1. Field of the Invention
This invention relates generally to the fields of on-switch methods of performing various network functions, including detecting and mitigating network anomalies, performing packet filtering, enforcing network policies and the like, embodied in the form of rules such as Access Control Lists stored locally at the switch, and, more specifically, to improvements in the structure of such rules to allow more dynamic and flexible control and performance of the various network functions.
2. Related Art
In response to the onset of network attacks, viruses, and other network anomalies, network administrators presently utilize relatively static rules known as Access Control Lists (ACLs) to detect and mitigate the problem. These ACLs define a profile of potentially problematic network packets (typically in the form of an n-tuple specifying layer 2 source and destination addresses, layer 3 (IP) source and destination addresses, layer 4 protocol (TCP/UDP), and layer 4 source and destination ports), and one or more predetermined actions (such as denying or permitting packet access) to be taken by the network switch should a packet meeting this profile be encountered. Once defined, these ACLs are then compiled into executable form and executed within the network switch as packets are received or transmitted over the network. When a packet meeting the defined profile is received or transmitted over the network, the one or more predetermined actions defined by the rule are performed.
A problem with current ACLs is that, as the specified matching conditions are limited to conditions involving data in the packet or packet header, they are often insufficiently precise for the purpose of detecting or defending against network anomalies that are defined in other terms. Consider, for example, the following ACL, which always denies access to ICMP echo requests from a particular subnet (10.203.134.0/24), for the purpose of detecting and mitigating packet flooding of the network by this particular form of packet:
entry icmp {
    IF {
        source-address 10.203.134.0/24;
        protocol icmp;
        icmp-type echo-request;
    } THEN {
        deny;
    }
}
As this ACL always denies access whenever an ICMP echo request from the particular subnet (10.203.134.0/24) is encountered, even when a flooding condition is not present, it will often result in the denial of valid packets.
A related problem is that, as the response defined by this ACL is static, it cannot dynamically respond to a change in network conditions. For example, assuming the foregoing ACL is initially (and correctly) triggered upon the onset of a packet flooding condition from this particular form of packet, the ACL continues to deny access to these packets even after the network flooding condition has abated.
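The following Python simulation is an added illustration of the two problems just described; it is not code from the patent and does not implement the claimed invention. It evaluates the page's ACL profile (ICMP echo request from 10.203.134.0/24, action deny) over a constructed packet trace containing normal pings, a burst of 50 echo requests in half a second, and a ping after the burst has abated. Alongside the static rule it runs a hypothetical rate-aware rule (threshold, sliding window and the RateAwareRule class are assumptions for the example) so the difference in denied packets can be compared directly.

```python
import ipaddress
from collections import deque

# Constructed sample trace: (timestamp_seconds, src_ip, protocol, icmp_type).
# Two ordinary pings, one ping from outside the subnet, a 50-packet burst at
# t=5.0..5.49 (the "flood"), then traffic after the flood has abated.
SAMPLE_PACKETS = (
    [
        (0.0, "10.203.134.5", "icmp", "echo-request"),   # normal ping, no flood
        (1.0, "10.203.134.7", "icmp", "echo-request"),   # normal ping, no flood
        (2.0, "192.0.2.9", "icmp", "echo-request"),      # outside the subnet
    ]
    + [(5.0 + i * 0.01, "10.203.134.20", "icmp", "echo-request") for i in range(50)]
    + [
        (20.0, "10.203.134.5", "icmp", "echo-request"),  # flood abated
        (21.0, "10.203.134.5", "tcp", None),             # not ICMP at all
    ]
)

SUBNET = ipaddress.ip_network("10.203.134.0/24")


def matches_profile(pkt):
    """Match condition of the page's ACL: ICMP echo-request from 10.203.134.0/24."""
    _, src, proto, icmp_type = pkt
    return (
        ipaddress.ip_address(src) in SUBNET
        and proto == "icmp"
        and icmp_type == "echo-request"
    )


def static_acl(packets):
    """Static ACL as on the page: deny every matching packet, whatever the network state."""
    return ["deny" if matches_profile(p) else "permit" for p in packets]


class RateAwareRule:
    """Hypothetical rate-aware rule (an assumption for this example, not the patent's
    method): deny a matching packet only while more than `threshold` matching packets
    have been seen within the trailing `window` seconds."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.times = deque()  # timestamps of recent matching packets

    def decide(self, pkt):
        if not matches_profile(pkt):
            return "permit"
        now = pkt[0]
        self.times.append(now)
        # Drop timestamps that have fallen out of the sliding window.
        while self.times and now - self.times[0] > self.window:
            self.times.popleft()
        return "deny" if len(self.times) > self.threshold else "permit"


def rate_aware_acl(packets, threshold=10, window=1.0):
    """Evaluate the hypothetical rate-aware rule over a packet trace."""
    rule = RateAwareRule(threshold, window)
    return [rule.decide(p) for p in packets]


if __name__ == "__main__":
    static = static_acl(SAMPLE_PACKETS)
    dynamic = rate_aware_acl(SAMPLE_PACKETS)
    print("static ACL denies   :", static.count("deny"), "of", len(SAMPLE_PACKETS))
    print("rate-aware denies   :", dynamic.count("deny"), "of", len(SAMPLE_PACKETS))
    print("first normal ping   :", static[0], "/", dynamic[0])
    print("ping after abatement:", static[53], "/", dynamic[53])
```

With the constructed trace, the static rule denies 53 of 55 packets, including the ordinary pings before the burst and the ping sent after the burst has ended; the rate-aware variant denies only the 40 burst packets beyond the threshold and permits traffic again once the window empties. The example also shows the usual cost of any threshold scheme: the first ten packets of the burst are permitted before the condition trips, so threshold and window have to be chosen against the flood rate the operator actually expects.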
A third problem is that the limited functions that are allowed should a match condition be detected, such as allowing or denying access to packets meeting the specified profile, or mirroring the packets to a network administrator, are often not effective for the purpose of mitigating the network anomaly.
Consider, for example, an ACL that mirrors potentially problematic packets to a network administrator who is charged with the responsibility of examining the packets and taking appropriate action, such as by applying one or more new ACLs to deny access to these packets. Because of the latency between the time the potentially problematic packets are detected and the time of a response, significant damage to the network may have already occurred by the time of the response.
Therefore, there is a need for a more precise, flexible and dynamic rule structure for the purpose of detecting and responding to network anomalies.