Secure communication session resumption in a service function chain

US 10,554,689 B2
Filed: 04/28/2017
Issued: 02/04/2020
Est. Priority Date: 04/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a first Service Function (SF) node, a request to establish a Transport Layer Security (TLS) session, the first SF node being one of a plurality of SF nodes communicatively coupled to a Service Function Forwarder (SFF);

generating a Pre-Shared Key (PSK) and a PSK identifier, the PSK and the PSK identifier uniquely corresponding to the first SF node and the TLS session;

forwarding the PSK identifier to the SFF and/or one or more of the plurality of SF nodes, the forwarding including encapsulating the PSK identifier in Network Service Header (NSH) metadata;

receiving a connection request from a client device, the client device having previously disconnected from the TLS session;

determining the connection request contains the PSK identifier;

selecting a second SF node and using the PSK to re-establish the TLS session between the client device and the second SF node; and

using an NSH Metadata-Type 2 Type Length Value (NSH MD-Type 2 TLV) to indicate a Quick UDP Internet Connections (QUIC) connection has been closed with the SFF and/or the plurality of SF nodes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.

Citations

16 Claims

1. A method comprising:
- receiving, at a first Service Function (SF) node, a request to establish a Transport Layer Security (TLS) session, the first SF node being one of a plurality of SF nodes communicatively coupled to a Service Function Forwarder (SFF);
  
  generating a Pre-Shared Key (PSK) and a PSK identifier, the PSK and the PSK identifier uniquely corresponding to the first SF node and the TLS session;
  
  forwarding the PSK identifier to the SFF and/or one or more of the plurality of SF nodes, the forwarding including encapsulating the PSK identifier in Network Service Header (NSH) metadata;
  
  receiving a connection request from a client device, the client device having previously disconnected from the TLS session;
  
  determining the connection request contains the PSK identifier;
  
  selecting a second SF node and using the PSK to re-establish the TLS session between the client device and the second SF node; and
  
  using an NSH Metadata-Type 2 Type Length Value (NSH MD-Type 2 TLV) to indicate a Quick UDP Internet Connections (QUIC) connection has been closed with the SFF and/or the plurality of SF nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the second SF node is selected by determining the second SF node is uniquely associated with the PSK identifier from the connection request, such that the second SF node and the first SF node are the same node.
  - 3. The method of claim 2, wherein the connection request is carried by a Transmission Control Protocol (TCP) SYN packet, such that the second SF node determines the TCP SYN packet contains the PSK identifier, and uses the PSK to decrypt and process an initial flight of data contained in the TCP SYN packet.
  - 4. The method of claim 2, wherein the connection request is carried by a Quick UDP Internet Connections (QUIC) packet, such that the second SF node determines the QUIC packet contains the PSK identifier, and uses the PSK to decrypt and process an initial flight of data contained in the QUIC packet.
  - 5. The method of claim 1, wherein the second SF node is selected by performing load balancing at the SFF, such that the second SF node can be any one of the plurality of SF nodes.
  - 6. The method of claim 5, wherein the PSK is stored as an entry in a memory structure and the PSK identifier is a corresponding entry lookup key for the PSK, such that the second SF node extracts the PSK identifier from the connection request and obtains the PSK from the memory structure in order to re-establish the TLS session.
  - 7. The method of claim 5, wherein the PSK identifier comprises a self-contained ticket containing an encrypted copy of the PSK, and wherein the second SF node receives required cryptographic keying material to decrypt the PSK from the SFF and/or one or more of the plurality of SF nodes, such that the second SF node extracts the PSK from the self-contained ticket in order to re-establish the TLS session.
  - 8. The method of claim 1, wherein forwarding the PSK identifier to the SFF and/or one or more of the plurality of SF nodes comprises a publish-subscribe mechanism.

9. A computer-readable device having stored therein instructions which, when executed by at least one processor, cause the at least one processor to perform operations comprising:
- receiving, at a first Service Function (SF) node, a request to establish a Transport Layer Security (TLS) session, the first SF node being one of a plurality of SF nodes communicatively coupled to a Service Function Forwarder (SFF);
  
  generating a Pre-Shared Key (PSK) and a PSK identifier, the PSK and the PSK identifier uniquely corresponding to the first SF node and the TLS session;
  
  forwarding the PSK identifier to the SFF and/or one or more of the plurality of SF nodes, the forwarding including encapsulating the PSK identifier in Network Service Header (NSH) metadata;
  
  receiving a connection request from a client device, the client device having previously disconnected from the TLS session;
  
  determining the connection request contains the PSK identifier;
  
  selecting a second SF node and using the PSK to re-establish the TLS session between the client device and the second SF node; and
  
  using an NSH Metadata-Type 2 Type Length Value (NSH MD-Type 2 TLV) to indicate a Quick UDP Internet Connections (QUIC) connection has been closed with the SFF and/or the plurality of SF nodes.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable device of claim 9, wherein the instructions further cause the at least one processor to select the second SF node by determining the SF node is uniquely associated with the PSK identifier from the connection request, such that the second SF node and the first SF node are the same node.
  - 11. The computer-readable device of claim 10, wherein the connection request is carried by a Transmission Control Protocol (TCP) SYN packet, such that the second SF node determines the TCP SYN packet contains the PSK identifier, and uses the PSK to decrypt and process an initial flight of data contained in the TCP SYN packet.
  - 12. The computer-readable device of claim 10, wherein the connection request is carried by a Quick UDP Internet Connections (QUIC) packet, such that the second SF node determines the QUIC packet contains the PSK identifier, and uses the PSK to decrypt and process an initial flight of data contained in the QUIC packet.
  - 13. The computer-readable device of claim 9, wherein the instructions further cause the at least one processor to select the second SF node by performing load balancing at the SFF, such that the second SF node can be any one of the plurality of SF nodes.
  - 14. The computer-readable device of claim 13, wherein the PSK is stored as an entry in a memory structure and the PSK identifier is a corresponding entry lookup key for the PSK, such that the second SF node extracts the PSK identifier from the connection request and obtains the PSK from the memory structure in order to re-establish the TLS session.
  - 15. The computer-readable device of claim 13, wherein the PSK identifier comprises a self-contained ticket containing an encrypted copy of the PSK, and wherein the second SF node receives required cryptographic keying material to decrypt the PSK from the SFF and/or one or more of the plurality of SF nodes, such that the second SF node extracts the PSK from the self-contained ticket in order to re-establish the TLS session.
  - 16. The computer-readable device of claim 9, wherein the instructions further cause the at least one processor to forward the PSK identifier to the SFF and/or one or more of the plurality of SF nodes with a publish-subscribe mechanism or a modification of Network Service Header (NSH) metadata.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Reddy, K Tirumaleswar, Patil, Prashanth, Pignataro, Carlos M.
Primary Examiner(s)
Li, Meng

Application Number

US15/582,026
Publication Number

US 20180316724A1
Time in Patent Office

1,012 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/0435   wherein the sending and rec...

H04L 63/166   at the transport layer

H04L 9/0822   using key encryption key

H04L 9/0827   involving distinctive inter...

Secure communication session resumption in a service function chain

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication session resumption in a service function chain

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links