Internet protocol (IP) networks in the present environment tend to be complex and often overloaded. Within this context, it is necessary to develop a framework for providing some level of quality of service (also referred to herein as "service quality") in an IP network. A common architecture of an IP-based corporate internet includes several campus networks connected by a backbone network. The campus networks are typically high-speed local area networks (e.g., Ethernets, Token Rings, etc.) and are relatively free of congestion. The backbone network employs relatively slower links and is more susceptible to congestion and packet losses. The main cause of such performance problems is that the demand for network bandwidth often exceeds the operating capacity of the backbone network.
One approach to solve the congestion problems in the congested portions of the network is to use a reservation protocol, such as RSVP. Reservation protocols offer a service-quality on a per-connection basis, but are relatively complex to implement and require inefficient resource allocation. An alternative approach is to place specialized software components at the edge of the network whose performance needs to be monitored. The specialized software component, or the edge-device, continuously monitors network traffic characteristics and performance. If the network supports means for distinguishing among packets of differing priority, the edge-device transforms the packets flowing into the backbone network in different manners. The edge-device also permits the flow of packets into the network to occur at a specified regulated rate. The different edge-devices in the network communicate with a directory server in the network to obtain information, such as classification rules, policy rules, pacing rates and network state information. The directory server is typically an X.500 directory, which is accessed using Lightweight Directory Access Protocol (LDAP).
The edge-device obtains the rules that determine the service level to which a packet belongs by querying the directory server. The query may be made on triggers, such as the establishment of a new connection, or at periodic intervals. The packets are modified so that the routers in the backbone can readily determine the service level of a packet. The edge-devices collect statistics about the traffic flowing through them, and report the statistics to the directory server on the occurrence of triggers, such as the expiration of a timer or the termination of a connection. They also collect performance statistics about packets that are received from the network backbone and report these statistics to the directory server. In some situations, e.g., when the network is congested, edge-devices may restrict data traffic flow across part of the network to below a specific rate. The edge-device obtains the value of the regulated rate by querying the directory server.
The classification rules stored in the directory server determine what service-level will be used for packets belonging to a particular connection. The rule typically specifies source/destination IP addresses, source/destination port numbers used by TCP/UDP and the service level associated with this combination. In some networking environments, the classification rules are fairly static and configured by the network. In other cases, an application may want to update the rules when it is started and when it terminates.
The use of a directory server to manage network state offers several advantages. The directory server acts as a central administration point for network control. Devices in the network can access the information from their local directory, and also store their own information in the directory. Using a protocol such as X.500, the different directory servers regulate the distribution of data into multiple locations. Since directory access protocols offer security and authentication mechanisms, secure communication channels can be readily established.
The use of a centrally administered directory and directory server for control of network operations has some performance problems. The main concerns are enumerated below:
(1) Update Lag
An edge-device needs to maintain its classification rules consistent with the classification rules in the directory server, which is capable of storing a large number of entries (e.g., millions). In some cases, the edge-device may not be able to maintain a copy of all the rules. Instead, the edge-device may cache only a small portion of these rules. This portion depends on the current set of active applications and is likely to be dynamic. Furthermore, the rules stored in the directory server are subject to change. They may be changed by an operator, or applications may request that an update be made to enable them to operate at a specific service-level. Since a change in the rules occurs without the knowledge of the edge-device, there is latency between the time an edge-device queries the directory for the classification rules (e.g., on observing the first packet of a connection) and the time when the update occurs. Thus, the edge-device may be operating for some period using out-of-date classification rules.
(2) Server Overload
In order to facilitate improved network control, the edge-device needs to update the information maintained in the directory server about its statistics. When there are hundreds of edge-devices that need to store the information in the directory, the directory server can easily become overwhelmed with the volume of updates. Since each edge-device is operating asynchronously, it is possible for many of them to attempt to update the directory at the same time, and for some to be unable to connect for extended periods of time.
(3) Encrypted Data
When the IP payload is encrypted end-to-end using a protocol such as IPsec, an intermediate box is unable to obtain information, such as port numbers, that is necessary to mark data. However, the intermediate box is responsible for ensuring that an untrustworthy user workstation, e.g., a directory client, is not sending improperly marked data across the network.
There is a need to address the problems of update lag, server overload and encrypted data when an intermediary edge-device is used to classify packets, and a directory server is used as the site for administration. More specifically, there is a need to ensure that an untrustworthy user workstation is not sending improperly marked data across the network.
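The following is an added illustration, not part of the original text, of how an edge-device of the kind described above could apply classification rules of the form given in paragraph (4) (source/destination addresses, TCP/UDP ports, service level), cache the result per connection as in the "update lag" discussion, flush that cache when the directory's rules change, and overwrite whatever marking an untrusted workstation set, as the "encrypted data" discussion requires. The rule text format, the class and function names, and the sample rules are assumptions; a port wildcard is used so that an address-only rule can still match when ports are hidden by encryption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_LEVEL = 0  # best-effort service level when no rule matches

@dataclass(frozen=True)
class Rule:
    src: object            # ip_network; assumed rule format, not the patent's own
    dst: object
    sport: Optional[int]   # None = any port (also covers encrypted payloads)
    dport: Optional[int]
    service_level: int     # value the edge-device writes into the packet

def parse_rule(text: str) -> Rule:
    """Parse 'src dst sport dport level'; '*' is a wildcard (assumed format)."""
    src, dst, sp, dp, lvl = text.split()
    def port(p):
        return None if p == "*" else int(p)
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                port(sp), port(dp), int(lvl))

class EdgeClassifier:
    def __init__(self, directory_rules):
        self.refresh(directory_rules)

    def refresh(self, directory_rules):
        """Reload rules from the directory; the per-connection cache is stale, so drop it."""
        self.rules = [parse_rule(r) for r in directory_rules]  # most specific rule first
        self.cache = {}

    def classify(self, src, dst, sport=None, dport=None):
        """Service level for a connection; looked up once, then served from the cache."""
        key = (src, dst, sport, dport)
        if key in self.cache:
            return self.cache[key]
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        level = DEFAULT_LEVEL
        for r in self.rules:  # first match wins
            if s in r.src and d in r.dst and r.sport in (None, sport) and r.dport in (None, dport):
                level = r.service_level
                break
        self.cache[key] = level
        return level

    def mark(self, packet: dict) -> dict:
        """Overwrite the level the sending host set: only the directory's rule counts."""
        level = self.classify(packet["src"], packet["dst"], packet.get("sport"), packet.get("dport"))
        return {**packet, "service_level": level}

# Constructed sample rules: signalling between two campuses gets level 3, other inter-campus traffic level 1.
RULES = ["10.1.0.0/16 10.2.0.0/16 * 5060 3", "10.1.0.0/16 10.2.0.0/16 * * 1"]
```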
Accordingly, it is an object of the present invention to provide a directory server to eliminate the problems associated with update lag, server overload and encrypted data.
It is a further object of the present invention to provide a directory server, which notifies designated third-parties in the event directory information is accessed and/or modified.
Another object of the present invention is to provide a directory server, which monitors requests, such as queries or updates, by a client node.