Architecture for routing and IPSec integration

US 20060059370A1
Filed: 09/15/2004
Published: 03/16/2006
Est. Priority Date: 09/15/2004
Status: Active Grant

First Claim

Patent Images

1. A method for integrating encapsulation and encryption with packet routing, comprising:

decrypting an encrypted packet that is included in an encapsulated packet, wherein the encapsulated packet is received over a network;

if a selector list indicates an intermediate hop for the decrypted packet, the decrypted packet is re-encrypted and included in another encapsulated packet, wherein the other encapsulated packet is routed towards an exit gateway; and

if the decrypted packet is unassociated with an intermediate hop, routing the decrypted packet towards its destination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is directed towards routing a packet using both IPSec and common routing protocols within dynamic network topologies in a VPN. The routing of IPSec packets employs Open System Interconnection (OSI) layer three information. In one embodiment, a tree mechanism is used for looking up layer three information that may be associated with a protected subnetwork. When a packet is identified as being associated with a protected subnetwork, the packet may be encrypted and encapsulated, including the original destination and source IP address header information within another packet employing the IP Encapsulating Security Payload (ESP) protocol. New source and destination IP addresses are provided for the new packet using IP addresses associated with an entry gateway and an exit gateway to the VPN. The new packet may then be routed through the VPN using traditional routing protocols.

111 Citations

22 Claims

1. A method for integrating encapsulation and encryption with packet routing, comprising:
- decrypting an encrypted packet that is included in an encapsulated packet, wherein the encapsulated packet is received over a network;
  
  if a selector list indicates an intermediate hop for the decrypted packet, the decrypted packet is re-encrypted and included in another encapsulated packet, wherein the other encapsulated packet is routed towards an exit gateway; and
  
  if the decrypted packet is unassociated with an intermediate hop, routing the decrypted packet towards its destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - determining if a destination address in the decrypted packet is included in an IPSec lookup store;
      
      determining if an intermediate hop is indicated for the destination address included in an IPSec lookup store;
      
      re-encrypting the decrypted packet that includes the destination address that is indicated for the intermediate hop; and
      
      re-encapsulating the re-encrypted packet in another encapsulated packet, wherein the other encapsulated packet is forwarded towards the exit gateway.
  - 3. The method of claim 1, wherein the other encapsulated packet employs a destination IP address of an exit gateway and a source IP address of an entry gateway.
  - 4. The method of claim 1, further comprising:
    - receiving a packet, wherein the packet is unencrypted;
      
      if a destination address and a source address of the received packet is included in the selector list, determining if the destination address and the source address are included in an IPSec lookup store;
      
      encrypting the packet that includes the source address and the destination address that are included in both the selector list and the IPSec lookup store;
      
      encapsulating the encrypted packet in the encapsulated packet; and
      
      forwarding the encapsulated packet towards its destination.
  - 5. The method of claim 4, wherein the encapsulated packet employs a destination IP address of an exit gateway and a source IP address of an entry gateway.
  - 6. The method of claim 1, wherein the encrypted packet included in the encapsulated packet includes a destination address and a source address that are separate from another destination address and another source address that are included in the encapsulated packet.
  - 7. The method of claim 1, wherein the other destination address is associated with an exit gateway and the other source address is associated with an entry gateway.
  - 8. The method of claim 1, further comprising:
    - if a received routing update is associated with at least one rule, updating an IPSEC lookup store with the routing update; and
      
      if the received routing update is unassociated with at least one rule, updating a routing table.

9. An apparatus that provides for integrating encapsulation and encryption with packet routing, comprising:
- a memory for storing instructions; and
  
  a processor for enabling actions based at least in part on the instructions, including;
  
  decrypting an encrypted packet that is included in an encapsulated packet, wherein the encapsulated packet is received over a network;
  
  if a selector list indicates an intermediate hop for the decrypted packet, the decrypted packet is re-encrypted and included in another encapsulated packet, wherein the other encapsulated packet is routed towards an exit gateway; and
  
  if the decrypted packet is unassociated with an intermediate hop, routing the decrypted packet towards its destination.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The apparatus of claim 9, wherein the actions further comprise:
    - determining if a destination address in the decrypted packet is included in an IPSec lookup store;
      
      determining if an intermediate hop is indicated for the destination address included in an IPSec lookup store;
      
