Processing of data packets within a network element cluster

US 7,280,540 B2
Filed: 10/19/2001
Issued: 10/09/2007
Est. Priority Date: 01/09/2001
Status: Active Grant

First Claim

Patent Images

1. A gateway node of a network element cluster, said gateway node havingfirst means for processing data packets and establishing secure tunnel connections in accordance with a protocol suite for securing packet data communications,second means for storing hash values, which are currently allocated to said gateway node and different from hash values allocated to other gateway nodes in the cluster so as to enable load distribution,third means for filtering at least a plurality of data packets based on packet-specific first hash values, a first packet-specific hash value being calculated using a first hash function and first header field(s) of a data packet, said third means being arranged to accept only data packets having one of the hash values currently allocated to said node and to ignore other data packets,fourth means for filtering a plurality of second data packets, which are data packets of a secure tunnel according to a protocol suite for securing packet data communications, based on second packet-specific hash values, a second packet-specific hash value being calculated using a second hash function and at least second header field(s) of a second data packet, said fourth means being arranged to accept only second data packets having one of the hash values being currently allocated to said node and to ignore other data packets,fifth means for generating value(s) for the second header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the second hash function is a hash value currently allocated to said node, andmeans for providing the second header field(s) of a second data packet outbound from the node with said generated value(s).

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a network element cluster having a plurality of nodes, distribution decisions are determined on the basis of certain field(s) of data packets according to predetermined criteria, and data packets are distributed to nodes of the network element cluster according to the distribution decisions. Data packets are processed by said nodes of the network element cluster, and the processing involves selecting at least partly arbitrary value(s) for at least one of the field(s) of at least one data packet. Such value(s) are selected for at least one of said certain field(s) of a third data packet, such that distribution decisions determined according to the predetermined criteria result in the same node in the cluster processing inbound and outbound packets of the same session ID.

Citations

12 Claims

1. A gateway node of a network element cluster, said gateway node havingfirst means for processing data packets and establishing secure tunnel connections in accordance with a protocol suite for securing packet data communications,second means for storing hash values, which are currently allocated to said gateway node and different from hash values allocated to other gateway nodes in the cluster so as to enable load distribution,third means for filtering at least a plurality of data packets based on packet-specific first hash values, a first packet-specific hash value being calculated using a first hash function and first header field(s) of a data packet, said third means being arranged to accept only data packets having one of the hash values currently allocated to said node and to ignore other data packets,fourth means for filtering a plurality of second data packets, which are data packets of a secure tunnel according to a protocol suite for securing packet data communications, based on second packet-specific hash values, a second packet-specific hash value being calculated using a second hash function and at least second header field(s) of a second data packet, said fourth means being arranged to accept only second data packets having one of the hash values being currently allocated to said node and to ignore other data packets,fifth means for generating value(s) for the second header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the second hash function is a hash value currently allocated to said node, andmeans for providing the second header field(s) of a second data packet outbound from the node with said generated value(s).
- View Dependent Claims (2, 3)
- - 2. A node according to claim 1, further comprising:
    - sixth means for filtering a plurality of third data packets, which are data packets in accordance with a protocol for establishing secure tunnel connections, based on third packet-specific hash values, a third packet-specific hash value being calculated using a third hash function and at least third header field(s) of a third data packet, said sixth means arranged to accept only third data packets having one of the hash values currently allocated to said node,seventh means for generating value(s) for the third header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the third hash function is a hash value currently allocated to said node, andeighth means for communicating information about established secure tunnel connections.
  - 3. A node according to claim 2, further comprising:
    - ninth means for filtering a plurality of fourth data packets, which are data packets in accordance with a protocol for establishing secure key management sessions, based on fourth packet-specific hash values, a fourth packet-specific hash value being calculated using a fourth hash function and at least fourth header field(s) of a fourth data packet, said ninth means arranged to accept only fourth data packets having one of the hash values currently allocated to said node, andmeans for generating value(s) for the fourth header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the fourth hash function is a hash value currently allocated to said node.

