Firewall for filtering tunneled data packets
Abstract
A method of filtering a tunneled data packet including an outer header and an outer payload, the outer payload including an inner data packet including an inner header and an inner payload, where the value of at least one outer header field of the tunneled data packet is matched to a first rule, and the action defined in the first rule is taken. Taking the action defined in the first rule includes detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.
-
1. A method of filtering a data packet, comprising
providing a first set of filtering rules for filtering tunneled data packets based on outer headers of tunneled data packets only, each tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, providing a plurality of second sets of filtering rules for filtering inner data packets of tunneled data packets only, each second set of filtering rules being different from the first set of filtering rules, receiving at an intermediate device along a tunnel, a tunneled data packet sent from a first end point of the tunnel and destined to a second end point of the tunnel, the received tunneled data packet comprising an outer header and an outer payload provided at said first end point of said tunnel to be removed at said second end point of the tunnel, said intermediate device being located apart from the first and second tunnel end points, performing a first search, at said intermediate device, only among said first set of filtering rules provided for filtering said received tunneled data packet based on the outer header of said received tunneled data packet, for a first filtering rule containing a value of at least one header field matching to the value of at least one outer header field of said received tunneled data packet, only in response to finding said matching first filtering rule containing the matching value of at least one header field, taking the action defined in the first matching filtering rule of said first set of filtering rules for filtering an inner data packet without involvement of the first and second end points and without interrupting the tunnel at said intermediate device along the tunnel, the defined action filtering an inner data packet further comprising detecting the inner data packet within said received tunneled data packet, selecting among said plurality of said second sets of filtering rules only one second set of filtering rules corresponding to said first matching filtering rule, performing a second search only among said selected second set of filtering rules for a second filtering rule matching the value of at least one field of the inner data packet and without searching among the other unselected ones of said plurality of said second sets of filtering rules, taking the action defined in the matching second filtering rule for filtering the detected inner data packet separately from the filtering of the outer header, and in response to not finding said matching first filtering rule containing the matching value of at least one header field, forwarding said received tunneled data packet from the intermediate device to the second end point of the tunnel without searching any of said plurality of second sets of filtering rules and without filtering the inner data packet.
-
10. A network gateway configured to be connected to an intermediate point of a tunnel formed by tunneled data packets sent from a first end point of the tunnel and destined to a second end point of the tunnel, for filtering the tunneled data packet without involvement of the first and second end points and without interrupting the tunnel at said network gateway along the tunnel, said intermediate point being located apart from the first and second tunnel end points, the network gateway comprising
a mechanism for providing a first set of filtering rules for filtering tunneled data packets based on outer headers of tunneled data packets only, each tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, a mechanism for providing a plurality of second sets of filtering rules for filtering inner data packets of tunneled data packets only, each second set of filtering rules being different from the first set of filtering rules, a mechanism for intercepting a tunneled data packet sent from said first end point of the tunnel and destined to said second end point of the tunnel, the received tunneled data packet comprising an outer header and an outer payload provided at said first end point of said tunnel to be removed at said second end point of the tunnel, a mechanism for performing a first search among said first set of filtering rules for a first filtering rule containing a value of at least one header field matching to the value of at least one outer header field of the received tunneled data packet, and a mechanism, responsive only to finding said matching first filtering rule, for taking the action defined in the first matching filtering rule of said first set of filtering rules for filtering an inner data packet without involvement of the first and second end points and without interrupting the tunnel at said network gateway along the tunnel, said mechanism taking the defined action for filtering an inner data packet further comprising a mechanism for detecting the inner data packet within the tunneled data packet, a mechanism for selecting among said plurality of said second sets of filtering rules only one second set of filtering rules corresponding to said first matching filtering rule and without searching among the other unselected ones of said plurality of said second sets of filtering rules, a mechanism for performing a second search among said selected second set of filtering rules for a second filtering rule matching the value of at least one field of the inner data packet, a mechanism for taking the action defined in the matching second filtering rule for filtering the detected inner data packet separately from the filtering of the outer header, and a mechanism responsive to not finding said matching first filtering rule containing the matching value of at least one header field for forwarding the tunneled data packet from the intermediate device to the second end point of the tunnel without searching any of said plurality of second sets of filtering rules and without filtering the inner data packet.
-
11. An apparatus, comprising a computer-readable storage that contains a computer software which, when executed in a computer device, causes the computer device to provide a routine of filtering a data packet comprising
providing a first set of filtering rules for filtering tunneled data packets based on outer headers of tunneled data packets only, each tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, providing a plurality of second sets of filtering rules for filtering inner data packets of tunneled data packets only, each second set of filtering rules being different from the first set of filtering rules, receiving a tunneled data packet at an intermediate device along a tunnel, a tunneled data packet sent from a first end point of the tunnel and destined to a second end point of said tunnel, said intermediate point being located apart from the first and second tunnel end points, the received tunneled data packet comprising an outer header and an outer payload provided at said first end point of said tunnel to be removed at said second end point of the tunnel, performing a first search, at said intermediate device, only among said first set of filtering rules for a first filtering rule containing the matching value of at least one header field matching the value of at least one outer header field of the received tunneled data packet, and only in response to finding said matching first filtering rule containing the matching value of at least one header field, taking the action defined in the first matching filtering rule of said first set of filtering rules for filtering an inner data packet transparently to the first and second end points and without breaking the tunnel, said defined action for filtering an inner data packet comprising detecting the inner data packet within the received tunneled data packet, selecting among said plurality of said second sets of filtering rules only one second set of filtering rules corresponding to said first matching filtering rule, performing a further second search only among said selected second set of filtering rules for a second filtering rule matching to the value of at least one field of the inner data packet and without searching among the other unselected ones of said plurality of said second sets of filtering rules, taking the action defined in the matching second filtering rule for filtering the detected inner data packet separately from the filtering of the outer header, and in response to not finding said matching first filtering rule containing the matching value of at least one header field, forwarding said received tunneled data packet from the intermediate point to the second end point of the tunnel without searching any of said plurality of second sets of filtering rules and without filtering the inner data packet.
-
12. A method of filtering a data packet, comprising
providing a first set of filtering rules for filtering tunneled data packets based on outer headers of tunneled data packets only, each tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, providing a plurality of second sets of filtering rules for filtering inner data packets of tunneled data packets only, each second set of filtering rules being different from the first set of filtering rules, receiving, at an intermediate device along said tunnel, a tunneled data packet sent from said first end point of the tunnel and destined to said second end point of the tunnel, the received tunneled data packet comprising an outer header and an outer payload provided at said first end point of said tunnel to be removed at said second end point of the tunnel, said intermediate device being located apart from the first and second tunnel end points, if the received tunneled data packet is a first packet of said tunnel, performing, at said intermediate device, among said first set of filtering rules, only a first search for a first filtering rule containing a value of at least one header field matching to the value of at least one outer header field of the received tunneled data packet, and a) in response to not finding any matching filtering rule in said first search performed only among the first set of filtering rules, rejecting the tunnel as not allowed and discarding the received tunneled data packet, b) only in response to finding said matching first filtering rule in said first search performed only among the first set of filtering rules, allowing the tunnel and creating, on the basis of the outer header, to a first connection state table, an entry for processing other data packets of the same tunnel, the entry comprising a value of at least one outer header field for identifying the other data packets of the same tunnel and instructions for filtering the inner data packet, detecting the inner data packet within said received tunneled data packet, if the inner data packet is a first packet of a connection within the tunnel, selecting among said plurality of said second sets of filtering rules only one second set of filtering rules corresponding to said first matching rule, performing a second search, without involvement of the first and second end points and without interrupting the tunnel at said intermediate device along the tunnel, only among said selected second set of filtering rules for a second filtering rule matching the value of at least one field of the inner data packet and without searching among the other unselected ones of said plurality of said second sets of filtering rules, in response to not finding any matching filtering rule in the selected second set of filtering rules, rejecting the connection as not allowed and discarding the tunneled data packet, in response to finding a matching second filtering rule in said second search performed only among the selected second set of filtering rules, allowing the connection and creating, on the basis of the inner header, to a second connection state table, an entry for processing other data packets of the same connection, the entry comprising a value of at least one inner header field for identifying the other data packets of the same connection and instructions for processing the inner data packet, and taking the action defined in the matching second filtering rule for filtering the detected inner data packet separately from the filtering of the outer header, and forwarding, from the intermediate device to the second end point of the tunnel, those of the tunneled data packets that have passed the filtering.
-
14. An apparatus, comprising a computer-readable storage, containing a computer software which, when executed in a computer device, causes the computer device to provide a routine of filtering a data packet comprising
providing, at an intermediate point along a tunnel, a first set of filtering rules for filtering tunneled data packets based on outer headers of tunneled data packets only, each tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, said intermediate point being located apart from the first and second tunnel end points, providing, at said intermediate point, a plurality of second sets of filtering rules for filtering inner data packets of tunneled data packets only, each second set of filtering rules being different from the first set of filtering rules, receiving, at said intermediate point, a tunneled data packet sent from said first end point of the tunnel and destined to said second end point of the tunnel, the received tunneled data packet comprising an outer header and an outer payload provided at said first end point of said tunnel to be removed at said second end point of the tunnel, if the received tunneled data packet is a first packet of a tunnel, performing, at said intermediate point, among said first set of filtering rules only, a first search for a first filtering rule containing a value of at least one header field matching to the value of at least one outer header field of the received tunneled data packet, and a) in response to not finding any matching first filtering rule in said first search performed only among the first set of filtering rules containing the matching value of at least one header field, rejecting, at said intermediate point, the tunnel as not allowed and discarding the tunneled data packet, b) in response to finding said matching first filtering rule in said first search performed only among the first set of filtering rules, allowing, at said intermediate point, the tunnel and creating, on the basis of the outer header, to a first connection state table, an entry for processing other data packets of the same tunnel, the entry comprising a value of at least one outer header field for identifying the other data packets of the same tunnel and instructions for filtering the inner data packet, detecting, at said intermediate point, the inner data packet within the received tunneled data packet, if the inner data packet is a first packet of a connection within the tunnel, selecting among said plurality of said second sets of filtering rules only one second set of filtering rules corresponding to said first matching filtering rule, performing, at said intermediate point, among said selected second set of filtering rules only, a second search for a second filtering rule matching the value of at least one field of the inner data packet transparently to the first and second end points and without breaking the tunnel, in response to not finding any matching filtering rule in said second search performed only among the selected second set of filtering rules, rejecting, at said intermediate point, the connection as not allowed and discarding the received tunneled data packet, in response to finding a matching second filtering rule in said second search performed only among the selected second set of filtering rules, allowing, at said intermediate point, the connection and creating, on the basis of the inner header, to a second connection state table, an entry for processing other data packets of the same connection, the entry comprising a value of at least one inner header field for identifying the other data packets of the same connection and instructions for processing the inner data packet, and taking the action defined in the matching second filtering rule for filtering the detected inner data packet separately from the filtering of the outer header, forwarding, from the intermediate point to the second end point of the tunnel, those of the tunneled data packets that have passed the filtering.
-
16. A network gateway comprising
a firewall connectable between a gateway packet radio support node and a packet radio support node for filtering tunneled data packets sent from the gateway packet radio support node and destined to the packet radio support node, or vice versa, over a tunnel having one end point at the gateway packet radio support node and another end point at the packet radio support node without involvement of the gateway packet radio support node and without interrupting said tunnel at said firewall, said firewall being located apart from the packet radio support node and the gateway packet radio support node, the firewall having a first set of filtering rules for filtering tunneled data packets based on outer headers of tunneled data packets only, each tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, the firewall having a plurality of second sets of filtering rules for filtering inner data packets of tunneled data packets only, each second set of filtering rules being different from the first set of filtering rules, the firewall being configured to intercept a tunneled data packet sent from the gateway packet radio support node and destined to the packet radio support node, or vice versa, the intercepted tunneled data packet being provided at one of the end points of said tunnel to be removed at another one of said end points of the tunnel, the firewall being configured to perform only among said first set of filtering rules, a first search for a first filtering rule matching to the value of at least one outer header field of the intercepted tunneled data packet, and the firewall being configured to, only in response to finding said matching first filtering rule in said first search performed only among the first set of filtering rules, take the action defined in the first matching filtering rule of said first set of filtering rules for filtering an inner data packet without involvement of the gateway packet radio support node and the packet radio support node and without interrupting the tunnel at said firewall, the firewall being configured to take the defined action for filtering an inner data packet by detecting the inner data packet within the tunneled data packet, selecting among said plurality of said second sets of filtering rules only one second set of filtering rules corresponding to said first matching filtering rule found in said first search performed only among the first set of filtering rules, performing, among said selected second set of filtering rules only, a second search for a second filtering rule matching the value of at least one field of the inner data packet, taking the action defined in the matching second filtering rule found in said first search performed only among the first set of filtering rules for filtering the detected inner data packet separately from the filtering of the outer header, the firewall being configured to forward, from the packet radio support node to the gateway packet radio support node, or vice versa, those of the tunneled data packets that have passed the filtering.
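The two-stage filter the claims describe, written out as an added Python example (not code from the patent or any product): a first rule set is searched on the outer header only, the matching first rule selects exactly one second rule set, and only that set is searched on the inner packet. It follows the stateful form of claims 12 and 14 (a first connection state table keyed on the outer header, a second keyed on the inner connection, so later packets of a known tunnel or connection skip both searches) and, behind the `forward_unmatched` switch, the claim 1 behaviour of forwarding a packet untouched when no first rule matches. The packet model, the rule fields (source, destination, protocol, destination port), the rule sets, the addresses and the use of UDP port 2152 (GTP-U, the tunnel between the GGSN and SGSN named in claim 16) are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet model (an assumption of this example, not the patent's):
# a header is reduced to the four fields the rules look at, and a tunneled
# packet is an outer header carrying an inner packet's header as its payload.
@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class TunneledPacket:
    outer: Header
    inner: Header

@dataclass(frozen=True)
class Rule:
    """A filtering rule; None in a field means 'any value'."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    action: str = "allow"            # "allow" or "deny"
    inner_set: Optional[str] = None  # first-set rules only: which second set to select

    def matches(self, h: Header) -> bool:
        wanted = ((self.src, h.src), (self.dst, h.dst),
                  (self.proto, h.proto), (self.dport, h.dport))
        return all(w is None or w == got for w, got in wanted)

def search(rules: List[Rule], h: Header) -> Optional[Rule]:
    """First-match search over one rule set only; None if nothing matches."""
    for r in rules:
        if r.matches(h):
            return r
    return None

class TunnelFirewall:
    def __init__(self, first_set: List[Rule], second_sets: Dict[str, List[Rule]],
                 forward_unmatched: bool = False):
        self.first_set = first_set        # rules on outer headers only
        self.second_sets = second_sets    # name -> rules on inner packets only
        # True: claim 1 (forward unmatched tunnels untouched); False: claim 12 (reject them)
        self.forward_unmatched = forward_unmatched
        self.tunnel_state: Dict[Header, str] = {}               # first state table: outer -> second set
        self.conn_state: Dict[Tuple[Header, Header], str] = {}  # second state table: (outer, inner) -> action
        self.searches = {"first": 0, "second": 0}               # how often each search actually ran

    def filter(self, pkt: TunneledPacket) -> str:
        """Return 'forward' or 'drop' for one tunneled packet."""
        outer = pkt.outer
        if outer not in self.tunnel_state:                 # first packet of this tunnel
            self.searches["first"] += 1
            rule = search(self.first_set, outer)
            if rule is None:
                return "forward" if self.forward_unmatched else "drop"
            if rule.action == "deny" or rule.inner_set not in self.second_sets:
                return "drop"                              # tunnel not allowed
            self.tunnel_state[outer] = rule.inner_set      # remember which second set this tunnel selects
        key = (outer, pkt.inner)
        if key not in self.conn_state:                     # first packet of this inner connection
            self.searches["second"] += 1
            rule2 = search(self.second_sets[self.tunnel_state[outer]], pkt.inner)
            if rule2 is None:
                return "drop"                              # connection not allowed, no state kept
            self.conn_state[key] = rule2.action
        return "forward" if self.conn_state[key] == "allow" else "drop"

def build_firewall(forward_unmatched: bool = False) -> TunnelFirewall:
    # Constructed policy: GTP-U tunnels (UDP 2152) from a GGSN at 10.0.0.1 to two
    # SGSNs; each tunnel selects a different inner rule set.
    first_set = [
        Rule(src="10.0.0.1", dst="10.0.0.2", proto="udp", dport=2152, inner_set="subscriber"),
        Rule(src="10.0.0.1", dst="10.0.0.3", proto="udp", dport=2152, inner_set="corporate"),
    ]
    second_sets = {
        "subscriber": [Rule(proto="tcp", dport=80), Rule(proto="tcp", dport=443)],
        "corporate": [Rule(proto="tcp", dport=22), Rule(proto="tcp", dport=25, action="deny")],
    }
    return TunnelFirewall(first_set, second_sets, forward_unmatched)

def run_demo(forward_unmatched: bool = False) -> Tuple[List[str], Dict[str, int]]:
    """Run a constructed packet sequence; returns the decisions and the search counts."""
    fw = build_firewall(forward_unmatched)
    t_sub = Header("10.0.0.1", "10.0.0.2", "udp", 2152)
    t_corp = Header("10.0.0.1", "10.0.0.3", "udp", 2152)
    t_unknown = Header("10.0.0.9", "10.0.0.2", "udp", 2152)
    packets = [
        TunneledPacket(t_sub, Header("10.1.1.5", "203.0.113.10", "tcp", 443)),    # new tunnel, allowed connection
        TunneledPacket(t_sub, Header("10.1.1.5", "203.0.113.10", "tcp", 25)),     # known tunnel, no inner rule
        TunneledPacket(t_sub, Header("10.1.1.5", "203.0.113.10", "tcp", 443)),    # both state tables hit
        TunneledPacket(t_corp, Header("10.1.2.7", "198.51.100.7", "tcp", 22)),    # other tunnel, other rule set
        TunneledPacket(t_corp, Header("10.1.2.7", "198.51.100.7", "tcp", 25)),    # explicit deny in that set
        TunneledPacket(t_unknown, Header("10.1.3.9", "203.0.113.10", "tcp", 80)), # no first rule matches
    ]
    return [fw.filter(p) for p in packets], fw.searches

if __name__ == "__main__":
    print(run_demo())
    print(run_demo(forward_unmatched=True))
```

The third packet is the point of the state tables: it is forwarded with neither search running, and the second packet shows that an inner connection with no rule in the selected set is discarded even though its tunnel is allowed. Switching `forward_unmatched` changes only the last packet, which then passes through without the inner packet ever being examined, the claim 1 behaviour; whether an unmatched tunnel should be forwarded or rejected is a policy decision the two claim variants make differently.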
Specification