Method and apparatus for controlling the flow of data across a network interface
Abstract
The present invention performs “flow control” based on the remaining encryption capacity of an encrypted outbound network interface link of a network routing device, such as a router or switch. As the encrypted link begins to run low on encryption key material, this invention begins to discard datagrams queued for transit across that link, in order to signal distant host computers that they should slow down the rate at which they are sending datagrams. The invention, which is particularly useful in cryptographically protected networks that run the TCP/IP protocol stack, allows fine-grained flow control of individual traffic classes because it can determine, for example, how various classes of data traffic (e.g., voice, video, TCP) should be ordered and transmitted through a network. Thus, the invention can be used to implement sophisticated flow control rules so as to give preferential treatment to certain people, departments or computers.
Claims (51)

1. A method for controlling the flow of a stream of data across a network interface, comprising the steps of:
   storing a key material in a key storage area;
   providing a cryptographic engine configured to use at least a portion of the key material to encrypt a data packet from the stream;
   generating a report comprising an indicator of a remaining encryption capacity, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets from the stream; and
   for each data packet in the stream,
      determining a traffic class for the data packet,
      computing a probability of discard (Pd) for the data packet based on the indicator of the remaining encryption capacity from the report and the traffic class,
      discarding the data packet if the probability of discard (Pd) is greater than or equal to a random number, and
      queuing the data packet for transmission across the network interface if the probability of discard (Pd) is less than the random number.
   (Dependent claims 2 to 17 are not reproduced here.)

18. A method for controlling the flow of a stream of data across a network interface, comprising the steps of:
   receiving a report comprising an indicator of a remaining encryption capacity for the network interface, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the network interface to encrypt subsequent data packets from the stream; and
   for each data packet in the stream,
      determining a traffic class for the data packet,
      computing a probability of discard (Pd) for the data packet based on the remaining encryption capacity and the traffic class,
      comparing the probability of discard (Pd) to a random number,
      discarding the data packet if the probability of discard (Pd) is greater than or equal to the random number, and
      queuing the data packet for transmission across the network interface if the probability of discard (Pd) is less than the random number.
   (Dependent claims 19 to 34 are not reproduced here.)

35. A method for controlling the flow of a stream of data across an encrypted network interface, comprising:
   receiving a report comprising an indicator of a remaining encryption capacity for the encrypted network interface, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the network interface to encrypt subsequent data packets from the stream;
   determining a traffic class for a data packet in the stream;
   computing a probability of discard (Pd) for the data packet based on the remaining encryption capacity and the traffic class;
   comparing the probability of discard (Pd) to a random number;
   discarding the data packet if the probability of discard (Pd) is greater than or equal to the random number; and
   queuing the data packet for transmission across the encrypted network interface if the probability of discard (Pd) is less than the random number.
   (Dependent claims 36 to 51 are not reproduced here.)
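The per-packet loop of claims 1, 18 and 35 (and the abstract's description of throttling as key material runs low), as an added worked example; this is not code from the patent or its assignee. Everything about the shape of the numbers is assumed: the capacity report is taken to be the number of bytes the current key material may still encrypt, each traffic class gets a RED-style linear discard ramp between two capacity thresholds (the patent specifies no curve), the traffic class comes from the packet's DSCP code point, and the random number is uniform in [0, 1). The CryptoEngine, DropPolicy, POLICIES, CapacityReport, classify, discard_probability, should_queue and process_stream names are all hypothetical, as is the constructed packet stream.

```python
"""Key-capacity-driven probabilistic discard, modelled on claims 1, 18 and 35.

Added example, not code from the patent. Hypothetical choices: the capacity
report is 'bytes the current key material may still encrypt'; each traffic
class gets a RED-style linear drop ramp; classification is by DSCP; the
random number is uniform in [0, 1).
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class DropPolicy:
    """Per-class discard curve (assumed shape). Fractions refer to the original
    key budget: above `upper` nothing is discarded, at or below `lower`
    everything is, in between Pd ramps linearly from 0 towards max_p."""
    upper: float
    lower: float
    max_p: float


# Example table: voice is protected longest, bulk TCP is throttled first.
POLICIES: Dict[str, DropPolicy] = {
    "voice": DropPolicy(upper=0.10, lower=0.02, max_p=0.5),
    "video": DropPolicy(upper=0.20, lower=0.05, max_p=0.8),
    "tcp": DropPolicy(upper=0.40, lower=0.10, max_p=1.0),
}


@dataclass(frozen=True)
class CapacityReport:
    """The claims' 'report': a quantitative measure of what can still be encrypted."""
    remaining_bytes: int
    total_bytes: int

    @property
    def fraction(self) -> float:
        return self.remaining_bytes / self.total_bytes


class CryptoEngine:
    """Stand-in for the link encryptor. The byte budget represents the key
    material; encrypting consumes it and is refused once it would overrun."""

    def __init__(self, key_bytes: int) -> None:
        self.total = key_bytes
        self.remaining = key_bytes

    def report(self) -> CapacityReport:
        return CapacityReport(self.remaining, self.total)

    def encrypt(self, payload: bytes) -> bool:
        # Hard limit, independent of Pd: never encrypt past the key budget.
        if len(payload) > self.remaining:
            return False
        self.remaining -= len(payload)
        return True


def classify(packet: dict) -> str:
    """Traffic class from the DSCP code point of a constructed packet dict."""
    dscp = packet.get("dscp", 0)
    if dscp == 46:  # EF: voice
        return "voice"
    if dscp == 34:  # AF41: video
        return "video"
    return "tcp"


def discard_probability(report: CapacityReport, traffic_class: str) -> float:
    """Pd from remaining capacity and class (the claims' 'computing' step)."""
    pol = POLICIES[traffic_class]
    frac = report.fraction
    if frac > pol.upper:
        return 0.0
    if frac <= pol.lower:
        return 1.0
    return pol.max_p * (pol.upper - frac) / (pol.upper - pol.lower)


def should_queue(pd: float, rnd: float) -> bool:
    """Claim wording: discard if Pd >= random number, queue if Pd < random number."""
    return pd < rnd


def process_stream(packets: List[dict], engine: CryptoEngine,
                   rng: Callable[[], float] = random.random) -> Dict[str, Dict[str, int]]:
    """Run the per-packet loop of the claims over a packet list; return counts."""
    counts = {cls: {"queued": 0, "discarded": 0} for cls in POLICIES}
    for pkt in packets:
        cls = classify(pkt)
        pd = discard_probability(engine.report(), cls)
        # A packet that passes the Pd test is still discarded if the engine
        # cannot encrypt it without exceeding its key budget.
        if should_queue(pd, rng()) and engine.encrypt(pkt["payload"]):
            counts[cls]["queued"] += 1
        else:
            counts[cls]["discarded"] += 1
    return counts


if __name__ == "__main__":
    # Constructed stream: 40 bulk TCP packets interleaved with 10 voice packets.
    stream = [{"dscp": 46 if i % 5 == 0 else 0, "payload": b"x" * 100} for i in range(50)]
    eng = CryptoEngine(key_bytes=3000)
    print(process_stream(stream, eng, random.Random(1).random), "remaining:", eng.remaining)
```

Two points worth separating when reading this: the probabilistic discard is a signalling mechanism (dropped datagrams make TCP senders back off before the key is exhausted, and the per-class ramps decide who backs off first), while the refusal inside `encrypt()` is the actual safety limit on key usage and must not depend on the random draw. The random number only shapes congestion behaviour and reveals nothing about the key, so it does not need a cryptographic source; the capacity report, on the other hand, should stay on the device, since it tells an observer when the link is about to re-key or stall.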
Specification