One-way proxy system

US 20060248582A1
Filed: 04/28/2005
Published: 11/02/2006
Est. Priority Date: 04/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method of operating an inline network appliance that intercepts data traffic flowing in a single transport control protocol (TCP) session between a first TCP endpoint and a second TCP endpoint for processing by a one-way analyzer, comprising:

receiving data traffic of a given TCP session from the first TCP endpoint with the inline network appliance;

providing the received data traffic from the first TCP endpoint to the analyzer for processing and receiving corresponding processed data traffic from the analyzer;

transmitting the data traffic that has been processed by the analyzer from the inline network appliance to the second TCP endpoint in the same given TCP session;

receiving data traffic in the same given TCP session from the second TCP endpoint at the inline network appliance in the same given TCP session;

modifying TCP acknowledgement numbers in the received data traffic at the inline network appliance in the same given TCP session; and

transmitting the data traffic containing the modified TCP acknowledgement numbers to the first TCP endpoint in the same given TCP session.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A one-way proxy system is provided that supports one-way analysis of a transport control protocol (TCP) data stream. The one-way proxy system is used to intercept a TCP data link between two respective TCP endpoints. A one-way analyzer such as a one-way content filter, virus scanner, or firewall may be used to analyze a TCP data stream that is intercepted by the one-way proxy system. The one way proxy system preserves TCP options and TCP properties associated with the TCP packets in the TCP data stream, so that an existing TCP session between the TCP endpoints can survive in the event of a hardware bypass operation. The one-way proxy has a low overhead because significant TCP processing of the TCP data stream is only required in one direction.

271 Citations

14 Claims

1. A method of operating an inline network appliance that intercepts data traffic flowing in a single transport control protocol (TCP) session between a first TCP endpoint and a second TCP endpoint for processing by a one-way analyzer, comprising:
- receiving data traffic of a given TCP session from the first TCP endpoint with the inline network appliance;
  
  providing the received data traffic from the first TCP endpoint to the analyzer for processing and receiving corresponding processed data traffic from the analyzer;
  
  transmitting the data traffic that has been processed by the analyzer from the inline network appliance to the second TCP endpoint in the same given TCP session;
  
  receiving data traffic in the same given TCP session from the second TCP endpoint at the inline network appliance in the same given TCP session;
  
  modifying TCP acknowledgement numbers in the received data traffic at the inline network appliance in the same given TCP session; and
  
  transmitting the data traffic containing the modified TCP acknowledgement numbers to the first TCP endpoint in the same given TCP session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method defined in claim 1 further comprising:
    - receiving a FIN signal from the second TCP endpoint and forwarding the FIN to the first TCP endpoint without acknowledging the FIN with the inline network appliance; and
      
      passing an acknowledgement that has been generated by the first TCP endpoint in response to the FIN to the second TCP endpoint.
  - 3. The method defined in claim 1 further comprising acknowledging data received from the second TCP endpoint only by passing acknowledgements to the second TCP endpoint that have been received from the first TCP endpoint.
  - 4. The method defined in claim 1 wherein receiving the data traffic from the second TCP endpoint and transmitting the data traffic received from the second TCP endpoint comprises receiving and transmitting the data traffic of the same given TCP session without reordering out of order packets in the data traffic at the inline network appliance.
  - 5. The method defined in claim 1 wherein receiving the data traffic from the second TCP endpoint and transmitting the data traffic received from the second TCP endpoint comprises receiving and transmitting the data traffic of the same given TCP session without queuing the data traffic at the inline network appliance.
  - 6. The method defined in claim 1 wherein receiving the data traffic from the second TCP endpoint and transmitting the data traffic received from the second TCP endpoint comprises receiving and transmitting the data traffic of the same given TCP session without performing fragment reassembly operations on the data traffic at the inline network appliance.
  - 7. The method defined in claim 1 wherein the data traffic received from the first TCP endpoint includes TCP packets and wherein the analyzer processes the packets and inserts additional packets, and wherein the analyzer provides the processed and inserted packets to a transmitter at the inline network appliance, the method further comprising:
    - using the transmitter to provide time stamp values to the processed and inserted packets that pass a prevention against wrapped sequence (PAWS) check performed at the second TCP endpoint.
  - 8. The method defined in claim 1 further comprising:
    - retaining sequence number information in the data traffic of the same given TCP session from the first TCP endpoint at the inline network appliance;
      
