Transparent inline content inspection and modification in a TCP session
Abstract
A network appliance is configured to provide inline traffic inspection for all flow through the device, to selectively intercept based on traffic content or policy, and to modify intercepted traffic content, all without connection termination and re-origination. Content modification may involve substitution of traffic content with smaller or larger content, in which case the device provides appropriate sequence number translations for acknowledgements to the endpoints. This streaming rewrite may occur on a byte-at-a-time basis, while keeping the session alive and without a need to proxy it. The appliance enables transmitted TCP data to be modified inline and then reliably delivered without the overhead of forwarding packets through a full-blown TCP stack. Rather, the approach relies upon an initiator entity's TCP stack for congestion control, as well as the receiving entity's re-transmission behavior to determine how the device manages packets internally.
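The acknowledgement deferral and sequence-number translation described above, as an added Python model that is not code from the patent or its assignee: one portion of the sender-to-receiver stream is intercepted, every input packet except the last is acknowledged to the sender, the replacement content is re-segmented into the output record, acks from the receiver are translated back into the sender's sequence space, and the withheld ack is released only once the whole output record has been acknowledged. `Segment`, `PortionRewriter`, the tiny `mss` and the assumption that the output reuses the portion's starting sequence number are mine; receiver-side retransmission handling is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes

@dataclass
class PortionRewriter:
    """One intercepted portion of the sender->receiver byte stream (hypothetical model)."""
    replacement: bytes            # content that replaces the intercepted portion
    mss: int = 4                  # constructed tiny segment size so the example reads easily
    input_record: list = field(default_factory=list)
    output_record: list = field(default_factory=list)
    held_ack: int | None = None   # ack for the last input packet, withheld from the sender
    delta: int = 0                # len(output) - len(input), known once the portion is built

    def intercept(self, packets: list[Segment]) -> tuple[list[int], list[Segment]]:
        """Record the portion, ack all but its last packet, build and return the output record."""
        self.input_record = list(packets)
        acks = [p.seq + len(p.data) for p in self.input_record[:-1]]
        last = self.input_record[-1]
        self.held_ack = last.seq + len(last.data)
        in_len = sum(len(p.data) for p in self.input_record)
        self.delta = len(self.replacement) - in_len
        seq = self.input_record[0].seq            # output reuses the portion's start sequence
        for i in range(0, len(self.replacement), self.mss):
            chunk = self.replacement[i:i + self.mss]
            self.output_record.append(Segment(seq, chunk))
            seq += len(chunk)
        return acks, list(self.output_record)

    def output_end(self) -> int:
        last = self.output_record[-1]
        return last.seq + len(last.data)

    def on_receiver_ack(self, ack: int) -> int | None:
        """Translate a receiver ack into the sender's sequence space. Acks that stop inside the
        modified portion are absorbed; the withheld ack is released once the whole output is acked."""
        if ack < self.output_end():
            return None
        if self.held_ack is not None:
            released, self.held_ack = self.held_ack, None
            return released
        return ack - self.delta

    def forward_later_data(self, seg: Segment) -> Segment:
        """Shift a post-portion sender segment into the receiver's sequence space."""
        return Segment(seg.seq + self.delta, seg.data)
```

With a 10-byte portion replaced by 12 bytes the receiver's ack 1012 maps back to the sender's 1010; with a 3-byte replacement the receiver's ack 1003 maps to the same 1010, which is why the sender never sees the size change.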
21 Claims
1. A method carried out in a device positioned between a sending entity, and a receiving entity, wherein each of the sending and receiving entities includes a TCP stack, comprising a set of operations:
- during a TCP session established between the sending entity and the receiving entity, inspecting a stream of TCP traffic;
- upon determining that a portion of the stream is to be rewritten, the portion comprising one or more input data packets received from the sending entity, placing, in an input record, the one or more input data packets comprising the portion, the one or more input data packets including a last input data packet;
- returning to the sending entity an acknowledgement for each input data packet received except for the last input data packet;
- generating, from the one or more input data packets in the input record, a modified portion of the stream, the modified portion comprising one or more output data packets to be sent to the receiving entity;
- placing in an output record the one or more output data packets;
- forwarding into the stream of TCP traffic to the receiving entity the one or more output data packets in the output record; and
- upon receipt of acknowledgements from the receiving entity for the output data packets comprising the modified portion in the output record, transmitting to the sending entity an acknowledgement of the last input data packet of the one or more input data packets comprising the portion;
- wherein the set of operations are carried out without requiring a TCP stack in the device, and without requiring termination or re-origination of a connection between the sending entity and the receiving entity;
- wherein a number of input data packets constituting the portion of the stream to be rewritten differs from a number of output data packets constituting the modified portion of the stream.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. Apparatus positioned between a first computing entity and a second computing entity, wherein each of the first and second computing entities includes a TCP stack, comprising:
- a processor;
- computer memory holding computer program instructions executed by the processor, the computer memory comprising a first memory buffer, and a second memory buffer, the computer program instructions comprising:
- program code operative during a TCP session established between the first computing entity and the second computing entity, to inspect a stream of TCP traffic;
- program code operative upon determining that a portion of the stream is to be rewritten, the portion comprising one or more input data packets, to store into the first memory buffer the one or more input data packets comprising the portion, the one or more input data packets including a last input data packet;
- program code operative to return an acknowledgement for each input data packet received except for the last input data packet;
- program code operative to generate, from the one or more input data packets, a modified portion of the stream, the modified portion comprising one or more output data packets;
- program code to store into the second memory buffer the one or more output data packets;
- program code operative to forward into the stream of TCP traffic the one or more output data packets; and
- program code operative upon receipt of acknowledgements for the output data packets comprising the modified portion to transmit to the first computing entity an acknowledgement of the last input data packet of the one or more input data packets comprising the portion;
- wherein the program code is operative without requiring a TCP stack in the apparatus, and without requiring termination or re-origination of a connection between the first and second computing entities;
- wherein a number of input data packets constituting the portion of the stream to be rewritten differs from a number of output data packets constituting the modified portion of the stream.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer program product in a non-transitory computer readable medium for use in a data processing system positioned between a first computing entity and a second computing entity, wherein each of the first and second computing entities includes a TCP stack, the computer program product holding computer program instructions executed by the data processing system, the computer program instructions comprising:
- program code operative during a TCP session established between the first computing entity and the second computing entity, to inspect a stream of TCP traffic;
- program code operative upon determining that a portion of the stream is to be rewritten, the portion comprising one or more input data packets, to store into a first memory buffer the one or more input data packets comprising the portion, the one or more input data packets including a last input data packet;
- program code operative to return an acknowledgement for each input data packet received except for the last input data packet;
- program code operative to generate, from the one or more input data packets, a modified portion of the stream, the modified portion comprising one or more output data packets;
- program code to store into a second memory buffer the one or more output data packets;
- program code operative to forward into the stream of TCP traffic the one or more output data packets; and
- program code operative upon receipt of acknowledgements for the output data packets comprising the modified portion to transmit to the first computing entity an acknowledgement of the last input data packet of the one or more input data packets comprising the portion;
- wherein the program code is operative without requiring a TCP stack in the data processing system, and without requiring termination or re-origination of a connection between the first and second computing entities;
- wherein a number of input data packets constituting the portion of the stream to be rewritten differs from a number of output data packets constituting the modified portion of the stream.

Dependent claims: 16, 17, 18, 19, 20, 21.