Arrangement in an IP node for preserving security-based sequences by ordering IP packets according to quality of service requirements prior to encryption
Abstract
A router has at least one outbound interface configured for establishing multiple IP-based secure connections (i.e., tunnels) with respective destinations based on transmission of encrypted data packets via the IP-based secure connections. The encrypted data packets are generated by a cryptographic module, where each encrypted packet successively output from the cryptographic module includes a corresponding successively-unique sequence number. The supply of data packets to the cryptographic module is controlled by a queue controller: the queue controller assigns, for each secure connection, a corresponding queuing module configured for outputting a group of data packets associated with the corresponding secure connection according to a corresponding assigned maximum output bandwidth. Each queuing module also is configured for reordering the corresponding group of data packets according to a determined quality of service policy and the corresponding assigned maximum output bandwidth.
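The ordering described in the abstract, as an added example (not code from the patent). All names are hypothetical, and the strict-priority policy, per-connection sequence counters, and the receiver-side window check are assumptions made for illustration. It compares reordering before the cryptographic module with reordering after it:

```python
import heapq
from collections import defaultdict
# Constructed traffic: (connection, priority, size_bytes); lower priority value = more urgent.
ARRIVALS = [("tunA", 2, 400)] * 6 + [("tunA", 0, 100)] * 2 + [("tunB", 1, 300)] * 3

class QueuingModule:
    """Per-connection queue: strict-priority reorder, capped at max_bw bytes per tick."""
    def __init__(self, max_bw):
        self.max_bw, self.heap, self.count = max_bw, [], 0
    def push(self, prio, size, item):
        heapq.heappush(self.heap, (prio, self.count, size, item))  # count keeps FIFO per class
        self.count += 1
    def drain_tick(self):
        budget, out = self.max_bw, []
        while self.heap and (not out or self.heap[0][2] <= budget):  # >= 1 packet per tick
            budget -= self.heap[0][2]
            out.append(heapq.heappop(self.heap)[3])
        return out

def schedule(items, max_bw):
    """items: [(conn, prio, size, payload)] -> [(conn, payload)] in output order."""
    queues, wire = defaultdict(lambda: QueuingModule(max_bw)), []
    for conn, prio, size, payload in items:
        queues[conn].push(prio, size, (conn, payload))
    while any(q.heap for q in queues.values()):
        for q in queues.values():
            wire.extend(q.drain_tick())
    return wire

def encrypt(stream):
    """Stand-in for the cryptographic module: stamp the next per-connection sequence number."""
    counters, out = defaultdict(int), []
    for conn, _payload in stream:
        counters[conn] += 1
        out.append((conn, counters[conn]))
    return out

def qos_then_encrypt(arrivals=ARRIVALS, max_bw=800):   # arrangement described in the abstract
    return encrypt(schedule([(c, p, s, i) for i, (c, p, s) in enumerate(arrivals)], max_bw))
def encrypt_then_qos(arrivals=ARRIVALS, max_bw=800):   # contrast: reorder after numbering
    stamped = encrypt([(c, None) for c, _, _ in arrivals])
    return schedule([(c, p, s, seq) for (c, p, s), (_, seq) in zip(arrivals, stamped)], max_bw)

def window_drops(wire, window=4):  # assumed receiver check: reject seq <= highest_seen - window
    highest, drops = defaultdict(int), 0
    for conn, seq in wire:
        drops += seq <= highest[conn] - window
        highest[conn] = max(highest[conn], seq)
    return drops
```

With the constructed traffic, reordering after numbering puts tunA on the wire as 7, 8, 1, 2, ... and four packets fall outside the assumed window, while reordering first leaves every connection's sequence numbers strictly increasing.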
35 Claims
1. A method in a router having at least one outbound interface, the method comprising:
establishing, on one of the outbound interfaces, a plurality of Internet Protocol (IP)-based secure connections with respective destinations based on receiving encrypted packets generated by a cryptographic module, each encrypted packet successively output from the cryptographic module having a corresponding successively-unique sequence number;
controlling supply of data packets to the cryptographic module by:
(1) assigning, for each secure connection, a corresponding queuing module,
(2) reordering, in each queuing module, a corresponding group of the data packets associated with the corresponding secure connection according to a determined quality of service policy and based on a corresponding assigned maximum output bandwidth for the corresponding queuing module, and
(3) outputting to the cryptographic module the group of data packets, from each corresponding queuing module according to the corresponding assigned maximum output bandwidth, for generation of the encrypted packets; and
second outputting the encrypted packets from the cryptographic module to the one outbound interface for transport via their associated secure connections.
10. A router comprising:
a cryptographic module configured for successively outputting encrypted packets having respective successively-unique sequence numbers;
an outbound interface configured for establishing a plurality of Internet Protocol (IP)-based secure connections with respective destinations based on receiving respective streams of the encrypted packets; and
a queue controller configured for controlling supply of data packets to the cryptographic module, the queue controller configured for assigning, for each secure connection, a corresponding queuing module, each queuing module configured for:
(1) outputting to the cryptographic module a corresponding group of the data packets associated with the corresponding secure connection, and according to a corresponding assigned maximum output bandwidth for the corresponding queuing module, for generation of the corresponding stream of the encrypted packets, and
(2) reordering the corresponding group of the data packets according to a determined quality of service policy and the corresponding assigned maximum output bandwidth.
18. A computer readable medium having stored thereon sequences of instructions for outputting encrypted packets by a router having at least one outbound interface, the sequences of instructions including instructions for:
establishing, on the outbound interface, a plurality of Internet Protocol (IP)-based secure connections with respective destinations based on receiving encrypted packets generated by a cryptographic module, each encrypted packet successively output from the cryptographic module having a corresponding successively-unique sequence number;
controlling supply of data packets to the cryptographic module by:
(1) assigning, for each secure connection, a corresponding queuing module,
(2) reordering, in each queuing module, a corresponding group of the data packets associated with the corresponding secure connection according to a determined quality of service policy and based on a corresponding assigned maximum output bandwidth for the corresponding queuing module, and
(3) outputting to the cryptographic module the group of data packets, from each corresponding queuing module according to the corresponding assigned maximum output bandwidth, for generation of the encrypted packets; and
second outputting the encrypted packets from the cryptographic module to the one outbound interface for transport via their associated secure connections.
27. A router having at least one outbound interface, the router further comprising:
means for establishing, on the outbound interface, a plurality of Internet Protocol (IP)-based secure connections with respective destinations based on receiving encrypted packets;
means for generating the encrypted packets, each encrypted packet successively output having a corresponding successively-unique sequence number; and
means for controlling supply of data packets to the generating means, including:
(1) means for assigning, for each secure connection, a corresponding queuing means for queuing data packets,
(2) means for reordering, in each queuing means, a corresponding group of the data packets associated with the corresponding secure connection according to a determined quality of service policy and based on a corresponding assigned maximum output bandwidth for the corresponding queuing means, the means for reordering configured for outputting to the generating means the group of data packets, from each corresponding queuing means according to the corresponding assigned maximum output bandwidth, for generation of the encrypted packets.
Specification