Agile network protocol for secure communications with assured system availability

US 7,133,930 B2
Filed: 03/31/2003
Issued: 11/07/2006
Est. Priority Date: 10/30/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of transmitting data packets from a first computer to a second computer, comprising the steps of:

(i) determining a sender'"'"'s Internet Protocol (IP) address selected from a first set of IP addresses allocated to the first computer;

(ii) determining a receiver'"'"'s IP address selected from a second set of IP addresses allocated to the second computer;

(iii) creating a packet header comprising the sender'"'"'s and receiver'"'"'s IP addresses;

(iv) the first computer transmitting to the second computer a data packet comprising the packet header;

(v) the second computer receiving the data packet;

(vi) determining a second sender IP address selected from a third set of IP addresses allocated to the first computer;

(vii) determining a second receiver IP address selected from a fourth set of IP addresses allocated to the second computer; and

(viii) accepting the data packet when first and second sender IP addresses match and first and second receiver IP addresses match, otherwise, rejecting the packet,wherein in steps (vi) and (vii) the IP address determination is based on a pseudo-random algorithm that selects an IP address pair.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator'"'"'s parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes. These techniques include a self-synchronization technique in which a sync field is transmitted as part of each packet, and a “checkpoint” scheme by which transmitting and receiving nodes can advance to a known point in their hopping schemes. A fast-packet reject technique based on the use of presence vectors is also described. A distributed transmission path embodiment incorporates randomly selected physical transmission paths.

324 Citations

18 Claims

1. A method of transmitting data packets from a first computer to a second computer, comprising the steps of:
- (i) determining a sender'"'"'s Internet Protocol (IP) address selected from a first set of IP addresses allocated to the first computer;
  
  (ii) determining a receiver'"'"'s IP address selected from a second set of IP addresses allocated to the second computer;
  
  (iii) creating a packet header comprising the sender'"'"'s and receiver'"'"'s IP addresses;
  
  (iv) the first computer transmitting to the second computer a data packet comprising the packet header;
  
  (v) the second computer receiving the data packet;
  
  (vi) determining a second sender IP address selected from a third set of IP addresses allocated to the first computer;
  
  (vii) determining a second receiver IP address selected from a fourth set of IP addresses allocated to the second computer; and
  
  (viii) accepting the data packet when first and second sender IP addresses match and first and second receiver IP addresses match, otherwise, rejecting the packet,wherein in steps (vi) and (vii) the IP address determination is based on a pseudo-random algorithm that selects an IP address pair.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the first and second sets of addresses are mutually exclusive.
  - 3. The method of claim 1, wherein in steps (i) and (ii) the IP address determination is based on a pseudo-random algorithm that selects an IP address pair.
  - 4. The method of claim 1, wherein the packet header periodically changes between successive data packets.

5. A method of transmitting data packets between a first computer and a second computer, comprising the steps of:
- (i) the second computer receiving a data packet including a packet header comprising a first sender Internet Protocol (IP) address and a first receiver IP address;
  
  (ii) determining a second sender IP address selected from a first set of IP addresses allocated to the first computer;
  
  (iii) determining a second receiver IP address selected from a second set of IP addresses allocated to the second computer;
  
  (iv) accepting the data packet when first and second sender IP addresses match and first and second receiver IP addresses match, otherwise, rejecting the packet,wherein the first receiver IP address periodically changes between successive data packets,wherein in steps (ii) and (iii) the IP address determination is based on a pseudo-random algorithm that selects an IP address pair of the second sender IP address and the second receiver IP address.
- View Dependent Claims (6)
- - 6. The method of claim 5, wherein the first and second sets of IP addresses are mutually exclusive.

7. A receiving computer that receives data packets from a transmitting computer, wherein the receiving computer comprises computer instructions that execute the steps of:
- (i) receiving data packets from a transmitting computer including a packet header comprising a first sender Internet Protocol (IP) address and a first receiver IP address;
  
  (ii) for each data packet, determining a second sender IP address selected from a first set of IP addresses allocated to the transmitting computer;
  
  (iii) for each data packet, determining a second receiver IP address selected from a second set of IP addresses allocated to the receiving computer;
  
  (iv) for each data packet, accepting the data packet when first and second sender IP addresses match and first and second receiver IP addresses match, otherwise, rejecting the packet,wherein the first receiver IP address periodically changes between successive data packets,wherein in steps (ii) and (iii) the IP address determination is based on a pseudo-random algorithm that selects an IP address pair of the second sender IP address and the second receiver IP address.
- View Dependent Claims (8)
- - 8. The receiving computer of claim 7, wherein the first and second sets of IP addresses are mutually exclusive.

