Transparent inline content inspection and modification in a TCP session

US 20160105469A1
Filed: 10/13/2014
Published: 04/14/2016
Est. Priority Date: 10/13/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

during a TCP session established between a sending entity and a receiving entity, inspecting a stream of TCP traffic;

upon determining that a portion of the stream is to be rewritten, the portion comprising one or more input data packets received from the sending entity, placing, in an input record, the one or more input data packets constituting the portion;

returning to the sending entity an acknowledgement for each input data packet received except for a last input data packet constituting the portion;

generating, from the one or more input data packets in the input record, a modified portion of the stream, the modified portion comprising one or more output data packets to be sent to the receiving entity;

placing in an output record the one or more output data packets;

forwarding into the stream of TCP traffic to the receiving entity the one or more output data packets in the output record; and

upon receipt of acknowledgements from the receiving entity for each output data packet in the output record, transmitting an acknowledgement of the last input data packet to the sending entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network appliance is configured to provide inline traffic inspection for all flow through the device, to selectively intercept based on traffic content or policy, and to modify intercepted traffic content, all without connection termination and re-origination. Content modification may involve substitution of traffic content with smaller or larger content, in which case the device provides appropriate sequence number translations for acknowledgements to the endpoints. This streaming rewrite may occur on a byte-at-a-time basis, while keeping the session alive and without a need to proxy it. The appliance enables transmitted TCP data to be modified inline and then reliably delivered without the overhead of forwarding packets through a full-blown TCP stack. Rather, the approach relies upon an initiator entity'"'"'s TCP stack for congestion control, as well as the receiving entity'"'"'s re-transmission behavior to determine how the device manages packets internally.

Citations

25 Claims

1. A method, comprising:
- during a TCP session established between a sending entity and a receiving entity, inspecting a stream of TCP traffic;
  
  upon determining that a portion of the stream is to be rewritten, the portion comprising one or more input data packets received from the sending entity, placing, in an input record, the one or more input data packets constituting the portion;
  
  returning to the sending entity an acknowledgement for each input data packet received except for a last input data packet constituting the portion;
  
  generating, from the one or more input data packets in the input record, a modified portion of the stream, the modified portion comprising one or more output data packets to be sent to the receiving entity;
  
  placing in an output record the one or more output data packets;
  
  forwarding into the stream of TCP traffic to the receiving entity the one or more output data packets in the output record; and
  
  upon receipt of acknowledgements from the receiving entity for each output data packet in the output record, transmitting an acknowledgement of the last input data packet to the sending entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein a number of input data packets constituting the portion of the stream to be rewritten differs from a number of output data packets constituting the modified portion of the stream.
  - 3. The method as described in claim 2 further including:
    - determining a sequence number delta that results as a result of a number of bytes in the output record differing from a number of bytes in the input record; and
      
      applying the sequence number delta with respect to an acknowledgement returned to the sending entity.
  - 4. The method as described in claim 1 further including:
    - discarding the one or more input data packets in the input record upon generating the one or more output packets.
  - 5. The method as described in claim 1 further including:
    - discarding a respective output data packet in the output record upon receipt from the receiving entity of the acknowledgement for that respective output data packet.
  - 6. The method as described in claim 1 further including:
    - reassembling any out-of-order input data packets received from the sending entity prior to generating the modified portion of the stream.
  - 7. The method as described in claim 1 further including:
    - dropping any retransmit of the last input data packet that is received from the sending entity while any output data packet is not yet acknowledged by the receiving entity.
  - 8. The method as described in claim 7 further including:
    - re-forwarding to the receiving entity each output data packet of the output record that is not yet acknowledged by the receiving entity.

9. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor, the computer memory comprising a first memory buffer, and a second memory buffer, the computer program instructions, comprising;
  
  program code operative during a TCP session established between a first computing entity and a second computing entity, to inspect a stream of TCP traffic;
  
  program code operative upon determining that a portion of the stream is to be rewritten, the portion comprising one or more input data packets, to store into the first memory buffer the one or more input data packets constituting the portion;
  
  program code operative to return an acknowledgement for each input data packet received except for a last input data packet constituting the portion;
  
  program code operative to generate, from the one or more input data packets, a modified portion of the stream, the modified portion comprising one or more output data packets;
  
  program code to store into the second memory buffer the one or more output data packets;
  
