Method and system for retrieving security information for secured transmission of network communication streams
Abstract
A system and method for retrieving security data, such as Security Associations ("SAs") of the IPsec protocols, required for secured transmission of network packets uses a caching mechanism to significantly enhance the speed of retrieving the security data. The system has a plurality of security policy filters, and each filter may have multiple security data entries associated with different communication streams. To enable fast retrieval of security data for network communication packets, the system maintains a cache table. Each entry of the cache table contains data identifying a communication stream and either negotiated SA data or an exempt filter for that stream. When a packet passes through the system, a security driver derives an index value from the communication stream data of the packet and retrieves the cache table entry corresponding to that index. If the communication stream data in the retrieved cache table entry match those of the packet, the security data in the entry are used for secured delivery of the packet.
20 Claims
1. A computer-readable medium having computer-executable instructions for performing the steps comprising:
receiving a communication packet having communication stream data identifying a communication stream to which the communication packet belongs;
deriving an index from the communication stream data of the packet by combining the communication stream data into a number and calculating a modulus of said number based on a size of a cache table;
retrieving from a cache table an entry corresponding to said index, the entry containing communication stream data and security data for said communication stream;
comparing the communication stream data of the retrieved cache table entry with the communication stream data of the communication packet to determine whether a match between the cache table entry and the communication packet is found; and
when a match is found, applying security measures to the communication packet according to the security data in the cache table entry.
Dependent claims 2 to 12. Among them, a claim dependent on claim 1 recites the further steps of:
when a match between the cache table entry and the communication packet is not found, traversing a list of security policy filters to find a security policy filter matching the communication packet;
reviewing a plurality of security parameter records associated with the matching security policy filter to identify a security parameter record matching the communication packet;
performing security operations on the communication packet according to data in the matching security parameter record for secured delivery of the communication packet; and
updating the cache table entry associated with the index with data in the matching security parameter record.
7. A computer-readable medium as in claim 6, having further computer-executable instructions for performing the steps of:
when a matching security policy filter is found and a matching security parameter record is not found, calling a negotiation server to negotiate security parameters for secured delivery of the communication packet;
updating the cache table entry associated with the index with the negotiated security parameters.
8. A computer-readable medium as in claim 1, wherein the security data stored in the cache table entry include an exempt filter.
9. A computer-readable medium as in claim 8, wherein the step of applying security measures includes allowing the communication packet to pass when the exempt filter is of a bypass type and dropping the communication packet when the exempt filter is of a block type.
10. A computer-readable medium as in claim 1, wherein the security data of the cache table entry include a security parameter record containing security parameters for secured delivery of a communication packet.
11. A computer-readable medium as in claim 10, wherein the security data of the cache table entry includes multiple security parameter records.
12. A computer-readable medium as in claim 1, wherein the cache table entry includes data indicating whether the security data include an exempt filter or a security parameter record.
13. A computer-readable medium having stored thereon a data structure, comprising a plurality of entries forming a cache table, each of the entries having a first data field containing communication stream data identifying a network communication stream and a second data field containing security data identifying security measures to be applied to packets in said communication stream, said each entry having a storage location index derived by combining the communication stream data into a number and calculating a modulus of said number based on a size of a cache table.
18. A method of applying security measures to communication packets, comprising:
receiving a communication packet having communication stream data identifying a communication stream to which the communication packet belongs;
deriving an index from the communication stream data of the packet by combining the communication stream data into a number and calculating a modulus of said number based on a size of a cache table;
retrieving from a cache table an entry corresponding to said index, the entry containing communication stream data and security data for said communication stream;
comparing the communication stream data of the retrieved cache table entry with the communication stream data of the communication packet to determine whether a match between the cache table entry and the communication packet is found; and
when a match is found, applying security measures to the communication packet according to the security data in the cache table entry.
Dependent claims 19 and 20. A claim dependent on claim 18 recites the further steps of:
when a match between the cache table entry and the communication packet is not found, traversing a list of security policy filters to find a security policy filter matching the communication packet;
reviewing a plurality of security parameter records associated with the matching security policy filter to identify a security parameter record matching the communication packet;
performing security operations on the communication packet according to data in the matching security parameter record for secured delivery of the communication packet; and
updating the cache table entry associated with the index with data in the matching security parameter record.
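The lookup path recited in the abstract and in the claims above (index derivation by combining the stream data and reducing modulo the table size, retrieval and comparison of the cache entry, fall-back to the filter list and its security parameter records, negotiation when a filter matches but no record does, and bypass/block exempt filters), as an added Python example that is not code from the patent or its assignee. The type and function names, the negotiate() callback standing in for the negotiation server, representing an SA by its SPI alone, the fail-closed handling of a packet that matches no filter (which the page does not specify) and the constructed traffic in demo() are this example's own assumptions.

```python
"""Direct-mapped cache of IPsec security data keyed by a packet's stream data.
Added illustration, not the patent's code: names, the negotiate() stand-in for
the negotiation server and the fail-closed default are assumptions of this example."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
import ipaddress

# Communication stream data: the 5-tuple identifying one flow.
StreamKey = namedtuple("StreamKey", "src dst proto sport dport")
# Exempt filter: action "bypass" passes the packet in the clear, "block" drops it.
ExemptFilter = namedtuple("ExemptFilter", "action")
# Security parameter record; spi stands in for the full SA (keys, algorithms, lifetime).
SecurityAssociation = namedtuple("SecurityAssociation", "stream spi")
# Cache entry: stream data plus an ExemptFilter or SecurityAssociation (its type is the tag).
CacheEntry = namedtuple("CacheEntry", "stream data")


@dataclass
class PolicyFilter:
    """Security policy filter; None fields are wildcards, first match wins."""
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None
    exempt: Optional[ExemptFilter] = None                         # either an exempt filter
    sas: List[SecurityAssociation] = field(default_factory=list)  # or negotiated SAs

    def matches(self, k: StreamKey) -> bool:
        pairs = ((self.dst, k.dst), (self.proto, k.proto), (self.dport, k.dport))
        return all(want is None or want == have for want, have in pairs)


def derive_index(k: StreamKey, table_size: int) -> int:
    """Combine the stream data into one number, then reduce it modulo the table size."""
    n = int(ipaddress.ip_address(k.src)) << 128 | int(ipaddress.ip_address(k.dst))
    n = ((n << 8 | k.proto) << 16 | k.sport) << 16 | k.dport
    return n % table_size


def cache_lookup(table: List[Optional[CacheEntry]], k: StreamKey) -> Optional[CacheEntry]:
    e = table[derive_index(k, len(table))]
    # The modulus maps many streams to one slot, so the stream data must be compared;
    # without this check a colliding stream would be sent under another stream's SA.
    return e if e is not None and e.stream == k else None


def cache_update(table: List[Optional[CacheEntry]], k: StreamKey, data) -> None:
    table[derive_index(k, len(table))] = CacheEntry(k, data)   # one slot per index: overwrite


def apply_security(data) -> str:
    if isinstance(data, ExemptFilter):
        return "pass" if data.action == "bypass" else "drop"
    return f"protect:{data.spi:#x}"


def process_packet(k: StreamKey, table: List[Optional[CacheEntry]], filters: List[PolicyFilter],
                   negotiate: Callable[[StreamKey], SecurityAssociation]) -> Tuple[str, str]:
    """Return (action, path), where path records which lookup stage decided."""
    hit = cache_lookup(table, k)
    if hit is not None:
        return apply_security(hit.data), "cache"
    for f in filters:                   # cache miss: traverse the filter list
        if not f.matches(k):
            continue
        if f.exempt is not None:
            cache_update(table, k, f.exempt)
            return apply_security(f.exempt), "policy"
        for sa in f.sas:                # review the filter's security parameter records
            if sa.stream == k:
                cache_update(table, k, sa)
                return apply_security(sa), "policy"
        sa = negotiate(k)               # filter found but no SA: call the negotiation server
        f.sas.append(sa)
        cache_update(table, k, sa)
        return apply_security(sa), "negotiated"
    return "drop", "nofilter"           # assumption: fail closed when no filter matches


def demo() -> dict:
    """Constructed traffic exercising every path: hit, collision, bypass, block, no filter."""
    table: List[Optional[CacheEntry]] = [None] * 8
    spis = iter(range(0x1000, 0x2000))
    negotiate = lambda k: SecurityAssociation(k, next(spis))  # stand-in for IKE
    filters = [
        PolicyFilter(dst="10.0.0.5", proto=17, dport=53, exempt=ExemptFilter("bypass")),
        PolicyFilter(dst="10.0.0.9", proto=6, dport=23, exempt=ExemptFilter("block")),
        PolicyFilter(proto=6),                                 # all other TCP: protect
    ]
    a = StreamKey("10.0.0.1", "10.0.0.7", 6, 40000, 443)
    b = StreamKey("10.0.0.2", "10.0.0.7", 6, 40001, 443)       # index is dport % 8: a's slot
    dns = StreamKey("10.0.0.1", "10.0.0.5", 17, 5353, 53)
    telnet = StreamKey("10.0.0.1", "10.0.0.9", 6, 40002, 23)
    icmp = StreamKey("10.0.0.1", "10.0.0.9", 1, 0, 0)
    r = {"collision": derive_index(a, 8) == derive_index(b, 8)}
    for name, k in [("a1", a), ("a2", a), ("b1", b), ("a3", a),
                    ("dns1", dns), ("dns2", dns), ("telnet", telnet), ("icmp", icmp)]:
        r[name] = process_packet(k, table, filters, negotiate)
    return r
```

The cache is direct-mapped, so the comparison step is what carries the security: stream b above lands in a's slot, and on the index alone a would be sent under b's SA. In this example the combined number's low bits are the destination port, so a peer that chooses ports can force collisions and keep evicting entries; because of the comparison that costs a filter-list traversal on each miss (and a fresh negotiation only when no record exists), not the confidentiality of another stream.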
Specification