APPLICATION STEERING AND APPLICATION BLOCKING OVER A SECURE TUNNEL

US 20080165964A1
Filed: 01/04/2007
Published: 07/10/2008
Est. Priority Date: 01/04/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

mapping at least a first Security Parameter Index (SPI) to a first application identifier at a first tunnel endpoint to generate first mapping information; and

communicating the first mapping information from the first tunnel endpoint to a network entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for enabling application steering/blocking in a secure network which includes a network entity, and a first tunnel endpoint coupled to the network entity over an encrypted tunnel. The first tunnel endpoint associates at least a first Security Parameter Index (SPI) to a first application identifier to generate first mapping information (MI), communicates the first MI to the network entity, and transmits an encrypted message to the network entity over the encrypted tunnel. The encrypted message includes an encrypted packet and an unencrypted header including the first SPI. The network entity determines the first SPI from the unencrypted header, determines the first application identifier based on the first SPI and the first MI, and identifies a first application associated with the first application identifier. The network entity can still perform application steering/blocking even though traffic passing through the tunnel is encrypted.

Citations

32 Claims

1. A method, comprising:
- mapping at least a first Security Parameter Index (SPI) to a first application identifier at a first tunnel endpoint to generate first mapping information; and
  
  communicating the first mapping information from the first tunnel endpoint to a network entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method according to claim 1, wherein the step of mapping further comprises:
    - mapping a first Security Parameter Index (SPI) and a second SPI to a first application identifier at the first tunnel endpoint to generate a first mapping information
  - 3. A method according to claim 2, wherein the first SPI comprises an inbound SPI and wherein the second SPI comprises an outbound SPI.
  - 4. A method according to claim 2, further comprising:
    - transmitting an encrypted message from the first tunnel endpoint to the network entity over an encrypted tunnel, wherein the encrypted message comprises an encrypted packet and an unencrypted header comprising the first SPI;
      
      determining the first SPI at the network entity from the unencrypted header; and
      
      using the first SPI and the first mapping information at the network entity to determine the first application identifier and to identify a first application associated with the first application identifier.
  - 5. A method according to claim 4, wherein the first tunnel endpoint comprises a mobile host, and wherein the network entity comprises a mobile router.
  - 6. A method according to claim 5, wherein the mobile router comprises a mobile access point.
  - 7. A method according to claim 4, further comprising:
    - selecting, at the mobile router, one of a plurality of interfaces based on the first application, wherein the selected interface is used to transmit the encrypted packet from the mobile router to another network entity.
  - 8. A method according to claim 4, wherein the first tunnel endpoint comprises a Policy Enforcement Point (PEP).
  - 9. A method according to claim 8, wherein the network entity comprises another Policy Enforcement Point (PEP), and further comprising:
    - selecting, at the other Policy Enforcement Point (PEP), one of a plurality of interfaces based on the first application, wherein the selected interface is used to transmit the encrypted packet from the other Policy Enforcement Point (PEP) to another network entity.
  - 10. A method according to claim 9, wherein the other network entity comprises a mobile router.
  - 11. A method according to claim 10, wherein the mobile router comprises a mobile access point.

12. A system, comprising:
- a first tunnel endpoint designed to associate at least a first Security Parameter Index (SPI) to a first application identifier to generate first mapping information; and
  
  a network entity coupled to the first tunnel endpoint over an encrypted tunnel,wherein the first tunnel endpoint is further designed to;
  
  communicate the first mapping information to the network entity.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. A system according to claim 12, wherein the first tunnel endpoint is further designed to associate the first Security Parameter Index (SPI) and a second SPI to the first application identifier to generate the first mapping information.
  - 14. A system according to claim 13, wherein the first SPI comprises an inbound SPI and wherein the second SPI comprises an outbound SPI.
  - 15. A system according to claim 12, wherein the first tunnel endpoint is further designed to:
    - transmit a encrypted message to the network entity over the encrypted tunnel, wherein the encrypted message comprises an encrypted packet and an unencrypted header comprising the first SPI, andwherein the network entity is designed to;
      
