and does not necessarily describe a complete list of items on which the operation is performed, etc. Additionally, the phrase “coupled to” is used to indicate some level of direct or indirect connection between two elements or devices, with the coupling device or devices modifying or not modifying the coupled signal or communicated information. Moreover, the term “or” is used herein to identify a selection of one or more, including all, of the conjunctive items. Additionally, the transitional term “comprising,” which is synonymous with “including,” “containing,” or “characterized by,” is inclusive or open-ended and does not exclude additional, unrecited elements or method steps. Finally, the term “particular machine,” when recited in a method claim for performing steps, refers to a particular machine within the 35 USC §101 machine statutory class.
Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with a service node (e.g., a packet switching device) using one or more services applied to packets by an application node (e.g., a packet switching device and/or computing platform). One embodiment includes a method, comprising: maintaining, by a packet switching device, forwarding information for a plurality of virtual private networks (VPNs); creating, by the packet switching device, a request packet corresponding to a particular packet, with the request packet including: the particular packet, a service identification of at least one service of one or more services to be applied to the particular packet by one or more application nodes, and an identification of a particular VPN associated with the particular packet; forwarding, by the packet switching device, the request packet to a particular application node of said one or more application nodes; receiving, by the packet switching device, a response packet corresponding to said forwarded request packet, the response packet including a service-applied packet corresponding to the particular packet after said one or more services have been applied to the particular packet by said one or more application nodes, with the response packet including a particular identification of the particular VPN; and forwarding, by the packet switching device, the service-applied packet or a packet derived from the service-applied packet according to forwarding information for the particular VPN.
In one embodiment, said one or more services include at least one service from a group of services consisting of: layer-4, layer-5, layer-6, and layer-7 services. In one embodiment, said one or more services include at least one service from a group of services consisting of: Firewall (FW), Network Address Translation (NAT), Network-based Application Recognition (NBAR), authentication, encryption and Internet Protocol Security (IPsec). In one embodiment, the identification of the particular VPN is encoded in a type-length-value (TLV) element in the request packet; and wherein the particular identification of the particular VPN is encoded in a TLV element in the response packet. In one embodiment, the identification of the particular VPN in the request packet and the particular identification of the particular VPN in the response packet are each encoded in a same type-length-value (TLV) element in the respective said request and response packets. In one embodiment, the request packet includes a Multiprotocol Label Switching (MPLS) label stack for reaching the application node, immediately followed by a nibble of value zero identifying that the request packet has encoded therein service information, wherein said service information includes the service identification. In one embodiment, the response packet includes a Multiprotocol Label Switching (MPLS) label stack for reaching the packet switching device, immediately followed by a nibble of value zero identifying that the response packet has encoded therein service information, wherein said service information includes the particular identification of the particular VPN. In one embodiment, each of said one or more application nodes is external to the packet switching device. 
One embodiment includes: receiving, by the packet switching device, the particular packet from a node external to the packet switching device; and determining, by the packet switching device, to forward the particular packet to the particular application node for applying at least one of said one or more services to the particular packet by said one or more application nodes. In one embodiment, each of said one or more application nodes is external to the packet switching device. One embodiment includes: creating, by the packet switching device, the particular packet.
One embodiment includes a packet switching device, comprising: one or more storage devices configured for maintaining different forwarding information for each of a plurality of virtual private networks (VPNs); a first interface of a plurality of interfaces configured to receive a particular packet, with the first interface associated with a particular VPN of the plurality of VPNs; a classifier configured to determine, for a particular packet received on the first interface, to forward the particular packet to an application node of one or more application nodes, remote from the packet switching device, for applying one or more services to the particular packet by said one or more application nodes; a packet processor configured to create a request packet corresponding to the particular packet, with the request packet including: the particular packet, a service identification of at least one service of one or more services to be applied to the particular packet by said one or more application nodes, and an identification of the particular VPN; and a second interface of the plurality of interfaces configured to send the request packet to the application node; wherein the packet switching device is configured to receive a response packet, corresponding to said sent request packet, on one of the plurality of interfaces, with the response packet including a service-applied packet corresponding to the particular packet after said one or more services have been applied to the particular packet by said one or more application nodes, with the response packet including a particular identification of the particular VPN; and wherein the packet switching device is configured to forward the service-applied packet or a packet derived from the service-applied packet from one of the plurality of interfaces according to forwarding information for the particular VPN stored in at least one of said storage devices.
In one embodiment, wherein said one or more services include at least one service from a group of services consisting of: layer-4, layer-5, layer-6, and layer-7 services. In one embodiment, the identification of the particular VPN in the request packet and the particular identification of the particular VPN in the response packet are each encoded in a same type-length-value (TLV) element in the respective said request and response packets.
One embodiment includes a method, comprising: receiving, by an application node of one or more application nodes in a network, a request packet, including: a particular packet, a service identification of at least one service of one or more services to be applied to the particular packet by said one or more application nodes, and an identification of a particular virtual private network (VPN); applying, by the application node based on the service identification said received in the request packet, said at least one service to the particular packet said received in the request packet, such that the result of said applying operation is a service-applied packet corresponding to the particular packet; creating, by the application node, a response packet corresponding to said received request packet, with the response packet including: the service-applied packet, and a particular identification of the particular VPN, such that a service node can determine the forwarding information corresponding to the particular VPN; and sending the response packet to: the service node, or another application node for applying one or more additional services of said one or more services to the service-applied packet before a packet derived from the service-applied packet is communicated to the service node.
In one embodiment, said operation of applying said at least one service to the particular packet includes applying said at least one service to the particular packet based on the particular VPN. In one embodiment, the application node sends the response packet to the service node and not to said another application node. In one embodiment, the request packet includes a Multiprotocol Label Switching (MPLS) label stack for reaching the application node, immediately followed by a nibble of value zero identifying that the request packet has encoded therein service information, wherein said service information includes the service identification. One embodiment includes: identifying, by the application node based on a nibble of value zero immediately following a Multiprotocol Label Switching (MPLS) label stack for reaching the application node included in the request packet, that the request packet includes service information, wherein said service information includes the service identification and the identification of the particular VPN.
One embodiment includes a method, comprising: creating, by a packet switching device, a request packet corresponding to a particular packet, with the request packet including: the particular packet, an identification of a general service to be applied to the particular packet by one or more application nodes, and one or more service parameters for the general service defining a particular service of the general service; forwarding, by the packet switching device, the request packet to a particular application node of said one or more application nodes; receiving, by the packet switching device, a response packet corresponding to said forwarded request packet, the response packet including a service-applied packet corresponding to the particular packet after at least the particular service has been applied to the particular packet by said one or more application nodes; and forwarding the service-applied packet or a packet derived from the service-applied packet from the packet switching device.
In one embodiment, the identification of the general service and said one or more service parameters for the general service are encoded in one or more type-length-value (TLV) elements in the request packet. In one embodiment, the general service is a Firewall (FW) service, and the particular service is a service from a group consisting of: inside to outside, and outside to inside. One embodiment includes: maintaining, by a packet switching device, forwarding information for a plurality of virtual private networks (VPNs); wherein the request packet and the response packet each include an identification of a particular VPN of the plurality of VPNs, with the particular VPN associated with the particular packet; and wherein said operation of forwarding the service-applied packet or a packet derived from the service-applied packet from the packet switching device is based on said maintained forwarding information for the particular VPN. One embodiment includes: receiving, by the packet switching device, the particular packet from a node external to the packet switching device; and determining, by the packet switching device, to forward the particular packet to the particular application node for applying at least one of said one or more services to the particular packet by said one or more application nodes. In one embodiment, each of said one or more application nodes is external to the packet switching device. One embodiment includes: creating, by the packet switching device, the particular packet.
One embodiment includes: receiving, by an application node of one or more application nodes in a network, a request packet, including: a particular packet, an identification of a general service to be applied to the particular packet by one or more application nodes, and one or more service parameters for the general service defining a particular service of the general service; applying, by the application node, the particular service to the particular packet, such that the result of said applying operation is a service-applied packet corresponding to the particular packet; creating, by the application node, a response packet corresponding to said received request packet, with the response packet including: the service-applied packet; and sending the response packet to: a service node, or another application node for applying one or more additional services of said one or more services to the service-applied packet before a packet derived from the service-applied packet is communicated to the service node. In one embodiment, the identification of the general service and said one or more service parameters for the general service are encoded in one or more type-length-value (TLV) elements in the request packet. In one embodiment, the request packet and the response packet each include an identification of a particular virtual private network (VPN) of a plurality of VPNs, with the particular VPN associated with the particular packet. In one embodiment, said application of the particular service to the particular packet is based on the particular VPN.
Expressly turning to the figures, FIG. 1A illustrates network 100 operating according to one embodiment, wherein a service node (e.g., packet switching device 102-103) sends a packet to an application node (108-109) for applying one or more services to the packet by one or more application nodes (108-109). Network 100 illustrates a typical configuration of a service provider network 101, which has edge packet switching devices 102-103 communicatively coupled to customer networks 111-119; and within service provider network 101, service provider nodes 102-103 and 108-109 are communicatively coupled (105).
Note, one embodiment performs the operations of sending packets to application node(s) for applying service(s) in one or more networks different than network 100; and one embodiment performs the operations of receiving packets by application node(s) for applying service(s) in one or more networks different than network 100.
As illustrated in FIG. 1A, packet switching devices 102-103 (“service nodes”) are configured for sending packets to one or more application nodes 108-109 for applying one or more services, with the resulting services-applied packet being returned to the originating packet switching device (102-103). Thus, packet switching devices 102-103 do not themselves need the capability to apply the service to the particular packet, and new services can be developed to run on an application node 108-109 without being integrated into a packet switching device 102-103, which is typically more costly in terms of development and testing.
Next, shown in FIG. 1B is a generalized configuration including service node 151 (e.g., packet switching device/appliance), application node(s) 153 (e.g., packet switching device/appliance such as, but not limited to, a Cisco ASR 1000), communicatively coupled via network 152. As shown, service node 151 sends a request packet (161) encapsulating an original packet to application node(s) 153, which applies one or more services to the original packet. A response packet is sent (162) from application node(s) 153 to originating service node 151, with the response packet including the encapsulated services-applied packet (e.g., the result of one or more services being applied to the original packet, which is typically the same, or a modification of, the original packet).
FIG. 1C is a block diagram of an apparatus or component 170 used in one embodiment associated with a service node (e.g., packet switching device) using one or more services applied to packets by an application node (e.g., a packet switching device and/or computing platform). In one embodiment, apparatus or component 170 performs one or more processes corresponding to one of the flow diagrams illustrated or otherwise described herein.
In one embodiment, apparatus or component 170 includes one or more processing element(s) 171, memory 172, storage device(s) 173, specialized component(s) 175 (e.g. optimized hardware such as for performing operations, etc.), and interface(s) 177 for communicating information (e.g., sending and receiving packets, user-interfaces, displaying information, etc.), which are typically communicatively coupled via one or more communications mechanisms 179, with the communications paths typically tailored to meet the needs of the application. In one embodiment apparatus or component 170 corresponds to, or is part of, a service or application node illustrated in one of the other figures or otherwise described herein.
Various embodiments of apparatus or component 170 may include more or less elements. The operation of apparatus or component 170 is typically controlled by processing element(s) 171 using memory 172 and storage device(s) 173 to perform one or more tasks or processes. Memory 172 is one type of computer-readable/computer-storage medium, and typically comprises random access memory (RAM), read only memory (ROM), flash memory, integrated circuits, and/or other memory components. Memory 172 typically stores computer-executable instructions to be executed by processing element(s) 171 and/or data which is manipulated by processing element(s) 171 for implementing functionality in accordance with an embodiment. Storage device(s) 173 are another type of computer-readable medium, and typically comprise solid state storage media, disk drives, diskettes, networked services, tape drives, and other storage devices. Storage device(s) 173 typically store computer-executable instructions to be executed by processing element(s) 171 and/or data which is manipulated by processing element(s) 171 for implementing functionality in accordance with an embodiment.
FIG. 2A illustrates a process performed in one embodiment by a service node, such as, but not limited to, a packet switching device. Processing begins with process block 200. In process block 202, the service node receives or generates a packet. For example, the packet may be generated by the service node itself, or even by processing of another packet. In process block 204 (assuming it is not already known that the packet should be sent to an application node, e.g., because it is a generated packet or because all packets are sent to an application node), the packet is evaluated to determine whether or not it should be sent to an application node. As identified in process block 205, if the packet should not be sent to an application node, then in process block 206, normal local processing of the packet is performed (e.g., apply one or more features, forward or drop, etc.). Otherwise processing proceeds to process block 210, as process block 205 identified that the packet is to be sent to an application node for applying one or more Layer-4 to Layer-7 services by one or more application nodes to the packet.
Note, the use of the phrase “applying one or more services to the packet” includes a series of applications applied to the packet, with the packet possibly being modified between the application of some of these services such that one or more of the services is applied to a modified original packet. Further, examples of these Layer-4 to Layer-7 services include, but are not limited to, Firewall (FW), Network Address Translation (NAT), Network-based Application Recognition (NBAR), authentication, encryption and Internet Protocol Security (IPsec).
In process block 210, any parameters (e.g., VPN identification, specialized service parameters, label stacks, etc.) are acquired, and the request packet is created. The request packet includes the original packet, as well as other ServiceWire attributes, such as, but not limited to: an identification of one or more services to be applied to the packet, an identification of a virtual private network (VPN) associated with the packet (e.g., a VPN associated with an interface on which the packet was received), etc. In one embodiment, the service identification is a single value. In one embodiment, the service identification includes the identification of a generalized service (e.g., Firewall) and a specific service of the generalized service (e.g., inside-to-outside, outside-to-inside). Next, in process block 212, the request packet (e.g., a ServiceWire packet encapsulating the original packet) is sent to an application node. In process block 214, a response packet, corresponding to the sent request packet, is received, with the response packet being a ServiceWire packet encapsulating the services-applied packet corresponding to the original packet (i.e., the result of one or more services being applied to the original packet by one or more application nodes). In process block 216, the service node processes the services-applied packet. Examples of such processing include, but are not limited to: the service node applying one or more additional services to the services-applied packet; the service node forwarding or dropping the services-applied packet; the service node performing a lookup operation in the forwarding information for the VPN identified in the response packet, selected from multiple sets of forwarding information maintained for different VPNs; and repeating the process illustrated in FIG. 2A by returning to process block 204. Processing of the flow diagram of FIG. 2A is complete as represented by process block 219.
FIG. 2B illustrates a command 250, used in one embodiment, for configuring the service definition in a service node. As shown, command 250 includes:
    • a user-defined name of the ServiceWire service (251);
    • a user description/comment (252);
    • application node definition (253) including the address of the application node to which to send a packet as well as the identification of the service(s) to be applied (e.g., which may be a specific service, or a generalized service and one or more values to define a specific service of the generalized service);
    • backup application node definition (254); and
    • mode hairpin (255) defining that the one or more application nodes will return a response packet including the services applied packet to the originating service node.
Next, FIG. 2C illustrates a ServiceWire request packet (280) used in one embodiment. As shown, request packet 280 encapsulates original packet 283, which is to have one or more services applied to it by one or more application nodes. In one embodiment, request packet 280 comprises one or more fields 281, which include the information needed to get the request packet from the service node to the first application node of the one or more application nodes. The format of request packet 280 may be one of an extensible number of formats, such as, but not limited to, MPLS, Ethernet, GRE, HDLC, PPP, etc., with the one or more fields 281 conforming to the particular packet format. ServiceWire encapsulation 282 includes the information required to define the one or more services to be applied to original packet 283, as well as possibly additional information (e.g., VPN information to be returned to the service node so it can properly forward a packet). In one embodiment, such as when fields 281 include an MPLS label stack, the first nibble of field 282 is zero to identify that ServiceWire encapsulation follows, whereas normally the first nibble following the label stack would be four or six to identify that an IPv4 or IPv6 packet is encapsulated. In one embodiment, ServiceWire encapsulation 282 encodes the ServiceWire information (e.g., identification of a service, identification of general and specific services, VPN information, etc.) in one or more Type-Length-Value (TLV) structures.
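As an added illustration of the encapsulation just described (example code written for this page, not from the patent or any Cisco implementation): the numeric TLV type codes, the one-byte-plus-length ServiceWire header, and the sample IPv4 header are all constructed assumptions, since the patent assigns no wire values. The parser checks every TLV length against the enclosing structure before indexing, which is the property a practitioner wants from any code that decodes encapsulation arriving from the network.

```python
import struct

# Constructed TLV type codes for this example; the patent does not assign numeric values.
TLV_GENERAL_SERVICE = 1   # generalized service, e.g. "FW"
TLV_SPECIFIC_SERVICE = 2  # specific service of the generalized one, e.g. "inside-to-outside"
TLV_VPN_ID = 3            # VPN associated with the original packet

# Constructed ServiceWire header: one flag byte whose high nibble is 0, then a
# 16-bit length of the TLV block. After an MPLS label stack a first nibble of
# 4 or 6 would mean a bare IPv4/IPv6 payload; 0 signals ServiceWire encapsulation.
SW_HEADER = struct.Struct("!BH")
TLV_HEADER = struct.Struct("!BH")   # TLV type, TLV value length


def encode_tlvs(attrs):
    """attrs: list of (type, value bytes). Returns the concatenated TLV block."""
    out = bytearray()
    for tlv_type, value in attrs:
        out += TLV_HEADER.pack(tlv_type, len(value)) + value
    return bytes(out)


def build_request(original_packet, attrs):
    """ServiceWire encapsulation 282 followed by original packet 283.
    Fields 281 (e.g. the MPLS label stack) are outside this example."""
    tlvs = encode_tlvs(attrs)
    return SW_HEADER.pack(0x00, len(tlvs)) + tlvs + original_packet


def classify_after_label_stack(payload):
    """Decide what follows the label stack from the first nibble alone."""
    if not payload:
        raise ValueError("empty payload")
    return {4: "ipv4", 6: "ipv6", 0: "servicewire"}.get(payload[0] >> 4, "unknown")


def parse_request(payload):
    """Return (attrs dict, original packet). Every length is checked against the
    enclosing structure: a parser of encapsulation received from the network
    must never trust a TLV length to index past the packet."""
    if classify_after_label_stack(payload) != "servicewire":
        raise ValueError("not a ServiceWire packet")
    if len(payload) < SW_HEADER.size:
        raise ValueError("truncated ServiceWire header")
    _, tlv_len = SW_HEADER.unpack_from(payload, 0)
    end = SW_HEADER.size + tlv_len
    if end > len(payload):
        raise ValueError("TLV block length exceeds packet")
    attrs, pos = {}, SW_HEADER.size
    while pos < end:
        if end - pos < TLV_HEADER.size:
            raise ValueError("truncated TLV header")
        tlv_type, length = TLV_HEADER.unpack_from(payload, pos)
        pos += TLV_HEADER.size
        if pos + length > end:
            raise ValueError("TLV value overruns TLV block")
        attrs[tlv_type] = payload[pos:pos + length]
        pos += length
    return attrs, payload[end:]


# Constructed sample: a minimal 20-byte IPv4 header (version nibble 4, checksum not computed).
SAMPLE_IPV4 = bytes.fromhex("4500001400004000400600000a010105cb007109")
SAMPLE_ATTRS = [
    (TLV_GENERAL_SERVICE, b"FW"),
    (TLV_SPECIFIC_SERVICE, b"inside-to-outside"),
    (TLV_VPN_ID, (100).to_bytes(4, "big")),
]


def roundtrip():
    """Build a request, classify it, and recover the attributes and original packet."""
    req = build_request(SAMPLE_IPV4, SAMPLE_ATTRS)
    attrs, inner = parse_request(req)
    return {
        "request_kind": classify_after_label_stack(req),
        "bare_kind": classify_after_label_stack(SAMPLE_IPV4),
        "general": attrs[TLV_GENERAL_SERVICE].decode(),
        "specific": attrs[TLV_SPECIFIC_SERVICE].decode(),
        "vpn": int.from_bytes(attrs[TLV_VPN_ID], "big"),
        "original_intact": inner == SAMPLE_IPV4,
    }


def rejects_truncated():
    """A request cut inside its TLV block must be rejected, not parsed past the end."""
    req = build_request(SAMPLE_IPV4, SAMPLE_ATTRS)
    try:
        parse_request(req[:SW_HEADER.size + 5])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(roundtrip(), rejects_truncated())
```

The first-nibble check is what lets a label-switched router that pops the stack tell a ServiceWire request from an ordinary IPv4 or IPv6 payload without any out-of-band signalling; the length checks in `parse_request` are the part that keeps a malformed request from being turned into a read past the end of the buffer.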
FIG. 3A illustrates a process performed, in one embodiment, by an application node. Processing begins with process block 300. In process block 302, the application node receives the request packet for which to apply one or more services to the packet encapsulated therein. Typically, the application node is remote from the service node (e.g., communicatively coupled via a network external to the service and application nodes). In one embodiment, the service and application nodes are within a same packet switching appliance, such as with the application node being a blade server.
Next, in process block 304, the application node identifies, based on information included in the request packet (e.g., in the ServiceWire encapsulation) one or more services to apply to the encapsulated packet. In process block 306, the application node applies one or more of the identified service(s) to the encapsulated packet. As determined in process block 307, if the packet was dropped, then in process block 308, some remedial or other action is typically taken. Otherwise, in process block 310, the services-applied packet (e.g., the original packet or a modification thereof based on the application of one or more services) is sent in a request packet to another application node to apply one or more services; or the services-applied packet is sent in a response packet back to the originating service node. The response packet may include one or more attributes or other information, such as, but not limited to, an identification of a VPN associated with the services-applied packet (e.g., the same or different identifier identifying a VPN in the ServiceWire or other encapsulation of the received request packet). Processing of the flow diagram of FIG. 3A is complete as indicated by process block 312.
FIG. 3B illustrates a command 350, used in one embodiment, for configuring the service definition in an application node. As shown, command 350 includes:
    • a user-defined name of the ServiceWire service (351);
    • a user-defined description/comment (352);
    • identification (353) of the service(s) to be applied (e.g., which may be a specific service, or a generalized service and one or more values to define a specific service of the generalized service), which corresponds to the service identification in service node definition (253) in FIG. 2B;
    • features (354) of the one or more services to be applied at an input-service-interface;
    • features (355) of the one or more services to be applied at an output-service-interface; and
    • optional forwarding information (356). If not included, a response packet will be created and sent to the originating service node. Otherwise, the nexthop keyword indicates the next application node in the service path (the service chaining case, where the one or more services are applied by multiple application nodes). The optimize-12 keyword enables an optimized forwarding mechanism that increases packet throughput for traffic received on native transport connections: the application node swaps the source and destination MAC addresses in the packet and forwards the packet back out the interface on which it was received. When the optional rewrite-service-id keyword is configured, the application node uses its value as the identification (353) of the service to be applied by the next application node.
In one embodiment, when an application node sends a packet to another application node for applying additional services of the one or more services to be applied to a packet, it sends a request packet 280 of FIG. 2C to the next application node.
Next, FIG. 3C illustrates a ServiceWire response packet (380) used in one embodiment. As shown, response packet 380 encapsulates the services-applied packet 383, which is the original packet after having the one or more services applied to it by one or more application nodes. Thus, services-applied packet 383 can be the original packet, or a modification thereof resulting from the application of these services.
In one embodiment, response packet 380 comprises one or more fields 381, which include the information needed to get the response packet from the application node to the service node. The format of response packet 380 may be one of an extensible number of formats, such as, but not limited to, MPLS, Ethernet, GRE, HDLC, PPP, etc., with the one or more fields 381 conforming to the particular packet format. ServiceWire encapsulation 382 includes information for use by the service node in processing encapsulated services-applied packet 383 (e.g., VPN information so the service node can properly forward services-applied packet 383). In one embodiment, such as when fields 381 include an MPLS label stack, the first nibble of field 382 is zero to identify that ServiceWire encapsulation follows, whereas normally the first nibble following the label stack would be four or six to identify that an IPv4 or IPv6 packet is encapsulated. In one embodiment, ServiceWire encapsulation 382 encodes the ServiceWire information (e.g., identification of a service, identification of general and specific services, VPN information, etc.) in one or more Type-Length-Value (TLV) structures.
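The following is an added model of the FIG. 3A application-node process (identify the service, apply it, handle a drop, then chain or respond), of the nexthop and rewrite-service-id behaviour of command 350, and of the service node's per-VPN forwarding lookup from process block 216. It is example code written for this page, not the patent's or Cisco's implementation: the firewall and NAT handlers, the VPN tables, the node names and the addresses are constructed, and request and response packets are modelled as already-parsed fields rather than on-the-wire bytes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:                  # parsed form of request packet 280
    service_id: str             # generalized service, e.g. "FW"
    params: tuple               # values selecting the specific service
    vpn_id: int                 # VPN carried in the ServiceWire encapsulation
    packet: dict                # original packet 283 as parsed header fields


@dataclass
class Response:                 # parsed form of response packet 380
    vpn_id: int                 # returned so the service node can forward per VPN
    packet: dict                # services-applied packet 383


@dataclass
class ServiceDef:               # models command 350 of FIG. 3B (constructed fields)
    service_id: str
    handler: Callable[[dict, tuple], Optional[dict]]
    nexthop: Optional[str] = None         # next application node, else respond
    rewrite: Optional[tuple] = None       # (service_id, params) for the next node


def firewall(pkt, params):
    """Constructed policy: inside-to-outside permits all traffic; outside-to-inside
    permits only TCP/443. Returning None means the packet was dropped (block 307)."""
    if params[0] == "inside-to-outside":
        return dict(pkt)
    if params[0] == "outside-to-inside" and pkt.get("dport") == 443:
        return dict(pkt)
    return None


def nat(pkt, params):
    """Constructed static source NAT: params = (inside prefix, public address)."""
    out = dict(pkt)
    if ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(params[0]):
        out["src"] = params[1]
    return out


class ApplicationNode:
    def __init__(self, services, peers=None):
        self.services = {s.service_id: s for s in services}
        self.peers = peers or {}        # name -> ApplicationNode, for chaining
        self.dropped = []               # block 308: record what was dropped and why

    def handle(self, req):
        svc = self.services.get(req.service_id)         # block 304
        if svc is None:
            self.dropped.append(("unknown-service", req))
            return None
        out = svc.handler(req.packet, req.params)       # block 306
        if out is None:                                 # block 307
            self.dropped.append((req.service_id, req))
            return None
        if svc.nexthop:                                 # block 310, chaining case
            sid, params = svc.rewrite or (req.service_id, req.params)
            return self.peers[svc.nexthop].handle(Request(sid, params, req.vpn_id, out))
        return Response(req.vpn_id, out)                # block 310, respond to service node


class ServiceNode:
    """Keeps one forwarding table per VPN (block 216)."""
    def __init__(self, vpn_tables):
        self.fibs = {vpn: [(ipaddress.ip_network(p), ifc) for p, ifc in table.items()]
                     for vpn, table in vpn_tables.items()}

    def forward(self, resp):
        """Longest-prefix match in the table of the VPN named in the response."""
        dst = ipaddress.ip_address(resp.packet["dst"])
        hits = [e for e in self.fibs[resp.vpn_id] if dst in e[0]]
        return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else None


def demo():
    """Constructed topology: FW chained to NAT; two VPNs with overlapping 10/8 space."""
    nat_node = ApplicationNode([ServiceDef("NAT", nat)])
    fw_node = ApplicationNode(
        [ServiceDef("FW", firewall, nexthop="nat1",
                    rewrite=("NAT", ("10.0.0.0/8", "198.51.100.7")))],
        peers={"nat1": nat_node})
    sn = ServiceNode({100: {"0.0.0.0/0": "wan0", "10.0.0.0/8": "lan0"},
                      200: {"0.0.0.0/0": "wan1"}})
    outbound = fw_node.handle(Request("FW", ("inside-to-outside",), 100,
                                      {"src": "10.1.1.5", "dst": "203.0.113.9", "dport": 80}))
    blocked = fw_node.handle(Request("FW", ("outside-to-inside",), 100,
                                     {"src": "203.0.113.9", "dst": "10.1.1.5", "dport": 22}))
    inbound = fw_node.handle(Request("FW", ("outside-to-inside",), 100,
                                     {"src": "203.0.113.9", "dst": "10.1.1.5", "dport": 443}))
    other_vpn = fw_node.handle(Request("FW", ("outside-to-inside",), 200,
                                       {"src": "203.0.113.9", "dst": "10.1.1.5", "dport": 443}))
    return {
        "outbound_src": outbound.packet["src"],
        "outbound_if": sn.forward(outbound),
        "blocked": blocked is None and len(fw_node.dropped) == 1,
        "inbound_if": sn.forward(inbound),
        "other_vpn_if": sn.forward(other_vpn),
    }


if __name__ == "__main__":
    print(demo())
```

The point of carrying the VPN identifier in the response is visible in the last two results: the same destination address 10.1.1.5 is forwarded out a different interface depending on which VPN's forwarding table the service node consults, so an application node that lost or mis-copied the VPN attribute would cause traffic to cross between customers.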
In view of the many possible embodiments to which the principles of our invention may be applied, it will be appreciated that the embodiments and aspects thereof described herein with respect to the drawings/figures are only illustrative and should not be taken as limiting the scope of the invention. For example, and as would be apparent to one skilled in the art, many of the process block operations can be re-ordered to be performed before, after, or substantially concurrent with other operations. Also, many different forms of data structures could be used in various embodiments. The invention as described herein contemplates all such embodiments as may come within the scope of the following claims and equivalents thereof.

Claims (25)

What is claimed is:
1. A packet switching device, comprising:
one or more processing elements;
memory;
a plurality of interfaces configured to send and receive packets; and
one or more packet switching mechanisms configured to packet switch packets among said interfaces;
wherein the packet switching device is configured to perform operations, including:
receiving on one of the plurality of interfaces a particular packet from another packet switching device; and
in response to determining to apply a service to the particular packet by one or more application nodes located remotely from the packet switching device:
creating a request packet encapsulating the particular packet, with the request packet including an identification of a general service to be applied to the particular packet by said one or more application nodes, and one or more service parameters for the general service defining a particular service of the general service, with the identification of the general service and said one or more service parameters said included in the request packet in fields not within the particular packet;
forwarding the request packet to a particular application node of said one or more application nodes, wherein each of said one or more application nodes is external to the packet switching device;
receiving on one of the plurality of interfaces from an external source, a response packet corresponding to said forwarded request packet, the response packet encapsulating a service-applied packet corresponding to the particular packet after at least the particular service has been applied to the particular packet, not to the request packet, by said one or more application nodes;
extracting the service-applied packet from the response packet; and
sending the service-applied packet or a packet derived from the service-applied packet from the packet switching device on one of the plurality of interfaces;
wherein the packet switching device, said another packet switching device, and each of said one or more application nodes are different stand-alone appliances communicatively coupled via one or more networks.
2. The packet switching device of claim 1, wherein the identification of the general service and said one or more service parameters for the general service are encoded in one or more type-length-value (TLV) elements in the request packet.
3. The packet switching device of claim 1, wherein the general service is a Firewall (FW) service.
4. The packet switching device of claim 1, wherein said operations include:
maintaining, by the packet switching device, forwarding information for a plurality of virtual private networks (VPNs);
wherein the request packet and the response packet each include an identification of a particular VPN of the plurality of VPNs, with the particular VPN associated with the particular packet; and
wherein said operation of sending the service-applied packet or a packet derived from the service-applied packet from the packet switching device is based on said maintained forwarding information for the particular VPN.
5. An application node, comprising:
one or more processing elements;
memory;
a plurality of interfaces configured to send and receive packets; and
wherein the application node is configured to perform operations, including:
receiving on one of the plurality of interfaces by the application node of one or more application nodes a request packet from a particular service node different from said one or more application nodes, including: a particular packet, an identification of a general service to be applied to the particular packet by said one or more application nodes, and one or more service parameters for the general service defining a particular service of the general service, with the identification of the general service and said one or more service parameters said included in the request packet in fields not within the particular packet;
extracting the particular packet from said received request packet;
applying the particular service to the particular packet, such that the result of said applying operation is a service-applied packet corresponding to the particular packet;
creating a response packet corresponding to said received request packet, with the response packet encapsulating the service-applied packet; and
sending the response packet to: the particular service node, or another application node for applying one or more additional services to the service-applied packet before a packet derived from the service-applied packet is communicated to the particular service node;
wherein the particular service node and the application node are different stand-alone appliances communicatively coupled via one or more networks.
6. The application node of claim 5, wherein the identification of the general service and said one or more service parameters for the general service are encoded in one or more type-length-value (TLV) elements in the request packet.
7. The application node of claim 5, wherein the request packet and the response packet each include an identification of a particular virtual private network (VPN) of a plurality of VPNs, with the particular VPN associated with the particular packet.
8. The application node of claim 7, wherein said application of the particular service to the particular packet is based on the particular VPN.
9. A method, comprising:
receiving, by a packet switching device from another packet switching device via a network, a particular packet; and
in response to determining by the packet switching device to apply a particular service to the particular packet by one or more application nodes located remotely from the packet switching device:
creating, by the packet switching device, a request packet encapsulating the particular packet, with the request packet including one or more additional attributes for the particular service to be applied to the particular packet by said one or more application nodes, with said one or more additional attributes said included in the request packet in fields not within the particular packet;
forwarding, by the packet switching device, the request packet to a particular application node of said one or more application nodes, wherein each of said one or more application nodes is external to the packet switching device;
receiving, by the packet switching device from an external source, a response packet corresponding to said forwarded request packet, the response packet encapsulating a service-applied packet corresponding to the particular packet after at least the particular service has been applied to the particular packet, not to the request packet, by said one or more application nodes;
extracting the service-applied packet from the response packet; and
sending the service-applied packet or a packet derived from the service-applied packet from the packet switching device;
wherein the packet switching device, said another packet switching device, and each of said one or more application nodes are different stand-alone appliances communicatively coupled via one or more networks.
10. The method of claim 9, where said one or more additional attributes are included in the request packet in fields between forwarding information for the request packet and the particular packet.
11. The method of claim 10, wherein said one or more additional attributes and the particular packet are in adjacent fields in the request packet.
12. The method of claim 9, comprising:
maintaining, by the packet switching device, forwarding information for a plurality of virtual private networks (VPNs);
wherein the request packet and the response packet each include an identification of a particular VPN of the plurality of VPNs, with the particular VPN associated with the particular packet; and
wherein said operation of sending the service-applied packet or a packet derived from the service-applied packet from the packet switching device is based on said maintained forwarding information for the particular VPN.
13. The method of claim 12, wherein said one or more additional attributes include the identification of the particular VPN in the request packet.
14. The method of claim 13, where said one or more additional attributes are included in the request packet in fields between forwarding information for the request packet and the particular packet.
15. The method of claim 14, wherein said one or more additional attributes and the particular packet are in adjacent fields in the request packet.
16. A method, comprising:
receiving, by an application node of one or more application nodes in a network, a request packet from a particular service node different from said one or more application nodes requesting a particular service, with the request packet including one or more additional attributes and a particular packet, with said one or more additional attributes said included in the request packet in fields not within the particular packet;
extracting the particular packet from said received request packet;
applying, by the application node, the particular service to the particular packet based on said one or more additional attributes, such that the result of said applying operation is a service-applied packet corresponding to the particular packet;
creating, by the application node, a response packet corresponding to said received request packet, with the response packet encapsulating the service-applied packet; and
sending the response packet to: the particular service node, or another application node for applying one or more additional services to the service-applied packet before a packet derived from the service-applied packet is communicated to the particular service node;
wherein the particular service node and the application node are different stand-alone appliances communicatively coupled via one or more networks.
17. The method of claim 16, wherein the request packet and the response packet each include an identification of a particular virtual private network (VPN) of a plurality of VPNs, with the particular VPN associated with the particular packet.
18. The method of claim 17, wherein said application of the particular service to the particular packet is based on the particular VPN.
19. The method of claim 17, wherein said one or more additional attributes include the identification of the particular VPN in the request packet; and wherein the identification of the particular VPN in the response packet is located in fields between forwarding information for the response packet and the service-applied packet.
20. The method of claim 16, where said one or more additional attributes are included in the request packet in fields between forwarding information for the request packet and the particular packet; and wherein said one or more additional attributes and the particular packet are in adjacent fields in the request packet.
21. A packet switching device, comprising:
one or more processing elements;
memory;
a plurality of interfaces configured to send and receive packets; and
one or more packet switching mechanisms configured to packet switch packets among said interfaces;
wherein the packet switching device is configured to perform operations, including:
receiving a particular packet from another packet switching device via a network; and
in response to determining to apply a particular service to the particular packet by one or more application nodes located remotely from the packet switching device:
creating a request packet encapsulating the particular packet, with the request packet including one or more additional attributes for the particular service to be applied to the particular packet by said one or more application nodes, with said one or more additional attributes said included in the request packet in fields not within the particular packet;
forwarding the request packet to a particular application node of said one or more application nodes, wherein each of said one or more application nodes is external to the packet switching device;
receiving from an external source a response packet corresponding to said forwarded request packet, the response packet encapsulating a service-applied packet corresponding to the particular packet after at least the particular service has been applied to the particular packet, not to the request packet, by said one or more application nodes;
extracting the service-applied packet from the response packet; and
sending the service-applied packet or a packet derived from the service-applied packet from the packet switching device;
wherein the packet switching device, said another packet switching device, and each of said one or more application nodes are different stand-alone appliances communicatively coupled via one or more networks.
22. The packet switching device of claim 21, where said one or more additional attributes are included in the request packet in fields between forwarding information for the request packet and the particular packet.
23. An application node, comprising:
one or more processing elements;
memory;
a plurality of interfaces configured to send and receive packets; and
wherein the application node is configured to perform operations, including:
receiving, by the application node of one or more application nodes in a network, a request packet from a particular service node different from said one or more application nodes requesting a particular service, with the request packet including one or more additional attributes and a particular packet, with said one or more additional attributes said included in the request packet in fields not within the particular packet;
extracting the particular packet from said received request packet;
applying the particular service to the particular packet based on said one or more additional attributes, such that the result of said applying operation is a service-applied packet corresponding to the particular packet;
creating a response packet corresponding to said received request packet, with the response packet encapsulating the service-applied packet; and
sending the response packet to: the particular service node, or another application node for applying one or more additional services to the service-applied packet before a packet derived from the service-applied packet is communicated to the particular service node;
wherein the particular service node and the application node are different stand-alone appliances communicatively coupled via one or more networks.
24. The application node of claim 23, wherein the request packet and the response packet each include an identification of a particular virtual private network (VPN) of a plurality of VPNs, with the particular VPN associated with the particular packet.
25. The method of claim 24, wherein said application of the particular service to the particular packet is based on the particular VPN.
US14/797,377 2010-06-30 2015-07-13 Service node using services applied by an application node Active US9270575B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/797,377 US9270575B2 (en) 2010-06-30 2015-07-13 Service node using services applied by an application node

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/827,157 US9112723B2 (en) 2010-06-30 2010-06-30 Service node using services applied by an application node
US14/797,377 US9270575B2 (en) 2010-06-30 2015-07-13 Service node using services applied by an application node

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/827,157 Continuation US9112723B2 (en) 2010-06-30 2010-06-30 Service node using services applied by an application node

Publications (2)

Publication Number Publication Date
US20150319079A1 US20150319079A1 (en) 2015-11-05
US9270575B2 true US9270575B2 (en) 2016-02-23

Family

ID=45399687

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/827,157 Active 2031-07-04 US9112723B2 (en) 2010-06-30 2010-06-30 Service node using services applied by an application node
US14/797,377 Active US9270575B2 (en) 2010-06-30 2015-07-13 Service node using services applied by an application node

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/827,157 Active 2031-07-04 US9112723B2 (en) 2010-06-30 2010-06-30 Service node using services applied by an application node

Country Status (1)

Country Link
US (2) US9112723B2 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9112723B2 (en) 2010-06-30 2015-08-18 Cisco Technology, Inc. Service node using services applied by an application node
US8619773B2 (en) 2010-07-29 2013-12-31 Cisco Technology, Inc. Service request packet including an exterior network protocol attribute
US8520672B2 (en) 2010-07-29 2013-08-27 Cisco Technology, Inc. Packet switching device using results determined by an application node
US9049098B2 (en) 2010-08-05 2015-06-02 Cisco Technology, Inc. Discovery of services provided by application nodes in a network
US9049099B2 (en) 2010-08-05 2015-06-02 Cisco Technology, Inc. Label distribution protocol advertisement of services provided by application nodes
US8345682B2 (en) 2010-09-15 2013-01-01 Cisco Technology, Inc. Data path processing information included in the pseudowire layer of packets
US9432268B2 (en) 2013-01-28 2016-08-30 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for placing services in a network
US9608901B2 (en) * 2012-07-24 2017-03-28 Telefonaktiebolaget Lm Ericsson (Publ) System and method for enabling services chaining in a provider network
US9584371B2 (en) 2012-07-24 2017-02-28 Telefonaktiebolaget Lm Ericsson (Publ) System and method for assigning multi-instance services in a provider network
US9130866B2 (en) * 2013-03-13 2015-09-08 Cisco Technology, Inc. Transparent flow based application navigator
US10506083B2 (en) 2017-06-27 2019-12-10 Cisco Technology, Inc. Segment routing gateway storing segment routing encapsulating header used in encapsulating and forwarding of returned native packet
CN111404817B (en) * 2020-03-24 2022-06-03 深圳市吉祥腾达科技有限公司 Method and system for improving fragment data packet forwarding performance of network communication equipment

Citations (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060062218A1 (en) 2003-07-09 2006-03-23 Yasushi Sasagawa Method for establishing session in label switch network and label switch node
US20060233155A1 (en) 2002-03-19 2006-10-19 Srivastava Sunil K Server load balancing using IP option field approach to identify route to selected server
US20070115913A1 (en) 2004-02-07 2007-05-24 Bin Li Method for implementing the virtual leased line
US20070237147A1 (en) 2006-04-07 2007-10-11 Cisco Technology, Inc. System and method for selectively applying a service to a network packet using a preexisting packet header
US20080177896A1 (en) 2007-01-19 2008-07-24 Cisco Technology, Inc. Service insertion architecture
US20080198849A1 (en) 2007-02-20 2008-08-21 Jim Guichard Scaling virtual private networks using service insertion architecture
US20080276085A1 (en) 2007-05-02 2008-11-06 Cisco Technology, Inc. Allowing differential processing of encrypted tunnels
US20080320303A1 (en) 2007-06-21 2008-12-25 Cisco Technology, Inc. Vpn processing via service insertion architecture
US20090037713A1 (en) 2007-08-03 2009-02-05 Cisco Technology, Inc. Operation, administration and maintenance (oam) for chains of services
US7558273B1 (en) 2003-12-23 2009-07-07 Extreme Networks, Inc. Methods and systems for associating and translating virtual local area network (VLAN) tags
US20100058329A1 (en) 2008-08-26 2010-03-04 Cisco Technology, Inc. Method and apparatus for dynamically instantiating services using a service insertion architecture
US20100165985A1 (en) 2008-12-29 2010-07-01 Cisco Technology, Inc. Service Selection Mechanism In Service Insertion Architecture Data Plane
US20100254385A1 (en) 2009-04-07 2010-10-07 Cisco Technology, Inc. Service Insertion Architecture (SIA) in a Virtual Private Network (VPN) Aware Network
US7860100B2 (en) 2008-10-01 2010-12-28 Cisco Technology, Inc. Service path selection in a service network
US7948986B1 (en) 2009-02-02 2011-05-24 Juniper Networks, Inc. Applying services within MPLS networks
US20110161494A1 (en) 2009-12-30 2011-06-30 Verizon Patent And Licensing, Inc. Feature delivery packets for peer-to-peer based feature network
US20120026897A1 (en) 2010-07-29 2012-02-02 Cisco Technology, Inc., A Corporation Of California Packet Switching Device Using Results Determined by an Application Node
US20120027016A1 (en) 2010-07-29 2012-02-02 Cisco Technology, Inc.,a corporation of California Service Request Packet Including an Exterior Network Protocol Attribute
US20120033664A1 (en) 2010-08-05 2012-02-09 Cisco Technology, Inc., A Corporation Of California Label Distribution Protocol Advertisement of Services Provided by Application Nodes
US20120033663A1 (en) 2010-08-05 2012-02-09 Cisco Technology, Inc., A Corporation Of California Discovery of Services Provided by Application Nodes in a Network
US20120063450A1 (en) 2010-09-15 2012-03-15 Cisco Technology, Inc., A Corporation Of California Data Path Processing Information included in the Pseudowire Layer of Packets
US9112723B2 (en) 2010-06-30 2015-08-18 Cisco Technology, Inc. Service node using services applied by an application node

Patent Citations (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060233155A1 (en) 2002-03-19 2006-10-19 Srivastava Sunil K Server load balancing using IP option field approach to identify route to selected server
US20060062218A1 (en) 2003-07-09 2006-03-23 Yasushi Sasagawa Method for establishing session in label switch network and label switch node
US7558273B1 (en) 2003-12-23 2009-07-07 Extreme Networks, Inc. Methods and systems for associating and translating virtual local area network (VLAN) tags
US20070115913A1 (en) 2004-02-07 2007-05-24 Bin Li Method for implementing the virtual leased line
US20070237147A1 (en) 2006-04-07 2007-10-11 Cisco Technology, Inc. System and method for selectively applying a service to a network packet using a preexisting packet header
US20080177896A1 (en) 2007-01-19 2008-07-24 Cisco Technology, Inc. Service insertion architecture
US20080198849A1 (en) 2007-02-20 2008-08-21 Jim Guichard Scaling virtual private networks using service insertion architecture
US20080276085A1 (en) 2007-05-02 2008-11-06 Cisco Technology, Inc. Allowing differential processing of encrypted tunnels
US20080320303A1 (en) 2007-06-21 2008-12-25 Cisco Technology, Inc. Vpn processing via service insertion architecture
US20090037713A1 (en) 2007-08-03 2009-02-05 Cisco Technology, Inc. Operation, administration and maintenance (oam) for chains of services
US20100058329A1 (en) 2008-08-26 2010-03-04 Cisco Technology, Inc. Method and apparatus for dynamically instantiating services using a service insertion architecture
US7860100B2 (en) 2008-10-01 2010-12-28 Cisco Technology, Inc. Service path selection in a service network
US20100165985A1 (en) 2008-12-29 2010-07-01 Cisco Technology, Inc. Service Selection Mechanism In Service Insertion Architecture Data Plane
US7948986B1 (en) 2009-02-02 2011-05-24 Juniper Networks, Inc. Applying services within MPLS networks
US20100254385A1 (en) 2009-04-07 2010-10-07 Cisco Technology, Inc. Service Insertion Architecture (SIA) in a Virtual Private Network (VPN) Aware Network
US20110161494A1 (en) 2009-12-30 2011-06-30 Verizon Patent And Licensing, Inc. Feature delivery packets for peer-to-peer based feature network
US9112723B2 (en) 2010-06-30 2015-08-18 Cisco Technology, Inc. Service node using services applied by an application node
US20120026897A1 (en) 2010-07-29 2012-02-02 Cisco Technology, Inc., A Corporation Of California Packet Switching Device Using Results Determined by an Application Node
US20120027016A1 (en) 2010-07-29 2012-02-02 Cisco Technology, Inc.,a corporation of California Service Request Packet Including an Exterior Network Protocol Attribute
US8619773B2 (en) 2010-07-29 2013-12-31 Cisco Technology, Inc. Service request packet including an exterior network protocol attribute
US20120033664A1 (en) 2010-08-05 2012-02-09 Cisco Technology, Inc., A Corporation Of California Label Distribution Protocol Advertisement of Services Provided by Application Nodes
US20120033663A1 (en) 2010-08-05 2012-02-09 Cisco Technology, Inc., A Corporation Of California Discovery of Services Provided by Application Nodes in a Network
US9049098B2 (en) * 2010-08-05 2015-06-02 Cisco Technology, Inc. Discovery of services provided by application nodes in a network
US9049099B2 (en) * 2010-08-05 2015-06-02 Cisco Technology, Inc. Label distribution protocol advertisement of services provided by application nodes
US20120063450A1 (en) 2010-09-15 2012-03-15 Cisco Technology, Inc., A Corporation Of California Data Path Processing Information included in the Pseudowire Layer of Packets
US8345682B2 (en) 2010-09-15 2013-01-01 Cisco Technology, Inc. Data path processing information included in the pseudowire layer of packets

Also Published As

Publication number Publication date
US9112723B2 (en) 2015-08-18
US20120002672A1 (en) 2012-01-05
US20150319079A1 (en) 2015-11-05

Similar Documents

Publication Publication Date Title
US9270575B2 (en) Service node using services applied by an application node
US8520672B2 (en) Packet switching device using results determined by an application node
US9049098B2 (en) Discovery of services provided by application nodes in a network
US11882203B2 (en) Providing efficiencies in processing and communicating internet protocol packets in a network using segment routing
US8619773B2 (en) Service request packet including an exterior network protocol attribute
US8345682B2 (en) Data path processing information included in the pseudowire layer of packets
US11627016B2 (en) Packet communications providing packet processing efficiencies in a network including using a segment routing and tunnel exchange
US10924399B2 (en) Segment routing packet policies and functions including an engineered reverse reply path providing efficiencies in communicating packets in a network
US10469367B2 (en) Segment routing network processing of packets including operations signaling and processing of packets in manners providing processing and/or memory efficiencies
US10892987B2 (en) Segment routing network processing of packets including packets having a segment identifier structure providing processing and/or memory efficiencies
US9049099B2 (en) Label distribution protocol advertisement of services provided by application nodes
US10516610B2 (en) Segment routing packet policies and functions providing processing signaling and packet forwarding efficiencies in a network
US10341140B2 (en) Dynamic network service overlay establishment in hub-and-spoke packet switching networks
US10749710B2 (en) Service offload or bypass initiated by a service function forwarder in a service function chaining network
US11082540B2 (en) Network operations including protocol processing of a packet updating an operations data field of a different protocol

Legal Events

Date Code Title Description
STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8