Method and apparatus for control of security protocol negotiation

US 7,120,930 B2
Filed: 06/13/2002
Issued: 10/10/2006
Est. Priority Date: 06/13/2002
Status: Active Grant

First Claim

Patent Images

1. A method for security negotiation control for a plurality of local clients over a gateway computer without additional encapsulation of a data packet between one of the local clients and a remote computer, comprising:

providing the gateway computer with access to a data structure that includes a mapping table having a row assigned to each connection between a local client and a remote client and storing on one of the rows a public IP address assigned to one of the local clients communicating with the remote computer;

receiving at the gateway computer a packet;

determining if the packet is a security negotiation packet;

checking the mapping table for a Medium Access Control (MAC) source address and a destination address of the remote computer in response to the packet being part of the security negotiation;

in response to finding in the mapping table the destination address and to not finding in the data structure the MAC source address in association with the destination address, determining if a security value comprising a Security Parameter Index (SPI) for the destination address of the remote computer is in the data structure; and

in response to not finding the security value in the data structure for the destination address, suppressing transmission of the security negotiation packet, andin response to finding the SPI in the mapping table, forwarding the packet to the local client using one of the client'"'"'s public IP destination address or the local client'"'"'s MAC address or the local client'"'"'s private IP address assigned by the gateway computer and without additional encapsulation of the packet.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for enhanced security for communication over a network, and more particularly to control of security protocol negotiation to enable multiple clients to establish a virtual private network connection with a same remote address, is described. A mapping table accessible by a gateway computer is used to form associations between a local address for the client and a destination address for a peer and a Security Parameters Index associated with IPSec-protected traffic from the peer. When a packet is received at the gateway from a client it is checked to determine if it is an Internet Key Exchange (IKE) packet, whether an IKE session has already been recorded from this client in the mapping table for the destination address in the IKE packet, whether a Security Parameters Index has been observed in the clear from a remote computer associated with the destination address.

Citations

29 Claims

1. A method for security negotiation control for a plurality of local clients over a gateway computer without additional encapsulation of a data packet between one of the local clients and a remote computer, comprising:
- providing the gateway computer with access to a data structure that includes a mapping table having a row assigned to each connection between a local client and a remote client and storing on one of the rows a public IP address assigned to one of the local clients communicating with the remote computer;
  
  receiving at the gateway computer a packet;
  
  determining if the packet is a security negotiation packet;
  
  checking the mapping table for a Medium Access Control (MAC) source address and a destination address of the remote computer in response to the packet being part of the security negotiation;
  
  in response to finding in the mapping table the destination address and to not finding in the data structure the MAC source address in association with the destination address, determining if a security value comprising a Security Parameter Index (SPI) for the destination address of the remote computer is in the data structure; and
  
  in response to not finding the security value in the data structure for the destination address, suppressing transmission of the security negotiation packet, andin response to finding the SPI in the mapping table, forwarding the packet to the local client using one of the client'"'"'s public IP destination address or the local client'"'"'s MAC address or the local client'"'"'s private IP address assigned by the gateway computer and without additional encapsulation of the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the security negotiation packet has a public source address.
  - 3. The method of claim 1 wherein the security negotiation packet has a private source address wherein the SPI comprises a Remote-to-Local packets IP source address.
  - 4. The method of claim 1 wherein the security negotiation packet is an Internet Key Exchange packet.
  - 5. The method of claim 1 wherein the destination address is for a non-local computer.
  - 6. The method of claim 1 wherein the destination address is for a local computer.
  - 7. The method of claim 1 wherein the data structure is a mapping table.
  - 8. The method of claim 1 wherein the security value is for an Authentication Header protocol or an Encapsulating Security Payload protocol.

9. A method for Internet Key Exchange (IKE) control of a received packet in communication between a plurality of local clients and a remote computer without additional encapsulation or header of a packet sent to one of the local clients from the remote computer, comprising:
- providing a gateway computer with a mapping table;
  
  receiving a packet at the gateway computer from a local client computer;
  
  checking if the packet is an IKE packet;
  
  in response to the packet being the IKE packet, identifying a record comprising a single row in the mapping table matching both an Internet Protocol (IP) public destination address and a local Medium Access Control (MAC) address of the IKE packet in the mapping table;
  
  checking for an initiator cookie recorded in the single row of the mapping table;
  
  in response to matching the IP destination address and the local MAC address between a single row and the packets;
  
