Large networks service a significant number of endpoints, each of which access a sizable number of applications. This results in the definition of access control policies that are extremely lengthy and therefore difficult to render in common network elements, such as routers and switches, due to the limited amount of memory (such as ternary content-addressable memory (TCAM)) that is included in such platforms for the enforcement of policies. To address the type of challenge that was described above, various solutions are provided herein through several techniques. A first technique supports, among other things, the scaling of the access control entries (ACEs) in a network for specific deployment by converting an ACE to a route control entry. A second technique supports, among other things, the disaggregation of access control policies and the efficient distribution of their enforcement. According to this technique, access control attributes may be evaluated at different network locations to optimize scale by localizing the evaluation of matching criteria to the places in which it requires the minimum amount of state creation and maintenance. A policy may be disaggregated at the orchestrator, its components may be distributed to the different enforcement points, and a tagging mechanism may be used to unify the policy as its elements are dispersed across multiple enforcement points.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Moreno, Victor; Hooda, Sanjay; and Wood, Steve, "ACCESS CONTROL POLICY ENFORCEMENT THROUGH ROUTE-BASED MICRO-SEGMENTATION AND CONTRACT TAGS", Technical Disclosure Commons, (May 23, 2022)