System and method to monitor and determine if an active IPSec tunnel has become disabled

US 6,668,282 B1
Filed: 08/02/2000
Issued: 12/23/2003
Est. Priority Date: 08/02/2000
Status: Expired due to Term

First Claim

Patent Images

1. A system for monitoring the status of an active secure tunnel between a pair of network elements in a communications network, comprising:

a first network element for originating and transmitting a test message to a second network element using the secure tunnel in response to the receipt of an active tunnel monitor command;

a second network element for receiving the test message and transmitting a response back to the first network element using the secure tunnel; and

an active tunnel monitoring logic module in the first network element for accumulating a number of times that the second network element failed to return a response to each test message during a predetermined time interval and comparing the accumulated failures with a threshold value to determine if the active secure tunnel has become disabled.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for monitoring the status of an active secure tunnel between a pair of network elements in a communications network. The first network element originates and transmits an Internet Protocol Security (IPSec) test message to a second network element using a first unidirectional secure tunnel in response to the receipt of an active tunnel monitor command. The second network element receives the IPSec test message and transmits a response back to the first network element using a second unidirectional secure tunnel. The number of times that second network element failed to return a response to an IPSec test message is accumulated during a predetermined time interval and then compared with a threshold value to determine if the active secure tunnel has become disabled.

199 Citations

33 Claims

1. A system for monitoring the status of an active secure tunnel between a pair of network elements in a communications network, comprising:
- a first network element for originating and transmitting a test message to a second network element using the secure tunnel in response to the receipt of an active tunnel monitor command;
  
  a second network element for receiving the test message and transmitting a response back to the first network element using the secure tunnel; and
  
  an active tunnel monitoring logic module in the first network element for accumulating a number of times that the second network element failed to return a response to each test message during a predetermined time interval and comparing the accumulated failures with a threshold value to determine if the active secure tunnel has become disabled.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system for monitoring the status of an active secure tunnel of claim 1 further comprising a computer connected to the communications network and running a network management application that transmits the active tunnel monitor command to the first network element.
  - 3. The system for monitoring the status of an active secure tunnel of claim 1 further comprising a console interface on the first network element for generating the active tunnel monitor command.
  - 4. The system for monitoring the status of an active secure tunnel of claim 1 further comprising two unidirectional tunnels that form the secure tunnel.
  - 5. The system for monitoring the status of an active secure tunnel of claim 1 wherein the communications network is a virtual private network (VPN).
  - 6. The system for monitoring the status of an active secure tunnel of claim 1 wherein the secure tunnel is an Internet Protocol Security (IPSec) tunnel.
  - 7. The system for monitoring the status of an active secure tunnel of claim 6 wherein the test message is an IPSec tunnel ping.
  - 8. The system for monitoring the status of an active secure tunnel of claim 1 wherein the active tunnel monitor command includes an identification of the secure tunnel to test, and an interval of time that the monitor function is active.
  - 9. The system for monitoring the status of an active secure tunnel of claim 8 wherein the active tunnel monitor command further comprises a time to wait between each tunnel status verification attempt, a number of consecutive failures of tunnel status verification attempts required to determine that the active secure tunnel is disabled, and a payload size of a test packet.
  - 10. The system for monitoring the status of an active secure tunnel of claim 4 wherein a first unidirectional tunnel is used to send an Internet Protocol Security (IPSec) tunnel ping from the first network element to the second network element, and a second unidirectional tunnel is used to send a response IPSec ping from the second network element to the first network element.
  - 11. The system for monitoring the status of an active secure tunnel of claim 1 wherein the active tunnel monitoring logic prevents the transmitting of a test message if the number of bytes received or transmitted in the active secure tunnel has increased since a previous tunnel status verification attempt.

12. A method for monitoring the status of an active secure tunnel between a pair of network elements in a communications network, comprising the acts of:
- originating and transmitting a test message from a first network element to a second network element using the secure tunnel in response to an active tunnel monitor command;
  
  receiving the test message at a second network element and transmitting a response back to the first network element using the secure tunnel;
  
  accumulating a number of times that the second network element failed to return a response to each test message during a predetermined time interval; and
  
