Delayed network protocol proxy for packet inspection in a network

US 20060190612A1
Filed: 02/18/2005
Published: 08/24/2006
Est. Priority Date: 02/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method of enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, the method comprising the computer-implemented steps of:

receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;

storing one or more of the TCP parameters in a connection block data structure;

sending the TCP SYN/ACK packet toward the first entity;

based on the one or more TCP parameters that are stored in the connection block data structure, creating a first TCP endpoint of a first TCP connection to the first entity; and

based on the one or more TCP parameters that are stored in the connection block data structure, creating a second TCP endpoint of a second TCP connection to the second entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediary device, which behaves as a proxy for two entities after the entities have established a connection between themselves, is disclosed, as is a method that may be performed by such a device. The intermediary device can inspect a complete message, whose parts may be spread among multiple separate packets, without engaging in handshake phases with the message'"'"'s origin or destination. As a first entity negotiates connection parameters with a second entity, the intermediary device stores the connection parameters as the parameters flow through the intermediary device. After the two entities have established an original connection, the intermediary device uses the intercepted parameters to form two separate connections in the place of the original connection: one between the intermediary device and the first entity, and another between the intermediary device and the second entity. To the entities, the newly formed connections appear to be same as the original connection.

Citations

18 Claims

1. A method of enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, the method comprising the computer-implemented steps of:
- receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
  
  storing one or more of the TCP parameters in a connection block data structure;
  
  sending the TCP SYN/ACK packet toward the first entity;
  
  based on the one or more TCP parameters that are stored in the connection block data structure, creating a first TCP endpoint of a first TCP connection to the first entity; and
  
  based on the one or more TCP parameters that are stored in the connection block data structure, creating a second TCP endpoint of a second TCP connection to the second entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as recited in claim 1, wherein the step of creating the first TCP endpoint comprises creating the first TCP endpoint based on one or more TCP parameters that are indicated in a data packet that the first entity sent toward the second entity over the original TCP connection.
  - 3. A method as recited in claim 2, wherein the data packet does not indicate the one or more TCP parameters that are stored in the connection block data structure.
  - 4. A method as recited in claim 2, wherein the data packet is not a TCP SYN packet or a TCP SYN/ACK packet.
  - 5. A method as recited in claim 1, wherein the step of creating the first TCP endpoint comprises creating the first TCP endpoint without negotiating TCP parameters with the first entity.
  - 6. A method as recited in claim 1, wherein a maximum segment size is among the one or more TCP parameters that is indicated in the TCP SYN/ACK packet and stored in the connection block data structure.
  - 7. A method as recited in claim 1, wherein a window scaling factor is among the one or more TCP parameters that is indicated in the TCP SYN/ACK packet and stored in the connection block data structure.
  - 8. A method as recited in claim 1, the method further comprising:
    - receiving a data packet at the first TCP endpoint; and
      
      in response to receiving the data packet at the first TCP endpoint, sending the data packet through the second TCP endpoint.
  - 9. A method as recited in claim 1, the method further comprising:
    - receiving a data packet at the first TCP endpoint;
      
      modifying content that is contained in a payload portion of the data packet; and
      
      after modifying the content, sending the data packet through the second TCP endpoint.
  - 10. A method as recited in claim 1, the method further comprising:
    - receiving a first data packet at the first TCP endpoint; and
      
      in response to receiving the first data packet, sending a TCP ACK packet through the first TCP endpoint.
  - 11. A method as recited in claim 10, the method further comprising:
    - receiving a second data packet at the first TCP endpoint;
      
      forming a message by appending contents of at least a payload portion of the second data packet to contents of at least a payload portion of the first data packet;
      
      determining whether any part of the message matches a specified pattern;
      
      if any part of the message matches the specified pattern, then dropping the first data packet and the second data packet so that neither the first data packet nor the second data packet is received by the second entity; and
      
      if no part of the message matches the specified pattern, then sending the first data packet and the second data packet through the second TCP endpoint.
  - 12. A method as recited in claim 1, the method further comprising:
    - receiving an original TCP SYN packet that indicates one or more proposed TCP parameters that the first entity proposes for use in the original TCP connection, wherein the original TCP SYN packet is destined for the second entity;
      
      altering the one or more proposed TCP parameters to produce an altered TCP SYN packet that indicates one or more altered TCP parameters; and
      
      sending the altered TCP packet, instead of the original TCP SYN packet, toward the second entity.