  program code operative to forward into the stream of TCP traffic the one or more output data packets; and
  
  program code operative upon receipt of acknowledgements for each output data packet to transmit an acknowledgement of the last input data packet.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as described in claim 9 wherein a number of input data packets constituting the portion of the stream to be rewritten differs from a number of output data packets constituting the modified portion of the stream.
  - 11. The apparatus as described in claim 9 wherein the computer program instructions further include:
    - program code operative to determine a sequence number delta that occurs as a result of a number of bytes in the output record differing from a number of bytes in the input record; and
      
      program code to apply the sequence number delta with respect to an acknowledgement forwarded into the stream of TCP traffic.
  - 12. The apparatus as described in claim 9 wherein the computer program instructions further include:
    - program code operative to discard the one or more input data packets in the input record upon generating the one or more output packets.
  - 13. The apparatus as described in claim 9 wherein the computer program instructions further include:
    - program code operative to discard a respective output data packet in the output record upon receipt of the acknowledgement for that respective output data packet.
  - 14. The apparatus as described in claim 9 wherein the computer program instructions further include:
    - program code operative to reassemble any out-of-order input data packets prior to generating the modified portion of the stream.
  - 15. The apparatus as described in claim 9 wherein the computer program instructions further include:
    - program code operative to drop any retransmit of the last input data packet that is received while any output data packet is not yet acknowledged.
  - 16. The apparatus as described in claim 15 wherein the computer program instructions further include:
    - program code operative to re-forward into the stream each output data packet of the output record that is not yet acknowledged.

17. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system, the computer program instructions comprising:
- program code operative during a TCP session established between a first computing entity and a second computing entity, to inspect a stream of TCP traffic;
  
  program code operative upon determining that a portion of the stream is to be rewritten, the portion comprising one or more input data packets, to store into a first memory buffer the one or more input data packets constituting the portion;
  
  program code operative to return an acknowledgement for each input data packet received except for a last input data packet constituting the portion;
  
  program code operative to generate, from the one or more input data packets, a modified portion of the stream, the modified portion comprising one or more output data packets;
  
  program code to store into a second memory buffer the one or more output data packets;
  
  program code operative to forward into the stream of TCP traffic the one or more output data packets; and
  
  program code operative upon receipt of acknowledgements for each output data packet to transmit an acknowledgement of the last input data packet.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product as described in claim 17 wherein a number of input data packets constituting the portion of the stream to be rewritten differs from a number of output data packets constituting the modified portion of the stream.
  - 19. The computer program product as described in claim 17 wherein the computer program instructions further include:
    - program code operative to determine a sequence number delta that occurs as a result of a number of bytes in the output record differing from a number of bytes in the input record; and
      
      program code to apply the sequence number delta with respect to an acknowledgement forwarded into the stream of TCP traffic.
  - 20. The computer program product as described in claim 17 wherein the computer program instructions further include:
    - program code operative to discard the one or more input data packets in the input record upon generating the one or more output packets.
  - 21. The computer program product as described in claim 17 wherein the computer program instructions further include:
    - program code operative to discard a respective output data packet in the output record upon receipt of the acknowledgement for that respective output data packet.
  - 22. The computer program product as described in claim 17 wherein the computer program instructions further include:
    - program code operative to reassemble any out-of-order input data packets prior to generating the modified portion of the stream.
  - 23. The computer program product as described in claim 17 wherein the computer program instructions further include:
    - program code operative to drop any retransmit of the last input data packet that is received while any output data packet is not yet acknowledged.
  - 24. The computer program product as described in claim 23 wherein the computer program instructions further include:
    - program code operative to re-forward into the stream each output data packet of the output record that is not yet acknowledged.

25. A method, comprising:
- inspecting traffic flowing between a pair of endpoints that each support a TCP stack;
  
  as the traffic is flowing, and without connection termination, selectively rewriting the traffic to generate rewritten data content; and
  
  using endpoint-generated retransmitted packets and acknowledgement messages to control transmission of the rewritten data content;
  
  wherein the inspecting, rewriting and control operations are performed in software executing in one or more hardware elements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dennerline, David Allen, Galloway, Gregory Lyle, Coccoli, Paul Jr., Mazur, Steven Ashley

Granted Patent

US 10,382,591 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 69/16   Implementation or adaptatio...

Transparent inline content inspection and modification in a TCP session

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent inline content inspection and modification in a TCP session

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links