Selective encryption of application session packets

US 7,266,683 B1
Filed: 07/27/2002
Issued: 09/04/2007
Est. Priority Date: 07/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing a first media at an edge of a first local area network on which a first set of terminals of a first user community of an enterprise reside, the first set of terminals running a first set of local applications on behalf of which the first media aggregation manager is configured to act as a signaling and control proxy;

providing a second media aggregation manager at an edge of a second local area network on which a second set of terminals of a second user community of the enterprise reside, the second set of terminals running a second set of local applications on behalf of which the second media aggregation manager is configured to act as a signaling and control proxy;

reserving a predetermined portion of available bandwidth as a real-time bandwidth pool over a path through an enterprise network between the first media aggregation manager and the second media aggregation manager for real-time communication sessions between the first set of local applications and the second set of local applicationssharing the real-time bandwidth pool among a plurality of real-time communication sessions by selectively admitting application sessions based upon currently available resources in real-time bandwidth pool; and

securely communicating between the first user community and the second user community by selectively encrypting information associated with the plurality of real-time communication sessions.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are provided for multiplexing and selectively encrypting application flows, such as VoIP services, over a pre-allocated bandwidth reservation protocol session. According to one embodiment, a pre-allocated reservation protocol session, such as an RSVP session, is shared by one or more individual application sessions. The reservation protocol session is pre-allocated over a path between a first network device associated with a first user community and a second network device associated with a second user community based upon an estimated usage of the path for individual application sessions between users of the first and second user communities. Subsequently, the one or more individual application sessions are dynamically aggregated by multiplexing application flows associated with the one or more individual application sessions onto the pre-allocated reservation protocol session at the first network device and demultiplexing at the second network device. Additionally, various levels of security may be selectively applied to the application sessions by performing encryption at the first network device and decryption at the second network device.

75 Citations

View as Search Results

24 Claims

1. A method comprising:
- providing a first media at an edge of a first local area network on which a first set of terminals of a first user community of an enterprise reside, the first set of terminals running a first set of local applications on behalf of which the first media aggregation manager is configured to act as a signaling and control proxy;
  
  providing a second media aggregation manager at an edge of a second local area network on which a second set of terminals of a second user community of the enterprise reside, the second set of terminals running a second set of local applications on behalf of which the second media aggregation manager is configured to act as a signaling and control proxy;
  
  reserving a predetermined portion of available bandwidth as a real-time bandwidth pool over a path through an enterprise network between the first media aggregation manager and the second media aggregation manager for real-time communication sessions between the first set of local applications and the second set of local applicationssharing the real-time bandwidth pool among a plurality of real-time communication sessions by selectively admitting application sessions based upon currently available resources in real-time bandwidth pool; and
  
  securely communicating between the first user community and the second user community by selectively encrypting information associated with the plurality of real-time communication sessions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said reserving a predetermined portion of available bandwidth between the first media aggregation manager and the second media aggregation manager includes pre-allocating a reservation protocol session over a path between the first media aggregation manager and the second media aggregation manager based upon an estimated usage of the path for individual application sessions between users of the first user community and the second user community.
  - 3. The method of claim 2, wherein said sharing the real-time bandwidth pool among a plurality of real-time communication sessions includes dynamically aggregating one or more individual application sessions by multiplexing application flows associated with plurality of real-time communication sessions onto the pre-allocated reservation protocol session at the first media aggregation manager.
  - 4. The method of claim 3, wherein the reservation protocol session comprises a Resource Reservation Protocol (RSVP) session.
  - 5. The method of claim 4, wherein at least one of the real-time communication session includes H.323 session and as a real-time Transport Protocol (RTP) session.
  - 6. The method of claim 3, further comprising:
    - forming an encapsulated packet by appending a tag to a media packet received at the first media aggregation manager from a source local application/endpoint associated with the first user community, the tag including information to allow the second media aggregation manager to determine a destination local application/endpoint associated with the second user community, andremoving the tag at the second media aggregation manager prior to forwarding the media packet to the destination local application/endpoint.
  - 7. The method of claim 6, wherein the tag includes a network address associated with the source local application/endpoint.
  - 8. The method of claim 6, wherein the tag includes a network address associated with the destination local application/endpoint.
  - 9. The method of claim 6, wherein the tag includes a packet type indication that specifies how to further identify a subprocess within the destination local application/endpoint.