  checking for a security parameters index related to the single row in the mapping table in response to identifying the record in the mapping table and suppressing transmission of the IKE packet to the local computer if there is not a Security Parameter index SPI recorded in the single row.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 10. The method of claim 9 further comprising suppressing transmission of the IKE packet in response to not finding another security parameters index for another record in the mapping table with the IP destination but with a different local MAC address.
  - 11. The method of claim 10 wherein the IKE packet has a non-public IP source address.
  - 12. The method of claim 10 wherein the IP destination address is for a remote computer.
  - 13. The method of claim 10 wherein the IP destination address is for a local computer.
  - 14. The method of claim 10 wherein the IKE packet is a User Datagram Protocol packet, the User Datagram Protocol packet comprising a destination port number equal to 500.
  - 15. The method of claim 10 wherein the security parameters index is for an Authentication Header protocol.
  - 16. The method of claim 10 wherein the security parameters index is for an Encapsulating Security Payload protocol.
  - 17. The method of claim 10 wherein the IKE packet has a public IP source address.
  - 18. The method of claim 10 further comprising setting a pending bit in association with the IP destination address to indicate absence of another security parameters index.
  - 19. The method of claim 9 further comprising allowing transmission of the IKE packet in response to finding the security parameters index for the record.
  - 20. The method of claim 9 further comprising creating a row in the mapping table in response to locating the security parameters index in the mapping table for a different Initiator Cookie.
  - 21. The method of claim 20 wherein the row creation comprises:
    - recording a medium address of the client computer;
      
      recording the IP destination address of the IKE packet in association with the medium address of the client computer, andrecording the Initiator Cookie of the IKE packet in association with the IP destination address.
  - 22. The method of claim 20 further comprising recording a source address of the IKE packet in association with the medium address.

23. A computer readable medium storing instructions which, when executed by a gateway computer in at least partial response to receipt of a packet having an Internet Protocol (IP) destination address from one local client computer of a plurality of local computers communicating over the gateway computer with a remote computer, causes execution of a method comprising:
- providing a mapping table accessible by the gateway computer;
  
  the mapping table having a row assigned to each connection between a local client and a remote client and storing on one of the rows a public IP address assigned to one of the local clients communicating with the remote computer;
  
  checking if the packet is an Internet Key Exchange (IKE) packet;
  
  in response to the packet being the IKE packet, identifying a record in the row the mapping table matching both the IP destination address and a local Medium Access Control (MAC) address of the IKE packet in the mapping table assigned to one of the local computers;
  
  checking for a security parameters index related to the record in the mapping table in response to identifying the record in the mapping table assigned to the local computer; and
  
  in response to finding the Security Parameters Index in the mapping table, forwarding the packet to the local client using one of the client'"'"'s public IP destination address or the local client'"'"'s MAC address or the local client'"'"'s private IP address assigned by the gateway computer and without additional encapsulation of the packet.
- View Dependent Claims (24, 25, 26)
- - 24. The computer readable medium of claim 23 wherein the method further comprises suppressing transmission of the IKE packet in response to not finding another security parameters index for another record in the mapping table with the IP destination but with a different local MAC address.
  - 25. The computer readable medium of claim 23 wherein the method further comprises creating a row in the mapping table in response to locating the security parameters index in the mapping table.
  - 26. The computer readable medium of claim 23 wherein the method further comprises creating a row in the mapping table in response to locating the security parameters index in the mapping table, wherein the row creation comprises:
    - recording a medium address of the client computer;
      
      recording the IP destination address of the IKE packet in association with the medium address of the client computer;
      
      recording the ISAKMP Initiator Cookie of the IKE packet in association with the IP destination address.

27. A computer readable medium storing instructions which, when executed by a gateway computer in at least partial response to receipt of a packet from a local computer, causes execution of a method comprising:
- determining if the packet is a security negotiation packet;
  
  providing a data structure accessible by the gateway computer the structure including a mapping table having a row assigned to each connection between a local client and a remote client and storing on one of the rows a public IP address assigned to one of the local clients communicating with the remote computer;
  
  checking the data structure for a Medium Access Control (MAC) source address and a destination address in response to the packet being part of the security negotiation;
  
  in response to finding in the data structure the destination address and to not finding in the data structure the MAC source address in association with the destination address, determining if a security value for the destination address is in the data structure, andin response to finding the Security Parameters Index in the mapping table, forwarding the packet to the local client using one of the client'"'"'s public IP destination address or the local client'"'"'s MAC address or the local client'"'"'s private IP address assigned by the gateway computer and without additional encapsulation of the packet.
- View Dependent Claims (28, 29)
- - 28. The computer readable medium of claim 27 wherein the method further comprises in response to not finding the security value in the data structure for the destination address, suppressing transmission of the security negotiation packet.
  - 29. A computer readable medium as claimed in claim 27 wherein when a private IP address field for the client computer is filled in then the public IP destination and MAC address are blank in the single row.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NVIDIA Corporation
Original Assignee
NVIDIA Corporation
Inventors
Sidenblad, Paul J., Nanda, Sameer, Maufer, Thomas Albert
Primary Examiner(s)
Smithers, Matthew

Application Number

US10/172,683
Publication Number

US 20030233568A1
Time in Patent Office

1,580 Days
Field of Search

726/11, 726/12
US Class Current

726/11
CPC Class Codes

H04L 61/10   of different types

H04L 61/2514   between local and global IP...

H04L 61/255   Maintenance or indexing of ...

H04L 61/256   NAT traversal

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5014   using dynamic host configur...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/164   at the network layer

H04L 69/24   Negotiation of communicatio...

Method and apparatus for control of security protocol negotiation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for control of security protocol negotiation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links