Method and apparatus for providing network security

US 7,061,899 B2
Filed: 05/01/2001
Issued: 06/13/2006
Est. Priority Date: 05/01/2001
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus for performing network routing, the apparatus comprising:

authentication logic configured to receive packets sent from a source agent to an endpoint of a tunnel and to determine whether a security association of a packet received corresponds to said source agent, the tunnel being configured by said source agent in accordance with a network protocol;

decision logic configured to make a routing decision for each authenticated packet at least in part without regard to contents of a payload of the packet, the routing decision being based on the security association of the authenticated packet; and

routing logic configured to select a routing destination for each authenticated packet and to route the authenticated packet to the selected routing destination, the routing destination selection being based at least partially on said routing decision.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and a method are provided for performing network routing. The present invention comprises authentication logic, decision logic and routing logic. The authentication logic is configured to receive packets sent from a source agent to a tunnel endpoint and to determine whether or not the security association corresponds to the source agent that configured the tunnel. The decision logic makes a routing decision that is constrained based on the security association of an authenticated. The routing logic then selects a routing destination for the authenticated packet that is based at least partially on the routing decision made by the decision.

Citations

30 Claims

1. An apparatus for performing network routing, the apparatus comprising:
- authentication logic configured to receive packets sent from a source agent to an endpoint of a tunnel and to determine whether a security association of a packet received corresponds to said source agent, the tunnel being configured by said source agent in accordance with a network protocol;
  
  decision logic configured to make a routing decision for each authenticated packet at least in part without regard to contents of a payload of the packet, the routing decision being based on the security association of the authenticated packet; and
  
  routing logic configured to select a routing destination for each authenticated packet and to route the authenticated packet to the selected routing destination, the routing destination selection being based at least partially on said routing decision.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The apparatus of claim 1, wherein the routing destination selection is based solely on said routing decision.
  - 3. The apparatus of claim 1, further comprising:
    - decapsulation logic configured to decapsulate received packets, wherein when the decapsulation logic decapsulates a packet, the security association of the packet is preserved and contents of a payload of an authenticated packet are routed to the selected routing destination.
  - 4. The apparatus of claim 1, wherein the network protocol is Internet Protocol Security (IPSec) Protocol (IPSEP).
  - 5. The apparatus of claim 1, wherein the network protocol is a public protocol.
  - 6. The apparatus of claim 1, wherein the network protocol is a private protocol.
  - 7. The apparatus of claim 1, wherein said routing decision is a decision to route at least a portion of contents of a payload of an authenticated packet to a layer 3 device, wherein layer 3 corresponds to a particular layer of Open Systems Interconnect (OST) networking model.
  - 8. The apparatus of claim 7, wherein the layer 3 device is a router.
  - 9. The apparatus of claim 1, wherein said routing decision is a decision to route at least a portion of contents of a payload of an authenticated packet to a layer 2 device, wherein layer 2 corresponds to a particular layer of Open Systems Interconnect (OSI) networking model.
  - 10. The apparatus of claim 9, wherein the layer 2 device is a switch.
  - 11. The apparatus of claim 10, wherein the e switch is comprised by a Virtual Local Area Network (VLAN).
  - 12. The apparatus of claim 1, wherein the decision made by the decision logic is a decision whether to route at least a portion of payload contents of an authenticated packet to a layer 2 device or to a layer 3 device, wherein layers 2 and 3 correspond to particular layers of Open Systems Interconnect (OSI) networking model.
  - 13. The apparatus of claim 1, wherein said routing decision is made by said decision logic without any regard to the contents of a payload of the authenticated packet.
  - 14. The apparatus of claim 1, wherein an authentication ID is derived from said security association, and wherein said routing decision is constrained based on said authentication ID.

