Agile network protocol for secure communications with assured system availability
Abstract
A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a priori, which can quickly jump ahead in sequence by an arbitrary number of random steps, and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
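The hopping and acceptance scheme the abstract and claims 1 and 6 describe, as an added example that is not the patent's own code or algorithm: the generator is a full-period linear congruential generator, so its non-repeating sequence length is known a priori and it can jump ahead an arbitrary number of steps in O(log k), and the receiver keeps a moving window of the next eight addresses its synchronized copy of the peer's generator expects. All names (HopGenerator, hop_address, HopReceiver, demo), the LCG constants, the 10.0.0.0/16 netblock and the seed are assumptions of mine, and only one address per hop is checked where the claims hop source and destination pairs.

```python
import ipaddress

class HopGenerator:
    """Full-period LCG on 2**bits states (a % 4 == 1, c odd), so the period is known a priori."""
    def __init__(self, seed, a=1664525, c=1013904223, bits=16):   # constructed constants
        self.m = 1 << bits
        self.a, self.c, self.x = a % self.m, c % self.m, seed % self.m
    def next(self):
        self.x = (self.a * self.x + self.c) % self.m
        return self.x
    def jump(self, k):
        # compose the affine map x -> a*x + c with itself k times by repeated squaring
        A, C, a, c = 1, 0, self.a, self.c
        while k:
            if k & 1:
                A, C = (a * A) % self.m, (a * C + c) % self.m
            a, c = (a * a) % self.m, (a * c + c) % self.m
            k >>= 1
        self.x = (A * self.x + C) % self.m
        return self.x

def hop_address(gen, netblock):
    """Map the generator's next state onto one host of the node's netblock."""
    net = ipaddress.ip_network(netblock)
    return str(net[gen.next() % net.num_addresses])

class HopReceiver:
    """Accepts a packet only if its source address lies inside a moving window of the
    next `window` addresses the peer's (synchronized) generator should emit."""
    def __init__(self, peer_gen, peer_block, window=8):
        self.gen, self.block, self.window = peer_gen, peer_block, window
        self.expected = [hop_address(peer_gen, peer_block) for _ in range(window)]
    def accept(self, src):
        if src not in self.expected:
            return False                                  # not a current hop: reject
        self.expected = self.expected[self.expected.index(src) + 1:]  # slide past lost hops
        while len(self.expected) < self.window:           # refill the window
            self.expected.append(hop_address(self.gen, self.block))
        return True

def demo(seed=0xBEEF, block="10.0.0.0/16"):
    """Constructed exchange: packets 2 and 3 are lost, then a stale and a forged address arrive."""
    tx = HopGenerator(seed)                           # sender's generator
    rx = HopReceiver(HopGenerator(seed), block)       # receiver's synchronized copy
    sent = [hop_address(tx, block) for _ in range(5)]
    forged = str(ipaddress.ip_network(block)[seed])   # in-block, but the full-period
    return [rx.accept(sent[0]), rx.accept(sent[3]),   # generator cannot emit the seed
            rx.accept(sent[1]), rx.accept(forged),    # state again for 2**16 hops
            rx.accept(sent[4])]                       # packet 1 ok; 4 ok though 2,3 lost;
                                                      # replay and forgery rejected; 5 ok
```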
20 Claims
1. A method of anonymously communicating data between a first node and a second node coupled via a network, comprising the steps of:
at the first node,
(a) using a first algorithm to select from among a first plurality of different network addresses each of which is mapped in the network to the first node, and using each selected network address in a header of a packet that is transmitted from the first node over the network to the second node;
(b) evaluating the headers of received packets received at the first node to determine whether each header contains a network address that conforms to a second algorithm used by the second node to select from among a second plurality of different network addresses each of which is mapped in the network to the second node;
(c) upon determining that the header of a received packet received at the first node contains a network address that conforms to the second algorithm, accepting the received packet for processing; and upon determining that the header does not contain a network address that conforms to the second algorithm, rejecting the received packet for further processing; and
(d) wherein each selected network address is selected by hopping among the first plurality and second plurality of different network addresses so that the network addresses selected in each header of a received packet appear random; and wherein the first and second algorithms select each network address on a quasi-random basis.
Dependent claims: 2, 3, 4, 5.
6. A method of anonymously communicating data between first and second nodes in a network, comprising the steps of:
at the first node,
(1) storing a transmit netblock comprising a plurality of pairs of source and destination IP addresses that will be used for communicating with the second node, and an algorithm for selecting pairs of source and destination IP addresses from among the plurality of pairs of source and destination IP addresses;
(2) generating a plurality of IP packets each comprising one of the selected pairs of source and destination IP addresses;
(3) transmitting each IP packet generated in step (2) to the second node, wherein each pair of source and destination IP addresses of the netblock is selected by hopping among the source and destination IP addresses so that the source and destination network addresses selected for each IP packet appear random; and
wherein upon receipt by the first node of a plurality of IP packets from the second node, for each IP packet received:
(a) determining whether the received IP packet contains a valid source and destination IP address, wherein the validity of each address is determined with reference to a second algorithm;
(b) upon determining that the received IP packet contains a valid source and destination IP address, accepting the IP packet for further processing; and upon determining that the received IP packet does not contain a valid source and destination IP address, rejecting the IP packet; and
wherein the first and second algorithms select each network address on a quasi-random basis.
Dependent claims: 7, 8, 9, 10.
11. A system comprising:
a first node configured and arranged so that data can be anonymously communicated between the first node and a second node;
wherein the first node is configured and arranged so as to (a) use a first algorithm to select from among a first plurality of different network addresses each of which is mapped in the network to the first node, and (b) use each selected network address in a header of a packet that is transmitted over the network to the second node;
wherein each selected network address is selected by hopping among the first plurality and second plurality of different network addresses so that the source and destination network addresses selected in each header of a packet appear random;
wherein the first node is further configured and arranged so as to evaluate the headers of received packets received at the first node to determine whether each header contains a network address that conforms to a second algorithm used by the second node; and upon determining that a header of a received packet contains a network address that conforms to the second algorithm, accept the packet for processing; and upon determining that the header does not contain a network address that conforms to the second algorithm, reject the packet for processing; and
wherein the first and second algorithms select each network address on a quasi-random basis.
Dependent claims: 12, 13, 14, 15.
16. A system for anonymously communicating data between first and second nodes in a network, comprising:
wherein the first node is configured and arranged so as to (a) store a transmit netblock comprising a plurality of pairs of source and destination IP addresses that will be used for communicating with the second node, (b) perform a first algorithm so as to select pairs of source and destination IP addresses from among the plurality of pairs of source and destination IP addresses, (c) generate a plurality of IP packets each comprising one of the selected pairs of source and destination IP addresses, and (d) transmit each IP packet generated in (c) to the second node; and
wherein each pair of source and destination IP addresses of the netblock is selected by hopping among the source and destination IP addresses so that the source and destination network addresses selected for each IP packet appear random;
wherein the first node is further configured and arranged so as to receive a plurality of IP packets at the first node and, for each received IP packet, (a) determine whether the received IP packet contains a valid source and destination IP address so as to indicate that the received IP packet is from the second node, and (b) the validity of each address is determined with reference to a second algorithm configured and arranged so as to determine whether the received IP packet contains a valid source and destination IP address so that (i) if valid the IP packet is further processed, and (ii) if not valid the IP packet is rejected; and
wherein the first and second algorithms select each network address on a quasi-random basis.
Dependent claims: 17, 18, 19, 20.
Specification