Method and arrangement for implementing IPSEC policy management using filter code
Abstract
A data processing system implements a security protocol based on processing data in packets. The data processing system comprises a packet processing function for storing filter code and processing data packets according to stored filter code, and a policy managing function for generating filter code and communicating generated filter code for packet processing. The packet processing function is arranged to examine whether the stored filter code is applicable for processing a certain packet. If the stored filter code is not applicable for the processing of a packet, the packet is communicated to the policy managing function, which generates filter code applicable for the processing of the packet and communicates the generated filter code for packet processing.
28 Claims
1. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:
packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means, either generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means, or process the packet by said policy managing means, or process the packet by said policy managing means and generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means.
Dependent claims: 2 to 19.
20. A method for implementing a security protocol based on processing data in packets, comprising the steps of:
a) examining, whether a piece of stored filter code is applicable for processing a certain packet in a packet processing means, whereby a positive result means that a piece of stored filter code is applicable for processing a certain packet and a negative result means that a piece of stored filter code is not applicable for processing a certain packet,
b) following a positive result in step a), processing the packet in said packet processing means according to the stored filter code,
c) following a negative result in step a), communicating the packet into a policy managing means and examining, whether filter code should be generated and communicated to said packet processing means for the processing of the packet in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means,
d) following a positive result in step c), generating filter code applicable for the processing of the packet and communicating the generated filter code to said packet processing means,
e) following a negative result in step c), examining, whether filter code should be generated and communicated to said packet processing means for the processing of further similar packets in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means,
f) following a positive result in step e), processing the packet in the policy managing means and generating filter code applicable for the processing of further similar packets and communicating the generated filter code to said packet processing means, and
g) following a negative result in step e), processing the packet in the policy managing means.
21. An apparatus for processing packets comprising:
a computer having at least one network interface and having a memory having therein an operating system kernel address space and a user mode process address space;
a policy manager computer program residing in said user mode address space and structured to control said computer to process received non regular packets in accordance with policy rules stored in a policy rules database, and to generate filter code for at least some received non regular packets which can be executed in said kernel operating space to process non regular packets of that type when non regular packets of that type are received in the future;
an IPSEC engine computer program residing in said kernel address space and structured to control said computer to receive and process regular packets in accordance with filter code which implements one or more policy rules where regular packets are defined as packets for which said filter code has code therein which implements a policy rule of a type appropriate to process that type of packet, and, non regular packets are defined as packets of a type where no filter code exists in said IPSEC engine computer program implementing a policy rule appropriate to process that type of packet, said IPSEC engine computer program structured to transmit said non regular packet to said policy manager computer program for further processing;
a packet interceptor computer program residing in said kernel address space which is structured to control said computer to receive packets from said network interface, and if said packet is of a predetermined type, transmitting said packet to said IPSEC engine computer program for processing.
Dependent claims: 22 and 23.
24. A method of speeding up the processing of IP packets in IPSEC packet transformation processing comprising:
receiving a stream of packets and filtering out only an IP packet for processing by an IPSEC engine;
transmitting said IP packet to an IPSEC engine in execution in an operating system kernel address space;
if filter code exists in said IPSEC engine which is appropriate to process said IP packet, processing said IP packet in said IPSEC engine by executing filter code which encodes policy rules received from a policy manager program executing in a user mode address space, said execution of filter code performing any one or more known IPSEC processing functions on said packet, and if no filter code appropriate to process the type of IP packet received exists, transmitting said packet to said policy manager program for further processing.
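The split described in claims 21 and 24 (a kernel-side engine that executes only stored filter code, and a user-mode policy manager that decides non regular packets and hands back generated filter code) as an added Python simulation; this is constructed illustration, not the patent's own code. The Packet and Rule shapes, the string-prefix selector match, the PUNT marker and the strategy of compiling every rule up to the matching one are assumptions made here: compiling only the matching rule would let a broad low-priority rule, once installed in the engine, shadow a higher-priority rule that has not been compiled yet, so regular packets would get a different decision from the policy database.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
@dataclass(frozen=True)
class Packet:              # constructed: only the selectors the policy looks at
    src: str
    dst: str
    proto: str
    dport: int
PUNT = "punt"              # filter result: hand this packet to the policy manager
FilterCode = Callable[[Packet], Optional[str]]   # action, PUNT, or None if not applicable
@dataclass
class Rule:
    dst_prefix: str        # constructed: string-prefix match stands in for a CIDR test
    proto: Optional[str]   # None matches any protocol
    action: str            # "bypass", "drop" or "esp:<sa>" (constructed labels)
    in_kernel: bool        # False: the policy manager processes every such packet itself

def matches(rule: Rule, p: Packet) -> bool:
    return p.dst.startswith(rule.dst_prefix) and rule.proto in (None, p.proto)
def compile_rule(rule: Rule) -> FilterCode:   # generate filter code for one rule
    result = rule.action if rule.in_kernel else PUNT
    return lambda p: result if matches(rule, p) else None
@dataclass
class PolicyManager:       # user-mode side: owns the ordered policy rules database
    rules: List[Rule]
    def handle_miss(self, p: Packet) -> Tuple[str, List[FilterCode]]:
        for i, r in enumerate(self.rules):
            if matches(r, p):
                # Code for every rule up to the match, so stored filters stay a prefix of the
                # policy order: a broad later rule compiled alone could shadow an earlier one.
                return r.action, [compile_rule(x) for x in self.rules[: i + 1]]
        return "drop", []  # no rule matched: default deny, decided per packet

@dataclass
class IpsecEngine:         # kernel side: executes only stored filter code
    policy: PolicyManager
    filters: List[FilterCode] = field(default_factory=list)
    misses: int = 0
    def process(self, p: Packet) -> str:
        for code in self.filters:
            act = code(p)
            if act == PUNT:
                break                        # rule exists but the manager handles it
            if act is not None:
                return act                   # regular packet: fast path
        self.misses += 1                     # non regular packet: slow path
        act, generated = self.policy.handle_miss(p)
        if len(generated) > len(self.filters):
            self.filters = generated         # a longer prefix of the policy is now compiled
        return act
```

Packets with no matching rule are dropped per packet rather than cached, which keeps unknown traffic from installing filter code but means every such packet costs a trip to user mode.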
25. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:
packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means for use in processing the packet.
26. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:
packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means process the packet sent by said packet processing means.
27. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:
packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means process the packet by said policy managing means and generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means.
28. A computer program product for processing packets comprising:
a computer usable medium having computer readable program code embodied in said medium for processing data packets and having;
computer readable computer code which implements a policy manager computer program structured to control said computer to process received non regular packets in accordance with policy rules stored in a policy rules database, and to generate filter code for at least some received non regular packets which can be executed in a computer to process non regular packets of that type when non regular packets of that type are received in the future;
computer readable computer code which implements an IPSEC engine computer program which is structured to control a computer to receive and process regular packets in accordance with filter code which implements one or more policy rules where regular packets are defined as packets for which said filter code has code therein which implements a policy rule of a type appropriate to process that type of packet, and, non regular packets are defined as packets of a type where no filter code exists in said IPSEC engine computer program implementing a policy rule appropriate to process that type of packet, said IPSEC engine computer program structured to transmit said non regular packet to said policy manager computer program for further processing.