Method and apparatus for routing data traffic in a cryptographically-protected network
First Claim
1. A system for routing data packets over a selected network interface link of a data communications network, comprising:
- a network routing device coupled to at least two potential network interface links, each one of the at least two potential network interface links being protected by a cryptographic subsystem comprising key material stored in a key storage area, a cryptographic engine configured to use at least a portion of the key material to encrypt the data packets before transmitting the data packets over the selected network interface link, and a key storage area information channel configured to convey to the network routing device a report comprising an indicator of a remaining encryption capacity for the cryptographic subsystem, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets;
wherein the network routing device is configured to determine, based on the indicator, which one of the potential network interface links will be the selected network interface link.
Abstract
The present invention is useful for routing data traffic in data communications networks where some or all of the network interface links are protected by cryptographic techniques, e.g., encryption. The invention routes datagram traffic in such networks toward interface links perceived to have strong encryption protection and away from interface links perceived to have weak or weakening encryption protection, based on the remaining encryption capacity for such links.
69 Claims
1. A system for routing data packets over a selected network interface link of a data communications network, comprising:
a network routing device coupled to at least two potential network interface links, each one of the at least two potential network interface links being protected by a cryptographic subsystem comprising key material stored in a key storage area, a cryptographic engine configured to use at least a portion of the key material to encrypt the data packets before transmitting the data packets over the selected network interface link, and a key storage area information channel configured to convey to the network routing device a report comprising an indicator of a remaining encryption capacity for the cryptographic subsystem, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets;
wherein the network routing device is configured to determine, based on the indicator, which one of the potential network interface links will be the selected network interface link.
Dependent claims: 2-45

46. A programmed computer coupled to at least two network interface links, the programmed computer comprising:
a memory having at least one region for storing computer executable program code; and
a processor for executing the program code stored in said memory;
wherein the program code includes code, responsive to a report received from a cryptographic subsystem indicating a remaining encryption capacity for the cryptographic subsystem including a quantitative measure representative of a capacity of the cryptographic subsystem to encrypt subsequent data packets, that determines which one of the at least two network interface links will be selected to transmit encrypted data packets and provides instructions that identify the network interface link to transmit the encrypted data packets based on the report.
Dependent claims: 47

48. A method for routing data packets over a selected network interface link of a data communications network, comprising:
providing a network routing device coupled to at least two network interface links, at least one of the two network interface links being protected by a cryptographic subsystem configured to encrypt data packets;
receiving a report from the cryptographic subsystem comprising an indicator of a remaining encryption capacity for the cryptographic subsystem, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets;
determining, based on the indicator, which one of the at least two network interface links will be the selected network interface link; and
transmitting the data packets over the selected network interface link.
Dependent claims: 49-69
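The routing rule in the claims above (each link's cryptographic subsystem reports a quantitative measure of remaining encryption capacity; the routing device picks the link from those reports, steering traffic away from links whose protection is weakening) is modelled below. This is an added example written for this page, not code from the patent or from any product implementing it. The link names, key budgets, packet sizes and the low-water threshold are constructed for the demonstration, and the "remaining capacity" is expressed as bytes left under a per-key usage budget, which is one common way such a measure is kept; the keystream cipher is a stand-in so the block runs with the standard library only and is not a real AEAD.

```python
"""Capacity-aware link selection: added example modelling the routing rule in the
claims above (not the patent's own code). Link names, budgets and packet sizes
are constructed for the demonstration."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TAG_LEN = 16  # assumed per-packet nonce/tag overhead, charged against the key budget


def _keystream(key: bytes, nonce: int, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) so the example is self-contained.
    NOT a real cipher; use an AEAD such as AES-GCM in practice."""
    out = b""
    blk = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + blk.to_bytes(4, "big")).digest()
        blk += 1
    return out[:n]


@dataclass
class CryptoSubsystem:
    """Per-link cryptographic subsystem: key material plus a usage budget.
    key_budget is the number of bytes the current key may protect before it must
    be replaced; the report() it emits is the 'indicator of remaining encryption
    capacity' of claim 1, here as bytes left and as a fraction of the budget."""
    link: str
    key: bytes
    key_budget: int
    bytes_used: int = 0
    counter: int = 0  # per-key nonce counter; never reused under the same key

    def remaining(self) -> int:
        return max(0, self.key_budget - self.bytes_used)

    def report(self) -> dict:
        return {"link": self.link, "remaining": self.remaining(),
                "fraction": self.remaining() / self.key_budget}

    def encrypt(self, plaintext: bytes) -> bytes:
        cost = len(plaintext) + TAG_LEN
        if cost > self.remaining():
            raise RuntimeError(f"{self.link}: key budget exhausted, rekey required")
        nonce = self.counter
        ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(self.key, nonce, len(plaintext))))
        self.counter += 1
        self.bytes_used += cost
        return nonce.to_bytes(8, "big") + ct

    def rekey(self, new_key: bytes) -> None:
        """Fresh key material restores full capacity and resets the nonce counter."""
        self.key, self.bytes_used, self.counter = new_key, 0, 0


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = int.from_bytes(blob[:8], "big"), blob[8:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class Router:
    """Chooses the outgoing link from the subsystems' capacity reports."""

    def __init__(self, subsystems: List[CryptoSubsystem], low_water: float = 0.10):
        self.links: Dict[str, CryptoSubsystem] = {s.link: s for s in subsystems}
        self.low_water = low_water  # below this fraction a link counts as 'weakening'

    def select_link(self, packet_len: int) -> Optional[str]:
        cost = packet_len + TAG_LEN
        reports = [s.report() for s in self.links.values()]
        usable = [r for r in reports if r["remaining"] >= cost]  # can still protect this packet
        if not usable:
            return None  # no link may encrypt the packet; refuse rather than send weakly protected
        healthy = [r for r in usable if r["fraction"] >= self.low_water]
        pool = healthy or usable  # prefer links that are not yet weakening
        return max(pool, key=lambda r: r["remaining"])["link"]

    def route(self, packet: bytes) -> Tuple[Optional[str], Optional[bytes]]:
        link = self.select_link(len(packet))
        if link is None:
            return None, None
        return link, self.links[link].encrypt(packet)


def demo() -> List[Optional[str]]:
    """Constructed scenario: link A has a 2400-byte budget, link B 5000 bytes;
    seven 1000-byte packets are routed, then B is rekeyed and one more is sent."""
    router = Router([CryptoSubsystem("A", b"A" * 32, 2400),
                     CryptoSubsystem("B", b"B" * 32, 5000)])
    chosen = [router.route(b"x" * 1000)[0] for _ in range(7)]
    router.links["B"].rekey(b"C" * 32)
    chosen.append(router.route(b"x" * 1000)[0])
    return chosen  # ['B', 'B', 'B', 'A', 'B', 'A', None, 'B']


if __name__ == "__main__":
    print(demo())
```

Traffic moves to whichever link reports the most remaining capacity, so a link with a nearly spent key stops receiving packets before its key is exhausted, and when no link can protect a packet the router refuses to send rather than falling back to a weak or plaintext path; a rekey event restores the link to the candidate pool.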
Specification