Sequence number based TCP session proxy

US 20070283429A1
Filed: 05/30/2006
Published: 12/06/2007
Est. Priority Date: 05/30/2006
Status: Abandoned Application

First Claim

Patent Images

1. In a computer communication network including a firewall protecting a secured host against attack from outside computers, the host and an outside computer communicating through the firewall via data packets including byte sequence numbers, a method for processing communications between the host and computer, one of which acts as a source and the other as a destination for the communication, said method comprising the steps of:

defining a sequence number offset which characterizes the byte sequence number received by the firewall from the source and the byte sequence number the firewall will provide to the destination for that communication; and

in the firewall, combining the offset with a source byte sequence number in a packet the firewall receives from the source to determine a corresponding destination byte sequence number the firewall will provide to the destination in place of the source byte sequence number.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computer communication network including a firewall which protects a secured host against attack from outside computers, the host communicating with an outside computer, through the firewall, via data packets which include byte sequence numbers. In a communication between the host and computer in which one of them acts as a source and the other as a destination for the communication, a sequence number offset is derived by the firewall which characterizes the byte sequence number received from the source and the byte sequence number the firewall will provide to the destination for that communication. In a communication received from the source, the firewall adds the offset to byte sequence numbers in a packet passing between the source and destination, in order to determine the byte sequence numbers it will provide to the destination. Thus, proper sequence numbers can be provided to both locations, without the firewall having to restructure packets. This speeds communication between the source and destination and substantially reduces the commitment of processing and storage resources.

87 Citations

View as Search Results

40 Claims

1. In a computer communication network including a firewall protecting a secured host against attack from outside computers, the host and an outside computer communicating through the firewall via data packets including byte sequence numbers, a method for processing communications between the host and computer, one of which acts as a source and the other as a destination for the communication, said method comprising the steps of:
- defining a sequence number offset which characterizes the byte sequence number received by the firewall from the source and the byte sequence number the firewall will provide to the destination for that communication; and
  
  in the firewall, combining the offset with a source byte sequence number in a packet the firewall receives from the source to determine a corresponding destination byte sequence number the firewall will provide to the destination in place of the source byte sequence number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein the offset is a combination of an initial byte sequence number that the firewall provides to the destination and an initial byte sequence number that the source provides to the firewall.
  - 3. The method of claim 2 wherein the combination is a subtraction.
  - 4. The method of claim 3 wherein the combining step is an addition.
  - 5. The method of claim 1 wherein the combining step is an addition.
  - 6. The method of claim 5 further comprising performing an additional combining step with a different source byte sequence number than that in the combining step.
  - 7. The method of claim 6 wherein the combining step is performed apart from the additional combining step and the additional combining step is one of:
    - a substitute for the combining step; and
      
      performed simultaneously with the combining step.
  - 8. The method of claim 5 further comprising the additional steps of:
    - defining a second offset which characterizes;
      
      a byte sequence number received by the firewall from the destination in a reverse communication; and
      
      the byte sequence number the firewall will provide to the source for the reverse communication; and
      
      in the firewall, combining the second offset with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.
  - 9. The method of claim 4 further comprising performing an additional combining step with a different source byte sequence number than that in the combining step.
  - 10. The method of claim 9 wherein the combining step is performed apart from the additional combining step and the additional combining step is one of:
    - a substitute for the combining step; and
      
      performed simultaneously with the combining step.
  - 11. The method of claim 4 further comprising the additional steps of:
    - defining a second offset which characterizes;
      
      a byte sequence number received by the firewall from the destination in a reverse communication; and
      
      the byte sequence number the firewall will provide to the source for the reverse communication; and
      
      in the firewall, combining the second offset with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.
  - 12. The method of claim 3 further comprising performing an additional combining step with a different source byte sequence number than that in the combining step.
  - 13. The method of claim 12 wherein the combining step is performed apart from the additional combining step and the additional combining step is one of:
    - a substitute for the combining step; and
      
      performed simultaneously with the combining step.
  - 14. The method of claim 3 further comprising the additional steps of:
    - defining a second offset which characterizes;
      
      a byte sequence number received by the firewall from the destination in a reverse communication; and
      
      the byte sequence number the firewall will provide to the source for the reverse communication; and
      
      in the firewall, combining the second offset with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.
  - 15. The method of claim 2 further comprising performing an additional combining step with a different source byte sequence number than that in the combining step.
  - 16. The method of claim 15 wherein the combining step is performed apart from the additional combining step and the additional combining step is one of:
    - a substitute for the combining step; and
      
      performed simultaneously with the combining step.
  - 17. The method of claim 2 further comprising the additional steps of:
    - defining a second offset which characterizes;
      
      a byte sequence number received by the firewall from the destination in a reverse communication; and
      
      the byte sequence number the firewall will provide to the source for the reverse communication; and
      
      in the firewall, combining the second offset with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.
  - 18. The method of claim 1 further comprising performing an additional combining step with a different source byte sequence number than that in the combining step.
  - 19. The method of claim 18 wherein the combining step is performed apart from the additional combining step and the additional combining step is one of:
    - a substitute for the combining step; and
      
      performed simultaneously with the combining step.
  - 20. The method of claim 1 further comprising the additional steps of:
    - defining a second offset which characterizes;
      
      a byte sequence number received by the firewall from the destination in a reverse communication; and
      
      the byte sequence number the firewall will provide to the source for the reverse communication; and
      
      in the firewall, combining the second offset with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.

