Method and apparatus for fragmenting and reassembling internet key exchange data packets
Abstract
A method and apparatus for fragmenting and reassembling IKE protocol data packets that exceed a Maximum Transmission Unit is provided. A transmitting node determines whether to fragment IKE data depending on whether the receiving node has the capability to receive and reassemble fragmented data packets. The transmitting node detects whether fragmentation is appropriate and then intercepts and fragments appropriate IKE payloads for transmission over a network. The invention further includes a method and apparatus for reassembling fragmented IKE payloads. The receiving node discards certain packets according to a set of predetermined rules that are designed to prevent denial of service attacks and other similar attacks. No modification is required to the existing IKE protocol or to other lower level networking protocols.
Claims

The patent has 8 claims. The five independent claims (1, 3, 4, 6 and 8) are reproduced below; dependent claims 2, 5 and 7 are not shown on this page.

1. A method for transmitting Internet Key Exchange (IKE) data packets across a network comprising the steps of:
receiving a vendor identification value from a receiving node;
in response to receiving the vendor identification value, using the vendor identification value to determine that the receiving node is IKE fragmentation capable;
generating and transmitting an IKE packet to the receiving node over a network, the IKE packet having an original IKE header;
determining whether a response to the IKE packet was received within a predetermined time interval;
determining a maximum transmission unit size for the network;
fragmenting the IKE packet into a plurality of smaller packets that do not exceed the maximum transmission unit size, wherein each of the smaller packets includes a header formatted according to the IKE protocol; and
transmitting each of the plurality of smaller packets over a network.
(Dependent claim 2 depends on claim 1.)

3. A network node that communicates with other network nodes according to the Internet Key Exchange (IKE) protocol, the network node comprising:
a network interface card for interfacing with a network;
a User Datagram Protocol (UDP) stack that is capable of generating UDP data packets for transmission over a network;
an IKE protocol stack that generates IKE data packets that are subsequently processed by the UDP protocol stack; and
a fragmenter module that:
receives a vendor identification value from a network node and, in response to receiving the vendor identification value, uses the vendor identification value to determine that the network node is IKE fragmentation capable;
intercepts IKE data packets prior to being processed by the UDP protocol stack and splits the IKE data packets into a plurality of smaller data packets that may be subsequently formatted by the UDP protocol stack, wherein each of the plurality of smaller data packets includes a header formatted according to the IKE protocol and state information for network address translator processing;
wherein the fragmenter module does not split the IKE data packets when a response to a previously-sent IKE data packet has been successfully received within a predetermined time interval.

4. A system for transmitting Internet Key Exchange (IKE) protocol data packets across a network, the system comprising:
means for generating an IKE packet;
means for storing said IKE packet;
means for initializing, operating, and monitoring a timer;
means for detecting whether the IKE packet was successfully received at an intended receiver node before the expiration of the timer;
means for receiving a vendor identification value from the receiver node and using the vendor identification value to determine that the receiver node is IKE fragmentation capable;
means for fragmenting the IKE packet into smaller packets when the IKE packet was not successfully received at the receiver node;
means for adding a separate IKE fragment header to each of the smaller packets;
means for adding state information to each of the smaller packets for network address translator processing;
means for adding a separate User Datagram Protocol header to each of the plurality of smaller packets; and
means for transmitting each of the plurality of smaller packets over the network.
(Dependent claim 5 depends on claim 4.)

6. A method for transmitting data packets across a network comprising the steps of:
generating and transmitting an Internet Key Exchange (IKE) packet over a network to a receiving node, the IKE packet having an original IKE header;
fragmenting of the IKE packet by an IP protocol layer;
determining whether a response to the IKE packet was received within a predetermined time interval;
using a vendor identification value received from the receiving node to determine whether the receiving node is capable of processing IKE fragments;
fragmenting the IKE packet into a plurality of smaller IKE packets to avoid the fragmenting of the IKE packet by the IP protocol layer;
adding a separate IKE fragment header to each of the plurality of smaller IKE packets, wherein one of the plurality of smaller IKE packets includes the original IKE header;
adding state information to each of the plurality of smaller IKE packets for network address translator processing;
adding a separate User Datagram Protocol header to each of the plurality of smaller IKE packets; and
transmitting each of the plurality of smaller IKE packets over a network.
(Dependent claim 7 depends on claim 6.)

8. A method for transmitting data packets across a network comprising the steps of:
receiving a vendor identification value from a receiver node;
in response to receiving the vendor identification value, using the vendor identification value to determine that the receiver node is IKE fragmentation capable;
generating a data packet containing Internet Key Exchange (IKE) information, the data packet having an original IKE header;
initializing a timer;
determining, based at least in part on the expiration of the timer, whether fragmentation of the data packet is necessary to successfully transmit the IKE information to the receiver over a network;
fragmenting the data packet if necessary into a plurality of smaller packets that may be transmitted over a network;
adding a separate IKE fragment header to each of the plurality of smaller packets, wherein one of the plurality of smaller packets includes the original IKE header;
adding state information to each of the plurality of smaller packets for network address translator processing;
adding a separate User Datagram Protocol header to each of the plurality of smaller packets; and
transmitting each of the plurality of smaller packets over a network.
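The mechanism the abstract and the independent claims describe (capability detection from a Vendor ID, fragmenting only after the unfragmented send has timed out, one IKE header plus a fragment header per piece, the original header riding inside the first piece, and a reassembler that discards suspect fragments) is shown below as an added Python example. It is not the patent's code and not any vendor's implementation. Everything about the wire format is an assumption: the layout is modeled on the IKEv1 fragment payload that Windows-compatible IKE stacks use (private-use payload type 132 carrying a 16-bit fragment ID, an 8-bit fragment number and a last-fragment flag), the capability Vendor ID is taken to be MD5 of the ASCII string FRAGMENTATION, and the RFC 3948 non-ESP marker stands in for the "state information for network address translator processing" of claims 3, 4, 6 and 8. The discard rules in the reassembler are one defensible set, not the predetermined rules of the patent. The sample ISAKMP message is constructed, not captured.

```python
import hashlib
import struct

# Assumed constants (modeled on common IKEv1 fragmentation practice; not fixed by the patent page).
FRAG_VENDOR_ID = hashlib.md5(b"FRAGMENTATION").digest()  # capability Vendor ID a peer advertises
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # i-cookie, r-cookie, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR_LEN = ISAKMP_HDR.size            # 28 bytes
FRAG_PAYLOAD = struct.Struct("!BBHHBB")     # next payload, reserved, payload length, fragment id, fragment number, flags
FRAG_PAYLOAD_LEN = FRAG_PAYLOAD.size        # 8 bytes
PAYLOAD_FRAGMENT = 132                      # private-use payload type carrying a fragment
FRAG_LAST = 0x01                            # flag bit set on the final fragment
IP_UDP_OVERHEAD = 20 + 8                    # IPv4 + UDP headers counted against the path MTU
NAT_T_MARKER = b"\x00\x00\x00\x00"          # RFC 3948 non-ESP marker, used here as the "NAT state information"
MAX_FRAGMENTS = 64                          # reassembly limits: bound what an unauthenticated peer can make us hold
MAX_MESSAGE = 64 * 1024


def peer_supports_fragmentation(vendor_ids):
    """Capability check over the Vendor ID payloads received from the peer."""
    return FRAG_VENDOR_ID in vendor_ids


def should_fragment(vendor_ids, response_received):
    """Fragment only when the unfragmented send went unanswered within the timer and the peer can reassemble."""
    return not response_received and peer_supports_fragmentation(vendor_ids)


def fragment_message(message, mtu, fragment_id, nat_t=False):
    """Split a complete ISAKMP message (original header included) into datagrams that fit within mtu.

    Each fragment carries a fresh ISAKMP header (cookies and message ID copied from the original)
    followed by a fragment payload header; the original IKE header travels inside fragment 1.
    """
    if len(message) < ISAKMP_HDR_LEN:
        raise ValueError("message shorter than an ISAKMP header")
    icky, rcky, _np, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(message)
    if length != len(message):
        raise ValueError("ISAKMP length field does not match message size")
    marker = NAT_T_MARKER if nat_t else b""
    chunk = mtu - IP_UDP_OVERHEAD - len(marker) - ISAKMP_HDR_LEN - FRAG_PAYLOAD_LEN
    if chunk <= 0:
        raise ValueError("MTU too small to carry an IKE fragment")
    chunks = [message[i:i + chunk] for i in range(0, len(message), chunk)]
    if len(chunks) > 255:
        raise ValueError("fragment number is a single byte")
    frags = []
    for num, data in enumerate(chunks, start=1):
        last = FRAG_LAST if num == len(chunks) else 0
        payload = FRAG_PAYLOAD.pack(0, 0, FRAG_PAYLOAD_LEN + len(data), fragment_id, num, last) + data
        header = ISAKMP_HDR.pack(icky, rcky, PAYLOAD_FRAGMENT, version, exch, flags, msg_id,
                                 ISAKMP_HDR_LEN + len(payload))
        frags.append(marker + header + payload)
    return frags


class Reassembler:
    """Collects fragments per (cookies, fragment ID) and drops anything that breaks the reassembly rules."""

    def __init__(self):
        self.pending = {}

    def receive(self, datagram, nat_t=False):
        """Return the reassembled message once complete; None means 'not yet' or 'fragment discarded'."""
        if nat_t:
            if not datagram.startswith(NAT_T_MARKER):
                return None
            datagram = datagram[len(NAT_T_MARKER):]
        if len(datagram) < ISAKMP_HDR_LEN + FRAG_PAYLOAD_LEN:
            return None
        hdr = ISAKMP_HDR.unpack_from(datagram)
        icky, rcky, next_payload, length = hdr[0], hdr[1], hdr[2], hdr[7]
        if next_payload != PAYLOAD_FRAGMENT or length != len(datagram):
            return None                                    # not a fragment, or length field lies
        _np, _res, plen, frag_id, num, flags = FRAG_PAYLOAD.unpack_from(datagram, ISAKMP_HDR_LEN)
        if plen != len(datagram) - ISAKMP_HDR_LEN or not 1 <= num <= MAX_FRAGMENTS:
            return None                                    # bad payload length or fragment number out of range
        data = datagram[ISAKMP_HDR_LEN + FRAG_PAYLOAD_LEN:]
        key = (icky, rcky, frag_id)
        state = self.pending.setdefault(key, {"parts": {}, "last": None})
        parts = state["parts"]
        if num in parts:
            return None                                    # duplicate fragment number: keep the first copy
        if state["last"] is not None and num > state["last"]:
            return None                                    # numbered past the announced final fragment
        if flags & FRAG_LAST:
            if state["last"] is not None or any(n > num for n in parts):
                return None                                # a second "last", or one that contradicts earlier pieces
            state["last"] = num
        parts[num] = data
        if sum(map(len, parts.values())) > MAX_MESSAGE:
            del self.pending[key]                          # abandon an oversized reassembly outright
            return None
        if state["last"] is None or len(parts) != state["last"]:
            return None
        message = b"".join(parts[n] for n in range(1, state["last"] + 1))
        del self.pending[key]
        if len(message) < ISAKMP_HDR_LEN or ISAKMP_HDR.unpack_from(message)[7] != len(message):
            return None                                    # the original header's length must match what we rebuilt
        return message


def sample_message(body_len, msg_id=0x1234):
    """Constructed ISAKMP message for the example (not a real exchange): header plus deterministic body bytes."""
    body = bytes(i % 251 for i in range(body_len))
    header = ISAKMP_HDR.pack(b"\x01" * 8, b"\x02" * 8, 8, 0x10, 4, 0, msg_id, ISAKMP_HDR_LEN + body_len)
    return header + body


if __name__ == "__main__":
    msg = sample_message(1972)                             # 2000-byte message against a 576-byte path MTU
    if should_fragment({FRAG_VENDOR_ID}, response_received=False):
        frags = fragment_message(msg, 576, fragment_id=7)
        results = [Reassembler().receive(f) for f in []] or []
        r = Reassembler()
        results = [r.receive(f) for f in reversed(frags)]  # deliver out of order on purpose
        print(len(frags), "fragments; reassembled intact:", results[-1] == msg)
```

The decision logic matches the claims' ordering: the sender first tries the whole message, and only an expired timer combined with a peer that advertised the capability triggers fragmentation, so a peer that never sent the Vendor ID is never handed fragments it cannot parse. The reassembler keys on both cookies and the fragment ID, bounds the number and total size of pieces it will hold, and rejects duplicate numbers, contradictory "last" markers and length fields that disagree, which is the kind of rule set the abstract refers to when it says the receiver discards packets to resist denial-of-service attempts.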
Specification