Apparatus and method for processing encrypted packets in a computer network device

US 7,023,863 B1
Filed: 08/19/2004
Issued: 04/04/2006
Est. Priority Date: 10/29/1999
Status: Expired due to Term

First Claim

Patent Images

1. An architecture for a network access server, the architecture comprising:

a first network interface device for communicating with a first network having a first protocol type, where the first network interface device has a first interface terminal for coupling to the first network and a second interface terminal, and where the first network device is configured to perform processing for the first protocol type for data packets exchanged between the first and second interface terminals of the first network device;

a second network interface device for communicating with a second network having a second protocol type, where the second network interface device has a first interface terminal for coupling to the second network and a second interface terminal coupled to the second interface terminal of the first network device, and where the second network device is configured to perform processing for the second protocol type for a first type of data packet exchanged between the first and second interface terminals of the second network device;

a third network interface device for communicating with the second network, where the third network interface device has a first interface terminal for coupling to the second network, a second interface terminal coupled to the second interface terminal of the first network device, and a third interface terminal coupled to the first interface terminal of the second network device, and where the third network device is configured to perform processing for the second protocol type for a second type of data packet exchanged between the first and second interface terminals of the third network device, the third network interface device being further configured to detect reception of the firs type of data packet at the first interface terminal of the third network interface device and route the first type of data packet to the third interface terminal of the third network interface device; and

wherein the first protocol type of the first network is a first real-time sensitive protocol and the second protocol type is a second real-time sensitive protocol configured to route each data packet to a destination address included in each data packet.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an architecture for a network access server wherein a switching device is placed between a network gateway device and a first network, where the switching device detects the presence or absence of a security protocol field in the header information of data packets received from the first network and routes the data packets accordingly. When the security protocol field is absent, the switching device routes the data packet to the network gateway device for processing in accordance with a protocol service provided by the network access server. When the security protocol field is present, the switching device decrypts the data packet, processes the data packet in accordance with the protocol service provided by the network access server, and routes the data packet to another device within the network access server on the basis of decrypted address information within the data packet.

70 Citations

View as Search Results

21 Claims

1. An architecture for a network access server, the architecture comprising:
- a first network interface device for communicating with a first network having a first protocol type, where the first network interface device has a first interface terminal for coupling to the first network and a second interface terminal, and where the first network device is configured to perform processing for the first protocol type for data packets exchanged between the first and second interface terminals of the first network device;
  
  a second network interface device for communicating with a second network having a second protocol type, where the second network interface device has a first interface terminal for coupling to the second network and a second interface terminal coupled to the second interface terminal of the first network device, and where the second network device is configured to perform processing for the second protocol type for a first type of data packet exchanged between the first and second interface terminals of the second network device;
  
  a third network interface device for communicating with the second network, where the third network interface device has a first interface terminal for coupling to the second network, a second interface terminal coupled to the second interface terminal of the first network device, and a third interface terminal coupled to the first interface terminal of the second network device, and where the third network device is configured to perform processing for the second protocol type for a second type of data packet exchanged between the first and second interface terminals of the third network device, the third network interface device being further configured to detect reception of the firs type of data packet at the first interface terminal of the third network interface device and route the first type of data packet to the third interface terminal of the third network interface device; and
  
  wherein the first protocol type of the first network is a first real-time sensitive protocol and the second protocol type is a second real-time sensitive protocol configured to route each data packet to a destination address included in each data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The architecture of claim 1, wherein the first protocol type is one of H.323 and H.324, and the second protocol type is IP/RTP.
  - 3. The architecture of claim 2, wherein the first type of data packet is an unencrypted IP data packet and the second type of data packet is an encrypted data packet.
  - 4. The architecture of claim 3, where the second type of data packet is an IPsec encrypted data packet.
  - 5. The architecture of claim 4, where the third network interface device is configured to identify the second type of data packet by determining whether one of an AH field and an ESP field is present in a predetermined header of the second type of data packet, and where the third network interface device is further configured to detect the first type of data packet by detecting that the AH field and the ESP field are absent from the predetermined header of the first type of data packet.
  - 6. The architecture of claim 1, wherein the second and third network interface devices share a predetermined network address on the second network.
  - 7. The architecture of claim 1, wherein the third network interface device further comprises:
    - a switching device having a first terminal coupled to the first interface terminal of the third network interface device, a second terminal, and a third terminal coupled to the third interface terminal of the third network interface device, where the switching device is configured to identify the first type of data packet received at the first terminal and route it to the third terminal and identify the second type of data packet received at the first terminal and route it to the second terminal; and
      
