Method and apparatus for routing data traffic in a cryptographically-protected network

US 7,392,378 B1
Filed: 03/19/2003
Issued: 06/24/2008
Est. Priority Date: 03/19/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A system for routing data packets over a selected network interface link of a data communications network, comprising:

a network routing device coupled to at least two potential network interface links, each one of the at least two potential network interface links being protected by a cryptographic subsystem comprisingkey material stored in a key storage area,a cryptographic engine configured to use at least a portion of the key material to encrypt the data packets before transmitting the data packets over the selected network interface link, anda key storage area information channel configured to convey to the network routing device a report comprising an indicator of a remaining encryption capacity for the cryptographic subsystem, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets;

wherein the network routing device is configured to determine, based on the indicator, which one of the potential network interface links will be the selected network interface link.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is useful for routing data traffic in data communications networks where some or all of the network interface links are protected by cryptographic techniques, e.g., encryption. The invention routes datagram traffic in such networks toward interface links perceived to have strong encryption protection and away from interface links perceived to have weak or weakening encryption protection, based on the remaining encryption capacity for such links.

73 Citations

View as Search Results

69 Claims

1. A system for routing data packets over a selected network interface link of a data communications network, comprising:
- a network routing device coupled to at least two potential network interface links, each one of the at least two potential network interface links being protected by a cryptographic subsystem comprisingkey material stored in a key storage area,a cryptographic engine configured to use at least a portion of the key material to encrypt the data packets before transmitting the data packets over the selected network interface link, anda key storage area information channel configured to convey to the network routing device a report comprising an indicator of a remaining encryption capacity for the cryptographic subsystem, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets;
  
  wherein the network routing device is configured to determine, based on the indicator, which one of the potential network interface links will be the selected network interface link.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 2. The system of claim 1, wherein the indicator is based on the an amount of key material in the key storage area.
  - 3. The system of claim 1, wherein the indicator is based on data representing an amount of time elapsed since a prior report was conveyed.
  - 4. The system of claim 1, wherein the indicator is based on data representing an amount of time elapsed since the key material was replenished.
  - 5. The system of claim 1, wherein the indicator is based on data representing a quantity of data packets encrypted by the cryptographic subsystem since a prior report was conveyed.
  - 6. The system of claim 1, wherein the indicator comprises a quantity of additional data packets the cryptographic engine can encrypt prior to the key material in the key storage area being exhausted.
  - 7. The system of claim 1, wherein the indicator comprises a rate at which the key material is being used by the cryptographic engine.
  - 8. The system of claim 1, wherein the network routing device includes a database for storing the report.
  - 9. The system of claim 1, wherein the report is conveyed to at least one other network routing device coupled to the data communications network.
  - 10. The system of claim 1, wherein the report is conveyed to a network management system coupled to the data communications network.
  - 11. The system of claim 1, wherein the report is conveyed to a key management system coupled to the data communications network.
  - 12. The system of claim 1, wherein the report is conveyed to a host computer coupled to the data communications network.
  - 13. The system of claims 1, 9, 10, 11 or 12, wherein the report is conveyed in response to an occurrence of a specified event.
  - 14. The system of claims 1, 9, 10, 11 or 12, wherein the report is conveyed in response to a specified condition for the interface link.
  - 15. The system of claims 1, 9, 10, 11 or 12, wherein the report is conveyed when an amount of key material in the key storage area reaches a specified level.
  - 16. The system of claims 1, 9, 10, 11 or 12, wherein the report is conveyed when the key material has been present in the key storage area for a specified time period.
  - 17. The system of claim 1, wherein the network routing device includes a statistical analyzer configured to generate an estimated remaining encryption capacity based on the report.
  - 18. The system of claim 1, further comprising a key material distribution system configured to provide the key storage area with additional key material.
  - 19. The system of claim 18, wherein the key material distribution system comprises a quantum cryptological subsystem.
  - 20. The system of claim 18, wherein the key material distribution system comprises a key-filling device.
  - 21. The system of claim 18, wherein the key material distribution system comprises a centralized secret key management system.
  - 22. The system of claim 18, wherein the key material distribution system comprises a distributed secret key management system.
  - 23. The system of claim 18, wherein the key material distribution system includes a mathematical-process for agreeing on a secret key.
  - 24. The system of claim 23, wherein the mathematical process comprises the Diffie-Hellman technique.
  - 25. The system of claim 1, wherein the report is conveyed to the network routing device in response to a request generated by the network routing device.
  - 26. The system of claim 1, wherein the report is conveyed to the network routing device at a specified time.
  - 27. The system of claim 1, wherein the report is conveyed to the network routing device in response to the expiration of a specified time interval.
  - 28. The system of claim 1, wherein the report is conveyed to the network routing device in response to a specified condition.
  - 29. The system of claim 1, further comprising:
    - a source network element;
      
      a target network element;
      
      at least two data communication paths between the source network element and the target network element, at least one of the data communication paths comprising the network routing device, the interface link, the cryptographic subsystem and the key storage area information channel; and
      
