Method and apparatus for controlling the flow of data across a network interface

US 7,441,267 B1
Filed: 03/19/2003
Issued: 10/21/2008
Est. Priority Date: 03/19/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for controlling the flow of a stream of data across a network interface, comprising the steps of:

storing a key material in a key storage area;

providing a cryptographic engine configured to use at least a portion of the key material to encrypt a data packet from the stream;

generating a report comprising an indicator of a remaining encryption capacity, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets from the stream; and

for each data packet in the stream,determining a traffic class for the data packet,computing a probability of discard (Pd) for the data packet based on the indicator of the remaining encryption capacity from the report and the traffic class,discarding the data packet if the probability of discard (Pd) is greater than or equal to a random number, andqueuing the data packet for transmission across the network interface if the probability of discard (Pd) is less than the random number.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention performs “flow control” based on the remaining encryption capacity of an encrypted outbound network interface link of a network routing device, such as a router or switch. As the encrypted link begins to run low on encryption key material, this invention begins to discard datagrams queued for transit across that link, in order to signal distant host computers that they should slow down the rate at which they are sending datagrams. The invention, which is particularly useful in cryptographically protected networks that run the TCP/IP protocol stack, allows fine-grained flow control of individual traffic classes because it can determine, for example, how various classes of data traffic (e.g., voice, video, TCP) should be ordered and transmitted through a network. Thus, the invention can be used to implement sophisticated flow control rules so as to give preferential treatment to certain people, departments or computers.

84 Citations

View as Search Results

51 Claims

1. A method for controlling the flow of a stream of data across a network interface, comprising the steps of:
- storing a key material in a key storage area;
  
  providing a cryptographic engine configured to use at least a portion of the key material to encrypt a data packet from the stream;
  
  generating a report comprising an indicator of a remaining encryption capacity, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the cryptographic engine to encrypt subsequent data packets from the stream; and
  
  for each data packet in the stream,determining a traffic class for the data packet,computing a probability of discard (Pd) for the data packet based on the indicator of the remaining encryption capacity from the report and the traffic class,discarding the data packet if the probability of discard (Pd) is greater than or equal to a random number, andqueuing the data packet for transmission across the network interface if the probability of discard (Pd) is less than the random number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the indicator is based on an amount of key material in the key storage area.
  - 3. The method of claim 1, wherein the indicator is based on data representing an amount of time elapsed since a prior report was generated.
  - 4. The method of claim 1, wherein the indicator is based on data representing the amount of time elapsed since the key material was replenished.
  - 5. The method of claim 1, wherein the indicator comprises a quantity of data encrypted by the cryptographic subsystem since a prior report was generated.
  - 6. The method of claim 1, wherein the indicator comprises a quantity of additional data the cryptographic engine can encrypt prior to the key material in the key storage area being exhausted.
  - 7. The method of claim 1, wherein the indicator comprises a rate at which the key material is being used by the cryptographic engine.
  - 8. The method of claim 1, wherein the determining step comprises inspecting the data packet.
  - 9. The method of claim 1, further comprising the step of storing the report in a database.
  - 10. The method of claim 1, further comprising the step of estimating a remaining encryption capacity based on the report.
  - 11. The method of claim 1, further comprising the step of providing a key material distribution system configured to supply additional key material to the key storage area.
  - 12. The method of claim 11, wherein the key material distribution system comprises a quantum cryptographic subsystem.
  - 13. The method of claim 11, wherein the key material distribution system comprises a key-filling device.
  - 14. The method of claim 11, wherein the key material distribution system comprises a centralized secret key management system.
  - 15. The method of claim 11, wherein the key material distribution system comprises a distributed secret key management system.
  - 16. The method of claim 11, wherein the key material distribution system uses a mathematical process for agreeing on a secret key.
  - 17. The method of claim 16, wherein the mathematical process comprises the Diffie-Hellman technique.

18. A method for controlling the flow of a stream of data across a network interface, comprising the steps of:
- receiving a report comprising an indicator of a remaining encryption capacity for the network interface, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the network interface to encrypt subsequent data packets from the stream; and
  
