Securing network traffic using distributed key generation and dissemination over secure tunnels
Abstract
A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security keys where key generation, key distribution, policy generation and policy distribution are separated, with inner to outer header replication on packet traffic. The approach permits encrypted messages to travel seamlessly through various otherwise unsecured internetworking devices.
27 Claims
1. A method for securing message traffic in a data network using a security protocol, the method comprising the steps of:
at a policy enforcement point (PEP) within a network of PEPs, determining a security policy definition to be applied to the traffic across the network, the policy definition including at least a definition of the traffic to be secured and parameters to be applied to the secured traffic;
generating an outbound key to be used in securing the traffic;
distributing the outbound key to peer PEPs in the network of PEPs;
receiving an outbound packet, the outbound packet having original source and destination addresses;
applying security processing to the outbound packet according to the security policy; and
forwarding the secured packet in the network using the security protocol, the secured packet having at least a partially unsecured header portion indicating at least one of the original source and destination addresses. (Dependent claims 2 through 13 are not reproduced on this page.)
14. A policy enforcement point (PEP) within a network of PEPs, the PEP comprising:
a security policy definition to be applied to the traffic across the network, the policy definition including at least a definition of the traffic to be secured and parameters to be applied to the secured traffic;
an outbound key to be used in securing the traffic, the outbound key being distributed to peer PEPs in the network of PEPs;
means for receiving an outbound packet, the outbound packet having original source and destination addresses;
means for applying security processing to the outbound packet according to the security policy; and
means for forwarding the secured packet in the network using the security protocol, the secured packet having at least a partially unsecured header portion indicating at least one of the original source and destination addresses. (Dependent claims 15 through 26 are not reproduced on this page.)
27. A computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network using a security protocol at a policy enforcement point (PEP) within a network of PEPs, the computer readable medium program codes performing functions comprising:
a routine for determining a security policy definition to be applied to the traffic across the network, the policy definition including at least a definition of the traffic to be secured and parameters to be applied to the secured traffic;
a routine for generating an outbound key to be used in securing the traffic;
a routine for distributing the outbound key to peer PEPs in the network of PEPs;
a routine for receiving an outbound packet, the outbound packet having original source and destination addresses;
a routine for applying security processing to the outbound packet according to the security policy; and
a routine for forwarding the secured packet in the network using the security protocol, the secured packet having at least a partially unsecured header portion indicating at least one of the original source and destination addresses.
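The three independent claims describe one procedure. The Python simulation below is added here as an illustration and is not code from the patent: a constructed policy table (protect traffic to 10.2.0.0/16, bypass the rest), an outbound key generated at one PEP and pushed to a peer PEP, and a packet secured so that its cleartext outer header still carries the original source and destination addresses while the integrity tag covers them, so a device that rewrites those replicated addresses is detected at the receiving PEP. HMAC-SHA256 in counter mode stands in for the IPsec cipher, and in-memory peer objects stand in for the secure tunnels of the title; the names `Policy`, `PEP`, `keystream` and `build_pair` are the example's own.

```python
import hashlib, hmac, ipaddress, secrets
from dataclasses import dataclass
@dataclass
class Policy:
    selector: ipaddress.IPv4Network  # definition of the traffic to be secured (by destination)
    action: str                      # parameter applied to matching traffic: "protect" or "bypass"

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF; a real PEP would use an AEAD cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

class PEP:
    def __init__(self, name: str, policies: list):
        self.name, self.policies, self.peers, self.keys = name, policies, [], {}

    def generate_and_distribute(self) -> None:
        # key generation is separate from distribution: made here, then pushed to every peer PEP
        self.keys[self.name] = key = secrets.token_bytes(32)
        for peer in self.peers:  # stand-in for the secure tunnel of the title
            peer.keys[self.name] = key

    def secure(self, src: str, dst: str, payload: bytes) -> dict:
        pol = next((p for p in self.policies if ipaddress.ip_address(dst) in p.selector), None)
        if pol is None or pol.action == "bypass":
            return {"src": src, "dst": dst, "pep": None, "body": payload}
        key, nonce = self.keys[self.name], secrets.token_bytes(12)
        body = bytes(a ^ b for a, b in zip(payload, keystream(key, nonce, len(payload))))
        # the outer header replicates the original addresses in the clear, but the MAC covers them
        aad = f"{src}>{dst}".encode() + nonce
        tag = hmac.new(key, aad + body, hashlib.sha256).digest()
        return {"src": src, "dst": dst, "pep": self.name, "nonce": nonce, "body": body, "tag": tag}

    def open(self, pkt: dict) -> bytes:
        if pkt["pep"] is None:
            return pkt["body"]
        key = self.keys[pkt["pep"]]  # the outbound key the originating PEP distributed to us
        aad = f"{pkt['src']}>{pkt['dst']}".encode() + pkt["nonce"]
        tag = hmac.new(key, aad + pkt["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, pkt["tag"]):
            raise ValueError("integrity check failed: header or body altered in transit")
        return bytes(a ^ b for a, b in zip(pkt["body"], keystream(key, pkt["nonce"], len(pkt["body"]))))

def build_pair() -> tuple:
    # constructed sample policy: protect traffic to 10.2.0.0/16, let everything else through
    policies = [Policy(ipaddress.ip_network("10.2.0.0/16"), "protect"), Policy(ipaddress.ip_network("0.0.0.0/0"), "bypass")]
    a, b = PEP("pep-a", policies), PEP("pep-b", policies)
    a.peers = [b]
    a.generate_and_distribute()
    return a, b
```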