Tuning of SSL session caches based on SSL session IDS

US 8,145,768 B1
Filed: 02/26/2008
Issued: 03/27/2012
Est. Priority Date: 02/26/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A network device for managing a network communication, comprising:

an input interface for receiving requests and sending responses;

a session cache for storing information for re-establishing an Secured Socket Layer (SSL) session, wherein the session cache comprises at least one cache lookup table; and

a processor arranged to enable actions embodied by at least a portion of instructions stored in a memory, the actions comprising;

receiving an SSL session identifier (ID) within an SSL handshake protocol for establishing with a client device, an SSL connection;

performing a reversible exclusive-or operation on the SSL session ID and a pre-determined ID associated with the network device to generate an ID, wherein the generated ID comprises at least one of a cache line for identifying an entry within a cache lookup table, or a cache ID for identifying the cache lookup table;

determining, based on at least a portion of the generated ID, a failure statistic associated with re-establishing an SSL session for the SSL connection; and

tuning the session cache based on the failure statistic derived from the reversible exclusive-or operation performed on the SSL session ID.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus are directed towards managing a network communication. A Secured Socket Layer (SSL) session identifier (ID) is received within an SSL handshake protocol message for establishing an SSL connection. The SSL session ID is combined with a pre-determined ID associated with a network device to generate another ID. The other ID may comprise a plurality of information associated with an operation for caching the SSL session ID and/or for caching other information usable in re-establishing an SSL session over the SSL connection. The plurality of information may comprise an expiration time, a cache line, a cache ID, and a unique ID. Based on at least a portion of the other ID, a failure statistic associated with re-establishing the SSL session for the SSL connection is determined. A session cache and/or the operation for caching are tuned based on the failure statistic.

44 Citations

View as Search Results

17 Claims

1. A network device for managing a network communication, comprising:
- an input interface for receiving requests and sending responses;
  
  a session cache for storing information for re-establishing an Secured Socket Layer (SSL) session, wherein the session cache comprises at least one cache lookup table; and
  
  a processor arranged to enable actions embodied by at least a portion of instructions stored in a memory, the actions comprising;
  
  receiving an SSL session identifier (ID) within an SSL handshake protocol for establishing with a client device, an SSL connection;
  
  performing a reversible exclusive-or operation on the SSL session ID and a pre-determined ID associated with the network device to generate an ID, wherein the generated ID comprises at least one of a cache line for identifying an entry within a cache lookup table, or a cache ID for identifying the cache lookup table;
  
  determining, based on at least a portion of the generated ID, a failure statistic associated with re-establishing an SSL session for the SSL connection; and
  
  tuning the session cache based on the failure statistic derived from the reversible exclusive-or operation performed on the SSL session ID.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network device of claim 1, wherein determining the failure statistic is based at least in part on one of:
    - whether the cache line is greater than a maximum cache size, orwhether the cache ID is unassociated with one of the at least one cache lookup table.
  - 3. The network device of claim 1, wherein determining the failure statistic is based at least in part on one of:
    - whether an expiration time portion of the generated ID is less than a current time of the network device, orwhether an unique ID portion of the generated ID is greater than a maximum unique ID.
  - 4. The network device of claim 1, wherein tuning comprises:
    - modifying a maximum cache size for the cache lookup table, an expiration time window for generating a new expiration time, or a number of cache lookup tables.
  - 5. The network device of claim 1, wherein receiving an SSL session ID comprises receiving the SSL session ID within a CLIENT-HELLO message.
  - 6. The network device of claim 1, wherein the actions further comprise:
    - retrieving the information for re-establishing the SSL session from the session cache based on the generated ID.
  - 7. The network device of claim 1, wherein the actions further comprise:
    - establishing the SSL connection, if the SSL session ID is determined as valid based on the at least the portion of the generated ID.

8. A system for managing a network communication, comprising:
- a session cache for storing at least a plurality of Secured Socket Layer (SSL) session identifiers (IDs), wherein the session cache comprises at least one cache lookup table; and
  
  a network device interposed between a client and at least one server, wherein the network device is configured to perform actions comprising;
  
  receiving an SSL session ID within an SSL handshake protocol for establishing an SSL connection with the client, wherein data sent over the SSL connection is configured to be forwarded from the client to the at least one server;
  
  performing a reversible exclusive-or operation on the SSL session ID and a pre-determined ID associated with the network device to generate an ID, wherein the generated ID comprises a plurality of information associated with an operation of the session cache;
  
  determining, based on at least a portion of the generated ID, a failure statistic associated with re-establishing an SSL session for the SSL connection; and
  
  tuning the session cache based on the failure statistic derived from the reversible exclusive-or operation performed on the SSL session ID.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the generated ID comprises a cache line for identifying an entry within the at least one cache lookup table, and wherein determining the failure statistic is based on whether the cache line is greater than a maximum cache size.
  - 10. The system of claim 8, wherein the generated ID comprises an SSL session ID, and wherein determining the failure statistic is based on whether the SSL session ID is greater than a maximum unique ID.
  - 11. The system of claim 8, wherein the generated ID comprises a cache ID, and wherein determining the failure statistic is based on whether the cache ID is unassociated with one of the at least one cache lookup table.
  - 12. The system of claim 8, wherein the generated ID comprises a expiration time, and wherein determining the failure statistic is based on whether the expiration time is less than a current time.
  - 13. The system of claim 8, wherein tuning comprises:
    - modifying a maximum cache size for at least one cache lookup table, an expiration time window for generating a new expiration time, or a number of at least one cache lookup table.
  - 14. The system of claim 8, wherein the actions further comprise:
    - retrieving at least one of the plurality of SSL session IDs from the session cache based on the generated ID; and
      
      establishing the SSL connection based on the at least one of the plurality of SSL session IDs.

15. A non-transitory machine-readable storage medium having machine-executable instructions stored thereon, which when executed by at least one processor, causes the at least one processor to perform one or more actions, comprising:
- receiving an SSL session identifier (ID) within an Secured Socket Layer (SSL) handshake protocol message for establishing an SSL connection;
  
  performing a reversible exclusive-or operation on the SSL session ID and a known value to generate an ID, wherein the generated ID comprises a plurality of information associated with an operation for caching the SSL session ID;
  
  determining, based on at least a portion of the generated ID, a failure statistic associated with re-establishing an SSL session for the SSL connection; and
  
  tuning the operation for caching based on the failure statistic derived from the reversible exclusive-or operation performed on the SSL session ID.
- View Dependent Claims (16, 17)
- - 16. The non-transitory machine-readable storage medium of claim 15, wherein tuning comprises:
    - modifying a maximum cache size, an expiration time window for generating a new expiration time, or a number of cache lookup tables.
  - 17. The non-transitory machine-readable storage medium of claim 15, wherein tuning comprises:
    - providing an interface for modifying the operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Hawthorne, Jonathan Mini
Primary Examiner(s)
Lazaro, David
Assistant Examiner(s)
KOROBOV, VITALI A

Application Number

US12/037,824
Time in Patent Office

1,491 Days
Field of Search

709/205, 709/217, 709/223, 709/227, 709/238, 709/228, 726/5
US Class Current

709/228
CPC Class Codes

H04L 63/166 at the transport layer

Tuning of SSL session caches based on SSL session IDS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Tuning of SSL session caches based on SSL session IDS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links