Method and apparatus for controlling the flow of data across a network interface

US 8,122,242 B2
Filed: 09/15/2008
Issued: 02/21/2012
Est. Priority Date: 03/19/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

receiving, via a network device, a data stream that includes a plurality of data packets;

receiving a report that includes an encryption capacity indicator associated with a network interface;

determining a traffic class for a data packet in the data stream; and

selectively undertaking at least one ofselecting an outbound network interface link to transmit the data packet based at least in part on both the received encryption capacity indicator and the identified traffic class, anddropping the packet based at least in part on both the received encryption capacity indicator and the identified traffic class.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention performs “flow control” based on the remaining encryption capacity of an encrypted outbound network interface link of a network routing device, such as a router or switch. As the encrypted link begins to run low on encryption key material, this invention begins to discard datagrams queued for transit across that link, in order to signal distant host computers that they should slow down the rate at which they are sending datagrams. The invention, which is particularly useful in cryptographically protected networks that run the TCP/IP protocol stack, allows fine-grained flow control of individual traffic classes because it can determine, for example, how various classes of data traffic (e.g., voice, video, TCP) should be ordered and transmitted through a network. Thus, the invention can be used to implement sophisticated flow control rules so as to give preferential treatment to certain people, departments or computers.

Citations

23 Claims

1. A method, comprising:
- receiving, via a network device, a data stream that includes a plurality of data packets;
  
  receiving a report that includes an encryption capacity indicator associated with a network interface;
  
  determining a traffic class for a data packet in the data stream; and
  
  selectively undertaking at least one ofselecting an outbound network interface link to transmit the data packet based at least in part on both the received encryption capacity indicator and the identified traffic class, anddropping the packet based at least in part on both the received encryption capacity indicator and the identified traffic class.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising generating the encryption capacity indicator, the encryption capacity indicator comprising a quantitative measure representing a capacity of the network interface to encrypt subsequent data packets from the data stream.
  - 3. The method of claim 1, further comprising generating the report, the report further comprising data representing an amount of time that has elapsed since a prior report was generated.
  - 4. The method of claim 3, the report further comprising an amount of data encrypted since the prior report was sent.
  - 5. The method of claim 1, further comprising:
    - obtaining the traffic class from at least one of a database, a policy, and a data packet; and
      
      basing the traffic class on at least one of the following;
      
      a datagram packet content, a source address, a destination address, a protocol, a port number, a user, a department, and a computing device.
  - 6. The method of claim 1, further comprising;
    - a network routing device that includes an inbound network interface; and
      
      receiving the data stream on the inbound network interface of the network routing device.
  - 7. The method of claim 1, further comprising:
    - a network routing device;
      
      an outbound network interface;
      
      assigning a data packet to a transmission queue, andtransmitting the data packet to the network routing device via the outbound network interface if the data packet is assigned to the transmission queue.
  - 8. The method of claim 1, further comprising:
    - computing a discard probability for the data packet based on the encryption capacity indicator and the traffic class;
      
      generating a random number; and
      
      selectively undertaking at least one ofdropping the data packet if the discard probability is greater than or equal to the random number, andtransmitting the data packet across the network interface if the discard probability is less than the random number.
  - 9. The method of claim 1, further comprising generating an estimate of remaining encryption capacity based on the report.

10. A device, comprising:
- an inbound network interface link configured to receive a data stream that includes a plurality of data packets;
  
  at least two outbound network interface links, wherein each of the outbound network interface links is configured to transmit at least one of the received data packets to a network routing device; and
  
