Method and arrangement for implementing IPSEC policy management using filter code

US 6,253,321 B1
Filed: 06/19/1998
Issued: 06/26/2001
Est. Priority Date: 06/19/1998
Status: Expired due to Term

First Claim

Patent Images

1. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:

packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means, either generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means, or process the packet by said policy managing means, or process the packet by said policy managing means and generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system implements a security protocol based on processing data in packets. The data processing system comprises processing packets for storing filter code and processing data packets according to stored filter code, and a policy managing function for generating filter code and communicating generated filter code for packet processing. The packet processing function is arranged to examine, whether the stored filter code is applicable for processing a certain packet. If the stored filter code is not applicable for the processing of a packet, the packet is communicated to the policy managing function, which generates filter code applicable for the processing of the packet and communicates the generated filter code for packet processing.

285 Citations

28 Claims

1. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:
- packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means, either generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means, or process the packet by said policy managing means, or process the packet by said policy managing means and generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A data processing system according to claim 1, further comprising a policy database for storing a plurality of policy rules, wherein said policy database is implemented as a part of said policy managing means.
  - 3. A data processing system according to claim 2, further comprising key management means for implementing the key management functions according to said security protocol, wherein said key management means is arranged to communicate with said policy managing means.
  - 4. A data processing system according to claim 3, wherein said key management means and said policy managing means are arranged to generate and maintain a plurality of security associations as specific applications of said policy rules and key management functions to certain communications.
  - 5. A data processing system according to claim 4, wherein said policy managing means is arranged to generate filter code on the basis of the information contained within said policy rules and said security associations.
  - 6. A data processing system according to claim 1, wherein said policy managing means is arranged to communicate information about security associations to said packet processing means in addition to the generated filter code, and said packet processing means is arranged to perform cryptographic transformations on packets, said cryptographic transformations being based on said filter code and said information about said security associations.
  - 7. A data processing system according to claim 1, wherein said policy managing means is arranged to communicate information about only a fraction of security associations known to said policy managing means to said packet processing means.
  - 8. A data processing system according to claim 7, wherein said packet processing means is arranged to store the filter code separately from said information about said security associations.
  - 9. A data processing system according to claim 1, further comprising packet intercepting means for separating data packets for the processing of which said security protocol is applicable from a general stream of packets, wherein said packet intercepting means is arranged to communicate with said packet processing means.
  - 10. A data processing system according to claim 1, further comprising means for implementing a kernel process in a kernel address space and means for implementing user-mode processes in a user-mode process address space, wherein said packet processing means resides in said kernel address space and said policy managing means resides in said user-mode process address space.
  - 11. A data processing system according to claim 1, further comprising means for implementing a kernel process in a kernel address space and means for implementing user-mode processes in a user-mode process address space, wherein said packet processing means and said policy managing means both reside in said user-mode process address space.
  - 12. A data processing system according to claim 1, further comprising at least two network interfaces, wherein said packet processing means is arranged to store separate filter code for each network interface.
  - 13. A data processing system according to claim 1, wherein said packet processing means is arranged to process incoming and outgoing packets and store separate filter code for the processing of incoming and outgoing packets.
  - 14. A data processing system according to claim 1, wherein said filter code does not contain any backward jumps.
  - 15. A data processing system according to claim 1, wherein said filter code includes the operations of dropping a packet, passing a packet through, and referring the packet to the policy managing means.
  - 16. A data processing system according to claim 15, wherein said filter code additionally includes the operation of applying a transformation to a packet.
  - 17. A data processing system according to claim 1, wherein said packet processing means is arranged to process packets in fragments, applying said filter code to the processing of the first fragment of a packet before receiving the other fragments and processing any remaining fragments of the packet separately using the actions determined for the first fragment.
  - 18. A data processing system according to claim 17, wherein said filter code contains an instruction to require, as a response to receiving a fragment, a full packet before processing can continue.
  - 19. A data processing system according to claim 1, wherein said filter code consists of actual compiled processor instructions.

20. A method for implementing a security protocol based on processing data in packets, comprising the steps of:
- a) examining, whether a piece of stored filter code is applicable for processing a certain packet in a packet processing means, whereby a positive result means that a a piece of stored filter code is applicable for processing a certain packet and a negative result means that a piece of stored filter code is not applicable for processing a certain packet, b) following a positive result in step a), processing the packet in said packet processing means according to the stored filter code, c) following a negative result in step a), communicating the packet into a policy managing means and examining, whether filter code should be generated and communicated to said packet processing means for the processing of the packet in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means, d) following a positive result in step c), generating filter code applicable for the processing of the packet and communicating the generated filter code to said packet processing means, e) following a negative result in step c), examining, whether filter code should be generated and communicated to said packet processing means for the processing of further similar packets in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means, f) following a positive result in step e), processing the packet in the policy managing means and generating filter code applicable for the processing of further similar packet and communicating the generated filter code to said packet processing means, and g) following a negative result in step e), processing the packet in the policy managing means.

