Fragmenting security encapsulated ethernet frames

US 20080162922A1
Filed: 12/27/2006
Published: 07/03/2008
Est. Priority Date: 12/27/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for fragmenting a security encapsulated data packet comprising:

security encapsulating a data packet to form a security encapsulated data packet; and

fragmenting the security encapsulated data packet in an event the size of the security encapsulated data packet exceeds a maximum data packet size capable of being transmitted over a communications pathway.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing security functions, such as data origin authentication, data integrity, and data confidentiality to data packets communicated over a communications pathway, in some instances, may result in data packets too large in size to be communicated over the pathway. A technique is provided which security encapsulates a data packet, and in event the size of the security encapsulated data packet exceeds a maximum data packet size capable of being transmitted over a communications pathway, fragments the security encapsulated data packet. As such, the provided technique enables data packets to be secured with security functions and to be communicated over the communications pathway without being impacted by or otherwise affected by the properties of the communications pathway.

Citations

21 Claims

1. A method for fragmenting a security encapsulated data packet comprising:
- security encapsulating a data packet to form a security encapsulated data packet; and
  
  fragmenting the security encapsulated data packet in an event the size of the security encapsulated data packet exceeds a maximum data packet size capable of being transmitted over a communications pathway.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein fragmenting includes dividing the security encapsulated data packet into a first security encapsulated data fragment and at least one second security encapsulated data fragment, each security encapsulated data fragment having a portion of an encrypted payload of the security encapsulated data packet, a data fragment header identical to a data packet header of the security encapsulated data packet, and an encapsulation header.
  - 3. The method of claim 1 wherein fragmenting includes re-assembling the security encapsulated data packet from a first security encapsulated data fragment and at least one second security encapsulated data fragment, each security encapsulated data fragment having a portion of an encrypted payload of the security encapsulated data packet, a data fragment header identical to the data packet header of the security encapsulated data packet, and an encapsulation header.
  - 4. The method of claim 2 wherein dividing includes:
    - identifying each security encapsulated data fragment associated with the security encapsulated data packet being divided with a fragment identifier; and
      
      setting a fragment flag in an event a security encapsulated data fragment is a beginning fragment.
  - 5. The method of claim 4 further comprising setting a second fragment flag in an event a security encapsulated data fragment is an ending fragment.
  - 6. The method of claim 4 wherein identifying includes reusing fragment identifiers in an event the number of security encapsulated data fragments exceeds the number of fragment identifiers available.
  - 7. The method of claim 4 wherein identifying includes reusing fragment identifiers in a round-robin manner in an event the number of security encapsulated data fragments exceeds the number of fragment identifiers available.
  - 8. The method of claim 3 wherein re-assembling includes associating each security encapsulated data fragment with a security encapsulated data packet being re-assembled using a fragment identifier of each security encapsulated data fragment and a time of receipt of each security encapsulated data fragment.
  - 9. The method of claim 3 wherein re-assembling includes:
    - identifying each security encapsulated data fragment associated with the security encapsulated data packet being re-assembled from a fragment identifier and a fragment flag;
      
      time-stamping each security encapsulated data fragment with a time of receipt; and
      
      discarding a security encapsulated data fragment in an event the time of receipt time-stamped exceeds a timeout period.
  - 10. The method of claim 3 further comprising de-encapsulating the security encapsulated data packet re-assembled from the security encapsulated data fragments.
  - 11. The method of claim 10 wherein de-encapsulating the security encapsulated data packet includes:
    - authenticating the security encapsulated data packet re-assembled from the security encapsulated data fragments;
      
      de-encrypting the encrypted payload of the security encapsulated data packet re-assembled from the security encapsulated data fragments; and
      
      removing an encapsulation header, an initialization vector, and an authentication header from the security encapsulated data packet re-assembled from the security encapsulated data fragments.

12. A system for fragmenting a security encapsulated data packet comprising:
- a security encapsulator configured to security encapsulate a data packet to form a security encapsulated data packet;
  
  a fragmenter coupled to the security encapsulator and configured to fragment the security encapsulated data packet in an event the size of the security encapsulated data packet exceeds a maximum data packet size capable of being transmitted over a communications pathway.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12 wherein the fragmenter includes a divider adapted to divide the security encapsulated data packet into a first security encapsulated data fragment and at least one second security encapsulated data fragment, each security encapsulated data fragment having a portion of an encrypted payload of the security encapsulated data packet, a data fragment header identical to a data packet header of the security encapsulated data packet, and a encapsulation header.
  - 14. The system of claim 12 wherein the fragmenter includes a re-assembler adapted to re-assemble the security encapsulated data packet from a first security encapsulated data fragment and at least one second security encapsulated data fragment, each security encapsulated data fragment having a portion of an encrypted payload of the security encapsulated data packet, a data fragment header identical to the data packet header of the security encapsulated data packet, and an encapsulation header.
  - 15. The system of claim 13 wherein the divider includes:
    - an identifier adapted to identify each security encapsulated data fragment associated with the security encapsulated data packet being divided with a fragment identifier; and
      
      a setter adapted to set a fragment flag in an event a security encapsulated data fragment is a beginning fragment.
  - 16. The system of claim 15 wherein the setter is adapted to set a second fragment flag in an event a security encapsulated data fragment is an ending fragment.
  - 17. The system of claim 14 wherein the re-assembler includes an identifier adapted to associate each security encapsulated data fragment with a security encapsulated data packet being re-assembled using a fragment identifier of each security encapsulated data fragment and a time of receipt of each security encapsulated data fragment.
  - 18. The system of claim 14 wherein the re-assembler includes:
    - an identifier adapted to identify each security encapsulated data fragment associated with the security encapsulated data packet being re-assembled from a fragment identifier and a fragment flag;
      
      a timestamper adapted to timestamp each security encapsulated data fragment with a time of receipt; and
      
      a discarder adapted to discard a security encapsulated data fragment in an event the time of receipt time-stamped exceeds a timeout period.
  - 19. The system of claim 13 further comprising a de-encapsulator adapted to de-encapsulate the security encapsulated data packet re-assembled from the security encapsulated data fragments.

20. An apparatus for fragmenting a security encapsulated data packet comprising:
- means for security encapsulating a data packet to form a security encapsulated data packet; and
  
  means for fragmenting the security encapsulated data packet in an event the size of the security encapsulated data packet exceeds a maximum data packet size capable of being transmitted over a communications pathway.

21. A computer program product comprising:
- a computer usable medium embodying computer usable code for fragmenting a security encapsulated data packet, the computer program product including;
  
  computer usable program code for security encapsulating a data packet to form a security encapsulated data packet; and
  
  computer usable program code for fragmenting the security encapsulated data packet in an event the size of the security encapsulated data packet exceeds a maximum data packet size capable of being transmitted over a communications pathway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Swartz, Troy A.

Application Number

US11/646,201
Publication Number

US 20080162922A1
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/162 at the data link layer

Fragmenting security encapsulated ethernet frames

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Fragmenting security encapsulated ethernet frames

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links