4. A network element cluster for processing data packets, said network element cluster comprising a plurality of gateway nodes, said network element cluster having means for allocating a range of hash values to the gateway nodes, so that each gateway node has node-specific hash values different from the hash values of other gateway nodes, and at least one of said gateway nodes comprisestunnel means for processing data packets and establishing secure tunnels connections in accordance with a protocol suite for securing packet data communications,storing means for storing hash values, which are currently allocated to said gateway node and different from the hash values allocated to other gateway nodes in the cluster so as to enable load distribution, andfirst means for filtering at least a plurality of data packets based on packet-specific first hash values, a first packet-specific hash value being calculated using a first hash function and first header field(s) of a data packet, said first means being arranged to accept only data packets having one of the hash values currently allocated to said gateway node and to ignore other data packets,second means for filtering a plurality of second data packets, which are data packets of a secure tunnel according to a protocol suite for securing packet data communications, based on second packet-specific hash values, a second packet-specific hash value being calculated using a second hash functions and second header field(s) of a second data packet, said second means being arranged to accept only second data packets having one of the hash values being currently allocated to said gateway node and to ignore other data packets, andthird means for generating value(s) for the second header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the second hash function is a hash value currently allocated to said gateway node, andmeans for providing the second header field(s) of a second data packet outbound from the gateway node with said generated value(s).
- View Dependent Claims (5, 6, 7)
- - 5. A network element cluster according to claim 4, wherein said at least one of said gateway nodes further comprises:
    - fourth means for filtering a plurality of third data packets, which are data packets in accordance with a protocol for establishing secure tunnel connections, based on third packet-specific hash values, a third packet-specific hash value being calculated using a third hash function and third header field(s) of a third data packet, said fourth means arranged to accept only third data packets having one of the hash a values currently allocated to said gateway node,fifth means for generating value(s) for the third header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the third hash function is a hash value currently allocated to said gateway node, andsixth means for communicating information about established secure tunnel connections.
  - 6. A network element cluster according to claim 4, further comprising:
    - fourth means for monitoring the state of gateway nodes belonging to said network element cluster, andfifth means for reallocating the range of hash values to gateway nodes belonging to said network element cluster.
  - 7. A network element cluster according to claim 4, wherein said at least one gateway node further comprisesfourth means for checking if there are established secure tunnel connections relating to reallocated hash values, arranged to operate after reallocation of hash values,fifth means for deleting a secure tunnel relating to a reallocated hash value, andsixth means for establishing a new secure tunnel to replace a deleted secure tunnel.

8. A method of processing data packets in a gateway node of a network element cluster, comprisingprocessing data packets and establishing secure tunnel connections in accordance with a protocol suite for securing packet data communications,storing hash values, which are currently allocated to a gateway node and different from hash values allocated to other gateway nodes in the cluster so as to enable load distribution,filtering at least a plurality of data packets based on packet-specific first hash values, a first packet-specific hash value being calculated using a first hash function and first header field(s) of a data packet, and accepting only data packets having one of the hash values currently allocated to said gateway node and ignoring other data packets,filtering a plurality of second data packets, which are data packets of a secure tunnel according to a protocol suite for securing packet data communications, based on second packet-specific hash values, a second packet-specific hash value being calculated using a second hash functions and at least second header field(s) of a second data packet, and accepting only second data packets having one of said hash values being currently allocated to said gateway node and ignoring other data packets, andgenerating value(s) for the second header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the second hash function is a hash value currently allocated to said gateway node andproviding the second header field(s) of a second data packet outbound from the gateway node with said generated value(s).

9. A method of processing data packets in a network element cluster comprised of a plurality of gateway nodes, said method comprising:
- allocating a range of hash values to the gateway nodes of a network element cluster, so that each gaeway node has node-specific hash values different from hash values of other ones of said plurality of gateway nodes,processing data packets and establishing secure tunnel connections in accordance with a protocol suite for securing packet data communications,storing hash values, which are currently allocated to said gateway node and different from the hash values allocated to other ones of said plurality of gateway nodes in said network element cluster so as to enable load distribution, andfiltering at least a plurality of data packets based on packet-specific first hash values, a first packet-specific hash value being calculated using a first hash function and first header field(s) of a data packet, and accepting only data packets having one of the hash values currently allocated to said gateway node and ignoring other data packets,filtering a plurality of second data packets, which are data packets of secure tunnel according to a protocol suite for securing packet data communications, based on second packet-specific hash values, a second packet-specific hash value being calculated using a second hash function and second header field(s) of a second data packet, and accepting only second data packets having one of the hash values being currently allocated to said gateway node ignoring other data packets,generating value(s) for the second header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the second hash function is a hash value currently allocated to said gateway node, andproviding the second header field(s) of a second data packet outbound from the gateway node with said generated value(s).