15. A method for performing network routing, the method comprising:
- authenticating received packets sent from a source agent to an endpoint of a tunnel by determining whether a security association of a received packet corresponds to the source agent that sent the packet, the tunnel being configured by said source agent in accordance with a network protocol;
  
  making a routing decision for an authenticated packet at least in part without regard to contents of a payload of the packet, the routing decision being constrained based on the security association of the authenticated packet;
  
  selecting a routing destination for a packet based at least partially on the routing decision; and
  
  routing the authenticated packet to the selected routing destination.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The method of claim 15, further comprising:
    - decapsulating the packets, wherein when the packet is decapsulated, contents of a payload of the authenticated packet are decapsulated and the security association of the packet is preserved.
  - 17. The method of claim 15, wherein the network protocol is Internet Protocol Security (IPSec) Protocol (IPSEP).
  - 18. The method of claim 15, wherein said routing decision is a decision to route at least a portion of payload contents of the authenticated packet to a layer 3 device, layer 3 corresponding to a particular layer of an Open Systems Interconnect (OSI) networking model.
  - 19. The method of claim 18, wherein the layer 3 device is a router.
  - 20. The method of claim 15, wherein said routing decision is a decision to route at least a portion of payload contents of an authenticated packet to a layer 2 device, layer 2 corresponding to a particular layer of an Open Systems Interconnect (OSI) networking model.
  - 21. The method of claim 20, wherein the layer 2 device is a switch.
  - 22. The method of claim 21, wherein the switch is comprised by a Virtual Local Area Network (VLAN).
  - 23. The method of claim 15, wherein the routing decision is a decision as to whether to route at least a portion of payload contents of an authenticated packet to a layer 2 device or to a layer 3 device, wherein layers 2 and 3 correspond to particular layers of an Open Systems Interconnect (OSI) networking model.

24. A computer program for performing network routing in accordance with a private network security technique, the computer program being embodied on a computer readable medium, the computer program comprising:
- a first code segment, the first code segment authenticating received packets sent from a source agent to a tunnel endpoint to determine whether a security association of a received packet corresponds to the source agent that sent the packet, the tunnel being configured by said source in accordance with a network protocol;
  
  a second code segment, the second code segment making a routing decision for an authenticated packet at least in part without regard to contents of a payload of the packet, the routing decision being constrained based on the security association of the authenticated; and
  
  a third code segment, the third code segment selecting a routing destination for the authenticated packet based at least partially on the routing decision made by the second code segment.
- View Dependent Claims (25)
- - 25. The computer program of claim 24, further comprising:
    - a fourth code segment that is executed before the second code segment, the fourth code segment performing a decryption algorithm that attempts to decrypt the authenticated packet prior to the second code segment making a routing decision, wherein when the decryption algorithm is successful at decrypting the authenticated packet, contents of a payload of the authenticated packet are decrypted and the security association of the decrypted packet is preserved for use by the second code segment in making the routing decision.

26. A method for routing a packet, comprising:
- receiving a packet at a tunnel endpoint;
  
  authenticating the packet;
  
  preserving a security association of the packet as an authentication ID;
  
  making a routing determination for routing contents of the packet by looking up the authentication ID in a table to determine a destination IP address to which the packet is to be routed.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method of claim 26, wherein the routing determination is made without regard to an internal destination address contained within a payload of the packet.
  - 28. The method of claim 26, wherein the packet is an Internet Protocol Security (IPSec) packet.
  - 29. The method of claim 26, further comprising routing the packet to an IP address found in the table.
  - 30. The method of claim 26, further comprising broadcasting the packet to all IP addresses found in the table that pertain to a given destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Hochmuth, Roland M, Walker, Philip M, Martin, Robert P
Primary Examiner(s)
Nguyen, Chau
Assistant Examiner(s)
Cho, Hong Sol

Application Number

US09/846,407
Publication Number

US 20020163920A1
Time in Patent Office

1,869 Days
Field of Search

370/400, 370/401, 370/351, 370/389, 370/392, 709/249
US Class Current

370/351
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 63/126   the source of the received ...

H04L 63/164   at the network layer

Method and apparatus for providing network security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing network security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links