Establishing consistent, end-to-end protection for a user datagram
First Claim
1. A computer program product for providing end-to-end protection for datagrams in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
computer-readable program code means for establishing a first protected network segment from the datagram originator to a first of one or more gateways in the network path;
computer-readable program code means for cascading zero or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways; and
computer-readable program code means for cascading a last protected network segment from a final one of the gateways to the datagram destination, wherein the final gateway is the first gateway if no gateway-to-gateway segments are required, wherein each of the gateways retains cleartext access to datagrams sent on the network path.
1 Assignment
0 Petitions
Accused Products
Abstract
A method, system, and computer program product for providing consistent, end-to-end protection within a computer network for user datagrams (i.e. packets) traveling through the network. The network may comprise network segments that are conventionally assumed to be secure (such as those found in a corporate intranet) as well as network segments in non-secure networks (such as the public Internet or corporate extranets). Because security breaches may in fact happen in any network segment when datagrams are unprotected, the present invention discloses a technique for protecting datagrams throughout the entire network path by establishing cascaded tunnels. The datagrams may be exposed in cleartext at the endpoints of each tunnel, thereby enabling security gateways to perform services that require content inspection (such as network address translation, access control and authorization, and so forth). The preferred embodiment is used with the “IPSec” (Internet Protocol Security Protocol) and “IKE” (Internet Key Exchange) protocols, thus providing a standards-based solution.
-
Citations
45 Claims
-
1. A computer program product for providing end-to-end protection for datagrams in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
-
computer-readable program code means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
computer-readable program code means for establishing a first protected network segment from the datagram originator to a first of one or more gateways in the network path;
computer-readable program code means for cascading zero or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways; and
computer-readable program code means for cascading a last protected network segment from a final one of the gateways to the datagram destination, wherein the final gateway is the first gateway if no gateway-to-gateway segments are required, wherein each of the gateways retains cleartext access to datagrams sent on the network path. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A system for providing end-to-end protection for datagrams in a computer networking environment, comprising:
-
means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
means for establishing a first protected network segment from the datagram originator to a first of one or more gateways in the network path;
means for cascading zero or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways; and
means for cascading a last protected network segment from a final one of the gateways to the datagram destination, wherein the final gateway is the first gateway if no gateway-to-gateway segments are required, wherein each of the gateways retains cleartext access to datagrams sent on the network path. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
-
29. A method of providing end-to-end protection for datagrams in a computer networking environment, comprising steps of:
-
protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising steps of;
establishing a first protected network segment from the datagram originator to a first of one or more gateways in the network path;
cascading zero or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways; and
cascading a last protected network segment from a final one of the gateways to the datagram destination, wherein the final gateway is the first gateway if no gateway-to-gateway segments are required, wherein each of the gateways retains cleartext access to datagrams sent on the network path. - View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
-
-
30. The method according to claim 30, wherein the establishing step and the cascading step further comprise the step of establishing security associations which use strong cryptographic techniques.
- 31. The method according to claim 31, wherein the strong cryptographic techniques used for the security associations are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.
-
43. A computer program product for providing end-to-end protection for datagrams in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
-
computer-readable program code means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
computer-readable program code means for establishing a first protected network segment from the datagram originator to a first of a plurality of gateways in the network path;
computer-readable program code means for cascading one or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways, using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway; and
computer-readable program code means for cascading a last protected network segment from a final one of the gateways to the datagram destination, using the identifying information from the first protected network segment as identifying information of the last protected network segment, wherein each of the gateways retains cleartext access to datagrams sent on the network path.
-
-
44. A system for providing end-to-end protection for datagrams in a computer networking environment, comprising:
-
means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
means for establishing a first protected network segment from the datagram originator to a first of a plurality of gateways in the network path;
means for cascading one or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways, using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway; and
means for cascading a last protected network segment from a final one of the gateways to the datagram destination, using the identifying information from the first protected network segment as identifying information of the last protected network segment, wherein each of the gateways retains cleartext access to datagrams sent on the network path.
-
-
45. A method of providing end-to-end protection for datagrams in a computer networking environment, comprising steps of:
-
protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising steps of;
establishing a first protected network segment from the datagram originator to a first of a plurality of gateways in the network path;
cascading one or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways, using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway; and
cascading a last protected network segment from a final one of the gateways to the datagram destination, using the identifying information from the first protected network segment as identifying information of the last protected network segment, wherein each of the gateways retains cleartext access to datagrams sent on the network path.
-
Specification