Filtering Network Packets in Multiple Forwarding Information Base Systems

US 20140047534A1
Filed: 08/07/2012
Published: 02/13/2014
Est. Priority Date: 08/07/2012
Status: Active Grant

First Claim

Patent Images

1. A method for routing communication, comprising:

receiving a request for a communication session from an application running on a user device, wherein the user device includes two or more perimeters, a binding interface, and an Internet Protocol (IP) security (IPsec) interface;

determining a binding interface for the communication session based on a forwarding information base (FIB) and a destination for the communication session, the binding interface shared with the two or perimeters;

determining that a virtual private network (VPN) tunnel is currently established through the IPsec interface and the binding interface; and

determining whether to filter the communication session based on which of the two or more perimeters of the user device includes the binding interface and which of the two or more perimeters of the user device includes the IPsec interface.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some implementations, a method for routing communication includes determining a binding interface for a communication session based on a forwarding information base (FIB) and a destination for the communication session. The communication session is from an application running on user equipment (UE), and the binding interface is included in a virtual private network (VPN) tunnel established through an Internet Protocol (IP) security (IPsec) interface. Whether to filter the communication session is determined based on which perimeter of the UE includes the binding interface and which perimeter of the UE includes the IPsec interface.

36 Citations

View as Search Results

20 Claims

1. A method for routing communication, comprising:
- receiving a request for a communication session from an application running on a user device, wherein the user device includes two or more perimeters, a binding interface, and an Internet Protocol (IP) security (IPsec) interface;
  
  determining a binding interface for the communication session based on a forwarding information base (FIB) and a destination for the communication session, the binding interface shared with the two or perimeters;
  
  determining that a virtual private network (VPN) tunnel is currently established through the IPsec interface and the binding interface; and
  
  determining whether to filter the communication session based on which of the two or more perimeters of the user device includes the binding interface and which of the two or more perimeters of the user device includes the IPsec interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, the method further comprising:
    - determining the binding interface, the IPsec interface, and the application are included in a same perimeter; and
      
      filtering packets from the application to prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 3. The method of claim 2, wherein the same perimeter is an enterprise perimeter, the method further comprising:
    - determining applications in a personal perimeter are granted access to interfaces in the enterprise perimeter; and
      
      filtering packets from applications in both the personal perimeter and the enterprise perimeter to substantially prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 4. The method of claim 1, the method further comprising:
    - determining the binding interface and the IPsec interface are included in different perimeters;
      
      determining applications in a personal perimeter are granted access to interfaces in an enterprise perimeter; and
      
      filtering packets from applications in the personal perimeter to prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 5. The method of claim 1, the method further comprising:
    - determining the binding interface and the IPsec interface are included different perimeters;
      
      determining applications in a personal perimeter are prohibited access to interfaces in an enterprise perimeter; and
      
      routing packets from the communication session to the binding interface.
  - 6. The method of claim 1, wherein the user device comprises a mobile device.
  - 7. The method of claim 1, wherein the binding interface comprises at least one of a Wifi interface, a cellular interface, or a frequency-hopping spread spectrum interface.

8. A computer program product encoded on a tangible, non-transitory storage medium, the product comprising computer readable instructions for causing one or more processors to perform operations comprising:
- receiving a request for a communication session from an application running on a user device, wherein the user device includes two or more perimeters, a binding interface, and an Internet Protocol (IP) security (IPsec) interface;
  
  determining a binding interface for the communication session based on a forwarding information base (FIB) and a destination for the communication session, the binding interface shared with the two or perimeters;
  
  determining that a virtual private network (VPN) tunnel is currently established through the IPsec interface and the binding interface; and
  
  determining whether to filter the communication session based on which of the two or more perimeters of the user device includes the binding interface and which of the two or more perimeters of the user device includes the IPsec interface.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, the instructions further comprising:
    - determining the binding interface, the IPsec interface, and the application are included in a same perimeter; and
      
      filtering packets from the application to prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 10. The computer program product of claim 9, wherein the same perimeter is an enterprise perimeter, the instructions further comprising:
    - determining applications in a personal perimeter are granted access to interfaces in the enterprise perimeter; and
      
      filtering packets from applications in both the personal perimeter and the enterprise perimeter to substantially prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 11. The computer program product of claim 8, the instructions further comprising:
    - determining the binding interface and the IPsec interface are included different perimeters;
      
      determining applications in a personal perimeter are granted access to interfaces in an enterprise perimeter; and
      
      filtering packets from applications in the personal perimeter to prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 12. The computer program product of claim 8, the instructions further comprising:
    - determining the binding interface and the IPsec interface are included in different perimeters;
      
      determining applications in a personal perimeter are prohibited access to interfaces in an enterprise perimeter; and
      
      routing packets from the communication session to the binding interface.
  - 13. The computer program product of claim 8, wherein the user device comprises a mobile device.
  - 14. The computer program product of claim 8, wherein the binding interface comprises at least one of a Wifi interface, a cellular interface, or a frequency-hopping spread spectrum interface.

15. A user device for routing a communication, comprising:
- memory that stores a plurality of FIBs including a FIB and an application, wherein each FIB in the plurality of FIBs identifies routes and interfaces for communicating messages; and
  
  one or more processors configured to;
  
  receive a request for a communication session from an application running on the user device, wherein the user device includes two or more perimeters, a binding interface, and an Internet Protocol (IP) security (IPsec) interface;
  
  determine a binding interface for the communication session based on the FIB and a destination for the communication session, the binding interface shared with the two or perimeters;
  
  determining that a virtual private network (VPN) tunnel is currently established through the IPsec interface and the binding interface; and
  
  determine whether to filter the communication session based on which of the two or more perimeters of the user device includes the binding interface and which of the two or more perimeters of the user device includes the IPsec interface.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The user device of claim 15, the processors further configured to:
    - determine the binding interface, the IPsec interface, and the application are included in a same perimeter; and
      
      filter packets from the application to prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 17. The user device of claim 16, wherein the same perimeter is an enterprise perimeter, the processors further configured to:
    - determine applications in a personal perimeter are granted access to interfaces in the enterprise perimeter; and
      
      filter packets from applications in both the personal perimeter and the enterprise perimeter to substantially prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 18. The user device of claim 15, the processors further configured to:
    - determine the binding interface and the IPsec interface are included different perimeters;
      
      determine applications in a personal perimeter are granted access to interfaces in an enterprise perimeter; and
      
      filter packets from applications in the personal perimeter to prevent direct access to the binding interface, wherein the filtered packets were generated for the communication session.
  - 19. The user device of claim 15, the processors further configured to:
    - determine the binding interface and the IPsec interface are included in different perimeters;
      
      determine applications in a personal perimeter are prohibited access to interfaces in an enterprise perimeter; and
      
      route packets from the communication session to the binding interface.
  - 20. The user device of claim 15, wherein the binding interface comprises at least one of a Wifi interface, a cellular interface, or a frequency-hopping spread spectrum interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Tse, Chi Chiu, Xu, Jason Songbo, Halliop, Ania, Lai, Chun Hei Justin

Granted Patent

US 8,997,203 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0485   Networking architectures fo...

H04L 63/164   at the network layer

H04W 12/086   using security domains

Filtering Network Packets in Multiple Forwarding Information Base Systems

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering Network Packets in Multiple Forwarding Information Base Systems

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links