Security enabled network access control

US 7,185,365 B2
Filed: 03/27/2002
Issued: 02/27/2007
Est. Priority Date: 03/27/2002
Status: Expired due to Fees

First Claim

Patent Images

1. An access control system comprising:

a router having a plurality of network interfaces for receiving and transmitting packets of data, the router including forwarding elements to apply filter rules to the packets; and

a filter rule constructor engine associated with said forwarding elements to receive access control rules and security information for a security protocol, derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol, andtransmit the set of filter rules to two or more forwarding elements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control system including a network device having a plurality of network interfaces for receiving and transmitting packets of data, the network device including a forwarding element to apply filter rules to the packets, and a filter rule constructor engine associated with said forwarding element to receive access control rules and decryption information for a security protocol, derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol, and transmit the set of filter rules to the at least one forwarding element.

Citations

31 Claims

1. An access control system comprising:
- a router having a plurality of network interfaces for receiving and transmitting packets of data, the router including forwarding elements to apply filter rules to the packets; and
  
  a filter rule constructor engine associated with said forwarding elements to receive access control rules and security information for a security protocol, derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol, andtransmit the set of filter rules to two or more forwarding elements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the filter rule constructor engine also applies the derived set of filter rules to clear packet headers.
  - 3. The system of claim 1, wherein the security protocol is a secure Internet protocol.
  - 4. The system of claim 1, wherein the filter rule constructor engine is on the same platform as the forwarding elements.
  - 5. The system of claim 1, wherein the router is connected to a Virtual Private Network (VPN).
  - 6. The system of claim 5, wherein the router is also connected to an Internet host.
  - 7. The system of claim 1, wherein the set of filter rules includes a filter rule applied to unencrypted packet headers.
  - 8. The system of claim 7, wherein the set of filter rules further includes an outer and inner set of filter rules, wherein the outer set routes the encrypted packet headers to the inner set that decrypts the packet headers.
  - 9. The system of claim 1, wherein the security information is a Security Information Transport Protocol mapping table.
  - 10. The system of claim 9, wherein the SITP table includes a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, ESP protocol, a security payload index, a decryption algorithm, and a decryption key.
  - 11. The system of claim 10, wherein the access control rules are in a table which lists a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, the outer protocol, the ESP protocol, the inner source IP address, the inner destination IP address, the inner protocol, the source port, and the destination port.
  - 12. The system of claim 1, further comprising an engine to collect statistics from counters associated with the set of filter rules.
  - 13. The system of claim 1, wherein the statistics engine is integral with the filter rule constructor engine.

14. A machine-accessible medium with executable instructions stored thereon that, when accessed by a machine, causes the machine to perform the following operations:
- receive access control rules and security information for a security protocol;
  
  derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol; and
  
  transmit the set of filter rules to a router including two or more forwarding elements.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The article of claim 14, the instructions further operable to cause the machine to apply the derived set of filter rules to both clear packet headers and packet headers encrypted with the security protocol.
  - 16. The article of claim 14, further including instructions to receive security information for a secure Internet protocol.
  - 17. The article of claim 14, further including instructions to derive a set of filter rules that includes a filter rule applied to unencrypted packet headers.
  - 18. The article of claim 14, further including instructions to derive a set of filter rules that includes an outer and inner set of filter rules, wherein the outer set routes the encrypted packet headers to the inner set that decrypts the packet headers.
  - 19. The article of claim 14, further including instructions to receive security information in the form of a Security Information Transport Protocol mapping table.
  - 20. The article of claim 19, further including instructions to receive a Security Information Transport Protocol mapping table that includes a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, ESP protocol, a security payload index, a decryption algorithm, and a decryption key.
  - 21. The article of claim 14, further including instructions to receive access control rules in the form of a table which lists a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, the outer protocol, the ESP protocol, the inner source IP address, the inner destination IP address, the inner protocol, the source port, and the destination port.
  - 22. The article of claim 14, the instructions further operable to cause the machine to collect statistics from counters associated with the set of filter rules and reset the counters.

23. An access control method, comprising:
- receiving access control rules and security information for a security protocol;
  
  deriving from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol; and
  
  transmitting the set of filter rules to a router including two or more forwarding elements.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The method of claim 23, further comprising applying the derived set of filter rules to both clear packet headers and packet headers encrypted with the security protocol.
  - 25. The method of claim 23, wherein the security protocol is a secure Internet protocol.
  - 26. The method of claim 23, wherein the set of filter rules includes a filter rule applied to unencrypted packet headers.
  - 27. The method of claim 26, wherein the set of filter rules further includes an outer and inner set of filter rules, wherein the outer set routes the encrypted packet headers to the inner set that decrypts the packet headers.
  - 28. The method of claim 23, wherein the security information is a Security Information Transport Protocol mapping table.
  - 29. The method of claim 28, wherein the SITP table includes a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, ESP protocol, a security payload index, a decryption algorithm, and a decryption key.
  - 30. The method of claim 23, wherein the access control rules are in a table which lists a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, the outer protocol, the ESP protocol, the inner source IP address, the inner destination IP address, the inner protocol, the source port, and the destination port.
  - 31. The method of claim 23, further comprising collecting statistics from counters associated with the set of filter rules and resetting the counters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Liu, Hsin-Yuo, Tang, Puqi
Primary Examiner(s)
Arani; Taghi T.

Application Number

US10/109,605
Publication Number

US 20030188192A1
Time in Patent Office

1,798 Days
Field of Search

713150-155, 713/180, 713200-225, 709220-225, 709/238, 726/1, 726/2, 726/13
US Class Current

726/13
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

Security enabled network access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Security enabled network access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links