APPLICATION STEERING AND APPLICATION BLOCKING OVER A SECURE TUNNEL
Abstract
Techniques are provided for enabling application steering/blocking in a secure network which includes a network entity, and a first tunnel endpoint coupled to the network entity over an encrypted tunnel. The first tunnel endpoint associates at least a first Security Parameter Index (SPI) to a first application identifier to generate first mapping information (MI), communicates the first MI to the network entity, and transmits an encrypted message to the network entity over the encrypted tunnel. The encrypted message includes an encrypted packet and an unencrypted header including the first SPI. The network entity determines the first SPI from the unencrypted header, determines the first application identifier based on the first SPI and the first MI, and identifies a first application associated with the first application identifier. The network entity can still perform application steering/blocking even though traffic passing through the tunnel is encrypted.
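The exchange the abstract describes, as an added example that is not part of the patent: a tunnel endpoint keeps one SPI per application identifier (claim 21), communicates the SPI-to-application mapping information to the network entity, and the network entity reads the SPI from the unencrypted ESP header (RFC 4303 places the 32-bit SPI first, before the sequence number) to identify the application and apply a steering or blocking policy without decrypting the packet. The policy shape, the starting SPI and the ciphertext stand-in are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

# RFC 4303 ESP header: SPI (32 bits) then sequence number (32 bits), both sent in the clear
ESP_HEADER = struct.Struct("!II")

@dataclass
class TunnelEndpoint:
    """Tunnel endpoint keeping a unique SPI for each application identifier (claim 21)."""
    next_spi: int = 0x1000                          # constructed starting SPI
    spi_by_app: dict = field(default_factory=dict)
    def spi_for(self, app_id: str) -> int:
        # allocate once, then reuse, the SPI associated with this application identifier
        if app_id not in self.spi_by_app:
            self.spi_by_app[app_id] = self.next_spi
            self.next_spi += 1
        return self.spi_by_app[app_id]
    def mapping_information(self) -> dict:
        # mapping information (MI) communicated to the network entity: SPI -> application id
        return {spi: app for app, spi in self.spi_by_app.items()}
    def encrypted_message(self, app_id: str, seq: int, ciphertext: bytes) -> bytes:
        # unencrypted ESP header carrying the application's SPI, followed by the encrypted packet
        return ESP_HEADER.pack(self.spi_for(app_id), seq) + ciphertext

class NetworkEntity:
    """Identifies the application from the clear SPI and the received MI, without decrypting."""
    def __init__(self, mapping: dict, policy: dict):
        self.mapping = dict(mapping)  # SPI -> application id, as received from the endpoint
        self.policy = policy          # hypothetical policy shape: app id -> "block" or "steer:<link>"
    def application_for(self, message: bytes):
        if len(message) < ESP_HEADER.size:
            raise ValueError("truncated ESP header")
        spi, _seq = ESP_HEADER.unpack_from(message)
        return self.mapping.get(spi)  # None when no MI exists for this SPI
    def decide(self, message: bytes) -> str:
        app = self.application_for(message)
        if app is None:
            return "unknown-spi"      # application cannot be identified; policy cannot be applied
        return self.policy.get(app, "forward")

def demo() -> list:
    ep = TunnelEndpoint()
    for app in ("video", "p2p", "mail"):
        ep.spi_for(app)
    ne = NetworkEntity(ep.mapping_information(), {"video": "steer:wan2", "p2p": "block"})
    opaque = b"\xde\xad\xbe\xef" * 4  # constructed stand-in for the encrypted packet
    return [ne.decide(ep.encrypted_message("video", 1, opaque)),
            ne.decide(ep.encrypted_message("p2p", 2, opaque)),
            ne.decide(ep.encrypted_message("mail", 3, opaque)),
            ne.decide(ESP_HEADER.pack(0x9999, 1) + opaque)]
```

Note that the network entity acts only on the mapping information it was given: an SPI it has never been told about yields no application identifier, so the policy cannot be applied to that traffic.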
32 Claims
1. A method, comprising:
- mapping at least a first Security Parameter Index (SPI) to a first application identifier at a first tunnel endpoint to generate first mapping information; and
- communicating the first mapping information from the first tunnel endpoint to a network entity.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A system, comprising:
- a first tunnel endpoint designed to associate at least a first Security Parameter Index (SPI) to a first application identifier to generate first mapping information; and
- a network entity coupled to the first tunnel endpoint over an encrypted tunnel, wherein the first tunnel endpoint is further designed to communicate the first mapping information to the network entity.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.
21. A node designed to communicate with a network entity over an encrypted tunnel, the node comprising:
- a memory designed to store a unique Security Parameter Index (SPI) for each application identifier;
- a processor designed to associate at least a first Security Parameter Index (SPI) to a first application identifier and to generate first mapping information; and
- a transmitter designed to transmit the first mapping information to the network entity.
Dependent claims: 22, 23, 24, 25.
26. A network entity, comprising:
- a memory which stores first mapping information from a first tunnel endpoint, wherein the first mapping information comprises at least a first Security Parameter Index (SPI) associated with a first application identifier;
- a receiver which receives an encrypted message from the first tunnel endpoint over an encrypted tunnel, wherein the encrypted message comprises an encrypted packet and an unencrypted header comprising the first SPI; and
- a processor designed to extract the first SPI from the unencrypted header, to determine the first application identifier based on the first SPI and the first mapping information, and to identify a first application associated with the first application identifier.
Dependent claims: 27, 28, 29, 30, 31, 32.