Collision prevention in secure connection establishment

US 10,432,675 B2
Filed: 04/17/2017
Issued: 10/01/2019
Est. Priority Date: 04/17/2017
Status: Active Grant

First Claim

Patent Images

1. A method for reducing failed secure connections in a network, by preventing collisions by increasing acceptance of secure connection requests during pendency of other network secure connection requests, the method comprising:

a network node X sending an X-to-Y secure connection request toward a network node Y;

network node X receiving a Y-to-X secure connection request from network node Y while the X-to-Y secure connection request sent by network node X is pending, namely, after network node X has sent the X-to-Y secure connection request and before network node X has received from network node Y and processed a response to the X-to-Y secure connection request and a maximum predetermined time that network node X will wait for that response has not elapsed;

network node X sending toward network node Y an acceptance of the Y-to-X secure connection request, instead of network node X rejecting the Y-to-X secure connection request because the X-to-Y secure connection request is still pending;

network node X communicating with network node Y to establish a security association between network node X and network node Y, the security association based at least partially on information in the Y-to-X secure connection request, wherein the method is further characterized in at least one of the following ways;

the X-to-Y secure connection request is part of a first INIT phase, namely, an INIT phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second INIT phase, namely, an INIT phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation;

orthe X-to-Y secure connection request is part of a first AUTH phase, namely, an AUTH phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second AUTH phase, namely, an AUTH phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To reduce network connectivity downtime while connections are established or re-established after maintenance, a connection request that would be rejected is instead accepted, even though a corresponding outgoing request is still pending. In some cases, the connection request is a secure connection request, such as an INIT phase request or an AUTH phase request during an Internet Key Exchange protocol exchange. Single-ended and double-ended configurations are both presented. When colliding INIT attempts succeed, two results are produced, after which one may be selected and the other discarded. Alternately, both INIT results may be used in producing two security associations during a subsequent AUTH phase. Incoming traffic and outgoing traffic may then use respective security associations.

19 Citations

20 Claims

1. A method for reducing failed secure connections in a network, by preventing collisions by increasing acceptance of secure connection requests during pendency of other network secure connection requests, the method comprising:
- a network node X sending an X-to-Y secure connection request toward a network node Y;
  
  network node X receiving a Y-to-X secure connection request from network node Y while the X-to-Y secure connection request sent by network node X is pending, namely, after network node X has sent the X-to-Y secure connection request and before network node X has received from network node Y and processed a response to the X-to-Y secure connection request and a maximum predetermined time that network node X will wait for that response has not elapsed;
  
  network node X sending toward network node Y an acceptance of the Y-to-X secure connection request, instead of network node X rejecting the Y-to-X secure connection request because the X-to-Y secure connection request is still pending;
  
  network node X communicating with network node Y to establish a security association between network node X and network node Y, the security association based at least partially on information in the Y-to-X secure connection request, wherein the method is further characterized in at least one of the following ways;
  
  the X-to-Y secure connection request is part of a first INIT phase, namely, an INIT phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second INIT phase, namely, an INIT phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation;
  
  orthe X-to-Y secure connection request is part of a first AUTH phase, namely, an AUTH phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second AUTH phase, namely, an AUTH phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation.
- View Dependent Claims (2, 3, 4, 5, 13, 14)
- - 2. The method of claim 1, further comprising network node X receiving from network node Y an acceptance of the X-to-Y secure connection request.
  - 3. The method of claim 2, further comprising network node X communicating with network node Y to establish a security association between network node X and network node Y, the security association based at least partially on information in the X-to-Y secure connection request.
  - 4. The method of claim 1, further comprising:
    - network node X selecting an INIT phase secure connection result from among at least two INIT phase secure connection results, one of the INIT phase secure connection results based at least partially on information in the Y-to-X secure connection request, another of the INIT phase secure connection results based at least partially on information in the X-to-Y secure connection request; and
      
      thennetwork node X using the selected INIT phase secure connection result in a subsequent AUTH phase secure connection exchange with network node Y.
  - 5. The method of claim 1, further comprising:
    - network node X employing a first security association for outgoing traffic to network node Y; and
      
      network node X employing a second security association for incoming traffic from network node Y.
  - 13. The method of claim 1, wherein at least one of network node X and network node Y is part of a cloud network.
  - 14. The method of claim 1, wherein the connection requests occur within at least one of the following:
    - one or more Internet Key Exchange v1 exchanges, one or more Internet Key Exchange v2 exchanges, one or more Kerberized Internet Negotiation of Keys exchanges.

