IPSec network adapter verifier

US 20030200456A1
Filed: 04/19/2002
Published: 10/23/2003
Est. Priority Date: 04/19/2002
Status: Active Grant

First Claim

Patent Images

1. A network terminal comprising:

a network adapter that interfaces with a network and sends a transmission out to an interface of said network; and

a network adapter verifier that verifies that said transmission comprises a characteristic desired to be associated with said transmission when said network adapter is operating according to an established protocol.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system that supports verifiable IPSec network communication. The data processing system comprises an IPSec network adapter that connects the data processing system to an external network and provides IPSec encryption and routing of IPSec packets. The data processing system also comprises a network adapter verifier, which is a secondary network card that is utilized to verify that IPSec packets being transmitted to the external network by the IPSec network adapter have been encrypted. The network adapter verifier comprises a device driver, which caches a copy of an IP address from a generated IPSec packet prior to the packet being received by the network adapter. The network adapter verifier is connected to the external network and monitors the transmission of packets out to the network connection by the network adapter. The IP identification (ID) of the packets are compared to the captured IP address of the generated IPSec packet. When the IP address of the transmitted packet is not the same as that of the generated/cached IP address, the network adapter has failed to correctly encode the packet according to IPSec, and the transmission is thus not secure. The transmission of the stream of packets is therefore terminated.

62 Citations

View as Search Results

23 Claims

1. A network terminal comprising:
- a network adapter that interfaces with a network and sends a transmission out to an interface of said network; and
  
  a network adapter verifier that verifies that said transmission comprises a characteristic desired to be associated with said transmission when said network adapter is operating according to an established protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The network terminal of claim 1, further comprising:
    - software coded algorithms that provides Internet Protocol Security (IPSec) handling of specific sub-components of said transmission, wherein said specific sub-components are encrypted prior to being issued to said interface by said network adapter.
  - 3. The network terminal of claim 2, further comprising:
    - network adapter verifier code that directs said verifier to monitor said interface for said specific sub-components, and, when one of said specific sub-components does not exhibit the characteristic, implements a response, which prevents further transmission of said specific sub-components by said network adapter without first encrypting said specific sub-components so that said specific sub-components exhibits said characteristic.
  - 4. The network terminal of claim 3, wherein said response includes:
    - stopping said transmission;
      
      re-formatting said network adapter according to said established protocol; and
      
      re-initiating a transmission of said specific sub-components via said network adapter.
  - 5. The network terminal of claim 1, wherein said protocol is said IPSec protocol, said components are IPSec packets, and said characteristic is one which indicates to said verifier that a packet issued on said interface has been encrypted according to said IPSec protocol.
  - 6. The network terminal of claim 2, wherein said software coded algorithms includes a device driver for interfacing with said network adapter.
  - 7. The network terminal of claim 6, further comprising:
    - a storage medium;
      
      means for generating said sub-components; and
      
      wherein said verifier code includes program code for;
      
      reading an identification (ID) from each of said sub-components; and
      
      storing said ID in said storage medium.
  - 8. The network terminal of claim 7, wherein:
    - said verifier snoops said transmission issued to said interface for a snooped ID of each of said sub-components;
      
      said verifier code compares said snooped ID with each of said stored IDs to determine whether there is a match; and
      
      when said snooped ID matches one of said stored IDs, said verifier code then checks said sub-component for said characteristic.
  - 9. The network terminal of claim 8, further comprising:
    - means for tracking a number of occurrences when said specific sub-components issued on said interface did not exhibit said characteristic; and
      
      means for signaling a user of said network terminal when said number of occurrences reaches a predetermined threshold.
  - 10. The network terminal of claim 1, wherein said terminal is a data processing system.
  - 11. The network terminal of claim 1, further comprising connection means for connecting to other terminals which together create said network having at least one destination terminal along with said network terminal.

