Process for prioritized end-to-end secure data protection

US 20100135287A1
Filed: 12/02/2008
Published: 06/03/2010
Est. Priority Date: 12/02/2008
Status: Abandoned Application

First Claim

Patent Images

9. A process for prioritizing messages from a first computer system having at least one computer connected to a first edge router to be sent to a second computer system having at least one second computer connected to a second edge router, and the above two edge routers are connected via at least one core router includes the steps of:

the source computer builds and sends IP packet to the first inner side of the edge router;

the edge router providing and encrypted priority status message to the core router;

decrypting the priority status of the message at the core router;

de-encrypting the priority status message at the core router; and

sending the message based on its priority status to other core or edge router if no more core router exist.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is a process for prioritizing messages from a first computer system having at least one computer connected to a first edge router to be sent to a second computer system having at least one computer connected to a second edge router, the process includes the steps of: 1) providing priority status from the at least one first computer to the at the first edge router; 2) determining the priority status of the message by the first edge router; 3) prioritizing the sending of the message by the first edge router; 4) encrypting the priority status prior to sending the message to the at least one second computer a the selected priority status; and 5) upon receiving the encrypted message, the second edge router decrypts the priority status of the message and sends it to the at least one second computer at the selected priority status.

78 Citations

View as Search Results

22 Claims

9. A process for prioritizing messages from a first computer system having at least one computer connected to a first edge router to be sent to a second computer system having at least one second computer connected to a second edge router, and the above two edge routers are connected via at least one core router includes the steps of:
- the source computer builds and sends IP packet to the first inner side of the edge router;
  
  the edge router providing and encrypted priority status message to the core router;
  
  decrypting the priority status of the message at the core router;
  
  de-encrypting the priority status message at the core router; and
  
  sending the message based on its priority status to other core or edge router if no more core router exist.
- View Dependent Claims (10, 11)
- - 10. The process as set forth in claim 9 whereinpacket marking is accomplished by either the host itself at application layer and/or (b) at the nearest network router;
    - packet classification is accomplished by the process consisting of;
      
      can parsing multiple fields of the IP header or parsing the ToS byte/precedence;
      
      admission Control is accomplished by bandwidth control and policy control;
      
      QoS is accomplished by application terminals can for their traffic; and
      
      scheduling/queuing is assigned to different packets based on their classification.
  - 11. The process as set forth in claim 10 whereina queuing system in which there are three classes of packets—
    - high, med, and low priority, which arrive under independent Poisson distribution;
      
      No lower-priority packet enters to be serviced when any higher-priority packets are present; and
      
      If a lower-priority packet is in service, its service will be interrupted at once if a higher-priority packet arrives, and will not be resumed until the system is again clear of higher-priority packets.

13. The process as set forth in claim 12 wherein QoS is applied by the process consisting of the application layer for message queuing;
- in the network layer for IP packet queuing;
  
  or in the link layer for Ethernet frame queuing.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 1. A process for prioritizing messages from a first computer system having at least one computer connected to a first edge router to be sent to a second computer system having at least one computer connected to a second edge router, the process includes the steps of:
    - providing priority status from at least one first computer to the first edge router;
      
      determining the priority status of the message by the first edge router;
      
      prioritizing the sending of the message by the first edge router;
      
      encrypting the priority status prior to sending the message to at least one second computer at the selected priority status; and
      
      upon receiving the encrypted message, the second edge router decrypts the priority status of the message and sends it to at least one second computer at the selected priority status.
  - 2. The process as set forth in claim 1 herein:
    - the priority status is encrypted by at least one first computer; and
      
      the first edge router de crypts the priority status of message to determine priority status.
  - 3. The process as set forth in claim 1 wherein encryption of the priority status is accomplished by the first edge router.
  - 4. The process as set forth in claim 2, or 3 wherein in packet classification can be accomplished by the following processes selected from the group consisting of parsing multiple fields of the IP header, flow label information, and parsing the ToS byte/precedence.
  - 5. The process as set forth in claim 4 comprisingadmission Control consists of bandwidth control and policy control;
    - applications terminals request a particular QoS for their traffic; and
      
      scheduling and queuing are assigned to different packets based on their classification.
  - 6. The process as set forth in claim 5 wherein the priority status comprising a queuing system in which there are at least two classes of packets and no lower-priority packet enters to be serviced when any higher-priority packets is present;
    - andif a lower-priority packet is in service, its service will be interrupted at once if a higher-priority packet arrives, and will not be resumed until the system is again clear of higher-priority packets.
  - 7. The process as set forth in claim 3 wherein QoS can be applied in the group consisting of:
    - application layer for message queuing, or applied in the network layer for IP packet queuing, or applied in the link layer for Ethernet frame queuing.
  - 8. The process as set forth in claim 5 whereinencrypted Traffic Class or ToS or DSCP field is used to carry Internet traffic priority delivery value;
    - the flow label field is used for specifying special router handling from source to destination(s) for a sequence of packets;
      