21. A firewall for use in a computer communication network to protect a secured host against attack from outside computers, the host and an outside computer communicating through the firewall via data packets including byte sequence numbers, one of them acting as a source and the other as a destination for a communication, the firewall comprising:
- an offset processor generating an offset code which characterizes the byte sequence number received by the firewall from the source and corresponding byte sequence number the firewall provides to the destination for that communication; and
  
  a combiner combining the offset with a source byte sequence number in a packet the firewall receives from the source to determine a corresponding destination byte sequence number the firewall will provides to the destination in place of the source byte sequence number.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The firewall of claim 21 wherein the offset processor combines an initial byte sequence number that the firewall provides to the destination an initial byte sequence number that the source provides to the firewall to produce the offset code.
  - 23. The firewall of claim 22 wherein the offset processor performs a subtraction.
  - 24. The firewall of claim 23 wherein the combiner performs an addition.
  - 25. The firewall of claim 21 wherein the combiner performs an addition.
  - 26. The firewall of claim 25 further comprising an additional offset processor and an additional combiner to permit simultaneous processing of a different source byte sequence number than the combiner.
  - 27. The firewall of claim 26 wherein the additional combiner one of:
    - substitutes for the combiner; and
      
      operates simultaneously with the combiner.
  - 28. The firewall of claim 25 further comprising:
    - a second offset processor generating a second offset code which characterizes a byte sequence number received by the firewall from the destination in a reverse communication and a corresponding byte sequence number the firewall provides to the source for that reverse communication; and
      
      a second combiner combining the second offset code with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.
  - 29. The firewall of claim 24 further comprising an additional offset processor and an additional combiner to permit simultaneous processing of a different source byte sequence number than the combiner.
  - 30. The firewall of claim 29 wherein the additional combiner one of:
    - substitutes for the combiner; and
      
      operates simultaneously with the combiner.
  - 31. The firewall of claim 24 further comprising:
    - a second offset processor generating a second offset code which characterizes a byte sequence number received by the firewall from the destination in a reverse communication and a corresponding byte sequence number the firewall provides to the source for that reverse communication; and
      
      a second combiner combining the second offset code with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.
  - 32. The firewall of claim 23 further comprising an additional offset processor and an additional combiner to permit simultaneous processing of a different source byte sequence number than the combiner.
  - 33. The firewall of claim 32 wherein the additional combiner one of:
    - substitutes for the combiner; and
      
      operates simultaneously with the combiner.
  - 34. The firewall of claim 23 further comprising:
    - a second offset processor generating a second offset code which characterizes a byte sequence number received by the firewall from the destination in a reverse communication and a corresponding byte sequence number the firewall provides to the source for that reverse communication; and
      
      a second combiner combining the second offset code with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.
  - 35. The firewall of claim 22 further comprising an additional offset processor and an additional combiner to permit simultaneous processing of a different source byte sequence number than the combiner.
  - 36. The firewall of claim 35 wherein the additional combiner one of:
    - substitutes for the combiner; and
      
      operates simultaneously with the combiner.
  - 37. The firewall of claim 22 further comprising:
    - a second offset processor generating a second offset code which characterizes a byte sequence number received by the firewall from the destination in a reverse communication and a corresponding byte sequence number the firewall provides to the source for that reverse communication; and
      
      a second combiner combining the second offset code with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.
  - 38. The firewall of claim 21 further comprising an additional offset processor and an additional combiner to permit simultaneous processing of a different source byte sequence number than the combiner.
  - 39. The firewall of claim 38 wherein the additional combiner one of:
    - substitutes for the combiner; and
      
      operates simultaneously with the combiner.
  - 40. The firewall of claim 21 further comprising:
    - a second offset processor generating a second offset code which characterizes a byte sequence number received by the firewall from the destination in a reverse communication and a corresponding byte sequence number the firewall provides to the source for that reverse communication; and
      
      a second combiner combining the second offset code with a byte sequence number in a packet the firewall receives from the destination to determine a corresponding byte sequence number the firewall will provide to the source in place of the destination byte sequence number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Szeto, Ronald Wai Lun, Hwang, Shih-Tsung

Application Number

US11/442,774
Publication Number

US 20070283429A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0254 Stateful filtering

H04L 63/1458 Denial of Service

Sequence number based TCP session proxy

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Sequence number based TCP session proxy

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links