Delayed network protocol proxy for packet inspection in a network
Abstract
An intermediary device, which behaves as a proxy for two entities after the entities have established a connection between themselves, is disclosed, as is a method that may be performed by such a device. The intermediary device can inspect a complete message, whose parts may be spread among multiple separate packets, without engaging in handshake phases with the message's origin or destination. As a first entity negotiates connection parameters with a second entity, the intermediary device stores the connection parameters as the parameters flow through the intermediary device. After the two entities have established an original connection, the intermediary device uses the intercepted parameters to form two separate connections in the place of the original connection: one between the intermediary device and the first entity, and another between the intermediary device and the second entity. To the entities, the newly formed connections appear to be the same as the original connection.
18 Claims
1. A method of enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, the method comprising the computer-implemented steps of:
receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
storing one or more of the TCP parameters in a connection block data structure;
sending the TCP SYN/ACK packet toward the first entity;
based on the one or more TCP parameters that are stored in the connection block data structure, creating a first TCP endpoint of a first TCP connection to the first entity; and
based on the one or more TCP parameters that are stored in the connection block data structure, creating a second TCP endpoint of a second TCP connection to the second entity.
Claims 2 through 12 depend from claim 1.
13. A method of enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, the method comprising the computer-implemented steps of:
receiving, at the intermediary device, an original Transmission Control Protocol (TCP) SYN packet that indicates one or more proposed TCP parameters that a first entity proposes for use in an original TCP connection between the first entity and a second entity for which the original TCP SYN packet is destined, wherein the one or more proposed TCP parameters include one or more TCP parameters that the intermediary device does not support;
altering, at the intermediary device, the one or more proposed TCP parameters to produce an altered TCP SYN packet that indicates one or more altered TCP parameters, wherein the one or more altered TCP parameters do not include the one or more TCP parameters that the intermediary device does not support;
sending the altered TCP packet from the intermediary device toward the second entity;
receiving, at the intermediary device, a TCP SYN/ACK packet that indicates one or more accepted TCP parameters that a second entity has accepted for use in the original TCP connection;
storing, at the intermediary device, one or more of the accepted TCP parameters in a connection block data structure;
sending the TCP SYN/ACK packet from the intermediary device toward the first entity;
based on the one or more TCP parameters that are stored in the connection block data structure, creating, at the intermediary device, a first TCP endpoint of a first TCP connection to the first entity without negotiating TCP parameters with the first entity;
based on the one or more TCP parameters that are stored in the connection block data structure, creating, at the intermediary device, a second TCP endpoint of a second TCP connection to the second entity without negotiating TCP parameters with the second entity;
receiving two or more data packets at the first TCP endpoint;
in response to receiving each of the two or more data packets, sending a separate TCP ACK packet through the first TCP endpoint;
forming a message by concatenating contents of the payload portions of the two or more data packets;
determining whether any part of the message matches a specified pattern;
if any part of the message matches the specified pattern, then dropping the two or more data packets so that the two or more data packets are not received by the second entity; and
if no part of the message matches the specified pattern, then sending the two or more data packets through the second TCP endpoint.
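The procedure the abstract and claim 13 describe, as an added worked example that is not part of the patent text or of any product implementing it: a Python simulation of the delayed proxy. The intermediary watches the three-way handshake between two hosts without taking part in it, strips TCP options it does not support from the client's SYN, copies the initial sequence numbers and accepted options from the SYN and SYN/ACK into a connection block, and only after the handshake completes instantiates two endpoints from those stored values. Client data is then acknowledged segment by segment, reassembled into a message, matched against a pattern, and either replayed through the server-side endpoint or discarded. The host addresses, sequence numbers, request bytes, the `SUPPORTED_OPTIONS` set, and the use of the PSH flag as the message boundary are all assumptions made for the example; real TCP stacks also track windows, timers and retransmission, which are left out here.

```python
import re
from dataclasses import dataclass, field

# Assumption (the claims leave the set unspecified): the proxy's own TCP stack understands
# only MSS, so SACK, window scaling and the like are stripped from the client's SYN.
SUPPORTED_OPTIONS = {"MSS"}

@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0
    options: dict = field(default_factory=dict)
    payload: bytes = b""

@dataclass
class ConnectionBlock:
    """The 'connection block data structure': values copied from the SYN and SYN/ACK in flight."""
    client: str
    server: str
    client_isn: int = 0
    server_isn: int = 0
    options: dict = field(default_factory=dict)

@dataclass
class Endpoint:
    """A TCP endpoint instantiated from stored parameters rather than by negotiation."""
    peer: str
    snd_nxt: int  # next sequence number this endpoint sends
    rcv_nxt: int  # next sequence number expected from the peer

class DelayedProxy:
    def __init__(self, pattern: bytes):
        self.pattern = re.compile(pattern, re.DOTALL)
        self.block = None
        self.to_client = self.to_server = None  # endpoints exist only after the handshake
        self.pending = []  # client data segments held until the message is complete
        self.out = []      # every segment the proxy emits, toward either side

    def handle(self, seg: Segment) -> None:
        f = seg.flags
        if f == {"SYN"}:  # claim 13: record the proposed parameters, strip unsupported options
            kept = {k: v for k, v in seg.options.items() if k in SUPPORTED_OPTIONS}
            self.block = ConnectionBlock(seg.src, seg.dst, client_isn=seg.seq, options=kept)
            self.out.append(Segment(seg.src, seg.dst, f, seg.seq, options=kept))
        elif f == {"SYN", "ACK"}:  # claim 1: store the accepted parameters, forward unchanged
            self.block.server_isn = seg.seq
            self.out.append(seg)
        elif f == {"ACK"} and not seg.payload and self.to_client is None:
            self.out.append(seg)  # the handshake completes between the entities themselves...
            b = self.block        # ...and only now is the connection split into two
            self.to_client = Endpoint(b.client, snd_nxt=b.server_isn + 1, rcv_nxt=b.client_isn + 1)
            self.to_server = Endpoint(b.server, snd_nxt=b.client_isn + 1, rcv_nxt=b.server_isn + 1)
        elif seg.payload and seg.src == self.block.client:
            self._inspect(seg)
        else:
            self.out.append(seg)  # server-to-client traffic is relayed uninspected in this model

    def _inspect(self, seg: Segment) -> None:
        ep = self.to_client
        if seg.seq != ep.rcv_nxt:  # out of order: withhold the ACK so the sender retransmits
            return
        ep.rcv_nxt += len(seg.payload)
        # Claim 13: ACK each segment so the sender keeps transmitting the rest of the message.
        self.out.append(Segment(self.block.server, seg.src, frozenset({"ACK"}), ep.snd_nxt, ep.rcv_nxt))
        self.pending.append(seg)
        if "PSH" not in seg.flags:  # assumption: PSH marks the end of an application message
            return
        message = b"".join(s.payload for s in self.pending)
        if not self.pattern.search(message):  # clean: replay through the server-side endpoint
            for s in self.pending:
                self.out.append(Segment(self.block.client, self.block.server, s.flags,
                                        self.to_server.snd_nxt, self.to_server.rcv_nxt, payload=s.payload))
                self.to_server.snd_nxt += len(s.payload)
        self.pending.clear()  # on a match the held segments are simply discarded

def run_scenario(parts: list[bytes], pattern: bytes) -> dict:
    """Constructed traffic: two hypothetical hosts handshake through the proxy, then the client sends `parts`."""
    client, server = "10.0.0.1", "10.0.0.2"
    proxy = DelayedProxy(pattern)
    proxy.handle(Segment(client, server, frozenset({"SYN"}), 1000,
                         options={"MSS": 1460, "SACK": True, "WSCALE": 7}))
    proxy.handle(Segment(server, client, frozenset({"SYN", "ACK"}), 5000, 1001, options={"MSS": 1460}))
    proxy.handle(Segment(client, server, frozenset({"ACK"}), 1001, 5001))
    seq = 1001
    for i, part in enumerate(parts):
        flags = {"ACK", "PSH"} if i == len(parts) - 1 else {"ACK"}
        proxy.handle(Segment(client, server, frozenset(flags), seq, 5001, payload=part))
        seq += len(part)
    return {
        "syn_options_forwarded": proxy.out[0].options,
        "acks_to_client": [s.ack for s in proxy.out if s.dst == client and s.flags == {"ACK"}],
        "server_received": b"".join(s.payload for s in proxy.out if s.dst == server),
        "per_packet_match": any(re.search(pattern, p) is not None for p in parts),
    }
```

Running `run_scenario` with a request split so that the string `../` straddles two segments shows why the concatenation step in claim 13 matters: no single packet matches the pattern, but the reassembled message does, and nothing reaches the server. Two properties of the scheme are worth keeping in mind when deploying or testing such a device. First, the proxy acknowledges every segment before it has decided anything, so a dropped message looks fully delivered to the client at the transport layer; the client sees an application-level stall, not a reset. Second, removing options from the SYN changes what the two hosts actually negotiate (here the server never sees SACK or window scaling), which is observable to either end and to anyone fingerprinting the path.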
14. A method of proxying a connection, the method comprising the computer-implemented steps of:
intercepting, at an intermediary device, connection parameters that a first entity other than the intermediary device has negotiated with a second entity other than the intermediary device;
based on the connection parameters intercepted at the intermediary device, forming a first connection between the first entity and the intermediary device without negotiating connection parameters between the first entity and the intermediary device; and
based on the connection parameters intercepted at the intermediary device, forming a second connection between the second entity and the intermediary device without negotiating connection parameters between the second entity and the intermediary device.
15. A computer-readable medium carrying one or more sequences of instructions for enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
storing one or more of the TCP parameters in a connection block data structure;
sending the TCP SYN/ACK packet toward the first entity;
based on the one or more TCP parameters that are stored in the connection block data structure, creating a first TCP endpoint of a TCP connection to the first entity; and
based on the one or more TCP parameters that are stored in the connection block data structure, creating a second TCP endpoint of a TCP connection to the second entity.
16. An apparatus that behaves as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, comprising:
means for receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
means for storing one or more of the TCP parameters in a connection block data structure;
means for sending the TCP SYN/ACK packet toward the first entity;
means for creating, based on the one or more TCP parameters that are stored in the connection block data structure, a first TCP endpoint of a first TCP connection to the first entity; and
means for creating, based on the one or more TCP parameters that are stored in the connection block data structure, a second TCP endpoint of a second TCP connection to the second entity.
17. An apparatus that behaves as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, comprising:
a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
a processor;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
receiving a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
storing one or more of the TCP parameters in a connection block data structure;
sending the TCP SYN/ACK packet toward the first entity;
based on the one or more TCP parameters that are stored in the connection block data structure, creating a first TCP endpoint of a first TCP connection to the first entity; and
based on the one or more TCP parameters that are stored in the connection block data structure, creating a second TCP endpoint of a second TCP connection to the second entity.
18. A method comprising:
receiving a network transport layer packet that indicates one or more parameters that a second entity has accepted for use in an original connection between the second entity and a first entity for which the packet is destined;
storing one or more of the parameters in a connection data structure;
sending the packet toward the first entity;
based on the one or more parameters that are stored in the connection data structure, creating a first endpoint of a first connection to the first entity;
based on the one or more parameters that are stored in the connection data structure, creating a second endpoint of a second connection to the second entity; and
proxying communications between the first entity and the second entity.