Agile network protocol for secure communications with assured system availability
First Claim
1. A method of transmitting information between a first computer and a second computer over a network comprising the steps of:
(1) embedding in a header of each of a plurality of data packets a network address that periodically changes between successive data packets, wherein each network address is used to route packets over the network;
(2) transmitting the plurality of data packets between the first computer and the second computer;
(3) receiving the transmitted data packets at the second computer; and
(4) for each received data packet, comparing the network address to a moving window of valid network addresses and, in response to detecting a match within the moving window, accepting the received data packet for further processing, and otherwise rejecting the received data packet.
3 Assignments
0 Petitions
Abstract
A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes. These techniques include a self-synchronization technique in which a sync field is transmitted as part of each packet, and a “checkpoint” scheme by which transmitting and receiving nodes can advance to a known point in their hopping schemes. A fast-packet reject technique based on the use of presence vectors is also described. A distributed transmission path embodiment incorporates randomly selected physical transmission paths.
52 Claims

1. A method of transmitting information between a first computer and a second computer over a network comprising the steps of:
(1) embedding in a header of each of a plurality of data packets a network address that periodically changes between successive data packets, wherein each network address is used to route packets over the network;
(2) transmitting the plurality of data packets between the first computer and the second computer;
(3) receiving the transmitted data packets at the second computer; and
(4) for each received data packet, comparing the network address to a moving window of valid network addresses and, in response to detecting a match within the moving window, accepting the received data packet for further processing, and otherwise rejecting the received data packet.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 48, 49

19. A method of transmitting data packets over a network comprising a plurality of computers connected to each other through a plurality of physical transmission paths, the method comprising the steps of:
(1) for each of a plurality of data packets, randomly selecting one of the plurality of physical transmission paths through the plurality of computers;
(2) selecting a next pair of source and destination network addresses generated from an algorithm that generates a plurality of pairs of source and destination network addresses each associated with the one randomly selected physical transmission path; and
(3) transmitting each data packet over the randomly selected physical transmission path using the selected next pair of source and destination network addresses.
Dependent claims: 20

21. A system comprising:
a first computer that embeds into each of a plurality of data packets a network address that periodically changes between successive data packets, wherein each network address is used to route packets over a network, and
a second computer coupled to the first computer through the network, wherein the first computer transmits the plurality of data packets to the second computer, and wherein the second computer receives the transmitted data packets, compares the network address in each received data packet to a moving window of valid network addresses and, in response to detecting a match, accepts the received data packet for further processing, and otherwise rejects the received data packet.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 50, 51

39. A router coupled to a network comprising a plurality of computers connected to each other through a plurality of physical transmission paths,
wherein the router receives a plurality of data packets for transmission across the network; and
wherein the router, for each data packet, randomly selects one of the plurality of physical transmission paths through the plurality of computers and transmits each data packet over the randomly selected physical transmission path using a pair of source and destination network addresses generated from an algorithm that generates a plurality of pairs of source and destination addresses each associated with the one randomly selected physical transmission path.
Dependent claims: 40

41. A system comprising in combination:
a transmitting node that generates pseudo-random network addresses and embeds the pseudo-random network addresses into headers of data packets for transmission; and
a receiving node that receives data packets transmitted by the transmitting node, wherein the receiving node, for each received packet, extracts each pseudo-randomly generated network address, compares it to a moving window of potentially valid network addresses shared between the transmitting node and the receiving node and, in response to detecting a match, accepts the data packet, and otherwise discards the packet.
Dependent claims: 42, 43, 44, 45, 52

46. A receiving computer that receives data packets from a transmitting computer, wherein the receiving computer comprises computer instructions that execute the steps of
(1) for each received data packet, extracting a discriminator value inserted by the transmitting computer;
(2) comparing the extracted discriminator value to a set of valid discriminator values on the basis of information previously shared with the transmitting computer; and
(3) in response to detecting a match in step (2), accepting the received data packet for further processing and otherwise rejecting the data packet,
wherein the receiving computer maintains a sliding window of valid discriminator values, wherein the window slides to encompass a next range of valid discriminator values in response to detecting matches, wherein the receiving computer further comprises computer instructions that extract as the discriminator value an Internet Protocol address from a header portion of each data packet.
Dependent claims: 47
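The abstract and claims 1, 21, 41 and 46 all turn on the same mechanism: a shared generator that both ends can advance, a moving window of the next few valid addresses at the receiver, acceptance on a match, and the window sliding forward past the matched position. The Python sketch below is an added illustration of that mechanism; it is not code from the patent or its assignee. The generator (a linear congruential generator modulo 2^32 with a jump-ahead), the 10.0.0.0/8 address pool, the seed, the window size and the packet sequence in `demo()` are all constructed for the example.

```python
"""Moving-window acceptance of hopped network addresses.

Added example, not code from the patent or its assignee: sender and
receiver share a generator seed; every packet carries the next generated
address, and the receiver accepts a packet only when that address falls
inside a moving window of upcoming outputs, sliding the window forward on
each match.  Generator parameters, address pool and window size are constructed.
"""
import ipaddress

# Constructed LCG parameters: modulo 2**32 with A % 4 == 1 and C odd, the
# generator has a full period of 2**32, so its sequence length is known a priori.
M = 2 ** 32
A = 1664525
C = 1013904223
BASE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed pool of hopped addresses


def lcg_step(x, n=1):
    """Advance state x by n steps in O(log n): the jump-ahead the abstract describes.

    f(x) = A*x + C composes as (a1, c1) o (a2, c2) = (a1*a2, a1*c2 + c1),
    so f**n is built by exponentiation by squaring instead of n single steps.
    """
    a, c = 1, 0            # accumulated transform, starts as the identity
    pa, pc = A, C          # f**(2**k) for the current bit k of n
    while n:
        if n & 1:
            a, c = (pa * a) % M, (pa * c + pc) % M
        pa, pc = (pa * pa) % M, (pa * pc + pc) % M
        n >>= 1
    return (a * x + c) % M


def address_at(seed, index):
    """Hopped address carried by packet number `index` under the shared seed."""
    state = lcg_step(seed, index + 1)
    # High bits only: the low bits of a power-of-two LCG have a short period.
    host = (state >> 8) % BASE_NET.num_addresses
    return BASE_NET[host]


class HoppingSender:
    """Transmitting side: emits the generator's addresses in order."""

    def __init__(self, seed):
        self.seed, self.index = seed, 0

    def next_address(self):
        addr = address_at(self.seed, self.index)
        self.index += 1
        return addr


class HoppingReceiver:
    """Receiving side: accepts a packet only if its address lies in the window."""

    def __init__(self, seed, window=8):
        self.seed, self.window = seed, window
        self.next_index = 0          # first generator index not yet consumed
        self._rebuild()

    def _rebuild(self):
        # Presence map (address -> index) gives a constant-time fast reject.
        self.valid = {}
        for i in range(self.next_index, self.next_index + self.window):
            self.valid.setdefault(address_at(self.seed, i), i)

    def accept(self, src_addr):
        addr = ipaddress.ip_address(str(src_addr))
        i = self.valid.get(addr)
        if i is None:
            return False             # outside the window, replayed, or unrelated
        self.next_index = i + 1      # slide past the match; earlier addresses expire
        self._rebuild()
        return True

    def checkpoint(self, index):
        """Checkpoint resync: jump the window to an agreed generator index."""
        self.next_index = index
        self._rebuild()


def demo(seed=0xC0FFEE, window=8):
    """Constructed traffic: in-order delivery, a replay, loss, a stray, a resync."""
    tx, rx = HoppingSender(seed), HoppingReceiver(seed, window)
    first = tx.next_address()
    results = {"in_order": rx.accept(first)}
    results["replay"] = rx.accept(first)            # window has already moved past it
    for _ in range(3):                              # three packets lost in transit
        tx.next_address()
    results["after_loss"] = rx.accept(tx.next_address())
    far = address_at(seed, rx.next_index + window + 50)   # well beyond the window
    results["too_far"] = rx.accept(far)
    results["unrelated"] = rx.accept("192.0.2.1")   # never in the 10/8 pool
    rx.checkpoint(100)                              # both sides agree on index 100
    tx.index = 100
    results["after_checkpoint"] = rx.accept(tx.next_address())
    return results


if __name__ == "__main__":
    print(demo())
```

The window tolerates loss (a packet three steps ahead is still accepted) while a replayed or stale address is dropped because the window only slides forward, and the dictionary lookup plays the role of the presence vector the abstract mentions for fast rejection. One caveat for anyone building on this: a plain LCG satisfies the "known period" and "jump-ahead" properties but not the "hard to predict" one, since its future outputs can be recovered from a handful of observed addresses; a deployment would derive the per-packet address from a keyed pseudorandom function of the packet index instead, which keeps the same window logic and checkpoint resync unchanged.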
Specification