METHOD AND APPARATUS FOR CONTROLLING THE FLOW OF DATA ACROSS A NETWORK INTERFACE

US 20090013175A1
Filed: 09/15/2008
Published: 01/08/2009
Est. Priority Date: 03/19/2003
Status: Active Grant

First Claim

Patent Images

1-97. -97. (canceled)

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention performs “flow control” based on the remaining encryption capacity of an encrypted outbound network interface link of a network routing device, such as a router or switch. As the encrypted link begins to run low on encryption key material, this invention begins to discard datagrams queued for transit across that link, in order to signal distant host computers that they should slow down the rate at which they are sending datagrams. The invention, which is particularly useful in cryptographically protected networks that run the TCP/IP protocol stack, allows fine-grained flow control of individual traffic classes because it can determine, for example, how various classes of data traffic (e.g., voice, video, TCP) should be ordered and transmitted through a network. Thus, the invention can be used to implement sophisticated flow control rules so as to give preferential treatment to certain people, departments or computers.

103 Citations

View as Search Results

120 Claims

1-97. -97. (canceled)

98. A method, comprising:
- receiving a data stream that includes a plurality of data packets;
  
  receiving a report that includes an encryption capacity indicator associated with a network interface;
  
  determining a traffic class for a data packet in the data stream; and
  
  selectively undertaking at least one ofassigning the data packet to a transmission queue, anddropping the packet based at least in part on both the received encryption capacity indicator and the identified traffic class.

107. A device, comprising:
- an inbound network interface link configured to receive a data stream that includes a plurality of data packets;
  
  at least two outbound network interface links, wherein each of the outbound network interface links is configured to transmit at least one of the received data packets to a network routing device; and
  
  a routing processor configured toidentify a traffic class for a data packet in the data stream,receive an encryption capacity indicator for each of the outbound network interface links, andselect one of the outbound network interface links to transmit the data packet based at least in part on both the received encryption capacity indicators and the identified traffic class.
- View Dependent Claims (108, 109, 110, 111, 112, 113)
- - 108. The device of claim 107, further comprising a packet classifier configured to determine the traffic class of the data packet.
  - 109. The device of claim 107, further comprising a cryptographic subsystem configured to encrypt the data packet prior to transmitting the data packet on at least one of the outbound network interface links.
  - 110. The device of claim 109, wherein the cryptographic subsystem is further configured to estimate an amount of remaining encryption capacity for each of the outbound network interface links, and generate an encryption capacity indicator for each of the outbound network interface links, wherein each encryption capacity indicator comprises a quantitative measure representative of a capacity of the cryptographic subsystem to encrypt subsequent data packets.
  - 111. The device of claim 107, further comprising a packet classifier, and a policing agent coupled to the packet classifier, wherein the policing agent is configured to determine whether the data packet will be transmitted on one of the outbound network interface links based on both of the traffic class and the encryption capacity indicator.
  - 112. The device of claim 107, further comprising a cryptographic subsystem coupled to at least one of the outbound network interface links and configured to encrypt the data packet.
  - 113. The device of claim 107, further comprising:
    - a cryptographic engine configured to encrypt the data packet before the packet is transmitted across one of the outbound network interface links, wherein the encryption capacity indicator represents a quantitative measure of a capacity of the cryptographic engine to encrypt subsequent data packets.

114. A system, comprising:
- a network routing device configured to receive a data packet;
  
  a cryptographic subsystem; and
  
  an outbound network interface link that is coupled to the network routing device and protected by the cryptographic subsystem, wherein the network routing device determines whether the data packet will be transmitted across the outbound network interface link based on an encryption capacity indicator received from the cryptographic subsystem, and wherein the encryption capacity indicator includes a quantitative measure representative of a capacity of the cryptographic subsystem to encrypt subsequent data packets.
- View Dependent Claims (115, 116, 117, 118, 119, 120)
- - 115. The system of claim 114, further comprising a database for storing a report, wherein the report includes the encryption capacity indicator.
  - 116. The system of claim 114, further comprising at least one other network routing device, wherein the encryption capacity indicator is conveyed to the at least one other network routing device.
  - 117. The system of claim 114, wherein the cryptographic subsystem generates a report that includes the encryption capacity indicator and conveys the report in response to at least one of the following:
    - an occurrence of a specified event;
      
      a specified condition for the outbound network interface link;
      
      a time when an amount of key material in a key storage area reaches a specified level; and
      
      a time when the key material has been present in the key storage area for a specified time period.
  - 118. The system of claim 114, further comprising a statistical analyzer configured to generate an estimated remaining encryption capacity based on the encryption capacity indicator.
  - 119. The system of claim 114, further comprising:
    - a source network element;
      
      a target network element in communication with the source network element;
      
      at least two data communication paths between the source network element and the target network element, wherein at least one of the data communication paths includes the network routing device, the outbound network interface link, and the cryptographic subsystem; and
      
      a routing processor that determines, based on the encryption capacity indicator, which one of the at least two communication paths will be used to transmit the data packet from the source network element to the target network element.
  - 120. The system of claim 114, wherein the encryption capacity indicator is conveyed using at least one of the following:
    - Open Shortest Path First (OSPF) Protocol;
      
      Constraint-based Routing Label Distribution Protocol (CR-LDP);
      
      Intermediate System to Intermediate System (IS-IS) Protocol;
      
      Resource Reservation Protocol (RSVP);
      
      Border Gateway Protocol (BGP);
      
      Simple Network Management Protocol (SNMP);
      
      Synchronous Optical Network (SONET) protocol; and
      
      Internet Control Message Protocol (ICMP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Raytheon BBN Technlogies Corp. (Rtx Corporation)
Inventors
Elliott, Brig Barnum

Granted Patent

US 8,122,242 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/154
CPC Class Codes

H04L 63/0428 wherein the data content is...

METHOD AND APPARATUS FOR CONTROLLING THE FLOW OF DATA ACROSS A NETWORK INTERFACE

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

120 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR CONTROLLING THE FLOW OF DATA ACROSS A NETWORK INTERFACE

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

120 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links