1. Field of the Invention
The present invention generally relates to a system and method of assigning discontiguous address ranges to a plurality of repeating address blocks, and more particularly relates to a system and method of aggregating discontiguous address ranges into addresses and masks, using a plurality of repeating address blocks, for the efficient implementation of network policies.
2. Description of the Related Art
With the increase in popularity of the Internet, the widespread deployment of intranets, and the growing use of Internet protocol (IP) based network technologies, many enterprises have established private networks which have become difficult and costly to manage effectively. In particular, enterprises having a network of physical locations and separate network policies have found it difficult and costly to manage their routing infrastructure and policy implementation infrastructure (such as firewalls). The difficulty and complexity of managing these two infrastructures increase with the number of separate network address ranges, each of which represents a single network policy at a single routing location.
Some enterprises have been successful in reducing the complexity and cost of managing their routing infrastructure by creating an enterprise network address plan that places address ranges representing the same routing locations adjacent to each other, irrespective of the different policies these address ranges represent. Unfortunately, an address plan that is designed to be more highly efficient for route advertisement purposes is less efficient for policy implementation.
Other enterprises have purposefully reduced the complexity and cost of managing their policy implementation infrastructure by creating an address plan that places address ranges representing similar policy areas adjacent to each other irrespective of routing location. In this implementation, adjacent address ranges with a similar policy can be aggregated into fewer, larger ranges in order to gain efficiencies and cost reductions in the policy implementation infrastructure. This aggregation has the opposite effect on route advertisement, causing the routing infrastructure to be more costly and inefficient.
Currently, most enterprise networks aggregate or assign network addresses, i.e., allocate network address space, in one of three ways:
(1) Randomly Allocating Address Ranges. The first way of assigning network addresses is to randomly assign ranges of addresses. The ranges of addresses are assigned as needed or requested in order to accommodate the needs of subnets, which are located at specific physical locations or are connected to specific points of network presence and which have specific policy requirements. For example, assume a company with a company-wide network wishes to connect five locations on two continents using three different policy spaces protected by network firewalls. Also, assume that the company has 13 subnets, each of which includes all the devices within the same security policy space at the same location. The following table illustrates the number of network devices in each policy area at each routing location.
Location  | Continent  | User Network Devices | Production Network Devices | Web Server Network Devices
----------|------------|----------------------|----------------------------|---------------------------
Palo Alto | N. America | 2100                 | 130                        | 80
Atlanta   | N. America | 600                  | 60                         | 35
London    | Europe     | 130                  | 120                        |
Paris     | Europe     | 100                  | 180                        |
Frankfurt | Europe     | 240                  | 50                         | 60
An example of an IP based random distribution would be a company that uses net-10 addressing, e.g., IP addresses 10.0.0.0 through 10.255.255.255, for its internal network devices. In this example, a person or group coordinates the responsibilities to ensure that every location or group within the company is given a unique range of addresses. In the random distribution, the person or group issues ranges of addresses in sequential order based on requests received from the various groups within the company.
The address table in this example may be as follows:
Location  | Network Policy | Starting Address | Ending Address | Number of Addresses
----------|----------------|------------------|----------------|--------------------
Palo Alto | User Net       | 10.0.0.0         | 10.0.2.255     | 768
London    | User Net       | 10.0.3.0         | 10.0.3.255     | 256
Palo Alto | Production Net | 10.0.4.0         | 10.0.4.255     | 256
London    | Production Net | 10.0.5.0         | 10.0.5.255     | 256
Atlanta   | User Net       | 10.0.6.0         | 10.0.9.255     | 1024
Paris     | User Net       | 10.0.10.0        | 10.0.10.255    | 256
Atlanta   | Production Net | 10.0.11.0        | 10.0.11.255    | 256
Palo Alto | User Net       | 10.0.12.0        | 10.0.19.255    | 2048
Frankfurt | Production Net | 10.0.20.0        | 10.0.20.255    | 256
Palo Alto | Web Net        | 10.0.21.0        | 10.0.21.255    | 256
Atlanta   | Web Net        | 10.0.22.0        | 10.0.22.255    | 256
Frankfurt | User Net       | 10.0.23.0        | 10.0.24.255    | 512
Paris     | Production Net | 10.0.25.0        | 10.0.25.255    | 256
Frankfurt | Web Net        | 10.0.26.0        | 10.0.26.255    | 256
FIG. 1 illustrates a graphical representation of a prior art randomly assigned address table. The left column shows the random distribution of subnets by routing location and the right column shows the random distribution of subnets by policy area.
A network that randomly assigns addresses is not suitable for optimizing the route advertisement of the addresses because the subnets that represent the addresses used at any particular location or geographic zone are not summarizable. Furthermore, randomly assigning addresses is not suitable for firewall access control list (ACL) optimization because the subnets that represent the same network security policy are not summarizable. ACLs are a common form of policy implementation.
The lack of route advertisement optimization can have a significant impact on large and highly distributed networks because route advertisement tables used by various network devices to correctly route network traffic can become very large. In a large network, stability problems can cause these very large route advertisement tables to be frequently re-transmitted throughout the network using significant portions of available bandwidth on wide area connections and impacting router memory and CPU performance. Also, localized advertisements to network service providers are made more difficult and even impossible if local subnets cannot be aggregated to a sufficient size.
Moreover, the lack of ACL optimization can have a significant impact on large and highly distributed networks because ACL tables used by firewall devices to implement network security policies can become very large and complex. This impacts the performance of the firewall, firewall configuration systems, and the likelihood that the work of the personnel responsible for implementing security policy will be consistent and error free.
(2) Pre-Allocate Address Ranges by Geography. The second way of assigning network addresses is to pre-allocate address ranges by geographical location and zone. This way has tremendous advantages for network routing performance, i.e., optimizes route advertisement, because subnets can be aggregated into larger contiguous ranges to greatly reduce the size of route advertisement tables.
In this example, the optimized route advertisement address plan may be as follows:
Location  | Network Policy | Starting Address | Ending Address | Number of Addresses
----------|----------------|------------------|----------------|--------------------
Palo Alto | User Net       | 10.0.0.0         | 10.0.2.255     | 768
Palo Alto | Production Net | 10.0.3.0         | 10.0.3.255     | 256
Palo Alto | User Nets      | 10.0.4.0         | 10.0.11.255    | 2048
Palo Alto | Web Net        | 10.0.12.0        | 10.0.12.255    | 256
Atlanta   | User Net       | 10.0.13.0        | 10.0.16.255    | 1024
Atlanta   | Web Net        | 10.0.17.0        | 10.0.17.255    | 256
Atlanta   | Production Net | 10.0.18.0        | 10.0.18.255    | 256
London    | User Net       | 10.0.32.0        | 10.0.32.255    | 256
London    | Production Net | 10.0.33.0        | 10.0.33.255    | 256
Paris     | Production Net | 10.0.34.0        | 10.0.34.255    | 256
Paris     | User Net       | 10.0.35.0        | 10.0.35.255    | 256
Frankfurt | User Net       | 10.0.36.0        | 10.0.37.255    | 512
Frankfurt | Web Net        | 10.0.38.0        | 10.0.38.255    | 256
Frankfurt | Production Net | 10.0.39.0        | 10.0.39.255    | 256
FIG. 2 illustrates a graphical representation of a prior art route advertisement optimized address table. The left column shows the distribution of subnets by routing location and the right column shows the distribution of subnets by policy area.
This address plan allows an aggregation at the city and continent level. As shown, the addresses in the range 10.0.0.0-10.0.12.255 represent the subnets in Palo Alto. Also, the addresses in the range 10.0.0.0-10.0.31.255 represent the subnets in North America. The blank space represents the address space reserved for future use. Pre-allocating address ranges by geography allows all routers in Europe to carry a single route advertisement table entry for North America as well as a single route advertisement for each European site. It also allows a new site in North America to be assigned unused address space within the range reserved for North America. By doing this, the new site can be implemented without changing the route advertisement aggregations at any of the European sites.
The route advertisement optimization, however, is gained at the expense of security policy or ACL optimization. The lack of ACL optimization can have a significant impact on large and highly distributed networks because ACL tables used by firewall devices to implement security policy can become very large and complex. This impacts the performance of the firewall, firewall configuration systems, and the likelihood that the work of the personnel responsible for implementing security policy will be consistent and error free.
(3) Pre-Allocate Address Ranges by Security Policy. The third way of assigning network addresses is to pre-allocate address ranges by security policy. This way optimizes the ACL assignment and can be very helpful in a large and complex network environment because it can reduce the size and complexity of ACLs and other firewall configurations.
In this example, the optimized ACL address plan may be as follows:
Location  | Network Policy | Start Address | End Address | Number of Addresses
----------|----------------|---------------|-------------|--------------------
Palo Alto | User Net       | 10.0.0.0      | 10.0.2.255  | 768
London    | User Net       | 10.0.3.0      | 10.0.3.255  | 256
Atlanta   | User Net       | 10.0.4.0      | 10.0.7.255  | 1024
Paris     | User Net       | 10.0.8.0      | 10.0.8.255  | 256
Palo Alto | User Net       | 10.0.9.0      | 10.0.16.255 | 2048
Frankfurt | User Net       | 10.0.17.0     | 10.0.17.255 | 256
Paris     | Production Net | 10.0.32.0     | 10.0.32.255 | 256
Atlanta   | Production Net | 10.0.33.0     | 10.0.33.255 | 256
Frankfurt | Production Net | 10.0.34.0     | 10.0.34.255 | 256
Palo Alto | Production Net | 10.0.35.0     | 10.0.35.255 | 256
London    | Production Net | 10.0.36.0     | 10.0.36.255 | 256
Palo Alto | Web Net        | 10.0.40.0     | 10.0.40.255 | 256
Frankfurt | Web Net        | 10.0.41.0     | 10.0.41.255 | 256
Atlanta   | Web Net        | 10.0.42.0     | 10.0.42.255 | 256
FIG. 3 illustrates a graphical representation of a prior art ACL optimized address table. The left column shows the distribution of subnets by routing location and the right column shows the distribution of subnets by policy area. This address plan allows an aggregation of subnets with the same security policy.
As shown in the table, all addresses in the range 10.0.0.0-10.0.31.255 represent User Nets subnets. This allows ACLs on firewalls protecting Production Nets and Web Nets to identify all User Net addresses in a single ACL entry. Also, it allows a new User Net subnet to be assigned address space from the unused portion of the User Net address range. Hence, the new subnet is given the same access into Production subnets and Web subnets without having to change the ACL entries or other network policy configurations on those existing firewall devices.
This ACL optimization, however, is gained at the expense of geographic route advertisement optimization. The lack of route advertisement optimization can have a significant impact on large and highly distributed networks because tables of route advertisements used by various network devices to correctly route network traffic can become very large. In a large network, stability problems can cause these very large route advertisement tables to be frequently re-transmitted throughout the network using significant portions of available bandwidth on wide area connections and impacting router memory and CPU performance. Also, localized advertisements to network service providers are made more difficult and even impossible if local subnets cannot be aggregated to a sufficient size.
Once the address ranges are allocated, routers are used to implement the address ranges. Many popular routers implement address ranges using a single address and a mask. That is, in order for a router to determine whether a target network address is within the address range specified by the address and mask, a binary comparison is made using the address and mask of the address range and the target network address. For example, in an 8-bit binary addressing scheme having valid addresses from 0 to 255, the address range 0-31 can be described with an address of 0 (0000 0000) and a mask of 224 (1110 0000). In the binary comparison operation, the target network address is compared bit by bit to the range address using the mask. In each binary digit, a one value in the mask means that the target address must match the range address. A zero value means that the target address does not have to match the range address. The following two examples illustrate this concept.
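As an added illustration, not part of the patent text, the following Python implements the bitwise address-and-mask comparison just described, together with a helper that covers an arbitrary inclusive range with the fewest address/mask pairs; it is then applied to ranges taken from the address tables above to show why an aligned block (all User Nets in the ACL-optimized plan) costs one entry while an unaligned one (Palo Alto in the route-optimized plan) costs several. The function names and the 32-bit IPv4 helpers are this example's own choices.

```python
from typing import List, Tuple

def matches(target: int, address: int, mask: int) -> bool:
    """Bitwise test from the text: where a mask bit is 1 the target bit must
    equal the range address bit; where it is 0 the target bit is unconstrained."""
    return (target & mask) == (address & mask)

def summarize(start: int, end: int, width: int = 32) -> List[Tuple[int, int]]:
    """Cover the inclusive range start..end with the fewest (address, mask) pairs.
    One pair suffices only when the range is a power-of-two block aligned on its
    own size; otherwise the range is split greedily from the low end."""
    all_ones = (1 << width) - 1
    entries = []
    while start <= end:
        # Grow the block at `start` while it stays aligned and inside the range.
        size = 1
        while size < (1 << width):
            bigger = size << 1
            if start & (bigger - 1) or start + bigger - 1 > end:
                break
            size = bigger
        entries.append((start, all_ones ^ (size - 1)))
        start += size
    return entries

def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def entries_for(start: str, end: str) -> List[Tuple[str, str]]:
    """Address/mask pairs, in dotted form, covering an IPv4 range from the tables."""
    return [(int_to_ip(a), int_to_ip(m))
            for a, m in summarize(ip_to_int(start), ip_to_int(end))]

if __name__ == "__main__":
    # 8-bit example from the text: address 0 with mask 224 (1110 0000) covers 0-31.
    print(summarize(0, 31, width=8), matches(17, 0, 224), matches(32, 0, 224))
    # ACL-optimized plan: every User Net, 10.0.0.0-10.0.31.255, is one ACL entry.
    print(entries_for("10.0.0.0", "10.0.31.255"))
    # Route-optimized plan: North America and Europe are one route entry each ...
    print(entries_for("10.0.0.0", "10.0.31.255"), entries_for("10.0.32.0", "10.0.39.255"))
    # ... but the Palo Alto block 10.0.0.0-10.0.12.255 is not aligned on its size,
    # so a device describing it by address and mask needs three entries.
    print(entries_for("10.0.0.0", "10.0.12.255"))
```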