21. An apparatus for processing packets comprising:
- a computer having at least one network interface and having a memory having therein a operating system kernel address space and a user mode process address space;
  
  a policy manager computer program residing in said user mode address space and structured to control said computer to process received non regular packets in accordance with policy rules stored in a policy rules database, and to generate filter code for at least some received non regular packets which can be executed in said kernel operating space to process non regular packets of that type when nonregular packets of that type are received in the future;
  
  an IPSEC engine computer program residing in said kernel address space and structured to control said computer to receive and process regular packets in accordance with filter code which implements one or more policy rules where regular packets are defined as packets for which said filter code has code therein which implements a policy rule of a type appropriate to process that type of packet, and, non regular packets are defined as packets of a type where no filter code exists in said IPSEC engine computer program implementing a policy rule appropriate to process that type of packet, said IPSEC engine computer program structured to transmit said non regular packet to said policy manager computer program for further processing;
  
  a packet interceptor computer program residing in said kernel address space which is structured to control said computer to receive packets from said network interface, and if said packet is of a predetermined type, transmitting said packet to said IPSEC engine computer program for processing.
- View Dependent Claims (22, 23)
- - 22. An apparatus as defined in claim 21 wherein said filter code is compiled code capable of direct execution by said computer without any intermediate interpretation step.
  - 23. An apparatus as defined in claim 21 wherein said filter code is linear byte code which only forward jumps and no loops.

24. A method of speeding up the processing of IP packets in IPSEC packet transformation processing comprising:
- receiving a stream of packets and filtering out only an IP packet for processing by an IPSEC engine;
  
  transmitting said IP packet to an IPSEC engine in execution in an operating system kernel address space;
  
  if filter code exists in said IPSEC engine which is appropriate to process said IP packet, processing said IP packet in said IPSEC engine by executing filter code which encodes policy rules received from a policy manager program executing in a user mode address space, said execution of filter code performing any one or more known IPSEC processing functions on said packet, and if no filter code appropriate to process the type of IP packet received exists, transmitting said packet to said policy manager program for further processing.

25. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:
- packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means for use in processing the packet.

26. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:
- packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means process the packet send by said packet processing means.

27. A data processing system for implementing a security protocol based on processing data in packets, said data processing system comprising:
- packet processing means for storing filter code and processing data packets according to stored filter code, and policy managing means for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine, whether the stored filter code is applicable for processing a certain packet, and to communicate such packets for the processing of which the stored filter code is not applicable to said policy managing means, and wherein said policy managing means is arranged to, as a response to receiving a packet from said packet processing means process the packet by said policy managing means and generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means.

28. A computer program product for processing packets comprising:
- a computer usable medium having computer readable program code embodied in said medium for processing data packets and having;
  
  computer readable computer code which implements a policy manager computer program structured to control said computer to process received non regular packets in accordance with policy rules stored in a policy rules database, and to generate filter code for at least some received non regular packets which can be executed in a computer to process non regular packets of that type when nonregular packets of that type are received in the future;
  
  computer readable computer code which implements an IPSEC engine computer program which is structured to control a computer to receive and process regular packets in accordance with filter code which implements one or more policy rules where regular packets are defined as packets for which said filter code has code therein which implements a policy rule of a type appropriate to process that type of packet, and, non regular packets are defined as packets of a type where no filter code exists in said IPSEC engine computer program implementing a policy rule appropriate to process that type of packet, said IPSEC engine computer program structured to transmit said non regular packet to said policy manager computer program for further processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tectia Oyj
Original Assignee
SSH Communications Security Ltd. (SSH Communications Security Oyj)
Inventors
Nikander, Pekka, Ylonen, Tatu
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/100,272
Time in Patent Office

1,103 Days
Field of Search

713/160, 713/162, 713/168, 713/189, 713/200, 713/201
US Class Current

713/160
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0442   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/40   Network security protocols

Method and arrangement for implementing IPSEC policy management using filter code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

285 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and arrangement for implementing IPSEC policy management using filter code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

285 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links