Integrated policy checking system and method

US 8,176,545 B1
Filed: 12/19/2003
Issued: 05/08/2012
Est. Priority Date: 12/19/2003
Status: Active Grant

First Claim

Patent Images

1. A method for validating a security service associated with packets communicated on a network, comprising:

receiving a packet at a transport offload engine;

decrypting and authenticating the packet utilizing the transport offload engine, the decrypting utilizing an Internet Protocol Security (IPSec) transformation;

calculating a hash of a security service based on the packet, utilizing the transport offload engine;

determining whether the packet is a SYN packet utilizing the transport offload engine;

in response to a determination that the packet is a SYN packet;

sending the SYN packet from the transport offload engine to a processor,sending the IPSec transformation from the transport offload engine to the processor, andsending the hash from the transport offload engine to the processor;

performing IPSec policy checking of the SYN packet utilizing the processor;

determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor;

in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash utilizing the transport offload engine, the control block for network socket management;

generating the SYN/ACK packet based on the SYN packet, utilizing the transport offload engine; and

sending the SYN/ACK packet utilizing the transport offload engine.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for validating a security service associated with packets communicated on a network. A hash of a security service associated with packets communicated on a network is generated. In use, the security service associated with the packets is validated utilizing the hash.

235 Citations

35 Claims

1. A method for validating a security service associated with packets communicated on a network, comprising:
- receiving a packet at a transport offload engine;
  
  decrypting and authenticating the packet utilizing the transport offload engine, the decrypting utilizing an Internet Protocol Security (IPSec) transformation;
  
  calculating a hash of a security service based on the packet, utilizing the transport offload engine;
  
  determining whether the packet is a SYN packet utilizing the transport offload engine;
  
  in response to a determination that the packet is a SYN packet;
  
  sending the SYN packet from the transport offload engine to a processor,sending the IPSec transformation from the transport offload engine to the processor, andsending the hash from the transport offload engine to the processor;
  
  performing IPSec policy checking of the SYN packet utilizing the processor;
  
  determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor;
  
  in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash utilizing the transport offload engine, the control block for network socket management;
  
  generating the SYN/ACK packet based on the SYN packet, utilizing the transport offload engine; and
  
  sending the SYN/ACK packet utilizing the transport offload engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method as recited in claim 1, wherein the security service includes at least one of:
    - authentication, encryption, terms of use of authentication, and terms of use of encryption.
  - 3. The method as recited in claim 2, wherein the security service includes at least one of a security association and an inner-Internet Protocol (IP) header.
  - 4. The method as recited in claim 2, wherein the security service includes the IPSec transformation.
  - 5. The method as recited in claim 1, wherein the hash is order-dependent.
  - 6. The method as recited in claim 1, wherein the hash has a fixed length.
  - 7. The method as recited in claim 1, wherein the hash is generated utilizing an XOR operation.
  - 8. The method as recited in claim 1, wherein the hash is generated utilizing a random number.
  - 9. The method as recited in claim 8, wherein the random number is unique to a security association and any descendents of the security association.
  - 10. The method as recited in claim 1, wherein the hash that is generated for a first instance of the security service is the same as the hash that is generated for a subsequent instance of the security service.
  - 11. The method as recited in claim 1, and further comprising determining whether the packet is a synchronize acknowledgement (SYN/ACK) packet.
  - 12. The method as recited in claim 11, if it is determined that the packet is the SYN/ACK packet, further comprising retrieving another control block associated with the SYN/ACK packet, which includes another hash.
  - 13. The method as recited in claim 12, wherein, if the another hash associated with the SYN/ACK packet matches the hash associated with the control block, further comprising accepting the SYN/ACK packet, and generating a handshake ACK packet.
  - 14. The method as recited in claim 12, wherein, if the another hash associated with the SYN/ACK packet matches the hash associated with the control block, further comprising generating a handshake ACK packet.
  - 15. The method as recited in claim 12, wherein, if the another hash associated with the SYN/ACK packet does not match the hash associated with the control block, further comprising rejecting the SYN/ACK packet.
  - 16. The method as recited in claim 1, and further comprising determining whether the packet is neither a synchronize (SYN) packet nor a synchronize acknowledgement (SYN/ACK) packet.
  - 17. The method as recited in claim 16, if it is determined that the packet is neither the SYN packet nor the SYN/ACK packet, further comprising retrieving another control block associated with the packet, which includes another hash.
  - 18. The method as recited in claim 17, wherein, if the another hash associated with the packet matches the hash associated with the control block, further comprising accepting the packet.
  - 19. The method as recited in claim 17, wherein, if the another hash associated with the packet does not match the hash associated with the control block, further comprising rejecting the packet.
  - 20. The method as recited in claim 1, and further comprising requesting a client connection.
  - 21. The method as recited in claim 20, and further comprising generating another synchronize (SYN) packet.
  - 22. The method as recited in claim 21, and further comprising receiving another SYN/ACK packet in response to the another SYN packet.
  - 23. The method as recited in claim 22, and further comprising calculating another hash associated with the another SYN/ACK packet.
  - 24. The method as recited in claim 23, wherein, if the another hash associated with the another SYN/ACK packet matches the hash associated with the control block, further comprising accepting the another SYN/ACK packet, and generating a handshake ACK packet.
  - 25. The method as recited in claim 23, wherein, if the another hash associated with the another SYN/ACK packet does not match the hash associated with the control block, further comprising rejecting the another SYN/ACK packet.
  - 26. The method as recited in claim 1, wherein the security service is validated at a network protocol layer that resides above an IPSec protocol layer.
  - 27. The method as recited in claim 1, wherein at least one of the decrypting and the authenticating is performed on the packet utilizing an ordered-list of IPSec transformations.
  - 28. The method as recited in claim 1, wherein the IPSec transformation includes an IPSec transformation utilized to perform the decrypting and the authenticating on the packet.
  - 29. The method as recited in claim 1, wherein the hash is calculated utilizing an order-dependent XOR checksum with rotate operation.
  - 30. The method as recited in claim 1, wherein when an authenticated packet is received that does not have a matching hash, the transport offload engine generates an exception and limits Internet security association and key management protocol (ISAKMP) establishment with a source IP address associated with the authenticated packet.
  - 31. The method as recited in claim 1, wherein the hash of the security service based on the packet is calculated utilizing a security association, an ordered list of security association handles, and a plurality of IP headers.
  - 32. The method as recited in claim 31, wherein the hash of the security service is calculated by:
    - setting an initial hash value to 0;
      
