Firewall for filtering tunneled data packets

US 20030115328A1
Filed: 11/22/2002
Published: 06/19/2003
Est. Priority Date: 11/29/2001
Status: Active Grant

First Claim

Patent Images

1. A method of filtering a data packet, comprising receiving a tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, matching the value of at least one outer header field of the tunneled data packet to a first rule, and taking the action defined in the first rule comprising detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of filtering a tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, where the value of at least one outer header field of the tunneled data packet is matched to a first rule, and the action defined in the first rule is taken. Taking the action defined in the first rule comprises detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.

Citations

11 Claims

1. A method of filtering a data packet, comprising receiving a tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, matching the value of at least one outer header field of the tunneled data packet to a first rule, and taking the action defined in the first rule comprising detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, wherein the action defined in the first rule comprises instructions to direct the tunneled data packet to another process for handling, the another process taking the steps of detecting, matching and taking associated to the inner data packet.
  - 3. A method according to claim 1, wherein the action defined in the first rule comprises offset information for finding the beginning of the inner data packet and a pointer to rules to which to match the inner data packet.
  - 4. A method according to any of the preceding claims, further comprising creating, on the basis of the outer header, to a first connection state table, an entry for processing other data packets of the same tunnel, the entry comprising a value of at least one outer header field for identifying the other data packets of the same tunnel and instructions for filtering the inner data packet, and creating, on the basis of the inner header, to a second connection state table, an entry for processing other data packets of the same connection, the entry comprising a value of at least one inner header field for identifying the other data packets of the same connection and instructions for processing the inner data packet.
  - 5. A method according to claim 4, wherein the entries of the first and the second connection state table are included in one connection state table.
  - 6. A method according to claim 4, wherein the instructions for filtering the inner data packet comprise offset information for finding the beginning of the inner data packet and a pointer to rules and/or to a connection state table to which to match the inner data packet.
  - 7. A method according to claim 4, wherein the instructions for filtering the inner data packet comprise instructions to direct the tunneled data packet to another process for handling, the another process filtering the inner data packet.
  - 8. A method according to any one of the preceding claims, wherein taking the action defined in the second rule comprises modifying at least one field of the inner data packet.
  - 9. A method according to claim 1, wherein the data packet is an Internet Protocol version 6 data packet and the inner header is an Extension Header field of Internet Protocol version 6.

10. A network gateway comprising a mechanism for receiving a tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, a mechanism for matching the value of at least one outer header field of the tunneled data packet to a first rule, and a mechanism for taking the action defined in the first rule comprising a mechanism for detecting the inner data packet within the tunneled data packet, a mechanism for matching the value of at least one field of the inner data packet to a second rule, and a mechanism for taking the action defined in the second rule.

11. A computer-readable medium, containing a computer software which, when executed in a computer device, causes the computer device to provide a routine of filtering a data packet comprising receiving a tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, matching the value of at least one outer header field of the tunneled data packet to a first rule, and taking the action defined in the first rule comprising detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC (Francisco Partners Management LLC)
Original Assignee
Stonesoft Corporation
Inventors
Jalava, Mika, Salminen, Riku, Syvanne, Tuomo

Granted Patent

US 7,721,084 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0254   Stateful filtering

H04L 63/029   Firewall traversal, e.g. tu...

H04W 80/04   Network layer protocols, e....

Firewall for filtering tunneled data packets

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall for filtering tunneled data packets

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links