  a routing processor configured toidentify a traffic class for a data packet in the data stream,receive an encryption capacity indicator for each of the outbound network interface links, andselect one of the outbound network interface links to transmit the data packet based at least in part on both the received encryption capacity indicators and the identified traffic class.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The device of claim 10, further comprising a packet classifier configured to determine the traffic class of the data packet.
  - 12. The device of claim 10, further comprising a cryptographic subsystem configured to encrypt the data packet prior to transmitting the data packet on at least one of the outbound network interface links.
  - 13. The device of claim 12, wherein the cryptographic subsystem is further configured to estimate an amount of remaining encryption capacity for each of the outbound network interface links, and generate an encryption capacity indicator for each of the outbound network interface links, wherein each encryption capacity indicator comprises a quantitative measure representative of a capacity of the cryptographic subsystem to encrypt subsequent data packets.
  - 14. The device of claim 10, further comprising a packet classifier, and a policing agent coupled to the packet classifier, wherein the policing agent is configured to determine whether the data packet will be transmitted on one of the outbound network interface links based on both of the traffic class and the encryption capacity indicator.
  - 15. The device of claim 10, further comprising a cryptographic subsystem coupled to at least one of the outbound network interface links and configured to encrypt the data packet.
  - 16. The device of claim 10, further comprising:
    - a cryptographic engine configured to encrypt the data packet before the packet is transmitted across one of the outbound network interface links, wherein the encryption capacity indicator represents a quantitative measure of a capacity of the cryptographic engine to encrypt subsequent data packets.

17. A system, comprising:
- a network routing device configured to receive a data packet;
  
  a cryptographic subsystem; and
  
  an outbound network interface link that is coupled to the network routing device and protected by the cryptographic subsystem,wherein the network routing device is further configured to;
  
  receive an encryption capacity indicator from the cryptographic subsystem, wherein the encryption capacity indicator includes a quantitative measure representative of a capacity of the cryptographic subsystem to encrypt subsequent data packets;
  
  at least selectively undertake one oftransmit the data packet across the outbound network interface link based at least in part on both an encryption capacity indicator and an identified traffic class; and
  
  drop the packet based at least in part on both the received encryption capacity indicator and the identified traffic class.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The system of claim 17, further comprising a database for storing a report, wherein the report includes the encryption capacity indicator.
  - 19. The system of claim 17, further comprising at least one other network routing device, wherein the encryption capacity indicator is conveyed to the at least one other network routing device.
  - 20. The system of claim 17, wherein the cryptographic subsystem generates a report that includes the encryption capacity indicator and conveys the report in response to at least one of the following:
    - an occurrence of a specified event;
      
      a specified condition for the outbound network interface link;
      
      a time when an amount of key material in a key storage area reaches a specified level; and
      
      a time when the key material has been present in the key storage area for a specified time period.
  - 21. The system of claim 17, further comprising a statistical analyzer configured to generate an estimated remaining encryption capacity based on the encryption capacity indicator.
  - 22. The system of claim 17, further comprising:
    - a source network element;
      
      a target network element in communication with the source network element;
      
      at least two data communication paths between the source network element and the target network element, wherein at least one of the data communication paths includes the network routing device, the outbound network interface link, and the cryptographic subsystem; and
      
      a routing processor that determines, based on the encryption capacity indicator, which one of the at least two communication paths will be used to transmit the data packet from the source network element to the target network element.
  - 23. The system of claim 17, wherein the encryption capacity indicator is conveyed using at least one of the following:
    - Open Shortest Path First (OSPF) Protocol;
      
      Constraint-based Routing Label Distribution Protocol (CR-LDP);
      
      Intermediate System to Intermediate System (IS-IS) Protocol;
      
      Resource Reservation Protocol (RSVP);
      
      Border Gateway Protocol (BGP);
      
      Simple Network Management Protocol (SNMP);
      
      Synchronous Optical Network (SONET) protocol; and
      
      Internet Control Message Protocol (ICMP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Raytheon BBN Technologies Corp. (Rtx Corporation), Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
Elliott, Brig Barnum
Primary Examiner(s)
Patel, Nirav B

Application Number

US12/210,786
Publication Number

US 20090013175A1
Time in Patent Office

1,254 Days
Field of Search

713150-154, 713168-172, 726 11- 14, 380255-257, 380/277, 380/44, 380/28, 370/229, 370/254, 370/351, 709238-244, 709/220, 709/222, 709/227
US Class Current

713/154
CPC Class Codes

H04L 63/0428 wherein the data content is...

Method and apparatus for controlling the flow of data across a network interface

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for controlling the flow of data across a network interface

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links