Method for mapping security associations to clients operating behind a network address translation device

US 20040143758A1
Filed: 01/21/2003
Published: 07/22/2004
Est. Priority Date: 01/21/2003
Status: Active Grant

First Claim

Patent Images

1. A method of tracking a plurality of security protocol sessions between at least a first and second initiator and a responder, whereby the responder maintains a plurality of security associations having security parameters, one of the plurality of security associations corresponding to each of the security protocol sessions, comprising:

receiving a first packet from the first initiator, the first packet including first parameters comprising first source and destination IP addresses, and first source and destination application ports and creating a first mapped port;

associating the first parameters and the first mapped port to a first security association;

receiving a second packet from the second initiator, the second packet including second parameters comprising second source and destination IP addresses, and second source and destination application ports; and

creating a second mapped port wherein the second mapped port is distinct from the first mapped port; and

associating the second packet parameters and the second mapped port to a second security association.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for mapping security parameters to a plurality of network sessions is provided. A responding computer maps the security parameters to the combination of packet parameters and a mapped port value used in each of the plurality of sessions. The packet parameters includes IP source and destination addresses, application source and destination ports and protocol type. The mapped port value is assigned by the responding computer to maintain a unique mapping between each security associations and each network session.

44 Citations

View as Search Results

23 Claims

1. A method of tracking a plurality of security protocol sessions between at least a first and second initiator and a responder, whereby the responder maintains a plurality of security associations having security parameters, one of the plurality of security associations corresponding to each of the security protocol sessions, comprising:
- receiving a first packet from the first initiator, the first packet including first parameters comprising first source and destination IP addresses, and first source and destination application ports and creating a first mapped port;
  
  associating the first parameters and the first mapped port to a first security association;
  
  receiving a second packet from the second initiator, the second packet including second parameters comprising second source and destination IP addresses, and second source and destination application ports; and
  
  creating a second mapped port wherein the second mapped port is distinct from the first mapped port; and
  
  associating the second packet parameters and the second mapped port to a second security association.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - determining that the first packet parameters are identical to the second packet parameters.
  - 3. The method of claim 1, further comprising:
    - modifying the second packet parameters by replacing the second source application port with the second mapped port and sending the second packet to an upper protocol layer.
  - 4. The method of claim 1, wherein the first and second initiator are interfaced to the responder through a network address translation device.
  - 5. The method of claim 1, wherein the first and second packets are encapsulating security protocol packets.
  - 6. The method of claim 1, wherein the first and second packet parameters further comprise a protocol type.

7. A method of identifying a security association for transforming an outbound IP packet according to a security protocol, comprising:
- associating a plurality of parameters to the security association, the plurality of parameters including application source and destination port values, and a mapped port value;
  
  receiving a packet from a transport layer;
  
  the packet having the mapped port value;
  
  identifying the security association based on the parameters; and
  
  changing the mapped port value to the source application port value.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the security protocol is an encapsulating security protocol.
  - 9. The method of claim 7 further comprising sending the packet to a protocol security layer and identifying to the protocol security layer the security association.
  - 10. The method of claim 9 wherein the protocol layer uses the identified security association to transform the packet into a secure packet.
  - 11. The method of claim 10, further comprising:
    - transmitting the transformed packet to an initiating computer through at least one network address translation device.
  - 12. The method of claim 9, wherein the plurality of parameters further comprises a protocol type.

13. A computer-readable medium for executing computer executable instructions for tracking a plurality of security protocol sessions between at least a first and second initiator and a responder, whereby the responder maintains a plurality of security associations having security parameters, one of the plurality of security associations corresponding to each of the security protocol sessions, comprising:
- receiving a first packet from the first initiator, the first packet including first parameters comprising first source and destination IP addresses, and first source and destination application ports and creating a first mapped port;
  
  associating the first parameters and the first mapped port to a first security association;
  
  receiving a second packet from the second initiator, the second packet including second parameters comprising second source and destination IP addresses, and second source and destination application ports; and
  
  creating a second mapped port wherein the second mapped port is distinct from the first mapped port; and
  
  associating the second packet parameters and the second mapped port to a second security association.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable medium of claim 13, further comprising:
    - determining that the first packet parameters are identical to the second packet parameters.
  - 15. The computer-readable medium of claim 13, further comprising:
    - modifying the second packet parameters by replacing the second source application port with the second mapped port and sending the second packet to an upper protocol layer.
  - 16. The computer-readable medium of claim 13, wherein the first and second initiator are interfaced to the responder through a network address translation device.
  - 17. The computer-readable medium of claim 13, wherein the first and second packets are encapsulating security protocol packets.
  - 18. The computer-readable medium of claim 13, wherein the first and second packet parameters further comprise a protocol type.

19. A computer-readable medium for executing computer-readable instructions for identifying a security association for transforming an outbound IP packet according to a security protocol, comprising:
- associating a plurality of parameters to the security association, the plurality of parameters including application source and destination port values, and a mapped port value;
  
  receiving a packet from a transport layer;
  
  the packet having the mapped port value;
  
  identifying the security association based on the parameters; and
  
  changing the mapped port value to the source application port value.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer readable medium of claim 19 further comprising sending the packet to a protocol security layer and identifying to the protocol security layer the security association.
  - 21. The computer-readable medium of claim 19 wherein the protocol layer uses the identified security association to transform the packet into a secure packet.
  - 22. The computer-readable medium of claim 20, further comprising:
    - transmitting the transformed packet to an initiating computer through at least one network address translation device.
  - 23. The computer-readable medium of claim 19, wherein the plurality of parameters further comprises a protocol type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Swander, Brian D., Gbadegesin, Abolade, Dixon, William H.

Granted Patent

US 7,386,881 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Method for mapping security associations to clients operating behind a network address translation device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Method for mapping security associations to clients operating behind a network address translation device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others