METHODS AND DEVICES FOR PACKET TAGGING USING IP INDEXING VIA DYNAMIC-LENGTH PREFIX CODE

US 20100183014A1
Filed: 01/22/2009
Published: 07/22/2010
Est. Priority Date: 01/22/2009
Status: Active Grant

First Claim

Patent Images

1. A method for packet tagging, the method comprising the steps of:

(a) upon sending an internet-protocol (IP) packet, obtaining, by a sender module, a sender identity for a sender of said IP packet;

(b) securely tagging, by said sender module, said IP packet with said sender identity, wherein said IP packet includes a plurality of fixed-length fields, wherein said fixed-length fields are concatenated into a single fixed-length virtual field, and wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint;

(c) determining, by a receiver module, said sender identity by extracting said sender identity from said IP packet;

(d) checking, by said receiver module, said IP packet to ensure said IP packet has been appropriately tagged; and

(e) enforcing a security policy, by said receiver module, according to said sender identity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.

30 Citations

View as Search Results

23 Claims

1. A method for packet tagging, the method comprising the steps of:
- (a) upon sending an internet-protocol (IP) packet, obtaining, by a sender module, a sender identity for a sender of said IP packet;
  
  (b) securely tagging, by said sender module, said IP packet with said sender identity, wherein said IP packet includes a plurality of fixed-length fields, wherein said fixed-length fields are concatenated into a single fixed-length virtual field, and wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint;
  
  (c) determining, by a receiver module, said sender identity by extracting said sender identity from said IP packet;
  
  (d) checking, by said receiver module, said IP packet to ensure said IP packet has been appropriately tagged; and
  
  (e) enforcing a security policy, by said receiver module, according to said sender identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, the method further comprising the step of:
    - (f) prior to said step of tagging, dynamically partitioning, by said sender module, said virtual field to support a dynamically changing number of said multiple distinct identities for said IP endpoint, wherein said dynamically changing number differs among a plurality of IP endpoints.
  - 3. The method of claim 2, wherein said step of partitioning includes dynamically re-assigning said multiple distinct identities to entities on said IP endpoint.
  - 4. The method of claim 1, wherein said step of obtaining includes:
    - (i) accessing, by said sender module, a server for obtaining said sender identity; and
      
      (ii) associating, by said server, said sender identity with said IP endpoint.
  - 5. The method of claim 4, wherein said associating is performed using a prefix code for encoding said multiple distinct identities.
  - 6. The method of claim 1, wherein said step of tagging is performed using an identification field and a time-to-live (TTL) field.
  - 7. The method of claim 1, wherein said receiver module and said receiver module are components of a device independently selected from the group consisting of:
    - a gateway and an IP endpoint.

8. A device for enforcing network access control, the device comprising:
- (a) a sender module configured for;
  
  (i) upon sending an internet-protocol (IP) packet, obtaining a sender identity for a sender of said IP packet; and
  
  (ii) securely tagging said IP packet with said sender identity, wherein said IP packet includes a plurality of fixed-length fields, wherein said fixed-length fields are concatenated into a single fixed-length virtual field, and wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The device of claim 8, wherein said sender module is further configured for:
    - (iii) prior to said tagging, dynamically partitioning said virtual field to support a dynamically changing number of said multiple distinct identities for said IP endpoint, wherein said dynamically changing number differs among a plurality of IP endpoints.
  - 10. The device of claim 9, wherein said partitioning includes dynamically re-assigning said multiple distinct identities to entities on said IP endpoint.
  - 11. The device of claim 8, wherein said obtaining includes:
    - (A) accessing a server for obtaining said sender identity; and
      
      (B) associating, by said server, said sender identity with said IP endpoint.
  - 12. The device of claim 11, wherein said associating is performed using a prefix code for encoding said multiple distinct identities.
  - 13. The device of claim 8, wherein said tagging is performed using an identification field and a time-to-live (TTL) field.
  - 14. The device of claim 8, wherein said sender module is a component of a device selected from the group consisting of:
    - a gateway and an IP endpoint.

15. A device for enforcing network access control, the device comprising:
- (a) a receiver module configured for;
  
  (i) determining a sender identity by extracting said sender identity from an internet-protocol (IP) packet;
  
  (ii) checking said IP packet to ensure said IP packet has been appropriately tagged; and
  
  (iii) enforcing a security policy according to said sender identity.
- View Dependent Claims (16)
- - 16. The device of claim 15, wherein said receiver module is a component of a device selected from the group consisting of:
    - a gateway and an IP endpoint.

17. A computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code comprising:
- (a) program code for, upon sending an internet-protocol (IP) packet, obtaining, by a sender module, a sender identity for a sender of said IP packet;
  
  (b) program code for securely tagging, by said sender module, said IP packet with said sender identity, wherein said IP packet includes a plurality of fixed-length fields, wherein said fixed-length fields are concatenated into a single fixed-length virtual field, and wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint;
  
  (c) program code for determining, by a receiver module, said sender identity by extracting said sender identity from said IP packet;
  
  (d) program code for checking, by said receiver module, said IP packet to ensure said IP packet has been appropriately tagged; and
  
  (e) program code for enforcing a security policy, by said receiver module, according to said sender identity.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The storage medium of claim 17, the computer-readable code further comprising:
    - (f) program code for, prior to said step of tagging, dynamically partitioning, by said sender module, said virtual field to support a dynamically changing number of said multiple distinct identities for said IP endpoint, wherein said dynamically changing number differs among a plurality of IP endpoints.
  - 19. The storage medium of claim 18, wherein said program code for partitioning includes program code for dynamically re-assigning said multiple distinct identities to entities on said IP endpoint.
  - 20. The storage medium of claim 17, wherein said program code for obtaining includes:
    - (i) program code for accessing, by said sender module, a server for obtaining said sender identity; and
      
      (ii) program code for associating, by said server, said sender identity with said IP endpoint.
  - 21. The storage medium of claim 20, wherein said program code for associating is operative using a prefix code for encoding said multiple distinct identities.
  - 22. The storage medium of claim 17, wherein said program code for tagging is operative using an identification field and a time-to-live (TTL) field.
  - 23. The storage medium of claim 17, wherein said sender module and said receiver module are components of a device independently selected from the group consisting of:
    - a gateway and an IP endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
SHUA, Avi

Granted Patent

US 8,615,655 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/395.300
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

H04L 9/3236   using cryptographic hash fu...

METHODS AND DEVICES FOR PACKET TAGGING USING IP INDEXING VIA DYNAMIC-LENGTH PREFIX CODE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND DEVICES FOR PACKET TAGGING USING IP INDEXING VIA DYNAMIC-LENGTH PREFIX CODE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links