(51) Int Cl.: H04L 12/24 (2006.01)



Transcription:

(12) EUROPEAN PATENT SPECIFICATION
(11) EP 1 487 11 B1
(45) Date of publication and mention of the grant of the patent: 01.07.09 Bulletin 09/27
(51) Int Cl.: H04L 12/24 (2006.01)
(21) Application number: 0406.2
(22) Date of filing: 14.04.04
(54) Labeling gateway for compartmented multi-operator network elements over a heterogeneous network
    Markierungsgateway für unterteilte Mehr-Betreiber-Netzelemente in einem heterogenen Netz
    Passerelle d'étiquettage pour des éléments de réseau compartementés multi-opérateurs dans un réseau hétérogène
(84) Designated Contracting States: DE ES FR GB IT
(30) Priority: 17.04.03 US 417117
(43) Date of publication of application: 1.12.04 Bulletin 04/1
(73) Proprietor: Alcatel Lucent, 7008 Paris (FR)
(72) Inventors: Gariador, Frederic, Ottawa, Ontario K1N 6L2 (CA); Le Moigne, Olivier, Ottawa, Ontario K2B K8 (CA); Marquet, Bertand, Ottawa, Ontario K1H 1B4 (CA)
(74) Representative: Nicolle, Olivier et al, Alcatel-Lucent Intellectual Property & Standards, 4, rue La Boétie, 7008 Paris (FR)
(56) References cited: EP-A- 1 327 934; US-B1-6 499 09; WO-A-01/0834; GRIMM R ET AL: "Security policies in OSI management: experiences from the DeTeBerkom project BMSec", Computer Networks and ISDN Systems, North Holland Publishing, Amsterdam, NL, vol. 28, no. 4, February 1996 (1996-02), pages 499-11, XP0002982, ISSN: 0169-72

Note: Within nine months of the publication of the mention of the grant of the European patent in the European Patent Bulletin, any person may give notice to the European Patent Office of opposition to that patent, in accordance with the Implementing Regulations. Notice of opposition shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).

Printed by Jouve, 7001 PARIS (FR)

Description

FIELD OF THE INVENTION

[0001] The invention relates to the field of network management and more particularly to providing a highly secure Network Management System for a network of heterogeneous Network Elements through compartmentalization and virtualization techniques.

BACKGROUND OF THE INVENTION

[0002] Earlier systems and methods introduce the use of mandatory access control to enforce strong compartmentalization between operators of a Network Management System. They also propose mechanisms to carry information about compartmentalization through the network, thereby allowing extension of the compartmentalization to a set of hosts.

[0003] Such mechanisms are highly relevant to Network Management Systems, as they can be used to transparently extend compartments defined for operators in the Network Management System to the whole network. This extension enables implementation of strong information flow control between operators, each operator being provided, through service virtualization, with a specific view of the network.

[0004] The invention disclosed in the co-pending US Application 03/013738 A1 describes the use of a compartmentalized Operating System to increase the security of a Network Management Infrastructure, especially when it addresses a multi-operator environment.

[0005] Several standards exist to carry information related to compartmentalization with the traffic. The CIPSO (Commercial Internet Protocol Security Option), for example, communicates security information within and between different security domains. It provides for multiple security domains utilizing a single software environment. Another example of these standards would be FIPS 188, which also supports a large number of compartments. Furthermore, several operating systems claim compliance with these standards (e.g., SELinux and Trusted Solaris).

[0006] Despite the existence of standards, interoperability between different systems that claim to implement those standards is not guaranteed. As a result, compartmentalization through the network often requires the use of similar Operating Systems.

[0007] This constraint is not acceptable in the scope of a Network Management System. Networks are often made of a large variety of heterogeneous Network Elements (e.g., from different vendors). It is not reasonable to expect these Network Elements to be built on top of a set of Operating Systems that implement compatible network compartmentalization mechanisms. For example, some Network Elements might be built on top of operating systems that provide non-interoperable network compartmentalization mechanisms: compartmentalization techniques could differ from one system to another. Other Network Elements might be built on top of standard operating systems that do not provide compartmentalization features. Furthermore, even systems that implement compartmentalization do not always support the service virtualization needed to provide each operator with a specific view of the network according to the operator's compartment.

[0008] The lack of compartmentalization on one of the two hosts involved in a communication, the implementation of different network compartmentalization techniques on these two hosts, and the implementation of similar network compartmentalization techniques configured with inconsistent compartment definitions are the main sources of incompatibility. Consequently, service virtualization and compartmentalization through a managed network become difficult to achieve because of the heterogeneous nature of such a network, which leads to interoperability problems.

[0009] These limitations call for a network scheme that allows the integration of different network compartmentalization techniques within a network while providing interoperability between the miscellaneous elements of that network.

[0010] WO 0834 discloses a method and system for providing an environment allowing agents to function on a set of devices having resources, the environment providing services allowing agents access to resources. Each agent has an associated permission list indicating which services the agent may access. Each agent may move from an environment on one device on a network to an environment on another device.

[0011] US 649909 discloses a network element for a communications network, particularly for a synchronous digital communications system. It comprises a controller which contains a processor for executing an access request, a memory in which managed objects are stored, and an access unit for receiving the access request. The controller controls the network element by means of the managed objects. The managed objects are images of the static and dynamic properties of resources of the network element. The memory stores a service profile which contains information about access rights to the managed objects. Before executing the access request, the processor checks whether the access rights to the managed objects needed to execute the access request are present. This permits more flexible and less error-prone management of the access rights to managed objects, particularly during communication between managed objects.

SUMMARY OF THE INVENTION

[0012] To overcome the limitations of the prior art described above, and to overcome other limitations that will become apparent upon reading and understanding the present specification, the present invention accordingly implements compartmentalization and virtualization techniques.

[0013] The present invention provides the advantage of allowing the integration of different network compartmentalization techniques within a network while providing interoperability between the miscellaneous elements of that network.

[0014] The present invention enables service virtualization on a system that does not natively implement this concept. It does so by introducing a generic mediation layer that can be added to each Network Element that does not provide a network compartmentalization model compatible with the one used by the Network Management System. The mediation layer acts as a reverse proxy to provide an operator with transparent access to an appropriate Management Service.

[0015] The present invention allows, through compartmentalization, the provision of the high level of security required for a hybrid network: ample security is needed for a network composed of heterogeneous Network Elements supporting different network compartmentalization techniques.

BRIEF DESCRIPTION OF THE DRAWINGS

[0016] In order that the invention may be more clearly understood, a prior art device and devices according to the present invention will now be described with reference to the accompanying drawings, in which: Figure 1 shows an example illustrating the prior art system; Figure 2 is a block diagram outlining the functionality of the disclosed invention; and Figure 3 echoes figure 1 to accentuate the main difference between the prior art and the disclosed invention.

DETAILED DESCRIPTION OF THE INVENTION

[0017] The following description is presented to enable a person skilled in the art to make use of the invention and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the scope of the present invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the claims.

[0018] As exemplified in figure 1, existing systems require homogeneous compartmentalization techniques. Only two compartments, compartment A 1 and compartment B 2, are employed to illustrate the purpose of this example. A network 0 comprises a Network Management System 3, a Network Element 4, and channels of communication between the two. For a network 0 to be managed effectively, it is usually compartmentalized, with each compartment comprising elements similar to the ones mentioned above: compartment A 1 has its own compartment management system 6, its own compartment element 7, and its own channels of communication 8. The same applies to compartment B 2.

[0019] The management system 6 of compartment A can only manage the element 7 of that compartment. A management connection from the management system 6 of compartment A 1 traverses the channels 8 of that compartment to administer the element 7 of the same compartment. For a management connection from compartment A 1 to administer the element 1 of compartment B 2, the element 7 of compartment A 1 and the element 1 of compartment B 2 must be built on top of a set of operating systems that implement compatible network compartmentalization mechanisms.

[0020] The invention of this application provides a solution to the aforementioned interoperability problem based on a Labeling Conversion Gateway (hereinafter referred to as LCG). The LCG addresses the compatibility issues that contemporary Network Management Systems fail to deal with sufficiently by offering adequate service virtualization and compartmentalization in Network Management Systems for heterogeneous Network Elements, so as to provide interoperability. It is also instrumental in providing a high level of security in such hybrid networks.

[0021] The LCG is a generic mediation layer that can be added to each Network Element that does not provide a network compartmentalization model compatible with the one used by the Network Management System. The LCG acts as a reverse proxy for the Network Management System to provide an operator with transparent access to an appropriate Management Service.

[0022] As shown in figure 2, in a network 0, the LCG 3 is integrated into the Network Element 1, and it deflects all of the incoming management connections from the Network Management System 2 to that Network Element 1. After receiving the management connection, the LCG 3 maps it to the appropriate Management Service 6. The LCG 3 then relays the management connection to the Management Service 6, thereby providing the operator 7 with management access to the Network Element 1.

[0023] For an efficient implementation of the invention, it is required that the Management Services 6 be accessible only through the LCG 3. One way to achieve this would be to bind a management service to a loop-back interface that cannot be accessed directly from a remote system. The loop-back interface and its alternatives are considered to be well known to a person skilled in the art.

[0024] Networks are inherently susceptible to attack by exploitation of security weaknesses in network protocols and infrastructure components. By constraining all of the incoming management connections to access their Management Services 6 through the LCG 3, the present invention provides a level of network security: the LCG 3 monitors and authorizes (by using labeling information, for example) all management connections before granting access to the Management Services 6.

[0025] The mapping between the incoming connection and the appropriate Management Service 6 is defined by a Labeling Conversion Policy 4 (hereinafter referred to as LCP), which is stored in a database on the Network Element 1. Incoming connections are mapped according to any of the following: the IP source address, the IP destination address, the transport protocol used (TCP, UDP or both), the TCP or UDP destination port, or the labeling information contained in IP options.

[0026] A connection that matches an entry of the LCP 4 is relayed to the appropriate Management Service 6 by the LCG 3 according to the LCP 4. The LCP 4 can specify changes to the following information in the incoming connection: the IP destination address, the TCP or UDP destination port, and the labeling information contained in IP options. A connection that does not match an entry of the Labeling Conversion Policy is left unchanged.

[0027] To further clarify the present invention, figure 3 is presented, in combination with figure 1, to depict the main difference between the prior art and the disclosed invention. To mirror the illustration of figure 1, only two compartments are employed in this example: compartment A 1 and compartment B 2.

[0028] A management connection from the management system 3 of compartment A 1 traverses the channels 4 of that compartment to reach the LCG 3, which is integrated into the Network Element 1. After the incoming management connection has been mapped in accordance with the LCP 4, which is also stored on the Network Element 1, the management connection can be relayed to any Management Service 6.
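As an added worked example (not code from the patent or from the proprietor), the following Python sketches how an LCG could evaluate the Labeling Conversion Policy of paragraphs [0025]-[0026]: each LCP entry matches on source/destination address, transport protocol, destination port and the labeling information carried in an IP option, and a matching entry rewrites the destination address, port and label before the connection is relayed to a Management Service bound to loop-back ([0023]); a connection matching no entry is left unchanged. The CIPSO option layout used for the label (option type 134, a 32-bit DOI, then a tag-type-1 bitmapped-categories tag), the first-match rule, and all addresses, ports and label values in the sample policy are assumptions constructed for this illustration.

```python
"""Labeling Conversion Policy (LCP) evaluation for a Labeling Conversion Gateway.
Added illustration of paragraphs [0025]-[0026]; not code from the patent."""
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

CIPSO_OPTION_TYPE = 134  # IP option type for CIPSO (assumed layout: CIPSO draft / FIPS 188)


@dataclass(frozen=True)
class Label:
    """Labeling information carried in IP options: DOI, sensitivity level, category set."""
    doi: int
    level: int
    categories: FrozenSet[int]


def build_cipso(label: Label) -> bytes:
    """Encode a Label as a CIPSO option with a single tag-type-1 (bitmapped categories) tag."""
    nbytes = max(label.categories) // 8 + 1 if label.categories else 0
    bitmap = bytearray(nbytes)
    for cat in label.categories:
        bitmap[cat // 8] |= 0x80 >> (cat % 8)  # leftmost bit of the map is category 0
    tag = bytes([1, 4 + nbytes, 0, label.level]) + bytes(bitmap)
    body = label.doi.to_bytes(4, "big") + tag
    return bytes([CIPSO_OPTION_TYPE, 2 + len(body)]) + body


def parse_cipso(option: bytes) -> Optional[Label]:
    """Decode a CIPSO option; None for anything malformed, so a bad label never matches."""
    if len(option) < 10 or option[0] != CIPSO_OPTION_TYPE or option[1] != len(option):
        return None
    doi = int.from_bytes(option[2:6], "big")
    tag = option[6:]
    if tag[0] != 1 or not 4 <= tag[1] <= len(tag):
        return None
    cats = frozenset(i * 8 + b for i, byte in enumerate(tag[4:tag[1]])
                     for b in range(8) if byte & (0x80 >> b))
    return Label(doi, tag[3], cats)


@dataclass(frozen=True)
class Connection:
    """Incoming management connection as seen by the LCG on the Network Element."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int
    label: Optional[Label] = None


@dataclass(frozen=True)
class LCPEntry:
    """One LCP entry: match fields (None = wildcard, proto "both" = tcp or udp)
    and the rewrites the LCG applies when relaying to a Management Service."""
    src: Optional[str] = None  # CIDR of the management system
    dst: Optional[str] = None  # CIDR of the NE's management address
    proto: str = "both"
    dport: Optional[int] = None
    label: Optional[Label] = None
    new_dst: Optional[str] = None
    new_dport: Optional[int] = None
    new_label: Optional[Label] = None

    def matches(self, c: Connection) -> bool:
        for want, have in ((self.src, c.src), (self.dst, c.dst)):
            if want and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        if self.proto != "both" and self.proto != c.proto:
            return False
        if self.dport is not None and self.dport != c.dport:
            return False
        return self.label is None or self.label == c.label


def apply_lcp(conn: Connection, policy: List[LCPEntry]) -> Connection:
    """First matching entry rewrites the connection; no match leaves it unchanged
    (and since services bind only to loop-back, an unchanged connection reaches none)."""
    for entry in policy:
        if entry.matches(conn):
            return replace(conn, dst=entry.new_dst or conn.dst,
                           dport=entry.new_dport or conn.dport,
                           label=entry.new_label or conn.label)
    return conn


# Constructed sample: two operator compartments (A, B) managing one NE at 192.0.2.10.
LABEL_A = Label(doi=1, level=1, categories=frozenset({0}))
LABEL_B = Label(doi=1, level=1, categories=frozenset({1}))
SAMPLE_LCP = [
    LCPEntry(src="10.1.0.0/16", dst="192.0.2.10/32", proto="tcp", dport=830,
             label=LABEL_A, new_dst="127.0.0.1", new_dport=18301),
    LCPEntry(src="10.2.0.0/16", dst="192.0.2.10/32", proto="tcp", dport=830,
             label=LABEL_B, new_dst="127.0.0.1", new_dport=18302),
]


def relay(src: str, dport: int, option: bytes) -> Connection:
    """What the LCG would relay for a TCP connection to the NE carrying the given IP option."""
    conn = Connection(src, "192.0.2.10", "tcp", dport, parse_cipso(option))
    return apply_lcp(conn, SAMPLE_LCP)


if __name__ == "__main__":
    print(relay("10.1.4.4", 830, build_cipso(LABEL_A)))  # relayed to 127.0.0.1:18301
    print(relay("10.1.4.4", 830, build_cipso(LABEL_B)))  # label does not fit source: unchanged
```

The design point worth noticing is that matching is an all-fields conjunction: a connection from compartment A's address range carrying compartment B's label matches neither entry and is left pointing at the NE's public address, where nothing listens once the Management Services are bound to loop-back, so label mismatches fail closed without the LCG needing an explicit deny rule.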
[0029] The scheme described above can be built into Network Elements during production or added on to existing Network Elements that do not natively implement this concept.

Claims

1. A method of providing an operator (7) of a compartmentalized network management system, NMS (2), with access to a management service of a network element, NE (1), that does not provide a network compartmentalization model compatible with the one of the NMS, characterized in that it comprises the steps of:
- providing said network element, NE (1), with a label conversion gateway, LCG (3);
- mapping, by the LCG, an incoming management connection to said management service (6) according to a policy; and
- relaying said incoming management connection to said management service (6).

2. The method of claim 1, wherein the mapping step further comprises mapping said incoming management connection according to any one of the following or any combination thereof:
a) the IP address of the source of said incoming management connection;
b) the IP address of the destination of said incoming management connection;
c) the transport protocol of said incoming management connection;
d) the TCP destination port of said incoming management connection;
e) the UDP destination port of said incoming management connection; or
f) the labeling information contained in IP options.

3. The method of claim 1, wherein a mediator (3) on said network element (1) relays said incoming management connection to said management service (6).

4. The method of claim 3, wherein said mediator (3) relays said incoming management connection making required changes to any one of the following or any combination thereof:
a) the IP address of the destination of said incoming management connection;
b) the TCP destination port of said incoming management connection;
c) the UDP destination port of said incoming management connection; or
d) the labeling information contained in IP options.

5. The method of claim 4, wherein said changes required by said mediator (3) to relay said incoming management connection are specified in said policy (4).

6. The method of claim 3, wherein said management service (6) is accessible only through said mediator (3).

7. The method of claim 1, wherein said policy (4) is stored on said network element (1).

8. A compartmentalized network management system, NMS (2), providing an operator (7) with access to a management service of a network element, NE (1), that does not provide a network compartmentalization model compatible with the one of the NMS, characterized in that it comprises:
- a label conversion gateway, LCG (3), provided for said network element, NE (1), said LCG being able to map an incoming management connection to said management service (6) according to a policy; and
- means to relay said incoming management connection to said management service (6).

9. The system of claim 8, wherein said LCG further comprises means to map said incoming management connection according to any one of the following or any combination thereof:
a) the IP address of the source of said incoming management connection;
b) the IP address of the destination of said incoming management connection;
c) the transport protocol of said incoming management connection;
d) the TCP destination port of said incoming management connection;
e) the UDP destination port of said incoming management connection; or
f) the labeling information contained in IP options.

10. The system of claim 8, further comprising a mediator (3) on said network element (1) to relay said incoming management connection to said management service (6).

11. The system of claim, wherein said mediator (3) comprises means to make required changes to any one of the following or any combination thereof:
a) the IP address of the destination of said incoming management connection;
b) the TCP destination port of said incoming management connection;
c) the UDP destination port of said incoming management connection; or
d) the labeling information contained in IP options.

12. The system of claim 11, comprising means to verify that said changes are specified in said policy (4).

13. The system of claim, further comprising means to deny access to said management service (6) unless said access is through said mediator (3).

14. The system of claim 8, wherein said network element (1) comprises means to store said policy (4).

REFERENCES CITED IN THE DESCRIPTION

This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description:
- US 013738 A1 [0004]
- WO 0834 A [0010]
- US 649909 B [0011]