Method and apparatus for fragmenting and reassembling internet key exchange data packets
Abstract
A method and apparatus for fragmenting and reassembling IKE protocol data packets that exceed a Maximum Transmission Unit is provided. A transmitting node determines whether to fragment IKE data depending on whether the receiving node has the capability to receive and reassemble fragmented data packets. The transmitting node detects whether fragmentation is appropriate and then intercepts and fragments appropriate IKE payloads for transmission over a network. The invention further includes a method and apparatus for reassembling fragmented IKE payloads. The receiving node discards certain packets according to a set of predetermined rules that are designed to prevent denial of service attacks and other similar attacks. No modification is required to the existing IKE protocol or to other lower level networking protocols.
12 Claims
1. A method for transmitting Internet Key Exchange (IKE) data packets across a network comprising the steps of:
generating and transmitting an IKE packet over a network;
determining whether a response to the IKE packet was received;
fragmenting the IKE packet into a plurality of smaller packets when a response is not received, wherein each of the smaller packets includes a header formatted according to the IKE protocol; and
transmitting each of the plurality of smaller packets over a network.
(Dependent claims: 2)

3. A network node that communicates with other network nodes according to the Internet Key Exchange (IKE) protocol comprising:
a User Datagram Protocol (UDP) stack that is capable of generating UDP data packets for transmission over a network;
an IKE protocol stack that generates IKE data packets that are subsequently processed by the UDP protocol stack; and
a fragmenter module that intercepts IKE data packets prior to being processed by the UDP protocol stack and splits the IKE data packets into a plurality of smaller data packets that may be subsequently formatted by the UDP protocol stack.

4. A method for fragmenting a data packet comprising the steps of:
generating an IKE data packet;
intercepting the IKE data packet before it is passed to a subsequent network protocol stack;
determining a maximum size for fragments of an IKE data packet;
dividing the IKE data packet into at least two smaller packets; and
prepending a header to each smaller packet, wherein each header for each smaller packet includes an identifier that associates the smaller packet with its corresponding IKE data packet.
(Dependent claims: 5)

6. A method for receiving fragmented Internet Key Exchange (IKE) data packets comprising the steps of:
receiving a plurality of fragments of an IKE data packet from a transmitting node, wherein each fragment includes an identifier that associates each fragment with an IKE data packet; and
discarding all fragments that contain a first identifier if a predetermined number of fragments are received that contain a second identifier.
(Dependent claims: 7, 8, 9, 10)

11. A system for transmitting Internet Key Exchange (IKE) protocol data packets across a network comprising:
means for generating an IKE packet;
means for detecting whether the IKE packet was successfully received at the intended receiver node; and
means for fragmenting the IKE packets into smaller packets when the IKE packet was not successfully received at the receiver node, wherein each of the smaller packets includes information that permits a receiver node to identify the IKE packet associated with each smaller packet and the position of each smaller packet within the IKE packet.
(Dependent claims: 12)

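The fragmenting step of claim 4 and the discard rule of claim 6, sketched in Python as an added example; this is not code from the patent. The 6-byte header layout, the names fragment, Reassembler and switch_after, and the choice to promote the second-identifier fragments to the current set are assumptions made for illustration.

```python
import struct

# Assumed fragment header (not from the patent): packet id, index, total count.
HDR = struct.Struct("!IBB")

def fragment(ike_packet, packet_id, max_fragment):
    """Split an IKE packet into header-prefixed pieces of at most max_fragment bytes."""
    room = max_fragment - HDR.size
    if room <= 0:
        raise ValueError("max_fragment leaves no room for payload")
    chunks = [ike_packet[i:i + room] for i in range(0, len(ike_packet), room)]
    if not 1 <= len(chunks) <= 255:
        raise ValueError("packet must yield 1..255 fragments")
    return [HDR.pack(packet_id, i, len(chunks)) + c for i, c in enumerate(chunks)]

class Reassembler:
    """Per-peer state: one packet being assembled plus one candidate replacement."""
    def __init__(self, switch_after=2):
        self.switch_after = switch_after   # the "predetermined number" (assumed value)
        self.cur_id, self.cur = None, {}   # fragments carrying the first identifier
        self.new_id, self.new = None, {}   # fragments carrying a second identifier

    def receive(self, datagram):
        """Feed one fragment; return the whole IKE packet once complete, else None."""
        if len(datagram) <= HDR.size:
            return None                    # too short to hold header and payload
        pid, idx, total = HDR.unpack_from(datagram)
        if total == 0 or idx >= total:
            return None                    # malformed header: drop
        if self.cur_id is None:
            self.cur_id = pid
        if pid == self.cur_id:
            bucket = self.cur
        else:
            if pid != self.new_id:         # only one candidate is tracked at a time
                self.new_id, self.new = pid, {}
            bucket = self.new
        bucket[idx] = (total, datagram[HDR.size:])
        if bucket is self.new and len(self.new) >= self.switch_after:
            self.cur_id, self.cur = self.new_id, self.new   # discard the first set
            self.new_id, self.new = None, {}
            bucket = self.cur
        if len(bucket) == total and all(t == total for t, _ in bucket.values()):
            data = b"".join(bucket[i][1] for i in range(total))
            if bucket is self.cur:         # promote any candidate to current
                self.cur_id, self.cur = self.new_id, self.new
            self.new_id, self.new = None, {}
            return data
        return None
```

Because the receiver holds at most two partial fragment sets per peer, a sender that keeps changing identifiers cannot make reassembly state grow without bound.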
Specification