      calculating a first rotate-left value by performing a rotate-left operation on the initial hash value;
      
      calculating a first random value utilizing a first of the plurality of IP headers and a first of the security association handles associated with the first of the plurality of IP headers;
      
      calculating a first hash value by performing an XOR operation between the first rotate-left value and the first random value;
      
      calculating a second rotate-left value by performing a rotate-left operation on the first hash value;
      
      calculating a second random value utilizing a second of the plurality of IP headers and a second of the security association handles associated with the second of the plurality of IP headers;
      
      calculating a second hash value by performing an XOR operation between the second rotate-left value and the second random value;
      
      calculating a third rotate-left value by performing a rotate-left operation on the second hash value;
      
      calculating a third random value utilizing an inner IP header of the plurality of IP headers and a third of the security association handles associated with the inner IP header of the plurality of IP headers;
      
      calculating a third hash value by performing an XOR operation between the third rotate-left value and the third random value;
      
      calculating a fourth rotate-left value by performing a rotate-left operation on the third hash value;
      
      calculating a fourth random value utilizing a fourth of the plurality of the IP headers and a fourth of the security association handles associated with the fourth of the plurality of IP headers; and
      
      calculating the hash by performing an XOR operation between the fourth rotate-left value and the fourth random value.

33. A transport offload engine sub-system, comprising:
- a transport offload engine, which includes a tangible circuit, in communication with a hardware processor and a network, the transport offload engine for;
  
  receiving a packet,decrypting and authenticating the packet, the decrypting utilizing an Internet Protocol Security (IPSec) transformation,calculating a hash of a security service based on the packet,determining whether the packet is a SYN packet,in response to a determination that the packet is a SYN packet, sending the SYN packet to a processor, sending the IPSec transformation to the processor, and sending the hash to the processor for performing IPSec policy checking of the SYN packet and determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor,in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash, the control block for network socket management,generating the SYN/ACK packet based on the SYN packet, andsending the SYN/ACK packet.

34. A system, comprising:
- a hardware processor; and
  
  a transport offload engine in communication with the hardware processor and a network via a bus, the transport offload engine for;
  
  receiving a packet,decrypting and authenticating the packet, the decrypting utilizing an Internet Protocol Security (IPSec) transformation,calculating a hash of a security service based on the packet,determining whether the packet is a SYN packet,in response to a determination that the packet is a SYN packet;
  
  sending the SYN packet from the transport offload engine to the processor,sending the IPSec transformation from the transport offload engine to the processor, andsending the hash from the transport offload engine to the processor,in response to a determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash, the control block for network socket management,generating the SYN/ACK packet based on the SYN packet, andsending the SYN/ACK packet;
  
  wherein the hardware processor is operable to;
  
  perform IPSec policy checking of the SYN packet, anddetermine that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking.

35. A computer program product embodied on a non-transitory computer readable medium for validating a security service associated with packets communicated on a network, comprising:
- computer code for receiving a packet at a transport offload engine;
  
  computer code for decrypting and authenticating the packet utilizing the transport offload engine, the decrypting utilizing an Internet Protocol Security (IPSec) transformation;
  
  computer code for calculating a hash of a security service based on the packet, utilizing the transport offload engine;
  
  computer code for determining whether the packet is a SYN packet utilizing the transport offload engine;
  
  computer code for, in response to a determination that the packet is a SYN packet;
  
  sending the SYN packet from the transport offload engine to a processor,sending the IPSec transformation from the transport offload engine to the processor, andsending the hash from the transport offload engine to the processor;
  
  computer code for performing IPSec policy checking of the SYN packet utilizing the processor;
  
  computer code for determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor;
  
  computer code for, in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash utilizing the transport offload engine, the control block for network socket management;
  
  computer code for generating the SYN/ACK packet based on the SYN packet, utilizing the transport offload engine; and
  
  computer code for sending the SYN/ACK packet utilizing the transport offload engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NVIDIA Corporation
Original Assignee
NVIDIA Corporation
Inventors
Greenfield, Daniel Leo, Minami, John Shigeto, Uyeshiro, Robin Yasu
Primary Examiner(s)
Goodarzi, Nasser
Assistant Examiner(s)
Johnson, Carlton

Application Number

US10/741,972
Time in Patent Office

3,063 Days
Field of Search

726/14
US Class Current

726/14
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/164   at the network layer

H04L 69/22   Parsing or analysis of headers

Integrated policy checking system and method

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

235 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated policy checking system and method

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

235 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links