12. A method for verifying that a particular communication component being transmitted from a network terminal out to an interface of a network exhibits a particular characteristic, said method comprising:
- reading an identification (ID) from said component prior to sending said component to a network adapter of said network terminal;
  
  dynamically determining when a characteristic exhibited by said component after said component is placed on the interface of said network by the network adapter does not reflect a characteristic desired to be associated with said component based on a transmission protocol controlling a generation and transmission of said component, wherein the determination is made after said component is placed on the interface of said network by the network adapter.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, further comprising:
    - generating said component from application data; and
      
      placing said ID within a header of said component when said component is created according to said transmission protocol, wherein other components that are not created according to said transmission protocol are provided with a different identifier-type.
  - 14. The method of claim 12, further comprising:
    - storing the ID read from said component in a storage medium;
      
      snooping said interface for a snooped ID of each of said components issued to said interface;
      
      comparing said snooped ID with each of the stored IDs to determine whether there is a match; and
      
      when said snooped ID matches one of said stored IDs, checking said component for said characteristic.
  - 15. The method of claim 14, wherein when said snooped ID matches a stored ID and said characteristic is not exhibited by said component, said method further comprises:
    - stopping a transmission of components to said interface;
      
      re-formatting said network adapter according to said established protocol; and
      
      re-initiating a transmission of said specific components via said network adapter.
  - 16. The method of claim 14, further comprising:
    - tracking a number of occurrences when said specific components issued on said interface did not exhibit said characteristic; and
      
      signaling a user of said network terminal when said number of occurrences reaches a predetermined threshold.
  - 17. The method of claim 12, wherein:
    - said transmission protocol is an Internet Protocol Security (IPSec) protocol;
      
      said component is a transmission packet;
      
      said particular components are IPSec packets;
      
      said characteristic is a characteristic that identifies when a packet has been encrypted according to the IPSec protocol prior to its issuance to the interface; and
      
      said method further comprising;
      
      generating an IPSec packet;
      
      capturing said ID from a header of said IPSec packet; and
      
      checking for said characteristic only IPSec packets issued to the network interface, wherein packets which are not IPSec packets are not checked for said characteristic.

18. A computer program product, comprising:
- a computer readable medium; and
  
  program code on said computer readable medium for dynamically verifying that a particular communication component being transmitted from a network terminal out to an interface of a network exhibits a particular characteristic, said program code comprising code for;
  
  reading an identification (ID) from said component prior to sending said component to a network adapter of said network terminal; and
  
  dynamically determining when a characteristic exhibited by said component after said component is placed on the interface of said network by the network adapter does not reflect a characteristic desired to be associated with said component based on a transmission protocol controlling a generation and transmission of said component, wherein the determination is made after said component is placed on the interface of said network by the network adapter.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The computer program product of claim 18, further comprising program code for:
    - generating said component from application data; and
      
      placing said ID within a header of said component when said component is created according to said transmission protocol, wherein other components that are not created according to said transmission protocol are provided with a different identifier-type.
  - 20. The computer program product of claim 19, further comprising program code for:
    - storing the ID read from said component in a storage medium;
      
      snooping said interface for a snooped ID of each of said components issued to said interface;
      
      comparing said snooped ID with each of the stored IDs to determine whether there is a match; and
      
      when said snooped ID matches one of said stored IDs, checking said component for said characteristic.
  - 21. The computer program product of claim 20, wherein when said snooped ID matches a stored ID and said characteristic is not exhibited by said component, said method further comprises:
    - stopping a transmission of components to said interface;
      
      re-formatting said network adapter according to said established protocol; and
      
      re-initiating a transmission of said specific components via said network adapter.
  - 22. The computer program product of claim 20, further comprising program code for:
    - tracking a number of occurrences when said specific components issued on said interface did not exhibit said characteristic; and
      
      signaling a user of said network terminal when said number of occurrences reaches a predetermined threshold.
  - 23. The computer program product of claim 18, wherein:
    - said transmission protocol is an Internet Protocol Security (IPSec) protocol;
      
      said component is a transmission packet;
      
      said particular components are IPSec packets;
      
      said characteristic is a characteristic that identifies when a packet has been encrypted according to the IPSec protocol prior to its issuance to the interface; and
      
      said program code further comprising code for;
      
      generating an IPSec packet;
      
      capturing said ID from a header of said IPSec packet; and
      
      checking for said characteristic only IPSec packets issued to the network interface, wherein packets which are not IPSec packets are not checked for said characteristic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
McBrearty, Gerald Francis, Shieh, Johnny Meng-Han, Mullen, Shawn Patrick, Cyr, Michael Paul

Granted Patent

US 8,161,539 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

H04L 63/0435 wherein the sending and rec...

H04L 63/164 at the network layer

IPSec network adapter verifier

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

IPSec network adapter verifier

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links