10. A method comprising:
- establishing an aggregated reservation protocol session over a path between a first edge device and a second edge device based upon an estimate of a number of individual application sessions needed for the path during a predetermined window of time; and
  
  securely communicating and sharing the aggregated reservation protocol session among a plurality of individual application sessions tagging packets associated with corresponding application flows and selectively encrypting application flows for transmission between the first edge device and the second edge device, the tagged packets being multiplexed onto the aggregated reservation protocol session by the first edge device or the second edge device and demultiplexed by the other including removal of the tags from the media packets.

11. A method comprising:
- establishing a Resource Reservation Protocol (RSVP) session between a first network device and a second network device that are part of an Internet Protocol (IP) network;
  
  receiving, at the first network device from a first local terminal, a request to initiate a first real-time communication session with a first remote terminal associated with the second network device;
  
  allocating a portion of pre-allocated resources associated with the RSVP session to the first real-time communication session between the first local terminal and the first remote terminal;
  
  receiving, at the first network device from a second local terminal, a request to initiate a second real-time communication session with a second remote terminal associated with the second network device;
  
  allocating portion of the pre-allocated resources associated with the RSVP session to the second real-time communication session between the second local terminal and the second remote terminal; and
  
  securely communicating over the RSVP session and sharing the RSVP session between the first real-time communication session and the second real time communication session by encrypting and multiplexing voice packets associated with the first and second real-time communication sessions onto the RSVP session.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising:
    - transmitting voice packets from the first local terminal and first remote terminal by forming an encapsulated packet at the first network device that includes tag information to allow the second network device to determine the voice packets are intended for the first remote terminal; and
      
      removing the tag information at the second network device prior to forwarding the voice packets to the first remote terminal.
  - 13. The method of claim 12, wherein the tag information includes the IP address of the first local terminal.
  - 14. The method of claim 12, wherein the tag information includes the IP address of the first remote terminal.
  - 15. The method of claim 12, wherein the tag information includes a packet type indicator that specifies how to further identify a subprocess within the first remote terminal.

16. A method comprising:
- establishing a Resource Reservation Protocol (RSVP) session between a first network device and a second network device that are part of an Internet Protocol (IP) network;
  
  the first network device presenting itself as a recipient of a first call originated by a first local terminal associated with the first network device by providing its logical channel information to the first local terminal rather than providing logical channel information associated with the intended recipient of the first call;
  
  the first network device presenting itself as a recipient of a second call originated by a second local terminal associated with the first network device by providing its logical channel information to the second local terminal rather than providing logical channel information associated with the intended recipient of the second call; and
  
  the first network device selectively and securely transmitting voice packets from the first local terminal to an intended recipient of the first call and from the second local terminal to the intended recipient of the second call by encrypting and multiplexing the voice packets onto the RSVP session.
- View Dependent Claims (17)
- - 17. The method of claim 16, further comprising the first network device presenting itself as the originator of a third call to the second network device by providing its logical channel information to the second network device rather than providing logical channel information associated with a third local terminal associated with the first network device that truly originated the third call.

18. A media aggression manager comprising:
- a resource manager to establish a reservation protocol session with one or more other media aggression managers prior to establishment of any application sessions that share resources associated with the reservation protocol and to subsequently allocate and deallocate the resources in response to anticipated use of application session establishment requests and application session termination requests, respectively;
  
  an admission control manager coupled to the resource manager, the admission control manager to provide admission control for application flows based upon availability of the resources as indicated by the resource manager;
  
  a media multiplexor coupled to the admission control manager, the media multiplexor to tag media packets received from local application/endpoints that are associated with admitted application flows and to transmit the tagged media packets over the reservation protocol session;
  
  a media demultiplexor to forward media packets received from remote application/endpoints to the local application/endpoints based upon tags appended by a media multiplexor of the one or more other media aggregation managers;
  
  a media encryptor coupled to the media multiplexor to selectively encrypt media packet received from local application/endpoints that are associated with secure application flows; and
  
  a media decryptor coupled to the media demultiplexor to decrypt encrypted media packets received from the remote application/endpoints.

