Approaches for applying service policies to encrypted packets

US 7,562,213 B1
Filed: 09/16/2003
Issued: 07/14/2009
Est. Priority Date: 09/16/2003
Status: Active Grant

First Claim

Patent Images

1. A method for applying a quality of service to an encrypted packet comprising:

during initial establishment of a secure control channel, receiving and storing an identifier associated with the quality of service in association with a first Internet Key Exchange (IKE) ID;

examining an encrypted packet;

without decrypting the encrypted packet, mapping a second IKE ID from the packet, using the first IKE ID, to the identifier associated with the quality of service in a profile portion of the encrypted packet;

in response to mapping to the identifier associated with the quality of service, applying the associated quality of service to the encrypted packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for applying service polices to encrypted packets are disclosed. One approach comprises examining an encrypted packet, determining whether an identifier associated with a service is present in an encrypted packet, and if it is determined that the identifier is present in the encrypted packet, applying the service to the encrypted packet. In an embodiment, the identifier is the Internet Key Exchange (IKE) ID of the encrypted packet.

Citations

39 Claims

1. A method for applying a quality of service to an encrypted packet comprising:
- during initial establishment of a secure control channel, receiving and storing an identifier associated with the quality of service in association with a first Internet Key Exchange (IKE) ID;
  
  examining an encrypted packet;
  
  without decrypting the encrypted packet, mapping a second IKE ID from the packet, using the first IKE ID, to the identifier associated with the quality of service in a profile portion of the encrypted packet;
  
  in response to mapping to the identifier associated with the quality of service, applying the associated quality of service to the encrypted packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising the steps of:
    - before the examining;
      
      encrypting the packet, wherein said step of encryption includes establishing the second IKE ID in the packet.
  - 3. The method of claim 1, wherein the IKE ID comprises one or more of ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE, ID_DER_ASN1_DN, ID_DER_ASN1_GN, and ID_KEY_ID.
  - 4. The method of claim 1, wherein the identifier associated with the quality of service is based on at least an entry in a security association database.
  - 5. The method of claim 1, wherein said identifier associated with the quality of service maps to a quality of service (QoS) group.
  - 6. The method of claim 2, wherein the first IKE ID is created in a profile of the packet.
  - 7. The method of claim 6, wherein the profile is an ISAKMP profile.
  - 8. The method of claim 2, further comprising a step of pre-classification of the packet prior to the step of encryption.
  - 9. The method of claim 8, wherein the quality of service that is applied is selected based on both the second IKE ID and pre-classification.

10. A method for applying a quality of service to a packet comprising:
- during initial establishment of a secure control channel, receiving and storing an identifier associated with the quality of service in association with a first Internet Key Exchange (IKE) ID;
  
  encrypting the packet to create an encrypted packet;
  
  examining an identifier in a profile portion of the encrypted packet, wherein the identifier is based on a second IKE ID of the encrypted packet;
  
  without decrypting the encrypted packet, mapping the second IKE ID from the packet, using the first IKE ID, to the identifier in the encrypted packet associated with a quality of service to be applied to the encrypted packet; and
  
  in response to service mapping to the identifier associated with the quality of service, applying the quality of service to the encrypted packet.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, further comprising the step of:
    - prior to the step of encrypting, pre-classifying the packet based on the contents of the packet;
      
      wherein the quality of service that is applied to the packet is selected partially based the step of pre-classification and partially based on the second IKE ID.
  - 12. The method of claim 10, further comprising the step of:
    - during encryption, copying at least one bit into a header to identify a characteristic of the packet;
      
      wherein the quality of service that is applied to the packet is selected partially based on a value of the at least one bit and partially based on the second IKE ID.

13. A computer-readable volatile or non-volatile storage medium comprising one or more sequences of instructions, which when executed by one or more processors, cause the one or more processors to perform applying a quality of service to an encrypted packet by:
- during initial establishment of a secure control channel, receiving and storing an identifier associated with the quality of service in association with a first Internet Key Exchange (IKE) ID;
  
  examining an encrypted packet;
  
  without decrypting the encrypted packet, mapping a second IKE ID from the packet, using the first IKE ID, to the identifier associated with the quality of service in a profile portion of the encrypted packet;
  
