A. Field of the Invention
This invention relates to the field of digital telecommunications. More particularly, this invention relates to a method and apparatus for applying policies in packet forwarding devices, such as routers and remote access servers.
B. Description of Related Art
Packet-switched networks, such as the Internet, typically include one or more packet forwarding devices, such as routers or remote access servers. Viewed at the simplest level, a router is a device having a plurality of interfaces, with each interface typically connected to a wide area network (WAN), a local area network (LAN), or a host. Internally, the router forwards packets from one interface to another based on the destination address contained in the header of each packet. A remote access server is similar to a router, except that, in addition to interfaces to WANs and/or LANs, a remote access server also includes one or more interfaces to the public switched telephone network (PSTN) to provide dial-in access to the network. Remote access servers also forward packets from one interface to another based on the destination addresses of the packets.
Increasingly, routers and remote access servers are also performing more sophisticated handling of packets than simply routing them on the basis of destination address. In particular, some packets may be selected for special treatment in order to provide "policy-based services." "Policy-based services" encompass any disposition of packets that involves more than simply routing them based on their destination addresses. For example, routers and remote access servers may perform packet filtering, in which certain packets are dropped, diverted, and/or logged. The router or remote access server may also perform network address translation (NAT), in which the source and/or destination addresses are changed. Certain packets may be encrypted or decrypted, such as provided for in the IPsec protocols. Finally, certain packets may be prioritized in the queue of the router or remote access server in order to provide a particular quality of service (QoS) level. Many other types of special handling of packets could also be performed.
To identify the packets that are to be subject to such special handling, the router or remote access server typically examines more than the destination address of the packet. In general, the packet-forwarding device examines one or more "selector fields" within each packet, such as the source address, destination address, source port, destination port, and protocol type. User name, or more particularly the IP address allocated to a particular user, may also be used as a selector field in remote access servers. The packet-forwarding device then enforces a "policy" by applying a set of rules to packets whose selector fields meet predefined criteria. The rules specify how the packets are to be handled. As a result of this policy enforcement, packets may be dropped, logged, translated, encrypted, decrypted, or prioritized if the selector fields within the packets match certain predefined criteria.
Typically, the "policy" is applied to all interfaces of the packet-forwarding device. For example, Abraham et al., U.S. Pat. No. 5,983,270 discloses a network server through which all traffic between a LAN and the Internet passes. A filter engine in the network server applies a policy, embodied in a set of rules, to all outbound packets transmitted from the LAN to the Internet and to all inbound packets from the Internet to the LAN.
Similarly, Haddock et al., PCT Publication No. WO 99/11003 discloses a packet-forwarding device having a comparison engine. The comparison engine examines the packets arriving at each input port to determine with which traffic group each packet is associated, the traffic groups defining different QoS levels.
A packet-forwarding device 10 that typifies the prior art approach of applying policies to packets is shown in FIG. 1. FIG. 1 is a functional block diagram in which arrows illustrate the flow of packets between functional blocks. Device 10 may be a router, a remote access server, or other such device that forwards packets. Device 10 includes interfaces 12, 14, and 16, that connect device 10 to nodes 18, 20, and 22, respectively. Nodes 18-22 may represent hosts connected via a LAN or WAN or via the PSTN. Nodes 18-22 may also represent other packet forwarding devices. Although device 10 is shown in FIG. 1 with three interfaces, device 10 may, in general, have a greater or fewer number of interfaces.
As indicated by the double-headed arrows, interfaces 12-16 are able to send packets to and to receive packets from nodes 18-22, respectively. Interfaces 12-16, in turn, are logically connected to a packet forwarder 24 via policy engines 26, 28, and 30. Internal applications 32 are also logically connected to packet forwarder 24. Internal applications 32 include the applications on device 10, such as applications for controlling and configuring device 10, that are accessible remotely, such as by SNMP or by Telnet.
Packet forwarder 24 receives packets forwarded by interfaces 12-16, via policy engines 26-30, and by internal applications 32. Packet forwarder 24, in turn, is able to forward packets to interfaces 12-16, via policy engines 26-30, and to internal applications 32. Packet forwarder 24 performs a routing functionality. Specifically, packet forwarder 24 determines, for each packet it receives, whether to forward the packet to one or more of interfaces 12-16 and/or internal applications 32. Packet forwarder 24 makes this routing determination for each packet based on the packet's destination address. Typically, packet forwarder 24 has access to routing tables that specify where to send each destination address. Normally, packet forwarder 24 will forward a packet to internal applications 32 when the packet's destination address matches one of the packet-forwarding device's own IP addresses.
Policy engines 26-30 apply policies to all packets forwarded between interfaces 12-16 and packet forwarder 24. In this process, policy engines 26-30 trap each packet and examine various selector fields in each packet, such as source address, destination address, source port, destination port, and protocol type. Based on this information, policy engines 26-30 apply a set of rules that specify the manner in which the packets are to be handled. In general, policy engines 26-30 may be separately configured so as to apply different policies.
The problem with this approach is that there is a high overhead associated with applying policies to all incoming and outgoing packets. This high overhead may increase the latency of each packet and may degrade the throughput of the packet-forwarding device. Another disadvantage with the prior art approach is the time and effort required to develop and manage policies for each interface. Finally, the overhead and management difficulties serve to limit the complexity of the policies that a packet-forwarding device can apply.
In a first principal aspect, the present invention provides a method for providing policy-based services in a packet-forwarding device running an internal application and having a first interface and a second interface. The internal application generates internally-generated packets. A policy is applied to the internally-generated packets, and the internally-generated packets are forwarded to the first interface. External packets are received at the second interface, and these external packets are forwarded to the first interface without applying the policy to them.
In a second principal aspect, the present invention provides a method for providing policy-based services in a packet-forwarding device running an internal application and having a first interface and a second interface. Incoming packets, each of which has a source address, are received at the first interface. The incoming packets are classified as internally-destined packets if their source addresses are in a first set of addresses and as external packets if their source addresses are in a second set of addresses. A policy is applied to the internally-destined packets, and the internally-destined packets are forwarded to the internal application. However, the external packets are forwarded to the second interface without applying the policy to them.
In a third principal aspect, the present invention provides a packet-forwarding device comprising first and second interfaces for transmitting and receiving packets, an internal application running on the packet-forwarding device, an internal interface logically connected to the internal application, a packet forwarder logically connected to the first and second interfaces, and a policy engine logically connected to the internal interface and the internal application. The internal application generates internally-generated packets and uses internally-destined packets. The internal interface forwards the internally-generated packets to the first interface and forwards the internally-destined packets to the internal application. The packet forwarder forwards packets between the first and second interfaces. The policy engine applies a policy to internal packets, the internal packets being selected from the group consisting of internally-generated packets and internally-destined packets.
In a fourth principal aspect, the present invention provides an improvement to a packet-forwarding device. The packet-forwarding device has a first interface, a second interface, a packet forwarder forwarding packets between the first and second interfaces, and runs an internal application. The internal application generates internally-generated packets and uses internally-destined packets. The improvement comprises an internal interface logically connected to the internal application and a policy engine logically connected to the internal interface. The internal interface forwards internal packets, the internal packets being selected from the group consisting of internally-generated packets and internally-destined packets. The policy engine applies a policy to the internal packets.
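The following Python model is an added example, not code from the patent or from any product it describes. It shows the selector-field rule matching of the related-art section (source address, destination address, protocol, port) together with the arrangement of the third and fourth aspects: a packet forwarder that routes external packets on destination address alone, and a single policy engine sitting on the internal interface so that only internally-generated and internally-destined packets pay the cost of policy evaluation. It assumes that internally-destined packets are recognised by a destination address equal to one of the device's own addresses (as packet forwarder 24 does in FIG. 1) rather than by the source-address sets of the second aspect; the addresses, rules, interface names and traffic are all constructed for the example.

```python
# Added illustrative model (not the patent's own code): a packet-forwarding device
# that forwards external packets without a policy check and applies its policy only
# to packets crossing the internal interface. All addresses and names are made up.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The selector fields a policy engine inspects."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    """One policy rule; a selector left as None is a wildcard."""
    action: str                     # "permit", "drop" or "log"
    src: Optional[str] = None       # CIDR prefix the source address must fall in
    dst: Optional[str] = None       # CIDR prefix the destination address must fall in
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


class PolicyEngine:
    """First-match evaluation; a 'log' rule records the packet and keeps matching."""

    def __init__(self, rules, default="drop"):
        self.rules, self.default = list(rules), default
        self.evaluated = 0           # how many packets paid the policy cost
        self.logged = []

    def apply(self, p: Packet) -> str:
        self.evaluated += 1
        for r in self.rules:
            if r.matches(p):
                if r.action == "log":
                    self.logged.append(p)
                    continue
                return r.action
        return self.default


class Device:
    """External interfaces, a packet forwarder, and one policy engine on the internal interface."""

    def __init__(self, own_addrs, routes, policy):
        self.own_addrs = set(own_addrs)
        self.routes = [(ip_network(n), iface) for n, iface in routes]
        self.policy = policy
        self.delivered = {}            # outgoing interface -> packets handed to it
        self.internal_app_inbox = []   # internally-destined packets the policy permitted

    def _route(self, p: Packet) -> Optional[str]:
        """Longest-prefix match on the destination address only."""
        best = None
        for net, iface in self.routes:
            if ip_address(p.dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def receive(self, p: Packet) -> str:
        """A packet arriving on an external interface."""
        if p.dst in self.own_addrs:
            # Internally-destined: it crosses the internal interface, so the policy runs.
            if self.policy.apply(p) != "permit":
                return "dropped"
            self.internal_app_inbox.append(p)
            return "internal_app"
        # External (transit) packet: forwarded on destination address, no policy applied.
        iface = self._route(p)
        self.delivered.setdefault(iface, []).append(p)
        return iface

    def send_from_app(self, p: Packet) -> str:
        """An internally-generated packet leaving the internal application."""
        if self.policy.apply(p) != "permit":
            return "dropped"
        iface = self._route(p)
        self.delivered.setdefault(iface, []).append(p)
        return iface


def run_demo() -> dict:
    """Constructed traffic: a transit flow, SNMP from the management LAN, a rogue Telnet probe, syslog."""
    policy = PolicyEngine([
        Rule("permit", src="10.0.0.0/24", proto="udp", dport=161),   # SNMP from the management LAN
        Rule("permit", src="10.0.0.0/24", proto="tcp", dport=23),    # Telnet from the management LAN
        Rule("permit", src="10.0.0.1/32"),                            # anything the device itself sends
        Rule("log", proto="tcp", dport=23),                           # record other Telnet attempts
    ])
    dev = Device(own_addrs={"10.0.0.1", "192.0.2.1"},
                 routes=[("10.0.0.0/24", "if_lan"), ("0.0.0.0/0", "if_wan")],
                 policy=policy)
    out = {
        "transit": dev.receive(Packet("10.0.0.7", "198.51.100.9", "tcp", 40000, 80)),
        "checked_after_transit": policy.evaluated,
        "snmp": dev.receive(Packet("10.0.0.7", "10.0.0.1", "udp", 5000, 161)),
        "rogue_telnet": dev.receive(Packet("203.0.113.5", "192.0.2.1", "tcp", 5555, 23)),
        "syslog": dev.send_from_app(Packet("10.0.0.1", "10.0.0.50", "udp", 514, 514)),
    }
    out["checked_total"] = policy.evaluated
    out["telnet_logged"] = len(policy.logged)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The transit packet reaches `if_wan` with `policy.evaluated` still at zero, which is the saving the invention claims; the SNMP request, the Telnet probe and the device's own syslog message are the only packets the engine examines, and the probe is logged and then dropped by the default rule. The practitioner's caveat is the flip side of that saving: transit traffic is forwarded with no filtering at all, so any filtering the device's interfaces previously provided to the networks behind them must now be enforced elsewhere.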