Collision prevention in secure connection establishment
First Claim
1. A method for reducing failed secure connections in a network, by preventing collisions by increasing acceptance of secure connection requests during pendency of other network secure connection requests, the method comprising:
- a network node X sending an X-to-Y secure connection request toward a network node Y;
- network node X receiving a Y-to-X secure connection request from network node Y while the X-to-Y secure connection request sent by network node X is pending, namely, after network node X has sent the X-to-Y secure connection request and before network node X has received from network node Y and processed a response to the X-to-Y secure connection request and a maximum predetermined time that network node X will wait for that response has not elapsed;
- network node X sending toward network node Y an acceptance of the Y-to-X secure connection request, instead of network node X rejecting the Y-to-X secure connection request because the X-to-Y secure connection request is still pending;
- network node X communicating with network node Y to establish a security association between network node X and network node Y, the security association based at least partially on information in the Y-to-X secure connection request, wherein the method is further characterized in at least one of the following ways:
  - the X-to-Y secure connection request is part of a first INIT phase, namely, an INIT phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second INIT phase, namely, an INIT phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation;
  - or the X-to-Y secure connection request is part of a first AUTH phase, namely, an AUTH phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second AUTH phase, namely, an AUTH phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation.
Abstract
To reduce network connectivity downtime while connections are established or re-established after maintenance, a connection request that would be rejected is instead accepted, even though a corresponding outgoing request is still pending. In some cases, the connection request is a secure connection request, such as an INIT phase request or an AUTH phase request during an Internet Key Exchange protocol exchange. Single-ended and double-ended configurations are both presented. When colliding INIT attempts succeed, two results are produced, after which one may be selected and the other discarded. Alternately, both INIT results may be used in producing two security associations during a subsequent AUTH phase. Incoming traffic and outgoing traffic may then use respective security associations.
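As an added illustration that is not the patent's own code, the following Python model replays the INIT collision described in the abstract: two IKE peers whose INIT requests cross on the wire, compared under a reject-while-pending policy and under the accept-while-pending enhancement, followed by the two options the abstract names for the pair of INIT results (select one and discard the other, or use both as per-direction security associations). The message shapes, RETRY_DELAY and the tie-break rule are assumptions made for the example.

```python
"""Constructed model of colliding IKE INIT requests (not the patent's implementation)."""
from dataclasses import dataclass, field

RETRY_DELAY = 5.0  # assumed: seconds lost to the timeout-and-retry a rejection forces


@dataclass
class Node:
    name: str
    accept_while_pending: bool            # the enhancement the patent describes
    pending: set = field(default_factory=set)   # peers to which our own INIT is outstanding

    def send_init(self, peer):
        """Initiator side: record our INIT as pending until a response arrives."""
        self.pending.add(peer.name)
        return {"type": "INIT", "from": self.name, "to": peer.name}

    def handle_init(self, msg):
        """Responder side: a plain implementation rejects a peer's INIT while its own
        INIT to that peer is pending; the enhanced node accepts it instead."""
        if msg["from"] in self.pending and not self.accept_while_pending:
            return {"type": "REJECT", "from": self.name, "to": msg["from"]}
        return {"type": "INIT_RESP", "from": self.name, "to": msg["from"]}


def run_collision(accept_while_pending):
    """Both nodes send INIT in the same round, so each receives the other's INIT
    while its own is pending. Returns the (Initiator, Responder) pairs that completed."""
    x = Node("X", accept_while_pending)
    y = Node("Y", accept_while_pending)
    inits = [x.send_init(y), y.send_init(x)]                 # the two INITs cross
    replies = [y.handle_init(inits[0]), x.handle_init(inits[1])]
    init_results = [(r["to"], r["from"]) for r in replies if r["type"] == "INIT_RESP"]
    downtime = 0.0 if init_results else RETRY_DELAY          # rejection => timeout + retry
    return {"init_results": init_results, "downtime": downtime}


def select_one(init_results):
    """Option 1 from the abstract: keep one INIT result, discard the other.
    Tie-break by lexically smallest Initiator name is an assumption."""
    return min(init_results)


def two_sas(node, init_results):
    """Option 2 from the abstract: carry both INIT results into AUTH and use one
    security association per traffic direction at the given node."""
    outbound = next(r for r in init_results if r[0] == node)  # node was Initiator
    inbound = next(r for r in init_results if r[1] == node)   # node was Responder
    return {"outbound": outbound, "inbound": inbound}
```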
20 Claims
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 13, 14.
6. A computing system equipped with secure connection request collision prevention technology for preventing collisions by increasing acceptance of secure connection requests during pendency of other network secure connection requests, the computing system comprising:
- at least two network nodes, designated here as node X and node Y, each said node respectively comprising:
  - at least one processor;
  - a memory in operable communication with the processor; and
  - secure connection software residing at least partially in the memory and at least partially executable with the processor;
- wherein a secure connection request sent by one of the nodes is considered to be pending when (a) no response to the secure connection request has been received and processed by the node which sent the secure connection request, and (b) a maximum predetermined time that the node will wait for such a response has not elapsed;
- wherein the secure connection software of at least one of the network nodes provides a functionality enhancement of a security protocol implementation, the enhancement allowing the network node to accept a secure connection request initiated by another node even though the accepting node's own secure connection request to that other node is still pending; and
- wherein the enhancement provides at least one of the following:
  - collision prevention technology which accepts an incoming Internet Key Exchange INIT phase secure connection request from another node at an accepting node during pendency of the accepting node's own outgoing Internet Key Exchange INIT phase secure connection request to the other node;
  - collision prevention technology which accepts an incoming Internet Key Exchange AUTH phase secure connection request from another node at an accepting node during pendency of the accepting node's own outgoing Internet Key Exchange AUTH phase secure connection request to the other node.
Dependent claims: 7, 8, 9, 10, 18, 19, 20.
11. A computer-readable storage medium configured with instructions which upon execution by one or more processors perform a method for preventing collisions by increasing acceptance of connection requests during pendency of other network connection requests, the method comprising:
- a network node X sending an X-to-Y connection request toward a network node Y;
- network node X receiving a Y-to-X connection request from network node Y while the X-to-Y connection request sent by network node X is pending, namely, after network node X has sent the X-to-Y connection request and before network node X has received from network node Y and processed a response to the X-to-Y connection request and a maximum predetermined time that network node X will wait for that response has not elapsed;
- network node X sending toward network node Y an acceptance of the Y-to-X connection request, instead of network node X rejecting the Y-to-X connection request because the X-to-Y connection request is still pending; and
- network node X communicating with network node Y over a connection which has been established based at least in part on the Y-to-X connection request, said communicating including network node X transmitting application or end-user data to network node Y or network node X receiving application or end-user data from network node Y, or network node X both transmitting and receiving such data;
- wherein said communicating occurs without network node X and network node Y first undergoing a timeout and retry operation which would have occurred if network node X had not sent network node Y an acceptance of the Y-to-X connection request; and
- wherein the method is further characterized in at least one of the following ways:
  - the X-to-Y secure connection request is part of a first INIT phase, namely, an INIT phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second INIT phase, namely, an INIT phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation;
  - or the X-to-Y secure connection request is part of a first AUTH phase, namely, an AUTH phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second AUTH phase, namely, an AUTH phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation.
Dependent claims: 12, 15, 16, 17.