      a fourth network interface device for processing the second protocol type for the second type of data packet, where the fourth network interface device has a first terminal coupled to the second terminal of the switching device and a second terminal coupled to the second interface terminal of the third network interface device.
  - 8. The architecture of claim 7, where the switching device holds a predetermined network address on the second network that is shared by the second and fourth network interface devices.

9. A method for processing data packets in a network access device, the method comprising the steps of:
- receiving a data packet from a first network;
  
  determining whether the data packet has a first protocol type field in a header of the data packet;
  
  routing the data packet to a first gateway device for processing when the data packet has the first protocol type field;
  
  routing the data packet to a second gateway device for processing when the data packet does not have the first protocol type field;
  
  processing the data packet for a real-time sensitive protocol in the first gateway device; and
  
  processing the data packet for a security protocol and for the real-time sensitive protocol in the second gateway device.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 9.
  - 11. The method of claim 9, where the real-time sensitive protocol is RTP and the security protocol is IPsec.
  - 12. The method of claim 9, further including the steps of:
    - routing the data packet to a third gateway device after processing by the first gateway device, where the third gateway device is coupled to a second network; and
      
      routing the data packet to the third gateway device after processing by the second gateway device.
  - 13. The method of claim 12, where the real-time sensitive protocol is RTP and the security protocol is IPsec, and including the step of processing the data packet for one of an H.323 and an H.324 protocol in the third gateway device.
  - 14. The method of claim 9, where the step of receiving a data packet from a first network includes using a single predetermined address for receiving the data packet from the first network when the data packet has the first protocol type field in the header of the data packet and when the data packet does not have the first protocol type field in the header of the data packet.

15. A network access server for communicating between first and second networks, the server comprising:
- a first gateway device for processing data flow between the first network and the network access server;
  
  a second gateway device for processing data flow between the first gateway device and the second network;
  
  a switching device interposed between the second gateway device and the second network for routing a first type of data packet from the second network to the second gateway device and for processing a second type of data packet from the second network and routing the second type of data packet to the first gateway; and
  
  where the second type of data packet is an encrypted packet and where the switching device is configured to decrypt the second type of packet and route the second type of packet to the first gateway device based upon decrypted header information.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The network access server of claim 15, where the network access server has a single predetermined address on the second network.
  - 17. The network access server of claim 15, where the second type of data packet is an IPsec encrypted packet and where the switching device is configured to perform IPsec decryption of the second type of packet.
  - 18. The network access server of claim 17, where the switching device is configured to identify the second type of data packet by detecting whether one of an AH field and an ESP field is present in a predetermined header of the second type of packet.
  - 19. The network access server of claim 17, where the switching device is configured to route the second type of packet to the first gateway device based upon a decrypted UDP header in the second type of packet.
  - 20. The network access server of claim 19, where the first network is a PSTN and the first gateway device is configured to process one of an H.323 and an H.324 protocol.
  - 21. The network access server of claim 20, where the second network is an internet protocol (IP) network, the second gateway device is configured to perform RTP protocol processing, and the switching device is configured to perform RTP protocol processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Gentles, Thomas A., Naudus, Stanley T., Nadkarni, Vijay
Primary Examiner(s)
Chin, Wellington
Assistant Examiner(s)
HO, CHUONG T

Application Number

US10/922,647
Time in Patent Office

593 Days
Field of Search

370/352, 370/356, 370/401, 370/526, 370/473, 370/474, 379/88.17, 379/88.24, 379/93.26, 379/418, 713/160, 713/150, 713/153, 713/154, 713/161
US Class Current

370/401
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/164 at the network layer

Apparatus and method for processing encrypted packets in a computer network device

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Apparatus and method for processing encrypted packets in a computer network device

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others