End-to-end security in data networks

US 7,043,632 B2
Filed: 12/12/2001
Issued: 05/09/2006
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for managing a data transmission in a network, the network having a client, a load balancing node and a server cluster, the method comprising the steps of:

monitoring a port on the load balancing node, the port using a security protocol;

receiving a client connection, the connection being based on the security protocol, and having TCP/IP information of the client;

establishing handshake between the client and the load balancing node based on the security protocol, the handshake resulting in session information and working keys;

selecting a real server from the server cluster by the load balancing node based on a load balancing policy;

exporting a context to the real server, the context comprising the TCP/IP information of the client, the session information, and the working keys;

extending a logical end point of the client connection from the load balancing node to the real server to form a real server connection;

splicing the client connection and the real server connection to relay a traffic, the traffic being encrypted using the security protocol, between the client and the real server; and

establishing a direct communication between the client end the real server for subsequent connections having the context.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for managing a data transmission in a network is provided, which has a client, a real server and a load-balancing node (virtual server). The load-balancing node includes a handshake executor for handling a security protocol to establish a handshake between a client and a server, and a communication executor for establishing a direct communication between the client and the server using a session information in respect to the established handshake. The handshake executor establishes the handshake with the client. When the handshake is established, the communication executor exports session information in respect to the established handshake. The client establishes TCP/IP connection with the server. The client and server communicate each other directly.

49 Citations

View as Search Results

16 Claims

1. A method for managing a data transmission in a network, the network having a client, a load balancing node and a server cluster, the method comprising the steps of:
- monitoring a port on the load balancing node, the port using a security protocol;
  
  receiving a client connection, the connection being based on the security protocol, and having TCP/IP information of the client;
  
  establishing handshake between the client and the load balancing node based on the security protocol, the handshake resulting in session information and working keys;
  
  selecting a real server from the server cluster by the load balancing node based on a load balancing policy;
  
  exporting a context to the real server, the context comprising the TCP/IP information of the client, the session information, and the working keys;
  
  extending a logical end point of the client connection from the load balancing node to the real server to form a real server connection;
  
  splicing the client connection and the real server connection to relay a traffic, the traffic being encrypted using the security protocol, between the client and the real server; and
  
  establishing a direct communication between the client end the real server for subsequent connections having the context.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the load balancing node is a virtual server.
  - 3. The method of claim 1 wherein the security protocol is Secure Socket Layer (SSL).
  - 4. The method of claim 1, further comprising the step of checking a session in a cache, the session based on the security protocol, and reusing the handshake in the presence of the session in the cache.
  - 5. The method of claim 1 wherein the establishing step includes a step of parsing a certificate of the client to select the server among a server cluster.
  - 6. The method of claim 5 wherein the establishing step further includes a step of connecting to the server based on the certificate.
  - 7. The method of claim 1 wherein the establishing step includes a step of decrypting information from the client to select the server.
  - 8. The method of claim 7 wherein the establishing step further includes a step of connecting to the server based on the decrypted information.

9. A load balancing node for managing a data transmission in a network, the network having a client and a cluster of servers, the load balancing node comprising:
- a monitor for monitoring a port on the load balancing node, the port using a security protocol;
  
  a receiver for receiving a client connection, the client connection being encrypted using the security protocol, and having TCP/IP information of the client;
  
  a handshake executor for establishing a handshake between the client and the load balancing node based on the security protocol, the handshake resulting in session information and working keys;
  
  a selector for selecting a real server from the server cluster based on a load balancing policy;
  
  a sender for exporting a context to the real server, the context comprising the TCP/IP information of the client, the session information and the working keys;
  
  an elongator for extending a logical end point of the client connection to the real server to form a real server connection;
  
  a splicer for splicing the connection and the real server connection to relay a traffic, the traffic being encrypted using the security protocol, between the client and the real server; and
  
  a communicator for establishing a direct communication between the client and the real server for subsequent connections having the context.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The load balancing node of claim 9 wherein the load balancing node is a virtual server.
  - 11. The load balancing node of claim 9 wherein the security protocol is Secure Socket Layer (SSL).
  - 12. The load balancing node of claim 9, further comprising a matcher for checking a session in a cache, the session based on the security protocol, and a recycler for reusing the handshake in the presence of the session in the cache.
  - 13. The load balancing node of claim 9, further comprising means for parsing a certificate of the client to select the real server among the server cluster.
  - 14. The load balancing node of claim 13 further comprising means for connecting to the real server based on the certificate.
  - 15. The load balancing node of claim 9 further comprising means for decrypting information from the client to select the real server.
  - 16. The load balancing node of claim 15 further comprising means for connecting to the real server based on the decrypted information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Barbir, Abulkadev, Chapman, Diana M.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Derwich, Kristin

Application Number

US10/012,340
Publication Number

US 20030110259A1
Time in Patent Office

1,609 Days
Field of Search

713/151, 713/153, 713/171, 713/152, 718/105, 709/229, 709/228, 709/227, 709/237
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/102   Entity profiles

H04L 63/166   at the transport layer

H04L 67/1001   for accessing one among a p...

End-to-end security in data networks

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

End-to-end security in data networks

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others