      receiving an acknowledgement number from the second TCP endpoint in the same given TCP session;
      
      at the inline network appliance, updating the acknowledgement number received from the second TCP endpoint with a value corresponding to the retained sequence number information from the data traffic received from first TCP endpoint; and
      
      transmitting a TCP packet containing the updated acknowledgement number to the first TCP endpoint from the inline network appliance.
  - 9. The method defined in claim 1 further comprising:
    - at the inline network appliance, receiving a TCP packet containing a SACK from the second TCP endpoint;
      
      responding to the SACK by retransmitting missing data to the second TCP endpoint from the inline network appliance;
      
      at the inline network appliance, replacing the SACK in the received TCP packet with a NOP; and
      
      transmitting the TCP packet with the NOP to the first TCP endpoint.
  - 10. The method defined in claim 1 further comprising using the inline network appliance to adjust a window size parameter in the data traffic that is being transmitted to the first TCP endpoint.
  - 11. The method defined in claim 1 wherein the inline network appliance contains an outgoing data queue in which TCP packets associated with the transmitted TCP data traffic are queued, the method further comprising:
    - monitoring the outgoing data queue while transmitting the TCP data traffic to the second TCP endpoint; and
      
      if it is determined that the outgoing data queue is too full, automatically creating backpressure by reducing a widow size parameter in the TCP data traffic that is being transmitted to the first TCP endpoint.
  - 12. The method defined in claim 1 further comprising:
    - extracting a TCP header from a TCP packet in the data traffic received from the second TCP endpoint;
      
      modifying the TCP header;
      
      identifying a change between the TCP header and the modified TCP header;
      
      calculating a new checksum based on an old checksum value associated with the TCP packet and the identified change;
      
      replacing the old checksum with the new checksum in the TCP packet; and
      
      transmitting the TCP packet with the new checksum to the first TCP endpoint.

13. An inline network appliance that intercepts data flowing in a single transport control protocol (TCP) session between a first TCP endpoint and a second TCP endpoint for processing by a one-way analyzer, comprising:
- a TCP receiver that receives data from the first TCP endpoint, validates TCP headers, reorders out-of-order packets, and provides the data to the one-way analyzer;
  
  a TCP transmitter that transmits the data to the second TCP endpoint after processing by the one-way analyzer; and
  
  a TCP adapter that receives data from the second TCP endpoint, modifies TCP packet headers in the data, and transmits the data with the modified TCP packet headers to the first TCP endpoint.

14. A method for operating an inline network appliance that intercepts data flowing in a single transport control protocol (TCP) session between a first TCP endpoint and a second TCP endpoint for processing by an analyzer so that the TCP session survives in the event of a hardware bypass, wherein the inline network appliance has a hardware bypass switch through which the data is directed when the inline network appliance enters hardware bypass mode, comprising:
- in establishing the TCP session, receiving a TCP SYN packet for the TCP session from the one of the TCP endpoints;
  
  in establishing the TCP session, transmitting the received TCP SYN packet to the other of the TCP endpoints;
  
  after the TCP session has been established, receiving data from the first TCP endpoint and providing the received data to the analyzer for processing;
  
  retaining the highest time stamp value that has been received in the data from the first TCP endpoint; and
  
  receiving the processed data from the analyzer and transmitting the processed data to the second TCP endpoint in TCP data packets that use the retained time stamp value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Toshniwal, Rohit K., Panjwani, Dileep Kumar

Granted Patent

US 8,069,250 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 43/18   Protocol analysers

H04L 47/10   Flow control; Congestion co...

H04L 47/193   at the transport layer, e.g...

H04L 47/263   Rate modification at the so...

H04L 47/27   Evaluation or update of win...

H04L 67/56   Provisioning of proxy servi...

H04L 67/564   Enhancement of application ...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

One-way proxy system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

271 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

One-way proxy system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

271 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others