Security association management
Abstract
A system (and method) includes a plurality of compute devices configured to execute an endpoint node and a provisioning service. The endpoint node is configured to establish an encrypted communication channel over a public network. The provisioning service is configured to retrieve configuration parameters from a database. The configuration parameters define a security association for the encrypted communication channel and include an encryption key and an identifier of an encryption algorithm. The provisioning service is configured to transmit the configuration parameters to the endpoint node for use in implementation of a security association for the encrypted communication channel.
Claims (19)
1. A system, comprising:
- a virtual network endpoint node, including a memory coupled to a processor, wherein the virtual network endpoint node is configured to provide network connectivity to a virtual network which comprises a plurality of virtual machines created by a user, and wherein the virtual network endpoint node is configured to establish an encrypted communication channel over a public network;
- a management service, including a memory coupled to a processor, wherein the management service is configured to receive a plurality of create security association application programming interface (API) calls to create security associations for the virtual network endpoint node, each create security association API call containing configuration parameters defining a security association for the encrypted communication channel, the configuration parameters including an encryption key, a valid start time, and a valid end time;
- a provisioning service, including a memory coupled to a processor, wherein at or near the valid start time of one of the create security association API calls for the virtual network endpoint node, the provisioning service is configured to transmit the configuration parameters to the virtual network endpoint node for use in implementation of a security association for the encrypted communication channel; and
- wherein the provisioning service is configured to return an acknowledgment message indicative of a successful load of the security association on the virtual network endpoint node.
(Dependent claims: 2, 3, 4, 5)
6. A system, comprising:
- an endpoint node, including a memory coupled to a processor, wherein the endpoint node is configured to establish an encrypted communication channel over a public network;
- a provisioning service, including a memory coupled to a processor, wherein the provisioning service is configured to retrieve configuration parameters from a database, the configuration parameters defining a security association for the encrypted communication channel, the configuration parameters including an encryption key and an identifier of an encryption algorithm, and wherein the provisioning service is configured to transmit the configuration parameters to the endpoint node for use in implementation of a security association for the encrypted communication channel; and
- a management service, including a memory coupled to a processor, wherein the management service is configured to store in the database configuration parameters for each of a plurality of create security association application programming interface (API) calls for the same endpoint node, wherein each of the plurality of create security association API calls contains valid start and end times for a respective security association, wherein the valid start and end times are different between the plurality of create security association API calls, and wherein, at or near the valid start time of each of the create security association API calls, the provisioning service is configured to load the configuration parameters for that create security association API call into the endpoint node.
(Dependent claims: 7, 8, 9, 10, 11, 12, 13)
14. A computer-implemented method, comprising:
- receiving an application programming interface (API) call including configuration parameters that define a security association for a secure communication channel over a network, the configuration parameters including an identifier of a virtual network endpoint node to implement the secure communication channel, a start time specifying when the security association is to be valid, and an end time;
- storing the configuration parameters of the API call in a database;
- determining that the start time has been reached, or is within a threshold time period of being reached;
- retrieving the configuration parameters from the database;
- loading the configuration parameters into a storage device of the virtual network endpoint node; and
- returning, by the virtual network endpoint node, an acknowledgment indicating the configuration parameters have been loaded.
(Dependent claims: 15, 16, 17, 18, 19)
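The three independent claims describe one control-plane flow: a management service validates and stores create-security-association API calls, a provisioning service pushes each association to the endpoint at or within a threshold of its start time, and the endpoint acknowledges the load. The following added example (illustrative code, not the patent's implementation or any vendor's product) models that flow in Python and shows the case the claims care about, several associations for the same endpoint with different, overlapping validity windows, so that a rekey rolls over without a gap. The in-memory dict standing in for the database, the 60-second lead time, the algorithm registry, the endpoint identifier and the random SA identifiers are all assumptions.

```python
"""Time-windowed security association (SA) provisioning, modelled on the
independent claims above. Added illustrative code; the dict "database",
the 60 s lead time and the algorithm registry are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Assumed algorithm registry: identifier -> required key length in bytes.
KEY_LENGTH = {"aes-128-gcm": 16, "aes-256-gcm": 32}


@dataclass(frozen=True)
class SecurityAssociation:
    sa_id: str
    endpoint_id: str
    algorithm: str
    key: bytes
    valid_start: datetime
    valid_end: datetime


class ManagementService:
    """Receives CreateSecurityAssociation API calls and stores them in the
    shared database (a dict keyed by endpoint id stands in for the DB)."""

    def __init__(self, db: dict):
        self.db = db

    def create_security_association(self, endpoint_id, algorithm, key,
                                    valid_start, valid_end) -> str:
        # Validate at the API boundary: the provisioning path trusts the DB.
        if algorithm not in KEY_LENGTH:
            raise ValueError(f"unsupported algorithm {algorithm!r}")
        if len(key) != KEY_LENGTH[algorithm]:
            raise ValueError("key length does not match algorithm")
        if valid_end <= valid_start:
            raise ValueError("valid_end must be after valid_start")
        sa = SecurityAssociation(secrets.token_hex(8), endpoint_id, algorithm,
                                 key, valid_start, valid_end)
        self.db.setdefault(endpoint_id, []).append(sa)
        return sa.sa_id


class EndpointNode:
    """Virtual network endpoint: holds loaded SAs and acks each load."""

    def __init__(self, endpoint_id: str):
        self.endpoint_id = endpoint_id
        self.loaded: dict[str, SecurityAssociation] = {}

    def load_security_association(self, sa: SecurityAssociation) -> dict:
        if sa.endpoint_id != self.endpoint_id:
            return {"sa_id": sa.sa_id, "status": "rejected"}
        self.loaded[sa.sa_id] = sa
        return {"sa_id": sa.sa_id, "status": "loaded"}

    def active_sa(self, now: datetime):
        """SA to use at `now`: of those whose window contains `now`, the one
        with the latest start, so an overlapping successor takes over as
        soon as it becomes valid."""
        live = [sa for sa in self.loaded.values()
                if sa.valid_start <= now < sa.valid_end]
        return max(live, key=lambda sa: sa.valid_start, default=None)

    def expire(self, now: datetime) -> list[str]:
        """Drop SAs whose end time has passed; returns the ids removed."""
        gone = [i for i, sa in self.loaded.items() if sa.valid_end <= now]
        for i in gone:
            del self.loaded[i]
        return gone


class ProvisioningService:
    """Polls the database and pushes each SA to its endpoint once the start
    time is reached or within `lead_time` of being reached."""

    def __init__(self, db: dict, endpoints: dict,
                 lead_time: timedelta = timedelta(seconds=60)):
        self.db, self.endpoints, self.lead_time = db, endpoints, lead_time
        self.provisioned: set[str] = set()

    def run_once(self, now: datetime) -> list[dict]:
        acks = []
        for endpoint_id, sas in self.db.items():
            for sa in sas:
                if sa.sa_id in self.provisioned or sa.valid_end <= now:
                    continue  # already loaded, or expired before it was pushed
                if sa.valid_start - now <= self.lead_time:
                    ack = self.endpoints[endpoint_id].load_security_association(sa)
                    if ack["status"] == "loaded":
                        self.provisioned.add(sa.sa_id)
                    acks.append(ack)
        return acks


def rollover_demo():
    """Constructed scenario: two SAs for one endpoint, windows overlapping by
    five minutes so the second is live before the first expires."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    db, node = {}, EndpointNode("vpn-gw-1")
    mgmt, prov = ManagementService(db), None
    prov = ProvisioningService(db, {"vpn-gw-1": node})
    sa_a = mgmt.create_security_association(
        "vpn-gw-1", "aes-256-gcm", secrets.token_bytes(32),
        t0, t0 + timedelta(hours=1))
    sa_b = mgmt.create_security_association(
        "vpn-gw-1", "aes-256-gcm", secrets.token_bytes(32),
        t0 + timedelta(minutes=55), t0 + timedelta(hours=2))
    timeline = {}  # seconds from t0 -> (loaded SA ids, active SA id)
    for offset in (-90, -30, 3000, 3270, 3360, 3660):
        now = t0 + timedelta(seconds=offset)
        prov.run_once(now)
        node.expire(now)
        active = node.active_sa(now)
        timeline[offset] = (frozenset(node.loaded), active.sa_id if active else None)
    return sa_a, sa_b, timeline
```

Running `rollover_demo()` shows the scheduling the claims describe: nothing is pushed 90 s before the first start time, the first SA is loaded 30 s before it (inside the lead time), the second SA is loaded 30 s before its own start while the first is still the active one, and once both windows overlap the endpoint switches to the newer association before the old one is expired and removed.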
Specification