Method and apparatus to manage address translation for secure connections
Abstract
Techniques to manage address translation for secure connections are described. An apparatus may include a secure connection manager. The secure connection manager may comprise a flow module to create a list of identifiers, with each identifier representing a secure flow terminating at a device with an internal address. The secure connection manager may also comprise a translation module to select an internal address for an encrypted packet having an external address and a flow identifier. Other embodiments are described and claimed.
28 Claims
1. A method to manage secure connections, comprising:
receiving a first initial encrypted packet transmitted from an internal node and addressed to a secure port of an external node;
recording an unmatched flow comprising an internal address and a security identifier associated with said first initial encrypted packet in a list to designate a secure connection between said internal node and said external node;
receiving a second initial encrypted packet having a security identifier and an external address that represents a plurality of internal addresses;
translating said external address of said second initial encrypted packet by selecting one of said internal addresses associated with an oldest or most recently active unmatched flow recorded in said list;
communicating said second initial encrypted packet to said selected internal address; and
forwarding a subsequent encrypted packet having a security identifier that matches said security identifier of said second initial encrypted packet to said selected internal address.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 21

9. A method to manage secure connections, comprising:
creating a list of unmatched flows comprising security identifiers to designate secure connections by storing security identifiers in response to receiving initial encrypted packets addressed to a secure port, with each security identifier representing a tunnel terminating at a device having an internal address;
translating each of said internal addresses to an external address;
receiving an initial encrypted packet having said external address and a security identifier;
translating said external address of said initial encrypted packet by selecting one of said internal addresses associated with an oldest or most recently active unmatched flow from said list;
communicating said initial encrypted packet to said selected internal address; and
forwarding a subsequent encrypted packet having a security identifier that matches said security identifier of said initial encrypted packet to said selected internal address.
Dependent claims: 10, 11, 12, 13, 14

15. A secure connection manager, comprising:
a flow module to create a list of unmatched flows comprising security identifiers to designate secure connections by storing security identifiers in response to receiving initial encrypted packets addressed to a secure port, with each security identifier representing a secure flow terminating at a device with an internal address; and
a translation module to select an internal address for an initial encrypted packet having an external address and a security identifier, said internal address associated with an oldest or most recently active unmatched flow from said list, and to translate said external address to said internal address for a subsequent encrypted packet having a security identifier that matches said security identifier of said initial encrypted packet.
Dependent claims: 16

17. A system to manage secure connections, comprising:
a first network node to send encrypted packets to an external address;
a second network node to receive said encrypted packets and translate said external address to an internal address using a list of security identifiers; and
a third network node having said internal address to receive said encrypted packets,
wherein said second network node receives a first initial encrypted packet transmitted from said third network node and addressed to a secure port of said first network node,
said second network node records an unmatched flow comprising an internal address and a security identifier associated with said first initial encrypted packet in said list of security identifiers to designate a secure connection between said third network node and said first network node,
said second network node translates said external address of a second initial encrypted packet having a security identifier received from said first network node by selecting an internal address associated with an oldest or most recently active unmatched flow recorded in said list,
said second network node communicates said second initial encrypted packet to said selected internal address, and
said second network node forwards a subsequent encrypted packet having a security identifier that matches said security identifier of said second initial encrypted packet to said selected internal address.
Dependent claims: 18, 19, 20

22. An article comprising:
a storage medium; said storage medium including stored instructions that, when executed by a processor, result in managing a secure connection by
receiving a first initial encrypted packet transmitted from an internal node and addressed to a secure port of an external node,
recording an unmatched flow comprising an internal address and a security identifier associated with said first initial encrypted packet in a list to designate a secure connection between said internal node and said external node,
receiving a second initial encrypted packet having a security identifier and an external address that represents a plurality of internal addresses,
translating said external address of said second initial encrypted packet by selecting one of said internal addresses associated with an oldest or most recently active unmatched flow recorded in said list,
communicating said second initial encrypted packet to said selected internal address, and
forwarding a subsequent encrypted packet having a security identifier that matches said security identifier of said second initial encrypted packet to said selected internal address.
Dependent claims: 23, 24, 25

26. An article comprising:
a storage medium; said storage medium including stored instructions that, when executed by a processor, result in managing secure connections by
creating a list of unmatched flows comprising security identifiers to designate secure connections by storing security identifiers in response to receiving initial encrypted packets addressed to a secure port, with each security identifier representing a tunnel terminating at a device having an internal address,
translating each of said internal addresses to an external address,
receiving an initial encrypted packet having said external address and a security identifier,
translating said external address of said initial encrypted packet by selecting one of said internal addresses associated with an oldest or most recently active unmatched flow,
communicating said initial encrypted packet to said selected internal address, and
forwarding a subsequent encrypted packet having a security identifier that matches said security identifier of said initial encrypted packet to said selected internal address.
Dependent claims: 27, 28
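The following Python model, added here and not taken from the patent or any implementation of it, walks through the claimed procedure: outbound initial packets to a secure port are recorded as unmatched flows, an inbound initial packet with an unknown security identifier (the ESP SPI) is bound to the internal address of the oldest (or most recently recorded) unmatched flow, and later packets carrying that SPI follow the binding. The class and field names, the secure-port numbers and all addresses are assumptions constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class EspPacket:
    src: str    # source IP address
    dst: str    # destination IP address
    spi: int    # security parameter index from the ESP header (the "security identifier")
    dport: int  # destination port, used to recognise packets sent to a secure port


class SecureConnectionManager:
    """Model of the claimed gateway (assumed design, not the patent's code)."""

    def __init__(self, external_addr, secure_ports=(500, 4500), policy="oldest"):
        self.external_addr = external_addr      # one external address shared by all internal nodes
        self.secure_ports = set(secure_ports)   # assumed: IKE and IPsec NAT-T ports
        self.policy = policy                    # "oldest" or "most_recent" unmatched flow
        self.unmatched = OrderedDict()          # (internal_addr, spi) -> None, kept in arrival order
        self.bindings = {}                      # inbound spi -> internal address

    def outbound(self, pkt):
        """Internal node -> external peer: record an unmatched flow, then translate the source."""
        if pkt.dport in self.secure_ports:
            self.unmatched[(pkt.src, pkt.spi)] = None
        return EspPacket(self.external_addr, pkt.dst, pkt.spi, pkt.dport)

    def inbound(self, pkt):
        """External peer -> shared external address: pick the internal destination or drop."""
        if pkt.dst != self.external_addr:
            return None                         # not addressed to the translated address
        if pkt.spi in self.bindings:
            internal = self.bindings[pkt.spi]   # subsequent packet of an already bound flow
        elif self.unmatched:
            # Initial packet with an unknown SPI: claim the oldest (or most recent) unmatched flow.
            (internal, _), _ = self.unmatched.popitem(last=(self.policy == "most_recent"))
            self.bindings[pkt.spi] = internal
        else:
            return None                         # assumed: no candidate flow, so the packet is dropped
        return EspPacket(pkt.src, internal, pkt.spi, pkt.dport)


def simulate():
    """Two internal nodes open tunnels to one peer (constructed addresses); returns deliveries."""
    gw = SecureConnectionManager("198.51.100.1")
    gw.outbound(EspPacket("10.0.0.5", "203.0.113.9", 0xA1, 500))   # node A initiates first
    gw.outbound(EspPacket("10.0.0.6", "203.0.113.9", 0xB2, 500))   # node B initiates second
    results = []
    for spi in (0x1111, 0x1111, 0x2222, 0x3333):                   # inbound SPIs from the peer
        out = gw.inbound(EspPacket("203.0.113.9", "198.51.100.1", spi, 500))
        results.append((spi, out.dst if out else None))
    return results
```

Because the inbound SPI is negotiated inside the encrypted IKE exchange, the gateway cannot check which internal node it belongs to, so the oldest-flow heuristic can bind an SPI to the wrong node when several internal nodes initiate at the same time. A mis-bound packet fails ESP integrity checking at the node that receives it, so the failure mode is a tunnel that never comes up rather than disclosure of its contents.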