      re-encrypting the decrypted packet that includes the destination address that is indicated for the intermediate hop; and
      
      re-encapsulating the re-encrypted packet in another encapsulated packet, wherein the other encapsulated packet is forwarded towards the exit gateway.
  - 11. The apparatus of claim 9, wherein the other encapsulated packet employs a destination IP address of an exit gateway and a source IP address of an entry gateway.
  - 12. The apparatus of claim 9, wherein the actions further comprise:
    - receiving a packet, wherein the packet is unencrypted;
      
      if a destination address and a source address of the received packet is included in the selector list, determining if the destination address and the source address are included in an IPSec lookup store;
      
      encrypting the packet that includes the source address and the destination address that are included in both the selector list and the IPSec lookup store;
      
      encapsulating the encrypted packet in the encapsulated packet; and
      
      forwarding the encapsulated packet towards its destination.
  - 13. The apparatus of claim 12, wherein the encapsulated packet employs a destination IP address of an exit gateway and a source IP address of an entry gateway.
  - 14. The apparatus of claim 9, wherein the encrypted packet included in the encapsulated packet includes a destination address and a source address that are separate from another destination address and another source address that are included in the encapsulated packet.
  - 15. The apparatus of claim 9, wherein the other destination address is associated with an exit gateway and the other source address is associated with an entry gateway.
  - 16. The apparatus of claim 9, wherein the apparatus includes at least one of a router, firewall, server, and a network device.
  - 17. The apparatus of claim 9, further comprising:
    - a routing daemon for performing operations, including;
      
      if a received routing update is associated with at least one rule, updating an IPSEC lookup store with the routing update; and
      
      if the received routing update is unassociated with at least one rule, updating a routing table.

18. A computer readable medium that includes a plurality of executable instructions, wherein the plurality of instructions enable actions to be performed, comprising:
- decrypting an encrypted packet that is included in an encapsulated packet, wherein the encapsulated packet is received over a network;
  
  if a selector list indicates an intermediate hop for the decrypted packet, the decrypted packet is re-encrypted and included in another encapsulated packet, wherein the other encapsulated packet is routed towards an exit gateway; and
  
  if the decrypted packet is unassociated with an intermediate hop, routing the decrypted packet towards its destination.
- View Dependent Claims (19, 20, 21)
- - 19. The computer readable medium of claim 18, wherein the actions further comprise:
    - determining if a destination address in the decrypted packet is included in an IPSec lookup store;
      
      determining if an intermediate hop is indicated for the destination address included in an IPSec lookup store;
      
      re-encrypting the decrypted packet that includes the destination address that is indicated for the intermediate hop; and
      
      re-encapsulating the re-encrypted packet in another encapsulated packet, wherein the other encapsulated packet is forwarded towards the exit gateway.
  - 20. The computer readable medium of claim 18, wherein the other encapsulated packet employs a destination IP address of an exit gateway and a source IP address of an entry gateway.
  - 21. The computer readable medium of claim 18, wherein the actions further comprise:
    - receiving a packet, wherein the packet is unencrypted;
      
      if a destination address and a source address of the received packet is included in the selector list, determining if the destination address and the source address are included in an IPSec lookup store;
      
      encrypting the packet that includes the source address and the destination address that are included in both the selector list and the IPSec lookup store;
      
      encapsulating the encrypted packet in the encapsulated packet; and
      
      forwarding the encapsulated packet towards its destination.

22. An apparatus for integrating the operations of IPsec and packet routing, comprising:
- a memory for storing a plurality of instructions; and
  
  a processor for employing the plurality of instructions to enable actions, including;
  
  determining if a received packet encapsulates an encrypted packet, and if so, performing actions, comprising;
  
  decrypting the encrypted packet that is included in the encapsulated packet;
  
  if an intermediate hop is associated with the decrypted packet, re-encrypting the decrypted packet in another encapsulated packet, wherein the other encapsulated packet is routed towards an exit gateway; and
  
  if the decrypted packet is unassociated with an intermediate hop, routing the decrypted packet towards its destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Asnis, James D., Lehtonen, Teemu S., Kartau, Olev

Granted Patent

US 7,647,492 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

Architecture for routing and IPSec integration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Architecture for routing and IPSec integration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links