6. A computing system equipped with secure connection request collision prevention technology for preventing collisions by increasing acceptance of secure connection requests during pendency of other network secure connection requests, the computing system comprising:
- at least two network nodes, designated here as node X and node Y, each said node respectively comprising;
  
  at least one processor;
  
  a memory in operable communication with the processor; and
  
  secure connection software residing at least partially in the memory and at least partially executable with the processor;
  
  wherein a secure connection request sent by one of the nodes is considered to be pending when (a) no response to the secure connection request has been received and processed by the node which sent the secure connection request, and (b) a maximum predetermined time that the node will wait for such a response has not elapsed;
  
  wherein the secure connection software of at least one of the network nodes provides a functionality enhancement of a security protocol implementation, the enhancement allowing the network node to accept a secure connection request initiated by another node even though the accepting node'"'"'s own secure connection request to that other node is still pending; and
  
  wherein the enhancement provides at least one of the following;
  
  collision prevention technology which accepts an incoming Internet Key Exchange INIT phase secure connection request from another node at an accepting node during pendency of the accepting node'"'"'s own outgoing Internet Key Exchange INIT phase secure connection request to the other node;
  
  collision prevention technology which accepts an incoming Internet Key Exchange AUTH phase secure connection request from another node at an accepting node during pendency of the accepting node'"'"'s own outgoing Internet Key Exchange AUTH phase secure connection request to the other node.
- View Dependent Claims (7, 8, 9, 10, 18, 19, 20)
- - 7. The computing system of claim 6, wherein the enhancement is provided on node X, and the enhancement is not provided on node Y.
  - 8. The computing system of claim 6, wherein the enhancement is provided both on node X and on node Y.
  - 9. The computing system of claim 6, wherein node X is part of a cloud network and node Y is part of an on-premises network.
  - 10. The computing system of claim 6, wherein the secure connection software of node X upon execution performs at least the following:
    - node X selects an INIT phase secure connection result from among at least two INIT phase secure connection results, one of the INIT phase secure connection results based at least partially on information in a Y-to-X secure connection request, another of the INIT phase secure connection results based at least partially on information in an X-to-Y secure connection request; and
      
      thennode X uses the selected INIT phase secure connection result in a subsequent AUTH phase secure connection exchange with node Y.
  - 18. The computing system of claim 6, wherein the secure connection software of node X upon execution performs at least as follows:
    - node X employs a first security association for outgoing traffic to network node Y; and
      
      node X employs a second security association for incoming traffic from network node Y.
  - 19. The computing system of claim 6, further characterized in that the connection requests occur within at least one of the following:
    - one or more Internet Key Exchange v1 exchanges, one or more Internet Key Exchange v2 exchanges, one or more Kerberized Internet Negotiation of Keys exchanges.
  - 20. The computing system of claim 6, further characterized in that at least one of the network nodes operates as a server.

11. A computer-readable storage medium configured with instructions which upon execution by one or more processors perform a method for preventing collisions by increasing acceptance of connection requests during pendency of other network connection requests, the method comprising:
- a network node X sending an X-to-Y connection request toward a network node Y;
  
  network node X receiving a Y-to-X connection request from network node Y while the X-to-Y connection request sent by network node X is pending, namely, after network node X has sent the X-to-Y connection request and before network node X has received from network node Y and processed a response to the X-to-Y connection request and a maximum predetermined time that network node X will wait for that response has not elapsed;
  
  network node X sending toward network node Y an acceptance of the Y-to-X connection request, instead of network node X rejecting the Y-to-X connection request because the X-to-Y connection request is still pending; and
  
  network node X communicating with network node Y over a connection which has been established based at least in part on the Y-to-X connection request, said communicating including network node X transmitting application or end-user data to network node Y or network node X receiving application or end-user data from network node Y, or network node X both transmitting and receiving such data;
  
  wherein said communicating occurs without network node X and network node Y first undergoing a timeout and retry operation which would have occurred if network node X had not sent network node Y an acceptance of the Y-to-X connection request; and
  
  wherein the method is further characterized in at least one of the following ways;
  
  the X-to-Y secure connection request is part of a first INIT phase, namely, an INIT phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second INIT phase, namely, an INIT phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation;
  
  orthe X-to-Y secure connection request is part of a first AUTH phase, namely, an AUTH phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second AUTH phase, namely, an AUTH phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation.
- View Dependent Claims (12, 15, 16, 17)
- - 12. The configured computer-readable storage medium of claim 11, wherein network node X is part of a cloud network and the connection requests occur after cloud software maintenance operations and restarting or rebooting networking software in the cloud network.
  - 15. The configured computer-readable storage medium of claim 11, wherein the method is further characterized in that node X employs a first security association for outgoing traffic to network node Y, and node X employs a second security association for incoming traffic from network node Y.
  - 16. The configured computer-readable storage medium of claim 11, wherein the method further comprises:
    - network node X selecting an INIT phase secure connection result from among at least two INIT phase secure connection results; and
      
      thennetwork node X using the selected INIT phase secure connection result in a subsequent AUTH phase secure connection exchange with network node Y.
  - 17. The configured computer-readable storage medium of claim 11, wherein the method is further characterized in that the connection requests occur within at least one of the following:
    - one or more Internet Key Exchange v1 exchanges, one or more Internet Key Exchange v2 exchanges, one or more Kerberized Internet Negotiation of Keys exchanges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Nandoori, Ashok, Tiwari, Abhishek
Primary Examiner(s)
Tang, Karen C

Application Number

US15/488,822
Publication Number

US 20180302448A1
Time in Patent Office

897 Days
Field of Search

709224
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

H04L 63/205   involving negotiation or de...

H04L 65/1069   Session establishment or de...

Collision prevention in secure connection establishment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Collision prevention in secure connection establishment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links