1. Field of the Invention
The present invention relates to computer networks. More particularly, the present invention relates to computer networks that can be controlled using policies.
2. Background Information
In a network system that does not employ policy-based control, network devices are configured separately, one by one, to control functions such as Quality of Service (QoS) and security management.
A high-speed network device can comprise hardware for performing high-speed processing. Furthermore, an increasing number of network devices recently introduced into the market include built-in processors, called packet processors or network processors, that are capable of high-speed processing of a limited set of functions. However, these hardware network devices are not general-purpose, so their functionality is limited to a certain extent. Consequently, such network devices are not necessarily capable of using policies to control their behavior.
Differentiated Services technology (“DiffServ”) is one system for controlling a network; it assures QoS over a network such as the Internet. Under DiffServ, a series of packets transmitted from a first network application to a second network application via the network is viewed as belonging to a single “flow” of packets. Whether a given Internet Protocol (IP) packet belongs to a given flow may be determined by identifying the source and/or destination IP addresses and the protocol and, if that protocol is TCP or UDP, also the ports. On the path from the first network application to the second network application there are an edge router as the entrance to the network, zero or more core routers, and then an edge router as the exit from the network.
According to DiffServ technology, a plurality of flows are brought together: at the entrance edge router the packets are marked with a given value in their DS (Differentiated Services) field, and packets carrying that value are thereafter handled as components of a single aggregated flow. The value carried in the DS field is called a DSCP (Differentiated Services Code Point). By creating aggregated flows, the QoS conditions such as bandwidth and packet transmission priority may be controlled for each aggregated flow simply by examining the DSCP. Because core routers then decide on the basis of the DSCP alone, rather than classifying individual flows, their load for managing the QoS conditions may be alleviated.
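As an added illustration of the two preceding paragraphs (this is example code written for this page, not part of the patent text), the following model has an entrance edge router classify packets by source/destination address, protocol and, for TCP/UDP only, ports, then mark a DSCP; several distinct flows receive the same DSCP and so become one aggregated flow, and the core router chooses a treatment from the DSCP alone without any per-flow state. The DSCP names (EF, AF31, best effort) are standard DiffServ code points; the flow selectors, the mapping of flows to code points, the core treatment names and the sample packets are all constructed for the example.

```python
"""Added example (not from the patent): a minimal DiffServ edge/core model.
Flow selectors, flow-to-DSCP mapping and sample packets are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Standard DSCP code points; which flow gets which one is this example's choice.
DSCP_EF = 46    # Expedited Forwarding
DSCP_AF31 = 26  # Assured Forwarding class 3, low drop precedence
DSCP_BE = 0     # best effort (default marking)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: int = DSCP_BE


@dataclass(frozen=True)
class FlowSelector:
    """Identifies a flow as the text describes: addresses, protocol and,
    for TCP/UDP only, the ports. None means wildcard."""
    src: Optional[str] = None  # CIDR prefix or None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto and p.proto != self.proto:
            return False
        # Ports exist only for TCP/UDP: a selector naming a port can never
        # match a packet of another protocol.
        if self.sport is not None or self.dport is not None:
            if p.proto not in ("tcp", "udp"):
                return False
            if self.sport is not None and p.sport != self.sport:
                return False
            if self.dport is not None and p.dport != self.dport:
                return False
        return True


# Edge-router marking table (constructed): two distinct UDP flows map to EF
# and thereby become a single aggregated flow from the core's point of view.
EDGE_RULES = [
    (FlowSelector(src="10.1.0.0/16", proto="udp", dport=5060), DSCP_EF),
    (FlowSelector(src="10.1.0.0/16", proto="udp", dport=4000), DSCP_EF),
    (FlowSelector(dst="192.0.2.10/32", proto="tcp", dport=443), DSCP_AF31),
]


def edge_mark(p: Packet) -> Packet:
    """Entrance edge router: the first matching selector sets the DSCP;
    unmatched traffic is left as best effort."""
    for sel, dscp in EDGE_RULES:
        if sel.matches(p):
            return Packet(p.src, p.dst, p.proto, p.sport, p.dport, dscp)
    return Packet(p.src, p.dst, p.proto, p.sport, p.dport, DSCP_BE)


# Core router: treatment keyed on the DSCP only, no knowledge of flows.
CORE_QOS = {
    DSCP_EF: "priority-queue",
    DSCP_AF31: "bandwidth-guaranteed",
    DSCP_BE: "best-effort",
}


def core_queue(p: Packet) -> str:
    """Core router decision: look at nothing but the DS field."""
    return CORE_QOS.get(p.dscp, "best-effort")


# Constructed sample traffic.
PACKETS = [
    Packet("10.1.2.3", "198.51.100.7", "udp", 5060, 5060),   # signalling -> EF
    Packet("10.1.9.9", "198.51.100.8", "udp", 40000, 4000),  # media -> EF
    Packet("10.2.0.1", "192.0.2.10", "tcp", 51000, 443),     # -> AF31
    Packet("10.1.2.3", "198.51.100.7", "icmp"),              # no ports -> BE
    Packet("10.1.2.3", "192.0.2.10", "tcp", 5000, 80),       # no rule -> BE
]


def classify_all(packets: List[Packet]) -> List[str]:
    """Edge marking followed by the core's per-DSCP treatment."""
    return [core_queue(edge_mark(p)) for p in packets]


if __name__ == "__main__":
    for p, q in zip(PACKETS, classify_all(PACKETS)):
        print(f"{p.src:>10} -> {p.dst:<14} {p.proto:<4} dscp={edge_mark(p).dscp:<2} {q}")
```

The point of the split between `edge_mark` and `core_queue` is the one the text makes: only the edge router holds flow selectors, while the core consults a table with as many entries as there are code points in use, regardless of how many flows pass through it.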
However, when a high-level policy is converted into the low-level policies of network devices, a need may arise for the rules included in a single high-level policy to be divided into rules of a plurality of low-level policies implementing the equivalent functions, or for the rules included in a plurality of high-level policies to be merged into rules of a single low-level policy implementing the equivalent functions. Furthermore, because of the constraints of the hardware functions, the policy rules themselves also may not be convertible through a one-to-one correspondence. That is, there may be a case in which a single policy rule in a high-level policy needs to be converted into a plurality of policy rules of a low-level policy implementing the equivalent function, or in which a plurality of policy rules in a high-level policy have to be converted into a single policy rule included in a low-level policy implementing the equivalent function.
It would be desirable to provide a policy-controlled network system which allows a single high-level policy to be converted into a plurality of low-level policies that meet the constraints of the network device, even if the high-level policy cannot be converted through a one-to-one correspondence because of the constraints on the low-level policies of the device. Such a system should likewise allow a plurality of high-level policies to be converted into a single low-level policy that meets the constraints of the network device, even if the high-level policies cannot be converted through a one-to-one correspondence because of those constraints.
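The two conversion directions described above (one high-level rule becoming several low-level rules, and several rules collapsing into one) are illustrated by the following added example; it is written for this page and is not the patent's own method. The device constraints are assumptions made for the demonstration: a low-level rule holds exactly one source prefix and one destination port, the device table holds at most `MAX_LOW_RULES` entries, and the sample high-level policies are constructed. The split is a cartesian product over the high-level rule's sets; the merge collapses adjacent or overlapping source prefixes that share the same port and action, using the standard library's `ipaddress.collapse_addresses`.

```python
"""Added example (not from the patent): converting high-level policy rules
to low-level rules under hypothetical device constraints."""
from dataclasses import dataclass
from ipaddress import collapse_addresses, ip_network
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HighRule:
    """High-level rule: sets of source prefixes and destination ports,
    one action (the DSCP to set)."""
    srcs: Tuple[str, ...]
    dports: Tuple[int, ...]
    dscp: int


@dataclass(frozen=True)
class LowRule:
    """Low-level rule in the shape the (hypothetical) hardware accepts:
    exactly one source prefix and one destination port per entry."""
    src: str
    dport: int
    dscp: int


MAX_LOW_RULES = 8  # assumed table-size limit of the device


def split_rule(r: HighRule) -> List[LowRule]:
    """One high-level rule -> several low-level rules (one per src/port pair)."""
    return [LowRule(s, p, r.dscp) for s, p in product(r.srcs, r.dports)]


def merge_rules(rules: List[LowRule]) -> List[LowRule]:
    """Several low-level rules -> fewer rules, by collapsing source prefixes
    that share the same destination port and the same action."""
    groups: Dict[Tuple[int, int], list] = {}
    for lr in rules:
        groups.setdefault((lr.dport, lr.dscp), []).append(ip_network(lr.src))
    merged: List[LowRule] = []
    for (dport, dscp), nets in groups.items():
        # collapse_addresses joins adjacent prefixes and drops contained ones
        for net in collapse_addresses(nets):
            merged.append(LowRule(str(net), dport, dscp))
    return merged


def compile_policy(high: List[HighRule]) -> List[LowRule]:
    """Split every high-level rule, then merge, then check the device limit."""
    low = [lr for hr in high for lr in split_rule(hr)]
    low = merge_rules(low)
    if len(low) > MAX_LOW_RULES:
        raise ValueError(
            f"policy needs {len(low)} entries but the device holds {MAX_LOW_RULES}")
    return low


def fits_device(high: List[HighRule]) -> bool:
    """True when the compiled policy fits in the device table."""
    try:
        compile_policy(high)
        return True
    except ValueError:
        return False


# Constructed sample high-level policies.
HIGH = [
    # two /24s x two ports -> 4 entries, merged to 2 (10.1.0.0/23 per port)
    HighRule(("10.1.0.0/24", "10.1.1.0/24"), (5060, 4000), 46),
    # 10.1.2.0/24 is not a /23 partner of 10.1.0.0/23, so it stays separate
    HighRule(("10.1.2.0/24",), (5060,), 46),
    # two halves of a /24 with one action -> a single 192.0.2.0/24 entry
    HighRule(("192.0.2.0/25", "192.0.2.128/25"), (443,), 26),
]

if __name__ == "__main__":
    for lr in compile_policy(HIGH):
        print(lr)
```

Running the block shows the seven split entries reduced to four low-level rules. The device-limit check in `compile_policy` is the caveat a practitioner wants here: a high-level rule that looks small can expand past what the hardware holds, and the conversion should fail loudly rather than silently drop rules.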