Processing internet protocol security traffic

US 6,996,842 B2
Filed: 01/30/2001
Issued: 02/07/2006
Est. Priority Date: 01/30/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

determining at a first classifying forwarding element if a classification parameter is available for Internet Protocol security (IPsec) traffic that indicates a route for the IPsec traffic and classifying said traffic if available;

if said classification parameter is not available, and the IPsec traffic is encrypted then decrypting traffic in a decrypting forwarding element separate from the first classifying forwarding element after said traffic has passed through said classifying forwarding element, and determining the classification parameter for the IPsec traffic;

forwarding the IPsec traffic based on the classification parameter; and

providing the classification parameter to the first classifying forwarding element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Processing Internet Protocol security (IPsec) traffic includes determining at a first location if a classification parameter is available for the IPsec traffic that indicates a route for the IPsec traffic and forwarding the IPsec traffic based on the classification parameter. If a classification parameter is not available, processing IPsec traffic includes decrypting the IPsec traffic at a second location if the IPsec traffic is encrypted and determining the classification parameter for the IPsec traffic at the second location.

85 Citations

View as Search Results

25 Claims

1. A method comprising:
- determining at a first classifying forwarding element if a classification parameter is available for Internet Protocol security (IPsec) traffic that indicates a route for the IPsec traffic and classifying said traffic if available;
  
  if said classification parameter is not available, and the IPsec traffic is encrypted then decrypting traffic in a decrypting forwarding element separate from the first classifying forwarding element after said traffic has passed through said classifying forwarding element, and determining the classification parameter for the IPsec traffic;
  
  forwarding the IPsec traffic based on the classification parameter; and
  
  providing the classification parameter to the first classifying forwarding element.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising receiving the IPsec traffic at the classifying forwarding element.
  - 3. The method of claim 1 in which the classification parameter includes a security parameter index (SPI) associated with the IPsec traffic.
  - 4. The method of claim 1 in which the IPsec traffic includes a data packet.
  - 5. The method of claim 1 further comprising receiving at the first classifying forwarding element other IPsec traffic included in a traffic stream with the IPsec traffic, and further comprising forwarding the other IPsec traffic based on the provided classification parameter.

6. An article comprising:
- a machine-readable medium which stores machine-executable instructions, the instructions causing a machine to;
  
  determine at a first mechanism if a classification parameter is available for Internet Protocol security (IPsec) traffic that indicates a route for the IPsec traffic;
  
  if a classification parameter is not available, sending said traffic to a second mechanism separate from the first mechanism after said traffic has passed said first mechanism, and which second mechanism decrypts the IPsec traffic if the IPsec traffic is encrypted and determine the classification parameter for the IPsec trafficforward the IPsec traffic based on the classification parameter; and
  
  provide the classification parameter to the first mechanism.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The article of claim 6 further causing a machine to receive the IPsec traffic at the first mechanism.
  - 8. The article of claim 6 in which the classification parameter includes a security parameter index (SPI) associated with the IPsec traffic.
  - 9. The article of claim 6 in which the IPsec traffic includes a data packet.
  - 10. The article of claim 6 further causing the first mechanism to forward other IPsec traffic included in a traffic stream with the IPsec traffic based on the provided classification parameter.

11. A system comprising:
- a classifying forwarding element configured to communicate with a network, to determine if a classification parameter that indicates a route for a traffic stream is available for a packet included in the traffic stream;
  
  a control element in communication with the classifying forwarding element, the control element configured to receive information including classification information for the traffic stream and cryptographic information for the traffic stream, the control element further configured to transmit at least some classification information to the classifying forwarding element and to transmit at least one key based on the cryptographic information to a decrypting forwarding element separate from the classifying forwarding element; and
  
  wherein the decrypting forwarding element is configured to receive the packet from the classifying forwarding element, and to perform an encryption-related procedure on the packet if the packet is encrypted and associated with the at least one key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 12. The system of claim 11 wherein the control element is configured to receive at least some of the cryptographic information in an Internet Key Exchange packet.
  - 13. The system of claim 12 in which the decrypting forwarding element is also configured to forward the packet to the control element if the packet is not associated with a known encryption-related key.
  - 14. The system of claim 12, wherein the decrypting forwarding element is included in a plurality of decrypting forwarding elements, each in communication with at least one server of a plurality of servers, and wherein the control element includes security information for each of the plurality of servers.
  - 15. The system of claim 12, wherein the cryptographic information includes an encryption-related key.
  - 16. The system of claim 11 further comprising a plurality of additional mechanisms, each additional mechanism configured to communicate with the classifying forwarding element to perform an encryption-related procedure on the packet if the packet is encrypted and associated with a known encryption-related key, and, if the classification parameter is available, to forward the packet based on the route for the traffic stream.
  - 17. The system of claim 11 in which the packet includes an Internet Protocol security data packet.
  - 18. The system of claim 11 in which the traffic stream includes a plurality of Internet Protocol security data packets.
  - 19. The system of claim 11 in which the classifying forwarding element is also configured to forward the packet to the decrypting forwarding element if the packet is encrypted.
  - 20. The system of claim 11 in which the route for the traffic stream includes a route through a network.
  - 21. The system of claim 20 in which the network includes an Internet.
  - 22. The system of claim 11 in which the encryption-related procedure includes encrypting the packet.
  - 23. The system of claim 11 in which the encryption-related procedure includes decrypting the packet.
  - 24. The system of claim 11 further comprising another mechanism configured to receive the packet from the decrypting forwarding element and to forward the packet based on the route to an ultimate destination of the packet.
  - 25. The system of claim 11 in which the classifying forwarding element is also configured to route packets included in the traffic stream based on a load balancing scheme.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Strahm, Frederick William, Kunze, Aaron R.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US09/774,429
Publication Number

US 20020104020A1
Time in Patent Office

1,834 Days
Field of Search

713/151, 713/201, 713/160, 713/200, 713/153, 713/154, 709/245, 709/239, 709/230, 709/241, 709/217, 370/389, 370/230, 726/11, 726 13- 14, 726 1- 10, 726/12, 726 15- 36
US Class Current

726/13
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/164 at the network layer

Processing internet protocol security traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Processing internet protocol security traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links