  in response to mapping to the identifier associated with the quality of service, applying the associated quality of service to the encrypted packet.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The computer-readable medium of claim 13 comprising one or more sequences of instructions, which when executed by one or more processors, cause the one or more processors to carry out before the examining:
    - encrypting the packet, wherein said step of encryption includes establishing the second IKE ID in the packet.
  - 15. The computer-readable medium of claim 13 wherein the IKE ID comprises one or more of ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE, ID_DER_ASN1_DN, ID_DER_ASN1_GN, and ID_KEY_ID.
  - 16. The computer-readable medium of claim 13 wherein the identifier associated with the quality of service is based on at least an entry in a security association database.
  - 17. The computer-readable medium of claim 13 wherein said identifier associated with the quality of service maps to a quality of service (QoS) group.
  - 18. The computer-readable medium of claim 14 wherein the first IKE ID is created in a profile of the packet.
  - 19. The computer-readable medium of claim 18 wherein the profile is an ISAKMP profile.
  - 20. The computer-readable medium of claim 14 further comprising one or more sequences of instructions, which when executed by one or more processors, cause the one or more processors to carry out pre-classification of the packet prior to the encryption.
  - 21. The computer-readable medium of claim 20 wherein the quality of service that is applied is selected based on both the second IKE ID and pre-classification.

22. An apparatus for applying a quality of service to an encrypted packet comprising:
- means for receiving and storing an identifier associated with the quality of service in association with a first Internet Key Exchange (IKE) ID during initial establishment of a secure control channel;
  
  means for examining an encrypted packet;
  
  means for mapping, without decrypting the encrypted packet, a second IKE ID from the packet, using the first IKE ID, to the identifier associated with the quality of service in a profile portion of the encrypted packet;
  
  means, responsive to the mapping means, for applying the quality of service to the encrypted packet.
- View Dependent Claims (23, 24, 25, 26, 36, 38)
- - 23. The apparatus of claim 22, further comprising means, operable before the examining means, for encrypting the packet, wherein the means for encryption includes means for establishing the second IKE ID in the packet.
  - 24. The apparatus of claim 22, wherein the IKE ID comprises one or more of ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE, ID_DER_ASN1_DN, ID_DER_ASN1_GN, and ID_KEY_ID.
  - 25. The apparatus of claim 22, wherein the identifier associated with the quality of service is based on at least an entry in a security association database.
  - 26. The apparatus of claim 22, wherein said identifier associated with the quality of service maps to a quality of service (QoS) group.
  - 36. The apparatus of claim 23, wherein the first IKE ID is created in a profile of the packet.
  - 38. The apparatus of claim 23, further comprising means for pre-classification of the packet prior to the step of encryption.

27. An apparatus for applying a quality of service to an encrypted packet comprising:
- one or more processors;
  
  memory communicatively coupled to the one or more processors;
  
  one or more sequences of instructions in the memory for applying a quality of service to an encrypted packet, which instructions, when executed by the one or more processors, cause the one or more processors to perform the steps of;
  
  during initial establishment of a secure control channel, receiving and storing an identifier associated with the quality of service in association with a first Internet Key exchange (IKE) ID;
  
  examining an encrypted packet;
  
  without decrypting the encrypted packet, mapping a second IKE ID from the packet, using the first IKE ID, to the identifier associated with the quality of service in a profile portion of the encrypted packet;
  
  in response to mapping to the identifier associated with the quality of service, applying the quality of service to the encrypted packet.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 37, 39)
- - 28. The apparatus of claim 27, further comprising sequences of instructions for performing the steps of:
    - before the examining;
      
      encrypting the packet, wherein said step of encryption includes establishing said the second IKE ID in the packet.
  - 29. The apparatus of claim 27, wherein the IKE ID comprises one or more of ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE, ID_DER_ASN1_DN, ID_DER_ASN1_GN, and ID_KEY_ID.
  - 30. The apparatus of claim 27, wherein the identifier associated with the quality of service is based on at least an entry in a security association database.
  - 31. The apparatus of claim 27, wherein said identifier associated with the quality of service maps to a quality of service (QoS) group.
  - 32. The apparatus of claim 28, wherein the first IKE ID is created in a profile of the packet.
  - 33. The apparatus of claim 32, wherein the profile is an ISAKMP profile.
  - 34. The apparatus of claim 28, further comprising a step of pre-classification of the packet prior to the step of encryption.
  - 35. The apparatus of claim 34, wherein the quality of service that is applied is selected based on both the second IKE ID and pre-classification.
  - 37. The apparatus of claim 32, wherein the profile is an ISAKMP profile.
  - 39. The apparatus of claim 34, comprising means for selecting the quality of service that is applied based on both the second IKE ID and pre-classification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Timms, Natalie
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GEE, JASON KAI YIN

Application Number

US10/664,267
Time in Patent Office

2,128 Days
Field of Search

713/160
US Class Current

713/160
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/20 for managing network securi...

Approaches for applying service policies to encrypted packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Approaches for applying service policies to encrypted packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links