Field of Invention
The present invention pertains to routing of flows in software-defined computer and communication networks, and more particularly to system and methods for enabling secure communications between source and destination nodes in such networks via programmatically controlled dynamic routing rule updates.
Discussion of Related Art
The invention presented herein is concerned with a method to enable communications between source and destination nodes via dynamic forwarding rule updates, providing fast authorization, authentication, and accounting (AAA) support for network flows while preventing unauthorized users from accessing the network.
A related technology exists for wireless networks in the form of frequency hopping spread spectrum systems, where the goal is to protect communication against jamming attacks. In such systems, the carrier frequency of the channel used between the transmitter and receiver is switched regularly at short intervals according to a pseudorandom sequence known only to the transmitter and the receiver. The total available bandwidth is divided into small sub-bands, and according to the pseudorandom code the communication is conducted over only one of these sub-bands at any given time.
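As an added illustration of the frequency hopping scheme described above (example code written for this page, not part of the patent), the following derives the per-slot sub-band from a secret shared by transmitter and receiver using a keyed hash. The key, the number of sub-bands and the slot count are constructed values; the point is that both ends compute the same schedule while a third party parked on one sub-band only coincides with the channel a fraction of the time.

```python
"""Keyed hop-sequence derivation for frequency hopping spread spectrum.

Added example, not from the patent text. The shared key, NUM_SUBBANDS and the
slot counts used in run_demo() are constructed sample values.
"""
import hashlib
import hmac
from typing import List

NUM_SUBBANDS = 64  # constructed: available bandwidth split into 64 sub-bands


def hop_index(key: bytes, slot: int, num_subbands: int = NUM_SUBBANDS) -> int:
    """Sub-band used during time slot `slot`.

    Both transmitter and receiver hold `key`, so each can compute the next
    sub-band locally without exchanging it over the air. HMAC-SHA256 is used as
    the pseudorandom function; the first 4 digest bytes are reduced modulo the
    number of sub-bands (uniform here because 2**32 is a multiple of 64).
    """
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % num_subbands


def hop_schedule(key: bytes, n_slots: int, num_subbands: int = NUM_SUBBANDS) -> List[int]:
    """Sequence of sub-bands for slots 0 .. n_slots-1."""
    return [hop_index(key, slot, num_subbands) for slot in range(n_slots)]


def jammer_hit_rate(schedule: List[int], jammed_subband: int) -> float:
    """Fraction of slots in which a jammer fixed on one sub-band hits the link."""
    hits = sum(1 for sb in schedule if sb == jammed_subband)
    return hits / len(schedule)


def run_demo():
    """Transmitter and receiver with the same key agree; a different key does not."""
    shared_key = b"constructed-shared-secret"   # constructed sample key
    other_key = b"constructed-other-secret"     # constructed: key an outsider might guess
    tx = hop_schedule(shared_key, 1000)
    rx = hop_schedule(shared_key, 1000)
    outsider = hop_schedule(other_key, 1000)
    in_sync = tx == rx                           # True: same key, same schedule
    outsider_in_sync = outsider == tx            # False: different key
    hit_rate = jammer_hit_rate(tx, jammed_subband=0)   # roughly 1/NUM_SUBBANDS
    return in_sync, outsider_in_sync, hit_rate


if __name__ == "__main__":
    print(run_demo())
```

The slot counter stands in for the shared clock that real systems need; if the two ends drift apart in time they also drift apart in frequency, which is why synchronization is the practical hard part of such systems.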
In the computer networks domain, a programmatic admission control mechanism in the literature is DIFANE (and OpenFlow as its successor). DIFANE/OpenFlow provides per-flow granularity for performing policy-based admission control. When a packet of a traffic flow is seen for the first time at a forwarding element with no forwarding rule set up, the packet or the header of the packet is sent to the controller of the Software Defined Network (SDN). The controller inspects the information in the packet headers (and/or in the payload if the whole packet is sent) to determine which set of policies must be applied to this traffic flow (e.g., is the source MAC address registered as an authorized user? Is the user of this device allowed to access the services at the destination IP address or port? Is the communication protocol allowed in the network?). Based on this inspection, the controller installs a flow table rule on the said forwarding element that instructs how to handle the existing and subsequent packets of that flow (e.g., drop the packets, forward them to a particular logical or physical port, rewrite one or more header fields, etc.).
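To make the reactive admission control flow concrete, here is an added example (written for this page; it is not the patent's code and does not use any real controller framework's API) that simulates a forwarding element punting the first packet of a flow to a controller, the controller applying the three policy checks named above, and a per-flow rule being installed so later packets of the same flow are handled locally. Device addresses, the service whitelist and the port map are constructed sample data; only DROP and FORWARD actions are modelled, not header rewriting.

```python
"""Toy reactive SDN admission control (DIFANE/OpenFlow style).

Added example, not from the patent. All MAC addresses, IPs, ports and policies
below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Flow key used by the switch's flow table: (src_mac, dst_ip, dst_port, proto)
FlowKey = Tuple[str, str, int, str]


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class FlowRule:
    action: str                     # "DROP" or "FORWARD"
    out_port: Optional[int] = None  # set only for FORWARD


class Controller:
    """Holds the admission policies and decides a rule on each packet-in."""

    def __init__(self, registered_macs: Iterable[str],
                 allowed_services: Iterable[Tuple[str, int]],
                 allowed_protos: Iterable[str],
                 port_map: Dict[str, int]):
        self.registered_macs = set(registered_macs)
        self.allowed_services = set(allowed_services)   # {(dst_ip, dst_port)}
        self.allowed_protos = set(allowed_protos)
        self.port_map = dict(port_map)                   # dst_ip -> output port
        self.packet_ins = 0                              # how often the controller was consulted

    def handle_packet_in(self, pkt: Packet) -> FlowRule:
        self.packet_ins += 1
        if pkt.src_mac not in self.registered_macs:
            return FlowRule("DROP")        # source not registered as an authorized user
        if pkt.proto not in self.allowed_protos:
            return FlowRule("DROP")        # protocol not allowed in the network
        if (pkt.dst_ip, pkt.dst_port) not in self.allowed_services:
            return FlowRule("DROP")        # not allowed to reach this destination service
        return FlowRule("FORWARD", self.port_map[pkt.dst_ip])


class Switch:
    """Forwarding element: table hit handles the packet, table miss asks the controller."""

    def __init__(self, controller: Controller):
        self.controller = controller
        self.flow_table: Dict[FlowKey, FlowRule] = {}

    def process(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.src_mac, pkt.dst_ip, pkt.dst_port, pkt.proto)
        rule = self.flow_table.get(key)
        if rule is None:
            rule = self.controller.handle_packet_in(pkt)   # first packet of this flow
            self.flow_table[key] = rule                    # install rule for later packets
        if rule.action == "DROP":
            return "dropped"
        return f"forwarded:port{rule.out_port}"


def build_demo_switch() -> Switch:
    ctrl = Controller(
        registered_macs={"aa:bb:cc:00:00:01"},     # constructed authorized device
        allowed_services={("10.0.0.5", 443)},      # constructed: only HTTPS to one server
        allowed_protos={"tcp"},
        port_map={"10.0.0.5": 3},                  # constructed: server reachable via port 3
    )
    return Switch(ctrl)


def run_demo() -> Tuple[List[str], int]:
    """Returns per-packet outcomes and how many packet-ins reached the controller."""
    sw = build_demo_switch()
    good = "aa:bb:cc:00:00:01"
    results = [
        sw.process(Packet(good, "10.0.0.5", 443, "tcp")),              # allowed -> rule installed
        sw.process(Packet(good, "10.0.0.5", 443, "tcp")),              # same flow -> table hit, no packet-in
        sw.process(Packet("de:ad:be:ef:00:02", "10.0.0.5", 443, "tcp")),  # unregistered MAC
        sw.process(Packet(good, "10.0.0.5", 22, "tcp")),               # service not allowed
        sw.process(Packet(good, "10.0.0.5", 443, "udp")),              # protocol not allowed
    ]
    return results, sw.controller.packet_ins


if __name__ == "__main__":
    print(run_demo())
```

Note that DROP decisions are also installed as rules: without that, every packet of a rejected flow would keep hitting the controller, which is exactly the load a rejected source could use to degrade the control plane. Real deployments additionally expire rules with idle and hard timeouts so that a revoked registration takes effect.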
In LAN or WLAN systems, end users' devices are registered (e.g., user name, device, MAC address, host name, etc.) by the system administrator once IP addresses are assigned. When such registered devices attach to the network, they are authenticated through a server such as RADIUS or DIAMETER if no local context is present at the access point, and once authentication is complete, users can access the network.
In cellular systems, user equipment (UE) is authenticated by the network during the attachment procedure (e.g., when the device is first powered on). The UE has access to its mobility management entity (MME), which authenticates the user during the attachment process and establishes default bearers in the core network for the UE. The UE can be in an idle or an active state. During the idle state, base stations lose the context about the UE (i.e., radio bearers and S1 user plane bearers are discarded). When the UE wants to communicate, it switches from idle to active state by establishing the context at the base station it attaches to via its MME. After the radio bearers and S1-U bearers are established, communications proceed. In many use cases for machine-to-machine (M2M) or Internet of Things (IoT) applications, machines send short packets relatively infrequently, only when certain triggers occur, and when a trigger occurs the generated data must be sent very fast. Such communication patterns lead the UE to remain mostly in the idle state, and when a trigger happens the UE needs to switch immediately to the active state. This, however, incurs high delays due to the bearer establishment procedure. One simple alternative is to keep the device always in an active mode by sending periodic keep-alive type messages from the UE. The negative side effect is that the UE, which is often a battery-powered small device in M2M or IoT applications, would drain its battery faster.
Embodiments of the present invention are an improvement over prior art systems and methods.