Security association management

US 10,516,652 B1
Filed: 02/28/2017
Issued: 12/24/2019
Est. Priority Date: 02/28/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a virtual network endpoint node, including a memory coupled to a processor, wherein the virtual network endpoint node is configured to provide network connectivity to a virtual network which comprises a plurality of virtual machines created by a user, and wherein the virtual network endpoint node is configured to establish an encrypted communication channel over a public network;

a management service, including a memory coupled to a processor, wherein the management service is configured to receive a plurality of create security association application programming interface (API) calls to create security associations for the virtual network endpoint node, each create security association API call containing configuration parameters defining a security association for the encrypted communication channel, the configuration parameters including an encryption key, a valid start time, and a valid end time;

a provisioning service, including a memory coupled to a processor, wherein at or near the valid start time of one of the create security association API calls for the virtual network endpoint node, the provisioning service is configured to transmit the configuration parameters to the virtual network endpoint node for use in implementation of a security association for the encrypted communication channel; and

wherein the provisioning service is configured to return an acknowledgment message indicative of a successful load of the security association on the virtual network endpoint node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system (and method) includes a plurality of compute devices configured to execute an endpoint node and a provisioning service. The endpoint node is configured to establish an encrypted communication channel over a public network. The provisioning service is configured to retrieve configuration parameters from a database. The configuration parameters define a security association for the encrypted communication channel and include an encryption key and an identifier of an encryption algorithm. The provisioning service is configured to transmit the configuration parameters to the endpoint node for use in implementation of a security association for the encrypted communication channel.

24 Citations

View as Search Results

19 Claims

1. A system, comprising:
- a virtual network endpoint node, including a memory coupled to a processor, wherein the virtual network endpoint node is configured to provide network connectivity to a virtual network which comprises a plurality of virtual machines created by a user, and wherein the virtual network endpoint node is configured to establish an encrypted communication channel over a public network;
  
  a management service, including a memory coupled to a processor, wherein the management service is configured to receive a plurality of create security association application programming interface (API) calls to create security associations for the virtual network endpoint node, each create security association API call containing configuration parameters defining a security association for the encrypted communication channel, the configuration parameters including an encryption key, a valid start time, and a valid end time;
  
  a provisioning service, including a memory coupled to a processor, wherein at or near the valid start time of one of the create security association API calls for the virtual network endpoint node, the provisioning service is configured to transmit the configuration parameters to the virtual network endpoint node for use in implementation of a security association for the encrypted communication channel; and
  
  wherein the provisioning service is configured to return an acknowledgment message indicative of a successful load of the security association on the virtual network endpoint node.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1 further comprising a database configured to store a plurality of records, wherein each record is configured to store, for a given security association, a security association identifier, the security association API call configuration parameters, and a corresponding status indicator for the security association.
  - 3. The system of claim 2, wherein:
    - the management service is configured to store in the security association database configuration parameters for each of the plurality of create security association API calls for the virtual network endpoint node, wherein the valid start and end times for the respective security association are different between the plurality of create security association API calls.
  - 4. The system of claim 1, wherein responsive to the acknowledgment message, the provisioning service is configured to update a status indicator in a database record to indicate that the security association is in an active state.
  - 5. The system of claim 1, wherein the configuration parameters of the create security association API calls also include at least one of:
    - a source internet protocol (IP) address, a destination IP address, an identifier of an encryption algorithm, an identifier of an authentication algorithm, an authentication key, a security parameter index, and a replay window size, wherein the valid start time in the configuration parameters indicates the time after which the encryption key is valid, the valid end time indicates the time after which the encryption key is invalid.

6. A system, comprising:
- an endpoint node, including a memory coupled to a processor, wherein the endpoint node is configured to establish an encrypted communication channel over a public network;
  
  a provisioning service, including a memory coupled to a processor, wherein the provisioning service is configured to retrieve configuration parameters from a database, the configuration parameters defining a security association for the encrypted communication channel, the configuration parameters including an encryption key and an identifier of an encryption algorithm, and wherein the provisioning service is configured to transmit the configuration parameters to the endpoint node for use in implementation of a security association for the encrypted communication channel; and
  