      the source address field is used to contain source address of the sending node; and
      
      the destination address field is used to contain address of the destination node.
  - 14. The process as set forth in claim 13 wherein admission control consists of bandwidth control and policy control;
    - applications terminals request a particular QoS for their traffic;
      
      usage of resource is checked and if usage of resource is greater than the default threshold, the medium and low priority packets will be dropped;
      
      the new packet will be processed when its priority is high; and
      
      the devices in the network through which this traffic passes can either grant or deny the request depending on capacity, load, policies.
  - 15. The process as set forth in claim 14 whereinthe source computer builds the message, the source IP address is set to source computer IP address, destination;
    - the IP address is set to the inner side of the edge router'"'"'s IP address, and routing header extension has destination computer'"'"'s IP address;
      
      source edge router uses IP tunneling protocols to destination edge router, where inner IP destination is set to destination computer'"'"'s IP Address;
      
      the source edge router performs encryption on the packet, where source IP address is set to outer interface address of source edge router, and destination IP address is set to outer interface IP address of destination edge router;
      
      core routers use access control list in order to provide packet priority between two gateways;
      
      the destination edge router un-tunnels IP Packet, performs IP packet decryption, and forwards it to the destination host; and
      
      The destination host receives the packet and processes according to the packet priority.
  - 16. The process as set forth in claim 15 whereinfirst encryption is applied from original IP header to encapsulated security payload trailer;
    - andauthentication is applied from new IP header to encapsulated security payload trailer.
  - 17. The process as set forth in claim 16 wherein the configuration of source and destination edge routers makes up three or more unique source-destination IP address, which can be used to route various priority packets or it has only one unique source/destination IP address, where the ToS/TC field is encrypted;
    - or the outer ToS/QoS field is encrypted with a random number, and source core router shares one or more random number along with a session key with its peers, and at the destination gateway, the encrypted random number is compared with the received encrypted ToS/QoS field in order to process the packet in the correct priority.
  - 18. The process as set forth in claim 17 wherein security of data between source and destination computers can be achieved using separate encryption policy.
  - 19. The process as set forth in claim 18 whereinthe edge router receives an IP Packet on the input side interface of the router,the ToS/TC/DS field in IP packet is examined;
    - The CCID and Session ID tags are added to the IP Packet to be send to a GIG IP Address;
      
      INFOSEC initialization vector is added in the INFOSEC module;
      
      session-ID is copied to the outer TC/ToS/DS/flow label field;
      
      the IP Packet is encrypted and routed through the INFOSEC based on the CCID;
      
      the CCID bridges the IP packet from the ingress IP Address to the egress IP address of the INFOSEC module; and
      
      the CCID is removed and lower layer framing is performed and routed.
  - 20. The process as set forth in claim 15 wherein the core router receives an encrypted control IP message via signaling protocol;
    - the core router decrypts the control message;
      
      the core router extracts source IP address, destination IP address, session ID and priority Information (QoS) from the IP packet; and
      
      the Core Router adds a tuple in the ACL table in order to processing user data associated for that session.
  - 21. The process as set forth in claim 20 whereinthe core router receives a user IP packet;
    - the source IP address, destination IP address, and session ID in IP Packet are examined against the ACL;
      
      the core router process IP packet to another core/edge router using the QoS specified in the ACL; and
      
      the IP packet is framed through lower layer framer and sent towards the destination IP address.
  - 22. The process as set forth in claim 21 whereinthe encrypted IP packet with destination IP address is received from a core router;
    - the lower layer de-framer removes lower layer sync from the packet;
      
      the CCID tag is added to the IP Packet for the INFOSEC;
      
      the INFOSEC decrypts the IP packet based on the CCID tag;
      
      the INFOSEC processing removes the initialization vector; and
      
      edge router forwards the user data to the destination host for processing.

14-1. The process as set forth in claim 13 whereininternet traffic priority delivery value is carried by encrypted traffic class or the ToS or the DSCP;
- the flow label field is used for specifying special router handling from source to destination) for a sequence of packets;
  
  the source address field is used to contain source address of the sending node;
  
  the destination address field is used to contain address of the destination node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Corporation
Original Assignee
Northrop Grumman Corporation
Inventors
Hosain, Akram M., Arteaga, Ricardo A.

Application Number

US12/315,297
Publication Number

US 20100135287A1
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/2433   Allocation of priorities to...

H04L 47/2441   relying on flow classificat...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/164   at the network layer

Process for prioritized end-to-end secure data protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

78 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Process for prioritized end-to-end secure data protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links