Technique for processing data packets in a communication network
Abstract
A technique for processing secure data packets that are, and that are not, directly addressed to a policy enforcement point (PEP). The present invention incorporates a dual internal path for the fast-path processing of secure data packets at a PEP. A first path is used to process secure data packets addressed to the PEP. A second path is used to process secure data packets not addressed to the PEP. On the first path, secure data packets addressed to the PEP are transferred to the PEP for immediate processing. On the second path, a series of checks is performed to maximize the speed of processing the secure data packets. In addition, policies associated with the secure data packets are retrieved, and destination address/mask combinations are compared against the destination addresses in the secure data packets to determine whether the packets are to be further processed or dropped.
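As an added illustration (not code from the patent), the following Python sketch models the abstract's dual internal path: a packet whose outer destination is the PEP takes the first path and is delivered immediately; any other packet takes the second path, where the outer header selects a policy and the inner destination is checked against that policy's address/mask ranges before the packet is forwarded or dropped. All addresses, SPIs and the policy table are constructed, the use of the outer SPI as part of the policy key is an assumption, and decryption of the inner packet is omitted (the inner destination is assumed to be available).

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed values: the PEP's own address and a small policy table.
PEP_ADDRESS = ipaddress.ip_address("203.0.113.1")


@dataclass(frozen=True)
class OuterHeader:
    src: str   # outer (tunnel) source address
    dst: str   # outer (tunnel) destination address
    spi: int   # assumption: the policy key includes the outer SPI


@dataclass(frozen=True)
class SecurePacket:
    outer: OuterHeader
    inner_dst: str  # inner destination, assumed available after decryption


# Assumed policy store: outer-header key -> permitted destination address/mask ranges.
POLICIES = {
    ("198.51.100.7", "203.0.113.9", 0x1001): [ipaddress.ip_network("10.1.0.0/16")],
    ("198.51.100.7", "203.0.113.9", 0x1002): [ipaddress.ip_network("10.2.0.0/24"),
                                              ipaddress.ip_network("10.3.3.0/24")],
}


def select_path(pkt: SecurePacket) -> str:
    """First path when the outer destination is the PEP itself, else second path."""
    return "first" if ipaddress.ip_address(pkt.outer.dst) == PEP_ADDRESS else "second"


def process(pkt: SecurePacket) -> Tuple[str, str]:
    """Return (path, verdict); verdict is 'deliver' (to the PEP), 'forward' or 'drop'."""
    path = select_path(pkt)
    if path == "first":
        return path, "deliver"      # addressed to the PEP: hand over immediately
    key = (pkt.outer.src, pkt.outer.dst, pkt.outer.spi)
    ranges = POLICIES.get(key)
    if ranges is None:
        return path, "drop"         # check 1: no policy for this outer header
    inner = ipaddress.ip_address(pkt.inner_dst)
    if not any(inner in net for net in ranges):
        return path, "drop"         # check 2: inner destination outside policy ranges
    return path, "forward"
```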
73 Citations
22 Claims
1. A method for processing data packets, the method comprising the steps of:
receiving a first frame at a secure gateway of a communication network, the first frame containing a data packet, a first network header portion and a first transport layer header portion;
identifying a policy associated with the data packet using the information on the first network header portion and on the first transport layer header portion;
determining a mode of transmitting the data packet to a destination in accordance with the entry; and
if the mode of transmitting requires for the data packet to be secured using a security standard and/or protocol, encrypting the data packet.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A method for processing data packets, the method comprising:
receiving a frame having a secure data packet at a secure gateway of a communication network, the secure data packet containing an encrypted inner data packet and an outer header portion;
incorporating a dual internal path at the secure gateway for processing the secure data packet, the secure data packet is routed through a first path or a second path of the dual internal path at the secure gateway; and
using the information on the outer header portion to identify a policy associated with the secure data packet, the policy indicating a range of addresses.
(Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16)

17. A security gateway in a communication network comprising:
a module receiving a frame at a secure gateway of a communication network, the frame containing a data packet, a network header portion and a first transport layer header portion; and
a processor for:
a) identifying a policy associated with the data packet using the information on the first network header portion and on the first transport layer header portion;
b) determining a mode of transmitting the data packet to a destination in accordance with the entry; and
c) if the mode of transmitting requires for the data packet to be secured using a security standard and/or protocol, encrypting the data packet.

18. A security gateway in a communication network comprising:
a module receiving a frame having a secure data packet at a secure gateway of a communication network, the secure data packet containing an encrypted inner data packet and an outer header portion; and
a processor for:
a) incorporating a dual internal path at the secure gateway for processing the secure data packet, the secure data packet is routed through a first path or a second path of the dual internal path at the secure gateway; and
b) using the information on the outer header portion to identify a policy associated with the secure data packet, the policy indicating a range of addresses.
(Dependent claims: 19, 20)

21. A computer readable medium having computer readable program codes embodied therein for processing data packets, the computer readable medium program codes performing functions comprising:
a routine for receiving a frame at a secure gateway of a communication network, the frame containing a data packet, a network header portion and a transport layer header portion;
a routine for identifying a policy associated with the data packet using the information on the network header portion and on the transport layer header portion;
a routine for determining a mode of transmitting the data packet to a destination in accordance with the entry; and
a routine for encrypting the data packet if the mode of transmitting requires for the data packet to be secured using a security standard and/or protocol.

22. A computer readable medium having computer readable program codes embodied therein for processing data packets, the computer readable medium program codes performing functions comprising:
a routine for receiving a frame having a secure data packet at a secure gateway of a communication network, the secure data packet containing an encrypted inner data packet and an outer header portion;
a routine for incorporating a dual internal path at the secure gateway for processing the secure data packet, the secure data packet is routed through a first path or a second path of the dual internal path at the secure gateway; and
a routine for using the information on the outer header portion to identify a policy associated with the secure data packet, the policy indicating a range of addresses.
Specification