SYSTEM AND METHOD FOR SECURE CLOUD SERVICE DELIVERY WITH PRIORITIZED SERVICES IN A NETWORK ENVIRONMENT

US 20130311778A1
Filed: 05/16/2012
Published: 11/21/2013
Est. Priority Date: 05/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request for a cloud capability set during an Internet Key Exchange (IKE) negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities;

mapping the request to one or more cryptographic modules that can support the cloud capability set; and

offloading the VPN tunnel to the one or more cryptographic modules.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes receiving a request for a cloud capability set during an Internet Key Exchange negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities, mapping the request to one or more cryptographic modules that can support the cloud capability set, and offloading the VPN tunnel to the one or more cryptographic modules. The request can be an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload. The method may further include splitting the VPN tunnel between the cryptographic modules if no single cryptographic module can support substantially all the cloud capabilities in the cloud capability set. In some embodiments, the request is compared with a service catalog comprising authorized cloud capabilities.

136 Citations

20 Claims

1. A method, comprising:
- receiving a request for a cloud capability set during an Internet Key Exchange (IKE) negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities;
  
  mapping the request to one or more cryptographic modules that can support the cloud capability set; and
  
  offloading the VPN tunnel to the one or more cryptographic modules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving another request for another cloud capability set during another IKE negotiation associated with another VPN tunnel between another subscriber and the cloud, wherein the another cloud capability set is different from the cloud capability set;
      
      mapping the another request to another one or more cryptographic modules; and
      
      offloading the another VPN tunnel to the another one or more cryptographic modules.
  - 3. The method of claim 1, wherein the request comprises an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload.
  - 4. The method of claim 1, further comprising:
    - splitting the VPN tunnel between the one or more cryptographic modules if no single cryptographic module can support substantially all of the one or more cloud capabilities in the cloud capability set.
  - 5. The method of claim 1, wherein the request is received from a service catalog comprising authorized cloud capabilities derived from a service level agreement (SLA) between the subscriber and a cloud service provider managing the cloud.
  - 6. The method of claim 1, wherein the request is received from the subscriber.
  - 7. The method of claim 6, wherein the request is compared with a service catalog comprising authorized cloud capabilities derived from a SLA between the subscriber and a cloud service provider managing the cloud, the method further comprising:
    - denying the request if at least one cloud capability in the cloud capability set does not match any of the authorized cloud capabilities.
  - 8. The method of claim 1, wherein each cloud capability is a selected one of a group of cloud capabilities, the group consisting of:
    - (a) a capability to support different multicast encryption schemes,(b) a capability to encrypt Layer 2 tunneling protocol (L2TP) version 2, and L2TPv3 tunnels,(c) a capability to encrypt Generic Routing Encapsulation tunnels,(d) a capability to encrypt IPv6 traffic,(e) a capability to provide different quality of service for Internet Protocol security (IPsec),(f) a capability to support different VPN technologies including EzVPN, dynamic multipoint VPN, and group encrypted transport VPN,(g) a capability to support IKEv2,(h) a capability to support mobility including mobile VPN client and home agent/foreign agent,(i) a capability to support Lempel-Ziv-Stac compression before encryption,(j) a capability to support data encryption standards (DES)/Triple DES (3DES)/Advanced Encryption Standard 256,(h) a capability to support hot standby routing protocol, and(k) a capability to support IPsec with network/port address translation.

9. An apparatus, comprising:
- a memory configured to store data; and
  
  a processor operable to execute instructions associated with the data, wherein the processor and the memory cooperate, such that the apparatus is configured for;
  
  receiving a request for a cloud capability set during an IKE negotiation associated with a VPN tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities;
  
  mapping the request to one or more cryptographic modules that can support the cloud capability set; and
  
  offloading the VPN tunnel to the one or more cryptographic modules.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus of claim 9, wherein the request comprises an ISAKMP packet listing the one or more cloud capabilities in a private payload.
  - 11. The apparatus of claim 9, wherein the request is received from a service catalog comprising authorized cloud capabilities derived from a service level agreement (SLA) between the subscriber and a cloud service provider managing the cloud.
  - 12. The apparatus of claim 9, wherein the request is received from the subscriber.
  - 13. The apparatus of claim 9, further configured for:
    - receiving another request for another cloud capability set during another IKE negotiation associated with another VPN tunnel between another subscriber and the cloud, wherein the another cloud capability set is different from the cloud capability set;
      
      mapping the another request to another one or more cryptographic modules; and
      
      offloading the another VPN tunnel to the another one or more cryptographic modules.
  - 14. The apparatus of claim 9, further configured for:
    - splitting the VPN tunnel between the one or more cryptographic modules if no single cryptographic module can support substantially all of the one or more cloud capabilities in the cloud capability set.

15. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations, comprising:
- receiving a request for a cloud capability set during an IKE negotiation associated with a VPN tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities;
  
  mapping the request to one or more cryptographic modules that can support the cloud capability set; and
  
  offloading the VPN tunnel to the one or more cryptographic modules.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The logic of claim 15, wherein the request comprises an ISAKMP packet listing the one or more cloud capabilities in a private payload.
  - 17. The logic of claim 15, wherein the request is received from a service catalog comprising authorized cloud capabilities derived from a service level agreement (SLA) between the subscriber and a cloud service provider managing the cloud.
  - 18. The logic of claim 15, wherein the request is received from the subscriber.
  - 19. The logic of claim 15, the operations further comprising:
    - receiving another request for another cloud capability set during another IKE negotiation associated with another VPN tunnel between another subscriber and the cloud, wherein the another cloud capability set is different from the cloud capability set;
      
      mapping the another request to another one or more cryptographic modules; and
      
      offloading the another VPN tunnel to the another one or more cryptographic modules.
  - 20. The logic of claim 15, the operations further comprising:
    - splitting the VPN tunnel between the one or more cryptographic modules if no single cryptographic module can support substantially all of the one or more cloud capabilities in the cloud capability set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cherukuri, Sunil, Khalid, Mohamed, Cinque, Brian

Granted Patent

US 8,862,883 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 41/0803   Configuration setting

H04L 63/0272   Virtual private networks

H04L 67/1001   for accessing one among a p...

H04L 9/0838   Key agreement, i.e. key est...

SYSTEM AND METHOD FOR SECURE CLOUD SERVICE DELIVERY WITH PRIORITIZED SERVICES IN A NETWORK ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

136 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR SECURE CLOUD SERVICE DELIVERY WITH PRIORITIZED SERVICES IN A NETWORK ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others