Method and apparatus for conveying a security context in addressing information

US 7,254,835 B2
Filed: 01/04/2002
Issued: 08/07/2007
Est. Priority Date: 01/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method for conveying a security context, comprising:

obtaining a virtual address associated with a process executing on a recipient computer system;

issuing a first Internet Protocol version compliant packet, comprising;

invoking a Supernet Attach Command on an authentication server daemon;

receiving, in response to the Supernet Attach Command, Supernet configuration information comprising the security context; and

registering a mapping of the Supernet configuration information with a virtual address daemon,wherein the first Internet Protocol version compliant packet comprises a first Internet Protocol version compliant header,wherein the first Internet Protocol version compliant header comprises the security context,wherein the security context comprises a Supernet identifier, a Channel identifier, and the virtual address, andwherein data in a payload of the first Internet Protocol version compliant packet is encrypted using the Supernet identifier and the Channel identifier to obtain an encrypted payload;

issuing a second Internet Protocol version compliant packet, wherein the second Internet Protocol version compliant packet comprises a second Internet Protocol version compliant header,wherein the second Internet Protocol version compliant header comprises a second Internet Protocol version compliant address of the recipient computer system,wherein a payload of the second Internet Protocol version compliant packet comprises the first Internet Protocol version compliant packet, andwherein the first Internet Protocol version is different from the second Internet Protocol version; and

forwarding the second Internet Protocol version compliant packet to the recipient computer system,wherein the security context is used by the recipient computer to decrypt the encrypted payload.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for conveying a security context, including creating and assigning a virtual address to a client process, issuing a first Internet Protocol version compliant packet wherein the first Internet Protocol version compliant packet comprises a security context, prepending an issued packet with a second Internet Protocol version header producing a second Internet Protocol version compliant packet, forwarding the second Internet Protocol version compliant packet to a recipient, stripping away the second Internet Protocol version compliant header from the second Internet Protocol version compliant packet producing a stripped packet at the recipient, decrypting and authenticating the stripped packet using a particular method as indicated by the security context producing a decrypted and authenticated packet, and routing the decrypted and authenticated packet to a recipient process using the virtual address.

Citations

14 Claims

1. A method for conveying a security context, comprising:
- obtaining a virtual address associated with a process executing on a recipient computer system;
  
  issuing a first Internet Protocol version compliant packet, comprising;
  
  invoking a Supernet Attach Command on an authentication server daemon;
  
  receiving, in response to the Supernet Attach Command, Supernet configuration information comprising the security context; and
  
  registering a mapping of the Supernet configuration information with a virtual address daemon,wherein the first Internet Protocol version compliant packet comprises a first Internet Protocol version compliant header,wherein the first Internet Protocol version compliant header comprises the security context,wherein the security context comprises a Supernet identifier, a Channel identifier, and the virtual address, andwherein data in a payload of the first Internet Protocol version compliant packet is encrypted using the Supernet identifier and the Channel identifier to obtain an encrypted payload;
  
  issuing a second Internet Protocol version compliant packet, wherein the second Internet Protocol version compliant packet comprises a second Internet Protocol version compliant header,wherein the second Internet Protocol version compliant header comprises a second Internet Protocol version compliant address of the recipient computer system,wherein a payload of the second Internet Protocol version compliant packet comprises the first Internet Protocol version compliant packet, andwherein the first Internet Protocol version is different from the second Internet Protocol version; and
  
  forwarding the second Internet Protocol version compliant packet to the recipient computer system,wherein the security context is used by the recipient computer to decrypt the encrypted payload.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first Internet Protocol version compliant packet is Internet Protocol version 6 compliant packet.
  - 3. The method of claim 1, wherein the second Internet Protocol version compliant packet is Internet Protocol version 4 compliant packet.
  - 4. The method of claim 1, wherein the security context comprises a 128 bit unique value.
  - 5. The method of claim 4, wherein the 128 bit unique value comprises a 16 bit set and a 112 bit set.
  - 6. The method of claim 5, wherein the 16 bit set denotes a site local Internet protocol address comprising 12 bits for an address prefix followed by 4 bits for a zero value.
  - 7. The method of claim 5, wherein the 112 bit set comprises contiguous bits for the Supernet identifier, the Channel identifier, and the virtual address.
  - 8. The method of claim 5, wherein the 112 bit set comprises a 64 bit Supernet identifier, a 24 bit Channel identifier, and a 24 bit virtual address.
  - 9. The method of claim 1, wherein the virtual address daemon maps the virtual address of the recipient process within the Supernet to an actual Internet protocol address.

10. A method for processing a security context, comprising:
- receiving a first Internet Protocol version compliant packet comprising a first Internet Protocol version compliant header and a first Internet Protocol version compliant payload,wherein the first Internet Protocol version compliant payload comprises a second Internet Protocol version compliant packet,wherein the second Internet Protocol version compliant packet comprises encrypted data and a second Internet Protocol version compliant header comprising the security context, andwherein the security context comprises a 128 bit unique value, wherein the 128 bit unique value comprises a 16 bit set and a 112 bit set, wherein the 112 bit set comprises contiguous bits for a virtual address, a Supernet identifier, and a Channel identifier;
  
  extracting the encrypted data and the security context from the second Internet Protocol version compliant packet;
  
  decrypting the encrypted data, by a recipient computer system, using the Supernet identifier and Channel identifier to obtain decrypted data; and
  
  routing the decrypted data to a process in the recipient computer system using the virtual address,wherein the first Internet Protocol version compliant header comprises a first Internet Protocol version compliant address used to route the first Internet Protocol version compliant packet to the recipient computer system.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the 16 bit set denotes a site local Internet protocol address comprising 12 bits for an address prefix followed by 4 bits for a zero value.
  - 12. The method of claim 10, wherein the 112 bit set comprises a 64 bit Supernet identifier, a 24 bit Channel identifier, and a 24 bit virtual address.
  - 13. The method of claim 10, wherein the security context is obtained from the second Internet Protocol version compliant packet using a handler mechanism.
  - 14. The method of claim 13, wherein the handler mechanism is a Netfilter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
St. Pierre, Robert P., Caronni, Germano
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
GERGISO, TECHANE

Application Number

US10/037,800
Publication Number

US 20030131123A1
Time in Patent Office

2,041 Days
Field of Search

713200-201, 380/277, 726/14, 726/15, 709/238, 709/230, 370/409, 370/466
US Class Current

726/14
CPC Class Codes

H04L 63/164   at the network layer

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/167   Adaptation for transition b...

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Method and apparatus for conveying a security context in addressing information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for conveying a security context in addressing information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links