Technique for processing data packets in a communication network

US 20070214502A1
Filed: 01/30/2007
Published: 09/13/2007
Est. Priority Date: 03/08/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for processing data packets, the method comprising the steps of:

receiving a first frame at a secure gateway of a communication network, the first frame containing a data packet, a first network header portion and a first transport layer header portion;

identifying a policy associated with the data packet using the information on the first network header portion and on the first transport layer header portion;

determining a mode of transmitting the data packet to a destination in accordance with the entry; and

if the mode of transmitting requires for the data packet to be secured using a security standard and/or protocol, encrypting the data packet.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for processing secure data packets that are directly and not directly addressed to a policy enforcement point (PEP). The present invention incorporates a dual internal path for the fast path processing of secure data packets at a PEP. A first path is used to process secure data packets addressed to the PEP. A second path is used to process secure data packets not addressed to the PEP. On the first path, secure data packets addressed to the PEP are transferred to the PEP for immediate processing. On the second path, a series of checks are performed to maximize the speed of processing the secure data packets. In addition, policies associated with the secure data packets are retrieved and destination address/mask combinations are used along with destination addresses in the secure data packets to determine if the packets are to be further processed or dropped.

73 Citations

View as Search Results

22 Claims

1. A method for processing data packets, the method comprising the steps of:
- receiving a first frame at a secure gateway of a communication network, the first frame containing a data packet, a first network header portion and a first transport layer header portion;
  
  identifying a policy associated with the data packet using the information on the first network header portion and on the first transport layer header portion;
  
  determining a mode of transmitting the data packet to a destination in accordance with the entry; and
  
  if the mode of transmitting requires for the data packet to be secured using a security standard and/or protocol, encrypting the data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the step of identifying a policy using the information on the first network header portion and on the first transport layer portion header portion includes retrieving the policy
  - 3. The method of claim 1, wherein if the mode of transmitting requires for the data packet to be secured using a security standard and/or protocol, encrypting the data packet according to the policy.
  - 4. The method of claim 1 further including, if the mode of transmitting requires for the packet to be secured using a security standard and/or protocol, encapsulating the encrypted data packet and producing an IPsec packet, the IPsec packet including an outer header portion.
  - 5. The method of claim 4 further including generating an outbound frame and placing the IPsec packet in the outbound frame.
  - 6. The method of claim 5, wherein if a distributed key mode is operating, the secure gateway copies the information on the first network header portion and on the first transport layer portion of the data packet to the outer header portion of the IPsec packet.
  - 7. The method of claim 5 further includes a step of transmitting the outbound frame via one or more routers, wherein the one or more routers generate a second frame containing the IPsec packet, the second frame having a second network header portion and a second transport layer portion.

8. A method for processing data packets, the method comprising:
- receiving a frame having a secure data packet at a secure gateway of a communication network, the secure data packet containing an encrypted inner data packet and an outer header portion;
  
  incorporating a dual internal path at the secure gateway for processing the secure data packet, the secure data packet is routed through a first path or a second path of the dual internal path at the secure gateway; and
  
  using the information on the outer header portion to identify a policy associated with the secure data packet, the policy indicating a range of addresses.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein the encrypted inner data packet is an IPsec packet.
  - 10. The method of claim 8, wherein the routing of the frame is determined by the information on the outer header portion of the frame.
  - 11. The method of claim 10, wherein the information on the outer header portion includes a security parameter index (SPI) and a destination address.
  - 12. The method of claim 8, wherein:
    - the first path processes the frame with an address directed to the secure gateway; and
      
      the second path processes the frame with an address not directed to the secure gateway.
  - 13. The method of claim 8, wherein operating a dual internal path at the secure gateway for processing the secure data packet includes determining if the secure gateway is operating a distributed key mode.
  - 14. The method of claim 8 further including retrieving a policy of the secure gateway associated the secure data packet if the information on the outer header portion matches with the policy, wherein the information is a SPI.
  - 15. The method of claim 14 further including the steps of:
    - a) decrypting the encrypted inner data packet if the destination address matches the range of addresses; and
      
      b) authenticating the decrypted inner data packet.
  - 16. The method of claim 9 further including generating a destination frame for the decrypted inner data packet to be forwarded onto a destination.

17. A security gateway in a communication network comprising:
- a module receiving a frame at a secure gateway of a communication network, the frame containing a data packet, a network header portion and a first transport layer header portion; and
  
  a processor for;
  
  a) identifying a policy associated with the data packet using the information on the first network header portion and on the first transport layer header portion;
  
  b) determining a mode of transmitting the data packet to a destination in accordance with the entry; and
  
  c) if the mode of transmitting requires for the data packet to be secured using a security standard and/or protocol, encrypting the data packet.

18. A security gateway in a communication network comprising:
- a module receiving a frame having a secure data packet at a secure gateway of a communication network, the secure data packet containing an encrypted inner data packet and an outer header portion; and
  
  a processor for;
  
  a) incorporating a dual internal path at the secure gateway for processing the secure data packet, the secure data packet is routed through a first path or a second path of the dual internal path at the secure gateway; and
  
  b) using the information on the outer header portion to identify a policy associated with the secure data packet, the policy indicating a range of addresses.
- View Dependent Claims (19, 20)
- - 19. The security gateway of claim 18, wherein the processor includes a security association table.
  - 20. The security gateway of claim 18 further including a data structure configured to hold policy information that is applied to the secure data packet.

21. A computer readable medium having computer readable program codes embodied therein for processing data packets, the computer readable medium program codes performing functions comprising:
- a routine for receiving a frame at a secure gateway of a communication network, the frame containing a data packet, a network header portion and a transport layer header portion;
  
  a routine for identifying a policy associated with the data packet using the information on the network header portion and on the transport layer header portion;
  
  a routine for determining a mode of transmitting the data packet to a destination in accordance with the entry; and
  
  a routine for, encrypting the data packet if the mode of transmitting requires for the data packet to be secured using a security standard and/or protocol.

22. A computer readable medium having computer readable program codes embodied therein for processing data packets, the computer readable medium program codes performing functions comprising:
- a routine for receiving a frame having a secure data packet at a secure gateway of a communication network, the secure data packet containing an encrypted inner data packet and an outer header portion;
  
  a routine for incorporating a dual internal path at the secure gateway for processing the secure data packet, the secure data packet is routed through a first path or a second path of the dual internal path at the secure gateway; and
  
  a routine for using the information on the outer header portion to identify a policy associated with the secure data packet, the policy indicates a range of addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
McAlister, Donald

Application Number

US11/699,765
Publication Number

US 20070214502A1
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

Technique for processing data packets in a communication network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Technique for processing data packets in a communication network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links