Method and apparatus for fragmenting and reassembling internet key exchange data packets

US 7,500,102 B2
Filed: 01/25/2002
Issued: 03/03/2009
Est. Priority Date: 01/25/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method for transmitting Internet Key Exchange (IKE) data packets across a network comprising the steps of:

receiving a vendor identification value from a receiving node;

in response to receiving the vendor identification value, using the vendor identification value to determine that the receiving node is IKE fragmentation capable;

generating and transmitting an IKE packet to the receiving node over a network, the IKE packet having an original IKE header;

determining whether a response to the IKE packet was received within a predetermined time interval;

determining a maximum transmission unit size for the network;

fragmenting the IKE packet into a plurality of smaller packets that do not exceed the maximum transmission unit size, wherein each of the smaller packets includes a header formatted according to the IKE protocol; and

transmitting each of the plurality of smaller packets over a network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for fragmenting and reassembling IKE protocol data packets that exceed a Maximum Transmission Unit is provided. A transmitting node determines whether to fragment IKE data depending on whether the receiving node has the capability to receive and reassemble fragmented data packets. The transmitting node detects whether fragmentation is appropriate and then intercepts and fragments appropriate IKE payloads for transmission over a network. The invention further includes a method and apparatus for reassembling fragmented IKE payloads. The receiving node discards certain packets according to a set of predetermined rules that are designed to prevent denial of service attacks and other similar attacks. No modification is required to the existing IKE protocol or to other lower level networking protocols.

Citations

8 Claims

1. A method for transmitting Internet Key Exchange (IKE) data packets across a network comprising the steps of:
- receiving a vendor identification value from a receiving node;
  
  in response to receiving the vendor identification value, using the vendor identification value to determine that the receiving node is IKE fragmentation capable;
  
  generating and transmitting an IKE packet to the receiving node over a network, the IKE packet having an original IKE header;
  
  determining whether a response to the IKE packet was received within a predetermined time interval;
  
  determining a maximum transmission unit size for the network;
  
  fragmenting the IKE packet into a plurality of smaller packets that do not exceed the maximum transmission unit size, wherein each of the smaller packets includes a header formatted according to the IKE protocol; and
  
  transmitting each of the plurality of smaller packets over a network.
- View Dependent Claims (2)
- - 2. The method of claim 1 wherein each of the smaller packets includes a header formatted according to the IKE protocol and each of the headers formatted according to the IKE protocol includes an identifier that may be used to associate the smaller packet with the IKE packet.

3. A network node that communicates with other network nodes according to the Internet Key Exchange (IKE) protocol, the network node comprising:
- a network interface card for interfacing with a network;
  
  a User Datagram Protocol (UDP) stack that is capable of generating UDP data packets for transmission over a network;
  
  an IKE protocol stack that generates IKE data packets that are subsequently processed by the UDP protocol stack; and
  
  a fragmenter module that;
  
  receives a vendor identification value from a network node and in response to receiving the vendor identification value uses the vendor identification value to determine that the network node is IKE fragmentation capable;
  
  intercepts IKE data packets prior to being processed by the UDP protocol stack and splits the IKE data packets into a plurality of smaller data packets that may be subsequently formatted by the UDP protocol stack, wherein each of the plurality of smaller data packets includes a header formatted according to the IKE protocol and state information for network address translator processing, wherein the fragmenter module does not split the IKE data packets when a response to a previously-sent IKE data packet has been successfully received within a predetermined time interval.

4. A system for transmitting Internet Key Exchange (IKE) protocol data packets across a network, the system comprising:
- means for generating an IKE packet;
  
  means for storing said IKE packet;
  
  means for initializing, operating, and monitoring a timer;
  
  means for detecting whether the IKE packet was successfully received at an intended receiver node before the expiration of the timer;
  
  means for receiving a vendor identification value from the receiver node and using the vendor identification value to determine that the receiver node is IKE fragmentation capable;
  
  means for fragmenting the IKE packet into smaller packets when the IKE packet was not successfully received at the receiver node;
  
  means for adding a separate IKE fragment header to each of the smaller packets;
  
  means for adding state information to each of the smaller packets for network address translator processing;
  
  means for adding a separate User Datagram Protocol header to each of the plurality of smaller packets; and
  
  means for transmitting each of the plurality of smaller packets over the network.
- View Dependent Claims (5)
- - 5. The system of claim 4 further comprising means for determining the capability of the receiver node for receiving fragmented packets.

6. A method for transmitting data packets across a network comprising the steps of:
- generating and transmitting an Internet Key Exchange (IKE) packet over a network to a receiving node, the IKE packet having an original IKE header;
  
  fragmenting of the IKE packet by an IP protocol layer;
  
  determining whether a response to the IKE packet was received within a predetermined time interval;
  
  using a vendor identification value received from the receiving node to determine whether the receiving node is capable of processing IKE fragments;
  
  fragmenting the IKE packet into a plurality of smaller IKE packets to avoid the fragmenting of the IKE packet by the IP protocol layer;
  
  adding a separate IKE fragment header to each of the plurality of smaller IKE packets, wherein one of the plurality of smaller IKE packets includes the original IKE header;
  
  adding state information to each of the plurality of smaller IKE packets for network address translator processing;
  
  adding a separate User Datagram Protocol header to each of the plurality of smaller IKE packets; and
  
  transmitting each of the plurality of smaller IKE packets over a network.
- View Dependent Claims (7)
- - 7. The method of claim 6 wherein the plurality of smaller packets contain the same information as that contained within the original IKE packet.

8. A method for transmitting data packets across a network comprising the steps of:
- receiving a vendor identification value from a receiver node;
  
  in response to receiving the vendor identification value, using the vendor identification value to determine that the receiver node is IKE fragmentation capable;
  
  generating a data packet containing Internet Key Exchange (IKE) information the data packet having an original IKE header;
  
  initializing a timer;
  
  determining, based at least in part on the expiration of the timer, whether fragmentation of the data packet is necessary to successfully transmit the IKE information to the receiver over a network;
  
  fragmenting the data packet if necessary into a plurality of smaller packets that may be transmitted over a network;
  
  adding a separate IKE fragment header to each of the plurality of smaller packets, wherein one of the plurality of smaller packets includes the original IKE header;
  
  adding state information to each of the plurality of smaller packets for network address translator processing;
  
  adding a separate User Datagram Protocol header to each of the plurality of smaller packets; and
  
  transmitting each of the plurality of smaller packets over a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Huitema, Christian, Swander, Brian
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US10/056,889
Publication Number

US 20030142823A1
Time in Patent Office

2,594 Days
Field of Search

713/171, 709/250
US Class Current

713/171
CPC Class Codes

H04L 61/256   NAT traversal

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/061   for key exchange, e.g. in p...

H04L 69/16   Implementation or adaptatio...

H04L 69/164   Adaptation or special uses ...

H04L 69/166   IP fragmentation; TCP segme...

Method and apparatus for fragmenting and reassembling internet key exchange data packets

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for fragmenting and reassembling internet key exchange data packets

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links