US-12627744-B2 - Object-based changes to filter-intent over multicast or publication/subscription (Pub/Sub) distribution
Abstract
Novel tools and techniques are provided for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution. In various embodiments, a computing system (e.g., a managed device among a plurality of managed devices and/or its corresponding agent) may receive, from a network filter orchestration conductor, a global filter-intent list including a first filter intent that references a corresponding filter-intent object. The computing system may determine whether the at least one first filter intent applies to the managed device. If so, the computing system may translate the at least one first filter intent into a first filter that is specific to a first configuration of the managed device, in some cases, by building the first filter based at least in part on the at least one first filter intent. The computing system may subsequently apply the first filter to one or more network communications handled by the managed device.
Inventors
- Dean Ballew
- John R. B. Woodworth
- Brian J. STRONG
- Robert J. Whelton
- Thomas P Donahue
- John A. Schiel
- Mark DEHUS
Assignees
- LEVEL 3 COMMUNICATIONS, LLC
Dates
- Publication Date: 20260512
- Application Date: 20240430
Claims (20)
- 1. A method, comprising: receiving, by a first managed device among a plurality of managed devices disposed in one or more networks and from a network filter orchestration conductor, a global filter-intent list comprising at least one first filter intent, wherein each first filter intent references a corresponding first filter-intent object among at least one first filter-intent object; determining, by the first managed device and based on at least one of the global filter-intent list, the at least one first filter intent, or the at least one first filter-intent object, whether the at least one first filter intent applies to the first managed device; based on a determination that the at least one first filter intent applies to the first managed device, translating, by the first managed device, the at least one first filter intent into a first filter that is specific to a first configuration of the first managed device; and applying the first filter to one or more network communications handled by the first managed device.
- 2. The method of claim 1, wherein the plurality of managed devices each comprises at least one of a switch, a router, a network gateway, a network firewall, a server, a network node, or other network device.
- 3. The method of claim 1, wherein the global filter-intent list comprises at least one of a list indicating network filter intent or a list indicating network filter rules.
- 4. The method of claim 1, wherein each first filter-intent object comprises at least one of a list of one or more devices, a list of one or more network devices, a list of one or more network nodes, a list of one or more networks, a list of one or more subnets, a list of information associated with the one or more devices, a list of information associated with the one or more network devices, a list of information associated with the one or more network nodes, a list of information associated with the one or more networks, or a list of information associated with the one or more subnets.
- 5. The method of claim 1, further comprising: based on a determination that the global filter-intent list does not comprise a signed global filter-intent list that has been signed by the network filter orchestration conductor, ignoring the received global filter-intent list; and storing, by the first managed device and in a first cache, at least the global filter-intent list; wherein at least the steps of storing at least the global filter-intent list and determining whether the at least one first filter intent applies to the first managed device are based on a determination that the received global filter-intent list comprises a signed global filter-intent list that has been signed by the network filter orchestration conductor, wherein the signed global filter-intent list also includes version information.
- 6. The method of claim 5, further comprising: confirming, by an agent of the first managed device, whether the received global filter-intent list is a most-current version of the global filter-intent list based on the version information; and based on a determination that the received global filter-intent list is not the most-current version, requesting, by the agent of the first managed device, the most-current version of the global filter-intent list.
- 7. The method of claim 6, further comprising: confirming, by the agent of the first managed device, whether the referenced at least one first filter-intent object is the most-current version of the referenced at least one first filter-intent object based on version information of the referenced at least one first filter-intent object; and based on a determination that the received global filter-intent list is not the most-current version, requesting, by the agent of the first managed device, the referenced at least one first filter-intent object.
- 8. The method of claim 7, wherein: storing the global filter-intent list is performed by the agent of the first managed device; confirming whether the received global filter-intent list is the most-current version of the global filter-intent list comprises sending, by the agent of the first managed device, a query for the most-current version of the global filter-intent list, wherein sending the query comprises sending the query to at least one of the network filter orchestration conductor or one or more agents of corresponding one or more managed devices among the plurality of managed devices; and confirming whether the referenced at least one first filter-intent object is the most-current version of the referenced at least one first filter-intent object comprises sending, by the agent of the first managed device, a query for the most-current version of the referenced at least one first filter-intent object, wherein sending the query comprises sending the query to at least one of the network filter orchestration conductor or the one or more agents of the corresponding one or more managed devices.
- 9. The method of claim 1, further comprising: receiving, by the first managed device and from a second managed device among the plurality of managed devices, a request for a second filter-intent object; sending, by the first managed device, an offer to send the second filter-intent object to the second managed device and sending, by the first managed device, a request for an acknowledgment of the offer; and in response to receiving the acknowledgment of the offer, sending, by the first managed device, the second filter-intent object to the second managed device.
- 10. The method of claim 1, wherein the global filter-intent list comprises an incremental update of a previously received global filter-intent list.
- 11. The method of claim 10, wherein storing the global filter-intent list is performed by an agent of the first managed device, wherein the method further comprises, based on a determination that the incremental update of the global filter-intent list is applicable to the first managed device, building, by the agent of the first managed device, one or more network filters based at least in part on filter intent indicated in the incremental update of the global filter-intent list.
- 12. The method of claim 11, wherein building the one or more network filters comprises building, by the agent of the first managed device, one or more network filters based at least in part on filter intent indicated in the incremental update of the filter-intent list and further based at least in part on one of an evaluation of one or more network interfaces of the first managed device or one or more routing tables.
- 13. The method of claim 1, wherein the global filter-intent list comprises a complete global filter-intent list that contains an up-to-date and complete network intent.
- 14. The method of claim 13, wherein one or more incremental updates of a previously received global filter-intent list are stored in a first cache by an agent of the first managed device, wherein the method further comprises: after receiving the complete global filter-intent list, clearing, by the agent of the first managed device, the one or more incremental updates of the previously received global filter-intent list that are stored in the first cache.
- 15. The method of claim 1, wherein the global filter-intent list is multicast from the network filter orchestration conductor to the plurality of managed devices.
- 16. The method of claim 1, wherein the global filter-intent list is published by the network filter orchestration conductor, wherein the first managed device subscribes to the global filter-intent list that is published by the network filter orchestration conductor.
- 17. The method of claim 1, further comprising one of: based on a determination that the first managed device is unable to fully translate the at least one first filter intent into the first filter or that the first managed device lacks capability to fully apply the first filter to the one or more network communications, initiating, by the first managed device, an error condition; or based on a determination that the at least one first filter intent does not apply to the first managed device, ignoring, by the first managed device, the at least one first filter intent.
- 18. The method of claim 17, wherein the error condition comprises sending, by the first managed device and to the network filter orchestration conductor, one or more of an error message indicating an error occurring when attempting to translate the at least one first filter intent into the first filter, an error message indicating the first managed device's inability to fully translate the at least one first filter intent into the first filter, an error message indicating an error occurring when attempting to filter the one or more network communications based on the at least one first filter intent, an error message indicating the first managed device's inability to filter the one or more network communications based on the at least one first filter intent, or an error message indicating that processing of filter rules or intent exceeds the first managed device's capability.
- 19. A system, comprising: a network filter orchestration conductor; a first computing system among a plurality of computing systems disposed in one or more networks, the first computing system comprising: at least one first processor; and a first non-transitory computer readable medium communicatively coupled to the at least one first processor, the first non-transitory computer readable medium having stored thereon computer software comprising a first set of instructions that, when executed by the at least one first processor, causes the first computing system to: receive, from the network filter orchestration conductor, a global filter-intent list comprising at least one first filter intent, wherein each first filter intent references a corresponding first filter-intent object among at least one first filter-intent object; determine, based on at least one of the global filter-intent list, the at least one first filter intent, or the at least one first filter-intent object, whether the at least one first filter intent applies to the first computing system; based on a determination that the at least one first filter intent applies to the first computing system, translate the at least one first filter intent into a first filter that is specific to a first configuration of the first computing system; and apply the first filter to one or more network communications handled by the first computing system.
- 20. A method, comprising: sending, by a network filter orchestration conductor and to a plurality of managed devices disposed in one or more networks, a global filter-intent list comprising at least one first filter intent, wherein each first filter intent references a corresponding first filter-intent object among at least one first filter-intent object, wherein sending the global filter-intent list to the plurality of managed devices comprises one of multicasting the global filter-intent list to the plurality of managed devices or providing the global filter-intent list to the plurality of managed devices via a publication/subscription system; wherein, for each managed device that determines that the at least one first filter intent applies to said managed device, the at least one first filter intent is translated into a first filter that is specific to a first configuration of said managed device, and the first filter is subsequently applied to one or more network communications handled by said managed device.
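The device-side procedure the claims lay out (verify that the list is signed by the conductor, reject a stale version, decide applicability from the referenced filter-intent object, translate the intent into a filter in the device's own configuration syntax, and raise an error condition when the intent cannot be fully translated) can be traced through in a small agent simulation. The following Python is an added example, not code from the patent or its assignee: the HMAC-signed JSON message layout, the two platform syntaxes ("nft" and "acl"), the shared `CONDUCTOR_KEY`, and the sample devices, objects and intents are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field

# Assumption: conductor and agents share one HMAC key; HMAC-SHA256 stands in for
# whatever signature scheme a real deployment uses (constructed demo key).
CONDUCTOR_KEY = b"constructed-demo-key-not-for-real-use"


def sign_list(filter_intent_list: dict) -> dict:
    """Conductor side: canonical JSON plus a signature over it."""
    body = json.dumps(filter_intent_list, sort_keys=True)
    sig = hmac.new(CONDUCTOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_list(msg: dict):
    """Agent side: return the parsed list only if the signature verifies (claim 5)."""
    expected = hmac.new(CONDUCTOR_KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        return None  # unsigned or tampered list: ignore it
    return json.loads(msg["body"])


class TranslationError(Exception):
    """The intent cannot be fully expressed on this device (claim 17)."""


@dataclass
class Agent:
    device_id: str
    platform: str  # hypothetical device configurations: "nft" or "acl"
    subnets: list  # prefixes this device serves
    version: int = 0  # version of the most recent accepted list
    cache: dict = field(default_factory=dict)  # the "first cache": version -> list
    filters: list = field(default_factory=list)  # filters currently applied
    errors: list = field(default_factory=list)  # error messages for the conductor (claim 18)

    def applies(self, obj: dict) -> bool:
        """True if the object names this device or overlaps a subnet it serves (claim 4)."""
        if self.device_id in obj.get("devices", []):
            return True
        mine = [ipaddress.ip_network(s) for s in self.subnets]
        for s in obj.get("subnets", []):
            net = ipaddress.ip_network(s)
            if any(net.subnet_of(m) or m.subnet_of(net) for m in mine):
                return True
        return False

    def translate(self, intent: dict) -> str:
        """Build a rule in this device's own syntax from a platform-neutral intent."""
        action, src = intent["action"], intent["src"]
        if self.platform == "nft" and action in ("drop", "accept"):
            return f"add rule inet filter input ip saddr {src} {action}"
        if self.platform == "acl" and action in ("drop", "accept"):
            verb = "deny" if action == "drop" else "permit"
            return f"access-list 100 {verb} ip {src} any"
        raise TranslationError(f"{self.platform} config cannot express action {action!r}")

    def receive(self, msg: dict, objects: dict) -> list:
        """Process one distributed list and return the filters built for this device."""
        lst = verify_list(msg)
        if lst is None or lst["version"] <= self.version:
            return []  # tampered, stale or replayed list (claims 5 and 6)
        self.version = lst["version"]
        if lst.get("complete"):
            self.cache.clear()  # a complete list supersedes cached incremental updates (claim 14)
        self.cache[self.version] = lst
        built = []
        for intent in lst["intents"]:
            obj = objects.get(intent["object"])
            if obj is None:
                continue  # unknown object: would be requested from conductor or a peer (claim 9)
            if not self.applies(obj):
                continue  # not for this device: ignore (claim 17)
            try:
                built.append(self.translate(intent))
            except TranslationError as exc:
                self.errors.append({"device": self.device_id, "intent": intent["id"], "error": str(exc)})
        self.filters.extend(built)
        return built


# Constructed sample data: two filter-intent objects and one signed global list.
OBJECTS = {"obj-edge": {"subnets": ["10.0.0.0/24"]}, "obj-core": {"devices": ["core-rtr"]}}
GLOBAL_LIST = {
    "version": 3,
    "complete": True,
    "intents": [
        {"id": "fi-1", "object": "obj-edge", "src": "198.51.100.0/24", "action": "drop"},
        {"id": "fi-2", "object": "obj-core", "src": "203.0.113.7/32", "action": "rate-limit"},
    ],
}
SIGNED = sign_list(GLOBAL_LIST)

if __name__ == "__main__":
    for agent in (Agent("edge1", "nft", ["10.0.0.0/24"]), Agent("core-rtr", "acl", ["10.1.0.0/16"])):
        print(agent.device_id, "built:", agent.receive(SIGNED, OBJECTS), "errors:", agent.errors)
```

Running it, the edge device builds one drop rule for the intent whose object overlaps its subnet and silently ignores the intent scoped to the core router; the core router accepts the list but records an error for the `rate-limit` action it cannot express, which is the error condition of claims 17 and 18. A list whose body has been altered after signing, or a second delivery of the same version, produces no filters at all, which is the behaviour claims 5 and 6 require before any intent is evaluated.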
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims the benefit of U.S. Provisional Application No. 63/499,409 filed May 1, 2023, entitled “Object-based Changes to Filter Intent Over Multicast or Publication/Subscription (Pub/Sub) Distribution,” which is incorporated herein by reference in its entirety.
COPYRIGHT STATEMENT
A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
FIELD
The present disclosure relates, in general, to methods, systems, and apparatuses for implementing filtering of network communications, and, more particularly, to methods, systems, and apparatuses for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution.
BACKGROUND
Distributing consistent filters across a large network is a delicate and complex challenge, and inconsistencies can lead to security blind spots. In addition to creating a weaker environment, inconsistencies can lead to unsatisfactory customer experiences (“CX”). Speed of execution can also be a factor in the defense of network elements in the event of ongoing attacks. It is with respect to this general technical environment that aspects of the present disclosure are directed.
BRIEF DESCRIPTION OF THE DRAWINGS
A further understanding of the nature and advantages of particular embodiments may be realized by reference to the remaining portions of the specification and the drawings, in which like reference numerals are used to refer to similar components. In some instances, a sub-label is associated with a reference numeral to denote one of multiple similar components. When reference is made to a reference numeral without specification to an existing sub-label, it is intended to refer to all such multiple similar components. For denoting a plurality of components, the suffixes “a” through “n” may be used, where n denotes any suitable integer number (unless it denotes the number 14, if there are components with reference numerals having suffixes “a” through “m” preceding the component with the reference numeral having a suffix “n”), and may be either the same as or different from the suffix “n” for other components in the same or different figures. For example, for component #1 X05a-X05n, the integer value of n in X05n may be the same as or different from the integer value of n in X10n for component #2 X10a-X10n, and so on.
FIG. 1 is a schematic diagram illustrating a system for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution, in accordance with various embodiments.
FIGS. 2A and 2B are schematic diagrams illustrating a non-limiting example of filter-intent list distribution and object request when implementing object-based changes to filter-intent over multicast distribution, in accordance with various embodiments.
FIGS. 3A and 3B are schematic diagrams illustrating a non-limiting example of filter-intent list distribution and object request when implementing object-based changes to filter-intent over Pub/Sub distribution, in accordance with various embodiments.
FIGS. 4A-4G are flow diagrams illustrating a method for implementing object-based changes to filter-intent over multicast or Pub/Sub distribution, in accordance with various embodiments.
FIG. 5 is a block diagram illustrating an exemplary computer or system hardware architecture, in accordance with various embodiments.
DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS
Overview
Various embodiments provide tools and techniques for implementing filtering of network communications and, more particularly, methods, systems, and apparatuses for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution. In various embodiments, a computing system (e.g., a managed device among a plurality of managed devices and/or its corresponding agent, or the like) may receive, from a network filter orchestration conductor, a global filter-intent list. The global filter-intent list may include, without limitation, at least one first filter intent, and each first filter intent may reference a corresponding first filter-intent object among at least one first filter-intent object. The computing system may determine, based on at least one of the global filter-intent list, the at least one first filter intent, or the at least one first filter-intent object, whether the at least one first filter intent applies to the first managed device. Based on a determination that the at least one first filter intent applies to the first managed device, the computing system may translate the at least one first filter intent into a first filter that is