Agile network protocol for secure communications with assured system availability
First Claim
1. A method of transmitting data packets between a first computer and a second computer, wherein the first computer and the second computer are linked via a plurality of separate transmission paths, the method comprising the steps of:
(1) assigning a weight value to each of the plurality of transmission paths, wherein each respective weight value represents the relative number of packets that a respective transmission path will transmit;
(2) for each data packet that is to be transmitted from the first computer to the second computer, selecting one of the plurality of transmission paths on the basis of each respective transmission path's assigned weight value;
(3) measuring the transmission quality for each of the plurality of transmission paths; and
(4) adjusting downwardly to a non-zero value the assigned weight value for a transmission path for which the transmission quality has declined.
Abstract
A plurality of computer nodes communicate using seemingly random Internet Protocol source and destination addresses. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are quickly rejected. Improvements to the basic design include (1) a load balancer that distributes packets across different transmission paths according to transmission path quality; (2) a DNS proxy server that transparently creates a virtual private network in response to a domain name inquiry; (3) a large-to-small link bandwidth management feature that prevents denial-of-service attacks at system chokepoints; (4) a traffic limiter that regulates incoming packets by limiting the rate at which a transmitter can be synchronized with a receiver; and (5) a signaling synchronizer, that allows a large number of nodes to communicate with a central node by partitioning the communication function between two separate entities.
71 Claims
1. A method of transmitting data packets between a first computer and a second computer, wherein the first computer and the second computer are linked via a plurality of separate transmission paths, the method comprising the steps of:
(1) assigning a weight value to each of the plurality of transmission paths, wherein each respective weight value represents the relative number of packets that a respective transmission path will transmit;
(2) for each data packet that is to be transmitted from the first computer to the second computer, selecting one of the plurality of transmission paths on the basis of each respective transmission path's assigned weight value;
(3) measuring the transmission quality for each of the plurality of transmission paths; and
(4) adjusting downwardly to a non-zero value the assigned weight value for a transmission path for which the transmission quality has declined. [Dependent claims 2-13]
14. A first computer that transmits data packets to a second computer over a plurality of separate transmission paths, wherein the first computer performs the steps of:
(1) assigning a weight value to each of the plurality of transmission paths, wherein each respective weight value represents the relative number of packets that a respective transmission path will transmit;
(2) for each data packet that is to be transmitted to the second computer, selecting one of the plurality of transmission paths on the basis of each respective transmission path's assigned weight value;
(3) measuring the transmission quality for each of the plurality of transmission paths; and
(4) adjusting downwardly to a non-zero value the assigned weight value for a transmission path for which the transmission quality has declined. [Dependent claims 15-27]
28. A method of transparently creating a virtual private network (VPN) between a client computer and a target computer, comprising the steps of:
(1) generating from the client computer a Domain Name Service (DNS) request that requests an IP address corresponding to a domain name associated with the target computer;
(2) determining whether the DNS request transmitted in step (1) is requesting access to a secure web site; and
(3) in response to determining that the DNS request in step (2) is requesting access to a secure target web site, automatically initiating the VPN between the client computer and the target computer. [Dependent claims 29-36]
37. A system that transparently creates a virtual private network (VPN) between a client computer and a secure target computer, comprising:
a DNS proxy server that receives a request from the client computer to look up an IP address for a domain name, wherein the DNS proxy server returns the IP address for the requested domain name if it is determined that access to a non-secure web site has been requested, and wherein the DNS proxy server generates a request to create the VPN between the client computer and the secure target computer if it is determined that access to a secure web site has been requested; and
a gatekeeper computer that allocates resources for the VPN between the client computer and the secure web computer in response to the request by the DNS proxy server. [Dependent claims 38-39]
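Worked example of the DNS proxy and gatekeeper of claims 28 and 37 (added here; not code from the patent or its assignee). A lookup of an ordinary name is answered from the record table, while a lookup of a name under a zone designated as secure is turned into a request to the gatekeeper, which allocates a VPN and hands back a tunnel endpoint instead of the target's real address. The record table, the secure zone list, the per-client authorization table, the RFC 5737 documentation addresses and the `Answer`/`VpnLink` layout are all constructed for this example; the dependent claims that would specify these details are not reproduced on this page.

```python
"""DNS proxy that transparently triggers a VPN for secure targets.

Added example illustrating claims 28 and 37; not the patent's code. Records,
zones, addresses and the authorization table are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VpnLink:
    client: str
    target: str
    tunnel_ip: str                  # endpoint returned to the client in place of the real address


@dataclass
class Answer:
    kind: str                       # "A", "VPN", "NXDOMAIN", "REFUSED" or "SERVFAIL"
    address: Optional[str] = None
    link: Optional[VpnLink] = None


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def is_under_zone(name: str, zone: str) -> bool:
    """Label-wise suffix match: 'evilsecure.example' is NOT under 'secure.example'."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


class Gatekeeper:
    """Allocates VPN resources on the proxy's request (claim 37).

    `authorized` maps a client to the zones it may reach over a VPN (assumed
    per-client authorization table, not something this page's claims spell out).
    """

    def __init__(self, pool: List[str], authorized: Dict[str, Set[str]]):
        self._pool = list(pool)                 # free tunnel endpoints
        self._authorized = authorized
        self._links: Dict[Tuple[str, str], VpnLink] = {}

    def allocate(self, client: str, target: str) -> Answer:
        zones = self._authorized.get(client, set())
        if not any(is_under_zone(target, z) for z in zones):
            return Answer("REFUSED")            # unknown or unauthorized client: no VPN, no real address
        key = (client, target)
        if key not in self._links:
            if not self._pool:
                return Answer("SERVFAIL")       # fail closed: never fall back to a plaintext answer
            self._links[key] = VpnLink(client, target, self._pool.pop(0))
        link = self._links[key]
        return Answer("VPN", link.tunnel_ip, link)

    def active_links(self) -> int:
        return len(self._links)


class DnsProxy:
    def __init__(self, records: Dict[str, str], secure_zones: List[str], gatekeeper: Gatekeeper):
        self.records = {k.lower(): v for k, v in records.items()}
        self.secure_zones = list(secure_zones)
        self.gatekeeper = gatekeeper

    def resolve(self, client: str, name: str) -> Answer:
        """Step (2): classify the request; step (3): initiate the VPN or answer normally."""
        if any(is_under_zone(name, z) for z in self.secure_zones):
            return self.gatekeeper.allocate(client, name)
        ip = self.records.get(name.rstrip(".").lower())
        return Answer("A", ip) if ip else Answer("NXDOMAIN")


def build_demo() -> DnsProxy:
    """Constructed configuration for the example."""
    records = {"www.example.com": "192.0.2.10"}
    gk = Gatekeeper(pool=["198.51.100.1", "198.51.100.2"],
                    authorized={"client-1": {"secure.example"}})
    return DnsProxy(records, secure_zones=["secure.example"], gatekeeper=gk)


if __name__ == "__main__":
    proxy = build_demo()
    print(proxy.resolve("client-1", "www.example.com"))
    print(proxy.resolve("client-1", "intranet.secure.example"))
```

Two checks matter when building something like this for real: the secure-zone test must be a label-wise suffix match, not a substring match, or an attacker-registered name such as `evilsecure.example` would be treated as secure (or, in the other direction, a secure name could be excluded); and resource exhaustion at the gatekeeper must fail closed, because the whole point of the scheme is that the client never receives the real address of a secure target.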
40. A method of preventing data packets received from a high bandwidth link from flooding a low bandwidth link, comprising the steps of:
(1) receiving data packets from the high bandwidth link that are ostensibly addressed to a computer residing on the low-bandwidth link;
(2) for each data packet, determining whether the data packet is validly addressed to the computer on the low-bandwidth link;
(3) in response to determining that the data packet is not validly addressed to the computer on the low-bandwidth link, rejecting the data packet; and
(4) in response to determining that the data packet is validly addressed to the computer on the low-bandwidth link, forwarding the data packet to the computer over the low-bandwidth link. [Dependent claims 41-49]
50. In a system having a low bandwidth data link, a first computer coupled to the low bandwidth data link, and a high bandwidth data link, an improvement comprising:
a second computer coupled between the low bandwidth data link and the high bandwidth data link, wherein the second computer receives data packets from the high bandwidth data link and, if they are addressed to the first computer, routes them to the first computer over the low bandwidth data link, wherein the second computer prevents invalid data packets ostensibly addressed to the first computer from being transmitted over the low bandwidth data link. [Dependent claims 51-59]
60. In a system comprising a first computer that transmits data packets to a second computer over a network according to a scheme by which at least one field in a series of data packets is periodically changed according to a sequence known by the first and second computers, and wherein the second computer periodically receives a synchronization request from the first computer to maintain synchronization of the sequence between the first and second computers, a method comprising the steps of:
(1) receiving at the first computer the synchronization request from the second computer;
(2) determining whether the synchronization request was received in less than a predetermined interval;
(3) in response to determining that the synchronization request was received in less than the predetermined interval, ignoring the synchronization request; and
(4) in response to determining that the synchronization request was not received in less than the predetermined interval, providing the synchronization response to the first computer. [Dependent claims 61-63]
64. A computer that receives data packets from a second computer over a network according to a scheme by which at least one field in a series of data packets is periodically changed according to a known sequence, wherein the second computer periodically transmits a synchronization request to maintain synchronization of the sequence, wherein the computer performs the steps of:
(1) receiving the synchronization request from the second computer;
(2) determining whether the synchronization request was received in less than a predetermined interval;
(3) in response to determining that the synchronization request was received in less than a predetermined interval ignoring the synchronization request; and
(4) in response to determining that the synchronization request was not received in less than a predetermined interval, providing the response to the first computer. [Dependent claims 65-66]
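Worked example covering both the large-to-small link guard of claims 40 and 50 and the synchronization-request limiter of claims 60 and 64 (added here; not code from the patent or its assignee). The two mechanisms share the "moving window of valid addresses" from the abstract, so they are shown together: a guard sitting between the high-bandwidth and low-bandwidth links forwards a packet only if its destination address is one of the next few addresses in the shared hop sequence, sliding the window past each accepted packet so stale or replayed addresses are rejected, and it answers a synchronization request with the current window position only if at least a fixed interval has passed since the previous one. The keyed-hash hop sequence, the window size, the packet layout, the choice to hop only the destination address and all addresses are assumptions made for this example.

```python
"""Receiver-side guard for an address-hopping link.

Added example illustrating claims 40, 50, 60 and 64; not the patent's code.
The hop-sequence function, window size and packet layout are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def hop_address(seed: bytes, index: int) -> str:
    """Address used for hop number `index`. A keyed hash stands in for the
    patent's sequence generator (assumption); both ends hold `seed`."""
    digest = hashlib.sha256(seed + index.to_bytes(8, "big")).digest()
    return "10.%d.%d.%d" % (digest[0], digest[1], digest[2])


@dataclass(frozen=True)
class Packet:
    dst: str
    payload: bytes


class Sender:
    """Transmitting side: stamps each packet with the next address in the sequence."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.index = 0

    def send(self, payload: bytes) -> Packet:
        pkt = Packet(hop_address(self.seed, self.index), payload)
        self.index += 1
        return pkt

    def resync(self, index: int) -> None:
        """Apply the receiver's synchronization response."""
        self.index = index


class LinkGuard:
    """Second computer of claim 50: sits between the high- and low-bandwidth links."""

    def __init__(self, seed: bytes, window: int, sync_interval: float):
        self.seed = seed
        self.window = window
        self.sync_interval = sync_interval
        self.base = 0                          # lowest hop index still acceptable
        self.last_sync: Optional[float] = None
        self.forwarded = 0
        self.rejected = 0

    def _window_index(self, dst: str) -> Optional[int]:
        for i in range(self.base, self.base + self.window):
            if hop_address(self.seed, i) == dst:
                return i
        return None

    def forward(self, pkt: Packet) -> bool:
        """Claim 40 steps (2)-(4): forward over the low-bandwidth link only if validly addressed."""
        i = self._window_index(pkt.dst)
        if i is None:
            self.rejected += 1                 # dropped on the high-bandwidth side; never crosses the chokepoint
            return False
        self.base = i + 1                      # slide the window; earlier addresses (replays) become invalid
        self.forwarded += 1
        return True

    def handle_sync_request(self, now: float) -> Optional[int]:
        """Claim 60 steps (2)-(4): answer with the window position unless the request came too soon."""
        if self.last_sync is not None and now - self.last_sync < self.sync_interval:
            return None                        # ignored: bounds how fast anyone can drive resynchronization
        self.last_sync = now
        return self.base


if __name__ == "__main__":
    seed = b"constructed shared secret"
    tx, rx = Sender(seed), LinkGuard(seed, window=4, sync_interval=1.0)
    print(rx.forward(tx.send(b"hello")), rx.forward(Packet("192.0.2.9", b"flood")))
```

Two caveats a practitioner would add: the window lets the receiver tolerate a few lost packets without resynchronizing, but a sender that drifts further ahead than `window` is cut off until a synchronization exchange succeeds, so the interval in `handle_sync_request` is a trade-off between recovery latency and the rate at which sync traffic can be forced; and because `forward` slides `base` past the accepted index, a packet arriving out of order behind the window is rejected like a replay, so the scheme assumes the transport above it tolerates that loss.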
67. A method of establishing communication between one of a plurality of client computers and a central computer that maintains a plurality of authentication tables each corresponding to one of the client computers, the method comprising the steps of:
(1) in the central computer, receiving from one of the plurality of client computers a request to establish a connection;
(2) authenticating, with reference to one of the plurality of authentication tables, that the request received in step (1) is from an authorized client;
(3) responsive to a determination that the request is from an authorized client, allocating resources to establish a virtual private link between the client and a second computer; and
(4) communicating between the authorized client and the second computer using the virtual private link. [Dependent claims 68-71]