Internet protocol security framework utilizing predictive security association re-negotiation

US 7,143,154 B2
Filed: 01/26/2001
Issued: 11/28/2006
Est. Priority Date: 01/26/2001
Status: Active Grant

First Claim

Patent Images

1. An apparatus for use in predicting exchanges of a specific quantity of communication traffic between network elements, said apparatus comprising:

a digital processor operable on a periodic basis to calculate a weighted traffic flow per usage for a given network element, wherein said weighted traffic flow per usage corresponding to an average use of a network element per period multiplied by an average communications traffic quantity per use, said digital processor further including,a comparison mechanism for comparing a value of said weighted traffic flow per usage with a remainder value of said specific quantity of communications traffic, wherein an indication is given by said network element if said remainder value is less than said weighted traffic flow.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a methodology for predicting when current sets of encryption keys used in a high speed data network are about to expire. The invention allows network elements of a communication system to re-negotiate new sets of keys well in advance so as to prevent interruptions in communications traffic flow. In accordance with one exemplary embodiment of the invention, a weighted traffic flow per usage for a given network element is calculated on a periodic basis. The value of the weighted traffic flow per usage is compared with a remainder value of a specific quantity of communications traffic yet to be processed by the network element. If the remainder value is less than the weighted traffic flow value, an indication is given to the appropriate network element to renegotiate a new set of keys.

38 Citations

View as Search Results

17 Claims

1. An apparatus for use in predicting exchanges of a specific quantity of communication traffic between network elements, said apparatus comprising:
- a digital processor operable on a periodic basis to calculate a weighted traffic flow per usage for a given network element, wherein said weighted traffic flow per usage corresponding to an average use of a network element per period multiplied by an average communications traffic quantity per use, said digital processor further including,a comparison mechanism for comparing a value of said weighted traffic flow per usage with a remainder value of said specific quantity of communications traffic, wherein an indication is given by said network element if said remainder value is less than said weighted traffic flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein said digital processor waits until beginning another time period to calculate another value of said weighted traffic flow per usage to be compared with an updated remainder value.
  - 3. The apparatus of claim 1, wherein said specific quantity of communications traffic corresponds to a quantity value associated with a security association (SA) between said network elements.
  - 4. The apparatus of claim 3, wherein said indication given from said network elements prompts renegotiation of another SA.
  - 5. The apparatus of claim 3, wherein said SA is an Internet Protocol Security (IPSEC) SA.
  - 6. The apparatus of claim 1, wherein said apparatus is used in connection with a communications traffic monitoring application to identify randomly occurring traffic patterns.
  - 7. The apparatus of claim 1, wherein said apparatus is used in connection with a communications network management application to monitor usage of network components.

8. A method of predicting exchanges of a specific quantity of communication traffic between network elements, said method comprising:
- calculating, on a periodic basis, a weighted traffic flow per usage for a given network element, said weighted traffic flow per usage corresponding to an average use of a network element per period multiplied by an average communications traffic quantity per use;
  
  comparing a value of said weighted traffic flow per usage with a remainder value of said specific quantity of communications traffic; and
  
  giving an indication from said network element if said remainder value is less than said weighted traffic flow.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, further including waiting until beginning another time period to calculate another value of said weighted traffic flow per usage to be compared with an updated remainder value.
  - 10. The method of claim 8, wherein said specific quantity of communications traffic corresponds to a quantity value associated with a security association (SA) between said network elements.
  - 11. The method of claim 10, wherein said indication given from said network elements prompts renegotiation of another SA.
  - 12. The method of claim 10, wherein said SA is an Internet Protocol Security (IPSEC) SA.
  - 13. The method of claim 8, wherein said method is used in connection with a communications traffic monitoring application to identify randomly occurring traffic patterns.
  - 14. The method of claim 8, wherein said method is used in connection with a communications network management application to monitor usage of network components.
  - 15. The method of claim 8, wherein at least a portion of said communications traffic flows between network elements over the public Internet.

16. A method of predicting expiration of quantity based security associations between network elements, at least a portion of communications traffic exchanged between said network flowing over the public Internet, said method comprising:
- calculating, on a periodic basis, a weighted traffic flow per usage for a given network element, said weighted traffic flow per usage corresponding to the average use of a security association per period multiplied by the average number of bytes processed per use;
  
  comparing a value of said weighted traffic flow per usage with a remainder value of one of said quantity based security associations; and
  
  renegotiating another security association with a corresponding one of said network elements if said remainder value is less than said weighted traffic flow.
- View Dependent Claims (17)
- - 17. The method of claim 16, wherein said security association is an IPSEC security association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Bagasrawala, Abbas
Primary Examiner(s)
Cardone, Jason
Assistant Examiner(s)
Swearingen, Jeffrey R

Application Number

US09/771,406
Publication Number

US 20020103887A1
Time in Patent Office

2,132 Days
Field of Search

709/223
US Class Current

709/223
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/164 at the network layer

Internet protocol security framework utilizing predictive security association re-negotiation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Internet protocol security framework utilizing predictive security association re-negotiation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others