Internet protocol security framework utilizing predictve security association re-negotiation

US 20020103887A1
Filed: 01/26/2001
Published: 08/01/2002
Est. Priority Date: 01/26/2001
Status: Active Grant

First Claim

Patent Images

1. An apparatus for use in predicting exchanges of a specific quantity of communication traffic between network elements, said apparatus comprising:

a digital processor operable on a periodic basis to calculate a weighted traffic flow per usage for a given network element, said digital processor further including, a comparison mechanism for comparing a value of said weighted traffic flow per usage with a remainder value of said specific quantity of communications traffic yet to be processed by said network element, wherein an indication is given by said network element if said remainder value is less than said weighted traffic flow.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a methodology for predicting when current sets of encryption keys used in a high speed data network are about to expire. The invention allows network elements of a communication system to re-negotiate new sets of keys well in advance so as to prevent interruptions in communications traffic flow. In accordance with one exemplary embodiment of the invention, a weighted traffic flow per usage for a given network element is calculated on a periodic basis. The value of the weighted traffic flow per usage is compared with a remainder value of a specific quantity of communications traffic yet to be processed by the network element. If the remainder value is less than the weighted traffic flow value, an indication is given to the appropriate network element to renegotiate a new set of keys.

Citations

20 Claims

1. An apparatus for use in predicting exchanges of a specific quantity of communication traffic between network elements, said apparatus comprising:
- a digital processor operable on a periodic basis to calculate a weighted traffic flow per usage for a given network element, said digital processor further including, a comparison mechanism for comparing a value of said weighted traffic flow per usage with a remainder value of said specific quantity of communications traffic yet to be processed by said network element, wherein an indication is given by said network element if said remainder value is less than said weighted traffic flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 14)
- - 2. The apparatus of claim 1, wherein said digital processor waits until beginning another time period to calculate another value of said weighted traffic flow per usage to be compared with an updated remainder value.
  - 3. The apparatus of claim 1, wherein said specific quantity of communications traffic corresponds to a quantity value associated with a security association (SA) between said network elements.
  - 4. The apparatus of claim 3, wherein said indication given from said network elements prompts renegotiation of another SA.
  - 5. The apparatus of claim 3, wherein said SA is an Internet Protocol Security (IPSEC) SA.
  - 6. The apparatus of claim 1, wherein said apparatus is used in connection with a communications traffic monitoring application to identify randomly occurring traffic patterns.
  - 7. The apparatus of claim 1, wherein said apparatus is used in connection with a communications network management application to monitor usage of network components.
  - 8. The apparatus of claim 1, wherein said weighted traffic flow per usage corresponds to the average use of network element per period multiplied by the average communications traffic quantity per use.
  - 14. The method of claim 1, wherein said method is used in connection with a communications traffic monitoring application to identify randomly occurring traffic patterns.

9. A method of predicting exchanges of a specific quantity of communication traffic between network elements, said method comprising:
- calculating on a periodic basis a weighted traffic flow per usage for a given network element;
  
  comparing a value of said weighted traffic flow per usage with a remainder value of said specific quantity of communications traffic yet to be processed by said network element; and
  
  giving an indication from said network element if said remainder value is less than said weighted traffic flow.
- View Dependent Claims (10, 11, 12, 13, 15, 16, 17, 19, 20)
- - 10. The method of claim 9, further including waiting until beginning another time period to calculate another value of said weighted traffic flow per usage to be compared with an updated remainder value.
  - 11. The method of claim 9, wherein said specific quantity of communications traffic corresponds to a quantity value associated with a security association (SA) between said network elements.
  - 12. The method of claim 11, wherein said indication given from said network elements prompts renegotiation of another SA.
  - 13. The method of claim 11, wherein said SA is an Internet Protocol Security (IPSEC) SA.
  - 15. The method of claim 9, wherein said method is used in connection with a communications network management application to monitor usage of network components.
  - 16. The method of claim 9, wherein said weighted traffic flow per usage corresponds to the average use of network element per period multiplied by the average communications traffic quantity per use.
  - 17. The method of claim 9, wherein at least a portion of said communications traffic flows between network elements over the public Internet.
  - 19. The method of claim 18, wherein said weighted traffic flow per usage corresponds to the average use of a security association per period multiplied by the average number of bytes processed per use.
  - 20. The method of claim 18, wherein said security association is an IPSEC security association.

18. A method of predicting expiration of quantity based security associations between network elements, at least a portion of communications traffic exchanged between said network flowing over the public Internet, said method comprising:
- calculating on a periodic basis a weighted traffic flow per usage for a given network element;
  
  comparing a value of said weighted traffic flow per usage with a remainder value of yet to be processed communications traffic of one of said quantity based security associations; and
  
  renegotiating another security association with a corresponding one of said network elements if said remainder value is less than said weighted traffic flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Bagasrawala, Abbas

Granted Patent

US 7,143,154 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/164 at the network layer

Internet protocol security framework utilizing predictve security association re-negotiation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Internet protocol security framework utilizing predictve security association re-negotiation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links