Method and system for retrieving security information for secured transmission of network communication streams

US 6,772,348 B1
Filed: 04/27/2000
Issued: 08/03/2004
Est. Priority Date: 04/27/2000
Status: Expired due to Term

First Claim

Patent Images

1. A computer-readable medium having computer-executable instructions for performing the steps comprising:

receiving a communication packet having communication stream data identifying a communication stream to which the communication packet belongs;

deriving an index from the communication stream data of the packet by combining the communication steam data into a number and calculating a modulus of said number based on a size of a cache table;

retrieving from a cache table an entry corresponding to said index, the entry containing communication steam data and security data for said communication stream;

comparing the communication stream data of the retrieved cache table entry with the communication stream data of the communication packet to determine whether a match between the cache table entry and the communication packet is found; and

when a match is found, applying security measures to the communication packet according to the security data in the cache table entry.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for retrieving security data, such as Security Associations (“SAs”) of the IPSec protocols, required for secured transmission of network packets uses a caching mechanism to significantly enhance the speed of retrieving the security data. The system has a plurality of security policy filters, and each filter may have multiple security data entries associated with different communication streams. To enable fast retrieval of security data for network communication packets, the system maintains cache table. Each entry of the cache table contains data identifying a communication stream and negotiated SA data or an exempt filter for that stream. When a packet passes through the system, a security driver derives an index value from the communication stream data of the packet, and the cache table entry corresponding to the derived index value is then retrieved. If the retrieved security data in the cache table entry matches the packet, the security data therein are used for secured delivery of the packet.

Citations

20 Claims

1. A computer-readable medium having computer-executable instructions for performing the steps comprising:
- receiving a communication packet having communication stream data identifying a communication stream to which the communication packet belongs;
  
  deriving an index from the communication stream data of the packet by combining the communication steam data into a number and calculating a modulus of said number based on a size of a cache table;
  
  retrieving from a cache table an entry corresponding to said index, the entry containing communication steam data and security data for said communication stream;
  
  comparing the communication stream data of the retrieved cache table entry with the communication stream data of the communication packet to determine whether a match between the cache table entry and the communication packet is found; and
  
  when a match is found, applying security measures to the communication packet according to the security data in the cache table entry.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A computer-readable medium as in claim 1, wherein the security data includes a Security Association (“
    - SA”
      
      ) under the IPSec protocols.
  - 3. A computer-readable medium as in claim 1, wherein the communication stream data of the communication packet include a source address and a destination address.
  - 4. A computer-readable medium as in claim 3, wherein the communication stream data of the communication packet further include data specifying a transport protocol used for the communication packet.
  - 5. A computer-readable medium as in claim 4, wherein the communication stream data of the communication packet further include data specifying a source transport port and a destination transport port.
  - 6. A computer-readable medium as in claim 1, having further computer-executable instructions for performing the steps of:
7. A computer-readable medium as in claim 6, having further computer-executable instructions for performing the steps of:
- when a matching security policy filter is found and a matching security parameter record is not found, calling a negotiation server to negotiate security parameters for secured delivery of the communication packet;
  
  updating the cache table entry associated with the index with the negotiated security parameters.
8. A computer-readable medium as in claim 1, wherein the security data stored in the cache table entry include an exempt filter.
9. A computer-readable medium as in claim 8, wherein the step of applying security measures includes allowing the communication packet to pass when the exempt filter is of a bypass type and dropping the communication packet when the exempt filter is of a block type.
10. A computer-readable medium as in claim 1, wherein the security data of the cache table entry include a security parameter record containing security parameters for secured delivery of a communication packet.
11. A computer-readable medium as in claim 10, wherein the security data of the cache table entry includes multiple security parameter records.
12. A computer-readable medium as in claim 1, wherein the cache table entry includes data indicating whether the security data include an exempt filter or a security parameter record.

13. A computer-readable medium having stored thereon a data structure, comprising a plurality of entries forming a cache table, each of the entries having a first data field containing communication stream data identifying a network communication stream and a second data field containing security data identifying security measures to be applied to packets in said communication stream, said each entry having a storage location index derived by combining the communication steam data into a number and calculating a modulus of said number based on a size of a cache table.
- View Dependent Claims (14, 15, 16, 17)
- - 14. A computer-readable medium as in claim 13, wherein the communication stream data include a source address and a destination address of the communication stream.
  - 15. A computer-readable medium as in claim 14, wherein the security data include security parameter data representing security parameters for secured delivery of packets of the communication stream identified by the communication steam data.
  - 16. A computer-readable medium as in claim 15, wherein the security data include a Security Association (“
    - SA”
      
      ) under the IPSec protocols.
  - 17. A computer-readable medium as in claim 13, wherein the security data include an exempt filter.

18. A method of applying security measures to communication packets, comprising:
- receiving a communication packet having communication stream data identifying a communication stream to which the communication packet belongs;
  
  deriving an index from the communication stream data of the packet by combining the communication steam data into a number and calculating a modulus of said number based on a size of a cache table;
  
  retrieving from a cache table an entry corresponding to said index, the entry containing communication steam data and security data for said communication stream;
  
  comparing the communication stream data of the retrieved cache table entry with the communication stream data of the communication packet to determine whether a match between the cache table entry and the communication packet is found; and
  
  when a match is found, applying security measures to the communication packet according to the security data in the cache table entry.
- View Dependent Claims (19, 20)
- - 19. A method as in claim 18, wherein the security data includes a Security Association (“
    - SA”
      
      ) under the IPSec protocols.
  - 20. A method as in claim 18, further including the steps of:

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ye, Chun
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
McArdle, Joseph M

Application Number

US09/560,038
Time in Patent Office

1,559 Days
Field of Search

713/160, 713/201, 713/200
US Class Current

726/13
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/12   Applying verification of th...

H04L 63/164   at the network layer

Method and system for retrieving security information for secured transmission of network communication streams

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for retrieving security information for secured transmission of network communication streams

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links