      determine the first SPI from the unencrypted header, determine the first application identifier based on the first SPI and the first mapping information, and identify a first application associated with the first application identifier.
  - 16. A system according to claim 15, wherein the first tunnel endpoint comprises a mobile host, and wherein the network entity comprises a mobile router.
  - 17. A system according to claim 16, wherein the network entity comprises a router, and wherein the router is designed to select one of a plurality of interfaces based on the first application, wherein the selected interface is used to transmit the encrypted packet from the router to another network entity.
  - 18. A system according to claim 15, wherein the first tunnel endpoint comprises a Policy Enforcement Point (PEP).
  - 19. A system according to claim 18, wherein the network entity comprises another Policy Enforcement Point (PEP) designed to select one of a plurality of interfaces based on the first application, wherein the selected interface is used to transmit the encrypted packet from the other Policy Enforcement Point (PEP) to another network entity.
  - 20. A system according to claim 18, wherein the other network entity comprises a mobile router.

21. A node designed to communicate with a network entity over an encrypted tunnel, the node comprising:
- a memory designed to store a unique Security Parameter Index (SPI) for each application identifier;
  
  a processor designed to associate at least a first Security Parameter Index (SPI) to a first application identifier and to generate first mapping information; and
  
  a transmitter designed to transmit the first mapping information to the network entity.
- View Dependent Claims (22, 23, 24, 25)
- - 22. A node according to claim 21, wherein the processor is further designed to associate the first SPI and a second SPI to the first application identifier to generate the first mapping information.
  - 23. A node according to claim 22, wherein the first SPI comprises an inbound SPI and wherein the second SPI comprises an outbound SPI.
  - 24. A node according to claim 21, wherein the node comprises a mobile host, and wherein the network entity comprises a mobile access point.
  - 25. A node according to claim 21, wherein the node comprises a Policy Enforcement Point (PEP), and wherein the network entity comprises another Policy Enforcement Point (PEP).

26. A network entity, comprising:
- a memory which stores first mapping information from a first tunnel endpoint, wherein the first mapping information comprises;
  
  at least a first Security Parameter Index (SPI) associated with a first application identifier;
  
  a receiver which receives a encrypted message from the first tunnel endpoint over an encrypted tunnel, wherein the encrypted message comprises an encrypted packet and an unencrypted header comprising the first SPI; and
  
  a processor designed to extract the first SPI from the unencrypted header, and to determine the first application identifier based on the first SPI and the first mapping information, and to identify a first application associated with the first application identifier.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. A network entity according to claim 26, wherein the first mapping information further comprises a second SPI associated with first application identifier.
  - 28. A network entity according to claim 27, wherein the first SPI comprises an inbound SPI and wherein the second SPI comprises an outbound SPI.
  - 29. A network entity according to claim 26, wherein the network entity further comprises:
    - a plurality of interfaces, wherein each of the interfaces is designed to operate over a particular type of link, andwherein the processor is further designed to;
      
      select one of the plurality of interfaces based on the first application, wherein the selected interface is used to transmit the encrypted packet from the network entity to another network entity.
  - 30. A network entity according to claim 26, wherein the network entity comprises a mobile router.
  - 31. A network entity according to claim 26, wherein the mobile router comprises a mobile access point.
  - 32. A network entity according to claim 26, wherein the network entity comprises a Policy Enforcement Point (PEP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Motorola Solutions, Inc.
Original Assignee
Motorola, Inc. (Motorola Solutions, Inc.)
Inventors
Lewis, Adam C., Popovich, George, Thomas, Peter E.

Granted Patent

US 8,677,114 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/255
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/04   for providing a confidentia...

H04L 63/0485   Networking architectures fo...

H04L 63/164   at the network layer

APPLICATION STEERING AND APPLICATION BLOCKING OVER A SECURE TUNNEL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION STEERING AND APPLICATION BLOCKING OVER A SECURE TUNNEL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links