  for each data packet in the stream,determining a traffic class for the data packet,computing a probability of discard (Pd) for the data packet based on the remaining encryption capacity and the traffic class,comparing the probability of discard (Pd) to a random number,discarding the data packet if the probability of discard (Pd) is greater than or equal to the random number, andqueuing the data packet for transmission across the network interface if the probability of discard (Pd) is less than the random number.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The method of claim 18, wherein the indicator is based on an amount of key material in the key storage area.
  - 20. The method of claim 18, wherein the indicator is based on data representing an amount of time elapsed since a prior report was received.
  - 21. The method of claim 18, wherein the indicator is based on data representing the amount of time elapsed since the key material was replenished.
  - 22. The method of claim 18, wherein the indicator comprises a quantity of data encrypted by the cryptographic subsystem since a prior report was received.
  - 23. The method of claim 18, wherein the indicator comprises a quantity of additional data the cryptographic engine can encrypt prior to the key material in the key storage area being exhausted.
  - 24. The method of claim 18, wherein the indicator comprises a rate at which the key material is being used by the cryptographic engine.
  - 25. The method of claim 18, wherein the determining step comprises inspecting the data packet.
  - 26. The method of claim 18, further comprising the step of storing the report in a database.
  - 27. The method of claim 18, further comprising the step of estimating a remaining encryption capacity based on the report.
  - 28. The method of claim 18, further comprising the step of providing a key material distribution system configured to supply additional key material to the key storage area.
  - 29. The method of claim 28, wherein the key material distribution system comprises a quantum cryptographic subsystem.
  - 30. The method of claim 28, wherein the key material distribution system comprises a key-filling device.
  - 31. The method of claim 28, wherein the key material distribution system comprises a centralized secret key management system.
  - 32. The method of claim 28, wherein the key material distribution system comprises a distributed secret key management system.
  - 33. The method of claim 28, wherein the key material distribution system uses a mathematical process for agreeing on a secret key.
  - 34. The method of claim 33, wherein the mathematical process comprises the Diffie-Hellman technique.

35. A method for controlling the flow of a stream of data across an encrypted network interface, comprising:
- receiving a report comprising an indicator of a remaining encryption capacity for the encrypted network interface, wherein the indicator of the remaining encryption capacity comprises a quantitative measure representative of a capacity of the network interface to encrypt subsequent data packets from the stream;
  
  determining a traffic class for a data packet in the stream;
  
  computing a probability of discard (Pd) for the data packet based on the remaining encryption capacity and the traffic class;
  
  comparing the probability of discard (Pd) to a random number;
  
  discarding the data packet if the probability of discard (Pd) is greater than or equal to the random number; and
  
  queuing the data packet for transmission across the encrypted network interface if the probability of discard (Pd) is less than the random number.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 36. The method of claim 35, wherein the indicator is based on an amount of key material in the key storage area.
  - 37. The method of claim 35, wherein the indicator is based on data representing an amount of time elapsed since a prior report was received.
  - 38. The method of claim 35, wherein the indicator is based on data representing the amount of time elapsed since the key material was replenished.
  - 39. The method of claim 35, wherein the indicator comprises a quantity of data encrypted by the cryptographic subsystem since a prior report was received.
  - 40. The method of claim 35, wherein the indicator comprises a quantity of additional data the cryptographic engine can encrypt prior to the key material in the key storage area being exhausted.
  - 41. The method of claim 35, wherein the indicator comprises a rate at which the key material is being used by the cryptographic engine.
  - 42. The method of claim 35, wherein the determining step comprises inspecting the data packet.
  - 43. The method of claim 35, further comprising the step of storing the report in a database.
  - 44. The method of claim 35, further comprising the step of estimating a remaining encryption capacity based on the report.
  - 45. The method of claim 35, further comprising the step of providing a key material distribution system configured to supply additional key material to the key storage area.
  - 46. The method of claim 45, wherein the key material distribution system comprises a quantum cryptographic subsystem.
  - 47. The method of claim 45, wherein the key material distribution system comprises a key-filling device.
  - 48. The method of claim 45, wherein the key material distribution system comprises a centralized secret key management system.
  - 49. The method of claim 45, wherein the key material distribution system comprises a distributed secret key management system.
  - 50. The method of claim 45, wherein the key material distribution system uses a mathematical process for agreeing on a secret key.
  - 51. The method of claim 50, wherein the mathematical process comprises the Diffie-Hellman technique.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
BBN Technologies (Rtx Corporation), Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
Elliott, Brig Barnum
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
PATEL, NIRAV B

Application Number

US10/391,582
Time in Patent Office

2,043 Days
Field of Search

713150-154, 380255-257, 380/277, 380/278, 380/279, 380/44, 380/28, 709/230, 709/232, 709238-244, 709/223, 709/220, 726 11- 14, 370/254, 370/351, 370/40, 370/401, 370/412, 370/431, 370/464, 370/229, 370/400
US Class Current

726/13
CPC Class Codes

H04L 63/0428 wherein the data content is...

Method and apparatus for controlling the flow of data across a network interface

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for controlling the flow of data across a network interface

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links