Method and system for security protocol partitioning and virtualization

US 20080240432A1
Filed: 03/30/2007
Published: 10/02/2008
Est. Priority Date: 03/30/2007
Status: Active Grant

First Claim

Patent Images

1. A method for implementing a security protocol, comprising:

receiving a packet from a network connection;

obtaining an identifier for one of a plurality of security association database (SADB) partitions associated with the packet, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations;

applying a security association from the one of the plurality of SADB partitions to the packet; and

sending the packet to the one of the plurality of packet destinations associated with the SADB partition,wherein the packet is processed at the one of the plurality of packet destinations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for implementing a security protocol, involving receiving a packet from a network connection, obtaining an identifier for one of a plurality of security association database (SADB) partitions associated with the packet, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, applying a security association from the one of the plurality of SADB partitions to the packet, and sending the packet to the one of the plurality of packet destinations associated with the SADB partition, wherein the packet is processed at the one of the plurality of packet destinations.

Citations

20 Claims

1. A method for implementing a security protocol, comprising:
- receiving a packet from a network connection;
  
  obtaining an identifier for one of a plurality of security association database (SADB) partitions associated with the packet, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations;
  
  applying a security association from the one of the plurality of SADB partitions to the packet; and
  
  sending the packet to the one of the plurality of packet destinations associated with the SADB partition,wherein the packet is processed at the one of the plurality of packet destinations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - obtaining an identifier for one of a plurality of security policy database (SPD) partitions associated with the packet, wherein each of the plurality of SPD partitions is associated with one of a plurality of packet destinations; and
      
      applying a security policy from the one of the plurality of SPD partitions to the packet,wherein the security policy determines an admittance of the packet to the packet destination.
  - 3. The method of claim 2, wherein each of the plurality of SPD partitions is associated with one of a plurality of destination policy databases.
  - 4. The method of claim 3, further comprising:
    - populating the plurality of SPD partitions using the plurality of policy databases.
  - 5. The method of claim 1, wherein each of the plurality of SADB partitions is associated with an identifier, a capacity, and an address.
  - 6. The method of claim 1, wherein each of the plurality of SPD partitions is associated with an identifier, a capacity, and an address.
  - 7. The method of claim 1, wherein each of the plurality of SADB partitions is associated with one of a plurality of internet key exchange (IKE) daemons.
  - 8. The method of claim 1, wherein each of the plurality of SADB partitions is associated with a cryptographic offload engine.
  - 9. The method of claim 1, wherein the plurality of SADB partitions is located on a memory of a network interface card (NIC).
  - 10. The method of claim 1, wherein the security association comprises a plurality of security parameters used to secure the network connection.

11. A network interface card, comprising:
- a cryptographic offload engine; and
  
  a plurality of security association database (SADB) partitions associated with the cryptographic offload engine,wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, andwherein the cryptographic offload engine is configured to;
  
  receive a packet from a network connection, wherein the packet is encrypted using a security protocol;
  
  obtain an identifier for one of the plurality of security association database (SADB) partitions associated with the packet;
  
  apply a security association from the one of the plurality of SADB partitions to the packet to obtain a decrypted packet; and
  
  send the decrypted packet to the one of the plurality of packet destinations associated with the SADB partition.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The network interface card of claim 11, wherein the NIC further comprises:
    - a policy engine; and
      
      a plurality of security policy database (SPD) partitions associated with the policy engine,wherein each of the plurality of SPD partitions comprises a plurality of security policies, andwherein at least one of the plurality of security policies determines an admittance of the packet to the packet destination.
  - 13. The network interface card of claim 12, wherein each of the plurality of SPD partitions is associated with one of a plurality of destination policy databases, and wherein each of the plurality of destination policy databases is located on a host operatively connected to the network interface card.
  - 14. The network interface card of claim 11, wherein each of the plurality of SADB partitions is associated with one of a plurality of internet key exchange (IKE) daemons.
  - 15. The network interface card of claim 11, wherein each of the plurality of SADB partitions is associated with an identifier, a capacity, and an address.
  - 16. The network interface card of claim 15, wherein the address corresponds to a location in a memory of the network interface card.
  - 17. The network interface card of claim 11, wherein the security association comprises a plurality of security parameters used to secure the network connection.

18. A computer readable medium comprising software instructions to perform a method, the method comprising:
- receiving a packet from a network connection;
  
  obtaining an identifier for one of a plurality of security association database (SADB) partitions associated with the packet, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations;
  
  applying a security association from the one of the plurality of SADB partitions to the packet; and
  
  sending the packet to the one of the plurality of packet destinations associated with the SADB partition,wherein the packet is processed at the one of the plurality of packet destinations.
- View Dependent Claims (19, 20)
- - 19. The computer readable medium of claim 18, the method further comprising:
    - obtaining an identifier for one of a plurality of security policy database (SPD) partitions associated with the packet, wherein each of the plurality of SPD partitions is associated with one of a plurality of packet destinations; and
      
      applying a security policy from the one of the plurality of SPD partitions to the packet,wherein the security policy determines an admittance of the packet to the packet destination.
  - 20. The computer readable medium of claim 18, wherein each of the plurality of SPD partitions is associated with one of a plurality of destination policy databases.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Johnson, Darrin P., Belgaied, Kais

Granted Patent

US 8,175,271 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/255
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Method and system for security protocol partitioning and virtualization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for security protocol partitioning and virtualization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links