10. A computer readable storage medium having encoded thereon computer executable program code which, when executed on a gateway node in a network, causes said gateway node toprocess data packets and establish secure tunnel connections in accordance with a protocol suite for securing packet data communications,store hash values, which are currently allocated to a gateway node and different from hash values allocated to other gateway nodes in a cluster of nodes so as to enable load distribution,filter at least a plurality of data packets based on packet-specific first hash values, a first packet-specific hash value being calculated using a first hash function and first header field(s) of a data packet, and accepting only data packets having one of the hash values currently allocated to said gateway node and ignoring other data packets,filter a plurality of second data packets, which are data packets of secure tunnel according to a protocol suite for securing packet data communications, based on second packet-specific hash values, a second packet-specific hash value being calculated using a second hash function and at least second header field(s) of a second data packet, and accepting only second data packets having one of the hash values being currently allocated to said gateway node and ignoring other data packets,generate value(s) for the second header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the second hash function is a hash value currently allocated to said gateway node, andprovide the second header fields(s) of a second data packet outbound from the gateway node with said generated value(s).

11. A computer readable storage medium having encoded thereon computer executable program code which, when executed on a gateway node in a network, causes said gateway node toallocate a range of hash values to a gateway node, so that each node has node-specific hash values different from hash values allocated to other gateway nodes in said cluster so as to enable load distribution,process data packets and establish secure tunnel connections in accordance with a protocol suite for securing packet data communications,store hash values, which are currently allocated to said node, andfilter at least a plurality of data packets based on packet-specific first hash values, a first packet-specific hash value being calculated using a first hash function and first header field(s) of a data packet, and accepting only data packets having one of the hash values currently allocated to said gateway node and ignoring other data packets,filter a plurality of second data packets, which are data packets of secure tunnel according to a protocol suite for securing packet data communications, based on second packet-specific hash values, a second packet-specific hash value being calculated using a second hash function and second header field(s) of a second data packet, and accepting only second data packets having one of the hash values being currently allocated to said gateway node and ignoring other data packets,generate value(s) for the second header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the second hash function is a hash value currently allocated to said gateway node.

12. A gateway node of a network element cluster, wherein:
- said gateway node is configured to process data packets and establish secure tunnel connection in accordance with a protocol suite for securing packet data communications;
  
  said gateway node is configured to store hash values, which are currently allocated to said gateway node and different from hash values allocated to other gateway nodes in the cluster so as to enable load distribution;
  
  said gateway node is configured to filter at least a plurality of data packets based on packet-specific first hash values, a first packet-specific hash value being calculated using a first hash function and first header field(s) of a data packet, and to accept only data packets having one of the hash values currently allocated to said node and to ignore other data packets;
  
  said gateway node is configured to filter a plurality of second data packets, which are data packets of a secure tunnel according to a protocol suite for securing packet data communications, based on second packet-specific hash values, a second packet-specific hash value being calculated using a second hash function and at least second header field(s) of a second data packet, and to accept only second data packets having one of the hash values being currently allocated to said node and to ignore other data packets;
  
  said gateway node is configured to generate value(s) for the second header field(s), arranged to generate such value(s) that a hash value calculated using said value(s) and the second hash function is a hash value currently allocated to said node, andsaid gateway node is configured to provide the second header field(s) of a second data packet outbound from the node with said generated value(s).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC (Francisco Partners Management LLC)
Original Assignee
Stonesoft Oy (Rtx Corporation)
Inventors
Halme, Matti, Syvanne, Tuomo, Virtanen, Timo, Harjulahti, Esa, Virtanen, Tommi
Primary Examiner(s)
Backer; Firmin
Assistant Examiner(s)
Ngo; Nguyen

Application Number

US10/013,613
Publication Number

US 20020097724A1
Time in Patent Office

2,181 Days
Field of Search

370/392, 370/389, 370/401, 713/190, 713/150, 713/153, 713/154
US Class Current

370/392
CPC Class Codes

H04L 67/1001   for accessing one among a p...

H04L 67/1014   based on the content of a r...

H04L 67/1023   based on a hash applied to ...

H04L 69/22   Parsing or analysis of headers

Processing of data packets within a network element cluster

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Processing of data packets within a network element cluster

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links