Secure communication session resumption in a service function chain
First Claim
1. A method comprising:
receiving, at a first Service Function (SF) node, a request to establish a Transport Layer Security (TLS) session, the first SF node being one of a plurality of SF nodes communicatively coupled to a Service Function Forwarder (SFF);
generating a Pre-Shared Key (PSK) and a PSK identifier, the PSK and the PSK identifier uniquely corresponding to the first SF node and the TLS session;
forwarding the PSK identifier to the SFF and/or one or more of the plurality of SF nodes, the forwarding including encapsulating the PSK identifier in Network Service Header (NSH) metadata;
receiving a connection request from a client device, the client device having previously disconnected from the TLS session;
determining the connection request contains the PSK identifier;
selecting a second SF node and using the PSK to re-establish the TLS session between the client device and the second SF node; and
using an NSH Metadata-Type 2 Type Length Value (NSH MD-Type 2 TLV) to indicate a Quick UDP Internet Connections (QUIC) connection has been closed with the SFF and/or the plurality of SF nodes.
Abstract
A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A connection request to resume the TLS session is then received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.
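The exchange the abstract and claim 1 describe, as an added example that is not part of the patent or of any product it covers: a first SF node mints a PSK and a PSK identifier, only the identifier is encapsulated in an NSH MD-Type 2 TLV (RFC 8300 format) and forwarded through the SFF, a returning client presents the identifier, the SFF picks a second SF node, and that node resumes only if the client proves possession of the same PSK (modelled on a TLS 1.3 PSK binder); a second TLV signals that the QUIC connection has closed so the chain can tear the state down. The metadata class and TLV type numbers, the node names, and the shared `psk_store` are assumptions made here; the page does not say how the PSK itself reaches the second node, so the example assumes a store the SF nodes share over a protected control channel.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

# The patent assigns no numeric values to the metadata class or TLV types;
# these are assumptions made for this example only.
MD_CLASS_EXAMPLE = 0xFFF6
TLV_PSK_IDENTIFIER = 0x01
TLV_QUIC_CLOSED = 0x02


def encode_md2_tlv(md_class, tlv_type, value):
    """NSH MD-Type 2 TLV (RFC 8300, s2.5.1): Class(16) Type(8) U(1)+Len(7, bytes),
    value zero-padded to a 4-byte boundary."""
    if not 0 <= len(value) <= 127:
        raise ValueError("MD-Type 2 TLV value must fit a 7-bit length")
    return struct.pack("!HBB", md_class, tlv_type, len(value)) + value + b"\x00" * (-len(value) % 4)


def decode_md2_tlvs(blob):
    """Parse a run of MD-Type 2 TLVs, rejecting truncated entries."""
    tlvs, off = [], 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated TLV header")
        md_class, tlv_type, u_len = struct.unpack_from("!HBB", blob, off)
        length, off = u_len & 0x7F, off + 4
        value = blob[off:off + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        tlvs.append((md_class, tlv_type, value))
        off += length + (-length % 4)
    return tlvs


@dataclass
class ServiceFunction:
    # psk_store: how the PSK reaches a second node is not stated on the page; this
    # example assumes a store shared by the SF nodes over a protected channel.
    name: str
    psk_store: dict
    psk_ids_seen: set = field(default_factory=set)

    def establish_session(self):
        """Initial handshake: mint a PSK and an identifier bound to this node and
        session; only the identifier is placed in NSH metadata, never the PSK."""
        psk = os.urandom(32)
        psk_id = hashlib.sha256(self.name.encode() + os.urandom(16)).digest()[:16]
        self.psk_store[psk_id] = psk
        return psk, psk_id, encode_md2_tlv(MD_CLASS_EXAMPLE, TLV_PSK_IDENTIFIER, psk_id)

    def receive_metadata(self, nsh_metadata):
        for md_class, tlv_type, value in decode_md2_tlvs(nsh_metadata):
            if md_class == MD_CLASS_EXAMPLE and tlv_type == TLV_PSK_IDENTIFIER:
                self.psk_ids_seen.add(value)
            elif md_class == MD_CLASS_EXAMPLE and tlv_type == TLV_QUIC_CLOSED:
                self.psk_ids_seen.discard(value)   # QUIC closed: drop resumption state
                self.psk_store.pop(value, None)

    def resume_session(self, request):
        """Resume only if the binder proves the client holds the same PSK."""
        psk = self.psk_store.get(request["psk_identity"])
        if psk is None or request["psk_identity"] not in self.psk_ids_seen:
            return False
        expected = hmac.new(psk, request["transcript"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, request["binder"])


@dataclass
class ServiceFunctionForwarder:
    nodes: list

    def distribute(self, nsh_metadata):
        for node in self.nodes:
            node.receive_metadata(nsh_metadata)

    def select_node(self, request, avoid=None):
        """Second-node selection: first node other than `avoid` that knows the id."""
        psk_id = request["psk_identity"]
        return next((n for n in self.nodes if n.name != avoid and psk_id in n.psk_ids_seen), None)


def client_reconnect(psk, psk_id, client_random):
    """Resumption request modelled on a TLS 1.3 PSK identity plus HMAC binder."""
    transcript = b"ClientHello" + client_random + psk_id
    binder = hmac.new(psk, transcript, hashlib.sha256).digest()
    return {"psk_identity": psk_id, "transcript": transcript, "binder": binder}


def run_demo():
    store = {}
    sf1, sf2 = ServiceFunction("sf1", store), ServiceFunction("sf2", store)
    sff = ServiceFunctionForwarder([sf1, sf2])
    psk, psk_id, metadata = sf1.establish_session()
    sff.distribute(metadata)
    good = client_reconnect(psk, psk_id, os.urandom(32))            # client comes back
    bad = client_reconnect(os.urandom(32), psk_id, os.urandom(32))  # right id, wrong PSK
    node = sff.select_node(good, avoid="sf1")
    resumed, accepted_bad = node.resume_session(good), node.resume_session(bad)
    sff.distribute(encode_md2_tlv(MD_CLASS_EXAMPLE, TLV_QUIC_CLOSED, psk_id))
    return {"resumed_on": node.name, "resumed": resumed, "rejected_bad_psk": not accepted_bad,
            "after_close": sff.select_node(good, avoid="sf1") is None,
            "psk_in_metadata": psk in metadata}
```

Two points a practitioner would check before deploying a scheme like this: the claim forwards only the PSK identifier in NSH metadata, and the example keeps the PSK out of that path because NSH carries its metadata in the clear unless the chain applies NSH integrity protection and encryption of sensitive elements (RFC 9145); and the identifier alone must never be sufficient to resume, which is why the second node verifies a binder computed under the PSK rather than trusting the identifier it learned from the SFF.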
16 Claims
1. (Independent method claim; text reproduced above under First Claim.) Dependent claims 2 to 8 are not reproduced on this page.
9. A computer-readable device having stored therein instructions which, when executed by at least one processor, cause the at least one processor to perform operations comprising:
receiving, at a first Service Function (SF) node, a request to establish a Transport Layer Security (TLS) session, the first SF node being one of a plurality of SF nodes communicatively coupled to a Service Function Forwarder (SFF);
generating a Pre-Shared Key (PSK) and a PSK identifier, the PSK and the PSK identifier uniquely corresponding to the first SF node and the TLS session;
forwarding the PSK identifier to the SFF and/or one or more of the plurality of SF nodes, the forwarding including encapsulating the PSK identifier in Network Service Header (NSH) metadata;
receiving a connection request from a client device, the client device having previously disconnected from the TLS session;
determining the connection request contains the PSK identifier;
selecting a second SF node and using the PSK to re-establish the TLS session between the client device and the second SF node; and
using an NSH Metadata-Type 2 Type Length Value (NSH MD-Type 2 TLV) to indicate a Quick UDP Internet Connections (QUIC) connection has been closed with the SFF and/or the plurality of SF nodes.
Dependent claims 10 to 16 are not reproduced on this page.
Specification