19. A network device comprising:
- a storage device having stored therein one or more routines for establishing and managing an aggregated reservation protocol session;
  
  a processor coupled to the storage device for executing the one or more routines to pre-allocate the aggregated reservation protocol session and thereafter share the aggregated reservation session among a plurality of individual application sessions, where;
  
  the aggregated reservation protocol session is pre-allocated based upon an estimate of the bandwidth requirements to accommodate the plurality of individual application sessions, the plurality of individual application sessions are established between a plurality of local application/endpoints and a plurality of remote application/endpoints;
  
  the aggregated reservation protocol session is securely shared by selectively encrypting and multiplexing outbound media packets originated by a local application/endpoint of plurality of local application/endpoints onto the aggregated reservation protocol session, and decrypting and demultiplexing inbound media packets originated by a remote application/endpoint of the plurality of remote application/endpoints from the aggregated reservation protocol session.

20. A system for secure real-time communications comprising:
- a first edge device coupled to a first plurality of terminals, the first edge device including a resource manager to reserve a predetermined portion of available bandwidth by establishing a reservation protocol session with one or more other media aggression managers prior to establishment of any application sessions that share resources associated with the reservation protocol;
  
  an admission control manager to provide admission control for real-time communication application sessions based upon remaining resources associated with a real-time bandwidth pool,a tunneling control manager that specifies an encryption program and a tunneling protocol; and
  
  ,a media encryptor to selectively encrypt information associated with secure application flows based on said encryption program specified by said tunneling control manager;
  
  and a second edge device coupled to a second plurality of terminals, the second edge device including a decryptor to decrypt information associated with secure application flows for use by the appropriate terminal of the second plurality of terminals.

21. A machine-readable medium having stored thereon data representing instructions which, when executed by a processor, cause the processor to:
- providing a first media at an edge of a first local area network on which a first set of terminals of a first user community of an enterprise reside, the first set of terminals running a first set of local applications on behalf of which the first media aggregation manager is configured to act as a signaling and control proxy;
  
  providing a second media aggregation manager at an edge of a second local area network on which a second set of terminals of a second user community of the enterprise reside, the second set of terminals running a second set of local applications on behalf of which the second media aggregation manager is configured to act as a signaling and control proxy;
  
  reserving a predetermined portion of available bandwidth as a real-time bandwidth pool over a path through an enterprise network between the first media aggregation manager and the second media aggregation manager for real-time communication sessions between the first set of local applications and the second set of local applications;
  
  share the real-time bandwidth pool among a plurality of real-time communication session by selectively admitting application sessions based upon currently available resources to the real-time bandwidth pool; and
  
  securely communicate between the first user community and the second user community by selectively encrypting information associated with the plurality of real-time communication sessions.
- View Dependent Claims (22, 23, 24)
- - 22. The machine-readable medium of claim 21, wherein the predetermined portion of available bandwidth between the first media aggregation manager and the second media aggregation manager is reserved by pre-allocating a reservation protocol session over a path between the first media aggregation manager and the second media aggregation manager based upon an estimated usage of the path for individual application sessions between users of the first user community and the second user community.
  - 23. The machine-readable medium of claim 22, wherein the real-time bandwidth pool is shared among the plurality of real-time communication sessions by multiplexing application flows associated with plurality of real-time communication sessions onto the pre-allocated reservation protocol session at the first media aggregation manager.
  - 24. The machine-readable medium of claim 23, wherein the reservation protocol session comprises a Resource Reservation Protocol (RSVP) session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Winterspring Digital LLC
Original Assignee
Prom KS Mgmt LLC (Intellectual Ventures LLC)
Inventors
Nag, Siddhartha
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Besrour; Saoussen

Application Number

US10/206,402
Time in Patent Office

1,865 Days
Field of Search

713/150
US Class Current

713/154
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0485   Networking architectures fo...

H04L 63/105   Multiple levels of security

Selective encryption of application session packets

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Selective encryption of application session packets

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links