Integrated policy checking system and method
First Claim
1. A method for validating a security service associated with packets communicated on a network, comprising:
- receiving a packet at a transport offload engine;
- decrypting and authenticating the packet utilizing the transport offload engine, the decrypting utilizing an Internet Protocol Security (IPSec) transformation;
- calculating a hash of a security service based on the packet, utilizing the transport offload engine;
- determining whether the packet is a SYN packet utilizing the transport offload engine;
- in response to a determination that the packet is a SYN packet: sending the SYN packet from the transport offload engine to a processor, sending the IPSec transformation from the transport offload engine to the processor, and sending the hash from the transport offload engine to the processor;
- performing IPSec policy checking of the SYN packet utilizing the processor;
- determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor;
- in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash utilizing the transport offload engine, the control block for network socket management;
- generating the SYN/ACK packet based on the SYN packet, utilizing the transport offload engine; and
- sending the SYN/ACK packet utilizing the transport offload engine.
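The split of work in claim 1, modelled as an added example (not code from the patent or any assignee): the transport offload engine (TOE) hashes the IPSec transformation it applied, hands SYN packets plus that hash to the host for policy checking, and only then creates the socket control block holding the hash. SHA-256 over a canonical encoding of the transformation, the dict packet format, the policy tuple shape, and the use of the stored hash to validate later packets on the same connection (suggested by the abstract, not spelled out in claim 1) are all assumptions of this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class IPSecTransform:
    """Parameters of the security service (the SA) the TOE used to decrypt and authenticate."""
    spi: int
    cipher: str
    integrity: str
    peer: str


def security_service_hash(t: IPSecTransform) -> str:
    """Hash of the security service, computed on the TOE (SHA-256 is an assumption of this example)."""
    canon = f"{t.spi}|{t.cipher}|{t.integrity}|{t.peer}".encode()
    return hashlib.sha256(canon).hexdigest()


class HostProcessor:
    """Host-side IPSec policy check; in the claimed method it runs only for SYN packets."""
    def __init__(self, allowed):
        self.allowed = allowed  # constructed policy: set of (peer, cipher, integrity, dport)

    def policy_check(self, syn, transform, digest) -> bool:
        # Re-derive the hash so host and TOE agree on which service gets bound to the socket.
        if digest != security_service_hash(transform):
            return False
        return (transform.peer, transform.cipher, transform.integrity, syn["dport"]) in self.allowed


class TransportOffloadEngine:
    def __init__(self, host: HostProcessor):
        self.host = host
        self.control_blocks = {}  # socket 4-tuple -> control block carrying the hash

    def receive(self, pkt: dict, transform: IPSecTransform):
        """pkt is the already decrypted/authenticated packet. Returns the TOE's action."""
        digest = security_service_hash(transform)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":
            if not self.host.policy_check(pkt, transform, digest):
                return "DROP"
            # Control block is created before the SYN/ACK is generated, as in claim 1.
            self.control_blocks[key] = {"hash": digest, "state": "SYN_RCVD"}
            return {"flags": "SYN/ACK", "src": pkt["dst"], "sport": pkt["dport"],
                    "dst": pkt["src"], "dport": pkt["sport"]}
        # Assumed behaviour for non-SYN packets: the service must match the stored hash.
        cb = self.control_blocks.get(key)
        if cb is None or cb["hash"] != digest:
            return "DROP"
        return "DELIVER"
```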
Abstract
A system and method are provided for validating a security service associated with packets communicated on a network. A hash of a security service associated with packets communicated on a network is generated. In use, the security service associated with the packets is validated utilizing the hash.
Claims (35 claims; 235 citations)
1. A method for validating a security service associated with packets communicated on a network (set out in full under First Claim above). Dependent claims: 2 to 32.
33. A transport offload engine sub-system, comprising:
- a transport offload engine, which includes a tangible circuit, in communication with a hardware processor and a network, the transport offload engine for:
  - receiving a packet,
  - decrypting and authenticating the packet, the decrypting utilizing an Internet Protocol Security (IPSec) transformation,
  - calculating a hash of a security service based on the packet,
  - determining whether the packet is a SYN packet,
  - in response to a determination that the packet is a SYN packet, sending the SYN packet to a processor, sending the IPSec transformation to the processor, and sending the hash to the processor for performing IPSec policy checking of the SYN packet and determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor,
  - in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash, the control block for network socket management,
  - generating the SYN/ACK packet based on the SYN packet, and
  - sending the SYN/ACK packet.

34. A system, comprising:
- a hardware processor; and
- a transport offload engine in communication with the hardware processor and a network via a bus, the transport offload engine for:
  - receiving a packet,
  - decrypting and authenticating the packet, the decrypting utilizing an Internet Protocol Security (IPSec) transformation,
  - calculating a hash of a security service based on the packet,
  - determining whether the packet is a SYN packet,
  - in response to a determination that the packet is a SYN packet, sending the SYN packet from the transport offload engine to the processor, sending the IPSec transformation from the transport offload engine to the processor, and sending the hash from the transport offload engine to the processor,
  - in response to a determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash, the control block for network socket management,
  - generating the SYN/ACK packet based on the SYN packet, and
  - sending the SYN/ACK packet;
- wherein the hardware processor is operable to:
  - perform IPSec policy checking of the SYN packet, and
  - determine that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking.

35. A computer program product embodied on a non-transitory computer readable medium for validating a security service associated with packets communicated on a network, comprising:
- computer code for receiving a packet at a transport offload engine;
- computer code for decrypting and authenticating the packet utilizing the transport offload engine, the decrypting utilizing an Internet Protocol Security (IPSec) transformation;
- computer code for calculating a hash of a security service based on the packet, utilizing the transport offload engine;
- computer code for determining whether the packet is a SYN packet utilizing the transport offload engine;
- computer code for, in response to a determination that the packet is a SYN packet: sending the SYN packet from the transport offload engine to a processor, sending the IPSec transformation from the transport offload engine to the processor, and sending the hash from the transport offload engine to the processor;
- computer code for performing IPSec policy checking of the SYN packet utilizing the processor;
- computer code for determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor;
- computer code for, in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash utilizing the transport offload engine, the control block for network socket management;
- computer code for generating the SYN/ACK packet based on the SYN packet, utilizing the transport offload engine; and
- computer code for sending the SYN/ACK packet utilizing the transport offload engine.