  a management service, including a memory coupled to a processor, wherein the management service is configured to store in the database configuration parameters for each of a plurality of create security association application programming interface (API) calls for the same endpoint node, wherein each of the plurality of create security association API calls contains valid start and end times for a respective security association, wherein the valid start and end times are different between the plurality of create security association API calls, andwherein, at or near the valid start time of each of the create security association API calls, the provisioning service is configured to load the configuration parameters for that create security association API call into the endpoint node.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The system of claim 6, wherein the configuration parameters also include an identifier of an authentication algorithm, an authentication key, a security parameter index, the valid start time indicating the time after which the encryption key is valid, the valid end time indicating the time after which the encryption key is invalid, and a replay window size.
  - 8. The system of claim 6, further comprising a management service, including a memory coupled to a processor, wherein the management service is configured to:
    - receive a create security association API call to create a security association for the endpoint node; and
      
      store the configuration parameters from the received create security association API call in the database.
  - 9. The system of claim 6, wherein the management service is configured to:
    - receive a describe security association API call that includes a security association identifier as an input argument;
      
      access the database to retrieve the record corresponding to the security association identifier; and
      
      respond to the describe security association API call with a status identifier of the corresponding security association identifier.
  - 10. The system of claim 6, wherein the management service is configured to receive a delete security association API call that includes a security association identifier as an input argument and update the record in the database corresponding to the security association identifier to specify that the security association is to be deleted, and wherein the provisioning service is configured to respond to the update to the record by transmission of a message to the endpoint node to delete its security association.
  - 11. The system of claim 6, wherein the endpoint node comprises virtual network endpoint node configured to provide network connectivity to a virtual network, wherein the virtual network comprises a plurality of virtual machines.
  - 12. The system of claim 6, wherein each load of configuration parameters defining a security association into the endpoint node overwrites previously loaded security association configuration parameters.
  - 13. The system of claim 6, wherein the provisioning service is configured to return an acknowledgment message indicative of a successful load of the configuration parameters into the endpoint node, and wherein, responsive to the acknowledgment message, the provisioning service is configured to update a status indicator in the database to indicate that the security association is in an active state.

14. A computer-implemented method, comprising:
- receiving an application programming interface (API) call including configuration parameters that define a security association for a secure communication channel over a network, the configuration parameters including an identifier of a virtual network endpoint node to implement the secure communication channel, start time specifying when the security association is to be valid, and an end time;
  
  storing the configuration parameters of the API call in a database;
  
  determining that the start time has been reached, or is within a threshold time period of being reached;
  
  retrieving the configuration parameters from the database;
  
  loading the configuration parameters into a storage device of the virtual network endpoint node; and
  
  returning, by the virtual network endpoint node, an acknowledgment indicating the configuration parameters have been loaded.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-implemented method of claim 14, wherein the configuration parameters included in the API call also include at least one of an encryption key, a seed value, a source internet protocol (IP) address, a destination IP address, an identifier of an encryption algorithm, an authentication key, an identifier of an authentication algorithm, a security parameter index, and a replay window size.
  - 16. The computer-implemented method of claim 14, further comprising:
    - responsive to the acknowledgment, updating a status indicator in the database for the indicating that the configuration parameters have been loaded into the virtual network endpoint node;
      
      receiving a describe security association API call including, as an argument, a security association identifier corresponding to the configuration parameters; and
      
      responsive to the describe security association API call, returning the status indicator from the database.
  - 17. The computer-implemented method of claim 14, wherein:
    - receiving the API call includes receiving a plurality of API calls, each received API call including a separate set of configuration parameters and each set includes the identifier of the virtual network endpoint node;
      
      before loading any of the configuration parameters in the virtual network endpoint node, storing the configuration parameters includes storing each of the sets of configuration parameters in the database;
      
      determining that the start time has been reached, or is within the threshold time period of being reached includes determining that the start of one of the sets of configuration parameters has been reached, or is within the threshold time period of being reached; and
      
      loading the configuration parameters into the virtual network endpoint node includes loading the configuration parameters containing the start time that has been reached, or is within the threshold time period of being reached.
  - 18. The computer-implemented method of claim 14, further comprising:
    - receiving a delete security association API call that includes a security association identifier as an input argument;
      
      updating the database to specify that the security association is to be deleted;
      
      responsive to the update of the database, transmitting a message to the virtual network endpoint node to delete its configuration parameters that define its security association for the secure communication channel.
  - 19. The computer-implemented method of claim 14, wherein the configuration parameters include an end time and the method further comprises:
    - determining that the end time has been reached; and
      
      transmitting a message to the virtual network endpoint node to deactivate the security association for the secure communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Hashmi, Omer, Redmon, Andrew Hemstreet
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
Lakhia, Viral S

Application Number

US15/445,459
Time in Patent Office

1,029 Days
Field of Search

713150-155
US Class Current
CPC Class Codes

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/164   at the network layer

H04L 63/168   above the transport layer

Security association management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security association management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links