13. A method of enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, the method comprising the computer-implemented steps of:
- receiving, at the intermediary device, an original Transmission Control Protocol (TCP) SYN packet that indicates one or more proposed TCP parameters that a first;
  
  entity proposes for use in an original TCP connection between the first entity and a second entity for which the original TCP SYN packet is destined, wherein the one or more proposed TCP parameters include one or more TCP parameters that the intermediary device does not support;
  
  altering, at the intermediary device, the one or more proposed TCP parameters to produce an altered TCP SYN packet that indicates one or more altered TCP parameters, wherein the one or more altered TCP parameters do not include the one or more TCP parameters that the intermediary device does not support;
  
  sending the altered TCP packet from the intermediary device toward the second entity;
  
  receiving, at the intermediary device, a TCP SYN/ACK packet that indicates one or more accepted TCP parameters that a second entity has accepted for use in the original TCP connection;
  
  storing, at the intermediary device, one or more of the accepted TCP parameters in a connection block data structure;
  
  sending the TCP SYN/ACK packet from the intermediary device toward the first entity;
  
  based on the one or more TCP parameters that are stored in the connection block data structure, creating, at the intermediary device, a first TCP endpoint of a first TCP connection to the first entity without negotiating TCP parameters with the first entity;
  
  based on the one or more TCP parameters that are stored in the connection block data structure, creating, at the intermediary device, a second TCP endpoint of a second TCP connection to the second entity without negotiating TCP parameters with the second entity;
  
  receiving two or more data packets at the first TCP endpoint;
  
  in response to receiving each of the two or more data packets, sending a separate TCP ACK packet through the first TCP endpoint;
  
  forming a message by concatenating contents of the payload portions of the two or more data packets;
  
  determining whether any part of the message matches a specified pattern;
  
  if any part of the message matches the specified pattern, then dropping the two or more data packets so that the two or more data packets are not received by the second entity; and
  
  if no part of the message matches the specified pattern, then sending the two or more data packets through the second TCP endpoint.

14. A method of proxying a connection, the method comprising the computer-implemented steps of:
- intercepting, at an intermediary device, connection parameters that a first entity other than the intermediary device has negotiated with a second entity other than the intermediary device;
  
  based on the connection parameters intercepted at the intermediary device, forming a first;
  
  connection between the first entity and the intermediary device without negotiating connection parameters between the first entity and the intermediary device; and
  
  based on the connection parameters intercepted at the intermediary device, forming a second connection between the second entity and the intermediary device without negotiating connection parameters between the second entity and the intermediary device.

15. A computer-readable medium carrying one or more sequences of instructions for enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
  
  storing one or more of the TCP parameters in a connection block data structure;
  
  sending the TCP SYN/ACK packet toward the first entity;
  
  based on the one or more TCP parameters that are stored in the connection block data structure, creating a first TCP endpoint of a TCP connection to the first entity; and
  
  based on the one or more TCP parameters that are stored in the connection block data structure, creating a second TCP endpoint of a TCP connection to the second entity.

16. An apparatus that behaves as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, comprising:
- means for receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
  
  means for storing one or more of the TCP parameters in a connection block data structure;
  
  means for sending the TCP SYN/ACK packet toward the first entity;
  
  means for creating, based on the one or more TCP parameters that are stored in the connection block data structure, a first TCP endpoint of a first TCP connection to the first entity; and
  
  means for creating, based on the one or more TCP parameters that are stored in the connection block data structure, a second TCP endpoint of a second TCP connection to the second entity.

17. An apparatus that behaves as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
  
  storing one or more of the TCP parameters in a connection block data structure;
  
  sending the TCP SYN/ACK packet toward the first entity;
  
  based on the one or more TCP parameters that are stored in the connection block data structure, creating a first TCP endpoint of a first TCP connection to the first entity; and
  
  based on the one or more TCP parameters that are stored in the connection block data structure, creating a second TCP endpoint of a second TCP connection to the second entity.

18. A method comprising:
- receiving a network transport layer packet that indicates one or more parameters that a second entity has accepted for use in an original connection between the second entity and a first entity for which the packet is destined;
  
  storing one or more of the parameters in a connection data structure;
  
  sending the packet toward the first entity;
  
  based on the one or more parameters that are stored in the connection data structure, creating a first endpoint of a first connection to the first entity;
  
  based on the one or more parameters that are stored in the connection data structure, creating a second endpoint of a second connection to the second entity; and
  
  proxying communications between the first entity and the second entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mathison, Paul, Waterman, Alex, Majee, Sumandra, Kahol, Anurag

Granted Patent

US 9,118,717 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/230
CPC Class Codes

H04L 67/564   Enhancement of application ...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/24   Negotiation of communicatio...

Delayed network protocol proxy for packet inspection in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Delayed network protocol proxy for packet inspection in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links