Method and apparatus for control of security protocol negotiation
Abstract
Method and apparatus for enhanced security for communication over a network, and more particularly to control of security protocol negotiation to enable multiple clients to establish a virtual private network connection with a same remote address, is described. A mapping table accessible by a gateway computer is used to form associations between a local address for the client and a destination address for a peer and a Security Parameters Index associated with IPSec-protected traffic from the peer. When a packet is received at the gateway from a client it is checked to determine if it is an Internet Key Exchange (IKE) packet, whether an IKE session has already been recorded from this client in the mapping table for the destination address in the IKE packet, whether a Security Parameters Index has been observed in the clear from a remote computer associated with the destination address.
29 Claims
1. A method for security negotiation control for a plurality of local clients over a gateway computer without additional encapsulation of a data packet between one of the local clients and a remote computer, comprising:
providing the gateway computer with access to a data structure that includes a mapping table having a row assigned to each connection between a local client and a remote client and storing on one of the rows a public IP address assigned to one of the local clients communicating with the remote computer;
receiving at the gateway computer a packet;
determining if the packet is a security negotiation packet;
checking the mapping table for a Medium Access Control (MAC) source address and a destination address of the remote computer in response to the packet being part of the security negotiation;
in response to finding in the mapping table the destination address and to not finding in the data structure the MAC source address in association with the destination address, determining if a security value comprising a Security Parameter Index (SPI) for the destination address of the remote computer is in the data structure; and
in response to not finding the security value in the data structure for the destination address, suppressing transmission of the security negotiation packet, and in response to finding the SPI in the mapping table, forwarding the packet to the local client using one of the client's public IP destination address or the local client's MAC address or the local client's private IP address assigned by the gateway computer and without additional encapsulation of the packet.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)
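The gating rule that the abstract and claim 1 describe (one recorded IKE session per remote destination until an SPI has been seen in the clear from that peer, then packets mapped back to the local client by MAC without extra encapsulation) is easier to follow as a small simulation. The following is an added illustration written for this page, not code from the patent or from any product implementing it; the packet model, the `Gateway`/`Row` classes and the constructed addresses are assumptions, and the initiator-cookie matching of claim 9 is left out.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified packet model (an assumption for this example): enough
# to tell IKE (UDP/500) from ESP (IP protocol 50) and to carry the fields the
# gateway inspects. Real packets would be parsed from raw frames.
IKE_PORT = 500


@dataclass
class Packet:
    src_mac: str                # MAC of the local client (meaningful outbound only)
    src_ip: str
    dst_ip: str
    proto: str                  # "udp" or "esp"
    dst_port: Optional[int] = None
    spi: Optional[int] = None   # ESP SPI, carried in the clear in the ESP header


@dataclass
class Row:
    """One mapping-table row per (local client, remote peer) connection."""
    local_mac: str
    remote_ip: str
    public_ip: str              # public address the gateway uses for this client
    spi: Optional[int] = None   # filled in once observed from the remote side


class Gateway:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.table: list[Row] = []

    @staticmethod
    def is_ike(pkt: Packet) -> bool:
        return pkt.proto == "udp" and pkt.dst_port == IKE_PORT

    def _rows_for_dest(self, remote_ip: str) -> list[Row]:
        return [r for r in self.table if r.remote_ip == remote_ip]

    def _row(self, mac: str, remote_ip: str) -> Optional[Row]:
        for r in self.table:
            if r.local_mac == mac and r.remote_ip == remote_ip:
                return r
        return None

    def handle_outbound(self, pkt: Packet) -> str:
        """Decide whether an outbound packet from a local client is forwarded."""
        if not self.is_ike(pkt):
            return "forward"                 # only security negotiation is gated
        if self._row(pkt.src_mac, pkt.dst_ip) is not None:
            return "forward"                 # this client's session is already recorded
        peers = self._rows_for_dest(pkt.dst_ip)
        if not peers:
            # first client to this destination: record the row and let IKE through
            self.table.append(Row(pkt.src_mac, pkt.dst_ip, self.public_ip))
            return "forward"
        # another client is already negotiating with this destination; a second
        # negotiation may start only once an SPI has been observed for the first
        if any(r.spi is not None for r in peers):
            self.table.append(Row(pkt.src_mac, pkt.dst_ip, self.public_ip))
            return "forward"
        return "suppress"

    def handle_inbound(self, pkt: Packet) -> tuple[str, Optional[str]]:
        """Map an inbound packet from a remote peer to a local client's MAC."""
        peers = self._rows_for_dest(pkt.src_ip)
        if not peers:
            return "drop", None              # no client ever negotiated with this peer
        if pkt.proto == "esp" and pkt.spi is not None:
            for r in peers:
                if r.spi == pkt.spi:
                    return "forward", r.local_mac   # known SA, deliver by MAC as-is
            for r in peers:
                if r.spi is None:
                    r.spi = pkt.spi          # learn the SPI from the cleartext header
                    return "forward", r.local_mac
            return "drop", None              # unknown SPI and nobody is waiting for one
        # non-ESP traffic (e.g. the IKE reply): deliver to the negotiation still
        # pending an SPI, falling back to the first recorded client
        pending = [r for r in peers if r.spi is None]
        return "forward", (pending[-1] if pending else peers[0]).local_mac
```

With two clients behind the gateway aiming at the same peer, the second client's IKE packet is suppressed until the first client's ESP traffic has revealed its SPI; after that both rows exist and inbound ESP is demultiplexed by SPI to the right MAC.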
9. A method for Internet Key Exchange (IKE) control of a received packet in communication between a plurality of local clients and a remote computer without additional encapsulation or header of a packet sent to one of the local clients from the remote computer, comprising:
providing a gateway computer with a mapping table;
receiving a packet at the gateway computer from a local client computer;
checking if the packet is an IKE packet;
in response to the packet being the IKE packet, identifying a record comprising a single row in the mapping table matching both an Internet Protocol (IP) public destination address and a local Medium Access Control (MAC) address of the IKE packet in the mapping table;
checking for an initiator cookie recorded in the single row of the mapping table in response to matching the IP destination address and the local MAC address between a single row and the packets;
checking for a security parameters index related to the single row in the mapping table in response to identifying the record in the mapping table; and
suppressing transmission of the IKE packet to the local computer if there is not a Security Parameter Index (SPI) recorded in the single row.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
23. A computer readable medium storing instructions which, when executed by a gateway computer in at least partial response to receipt of a packet having an Internet Protocol (IP) destination address from one local client computer of a plurality of local computers communicating over the gateway computer with a remote computer, causes execution of a method comprising:
providing a mapping table accessible by the gateway computer, the mapping table having a row assigned to each connection between a local client and a remote client and storing on one of the rows a public IP address assigned to one of the local clients communicating with the remote computer;
checking if the packet is an Internet Key Exchange (IKE) packet;
in response to the packet being the IKE packet, identifying a record in the row of the mapping table matching both the IP destination address and a local Medium Access Control (MAC) address of the IKE packet in the mapping table assigned to one of the local computers;
checking for a security parameters index related to the record in the mapping table in response to identifying the record in the mapping table assigned to the local computer; and
in response to finding the Security Parameters Index in the mapping table, forwarding the packet to the local client using one of the client's public IP destination address or the local client's MAC address or the local client's private IP address assigned by the gateway computer and without additional encapsulation of the packet.
(Dependent claims: 24, 25, 26)
27. A computer readable medium storing instructions which, when executed by a gateway computer in at least partial response to receipt of a packet from a local computer, causes execution of a method comprising:
determining if the packet is a security negotiation packet;
providing a data structure accessible by the gateway computer, the structure including a mapping table having a row assigned to each connection between a local client and a remote client and storing on one of the rows a public IP address assigned to one of the local clients communicating with the remote computer;
checking the data structure for a Medium Access Control (MAC) source address and a destination address in response to the packet being part of the security negotiation;
in response to finding in the data structure the destination address and to not finding in the data structure the MAC source address in association with the destination address, determining if a security value for the destination address is in the data structure; and
in response to finding the Security Parameters Index in the mapping table, forwarding the packet to the local client using one of the client's public IP destination address or the local client's MAC address or the local client's private IP address assigned by the gateway computer and without additional encapsulation of the packet.
(Dependent claims: 28, 29)
Specification