9. A transmitting computer that transmits data packets to a receiving computer, wherein the transmitting computer comprises computer instructions that execute the steps of:
- (i) determining a sender'"'"'s IP address selected from a first set of IP addresses allocated to the transmitting computer;
  
  (ii) determining a receiver'"'"'s IP address selected from a second set of IP addresses allocated to the receiving computer;
  
  (iii) creating a packet header comprising the sender'"'"'s and receiver'"'"'s IP addresses;
  
  (iv) the transmitting computer transmitting to the receiving computer a data packet comprising the packet header;
  
  (v) receiving an indication from the receiving computer of a result of the receiving computer performing steps of;
  
  a. the receiving computer determining a second sender IP address selected from a third set of IP addresses allocated to the transmitting computer;
  
  b. determining a second receiver IP address selected from a fourth set of IP addresses allocated to the receiving computer; and
  
  c. accepting the data packet when first and second sender IP addresses match and first and second receiver IP addresses match, otherwise, rejecting the packet,wherein in steps a. and b. the IP address determination is based on a pseudo-random algorithm that selects an IP address pair.
- View Dependent Claims (10, 11, 12)
- - 10. The transmitting computer of claim 9, wherein the first and second sets of IP addresses are mutually exclusive.
  - 11. The transmitting computer of claim 9, wherein in steps (i) and (ii) the IP address determination is based on a pseudo-random algorithm that selects an IP address pair.
  - 12. The transmitting computer of claim 9, wherein the packet header periodically changes between successive data packets.

13. A method of transmitting data packets between a first computer and a second computer, comprising the steps of:
- (i) the second computer receiving a data packet including a packet header comprising a first sender Internet Protocol (IP) address and a first receiver IP address;
  
  (ii) determining a second sender IP address selected from a first set of IP addresses allocated to the first computer;
  
  (iii) determining a second receiver IP address selected from a second set of IP addresses allocated to the second computer;
  
  (iv) accepting the data packet when first and second sender IP addresses match and first and second receiver IP addresses match, otherwise, rejecting the packet,wherein the first receiver IP address periodically changes between successive data packets,wherein in steps (ii) and (iii) the IP address determination is based on a pseudo-random algorithm that selects an IP address pair.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, further comprising the step of maintaining a window of IP address pairs corresponding to a sequence of IP address pairs of sender and receiver IP addresses determined by the pseudo-random algorithm, andwherein step (iv) includes a step of accepting the data packet when the first sender and first receiver IP addresses of the packet header match any of the IP address pairs presently in the window.
  - 15. The method of claim 14, wherein the window of IP address pairs changes over time.
  - 16. The method of claim 14, wherein a length of the window is configured to be adjusted.

17. A receiving computer that receives data packets from a transmitting computer, wherein the receiving computer comprises computer instructions that execute the steps of:
- (i) receiving data packets from a transmitting computer including a packet header comprising a first sender Internet Protocol (IP) address and a first receiver IP address;
  
  (ii) for each data packet, determining a second sender IP address selected from a first set of IP addresses allocated to the transmitting computer;
  
  (iii) for each data packet, determining a second receiver IP address selected from a second set of IP addresses allocated to the receiving computer;
  
  (iv) for each data packet, accepting the data packet when first and second sender IP addresses match and first and second receiver IP addresses match, otherwise, rejecting the packet,wherein the first receiver IP address periodically changes between successive data packets,wherein in steps (ii) and (iii) the IP address determination is based on a pseudo-random algorithm that selects an IP address pair.
- View Dependent Claims (18)
- - 18. The receiving computer of claim 17, wherein the receiving computer maintains a window of IP address pairs corresponding to a sequence of IP address pairs of sender and receiver IP addresses determined by the pseudo-random algorithm,wherein step (iv) includes a step of accepting the data packet when the first sender and first receiver IP addresses of the packet header match any of the IP address pairs presently in the window,wherein the window is moved in response to detecting matches of the first sender and first receiver IP addresses and one of the IP address pairs presently in the window.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VirnetX Inc. (Virnetx Holding Corporation)
Original Assignee
Science Applications International Corporation
Inventors
Munger, Edmund Colby, Sabio, Vincent J., Short, Robert Dunham, Gligor, Virgil D., Schmidt, Douglas Charles
Primary Examiner(s)
Burgess, Glenton B.
Assistant Examiner(s)
STRANGE, AARON N

Application Number

US10/401,551
Publication Number

US 20040003116A1
Time in Patent Office

1,317 Days
Field of Search

709/238, 709/250, 709/240, 709/245, 718/100
US Class Current

709/245
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 45/20   Hop count for routing purpo...

H04L 45/24   Multipath

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/30   Managing network names, e.g...

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5076   Update or notification mech...

H04L 61/5092   by self-assignment, e.g. pi...

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/0407   wherein the identity of one...

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 69/14   Multichannel or multilink p...

H04L 9/065   Encryption by serially and ...

H04M 3/42008   Systems for anonymous commu...

Agile network protocol for secure communications with assured system availability

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

324 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Agile network protocol for secure communications with assured system availability

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

324 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links