  comparing the accumulated failures with a threshold value to determine if the active secure tunnel has become disabled.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method for monitoring the status of an active secure tunnel of claim 12 further comprising transmitting the active tunnel monitor command from a network management application to the first network element.
  - 14. The method for monitoring the status of an active secure tunnel of claim 12 further comprising generating the active tunnel monitor command at a console interface on the first network element.
  - 15. The method for monitoring the status of an active secure tunnel of claim 12 wherein the secure tunnel is formed from two unidirectional tunnels.
  - 16. The method for monitoring the status of an active secure tunnel of claim 12 wherein the communications network is a virtual private network (VPN).
  - 17. The method for monitoring the status of an active secure tunnel of claim 12 wherein the secure tunnel is an Internet Protocol Security (IPSec) tunnel.
  - 18. The method for monitoring the status of an active secure tunnel of claim 17 wherein the test message is an IPSec tunnel ping.
  - 19. The method for monitoring the status of an active secure tunnel of claim 12 wherein the active tunnel monitor command includes an identification of the secure tunnel to test, and an interval of time that the monitor function is active.
  - 20. The method for monitoring the status of an active secure tunnel of claim 19 wherein the active tunnel monitor command further comprises a time to wait between each tunnel status verification attempt, a number of consecutive failures of tunnel status verification attempts required to determine that the active secure tunnel is disabled, and a payload size of a test packet.
  - 21. The method for monitoring the status of an active secure tunnel of claim 15 wherein a first unidirectional tunnel is used to send an Internet Protocol Security (IPSec) tunnel ping from the first network element to the second network element, and a second unidirectional tunnel is used to send a response IPSec tunnel ping from the second network element to the first network element.
  - 22. The method for monitoring the status of an active secure tunnel of claim 12 further comprising bypassing the transmitting of a test message using the secure tunnel if the number of bytes received or transmitted in the active secure tunnel has increased since a previous tunnel status verification attempt.

23. A computer readable medium containing a computer program product for monitoring the status of an active secure tunnel between a pair of network elements in a communications network, the computer program product comprising:
- program instructions that originate and transmit a test message to a paired network element using the secure tunnel in response to the receipt of an active tunnel monitor command;
  
  program instructions that receive a test message and transmit a response back to a paired network element using the secure tunnel;
  
  program instructions that accumulate a number of times that the paired network element failed to return a response to each test message during a predetermined time interval; and
  
  program instructions that compare the accumulated failures with a threshold value to determine if the active secure tunnel has become disabled.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer program product for monitoring the status of an active secure tunnel of claim 23 further comprising program instructions that receive the active tunnel monitor command from a network management application.
  - 25. The computer program product for monitoring the status of an active secure tunnel of claim 23 further comprising program instructions that generate the active tunnel monitor command.
  - 26. The computer program product for monitoring the status of an active secure tunnel of claim 23 wherein two unidirectional tunnels form the secure tunnel.
  - 27. The computer program product for monitoring the status of an active secure tunnel of claim 23 wherein the communications network is a virtual private network (VPN).
  - 28. The computer program product for monitoring the status of an active secure tunnel of claim 23 wherein the secure tunnel is an Internet Protocol Security (IPSec) tunnel.
  - 29. The computer program product for monitoring the status of an active secure tunnel of claim 28 wherein the test message is an IPSec tunnel ping.
  - 30. The computer program product for monitoring the status of an active secure tunnel of claim 23 wherein the active tunnel monitor command includes an identification of the secure tunnel to test, and an interval of time that the monitor function is active.
  - 31. The computer program product for monitoring the status of an active secure tunnel of claim 30 wherein the active tunnel monitor command further comprises a time to wait between each tunnel status verification attempt, a number of consecutive failures of tunnel status verification attempts required to determine that the active secure tunnel is disabled, and a payload size of a test packet.
  - 32. The computer program product for monitoring the status of an active secure tunnel of claim 26 wherein a first unidirectional tunnel is used to send an Internet Protocol Security (IPSec) tunnel ping from the first network element to the second network element, and a second unidirectional tunnel is used to send a response IPSec ping from the second network element to the first network element.
  - 33. The computer program product for monitoring the status of an active secure tunnel of claim 23 further comprising program instructions that prevent the transmitting of a test message if the number of bytes received or transmitted in the active secure tunnel has increased since a previous tunnel status verification attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Temoshenko, Leo, Wang, Xiaogang, Booth, III, Earl Hardin, Lingafelt, Charles Steven, Nguyen, Phuong Thanh
Primary Examiner(s)
Wiley, David
Assistant Examiner(s)
Avellino, Joseph E

Application Number

US09/630,936
Time in Patent Office

1,238 Days
Field of Search

709/223, 709/224, 709/227, 709/231
US Class Current

709/224
CPC Class Codes

H04L 41/0681   Configuration of triggering...

H04L 43/0817   by checking functioning

H04L 43/106   using time related informat...

H04L 43/16   Threshold monitoring

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/164   at the network layer

System and method to monitor and determine if an active IPSec tunnel has become disabled

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

199 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to monitor and determine if an active IPSec tunnel has become disabled

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links