      a routing processor configured to determine, based on the report, which one of the at least two communication paths will be used to transmit the data packets from the source network element to the target network element.
  - 30. The system of claim 29, wherein the routing processor resides in the source network element.
  - 31. The system of claim 29, wherein the routing processor resides in the target network element.
  - 32. The system of claim 1, wherein the report is conveyed using a link-state based routing protocol.
  - 33. The system of claim 32, wherein the link-state based routing protocol comprises the Open Shortest Path First (OSPF) Protocol.
  - 34. The system of claim 32, wherein the link-state based routing protocol comprises the Constraint-based Routing Label Distribution Protocol (CR-LDP).
  - 35. The system of claim 32, wherein the link-state based routing protocol comprises the Intermediate System to Intermediate System (IS—
    - IS) Protocol.
  - 36. The system of claim 32, wherein the link-state based routing protocol is employed in conjunction with Multiprotocol Label Switching (MPLS).
  - 37. The system of claim 32, wherein the link-state based routing protocol is employed in conjunction with Asynchronous Transfer Mode (ATM).
  - 38. The system of claim 32, wherein the link-state based routing protocol is employed in conjunction with the Resource Reservation Protocol (RSVP).
  - 39. The system of claim 32, wherein the link-state based routing protocol is employed in conjunction with the Routing Information Protocol (RIP).
  - 40. The system of claim 1, wherein the report is conveyed using a distance vector routing protocol.
  - 41. The system of claim 40, wherein the distance vector routing protocol is employed in conjunction with the Resource Reservation Protocol (RSVP).
  - 42. The system of claim 1, wherein the report is conveyed using the Border Gateway Protocol (BGP).
  - 43. The system of claim 1, wherein the report is conveyed using the Simple Network Management Protocol (SNMP).
  - 44. The system of claim 1, wherein the report is conveyed using the Synchronous Optical Network (SONET) protocol.
  - 45. The system of claim 1, wherein the report is conveyed using the Internet Control Message Protocol (ICMP).

46. A programmed computer coupled to at least two network interface links, the programmed computer comprising:
- a memory having at least one region for storing computer executable program code; and
  
  a processor for executing the program code stored in said memory;
  
  wherein the program code includes code, responsive to a report received from a cryptographic subsystem indicating a remaining encryption capacity for the cryptographic subsystem including a quantitative measure representative of a capacity of the cryptographic subsystem to encrypt subsequent data packets, that determines which one of the at least two network interface links will be selected to transmit encrypted data packets and provides instructions that identify the network interface link to transmit the encrypted data packets based on the report.
- View Dependent Claims (47)
- - 47. The programmed computer of claim 46, wherein the cryptographic subsystem comprises key material stored in a key storage area;
    - a cryptographic engine configured to use at least a portion of the key material to encrypt the data packets before transmitting the data packets over the selected network interface link; and
      
      a key storage area information channel configured to convey the report to the programmed computer.

48. A method for routing data packets over a selected network interface link of a data communications network, comprising:
- providing a network routing device coupled to at least two network interface links, at least one of the two network interface links being protected by a cryptographic subsystem configured to encrypt data packets;
  
  receiving a report from the cryptographic subsystem comprising an indicator of a remaining encryption capacity for the cryptographic subsystem, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets;
  
  determining, based on the indicator, which one of the at least two network interface links will be the selected network interface link; and
  
  transmitting the data packets over the selected network interface link.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 49. The method of claim 48, whereinthe cryptographic subsystem comprises a key storage area configured to store a key material;
    - andthe indicator is based on an amount of key material stored in the key storage area.
  - 50. The method of claim 49, wherein the indicator is based on data representing an amount of time elapsed since the key material was replenished.
  - 51. The method of claim 49, wherein the indicator comprises a rate at which the key material is being used by the cryptographic engine.
  - 52. The method of claim 49, wherein the indicator comprises a quantity of additional data packets the cryptographic engine can encrypt prior to the key material in the key storage area being exhausted.
  - 53. The method of claim 48, wherein the indicator is based on data representing an amount of time elapsed since a prior report was received.
  - 54. The method of claim 48, wherein the indicator is based on data representing a quantity of data packets encrypted by the cryptographic subsystem since a prior report was received.
  - 55. The method of claim 48, wherein the network routing device includes a database for storing the report.
  - 56. The method of claim 48, wherein the report is conveyed to at least one other network routing device coupled to the data communications network.
  - 57. The method of claim 48, wherein the report is conveyed to a network management system coupled to the data communications network.
  - 58. The method of claim 48, wherein the report is conveyed to a key management system coupled to the data communications network.
  - 59. The method of claim 48, wherein the report is conveyed to a host computer coupled to the data communications network.
  - 60. The method of claims 48, 56, 57, 58 or 59, wherein the report is conveyed in response to an occurrence of a specified event.
  - 61. The method of claims 48, 56, 57, 58 or 59, wherein the report is conveyed in response to a specified condition for the interface link.
  - 62. The method of claims 48, 56, 57, 58 or 59, wherein the report is conveyed when an amount of key material in the key storage reaches a specified level.
  - 63. The method of claims 48, 56, 57, 58 or 59, wherein the report is conveyed when the key material has been present in the key storage for a specified time period.
  - 64. The method of claim 48, wherein the network routing device includes a statistical analyzer configured to generate an estimated remaining encryption capacity based on the report.
  - 65. The method of claim 49, further comprising providing the key storage area with additional key material.
  - 66. The method of claim 48, wherein the network routing device receives the report in response to a request generated by the network routing device.
  - 67. The method of claim 48, wherein the network routing device receives the report at a specified time.
  - 68. The method of claim 48, wherein the network routing device receives the report in response to the expiration of a specified time interval.
  - 69. The method of claim 48, wherein the network routing device receives the report in response to a specified condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
BBN Technologies (Rtx Corporation), Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
Elliott, Brig Barnum
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
PATEL, NIRAV B

Application Number

US10/392,492
Time in Patent Office

1,924 Days
Field of Search

713150-154, 380255-257, 380/277, 380/278, 380/279, 380/44, 380/28, 709/230, 709/232, 709238-244, 709/223, 709/220, 726 11- 14, 370/254, 370/351, 370/400, 370/401, 370/412, 370/431, 370/464, 370/229
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0852   Quantum cryptography transm...

Method and apparatus for routing data traffic in a cryptographically-protected network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for routing data traffic in a cryptographically-protected network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links