METHOD AND APPARATUS FOR SECURITY ENCAPSULATING IP DATAGRAMS

US 20110314274A1
Filed: 05/17/2011
Published: 12/22/2011
Est. Priority Date: 05/17/2010
Status: Active Grant

First Claim

Patent Images

1. A method performed by a network security device for security encapsulating an original IP datagram received from a network, the method comprising:

determining whether an IP payload of the original IP datagram is a TCP segment, UDP datagram or packet of another type of network protocol;

based on the determining, encrypting a portion of the IP payload to form an encrypted payload;

forming a security encapsulated IP packet with source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload; and

providing the security encapsulated IP packet to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and corresponding apparatus are provided to security encapsulate an original IP datagram received from a network. It is first determined whether an IP payload of the original IP datagram is a TCP segment, UDP datagram or packet of another type of network protocol. Based on this determination, a portion of the IP payload is encrypted resulting in an encrypted payload. A security encapsulated IP packet is then formed with source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload. The security encapsulated IP packet is then provided to the network.

29 Citations

View as Search Results

21 Claims

1. A method performed by a network security device for security encapsulating an original IP datagram received from a network, the method comprising:
- determining whether an IP payload of the original IP datagram is a TCP segment, UDP datagram or packet of another type of network protocol;
  
  based on the determining, encrypting a portion of the IP payload to form an encrypted payload;
  
  forming a security encapsulated IP packet with source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload; and
  
  providing the security encapsulated IP packet to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein determining the IP payload includes determining whether an IP protocol field within an IP header of the original IP datagram indicates that the IP payload is a TCP segment, UDP datagram or packet of another type of network protocol.
  - 3. The method of claim 1, in the event of determining that the IP payload is a TCP segment or UDP datagram, wherein encrypting the portion of the IP payload includes encrypting a payload of the TCP segment or UDP datagram, the encrypted TCP or UDP payload being the encrypted payload of the security encapsulated IP packet, and passing a header of the TCP segment or UDP datagram without encrypting the header, the header being passed referred to as a non-encrypted header;
    - andwherein forming includes forming the security encapsulated IP packet with the non-encrypted header together with the source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload.
  - 4. The method of claim 1, in the event of determining that the IP payload is a packet of another network protocol, wherein encrypting the portion of the IP payload includes encrypting the entire IP payload, the encrypted IP payload being the encrypted payload of the security encapsulated IP packet.
  - 5. The method of claim 1 wherein encrypting includes encrypting the portion of the IP payload using Advanced Encryption Standard (AES) encryption.
  - 6. The method of claim 1 wherein encrypting includes computing an initialization vector and encrypting the initialization vector and portion of the IP payload, the encrypted initialization vector and portion of the IP payload being the encrypted payload of the security encapsulated IP packet.
  - 7. The method of claim 1 wherein forming the security encapsulated IP packet includes adding a security parameters index value and sequence number to the packet.
  - 8. The method of claim 1 wherein forming the security encapsulated IP packet includes computing an integrity check value and adding the integrity check value to the packet.
  - 9. The method of claim 8 wherein computing includes computing the integrity check value using Hash-based Message Authentication Code using Security Hash Algorithm 1 (HMAC-SHA-1).
  - 10. The method of claim 3 wherein forming the security encapsulated IP packet includes computing a TCP/UDP checksum value for the encrypted payload and replacing an original TCP/UDP checksum value of the TCP segment or UDP datagram with the computed TCP/UDP checksum value.

11. A network security device to security encapsulate an original IP datagram received from a network, the device comprising:
- an interface to the network;
  
  a security encapsulation processor communicatively coupled to the interface, the security encapsulation processor configured to;
  
  determine whether an IP payload of the original IP datagram is a TCP segment, UDP datagram or packet of another type of network protocol;
  
  based on the determination, encrypt a portion of the IP payload to form an encrypted payload;
  
  form a security encapsulated IP packet with source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload; and
  
  provide the security encapsulated IP packet to the network through the interface.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The network security device of claim 11 wherein the security encapsulation processor is further configured to determine whether an IP protocol field within an IP header of the original IP datagram indicates that the IP payload is a TCP segment, UDP datagram or packet of another type of network protocol.
  - 13. The network security device of claim 11 wherein, in the event of a determination that the IP payload is a TCP segment or UDP datagram, the security encapsulation processor is further configured to:
    - encrypt a payload of the TCP segment or UDP datagram, the encrypted TCP or UDP payload being the encrypted payload of the security encapsulated IP packet;
      
      pass a header of the TCP segment or UDP datagram without encrypting the header, the header being passed referred to as a non-encrypted header; and
      
      form the security encapsulated IP packet with the non-encrypted header together with the source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload.
  - 14. The network security device of claim 11 wherein, in the event of a determination that the IP payload is a packet of another network protocol, the security encapsulation processor is further configured to encrypt the entire IP payload, the encrypted IP payload being the encrypted payload of the security encapsulated IP packet.
  - 15. The network security device of claim 11 wherein the security encapsulation processor is further configured to encrypt the portion of the IP payload using Advanced Encryption Standard (AES) encryption.
  - 16. The network security device of claim 11 wherein the security encapsulation processor is further configured to:
    - compute an initialization vector; and
      
      encrypt the initialization vector and portion of the IP payload, the encrypted initialization vector and portion of the IP payload being the encrypted payload of the security encapsulated IP packet.
  - 17. The network security device of claim 11 wherein the security encapsulation processor is further configured to add a security parameters index value and sequence number to the security encapsulated IP packet.
  - 18. The network security device of claim 11 wherein the security encapsulation processor is further configured to:
    - compute an integrity check value; and
      
      add the integrity check value to the security encapsulated IP packet.
  - 19. The network security device of claim 18 wherein the security encapsulation processor is further configured to compute the integrity check value using Hash-based Message Authentication Code using Security Hash Algorithm 1 (HMAC-SHA-1).
  - 20. The network security device of claim 13 wherein the security encapsulation processor is further configured to:
    - compute a TCP/UDP checksum value for the encrypted payload; and
      
      replace an original TCP/UDP checksum value of the TCP segment or UDP datagram with the computed TCP/UDP checksum value.

21. Logic encoded in one or more non-transitory computer readable medium for execution and when executed operable to:
- determine whether an IP payload of the original IP datagram is a TCP segment, UDP datagram or packet of another type of network protocol;
  
  based on the determination, encrypt a portion of the IP payload to form an encrypted payload;
  
  form a security encapsulated IP packet with source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload; and
  
  provide the security encapsulated IP packet to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Swartz, Troy

Granted Patent

US 9,294,506 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/160
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 63/164   at the network layer

METHOD AND APPARATUS FOR SECURITY ENCAPSULATING IP DATAGRAMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR SECURITY ENCAPSULATING IP DATAGRAMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links